In case anyone missed it DISA posted a brand spank’n new ESXi 5 STIG revision on Friday, January 24th.

ESXi 5 STIG Version 1 Revision 4

Now, I want to point out a few things about this revision.  First off I teamed up with a great engineer working for DISA FSO to basically rewrite most of the ESXi 5 Server portion of this STIG.  We put a lot of work into that section and I was proud of the result.  If you’ve had trouble implementing the ESXi 5 Server piece in the past please take a look at the changes in revision 4.  You can see from the release notes alone that dozens of checks were changed, and several deleted altogether.

Additionally, a lot of the posts on this blog are now moot if you’re using revision 4.  Why?  Because we essentially used this blog as a point of reference in the rewrite.  I’ll be leaving the posts up here, but note that the information in them predates revision 4.

Finally I wanted to mention our Forge.mil Community Project for ESXi STIG Automation.  If you haven’t signed up for this project yet, please do so.  We will use revision 4 as the focal point for its development.

5 thoughts on “Blog Series: ESXi 5 STIG Revision 4 is OUT!”

  1. Hi Eric,

    With rev 4, there were mods to sshd_config to include more MACs, but ssh seems to crap out for me if I use anything other than the sha1 family. Have you played with this change? I’m running ESXi 5.1. Thanks.

    – Aaron

    • Hi Aaron. I have, yes. The most common issue there is the case used. The sshd file is case sensitive, and not always clear on what is the proper case to use.

      Verify your logs in /var/log. Likely the issue will be called out. Typical ones are errors that sshd doesn’t recognize the attribute or setting. Not saying that’s the issue, but double check to be sure.
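
The case problem Eric describes can be caught before sshd is restarted. The script below is an added example, not code from the post or from the STIG: OpenSSH treats keywords such as MACs case-insensitively but matches their arguments (the algorithm names) literally, so `HMAC-SHA2-256` is rejected where `hmac-sha2-256` is accepted. The sshd_config fragment and the log lines it scans are constructed for the example, the list of accepted MAC names is an assumption you should adjust to your host's sshd, and the "Bad SSH2 mac spec" / "Bad configuration option" wording is what OpenSSH's config parser reports when it rejects a value, which is the kind of message to look for under /var/log.

```sh
#!/bin/sh
# Added example: pre-flight check of the MACs line in an sshd_config before
# restarting sshd. OpenSSH keywords are case-insensitive but their arguments
# (the algorithm names) are case-sensitive, so "HMAC-SHA2-256" is rejected while
# "hmac-sha2-256" is accepted. Plain POSIX sh, so it runs under busybox ash or bash.

# Constructed sample fragment (not a real host's file): one entry has the wrong case.
SAMPLE_CONFIG='Protocol 2
MACs hmac-sha1,HMAC-SHA2-256,hmac-sha2-512
Ciphers aes128-ctr,aes192-ctr,aes256-ctr'

# Assumed allow-list of MAC names, spelled exactly as OpenSSH expects them.
KNOWN_MACS="hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-512 hmac-md5 hmac-md5-96 hmac-ripemd160"

# check_macs CONFIG_TEXT
# Prints one line per problem; returns 1 if any were found, 0 if the line is clean.
# Only the first MACs line is examined, since sshd uses the first value it sees.
check_macs() {
    macs_line=$(printf '%s\n' "$1" | grep -i '^[[:space:]]*MACs[[:space:]]' | head -n 1)
    if [ -z "$macs_line" ]; then
        echo "no MACs line found"
        return 1
    fi
    value=$(printf '%s\n' "$macs_line" | awk '{print $2}')
    rc=0
    # the value is a comma-separated list; inspect each name on its own
    for mac in $(printf '%s\n' "$value" | tr ',' ' '); do
        lower=$(printf '%s' "$mac" | tr 'A-Z' 'a-z')
        if [ "$mac" != "$lower" ]; then
            echo "wrong case: $mac (sshd expects $lower)"
            rc=1
        fi
        case " $KNOWN_MACS " in
            *" $lower "*) ;;
            *) echo "unknown MAC name: $mac"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed log lines (not from a real host). "Bad SSH2 mac spec" is the message
# OpenSSH's config parser emits when it rejects a MACs value.
SAMPLE_LOG="sshd[1234]: /etc/ssh/sshd_config line 12: Bad SSH2 mac spec 'HMAC-SHA2-256'.
sshd[1234]: Server listening on 0.0.0.0 port 22."

# scan_log LOG_TEXT
# Prints the lines in which sshd rejected a setting; returns 0 if any were found.
scan_log() {
    printf '%s\n' "$1" | grep -iE 'Bad SSH2 (mac|cipher) spec|Bad configuration option'
}

# Stand-alone run: report on the constructed samples.
check_macs "$SAMPLE_CONFIG" || echo "fix sshd_config before restarting sshd"
scan_log "$SAMPLE_LOG" || echo "no rejected settings in log"
```

On a live host, feed `check_macs "$(cat /etc/ssh/sshd_config)"` and `scan_log "$(cat /var/log/auth.log)"` (or whichever log your ESXi build writes sshd messages to) instead of the constructed samples.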

  2. I wish you discussed CHAP in your breakout. I don’t know if not using it is a deal breaker or not.

    • Sorry Windy, this comment got lost in the spam. Apparently my spam filtering method needs updating.

      You are required to use CHAP, yes, if you have to conform to the DISA STIG guidelines. Vul: V-39298 (SRG-OS-99999-ESXI5-000141) requires the use of bi-directional CHAP authentication if you are using iSCSI. However, it’s a severity low, so the ability to mitigate that if CHAP isn’t an option for you does exist. You could isolate iSCSI traffic to a dedicated out-of-band or non-routed network to help mitigate that. The risk with not using CHAP is of course MitM, which is why isolated networks could be a partial mitigation for you.
