Note: This article covers material present in Version 1 Revision 3 and below. Topics found below may be mitigated in the most current version of the ESXi 5 STIG. Ensure you are using the most current version of the DISA STIG documents.
Before we move into Part 2 of the ESXi 5 STIG documentation we need to talk about file persistence and how to deal with it.
Note: This is UNSUPPORTED! Also, changes made to the rc.local and/or local.sh file may not persist after an update or upgrade. Take good configuration notes of your systems and verify once an update or upgrade is applied.
Those of you who have been using ESXi for a while know that files do not persist across reboots unless they are tagged by VisorFS as persistent. While this may be inconvenient at times, the reasons behind it are valid.
So, along the lines of the ESXi 5 STIG, we have a few things that we need to set and persist across reboots. Findings that have us modify existing files on ESXi are fine; we can modify those and the changes will typically persist. Always test with a reboot to ensure your settings stick. What about the findings where the configuration file doesn’t exist? The SSH client (ssh_config) settings are a prime example of this. ESXi 5+ does not currently have an ssh_config file present in /etc/ssh, so any attempt to create and populate one with settings will be lost on reboot. That’s a problem for you SAs out there needing to comply with the STIG.
How do I create configuration files and make them persist, you ask? Smoke and mirrors, my friend. Persist by way of recreation at boot. You could do this with a custom package file too, but that violates another STIG setting, so let’s stick with this method for now.
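As an added illustration of the recreate-at-boot approach (this is example code, not from the original post or from VMware), the following POSIX sh functions rebuild an ssh_config and then verify it, so the same verification can be re-run after the reboot test the post recommends. The ssh_config directives, the boot script path (/etc/rc.local.d/local.sh is assumed) and the target path argument are assumptions standing in for whatever the STIG finding actually requires.

```shell
#!/bin/sh
# Added example: recreate a client ssh_config at every boot from a persistent
# boot script (assumed: /etc/rc.local.d/local.sh), since files created by
# hand under /etc/ssh are not tagged persistent by VisorFS and vanish on reboot.
# The directives below are assumed placeholders, not the STIG's actual values.

# Write the desired ssh_config to the path given in $1
# (default /etc/ssh/ssh_config); creates the directory if missing.
write_ssh_config() {
    target="${1:-/etc/ssh/ssh_config}"
    dir=$(dirname "$target")
    [ -d "$dir" ] || mkdir -p "$dir"
    # Quoted heredoc: nothing inside is expanded by the shell.
    cat > "$target" <<'EOF'
# Generated at boot by local.sh; manual edits here are lost on reboot.
Host *
    Protocol 2
    StrictHostKeyChecking ask
    ForwardAgent no
    ForwardX11 no
EOF
    chmod 0644 "$target"
}

# Check that the file exists and still carries every required directive.
# Returns 0 when compliant, 1 otherwise, so it doubles as a post-reboot test.
verify_ssh_config() {
    target="${1:-/etc/ssh/ssh_config}"
    [ -f "$target" ] || return 1
    for directive in "Protocol 2" "ForwardAgent no" "ForwardX11 no"; do
        grep -q "^[[:space:]]*$directive\$" "$target" || return 1
    done
    return 0
}

# On the host, the boot script would end with a line such as:
#   write_ssh_config /etc/ssh/ssh_config && verify_ssh_config /etc/ssh/ssh_config
```

Run verify_ssh_config again after the reboot test (and after any update or upgrade) to confirm the boot script is still being executed.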