In case anyone missed it DISA posted a brand spank’n new ESXi 5 STIG revision on Friday, January 24th.

ESXi 5 STIG Version 1 Revision 4

Now, I want to point out a few things about this revision.  First off, I teamed up with a great engineer working for DISA FSO to basically rewrite most of the ESXi 5 Server portion of this STIG.  We put a lot of work into that section and I was proud of the result.  If you’ve had trouble implementing the ESXi 5 Server piece in the past, please take a look at the changes in revision 4.  You can see from the release notes alone that dozens of checks were changed, and several deleted altogether.

Additionally, a lot of the posts on this blog are now moot if you’re using revision 4.  Why?  Because we essentially used this blog as a point of reference in the rewrite.  I’ll be leaving the posts up here, but will note in them that they contain pre-revision 4 information.

Finally I wanted to mention our Forge.mil Community Project for ESXi STIG Automation.  If you haven’t signed up for this project yet, please do so.  We will use revision 4 as the focal point for its development.

As I’ve alluded to in some previous articles, I’ve started up a software.forge.mil community project on ESXi 5 STIG automation.  Why Forge.mil?  Well, quite simply, to help with credibility.  The best way to apply the ESXi 5 STIG settings is by way of a VIB, but a VIB created and deployed in this fashion will be unsigned while needing a higher than Community acceptance level.  That is, as you know, a STIG issue in itself.  A bit of a chicken-and-egg problem, if you know what I mean.  So to help combat that, I decided to post this as a community project on Forge.mil.  If this is to be useful it must be trusted by the IA community within DoD.

Now, all that aside, let’s talk business.  First thing you need to do is go join the project!  Even if you do not plan to directly participate please join the project anyway.  This way we can show numbers and interest from the DoD community.  Trust me, things like this gain a life of their own and contribute a great deal to decisions made in development within VMware (you’d think).  Additionally, numbers and involvement will help drive IA acceptance of the tool as well.  NOW JOIN!

Project Site: ESXi STIG Toolset (CAC Required)

Now, you’ve joined the project, right?  Ok, next… read.  Take a look at the project charter and get familiar with project controls.  You’ll notice there’s a Discussion tab in the project console.  Use it.  Post questions, code snippets, and general information here.  That way everyone involved will benefit.

Next take notice of the Tracker tab.  This is a bug / feature tracker if you will.  As we progress along we should place features and bugs in this tracker.  Again, it helps everyone if we follow a standard.

File Releases is next.  Here is where we will place pre-built VIB versions for download, along with their code.  If you are familiar with source control: we will build a branch and tag it as a release, and those artifacts will go here.

Finally, there is the Source Control tab.  Within this tab you will see a Development repository.  This is where we will keep all the project files.

Now let’s get to building.  I’ll post a follow-up article on my ideas as to how we move forward.  What I ask of you is involvement.  Share your scripts and ESXi STIG settings within the project discussion group.  This is a community project.  I’ll be working on the build automation and documentation.  I need help with the rest of it.  I’ll cover what that is in the next article.  Until then, join the project!  I’ll be posting updates here and via e-mail through the project group itself.

Note: As of right now, only the project site itself and a minimal repository file structure have been established.  The real content will come.  Keep an eye here for a follow-up post and join the group for e-mail notification.

Anyone that has tried to apply the ESXi STIG knows the pain it can cause, especially across multiple hosts.  Settings don’t stick, special scripts must be created, and local files need to be changed.  Doing this once is a pain, doing it across your data center will drive one to drink.  How can this be made easier?

The answer could be a custom VIB.  Using a VIB can resolve the missing or non-sticky file issue, and populate the settings for you, but is that really a viable solution for the Federal data center?  Short answer, it depends.  Let’s dive into the reasons.

Continue reading

That’s right, revision 4 of the ESXi 5 STIG is right around the corner. You should see it in mid to late January, barring any issues during sign off at DISA.

So, what are the changes you ask?  Well, there are quite a few, and I shouldn’t derail the DISA FSO process by posting them early. However, I can tell you this. The assigned DISA engineer and I sat down for several hours and pretty much rewrote a large majority of the platform portion of the STIG. A special thanks should go out to that engineer, Joe. He absolutely set out to make a much more user friendly and accurate document, and I believe he did.  Well done and thanks Joe!

Another thing you will notice is a striking resemblance to this blog and its guidance in the checks and fixes of the next revision!  Each and every one of you helped to contribute to that knowledge. So, in a sense, you all had a hand in the rewrite, since a large portion of the content was pulled from this site. Thanks to all of you for correcting and adding to what I provided here.  I absolutely consider this not only a community effort, but a success at that.

Kudos and all that aside, this will undoubtedly not make everyone out there happy, nor will it cover each and every use case. The intent in this revision was to provide content that was achievable and possible to implement. You could say I was trying to work myself out of a blog. 🙂  The revision will not address everything for everyone, but it does work!  Remember, as always, the STIG is an implementation guide to controls that do not fit into every situation. Work with your IA teams and DAA on a plan that fits within your agency’s goals and security procedures.

Happy Holidays to all!


For years now VMware has traveled down the path of the Virtual Appliance.  It’s nothing new, but the approach has changed thanks to a few very key people within the company.

The Virtual Appliance of the past almost never saw an OS patch, was rarely hardened, and quite frankly scared Federal admins and IA groups for those reasons.  Truth be told, they all wanted to use them, but getting one approved was just too much of a hurdle.  That is quickly changing, and some of it has already changed without you even knowing it.

With 5.5 on the horizon you’re going to see a new breed of Virtual Appliance for products such as vCenter Server and vCenter Orchestrator that are all based upon a common OS, common set of services, and a common set of hardening.  No more one-offs, everything is going to a standard.  What does that mean for you?  A great deal from both the administrative and security point of view.

Continue reading

Note: This article covers material present in Version 1 Revision 3 and below.  Topics found below may be mitigated in the most current version of the ESXi 5 STIG.  Ensure you are using the most current version of the DISA STIG documents.

Ah the dreaded STIG. For many, a necessity by way of policy, but an implementation headache for all. Sadly the ESXi 5 STIG, released at V1R1 on August 9th 2013, will be no different.

In the spirit of VMFieldTips I will be taking you on a journey over the next few weeks through the ESXi 5 STIG. I will hit the head scratchers, problem points, and the just plain crazy.  Also, where appropriate, I will try and loop in the official VMware Security Hardening Guides if possible.  I know @mikefoley will be proud.

What this blog series is not:  It is not an official implementation guide by any means.  It is a compilation of questions and answers from the field on how to address, or in some cases securely work around, the findings in the ESXi 5 STIG.  It is completely open for comment and can be driven by you.  If I have not covered a specific finding yet, ask me for it.  If you have a better way, throw it into a comment on the article.  I will review, discuss, and possibly even add it into the article itself.  Blogs are a way to learn, share, and in this case overcome the intense feelings of insanity as you muscle through the ESXi 5 STIG.

The ESXi 5 STIG is made up of three parts, ESXi Server, vCenter Server, and VM (vmx).  I will start this series off in the ESXi Server portion of the STIG, a few findings at a time to reduce the time between posts.  Already, just from the start, we are going to have our work cut out for us.

Posts that are a part of this series will be linked below.  I will also provide the full STIG ID(s) in each post for easy searching and Google indexing.  Ok, now let’s get to it.

Blog Series Table of Contents:

Blog Series: ESXi 5 STIG – ESXi Server SSH Daemon

Blog Series: ESXi 5 STIG – File and Setting Persistence

Blog Series: ESXi 5 STIG – ESXi Server SSH Client

Blog Series: ESXi 5 STIG – ESXi Server Password Complexity Requirements

Update: VMware has now published a KB article covering this issue.  The fix steps provided there are the same as below.

Using Horizon View 5.2 Feature Pack 1 against a Windows XP desktop source, HTML Access connections fail with:

An error has occurred: {"code":"ECONNRESET"}

Subsequent tests against a Windows 7 Desktop source all function correctly, so I know my configuration is correct.  What’s the problem here, and is there a solution?

Great question, so what’s actually going on here?  It’s even talked about on Wee Kiong Tan’s blog here; he had the same issue, so let’s walk through what causes this.

Continue reading