
DoD Security Technical Implementation Guide(STIG) ESXi VIB

version 7.0_1.0.0 — March 29, 2021

Summary

The DoD Security Technical Implementation Guide ('STIG') ESXi VIB is a Fling that provides a custom VMware-signed ESXi vSphere Installation Bundle ('VIB') to assist in remediating Defense Information Systems Agency (DISA) STIG controls for ESXi. The VIB was developed to help customers rapidly implement the more challenging aspects of the vSphere STIG: applying them is time consuming and must be done manually on each ESXi host, and in certain cases it requires complex scripting or even development of an in-house VIB, which would not be digitally signed by VMware and therefore could not be deployed the way a normal patch is. A VMware-signed VIB is needed because the files being replaced are system-level files, and such files cannot be modified at the community supported acceptance level. Using the VMware-signed STIG VIB gives customers the following benefits:
  • The ability to use vSphere Update Manager ('VUM') to quickly deploy the VIB to ESXi hosts (you cannot do this with a customer created VIB)
  • The ability to use VUM to quickly check if all ESXi hosts have the STIG VIB installed and therefore are also in compliance
  • No need to manually replace and copy files directly on each ESXi host in your environment
  • No need to create complex shell scripts that run each time ESXi boots to re-apply settings

Requirements

ESXi 5.x and 6.0 are supported, but each has a different set of VIBs because the vSphere 5.0 and 6.0 STIGs have different requirements.

The following VIBs are provided for each ESXi version:

ESXi 5.x

  • dod-esxi5-stig-rd
  • dod-esxi5-stig-re

ESXi 6.0

  • dod-esxi6-stig-rd
  • dod-esxi6-stig-re

Two versions of each VIB are provided, marked by “rd” and “re” in the filename: root SSH enabled (“re”) and root SSH deactivated (“rd”). Your organizational policies, and whether or not it is possible to join ESXi to Active Directory, will dictate which VIB fits your needs.

STIG ID SRG-OS-000109-ESXI5 for 5.0 and STIG ID ESXI-06-000014 for 6.0 require root logins via SSH to be deactivated.
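As an added example (not the Fling's own code), the following Python audit applies the rd/re distinction to an ESXi sshd_config: it uses sshd's first-value-wins rule for the PermitRootLogin keyword that the STIG IDs above target, and also checks the FipsMode and Protocol settings the changelog mentions. The sample configs are constructed for the example; the real VIB's file contents are not reproduced here.

```python
"""Audit an ESXi sshd_config for the root-login control the STIG VIB enforces.
Added example, not the Fling's code: classifies a config as the "rd" (root SSH
deactivated) or "re" (root SSH enabled) variant and flags settings from the changelog."""
import re
from typing import Dict, List, Tuple

# Constructed sample shaped like an "rd" variant; values assumed, not the VIB's real file.
SAMPLE_RD = """\
FipsMode yes
PermitRootLogin no
# sshd keeps the first value seen for a keyword, so this duplicate has no effect
PermitRootLogin yes
Match User nobody
    PermitRootLogin yes
"""
# Constructed sample that fails every check below.
SAMPLE_RE = "Protocol 2\nPermitRootLogin yes\n"


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Map each global keyword (lower-cased) to its first value, as sshd does.
    Lines inside a Match block apply only conditionally and are skipped."""
    settings: Dict[str, str] = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *rest = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if key.lower() == "match":
            in_match = True
        elif not in_match:
            settings.setdefault(key.lower(), rest[0].strip() if rest else "")
    return settings


def audit(text: str) -> Tuple[str, List[str]]:
    """Return the VIB variant the config matches plus any findings."""
    cfg = parse_sshd_config(text)
    findings: List[str] = []
    # A missing PermitRootLogin line does not satisfy the control, so it counts as "re".
    variant = "rd" if cfg.get("permitrootlogin", "").lower() == "no" else "re"
    if variant == "re":
        findings.append("PermitRootLogin is not 'no': the STIG requires root SSH logins deactivated")
    if cfg.get("fipsmode", "").lower() != "yes":
        findings.append("FipsMode yes is not set (added to sshd_config in the 6.7 STIG VIB)")
    if "protocol" in cfg:
        findings.append("Protocol line present: deprecated and removed in the 6.7 STIG VIB")
    return variant, findings
```

Run `audit()` over the contents of /etc/ssh/sshd_config copied from a host to see which variant it corresponds to and what still deviates from the settings the page describes.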

Changelog

Update March 2021

  • New ESXi 7.0 STIG VIB release
  • Updated sshd_config file to meet the ESXi 7.0 Draft STIG, which is also now the default config in 7.0 U2, with the exception of permitting root user logins.
  • Removed /etc/vmware/welcome file from the VIB since it can now be configured via the UI or PowerCLI without issue.
  • Draft ESXi content can be found here: https://github.com/vmware/dod-compliance-and-automation/tree/master/vsphere/7.0/docs
  • See the updated Overview and Installation guide included in the download.

Update September 2019

  • New ESXi 6.7 STIG VIB release
  • Updated sshd_config file: removed the Protocol 2 setting as it is deprecated, added the "FipsMode yes" setting, and updated Ciphers and MACs for the newer version of OpenSSH.
  • Removed /etc/issue and /etc/pam.d/passwd files from VIB as those settings can be set via advanced settings now
  • Note - This VIB is based on draft STIG content! It is recommended to use this over the previous 6.5-7 STIG VIB

Update August 2018

  • Updated 6.5 STIG VIB to resolve an issue with it not being applicable to 6.7 in VUM.
  • Also updated the package so that it replaces the 6.0 version, and replaces the root-deactivated or root-enabled VIB of the same version if you are switching between them.

Update January 2018

  • Added 6.5 STIG VIB to the downloads section. **Please note this is not based on a DISA STIG as a 6.5 STIG has not been released**

Update August 2016

  • Updated 6.0 STIG VIB for the version 1 release 2 STIG. Added new ciphers in the sshd_config file
  • Updated 5.x STIG VIB for the version 1 release 9 STIG. Removed AllowGroups setting in the sshd_config file
  • Added MD5 and SHA1 hashes to the contents
  • Updated documentation file
