DoD Security Technical Implementation Guide(STIG) ESXi VIB

Summary

The DoD Security Technical Implementation Guide ('STIG') ESXi VIB is a Fling that provides a custom VMware-signed ESXi vSphere Installation Bundle ('VIB') to assist in remediating Defense Information Systems Agency STIG controls for ESXi. This VIB has been developed to help customers rapidly implement the more challenging aspects of the vSphere STIG. These include the fact that installation is time consuming and must be done manually on the ESXi hosts. In certain cases, it may require complex scripting, or even development of an in-house VIB that would not be officially digitally signed by VMware (and therefore would not be deployed as a normal patch would). The need for a VMware-signed VIB is due to the system level files that are to be replaced. These files cannot be modified at a community supported acceptance level. The use of the VMware-signed STIG VIB provides customers the following benefits:

The ability to use vSphere Update Manager ('VUM') to quickly deploy the VIB to ESXi hosts (you cannot do this with a customer created VIB)
The ability to use VUM to quickly check if all ESXi hosts have the STIG VIB installed and therefore are also in compliance
No need to manually replace and copy files directly on each ESXi host in your environment
No need to create complex shell scripts that run each time ESXi boots to re-apply settings

Requirements

ESXi 5.x and 6.0 are supported but each have a different set of VIBs as the vSphere 5.0 and 6.0 STIGs have different requirements.

The following VIBs are provided for each ESXi version as follows:

ESXi 5.x

dod-esxi5-stig-rd
dod-esxi5-stig-re

ESXi 6.0

dod-esxi6-stig-rd
dod-esxi6-stig-re

Multiple versions of each VIB were created as marked by the “rd” and “re” in the filename. This designation is for root SSH enabled (“re”) and root SSH deactivated (“rd"). This designation is for root SSH enabled and root SSH deactivated. Depending on your organizational policies and whether or not it is possible to join ESXi to Active Directory will dictate which VIB fits your needs.

STIG ID SRG-OS-000109-ESXI5 for 5.0 and STIG ID ESXI-06-000014 for 6.0 requires root logins to be deactivated via SSH.

Instructions

Please see VMware DoD STIG VIB Overview and Installation(pdf).

Changelog

Update March 2021

New ESXi 7.0 STIG VIB release
Updated sshd_config file to meet the ESXi 7.0 Draft STIG which is also now the default config in 7.0 U2 with the exception of permitting root user logins.
Removed /etc/vmware/welcome file from VIB since it can be configured via the UI or PowerCLI now with issue.
Draft ESXi content can be found here: https://github.com/vmware/dod-compliance-and-automation/tree/master/vsphere/7.0/docs
See the updated Overview and Installation guide included in the download.

Update September 2019

New ESXi 6.7 STIG VIB release
Updated sshd_config file. Removed protocol 2 setting as it is deprecated. Added "FipsMode yes" setting. Updated Ciphers and MACs for newer version of OpenSSH
Removed /etc/issue and /etc/pam.d/passwd files from VIB as those settings can be set via advanced settings now
Note - This VIB is based on draft STIG content! It is recommended to use this over the previous 6.5-7 STIG VIB

Update August 2018

Updated 6.5 STIG VIB to resolve issue with it not being applicable to 6.7 in VUM.
Also updated package to replace 6.0 version and root deactivated or root enabled for the same version if you are switching between them.

Update January 2018

Added 6.5 STIG VIB to the downloads section. **Please note this is not based on a DISA STIG as a 6.5 STIG has not been released**

Update August 2016

Updated 6.0 STIG VIB for the version 1 release 2 STIG. Added new ciphers in the sshd_config file
Updated 5.x STIG VIB for the version 1 release 9 STIG. Removed AllowGroups setting in the sshd_config file
Added MD5 and SHA1 hashes to the contents
Updated documentation file

Contributors

Etienne Le Sueur

Lincoln Porter

Ryan Lakey

Similar Flings

No similar flings found. Check these out instead...

Jun 06, 2023

HCIBench

version 2.8.2

HCIBench stands for "Hyper-converged Infrastructure Benchmark". It's essentially an automation wrapper around the popular and proven VDbench open source benchmark tool that makes it easier to automate testing across a HCI cluster.

VMware vSAN

Nov 11, 2015

Auto Deploy GUI

version 5.0/5.1/5.5/6.0

Auto Deploy GUI is a front end interface to the Auto Deploy/Stateless infrastructure.

Auto Deploy

GUI

image profiles

VIB

Oct 17, 2011

CIM Plugin

version 1.0.0

The plugin is general enough to support other CIM compliant services and is not limited only to ESX. However the primary goal for developing the plugin was to expose ESX CIMOM in the vCenter Orchestrator. This affected the API design.

cim

reporting

vCenter Orchestrator

Jul 31, 2015

Jenkins Plugin for CodeStream

version 1.0

This open source Jenkins plugin Fling integrates VMware vRealize CodeStream with Jenkins.

jenkins plug in

open source

vRealize

Aug 07, 2020

Software-Defined Data Center Skywalk

version 1.0

We are solving the problem to auto register, discover, connect VPN's between VMC SDDC's on single click event. The Distributed Firewall DFW firewall policies are also mapped on user inputs from on-premise to VMC SDDC using this interface.

SDDC

Feb 25, 2016

VNC Server and VNC Client

version 2.0

This Fling is a stand-alone, cross-platform VNC implementation based on the remoting technology found in vSphere and VMware Workstation. It allows remote access to a desktop session running on another native system, or inside of a virtual machine.

VNC

Workstation