Summary
- The ability to use vSphere Update Manager ('VUM') to quickly deploy the VIB to ESXi hosts (you cannot do this with a customer created VIB)
- The ability to use VUM to quickly check if all ESXi hosts have the STIG VIB installed and therefore are also in compliance
- No need to manually replace and copy files directly on each ESXi host in your environment
- No need to create complex shell scripts that run each time ESXi boots to re-apply settings

Requirements
ESXi 5.x and 6.0 are supported but each have a different set of VIBs as the vSphere 5.0 and 6.0 STIGs have different requirements.
The following VIBs are provided for each ESXi version as follows:
ESXi 5.x
- dod-esxi5-stig-rd
- dod-esxi5-stig-re
ESXi 6.0
- dod-esxi6-stig-rd
- dod-esxi6-stig-re
Multiple versions of each VIB were created as marked by the “rd” and “re” in the filename. This designation is for root SSH enabled (“re”) and root SSH deactivated (“rd"). This designation is for root SSH enabled and root SSH deactivated. Depending on your organizational policies and whether or not it is possible to join ESXi to Active Directory will dictate which VIB fits your needs.
STIG ID SRG-OS-000109-ESXI5 for 5.0 and STIG ID ESXI-06-000014 for 6.0 requires root logins to be deactivated via SSH.
Instructions
Changelog
Update March 2021
- New ESXi 7.0 STIG VIB release
- Updated sshd_config file to meet the ESXi 7.0 Draft STIG which is also now the default config in 7.0 U2 with the exception of permitting root user logins.
- Removed /etc/vmware/welcome file from VIB since it can be configured via the UI or PowerCLI now with issue.
- Draft ESXi content can be found here: https://github.com/vmware/dod-compliance-and-automation/tree/master/vsphere/7.0/docs
- See the updated Overview and Installation guide included in the download.
Update September 2019
- New ESXi 6.7 STIG VIB release
- Updated sshd_config file. Removed protocol 2 setting as it is deprecated. Added "FipsMode yes" setting. Updated Ciphers and MACs for newer version of OpenSSH
- Removed /etc/issue and /etc/pam.d/passwd files from VIB as those settings can be set via advanced settings now
- Note - This VIB is based on draft STIG content! It is recommended to use this over the previous 6.5-7 STIG VIB
Update August 2018
- Updated 6.5 STIG VIB to resolve issue with it not being applicable to 6.7 in VUM.
- Also updated package to replace 6.0 version and root deactivated or root enabled for the same version if you are switching between them.
Update January 2018
- Added 6.5 STIG VIB to the downloads section. **Please note this is not based on a DISA STIG as a 6.5 STIG has not been released**
Update August 2016
- Updated 6.0 STIG VIB for the version 1 release 2 STIG. Added new ciphers in the sshd_config file
- Updated 5.x STIG VIB for the version 1 release 9 STIG. Removed AllowGroups setting in the sshd_config file
- Added MD5 and SHA1 hashes to the contents
- Updated documentation file
Contributors
Similar Flings
No similar flings found. Check these out instead...

vRealize Automation Health Monitor
vRealize Automation health Monitor is a one stop application, which provides you with all the necessary information to monitor the health of the vRealize Automation.

Horizon View Configuration Tool
The Horizon View Configuration Tool automates Horizon View 6.2 installation and deployment. It removes the complexities and manual steps required for setting up a basic Horizon View deployment.

USB Network Native Driver for ESXi
This Fling supports the most popular USB network adapter chipsets found in the market.

gemcached
gemcached is a memcached server written in Java that understands memcached's ASCII protocol and translates it into GemFire operations.

Mjolnir : Automation Library for VMware Mangle
Mjolnir is a python utility package that helps in performing fault injections on remote hosts. It is a lightweight python wrapper that consumes VMware Mangle REST APIs in backend to inject or remediate a fault on a host machine.

Distributed Trust Incident Reporting
Security incidents are important to track so that all parties know the status of a breach and can respond in concert and with appropriate speed. Current methods to track incidents are generally paper-based manual processes.