Comment thread started by Theron Speer on DoD Security Technical Implementation Guide(STIG) ESXi VIB

I know that the default settings for ESXi 7.0U2 now match those that the stig.vib applied, aside from the welcome banner/message on dcui/host login webpage. But there have been some changes in the ciphers used, maybe a few other changes from the 6.5 stig vib settings.
Originally I was going to just ask if a stig.vib could be created that just installs the Govt required banner messages, but have another question.
About 700 of our hosts, we had running 6.5 + stig vib for 6.5, that we then upgraded to 7.0U2. My question is, will settings applied specifically from the 6.5 stig vib still be in place, or will all of the newer changes between the 6.5 stig.vib and the 7.0U2 out of the box defaults replace those settings, in this scenario where the ESXi has been upgraded. We performed the upgrade by booting to the 7.0U2 iso, and choosing “Upgrade”.

The banner no longer works after the above procedure, and upgrading stig vib to the 7.0_1.0.0.zip doesn’t correct the banner either. I fished the banner out of the 6.5 stig.vib, but applying that, the /Align or /AlignLeft, etc type tags no longer work, and the banner is all out of shape. This will still result in a finding when audited. Appears to be a bug in 7.0U2a (which we are still on) that the /Align tags seem broken, or maybe the syntax changed since the welcome messages are saved in different locations from what I have been able to determine. But we need to still apply that banner so a fling that just applies that would be useful.
But also, even though the 7.0U2 default settings match the remaining stig fling settings, I wonder if we should have a stig.vib that applies all of those same settings so that we can easily use that to roll out all of those settings, in the event that an Upgraded 6.5->7.0U2 host might possibly retain outdated setting from the older stig.vib. If the upgrade procedure we followed also upgrades all settings previously set by the 6.5 stig.vib, then a current fling with all of those settings isn’t necessary. But it would still be quite helpful to have a fling that just applies the govt banner.

Appreciate any help or clarification for these 2 issues that you can provide.

Hi Theron,

On your upgrade question it's been a while since I have gone through that workflow but since the VIBs have some version specific criteria defined I would expect them to be part of the packages that get left behind on an upgrade as described.

For the banner, depending on which one you are referring to...DCUI or SSH, these settings may no longer be controlled by the file we were previously replacing and instead part of an internal configuration store. Since these settings are available for modification from the UI or API/PowerCLI now there is no benefit to including them in the VIB as our primary reason for the VIB was to make it easy to apply these configurations that had no programmatic access.

The ESXi advanced settings "Annotations.WelcomeMessage" and "Config.Etc.issue" are available to set the banner.

I've found that on our systems that have been updated from 6.7 to 7.0, having the 6.5 or 6.7 vib loaded actually locks out changes on some settings, including "Annotations.WelcomeMessage".
The *really* interesting thing which worked with 6.5 or 6.7...
- With 6.5 or 6.7 vib loaded - Annotations.WelcomeMessage showed as blank and couldn't be edited via GUI or powercli.
- After I removed the vib (and rebooted), I could edit Annotations.WelcomeMessage. I put in a value of "test". The value showed correctly on console. So far so good.
- I reinstalled the vib, and Annotations.WelcomeMessage went back to blank and I was unable to edit
- I removed the vib again, and not only could I edit Annotations.WelcomeMessage again, the "test" value returned!

Obviously 7.0 does something different with this kind of vib. My thought was that while 6.x only applies the settings from a vib on reboot, 7.0 actually actively forces it to those values.
Doesn't explain why the value showed blank, though.

Brian so I'm clear this scenario was with the 6.7 VIB installed on 7.0?

Yes, an ESXi 7.0u2 host with either the 6.5 or 6.7 vib installed (tried both) did this. The original host I found this on was one that had been upgraded from 6.7 to 7.0, but right now I'm testing various vibs on clean installs from the Cisco ESXi 7.0u3 ISO onto some B200M3 blades. Same result.
I have not verified that I'm using the very latest version of the 6.5 and 6.7 vibs.
7.0 vib doesn't do this, but I don't see it doing anything else either...

We don't normally test the VIBs on mismatched versions of ESXi so I would recommend using the 7.0 version if needed. The 7.0 VIB doesn't touch the /etc/vmware/welcome file since that file is no longer used to set this banner in 7.0.

Should add that I'm doing it via a straight esxcli software vib install/remove, rather than update manager. The hosts I'm testing on aren't in a vcenter anyway.