Jan 24, 2020

Hello, I see this has been asked before below, but I wanted to revisit it since I didn't notice a clear answer. How do we make /etc/ssh/sshd_config writable again after the STIG VIB is installed, and why does it lock down that directory in the first place? Per the ESX 6.5 STIG, I need to get rid of the CBC ciphers in the sshd_config file, but it will not allow me to modify it when I try to write the changes in the vi editor. I can copy the file out of the directory, modify it, and copy it back, but after a host reboot the changes are reverted.

I have tried the following but nothing seems to be working:

chmod 600 /etc/ssh/sshd_config
chmod +t /etc/ssh/sshd_config
chmod 777 /etc/ssh/sshd_config
chmod 777 -R /etc

Feb 24, 2020

Not sure if you're still having this issue, but I've had success modifying the sshd_config file by creating a copy of the sshd file, deleting the original, and then modifying the newly created copy.

cp sshd_config sshd_config.bak
rm sshd_config
mv sshd_config.bak sshd_config
vi sshd_config (and it lets me save changes at that point)

Jan 24, 2020

Does anyone know what the STIG VIB does to lockdown the /etc/ssh/ directory and how to undo it besides uninstalling the VIB?

Jan 26, 2020

Hi Aaron, it is not intended to be able to modify the sshd_config when using the VIB, since it will be re-applied after a reboot anyway.

The 6.5 and 6.7 VIBs do not have CBC ciphers specified in them, so I'm not sure why you are seeing that, unless you are possibly using the 6.0 VIB?

Jan 29, 2020

Ryan, you are correct, I was using the wrong STIG VIB. I have 6.7 hosts and was using the 6.0 VIB initially, which had the CBC ciphers. I then mistakenly used the 6.7 VIB, which did not have CBC ciphers but did include the ciphers which still kept me out of STIG compliance. After finally realizing I needed to use the STIG VIB that correlated with the STIG version I was using (6.5... yes, I feel dumb), everything is right in the world. Thank you for your reply.

Any ETA on when the 6.7 VIB will come out?

Jan 29, 2020

The 6.7 VIB you used second is what we recommend for 6.7 and will match the 6.7 STIG content when it's released. 6.7's OpenSSH is a little newer than 6.5's, and there are new options like fipsmode which are in the 6.7 VIB.

Jan 29, 2020

Sorry, any ETA on when the 6.7 STIG checklist will be released?

Jan 28, 2020

Right, those are not CBC and will be included when the 6.7 content comes out.

Nov 15, 2019

I have been going through the latest DISA STIG release "U_VMWare_vSphere_6-5_STIG-1" and I noticed what might be a problem.

V-93967, V-94497
Check Text: Only FIPS-approved ciphers should be used. To verify that only FIPS-approved ciphers are in use, run the following command from an SSH session connected to the ESXi host, or from the ESXi shell:

# grep -i "^Ciphers" /etc/ssh/sshd_config

If there is no output or the output is not exactly "Ciphers aes128-ctr,aes192-ctr,aes256-ctr", this is a finding.

Check Text: Temporarily enable SSH, connect to the ESXi host and run the following command:

grep "enableTLS" /etc/sfcb/sfcb.cfg

If the output indicates that any protocol is enabled other than TLSv1_2, this is a finding.

Is there a reason you added, to sshd_config? Perhaps an upcoming 6.7 STIG release by DISA?
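The two Check Text procedures quoted in this post are easy to script so that a reviewer gets a pass/finding verdict instead of eyeballing grep output. The following POSIX sh checker is an added example written for this thread; it is not code from the STIG, the VIB, or any poster. It runs offline against constructed sample files, and the "key: value" layout of the sfcb samples is an assumption (the filter only looks at the enableTLS key names and the word "true", so the separator does not matter). On a host you would pass /etc/ssh/sshd_config and /etc/sfcb/sfcb.cfg, which are the default arguments of run_checks.

```shell
#!/bin/sh
# Added example, not from the thread or the STIG VIB: a POSIX sh checker that
# applies the two Check Text procedures above (V-93967/V-94497 Ciphers, and the
# sfcb enableTLS check) to a pair of config files and reports pass/finding.

# V-93967 / V-94497: the only compliant Ciphers line is the exact CTR list.
# Returns 0 when compliant, 1 for a finding (no Ciphers line, or a different
# or duplicated one), which matches "not exactly ... is a finding".
check_ssh_ciphers() {
    expected='Ciphers aes128-ctr,aes192-ctr,aes256-ctr'
    # Same grep the STIG uses; "|| :" keeps a no-match from aborting under set -e.
    actual=$(grep -i '^Ciphers' "$1" 2>/dev/null || :)
    [ "$actual" = "$expected" ]
}

# sfcb TLS check: any enableTLS* setting other than TLSv1_2 whose value is
# "true" is a finding. Returns 0 when only TLSv1_2 is enabled.
check_sfcb_tls() {
    offending=$(grep 'enableTLS' "$1" 2>/dev/null | grep -v 'enableTLSv1_2' \
        | grep -i 'true' || :)
    [ -z "$offending" ]
}

# Run both checks and print one line per check; returns 0 only if both pass.
run_checks() {
    ssh_cfg=${1:-/etc/ssh/sshd_config}
    sfcb_cfg=${2:-/etc/sfcb/sfcb.cfg}
    rc=0
    if check_ssh_ciphers "$ssh_cfg"; then
        echo "PASS    V-93967/V-94497 Ciphers line in $ssh_cfg"
    else
        echo "FINDING V-93967/V-94497 Ciphers line in $ssh_cfg missing or not the FIPS CTR list"
        rc=1
    fi
    if check_sfcb_tls "$sfcb_cfg"; then
        echo "PASS    sfcb enableTLS in $sfcb_cfg (only TLSv1_2 enabled)"
    else
        echo "FINDING sfcb enableTLS in $sfcb_cfg enables a protocol other than TLSv1_2"
        rc=1
    fi
    return $rc
}

# Constructed sample config files (not copied from any host), written to a
# temp directory whose path is printed. The sfcb "key: value" layout is assumed.
make_samples() {
    dir=$(mktemp -d)
    printf 'Port 22\nCiphers aes128-ctr,aes192-ctr,aes256-ctr\n' > "$dir/sshd_good"
    printf 'Port 22\nCiphers aes128-cbc,3des-cbc,aes128-ctr\n' > "$dir/sshd_cbc"
    printf 'Port 22\n' > "$dir/sshd_missing"
    printf 'enableTLSv1: false\nenableTLSv1_1: false\nenableTLSv1_2: true\n' > "$dir/sfcb_good"
    printf 'enableTLSv1: true\nenableTLSv1_1: false\nenableTLSv1_2: true\n' > "$dir/sfcb_bad"
    echo "$dir"
}

# Demonstration on the constructed samples: a compliant pair, then a pair with
# CBC ciphers and TLSv1 enabled (which should produce two findings).
samples=$(make_samples)
run_checks "$samples/sshd_good" "$samples/sfcb_good"
run_checks "$samples/sshd_cbc" "$samples/sfcb_bad" || echo "sample host is out of compliance"
```

Because the VIB re-applies its sshd_config at boot, a check like this is most useful run after a reboot or VIB update, so that a mismatch between the VIB version and the STIG version being assessed (the situation described later in the thread) shows up as a finding rather than going unnoticed.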

Nov 15, 2019

Sorry, didn't include the STIG IDs.

Nov 16, 2019

If you are referring to the 6.7 VIB then yes it is based on draft content as mentioned in the change log.

Nov 18, 2019

Sorry, yes, I am referring to the 6.7 VIB.

Nov 18, 2019

Ok, so to pass the current STIG release should I apply the 6.5-7 VIB?

Oct 07, 2019

Apologies, as this may have been answered previously, but has anyone experienced issues applying the vmware_dod_stig_vibs_6.7_1.0.0 against an HPE ESXi 6.7 custom image? (Currently running the latest ESXi 6.7, Build 14320388.)

Oct 07, 2019

What issue are you seeing?

Oct 09, 2019

As a follow-up: rebuilt an ESXi host with a fresh HPE custom ESXi 6.7 image and the 6.7 VIB deployed via VUM perfectly, and without a required reboot also ;) Thanks again for this.

Oct 08, 2019

Was getting a "check esxupdate.log" error via vCenter after trying to deploy via VUM. I was able to successfully apply the vmware_dod_stig_vibs_6.7_1.0.0 VIB manually from an HPE custom image ESXi host using an absolute path via "esxcli software vib install -v /vmfs/volumes/data-store-xxx/xxx.vib -f". Still having issues deploying via VUM, though, for this latest ESXi 6.7 STIG version. Thanks again for this .vib work; it is much appreciated!

Oct 02, 2019

Is there a document that lists the STIG IDs addressed by the 6.5 version?

Oct 02, 2019

Hey Scott, here you go.