Jan 27, 2016

So I had a chance to load this VIB into our test lab. Here are some of the quirks I found. Before I even applied the VIB I used the blog post you mentioned in the comments to change the logon banner to our company approved text. The PowerCLI worked well enough and I was able to change the banner to our company approved text.

I then applied the VIB using VUM and rebooted the host (ESXi 5.5). To my surprise the login banner still had my company text and not the standard government text. I expected the VIB to override what I had done with PowerCLI. This was not the case. This was an unexpected bonus as I didn't have to re-run the PowerCLI commands.

One annoyance I did find after the VIB install was that the /etc/issue file had become read only. When I tried to use vi to edit the text to fit our company approved banner it would not let me save the changes. I tried modifying the permissions to the /etc/issue to allow me to save changes (chmod) but still it would not let me save the changes. I had to delete the /etc/issue and recreate one to finally be allowed to add our company banner text. Prior to installing the VIB I was able to edit the /etc/issue with no problems.

Thoughts?

Other than that the VIB worked well. It essentially put all the settings I had done manually via command line with a few mouse clicks in VUM.

Jan 27, 2016

Federico, the read-only condition on the files this is replacing is a side effect of the VIB. What I have done when needing to alter one of those files is to just make a copy, then chmod it, then replace the original, and it is then editable.

Jan 27, 2016

Ironically we were just in the process of manually creating a STIG compliance document and scripts.
This has the potential to be a life saver. Many thanks, we will deploy in our test lab and provide feedback.

Jan 26, 2016

One would also be very useful for the CIS benchmarks for the ESXi requirements.

Jan 26, 2016

This will be a very useful tool. We have been working on our ESX hardening policies including following some of the DoD STIG recommendations. One question, we are from the Canadian Government and the DoD console banner is not applicable (or possibly even legal) for our purposes. If we provided the appropriate text, could you produce a signed VIB with our wording in it?

Jan 26, 2016

+1 - In fact, can we edit the STIG rules? Are they in SCAP format?
Would be great if we could write new rules or load ones from other sources like CIS.

Jan 27, 2016

You would not be able to edit the contents of these VIBs, and we tried to make them as universal as possible for DoD customers, so customers not in that space would probably find parts of these, like the login messages, not acceptable.

Jan 27, 2016

I'm not sure VMware can create a VIB that would allow users to change its contents; that would make the VMware signed package invalid if we could add stuff ourselves.

Apr 09, 2020

I know the above comment is 4 years old, but I find myself coming to this page often enough to find it worth a comment:

>> The following applies to ESXi 7.0, I know it's less of an issue in 6.7. <<
The mentioned blog only applies to the welcome message on the DCUI. VMware [in their infinite wisdom] has found it necessary to put the login message for the web login in a different place (even though they can use the same text blob).
The web login text blob is [by default] picked up from the text placed in /etc/vmware/welcome ... and is utterly useless after applying the DoD STIG fling, because the fling locks down that file completely and prevents any change to the file (don't bother with that).
The login web page picks up the text blob from a text file in the web root, welcome.txt. That file is a link to the /etc/vmware/welcome file. The link is restored on reboot so any change to the link won't persist.

The only way I have found to solve this is by:
1 - Creating a new text file with my welcome text-blob and saving it in the datastore.
2 - Adding an entry to the /etc/rc.local.d/local.sh which on every reboot edits the soft link in the web folder ... with something like this:
ln -fs "/vmfs/volumes/Datastore1/welcome.txt" "/usr/lib/vmware/hostd/docroot/ui/welcome.txt"

Sep 09, 2020

The above fix doesn't really work permanently; for some reason the makers of the VIB really, REALLY, R E A L L Y want the USG disclaimer to be the ONLY disclaimer used in the whole world, so they bent over backwards to make extra sure that no other disclaimer than the USG disclaimer exists in the system. If you want a non USG disclaimer, you cannot use this VIB.