Gabe,
It does not change lockdown mode or the status of the SSH service. Depending on which VIB you install it will disable root SSH access.
I don't know if anyone is using it with Nutanix and I haven't received any feedback so I can't comment there.
Ryan
This is not a full solution. It only implements part of the STIG process and therefore still requires a script to be run on a host-by-host basis. If they were serious about supporting a huge customer in the DoD they would release the full STIG process via a VIB and make it signed at partner or above. Afterall, it clearly states in the STIG Guide that it's a CAT 1 finding if it's a community signed VIB.
Until this happens, this is really of no use.
The alternative would be to make an authoring software readily available for multiple platforms which allows the DoD signature and then DISA changes the STIG requirements.
Phil I am in touch with your TAM and we will reach out to see what we can do to assist.
Did you happen to find a way to assist? As mentioned, having a community signed VIB wont fly. Not trying to sound ungrateful, but it really would be helpful if you worked with DISA and released a process/script that would remediate the majority of the STIG requirements.
Kevin we did have a discussion mostly around the intent and pain points this fling is meant to alleviate. The VIB in this fling is NOT created at a community supported acceptance level but is at VMware certified which is not against the STIG finding.
We did include PowerCLI commands in the vSphere 6 STIG where we could to help with that but not everything is scriptable and no customer implements the STIG the same so there's no one size fits all solution that will work for everyone.
Where did you guys get the list of STIGS for Esxi 6 referenced in the Overview/Installation document? I haven't been able to find documentation for them yet.
Keith,
The DISA STIG for vSphere 6 was released recently. Here is a link to it.
http://iase.disa.mil/stigs/os/virtualization/Pages/index.aspx
Ryan
Thanks so much for putting this together Ryan. This is exactly what we need as well. Unfortunately as I read the Fling License terms this vib cannot be used in a production environment. Is there a way we can fast track getting some more friendly license terms?
Don,
Did you happen to see Mike Foley's blog article about this? He addresses this in one section but you are right the standard fling disclaimer says that you should not but that is something each organization will have to assess but I have no issues recommending it for production as long as the support stance is understood.
Ryan
Thanks Ryan, yes I did see the blog post too. Maybe we'll pursue the license issue through one of our programs (TAP, PVSP, IOVP, etc.). You and I as engineers understand but our legal teams live and die by the words in the license :(
Don
Does this VIB enforce Lock Down Mode, or disable SSH? How Nutanix friendly is this VIB?