Where can I find the VIB for ESXi 6.7?

The current VIB made available is for ESXi 7.0, but there is no formal STIG released for that version yet.

Trey the 6.7 VIB is in the download drop down list as "vmware_dod_stig_vibs_6.7_1.0.0.zip".

I appreciate the feedback. Such a bonehead move on my part.

Is there a tool VMware provides that allows me to change or customize the vib file?

Is it possible to become a contributor to this project?

Trey there were at one time some 3rd party tools to create a custom VIB but I'm not up to date on their current status. Do note if they do exist you would only be able to create a VIB that is not officially signed and would not be usable through VUM/vLCM and only installable from the command line by ignoring the verification process.

Fling contributors are limited to VMware employees at this time.

Understood. Thank you.

The only customizations I would see useful, would be a correction for the SSH ciphers.

Per ESXI-67-100010, it states:

'# grep -i "^Ciphers" /etc/ssh/sshd_config

If there is no output, or the output is not exactly "Ciphers aes128-ctr,aes192-ctr,aes256-ctr", this is a finding.'

However, the ciphers employed by the vib are:

'aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'

Is it possible this vib could be updated to reflect meeting the requirement criteria?

The other thing that would be nice is to customize the login banner text. Just for customized environments that require that. But the current text does meet the requirement as it is.

Its January 2022 and this is still an issue. When the STIG says "is not exactly" the auditors really have no leeway, and they seem to be paid per "mistake" found.

I sent an email to DISA to confirm the ordering of the ciphers. They seem backwards in the STIG. You should try to negotiate the highest encryption first and from what I have read, openSSH does pay attention to the order they are listed in the config. The RHEL7 STIG makes a point of exactly matching both the ciphers and their order.

The current ESXi 6.7 STIG (v1r1) also seems to have dropped the SSH HMAC configuration, which I have also asked about, since both cipher/HMAC are still identified in the Red Hat Linux STIG. I asked if this was intentional. The old ESXi 6.5 STIG had HMAC in the wrong order as well.

Sorry to nitpick. This VIB is a great assistant. If it werent for being signed, I'd just fix it myself.

A future version of the 6.7 STIG is correcting the ciphers to include the openssh.com ciphers so the VIB does not need to be updated.

But no customizations are not possible for the configurations the VIB is implementing.

Thank you!

One more question. Is there a VIB for the vCenter STIG requirements?

No a VIB is an ESXi only thing.

We're using vLCM and an image. Not sure how to apply this vib. I did look at:

https://core.vmware.com/blog/installing-esxi-kernel-modules-made-easy

and thinking that might work.

Were you able to try this? It looks like it should work but I have not tested it myself.

I ran into an issue where, after installing the VIB, my host failed during secure boot. I had to remove the secure boot setting, boot into the hypervisor and remove the VIB to get the host to boot.

Has anyone been able to create an ESXi 7.0 custom image with these VIBs applied? I have ran through the process but appears that the VIBs aren't taking.

Same.