In the new 6.5 STIGs the ciphers required (ESXI-65-000010) are listed as aes256-ctr,aes192-ctr,aes128-ctr. When running the check on a ESXi Host with the STIG vib installed the results returned are aes128-ctr,aes192-ctr,aes256-ctr. Is this a Vib issue or does the STIG wording need to be changed?

No technical issue. The wording was updated it seems in order of strongest to weakest cipher but either order is fine.

Is there a way to see the info in the VIB? We would like to add things to the VIB that would be specific to us, so we wouldnt have to follow up with another powercli script etc after.

Joe it's not possible to alter the VIB because it is signed which would break that. It is possible to create your own custom VIB but it would not be officially signed and usable through VUM/VLCM.

Sorry if this has been addressed - is there a list (or way to check) that shows all the settings this VIB touches?

I did phrase that well. Is there a list of 6.7 STIG IDs that the VIB remediates?

No the documentation hasn't been updated with STIG IDs since the 6.7 STIG came out but it is all controls relating to the /etc/ssh/sshd_config, /etc/pam.d/passwd, and /etc/vmware/welcome files.

Actually /etc/pam.d/passwd it not part of the latest 6.7 VIB sorry about that.

Thanks for all the work on the VIBs.. However some of the settings inside the VIB I have to undo so I can support other cyber functions in the tactical space, is there any way to update the VIB? Should I just edit our custom ISO vsphere install and just copy contents out to apply during install? Should I just deploy the VIB and have systems undo the STIGs needed for their systems and document?

Hi pacificeve,

Please reach out to stigs@vmware.com so we can discuss your scenario and see what we can do to help.