Thanks for all the work on the VIBs.. However some of the settings inside the VIB I have to undo so I can support other cyber functions in the tactical space, is there any way to update the VIB? Should I just edit our custom ISO vsphere install and just copy contents out to apply during install? Should I just deploy the VIB and have systems undo the STIGs needed for their systems and document?

Hi pacificeve,

Please reach out to stigs@vmware.com so we can discuss your scenario and see what we can do to help.

Is there any movement on making the 7.0 version Production ready?

Hi Joe there are no plans to productize the VIB but to eliminate the need for it by enabling programmatic access to the settings that do not have it.

I dont see a valid STIG to check with the cyber mill to check against. Just trying to see how to get it prod approved :)

Is there a timeline on the 7.0.2 version? We are building out a new environment and the 7.0.1 version does not seem to work as it is not setting any of the STIG settings on a 7.0.2 host.

Hi Justin the 7.0 VIB should only update the sshd_config file. Are you seeing that not updated at all?

There are some setting that are good. However, these settings are not being updated:

GSSAPIAuthentication no
GSSAPIAuthentication no
MaxSessions 1

Will this be updated to do most of the STIG settings? Or will it not be until an actual 7 checklist comes out?

Yes, I just applied the 7.0 STIG VIB to one of my ESXi 7 hosts and noticed "KerberosAuthentication no" also seems to be missing.

One thing I am also noticing is that after applying the VIB I can no longer access SSH even when turning the service on. I get immediately rejected, no login prompt. SSH was working fine beforehand. I have not yet tried to remove the VIB and see if connectivity is restored. Wondering if anyone else was seeing this behavior.

Ok so the 7.0 VIB was created against a draft of our 7.0 STIG and the settings will be different from the 6.5 or 6.7 STIGs. GSSAPIAuthentication for example is a deprecated option in the ssh version ESXi 7.0 is running.

Hi - I see that the GitHub code base has been updated for the official DoD 6.7 v1r1 STIG which released a few weeks ago. In looking at the changelog for the 6.7 VIB it doesn't seem like the VIB has been updated yet to reflect these changes. Can you please confirm if the vmware_dod_stig_vibs_6.7_1.0.0.zip VIB is written to cover the new DoD 6.7 STIG v1r1?

Thanks!

Hi Jay. Yes with the exception of the ciphers list it covers the 6.7 STIG V1R1. The ciphers will be updated in the next revision of the STIG which will then match the VIB.