Hi Joe, there are no plans to productize the VIB but to eliminate the need for it by enabling programmatic access to the settings that do not have it.
I don't see a valid STIG to check with the cyber mill to check against. Just trying to see how to get it prod approved :)
Is there a timeline on the 7.0.2 version? We are building out a new environment and the 7.0.1 version does not seem to work as it is not setting any of the STIG settings on a 7.0.2 host.
Hi Justin, the 7.0 VIB should only update the sshd_config file. Are you seeing that not updated at all?
There are some settings that are good. However, these settings are not being updated:
GSSAPIAuthentication no
GSSAPIAuthentication no
MaxSessions 1
Will this be updated to do most of the STIG settings? Or will it not be until an actual 7 checklist comes out?
Yes, I just applied the 7.0 STIG VIB to one of my ESXi 7 hosts and noticed "KerberosAuthentication no" also seems to be missing.
One thing I am also noticing is that after applying the VIB I can no longer access SSH even when turning the service on. I get immediately rejected, no login prompt. SSH was working fine beforehand. I have not yet tried to remove the VIB and see if connectivity is restored. Wondering if anyone else was seeing this behavior.
Ok so the 7.0 VIB was created against a draft of our 7.0 STIG and the settings will be different from the 6.5 or 6.7 STIGs. GSSAPIAuthentication for example is a deprecated option in the ssh version ESXi 7.0 is running.
Hi - I see that the GitHub code base has been updated for the official DoD 6.7 v1r1 STIG which released a few weeks ago. In looking at the changelog for the 6.7 VIB it doesn't seem like the VIB has been updated yet to reflect these changes. Can you please confirm if the vmware_dod_stig_vibs_6.7_1.0.0.zip VIB is written to cover the new DoD 6.7 STIG v1r1?
Thanks!
Hi Jay. Yes, with the exception of the ciphers list it covers the 6.7 STIG V1R1. The ciphers will be updated in the next revision of the STIG which will then match the VIB.
On the new 6.7 DoD STIG there is a requirement to add MaxSessions 1.
We are fully vSphere 7 and don't see an option to add this without removing the entire VIB.
Is there any knowledge that this STIG was deprecated?
Hi Roger. We removed MaxSessions from the 7.0 content after doing a review of this setting and found it to be of no value.
Hi Roger. The 7.0 VIB is based on our draft vSphere STIG content and will not always align to the 6.7 content and this particular setting has been removed in our 7.0 content.
Is there any movement on making the 7.0 version Production ready?