Please provide your feedback in this short Flings' survey.
Go back to fling details
fling logo

DoD Security Technical Implementation Guide(STIG) ESXi VIB

This VIB has been developed to help customers rapidly implement the more challenging aspects of the vSphere STIG. These include the fact that installation is time consuming and must be done manually on the ESXi hosts. In certain cases, it may require complex scripting, or even development of an in-house VIB that would not be officially digitally signed by VMware (and therefore would not be deployed as a normal patch would).

Community
Comments 301 Bugs 4
profile picture of Tyler
Tyler
Jun 22, 2020

Has anyone tested if we can apply the 6.7 ESXI VIB to a 7.x ESXI install?

profile picture of Tyler
Tyler
Jun 22, 2020

I ask because I know that there isn't even a draft STIG out for 7 yet from DISA, but we want to start looking at 7 in some dev clusters and want to leverage existing STIGs if they are applicable without breaking things.

profile picture of J E
J E
Jun 16, 2020

Can these VIBs be used to harden the VCSA itself or is there another procedure?

profile picture of Ryan Lakey
Ryan Lakey
Jun 16, 2020
profile picture of Carmo
Carmo
Sep 09, 2020

The VIB is actually _only_ for US government use. For some obscure reason things like the disclaimer cannot be permanently changed after the VIB is deployed, the USG disclaimer will overwrite anything added later.
Why this has been done this way is a complete mystery and only means anyone outside USG have to abandon this VIB and use some other means to automate post install hardening, like PowerCli-scripts.
It worked fine in 6.7 but as of 7.0 I'm forced to abandon this VIB, it was great and useful while it lasted!

profile picture of Carmo
Carmo
Sep 09, 2020

I'm sorry if i come off as salty and bitter since that's certainly not the case, these VIB's have saved me tons of time over many deployments the last few years and I'm super grateful for the work put in to keep them updated!
It has slowly dawned on me that the issues with applying this most likely have nothing to do with the VIB itself, but depends on the way ESXi 7 applies VIB's. It would seem that ESXi 7is more agressive in keeping the settings of the VIB's applied and will reapply settings if they're altered from those in the VIB.
There's no apparent solution to this, i guess a STIG VIB without the disclaimer would work, letting non USG users apply their own. Just an idea.

profile picture of TJ
TJ
Jun 02, 2020

Is there an anticipated release timeline for a 7.0 VIB?

profile picture of Ryan Lakey
Ryan Lakey
Jun 07, 2020

Tj no time frame at this point.

profile picture of Kevin
Kevin
May 28, 2020

Having an issue when the script gets to ssh_root_authorized_keys. The GET is returning a 404 error. I have run the command manually and get the 404 error- but when I SSH into the host, the file is there and empty. Has anyone else seen this?

profile picture of Ryan Lakey
Ryan Lakey
Jun 07, 2020

Hey Kevin. Are you referring to a script over on github that handles the other parts of the STIG the VIB does not?