Thanks!

Do I understand correctly, that the ESXi 6.5 VIB must be installed prior to the ESXi 6.7 VIB in order to properly harden a 6.7 system? The 6.7 VIB cannot be used by itself?

The 6.7 VIB can be used by itself.

Is the bundle supposed to cause issue with the ha agent @ all. After i installed it multiple hosts complain and are unable to connect to vcenter ,but are working perfect when you connect to them directly.

there is a cat 1 violation if you don't have ssh version 2. The latest download removes this. Why was this done? Vmware has also said on the phone that line also need to be in the sshd file

That setting is deprecated in newer versions of openssh and is no longer a valid configuration so ssh is always running with protocol version 2 now.

can i edit the file back so it says Protocol 2 so it is no longer a violation

No you can't. If you want you show them the openssh release notes that it is no longer a valid option until DISA releases updated guidance for 6.7.

https://www.openssh.com/txt/release-7.6

if i uninstall the vib, will that make sshd_config writable again?

Yea uninstalling the VIB will restore all of those files to their default values and behavior.