VMworld 2014: DISA STIG vSphere 5 Deep Dive

Session INF1273

This was a very technical session on how to implement the DISA STIG’s (security lockdowns) for DoD/Government customers. Many of the slides contained script snippets that help automate the process. Thus my session notes are very light. If you are a U.S. Government Federal customer that must comply with the STIG’s, then look at the reference slide I have below. The speaker’s automated scripts and VIBs are located on a CAC-only web site for you to download. If you attended VMworld, then listen to this session and gain some insights on issues the authors found and how to overcome them.

STIGS are broken up into three area: hosts, VMs and vCenter

Checking VM settings with PowerCLI: Easiest report to create since it relies most only VMX settings

Checking ESXi settings with Power CLI: Most host STIG controls cannot be queried via exposed APIs. Shows a script that uses Plink and PowerShell to query settings.

Checking vCenter controls with PowerCLI: Very manual process.

ESXi host hardening requires changing of permanent files or adding new files. They will be non-persistent and disappear upon reboot.

ESXi5-CPT: Graphical tool to create VIBs that can replace files on ESXi hosts.

Use ‘ESXcli vib install -d <path> -no-sig-check’ to install the custom VIB or PowerCLI

Additional tools: vCenter Configuration manager (vCM), Nessus scanner, VMware compliance checker, DoD Forge.mil project







Print Friendly, PDF & Email

Related Posts

Notify of
1 Comment
Newest Most Voted
Inline Feedbacks
View all comments
William Payton
February 2, 2018 10:31 pm

Where is the link for the automatic scripts you mentioned? Thanks