This was a very technical session on how to implement the DISA STIGs (security lockdowns) for DoD/Government customers. Many of the slides contained script snippets that help automate the process. Thus my session notes are very light. If you are a U.S. Government Federal customer that must comply with the STIGs, then look at the reference slide I have below. The speaker’s automated scripts and VIBs are located on a CAC-only web site for you to download. If you attended VMworld, then listen to this session and gain some insights on issues the authors found and how to overcome them.
STIGs are broken up into three areas: hosts, VMs and vCenter.
Checking VM settings with PowerCLI: Easiest report to create, since it relies mostly on VMX advanced settings, which PowerCLI exposes directly.
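As an added example (not the speaker’s script, and not from the session slides), this is the shape of a PowerCLI audit of VMX advanced settings. It assumes PowerCLI 5.x with Get-AdvancedSetting / New-AdvancedSetting and an existing Connect-VIServer session. The setting names and values are the familiar isolation and logging controls from the vSphere hardening guide, used here only as illustration; take the authoritative names and values from the VM STIG you are auditing.

```powershell
# Added example, not the session's code. Assumes PowerCLI 5.x and that
# Connect-VIServer has already been run. Setting names/values below are
# illustrative hardening-guide controls, not a transcription of the STIG.
$Expected = @{
    'isolation.tools.copy.disable'         = 'true'
    'isolation.tools.paste.disable'        = 'true'
    'isolation.tools.dnd.disable'          = 'true'
    'isolation.tools.setGUIOptions.enable' = 'false'
    'isolation.tools.diskShrink.disable'   = 'true'
    'isolation.tools.diskWiper.disable'    = 'true'
    'isolation.device.connectable.disable' = 'true'
    'isolation.device.edit.disable'        = 'true'
    'RemoteDisplay.maxConnections'         = '1'
    'tools.setInfo.sizeLimit'              = '1048576'
    'log.keepOld'                          = '10'
    'log.rotateSize'                       = '100000'
}

function Test-VmStigSettings {
    param(
        [Parameter(Mandatory=$true)] $VM,
        [hashtable] $Expected,
        [switch] $Remediate   # when set, write the expected value where it is missing or wrong
    )
    foreach ($name in $Expected.Keys) {
        # A key that is absent from the VMX comes back as nothing, not as an error.
        $setting = Get-AdvancedSetting -Entity $VM -Name $name -ErrorAction SilentlyContinue
        $actual  = if ($setting) { [string]$setting.Value } else { '<not set>' }
        $ok = ($actual -ieq $Expected[$name])
        if (-not $ok -and $Remediate) {
            # New-AdvancedSetting creates the key; -Force overwrites an existing one.
            # Most isolation.* settings only take effect at the VM's next power-on.
            New-AdvancedSetting -Entity $VM -Name $name -Value $Expected[$name] -Force -Confirm:$false | Out-Null
        }
        New-Object PSObject -Property @{
            VM       = $VM.Name
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Status   = if ($ok) { 'PASS' } elseif ($Remediate) { 'FIXED' } else { 'FAIL' }
        }
    }
}

# Audit every VM in the inventory and hand the findings to the auditor as CSV.
$results = Get-VM | ForEach-Object { Test-VmStigSettings -VM $_ -Expected $Expected }
$results | Where-Object { $_.Status -ne 'PASS' } |
    Select-Object VM, Setting, Expected, Actual, Status |
    Export-Csv -NoTypeInformation -Path .\vm-stig-findings.csv
$results | Group-Object Status | Select-Object Name, Count
```

Run it read-only first; add -Remediate only after the findings have been reviewed, since it reconfigures every VM that drifts from the expected values.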
Checking ESXi settings with PowerCLI: Most host STIG controls cannot be queried via the exposed APIs. The speaker showed a script that uses Plink (PuTTY’s command-line SSH client) together with PowerShell to query those settings over SSH.
Checking vCenter controls with PowerCLI: Very manual process.
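As an added example of the Plink approach (again not the speaker’s script), this pulls /etc/ssh/sshd_config from each host in the vCenter inventory and compares a handful of directives. It assumes SSH has been enabled on the hosts for the duration of the audit and is disabled again afterwards, that PuTTY has already cached each host’s SSH key (plink -batch refuses to connect to unknown hosts rather than prompt), and that root authenticates with the PuTTY key file in $KeyFile so no password appears on a command line. The directive list is illustrative; take the authoritative one from the ESXi STIG.

```powershell
# Added example, not the session's code. Assumes PuTTY's plink.exe, cached
# host keys, key-based root login, and an existing Connect-VIServer session.
$Plink   = 'C:\Program Files (x86)\PuTTY\plink.exe'   # assumed install path
$KeyFile = 'C:\audit\esxi-audit.ppk'                  # assumed audit key

# Illustrative sshd_config directives; replace with the STIG's own list.
$ExpectedSshd = @{
    'Protocol'                = '2'
    'PermitRootLogin'         = 'no'
    'IgnoreRhosts'            = 'yes'
    'HostbasedAuthentication' = 'no'
    'PermitEmptyPasswords'    = 'no'
    'PermitUserEnvironment'   = 'no'
    'Banner'                  = '/etc/issue'
}

function Invoke-EsxiSsh {
    param([string]$HostName, [string]$Command)
    # -batch: never prompt, fail instead; key auth keeps the password out of the process list.
    $out = & $Plink -ssh -batch -l root -i $KeyFile $HostName $Command 2>&1
    if ($LASTEXITCODE -ne 0) { throw "plink to $HostName failed: $out" }
    $out
}

function Test-EsxiSshdConfig {
    param([string]$HostName, [hashtable]$Expected)
    # Fetch the non-comment lines once and parse them locally (busybox grep, POSIX class).
    $lines  = Invoke-EsxiSsh -HostName $HostName -Command "grep -v '^[[:space:]]*#' /etc/ssh/sshd_config"
    $actual = @{}
    foreach ($line in $lines) {
        # "Directive value" -> hashtable; later duplicates overwrite earlier ones.
        if ($line -match '^\s*(\S+)\s+(.+?)\s*$') { $actual[$matches[1]] = $matches[2] }
    }
    foreach ($key in $Expected.Keys) {
        $value = if ($actual.ContainsKey($key)) { $actual[$key] } else { '<not set>' }
        New-Object PSObject -Property @{
            Host      = $HostName
            Directive = $key
            Expected  = $Expected[$key]
            Actual    = $value
            Status    = if ($value -ieq $Expected[$key]) { 'PASS' } else { 'FAIL' }
        }
    }
}

# Scope the audit to the hosts vCenter actually knows about.
Get-VMHost | Select-Object -ExpandProperty Name |
    ForEach-Object { Test-EsxiSshdConfig -HostName $_ -Expected $ExpectedSshd } |
    Select-Object Host, Directive, Expected, Actual, Status | Format-Table -AutoSize
```

The same Invoke-EsxiSsh wrapper serves any other file- or permission-based host control (a `cat`, `ls -l` or `grep` per control); only the parsing differs. Remember that the audit itself opens a service the lockdown wants closed, so turn SSH back off when the run is done.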
ESXi host hardening requires changing existing system files or adding new ones. Edits made directly on the host are non-persistent: ESXi loads its system files into a RAM disk at boot and only backs up a fixed set of configuration files, so other changed or added files disappear upon reboot. That is why the hardening content has to be packaged as a VIB that is part of the boot image.
ESXi5-CPT: Graphical tool to create VIBs that can replace files on ESXi hosts.
Use ‘esxcli software vib install -d <path> --no-sig-check’ (or the equivalent PowerCLI call) to install the custom VIB. Two caveats: -d expects a depot .zip, while a single .vib file is installed with -v; and a host will only accept an unsigned VIB if its acceptance level has been lowered first (‘esxcli software acceptance set --level=CommunitySupported’). Skipping the signature check removes the host’s only integrity check on the package, so apply it only to VIBs you built yourself.
Additional tools: vCenter Configuration Manager (vCM), Nessus scanner, VMware Compliance Checker, DoD Forge.mil project.