Hot off the press: DISA has released the VMware vSphere 5 STIG, which covers the vCenter, ESXi and VM components. For those of you familiar with U.S. Government IT systems, you’ve probably heard of the DISA STIGs. STIGs are Security Technical Implementation Guides, which set the security baseline for a variety of operating systems, network devices, and applications. Each one is basically a long checklist of hardening settings that the product should comply with. A fully STIG’d system usually won’t be very usable, so some open “findings” are normal in many environments; the point is to know which ones are open and why. Testing a post-STIG’d system is absolutely critical.
The process to create and approve the STIGs is quite lengthy, so their release for a product will generally lag the GA/RTM by months if not years. So it’s not surprising that the vSphere 5 STIGs are just now coming out, nearly two years after vSphere 5.0 hit the streets.
The STIGs for vSphere are publicly available, so even if you aren’t supporting US Government systems, they are definitely worth looking at. There are a lot of settings in there that you may not find elsewhere. You can find the download page here. When you go to that page you will see the following downloads.
What you really want are the ZIP files. Once you open the ZIP file, open the embedded ZIP file. Inside that you will see an XML file (the XCCDF benchmark), an XSL stylesheet, and possibly an image or two. Extract all the files to a single local directory, then open the XML file with a browser. The XML refers to the stylesheet sitting next to it, so keep them together or the browser will show raw XML instead of a readable checklist.
Once opened in your browser you will see a very long list of manual checks that you need to perform. An example is shown below. Most checks say where in the GUI or on the command line to look for, or configure, the hardening setting. There’s no automation tool that I’m aware of, so for a big environment this would be extremely time consuming.
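Reading the checklist in a browser is fine for a handful of hosts, but for a larger environment you will want it in a spreadsheet or tracking tool. The script below is an added example, not part of the original post or of DISA’s distribution: it opens the outer STIG ZIP, digs the XCCDF XML out of the embedded ZIP, and flattens every Rule into a CSV row (Vuln ID, Rule ID, STIG ID, severity, title, discussion, check text, fix text), sorted by severity. It assumes the XCCDF 1.1 namespace that DISA benchmarks of this era declare, and that the vulnerability discussion is stored as escaped pseudo-tags inside the description element, which is how DISA writes it. The benchmark embedded in the script is constructed for the example; its IDs and wording are placeholders, not real STIG content.

```python
"""Flatten a DISA STIG (ZIP inside ZIP, XCCDF XML inside) into a CSV checklist.

Added example, not DISA's or VMware's code. Usage: python stig2csv.py U_Some_STIG.zip
With no argument it runs against the constructed sample benchmark below.
"""
import csv
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

# XCCDF 1.1 namespace used by DISA benchmarks of this era (assumption; adjust if yours differs).
NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed sample in DISA's XCCDF layout. Placeholder IDs and text, not a real STIG.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="Example_ESXi_STIG">
  <title>Example ESXi Benchmark (constructed)</title>
  <Group id="V-EXAMPLE-1">
    <title>SRG-EXAMPLE-1</title>
    <Rule id="SV-EXAMPLE-1r1_rule" severity="medium" weight="10.0">
      <version>EXAMPLE-000001</version>
      <title>The SSH service must be disabled on the host.</title>
      <description>&lt;VulnDiscussion&gt;SSH exposes the host shell
remotely.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;</description>
      <fixtext fixref="F-EXAMPLE-1">Stop the SSH service and set its policy to manual start.</fixtext>
      <check system="C-EXAMPLE-1">
        <check-content>Review the host's Security Profile and confirm SSH is stopped.</check-content>
      </check>
    </Rule>
  </Group>
  <Group id="V-EXAMPLE-2">
    <title>SRG-EXAMPLE-2</title>
    <Rule id="SV-EXAMPLE-2r1_rule" severity="high" weight="10.0">
      <version>EXAMPLE-000002</version>
      <title>Lockdown mode must be enabled on the host.</title>
      <description>&lt;VulnDiscussion&gt;Lockdown mode limits direct host
access to vCenter.&lt;/VulnDiscussion&gt;</description>
      <fixtext fixref="F-EXAMPLE-2">Enable lockdown mode from the vSphere Client.</fixtext>
      <check system="C-EXAMPLE-2">
        <check-content>Confirm lockdown mode shows Enabled on the host.</check-content>
      </check>
    </Rule>
  </Group>
</Benchmark>
"""


def _text(elem, path):
    """Text of the first child matching path, with whitespace collapsed ('' if absent)."""
    node = elem.find(path, NS)
    return " ".join((node.text or "").split()) if node is not None else ""


def vuln_discussion(description):
    """DISA escapes pseudo-tags inside <description>; after XML parsing they are
    literal text, so pull the VulnDiscussion body out with a regex."""
    m = re.search(r"<VulnDiscussion>(.*?)</VulnDiscussion>", description, re.S)
    return " ".join((m.group(1) if m else description).split())


def parse_stig(xml_bytes):
    """Return one dict per Rule, sorted high -> medium -> low, then by Vuln ID."""
    root = ET.fromstring(xml_bytes)
    rows = []
    for group in root.findall("x:Group", NS):
        for rule in group.findall("x:Rule", NS):
            rows.append({
                "vuln_id": group.get("id"),
                "rule_id": rule.get("id"),
                "stig_id": _text(rule, "x:version"),
                "severity": rule.get("severity", "").lower(),
                "title": _text(rule, "x:title"),
                "discussion": vuln_discussion(_text(rule, "x:description")),
                "check": _text(rule, "x:check/x:check-content"),
                "fix": _text(rule, "x:fixtext"),
            })
    rows.sort(key=lambda r: (SEVERITY_ORDER.get(r["severity"], 9), r["vuln_id"]))
    return rows


def find_xccdf(outer_zip):
    """Open the outer STIG ZIP (path or file-like), descend into the embedded ZIP
    and return the benchmark XML as bytes. Prefers a file named ...xccdf.xml."""
    with zipfile.ZipFile(outer_zip) as outer:
        inner_names = [n for n in outer.namelist() if n.lower().endswith(".zip")]
        if not inner_names:
            raise ValueError("no embedded ZIP found in outer archive")
        with zipfile.ZipFile(io.BytesIO(outer.read(inner_names[0]))) as inner:
            xml_names = [n for n in inner.namelist() if n.lower().endswith(".xml")]
            if not xml_names:
                raise ValueError("no XML benchmark found in embedded ZIP")
            xml_names.sort(key=lambda n: ("xccdf" not in n.lower(), n))
            return inner.read(xml_names[0])


def build_sample_zip():
    """Constructed stand-in for a DISA download: a ZIP holding a ZIP holding XML + XSL."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Example_STIG-xccdf.xml", SAMPLE_XCCDF)
        z.writestr("stylesheet.xsl", "<!-- placeholder for the rendering stylesheet -->")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Example_STIG.zip", inner.getvalue())
    outer.seek(0)
    return outer


def to_csv(rows):
    """Render the flattened rules as CSV text, one header line plus one line per rule."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    source = sys.argv[1] if len(sys.argv) > 1 else build_sample_zip()
    sys.stdout.write(to_csv(parse_stig(find_xccdf(source))))
```

Point it at a real download and you get a row per check that you can hand out to administrators or load into whatever you track findings in; the discussion column is the justification you will need when you document why a finding stays open.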
VMware has its own very good set of hardening guides that you can find here. They are much more timely with their releases, so vSphere 5.1 guides are already available. To help automate the VMware-based checks you can use this great script by William Lam, here.