DoD Security Technical Implementation Guide(STIG) ESXi VIB

The DoD Security Technical Implementation Guide ('STIG') ESXi VIB is a Fling that provides a custom VMware-signed ESXi vSphere Installation Bundle ('VIB') to assist in remediating Defense Information Systems Agency STIG controls for ESXi. This VIB has been developed to help customers rapidly implement the more challenging aspects of the vSphere STIG. These include the fact that installation is time consuming and must be done manually on the ESXi hosts. In certain cases, it may require complex scripting, or even development of an in-house VIB that would not be officially digitally signed by VMware (and therefore would not be deployed as a normal patch would). The need for a VMware-signed VIB is due to the system level files that are to be replaced. These files cannot be modified at a community supported acceptance level. The use of the VMware-signed STIG VIB provides customers the following benefits:
  • The ability to use vSphere Update Manager ('VUM') to quickly deploy the VIB to ESXi hosts (you cannot do this with a customer created VIB)
  • The ability to use VUM to quickly check if all ESXi hosts have the STIG VIB installed and therefore are also in compliance
  • No need to manually replace and copy files directly on each ESXi host in your environment
  • No need to create complex shell scripts that run each time ESXi boots to re-apply settings
stigvib-large

ESXi 5.x and 6.0 are supported but each have a different set of VIBs as the vSphere 5.0 and 6.0 STIGs have different requirements.

The following VIBs are provided for each ESXi version as follows:

ESXi 5.x

  • dod-esxi5-stig-rd
  • dod-esxi5-stig-re

ESXi 6.0

  • dod-esxi6-stig-rd
  • dod-esxi6-stig-re

Multiple versions of each VIB were created as marked by the “rd” and “re” in the filename. This designation is for root SSH enabled (“re”) and root SSH disabled (“rd"). This designation is for root SSH enabled and root SSH disabled. Depending on your organizational policies and whether or not it is possible to join ESXi to Active Directory will dictate which VIB fits your needs.

STIG ID SRG-OS-000109-ESXI5 for 5.0 and STIG ID ESXI-06-000014 for 6.0 requires root logins to be disabled via SSH.

Please see VMware DoD STIG VIB Overview and Installation(pdf).

Update August 2016

  • Updated 6.0 STIG VIB for the version 1 release 2 STIG. Added new ciphers in the sshd_config file
  • Updated 5.x STIG VIB for the version 1 release 9 STIG. Removed AllowGroups setting in the sshd_config file
  • Added MD5 and SHA1 hashes to the contents
  • Updated documentation file
Add a Comment
Report a Bug