DoD STIGs for VMware

I’ve recently had to STIG some VMware environments for a client of mine. I cannot recommend Ryan Lakey and the work on his GitHub page enough. He’s taken a lot of the manual work out of this process.

Check it out here. His script will not only check your hosts but will also remediate them!

You’ll want to cross-reference your findings using a STIG Viewer.

The HIGH severity findings are the ones you’ll want to address first.

| STIG ID | Severity | Title | Discussion |
|---|---|---|---|
| V-63263 | High | The Image Profile and VIB Acceptance Levels must be verified. | Verify the ESXi Image Profile to only allow signed VIBs. An unsigned VIB represents untested code installed on an ESXi host. The ESXi Image profile supports four acceptance levels: (1) … |
| V-63311 | High | The system must verify the integrity of the installation media before installing ESXi. | Always check the SHA1 hash after downloading an ISO, offline bundle, or patch to ensure integrity and authenticity of the downloaded files. |
| V-63313 | High | The system must have all security patches and updates installed. | Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. |
| V-63289 | High | The virtual switch MAC Address Change policy must be set to reject. | If the virtual machine operating system changes the MAC address, it can send frames with an impersonated source MAC address at any time. This allows it to stage malicious attacks on the devices in … |
| V-63901 | High | The VMM must implement cryptographic mechanisms to prevent unauthorized modification of all information at rest on all VMM components by verifying Image Profile and VIP Acceptance Levels. | Verify the ESXi Image Profile to only allow signed VIBs. An unsigned VIB represents untested code installed on an ESXi host. The ESXi Image profile supports four acceptance levels: (1) … |
| V-63191 | High | The SSH daemon must be configured to use only the SSHv2 protocol. | SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used. |
| V-63199 | High | The SSH daemon must not allow authentication using an empty password. | Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. |
| V-63823 | High | The VMM must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs and guest VMs by verifying Image Profile and VIP Acceptance Levels. | Verify the ESXi Image Profile to only allow signed VIBs. An unsigned VIB represents untested code installed on an ESXi host. The ESXi Image profile supports four acceptance levels: (1) … |
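As an added example (my own, not Ryan Lakey's script), here is a read-only PowerCLI check of the HIGH findings above that can be queried through vCenter: acceptance levels (V-63263/V-63901/V-63823), vSwitch MAC change policy (V-63289) and the host build for the patch check (V-63313). It assumes an existing Connect-VIServer session; the two SSH items need a look at /etc/ssh/sshd_config on the host itself and are not covered.

```powershell
# Acceptance levels the STIG allows; anything else (CommunitySupported) fails.
$allowedLevels = @('VMwareCertified', 'VMwareAccepted', 'PartnerSupported')

function Test-EsxiHighFindings {
    param([Parameter(Mandatory)] $VMHost)   # a VMHost object from Get-VMHost
    $esxcli = Get-EsxCli -VMHost $VMHost -V2

    # V-63263 / V-63901 / V-63823: host-wide acceptance level ...
    $level = $esxcli.software.acceptance.get.Invoke()
    [PSCustomObject]@{ Host = $VMHost.Name; Check = 'V-63263 acceptance level'
        Value = $level; Pass = ($allowedLevels -contains $level) }

    # ... and the acceptance level of every installed VIB
    $badVibs = $esxcli.software.vib.list.Invoke() |
        Where-Object { $allowedLevels -notcontains $_.AcceptanceLevel }
    [PSCustomObject]@{ Host = $VMHost.Name; Check = 'V-63263 VIB acceptance'
        Value = ($badVibs.Name -join ','); Pass = ($badVibs.Count -eq 0) }

    # V-63289: MAC address changes must be rejected on standard vSwitches
    # and on any port group that overrides the switch-level policy
    $sw = Get-VirtualSwitch -VMHost $VMHost -Standard | Get-SecurityPolicy |
        Where-Object { $_.MacChanges }
    $pg = Get-VirtualPortGroup -VMHost $VMHost -Standard | Get-SecurityPolicy |
        Where-Object { -not $_.MacChangesInherited -and $_.MacChanges }
    $offenders = @($sw.VirtualSwitch.Name) + @($pg.VirtualPortGroup.Name)
    [PSCustomObject]@{ Host = $VMHost.Name; Check = 'V-63289 MAC changes'
        Value = ($offenders -join ','); Pass = ($offenders.Count -eq 0) }

    # V-63313: report version/build so it can be compared with the current
    # patch list by hand; the script cannot know what "latest" is offline
    [PSCustomObject]@{ Host = $VMHost.Name; Check = 'V-63313 build (compare manually)'
        Value = "$($VMHost.Version) build $($VMHost.Build)"; Pass = $null }
}

# Run against every host in the connected vCenter and show one row per check
Get-VMHost | ForEach-Object { Test-EsxiHighFindings -VMHost $_ } | Format-Table -AutoSize
```

Rows with Pass = False are the ones to hand to his remediation script or to fold into a Host Profile.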

Once you’ve determined what needs to be addressed, my recommendation would be either to use his script to remediate the hosts and then apply the changes to all hosts via Host Profiles, or to deploy the VIB that’s over on the VMware Flings page.

Good luck with your hardening!

This entry was posted in Security, vSphere.