Wednesday, June 4, 2008

DISA releases official ESX Security Technical Implementation Guide

ESX Server STIG Version 1, Release 1.0

Seems harmless enough on the first pass, but if you read carefully you will see the following finding:
(ESX0010: CAT II) The IAO/SA will configure the ESX Server in accordance with the UNIX STIG and Checklist. This is not applicable to ESX Server 3i. The following open findings will NOT be applicable when running the UNIX SRR against the ESX Server service console:

What this means is that on top of all the configuration changes you have to make within VirtualCenter (configuring virtual switches, etc.) you have to make sure the host can pass the UNIX STIG.

Unix has been around a loooooong time and as such the STIG for Unix is freaking HUGE. There is already a Security Readiness Review Evaluation Script for Unix, which will have to be run on each ESX host at a DOD facility.

Fortunately, a colleague and I have already been working on a shell script to help lock down ESX so that it can pass the UNIX SRR. While I am sure it is not foolproof in protecting against hackers, it will at least bring the host to a level of security to gain approval from the FSO to be allowed to connect to the network.

If you are interested, there is a thread on VMTN that discusses the script:
ESX_SRRSecure - Script to allow ESX to pass a DISA Security Readiness Review
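To show the shape of a check-and-remediate script of the kind described above, here is an added POSIX sh example. It is not the ESX_SRRSecure script from the VMTN thread and not DISA's SRR evaluation script: it audits three generic UNIX hardening controls (shadow file mode, empty password fields, default umask) against a filesystem root passed as an argument, so it can be pointed at a constructed sample tree rather than a live service console, and then hardens the two controls that fail. The controls, thresholds, file contents and function names are assumptions made for illustration, not text from the UNIX STIG; it assumes GNU `stat -c`, as found on a Red Hat-derived service console.

```shell
#!/bin/sh
# Added example, not the ESX_SRRSecure script from the post and not DISA's SRR
# script: an SRR-style audit of a few generic UNIX hardening controls against a
# filesystem root passed as $1, so it can run against a constructed sample tree
# instead of the live host. Control choices and thresholds are assumptions made
# for illustration; they are not quoted from the UNIX STIG. Assumes GNU stat -c.

say() { echo "$*" >&2; }   # findings go to stderr; stdout carries only the tally

# Control A: /etc/shadow must be readable by its owner only (mode 0400 or 0600).
check_shadow_mode() {
    f="$1/etc/shadow"
    [ -f "$f" ] || { say "FINDING: $f is missing"; return 1; }
    mode=$(stat -c '%a' "$f")
    case "$mode" in
        400|600) say "PASS: $f mode $mode"; return 0 ;;
        *)       say "FINDING: $f mode $mode, expected 0400 or 0600"; return 1 ;;
    esac
}

# Control B: no account in /etc/passwd may have an empty password field
# (an empty second field means the account can log in with no password).
check_no_empty_passwords() {
    f="$1/etc/passwd"
    bad=$(awk -F: '$2 == "" { print $1 }' "$f" | tr '\n' ' ')
    if [ -n "$bad" ]; then
        say "FINDING: accounts with empty password field: $bad"
        return 1
    fi
    say "PASS: no empty password fields in $f"
    return 0
}

# Control C: the last umask set in /etc/profile must be 077 or 027.
check_default_umask() {
    f="$1/etc/profile"
    val=$(awk '$1 == "umask" { v = $2 } END { print v }' "$f")
    case "$val" in
        077|027) say "PASS: default umask $val"; return 0 ;;
        "")      say "FINDING: no umask set in $f"; return 1 ;;
        *)       say "FINDING: default umask $val, expected 077 or 027"; return 1 ;;
    esac
}

# Run every control and print the number of open findings (the SRR-style tally).
count_findings() {
    n=0
    for chk in check_shadow_mode check_no_empty_passwords check_default_umask; do
        "$chk" "$1" || n=$((n + 1))
    done
    echo "$n"
}

# Remediation for controls A and B: tighten the shadow mode and lock any account
# whose password field is empty by writing '*' (no valid hash) into that field.
harden() {
    chmod 0400 "$1/etc/shadow"
    awk -F: 'BEGIN { OFS = ":" } $2 == "" { $2 = "*" } { print }' "$1/etc/passwd" \
        > "$1/etc/passwd.tmp" && mv "$1/etc/passwd.tmp" "$1/etc/passwd"
}

# Constructed sample tree (two of the three controls fail); prints its root path.
build_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/etc"
    printf 'root:x:0:0:root:/root:/bin/sh\nguest::501:501::/home/guest:/bin/sh\n' \
        > "$root/etc/passwd"
    printf 'root:$1$constructed$notarealhash:17000:0:99999:7:::\n' > "$root/etc/shadow"
    chmod 644 "$root/etc/shadow"                      # deliberately too permissive
    printf '# constructed profile\numask 077\n' > "$root/etc/profile"
    echo "$root"
}

# Stand-alone demo: sh audit.sh --demo  (audit the sample, harden it, audit again)
if [ "${1:-}" = "--demo" ]; then
    d=$(build_sample)
    echo "open findings before hardening: $(count_findings "$d")"
    harden "$d"
    echo "open findings after hardening:  $(count_findings "$d")"
    rm -rf "$d"
fi
```

The split between audit functions that only report and a separate `harden` step mirrors how an SRR run is normally used: the evaluation script produces the list of open findings for the FSO, and the lock-down script is what closes them, so you can re-run the audit afterwards and show a zero tally. On the constructed sample the audit reports two findings, and after `harden` it reports none.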