Wednesday, June 4, 2008

DISA releases official ESX Security Technical Implementation Guide

ESX Server STIG Version 1, Release 1.0

Seems harmless enough on the first pass, but if you read carefully you will see the following finding:
(ESX0010: CAT II) The IAO/SA will configure the ESX Server in accordance with the UNIX STIG and Checklist. This is not applicable to ESX Server 3i. The following open findings will NOT be applicable when running the UNIX SRR against the ESX Server service console:

What this means is that on top of all the configuration changes you have to make within VirtualCenter (configuring virtual switches, etc.) you have to make sure the host can pass the UNIX STIG.

Unix has been around a loooooong time and as such the STIG for Unix is freaking HUGE. There is already a Security Readiness Review Evaluation Script for Unix which will have to be run on each ESX host at a DOD facility.

Fortunately, a colleague and I have already been working on a shell script to help lock down ESX so that it can pass the UNIX SRR. While I am sure it is not foolproof in protecting against hackers, it will at least bring the host to a level of security that gains approval from the FSO to be allowed to connect to the network.

If you are interested, there is a thread in the VMTN that talks about the script here.
ESX_SRRSecure - Script to allow ESX to pass a DISA Security Readiness Review


  1. So, that means we need to run the ESX SRR script (what is the latest version, 1.2?), then run the UNIX script and compare it, right?

  2. So, the process I use is this.

    1. Run the DISA provided SRR Unix script and capture the open issues report.
    2. Install the LAUS rpm files off of the ESX CD. Make sure to chkconfig the service so it starts at boot, then start it: `service audit start`
    3. We have another script (unpublished) that changes the banner info based on secret/top secret.
    4. Run the lock-down script.
    5. Reboot.
    6. Re-run the Unix SRR script.
    7. Capture the new open findings report and compare it to the first file.

    As an aside, we also have a corresponding document that goes along with the script to document all the original findings and how to manually fix them, or to document that they are false positives....

  3. What is this?
    AS-08-548 Security Technical Implementation Guidance (STIG)
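As an added example (not the ESX_SRRSecure script from the post or the VMTN thread, and not DISA's SRR tooling), here is a small POSIX shell script for the last step of the process described in the comment above, and for the before/after check the post's lock-down script is meant to pass: it compares the open-findings report captured before the lock-down with the one captured after the reboot and re-run, and splits the finding IDs into closed, still open, and new. It assumes finding IDs in the GENnnnnnn / ESXnnnn shape; the report lines and the GEN9999xx IDs are constructed for the example (only ESX0010 comes from the STIG quoted above), and the real SRR report layout will differ, so adjust the pattern in `extract_ids` to match what your version emits.

```shell
#!/bin/sh
# Compare two UNIX SRR "open findings" reports: the one captured before the
# lock-down script runs and the one captured after the reboot and re-run.
# Example code written for this post, not DISA's SRR tooling or the post's
# ESX_SRRSecure script. Report layout and GEN9999xx IDs are constructed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
BEFORE="$WORK/open_findings_before.txt"
AFTER="$WORK/open_findings_after.txt"

# Constructed sample: the open findings report before running the lock-down.
cat > "$BEFORE" <<'EOF'
Open Findings Report (sample, constructed)
GEN999901  CAT II   example finding closed by the lock-down script
GEN999902  CAT I    example finding closed by the lock-down script
GEN999903  CAT II   example finding that needs a manual fix
ESX0010    CAT II   service console must meet the UNIX STIG
EOF

# Constructed sample: the report after the reboot and the second SRR run.
cat > "$AFTER" <<'EOF'
Open Findings Report (sample, constructed)
GEN999903  CAT II   example finding that needs a manual fix
GEN999904  CAT III  example finding that appeared after the change
ESX0010    CAT II   service console must meet the UNIX STIG
EOF

# Sorted, unique finding IDs from one report.
# Assumed ID shape: GEN + six digits (UNIX STIG) or ESX + four digits (ESX STIG).
extract_ids() {
    grep -oE '(GEN[0-9]{6}|ESX[0-9]{4})' "$1" | sort -u
}

# IDs present in report $1 but absent from report $2.
# comm(1) needs sorted input, which extract_ids guarantees; temp files keep
# this plain POSIX sh (no bash process substitution).
ids_only_in_first() {
    a="$WORK/a.$$"; b="$WORK/b.$$"
    extract_ids "$1" > "$a"; extract_ids "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# IDs open in both reports: the lock-down did not close them, so each has to
# be fixed by hand or documented as a false positive.
ids_in_both() {
    a="$WORK/a.$$"; b="$WORK/b.$$"
    extract_ids "$1" > "$a"; extract_ids "$2" > "$b"
    comm -12 "$a" "$b"
    rm -f "$a" "$b"
}

count_lines() { wc -l | tr -d ' '; }

fixed_count()      { ids_only_in_first "$BEFORE" "$AFTER" | count_lines; }
still_open_count() { ids_in_both       "$BEFORE" "$AFTER" | count_lines; }
new_count()        { ids_only_in_first "$AFTER"  "$BEFORE" | count_lines; }

# Human-readable summary of the three sets.
compare_reports() {
    echo "== Closed by the lock-down =="
    ids_only_in_first "$BEFORE" "$AFTER"
    echo "== Still open: fix manually or document as false positive =="
    ids_in_both "$BEFORE" "$AFTER"
    echo "== New since the change: investigate before resubmitting =="
    ids_only_in_first "$AFTER" "$BEFORE"
}

compare_reports
```

Findings in the "still open" set are exactly the ones the comment's companion document has to cover, either with a manual fix or a written justification that they are false positives; anything in the "new" set means the lock-down changed something the SRR now flags, and it should be examined before the results go to the FSO.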