Comments for Phil's NewsPhlash

Comment on DISA releases official ESX Security Technical Implementation Guide by Philip Morrison

Philip Morrison — Tue, 04 Nov 2008 20:35:13 +0000

Not sure I understand the question?

Comment on DISA releases official ESX Security Technical Implementation Guide by Givens

Givens — Tue, 04 Nov 2008 20:27:00 +0000

What is this?
AS-08-548 Security Technical Implementation Guidance (STIG)

Comment on Script to allow ESX to pass a DISA Security Readiness Review by Philip Morrison

Philip Morrison — Thu, 21 Aug 2008 22:35:21 +0000

I think I answered this in the VMTN but in case I didnt (ive been on a bunch of planes lately)…
/var/log/ESX_SRRSecure.timestamp should have the output of the results.

Comment on Script to allow ESX to pass a DISA Security Readiness Review by BacMan

BacMan — Thu, 21 Aug 2008 04:58:23 +0000

Thanks Philip.

Also, for the ESX script, is there a way to output the result to a log file for later review. As I have noticed when I ran the script it has some errors but it went by too fast. Or, is there a way to pause the script at certain point to see what is going on?

I am new to UNXIX and shell scripting. Thanks again for your help and much appreciated.

Cheers,

Comment on Script to allow ESX to pass a DISA Security Readiness Review by Philip Morrison

Philip Morrison — Wed, 20 Aug 2008 22:43:24 +0000

when you run the SRR it creates a folder that is the same as the FQDN of the server you ran it on. IF you told the SRR to only report open findings you should find a file there that should be the name-of-the-server.open It should have all the open findings in txt format.

Comment on DISA releases official ESX Security Technical Implementation Guide by Philip Morrison

Philip Morrison — Wed, 20 Aug 2008 22:41:26 +0000

So, the process I use is this.

1. Run the DISA provided SRR Unix script.
Capture the open issues report.
2. Install LAUS rpm files off of ESX CD
Make sure to chkconfig so the service starts at boot
service start audit
3. We have another script (unpublished) that changes the banner info based on secret/top secret
4. Run ESX_SRRSecure.sh to lock things down.
5. Reboot
6. Re-run the Unix SRR script.
7. Capture the new open findings report and compare to the first file.

As an aside note we also have a corresponding document that goes along with the script to document all the original findings and how to manually fix them or document if they are false positives….

Comment on DISA releases official ESX Security Technical Implementation Guide by BacMan

BacMan — Wed, 20 Aug 2008 01:39:44 +0000

So, which meant we need to run the ESX SRR script (what is the latest version -1.2?) then run the UNIX script and compare it, right?

Comment on Script to allow ESX to pass a DISA Security Readiness Review by BacMan

BacMan — Wed, 20 Aug 2008 01:30:54 +0000

Thanks Philip.

As a note,the doc above mentioned that you run the SRR and allowed the ESX server rebooted. Then, re-run the SRR script again and compare the result. Where the results are save as?

TIA

Comment on Script to allow ESX to pass a DISA Security Readiness Review by Philip Morrison

Philip Morrison — Thu, 07 Aug 2008 00:01:46 +0000

There is a way to do this from the command line.
vimsh -n -e /hostsvc/maintenance_mode_exit

This was going to be in the script but we decided not to do so since it could impact production environments.

Comment on Script to allow ESX to pass a DISA Security Readiness Review by BacMan

BacMan — Wed, 06 Aug 2008 23:04:06 +0000

In ESX SRR prerequisites that the ESX server need to be in the “maintenance mode”. Do you know how to do this from the console?

I guessed I can use VC to put the ESX server in the maintenance mode. But, just want to know if I can do it from CLI.

Thanks.