  • 1.  Making ESXi v7 compliant with DISA STIG

    Posted Sep 09, 2022 04:49 PM


    I have several ESXi hosts that were upgraded from v6.7 to 7.0. I need to comply with DISA STIG Checklists for these servers. The ESXi STIG has not been updated for 7.0 as far as I am aware, so I have to make do with the old checklist.

    There are 2 items I have difficulty with regarding SSH configuration. Most of the SSH settings are compliant out of the box, but the "MaxConnections" and "AcceptENV" options are either missing or commented out. If I try to add these to the sshd_config file, it saves, but as soon as I restart the sshd service, the config is wiped and restored to the previous version.

    I understand why this is probably happening, but that does not remove the need for these settings so that I can report I am in compliance.

    Is there some way to append these settings to the sshd_config that is persistent?

    I have tried to use the DoD STIG VIB Fling in the past, but that seems to break the SSH service completely on ESXi v7.

  • 2.  RE: Making ESXi v7 compliant with DISA STIG

    Posted Sep 12, 2022 08:21 PM

    These settings may not be compatible with the build of OpenSSH that comes with ESXi7.  I would open an SR on this one.