1 2 3 Previous Next 134 Replies Latest reply on Feb 22, 2011 5:32 AM by Texiwill

    ESX_SRRSecure - Script to allow ESX to pass a DISA Security Readiness Review.

    pmorrison Enthusiast

      Background: taken from the DISA website: http://iase.disa.mil/stigs/index.html

      In a DOD facility all systems must pass the Security Technical Implementation Guide (STIGs) for the host operating system.  The STIG is the configuration standard for DOD IA and IA-enabled devices/systems.


      A Security Checklist http://iase.disa.mil/stigs/checklist/index.html (sometimes referred to as a lockdown guide, hardening guide, or benchmark configuration) is essentially a document that contains instructions or procedures to verify compliance to a baseline level of security.


      Security Readiness Review Scripts (SRRs)  http://iase.disa.mil/stigs/SRR/index.html test products for STIG compliance. SRR Scripts are available for all operating systems and databases that have STIGs, and web servers using IIS. The SRR scripts are unlicensed tools developed by the Field Security Office (FSO) and the use of these tools on products is completely at the user's own risk.


      The problem:

      As of this writing there is no “official” VMware ESX STIGbut it has been determined that since the ESX service console is *nix based it must conform to the latest Unix STIG.


      The current Unix STIG is located here: http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf

      The current Unix SRR is located here: http://iase.disa.mil/stigs/SRR/unix.html


      When reviewing the results of the SRR, not all open issues are valid as the DISA SRR was written for UNIX, LINUX, and AIX.  The ESX’s console operating system is based on the Linux Redhat Enterprise 4.5 version, but only contains a subset of the entire operating system and has been customized with specific functionality for interfacing the ESX kernel.


      The solution:

      Running the SRR will result in an open findings report.  After remediating the open issues the SRR is re-run.  The goal is to have as few open issues and to document the remaining items as either false findings or open issues with notes as to when they will be closed (patches from VMware) or why they need to be left open.

      An example of an open issue is:

      ==========PDI=IAVA1115 Result========================

      PDI Number: IAVA1115

      Finding Category: CAT II

      Reference: IAVA 2007-T-0042

      Description: Sun JRE Web Start Multiple Remote


      Status: Open – *will be fixed in a patch from VMware due

      in June.*

      For example:

      IAVA1115: IAVA 2007-T-0042 - Sun JRE Web Start Multiple

      Remote Vulnerabilities.


      /usr/lib/vmware/webAccess/java/jre1.5.0_12/bin/java, JAVA version

      found on esx.philhome.dyndns.org.

      Upgrade to JAVA version on esx.philhome.dyndns.org.



      An example of a false finding that will remain is:

      ==========PDI=IAVA0360 Result========================

      PDI Number: IAVA0360

      Finding Category: CAT I

      Reference: IAVA 2003-A-0015

      Description: There are multiple vulnerabilities in OpenSSL.

      Status: Open – *This is a documented false finding as the

      vulnerabilities were fixed but the version number was not updated.*

      For example:

      IAVA0360: IAVA 2003-A-0015

      /usr/bin/openssl version 0.9.7a found on

      esx.philhome.dyndns.org 2.4.21-47.0.1.ELvmnix.

      ==========PDI=IAVA0410 Result========================


      The ESX SRR Secure script is a shell script which attempts to remediate all of the issues possible on an ESX 3.x host.  Some prerequisites to running this script are as follows:

      1.      Must be run as root.
      2.The host must be in maintenance mode.
      3.      Before beginning with the SRR its advised to install the LAuS library to increase auditing capabilities within the ESX service console, as by default there is limited auditing taking place within the service console itself. These libraries are located on the VMware ESX CD in the /vmware/RPM/ directory. (Note: It appears that this is installed by default in ESX 3.5 update 1)
      4.      </span>Make sure that all passwords meet the complexity requirements.  7 characters with at least 1 number, 1 symbol, 1 upper case and 1 lower case.  This needs to be done for root and any additional accounts installed manually. (Do not change any accounts created by adding a host to Virtual Center).


      Once the system is ready, run the script as root and allow the host to be rebooted.  Re-run the Unix SRR and compare the open findings report.  Below is an example of the summary section both before and after running ESX SRR Secure:


      CAT I = 3/541, CAT II = 55/541, CAT III = 3/541, CAT IV = 0/541


      CAT I = 1/139, CAT II = 9/345, CAT III = 1/57, CAT IV = 0/5


      The remaining open issues should be documented and should be sufficient to present to the DISA FSO for approval.


      Since this is the first “public” exposure for this script, please consider this an early release and test this in a NON-production environment until verification can be made that it does not break something.  Also, please give feedback as we would love to see what the community thinks and are continuing to try and make this process better.


      Updated script with some corrections and begin to address ESX STIG findings.

        1 2 3 Previous Next