KWKirchner
Enthusiast
Enthusiast

Making ESXi v7 complaint with DISA STIG

Hello,

I have several ESXi hosts that were upgraded from v6.7 to 7.0. I need to comply with DISA STIG Checklists for these servers.  The ESXi STIG has not been updated for 7.0 as far as I am aware, so I have to make due with the old checklist.

There are 2 items I have difficulty with regarding SSH configuration.  Most of the SSH settings are complaint out of the box, but the "MaxConnections" and "AcceptENV" options are either missing or commented out.  If I try to add these to the sshd_config file, it saves, but as  soon as I restart the sshd service, the config is wiped and restore to the previous version.

I understand why this is probably happening, but that does not remove the need for these settings so that I can report I am in compliance.

Is there some way to append these settings to the sshd_config that is persistent?

I have tried to use the DoD STIG VIB Fling in the past, but that seems to break the SSH service completely on ESXi v7.

Labels (3)
1 Reply
Tibmeister
Expert
Expert

These settings may not be compatible with the build of OpenSSH that comes with ESXi7.  I would open an SR on this one.

0 Kudos