Making ESXi v7 complaint with DISA STIG

KWKirchner · ‎09-09-2022

Hello,

I have several ESXi hosts that were upgraded from v6.7 to 7.0. I need to comply with DISA STIG Checklists for these servers. The ESXi STIG has not been updated for 7.0 as far as I am aware, so I have to make due with the old checklist.

There are 2 items I have difficulty with regarding SSH configuration. Most of the SSH settings are complaint out of the box, but the "MaxConnections" and "AcceptENV" options are either missing or commented out. If I try to add these to the sshd_config file, it saves, but as soon as I restart the sshd service, the config is wiped and restore to the previous version.

I understand why this is probably happening, but that does not remove the need for these settings so that I can report I am in compliance.

Is there some way to append these settings to the sshd_config that is persistent?

I have tried to use the DoD STIG VIB Fling in the past, but that seems to break the SSH service completely on ESXi v7.

Tibmeister · ‎09-12-2022

These settings may not be compatible with the build of OpenSSH that comes with ESXi7. I would open an SR on this one.

All

Making ESXi v7 complaint with DISA STIG

DISA

ESXi

STIG