not sure you are looking at the right script then as I just did a search and could not find any references to "an example of a script". However, I have built custom install CDs in which this script is run automatically in the %post section.

It's the script in the post I replied to:

http://communities.vmware.com/servlet/JiveServlet/download/1058030-13969/samplescript.sh?tstart=0&st...

It must have been munged by the vmware.com servers...

$ sh ./samplescript.sh

./samplescript.sh: line 1: {rtf1ansiansicpg1252deff0deflang1033{fonttbl{f0fswissfcharset0: command not found

./samplescript.sh: line 1: }}\r': command not found

./samplescript.sh: line 2: {*generator: command not found

./samplescript.sh: line 2: }viewkind4uc1pardsb100sa100f0fs20: command not found

./samplescript.sh: line 3: f0fs20: command not found

./samplescript.sh: line 23: fg: no job control

./samplescript.sh: line 24: fg: no job control

Has anyone heard if DISA will come out with the SRR specifically for the ESX Server?

Has anyone compiled a list of False Positives when running the regular SRR against the ESX Server? If so, can you please share...

Is the ESX_SRRSecure v1.4 lockdown script ready to be released?

thanks

I've been following this thread from the beginning and it has proved to be a great resource for me. I'm also a consultant for DoD and have to ensure that our systems are locked down according to the ESX STIG.

We're running ESX 3.5 w/ VirtualCenter 2.5 (planning to go to Update 3 of both in our next testing window)

We've recently run into an issue in our test lab where after running the lockdown script v.1.2 HA stops working. Has anyone else seen this in their environment? This didn't occur on our development test deck but prior to digging in and spending a lot of vaulable time troubleshooting I wanted to check.

I'll drop more details here if anything turns up.

I finally get to weigh in on this post!

So I have a problem with the ESX0050 STIG itself, and since my ESX came from Dell, I can't "officially" call VMWare directly because my support is with Dell.

I submitted the following as a possible issue to DISA:

ESX0050 states the following:

Permissions for the virtual machine files will adhere to VMware's best practices. The configuration file (.vmx), will be read, write, execute (rwx) for owner and read and execute (r-x) for group and read (r--) for others (754). If these permissions are not set for the .vmx files then VMotion across ESX Servers may not work. The virtual machine's virtual disk (.vmdk) will be read and write (rw-) for owner (600).

The reference VI3 Security Hardening (p. 7, attached) states:

Be sure permissions for the virtual machine's files are set according to the guidelines in this section.

Permissions for the configuration file (.vmx), should be read, write, execute (rwx) for owner, and read and execute (r-x) for group (755). Permissions for the virtual machine's virtual disk (.vmdk) should be read and write (rw-) for owner (600). For all of these files, both the user and group should be root.

The error is obviously the .vmx permission requirement that states 755 in the hardening guide, but was changed to 754 in the STIG.

The incorporation of a 754 permission would require a manual chmod after the creation of every VM.

In response to my DISA email, I received the following answer:

Status or Resolution Summary: UNFORTUNATELY, THE STIG IS POLICY. THE 754 WAS AGREED AND APPROVED BY VMWARE BEFORE THE STIG WAS PUBLISHED. THERE WAS MUCH DISCUSSION OVER THESE PERMISSIONS AND THE 754 IS THE BEST CONFIGURATION. VMWARE MAY HAVE LESS STRINGENT REQUIREMENTS FOR THEIR NON-DOD CUSTOMERS. THANKS.

Even though the STIG contradicts itself by saying it is using VMWare best practice, but it obviously is not VMWare best practice, DISA is sticking by its document.

I did not know who else to ask, except coming here to VMware and hopefully determining if VMWare really suggested and agreed to 754 for .vmx files for government and why.

Thanks. Sean.

Hello,

I am not sure who was involved in that discussion but I think that 755/754 is way to open personally. I have locked them down to 700 with no issues.

At the moment all you can do to adhere to the STIG is a manual change as ESX uses 755.

Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

SearchVMware Blog: http://itknowledgeexchange.techtarget.com/virtualization-pro/

Blue Gears Blogs - http://www.itworld.com/ and http://www.networkworld.com/community/haletky

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

I didn't see it anywhere, but the link to the latest STIG is now:

adam

Hello,

Check out http://www.astroarch.com/wiki/index.php/Top_Virtualization_Security_Links which will be kept up to date. It has a link to the latest ESX STIG, http://iase.disa.mil/stigs/checklist/esx_server_checklist_v1_r1-2_03sep2008pdf.zip and the UNIX STIG to which its dependent as well as a bunch of other useful links from a security perspective.

Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

Blue Gears and other Blogs: http://www.astroarch.com/wiki/index.php/Blog_Roll

Hello,

Nothing yet.

Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

Blue Gears and SearchVMware Pro Blogs: http://www.astroarch.com/wiki/index.php/Blog_Roll

Top Virtualization Security Links: http://www.astroarch.com/wiki/index.php/Top_Virtualization_Security_Links

I think this might have been affected by "hosts.allow" and "hosts.deny" changes. Can anyone confirm this?

GEN006620 - The access control program is not configured to grant and deny system access to specific hosts.

I'm all set, it was definitely the hosts.allow and hosts.deny files.

There was one ip address hardcoded in the hosts.allow i belive <been a while since I could mess with it.> there was talk previously in this thread where it was called out. I will search for it and reply again.

OK I found it. If you want smb to work you have to search for 192.168.10. and replace with the proper network.

As for host.allow, the script does a lookup of the ipaddress of your esx box and adds just that network to the hosts.allow. If you have other networks trying to connect to the service console you would have to add those as well... but if this is on a DoD network this is a no no unless all the boxes involved are on their own VLAN.

twa3

I experienced the same issue. I see from the other postings that you already have your solution.

The ESX_SRRSecure script does not make IP entries to 'hosts.allow' ; which would enable remote login from your Virtual Center or another remote management host. You could revise the script to accept data entry of IP addresses from a user. That is what I did. I revised the script and posted a version last September on this forum. You can copy that code from this revised version:

Indeed ssh is restored, just a sanity check. Now I'll restore the secure files so that cross-vlan ssh is disabled. This forum is a lifesaver. I never thought I'd find a DISA SRR "get-ready" script out here. I was simply looking for an answer to one of the vulnerabilities that I was trying to solve. This is much better.

@Jonathan -

If your ESX service console is on a different physical network (or vlan) from your the machine that you're trying to ping you'll need to modify the following files to regain mgmt access to your host:

/etc/hosts.allow

/etc/hosts.deny

Both files were emtpy before the script was run on your host. The script took the IP address from the SC and locked down hosts.allow to only allow TCP traffic from that network. hosts.deny is configured to block all traffic that is no explicitly allowed in the hosts.allow file.