VMware Cloud Community
pmorrison
Enthusiast

ESX_SRRSecure - Script to allow ESX to pass a DISA Security Readiness Review.

Background: taken from the DISA website:

In a DOD facility all systems must pass the Security Technical Implementation Guide (STIGs) for the host operating system. The STIG is the configuration standard for DOD IA and IA-enabled devices/systems.

A Security Checklist (sometimes referred to as a lockdown guide, hardening guide, or benchmark configuration) is essentially a document that contains instructions or procedures to verify compliance to a baseline level of security.

Security Readiness Review Scripts (SRRs) test products for STIG compliance. SRR Scripts are available for all operating systems and databases that have STIGs, and web servers using IIS. The SRR scripts are unlicensed tools developed by the Field Security Office (FSO) and the use of these tools on products is completely at the user's own risk.

The problem:

As of this writing there is no "official" VMware ESX STIG, but it has been determined that since the ESX service console is *nix based it must conform to the latest Unix STIG.

The current Unix STIG is located here:

The current Unix SRR is located here:

When reviewing the results of the SRR, not all open issues are valid, as the DISA SRR was written for UNIX, LINUX, and AIX. The ESX console operating system is based on Red Hat Enterprise Linux 4.5, but only contains a subset of the entire operating system and has been customized with specific functionality for interfacing with the ESX kernel.

The solution:

Running the SRR will result in an open findings report. After remediating the open issues the SRR is re-run. The goal is to have as few open issues as possible and to document the remaining items as either false findings or open issues with notes as to when they will be closed (patches from VMware) or why they need to be left open.

An example of an open issue is:

==========PDI=IAVA1115 Result========================
PDI Number: IAVA1115
Finding Category: CAT II
Reference: IAVA 2007-T-0042
Description: Sun JRE Web Start Multiple Remote Vulnerabilities.
Status: Open – *will be fixed in a patch from VMware due in June.*

For example:

IAVA1115: IAVA 2007-T-0042 - Sun JRE Web Start Multiple Remote Vulnerabilities.
Outdated /usr/lib/vmware/webAccess/java/jre1.5.0_12/bin/java, JAVA version 1.5.0.12 found on esx.philhome.dyndns.org.
Upgrade to JAVA version 1.5.0.13 on esx.philhome.dyndns.org.
=========================================================

An example of a false finding that will remain is:

==========PDI=IAVA0360 Result========================
PDI Number: IAVA0360
Finding Category: CAT I
Reference: IAVA 2003-A-0015
Description: There are multiple vulnerabilities in OpenSSL.
Status: Open – *This is a documented false finding as the vulnerabilities were fixed but the version number was not updated.*

For example:

IAVA0360: IAVA 2003-A-0015
/usr/bin/openssl version 0.9.7a found on esx.philhome.dyndns.org 2.4.21-47.0.1.ELvmnix.
==========PDI=IAVA0410 Result========================

The ESX SRR Secure script is a shell script which attempts to remediate all of the issues possible on an ESX 3.x host. Some prerequisites to running this script are as follows:

1. Must be run as root.
2. The host must be in maintenance mode.
3. Before beginning with the SRR it's advised to install the LAuS library to increase auditing capabilities within the ESX service console, as by default there is limited auditing taking place within the service console itself. These libraries are located on the VMware ESX CD in the /vmware/RPM/ directory. (Note: It appears that this is installed by default in ESX 3.5 update 1.)
4. Make sure that all passwords meet the complexity requirements: 7 characters with at least 1 number, 1 symbol, 1 upper case and 1 lower case. This needs to be done for root and any additional accounts installed manually. (Do not change any accounts created by adding a host to Virtual Center.)

Once the system is ready, run the script as root and allow the host to be rebooted. Re-run the Unix SRR and compare the open findings report. Below is an example of the summary section both before and after running ESX SRR Secure:

Before:

CAT I = 3/541, CAT II = 55/541, CAT III = 3/541, CAT IV = 0/541

After:

CAT I = 1/139, CAT II = 9/345, CAT III = 1/57, CAT IV = 0/5

The remaining open issues should be documented and should be sufficient to present to the DISA FSO for approval.

Since this is the first “public” exposure for this script, please consider this an early release and test this in a NON-production environment until verification can be made that it does not break something. Also, please give feedback as we would love to see what the community thinks and are continuing to try and make this process better.

Updated script with some corrections and began to address ESX STIG findings.

AllisonCassatt1
Contributor

Perrymans, you just became my best friend!!!

DSeaman
Enthusiast

I'm trying to find a way to take care of ESX0980, which is disabling VMware tools drag and drop. I've disabled the cut and paste features, and done all of the other recommended VMX tweaks. What setting takes care of disabling the drag and drop feature?

Will there be a script for ESXi 4.0? I realize there's no service console, so there's not much there to secure.

Derek Seaman
Texiwill
Leadership

Hello,

Drag and Drop are per VM settings and you can either use the vSphere Client, PowerShell, or some other scripting mechanism to make these changes using the VI SDK. I am beginning to migrate almost all my tools from shell scripts to ones that use PowerShell and access the shell as necessary. This may be the best way to move forward the DISA SRR in the future. If anyone is interested let me know.


Best regards,

Edward L. Haletky, VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available: 'VMware ESX Server in the Enterprise'
SearchVMware Pro (http://www.astroarch.com/wiki/index.php/Blog_Roll) | Blue Gears | Top Virtualization Security Links | Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
Aughtly
Contributor

Updated version 1.5a (Minor corrections and some additional checks)

By default, this version will not scan datastores. This is mostly due to the fact that in large environments this checking can take a while (depending upon the number of VMs/files). The datastores only need to be scanned by one host to ensure compliance. To enable scanning of the datastores, use the "-d" parameter.

This version is still mainly for ESX 3.x, but some folks have used it in the vSphere environment with little to no modification. If you have any issues/problems with it, please report them here and I will do my best to get them corrected and posted.

Thanks

Ed

jkordish
Contributor

Nice work Ed.

I've actually been looking to automate much of the DISA STIG checks via PowerShell. Maybe once it gets to a point where I don't feel embarrassed by my coding skills I will post it. Mostly written based on what an assessment team would check for, since this will let you pass the hurdles to get approved but not necessarily to pass a future assessment. Dumb, I know.

JoeNick
Contributor

Have been testing this version of the SRR Script on a vSphere 4.0 host. Ran the script on the host prior to the host being added to the vCenter inventory.

The script completed and when attempting to add the host to the vCenter inventory am getting an error message. "A general system error occured:p passwd: Authentication token manipulation error Failed to configure the VIM account on the hosts"

Looking for suggestions of possible fixes short of reloading ESX 4.0; any help would be appreciated.

Texiwill
Leadership

Hello,

Password modifications and enforcement should not be applied to the vpxuser account, which is the account created when you join a host to vCenter. This already has a very strong password.


Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, 2010

Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'
Also available: 'VMware ESX Server in the Enterprise'
Blogging: The Virtualization Practice | Blue Gears | TechTarget | Network World
Podcast: Virtualization Security Round Table Podcast | Twitter: Texiwll

JoeNick
Contributor

Thanks for leading me in the right direction.

The SRR script does some modifications regarding password requirements and makes changes to the /etc/pam.d/system-auth file. By returning this file to the default configuration (what the file contained before running the script), I was able to add the host to vCenter. I then returned the file to its post-script condition and all appears to be good.

THANKS again!

Texiwill
Leadership

Hello,

vCenter automatically changes the vpxuser password once a month, so things may NOT be good. :} I would track down why it could not set the vpxuser password properly.

There is also a bug in ESX v4.1 with the passwdqc PAM module... check out http://www.virtuallyghetto.com/2010/07/esxi-41-major-security-issue.html for some details on this.


Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, 2010

RMJones1
Contributor

Hello,

Has anyone been able to successfully configure auditd to correct GEN002720, GEN002740, GEN002760, and GEN002780? I added the following to /etc/audit/audit.rules and restarted auditd:

1. Audit Failed File and Program Access Attempts

-a exit,always -F arch=b64 -S open -F success=0
-a exit,always -F arch=b32 -S open -F success=0

2. Audit File and Program Deletion

-a exit,always -F arch=b64 -S unlink -S rmdir
-a exit,always -F arch=b32 -S unlink -S rmdir

3. Audit Administrative, Privileged, and Security Actions

-w /etc/audit/auditd.conf
-w /etc/audit/audit.rules
#-a exit,always -F arch=b64 -S stime -S acct -S reboot -S swapon
-a exit,always -F arch=b64 -S settimeofday -S setrlimit -S setdomainname
-a exit,always -F arch=b64 -S sched_setparam -S sched_setscheduler
-a exit,always -F arch=b32 -S stime -S acct -S reboot -S swapon
-a exit,always -F arch=b32 -S settimeofday -S setrlimit -S setdomainname
-a exit,always -F arch=b32 -S sched_setparam -S sched_setscheduler

4. Audit Discretionary Access Control Permission Modifications

-a exit,always -F arch=b64 -S chmod -S fchmod -S chown -S fchown
-a exit,always -F arch=b64 -S lchown
-a exit,always -F arch=b32 -S chmod -S fchmod -S chown -S fchown
-a exit,always -F arch=b32 -S lchown

Still receiving results from the DISA SRR script that auditing is not enabled, even though the auditd process is running. Are the results a false positive?

Thanks

Texiwill
Leadership

Hello,

They could be a false positive. I would look at the DISA script and determine exactly what it wants to see. It may be looking for odd spacing, etc.


Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, 2010

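One way to check the rules posted above against the four findings the way a compliance script might, written here as an added example (not the poster's rules file, the ESX_SRRSecure script, or the DISA SRR itself): it normalises the rules file so comments and uneven spacing cannot hide a rule, then verifies each finding's syscalls are audited on both arch=b32 and arch=b64. The GEN-to-syscall mapping follows the poster's grouping and is an assumption, as are the function names; the sample rules are constructed from the post.

```shell
#!/bin/bash
# Added example, not part of the thread or the ESX_SRRSecure script: normalise an
# auditd rules file and check that the syscalls each finding calls for are audited
# on both arch=b32 and arch=b64. GEN-to-syscall mapping is an assumption.

# Strip comments, collapse whitespace, drop blank lines: spacing cannot hide a rule.
normalize_rules() {   # rules-file
    sed -e 's/#.*//' -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' "$1" | grep -v '^$'
}
# True if a rule for the given arch lists the syscall as "-S name".
has_syscall_rule() {  # rules-file arch syscall
    normalize_rules "$1" | grep -- "-F arch=$2" | grep -Eq -- "-S $3( |$)"
}
# Check one finding's syscalls on both architectures; print and fail on any gap.
check_group() {       # rules-file finding "syscall ..."
    local file=$1 gen=$2 missing=""
    for sc in $3; do for arch in b32 b64; do
        has_syscall_rule "$file" "$arch" "$sc" || missing="$missing $arch:$sc"
    done; done
    [ -z "$missing" ] && { echo "$gen: ok"; return 0; }
    echo "$gen: missing$missing"; return 1
}
# All four findings; non-zero exit if any expected rule is absent.
audit_srr_check() {   # rules-file
    local rc=0
    check_group "$1" GEN002720 "open" || rc=1
    check_group "$1" GEN002740 "unlink rmdir" || rc=1
    check_group "$1" GEN002760 "settimeofday setrlimit setdomainname sched_setparam sched_setscheduler" || rc=1
    check_group "$1" GEN002780 "chmod fchmod chown fchown lchown" || rc=1
    return $rc
}
# Constructed sample: the rules posted above, with a commented-out line and uneven spacing.
write_sample_rules() {  # output-file
    cat > "$1" <<'EOF'
-a exit,always -F arch=b64 -S open -F success=0
-a   exit,always -F arch=b32  -S open -F success=0
-a exit,always -F arch=b64 -S unlink -S rmdir
-a exit,always -F arch=b32 -S unlink -S rmdir
#-a exit,always -F arch=b64 -S stime -S acct -S reboot -S swapon
-a exit,always -F arch=b64 -S settimeofday -S setrlimit -S setdomainname
-a exit,always -F arch=b64 -S sched_setparam -S sched_setscheduler
-a exit,always -F arch=b32 -S settimeofday -S setrlimit -S setdomainname
-a exit,always -F arch=b32 -S sched_setparam -S sched_setscheduler
-a exit,always -F arch=b64 -S chmod -S fchmod -S chown -S fchown
-a exit,always -F arch=b64 -S lchown
-a exit,always -F arch=b32 -S chmod -S fchmod -S chown -S fchown
-a exit,always -F arch=b32 -S lchown
EOF
}
```

On a host, source the file and run `audit_srr_check /etc/audit/audit.rules`; a non-zero exit lists the architecture and syscall each finding still lacks.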
Aughtly
Contributor

Version 1.6

Minor fixes (GEN00600) and ensured a couple more files are backed up before being changed.

Thanks

Ed

RMJones1
Contributor

Ed,

Did you make corrections to GEN000600 or GEN006000?

Regards,

Rodney

Aughtly
Contributor

ALL -

I have an updated version of the ESX_SRRSecure (2.0) script that I would like to have some help testing out.  It works on 3.x and 4.x ESX (with the Service Console) and addresses findings both in the SRR and some of the checklists.  This newer version has a new option that will allow for reporting only (will not make any modifications) and includes a few fixes/newer findings.

If you would like to help me test it out in the 4.x environment and regression test it in the 3.x environment, please send me a private message. The sooner I can get it vetted through some environments, the sooner I will get it released.

***** NOTE *****

This is NOT for ESXi - I have a series of PowerShell scripts that I'm working on that will address the environment in both ESX and ESXi, but they will not replace the need for the ESX_SRRSecure in the Service Console at this time.

***** NOTE *****

Thanks

Ed

Texiwill
Leadership

Hello,

Please post the script.

Best regards,

Edward L. Haletky

Communities Moderator, VMware vExpert,

Author: VMware vSphere and Virtual Infrastructure Security, VMware ESX and ESXi in the Enterprise 2nd Edition

Podcast: The Virtualization Security Podcast Resources: The Virtualization Bookshelf
