DZ1
Hot Shot

ESXi 5.0 STIG (Security hardening)

I performed security hardening on an ESXi 5 host (test area), and I cannot figure out what portion of it is causing the ESXi Shell service to keep stopping. Lockdown mode is not enabled, the SSH service is running when I look at the GUI, and when I press F2 and log in via the DCUI it shows that the "ESXi Shell is Enabled". Under that same area it shows "SSH is Enabled", and under the firewall, SSH server is checked and running.

I'm hoping someone knows exactly what it is. Of course I changed some of the files, sshd_config and such, but I don't know if that is affecting this. This isn't causing an issue since it's just a test host, but after going through all those pages, I just can't figure out what is stopping this.

I need to make a correction. When I log into the DCUI under "Troubleshooting Mode Options", even if I Enable ESXi Shell here, in a second or two it gets set back to disabled.

Accepted Solution
MKguy
Virtuoso

Did you modify the ESXiShellInteractiveTimeOut or ESXiShellTimeOut options? These settings can reset a manually enabled shell. Check the values with these commands:

# esxcfg-advcfg -g /UserVars/ESXiShellInteractiveTimeOut

# esxcfg-advcfg -g /UserVars/ESXiShellTimeOut

Also see:

http://blogs.vmware.com/vsphere/2012/09/vsphere-5-1-new-esxishellinteractivetimeout.html

-- http://alpacapowered.wordpress.com

DZ1
Hot Shot

Thanks, I did set the ESXiShellTimeOut to 15 minutes, but it's not the problem. I actually have two hosts that have been STIG'd, but for some reason I can connect to one, but not the other. I'll really look through the guide again; I had to have set something up incorrectly.

DZ1
Hot Shot

Oh my... thank you. Without a doubt, the timeout was set to 15 minutes. I just looked at it and responded, but I decided to just disable the value, so I set it back to 0. Well, that did it. I can't believe it. I definitely had it at 15 minutes, not 1 or anything. Because the timeout was at 15 minutes, I probably would not have thought about it until you brought it up. I did patch one of the hosts and not the other, so maybe there is something in the patch notes. Thank you so much.

MKguy
Virtuoso

I think I vaguely remember some inconsistency about how these values are interpreted, in minutes or seconds.

This article talks about seconds too:

http://www.punchingclouds.com/2012/10/24/managing-multiple-terminal-session-timeouts-for-esxi/

Can you test that?

-- http://alpacapowered.wordpress.com
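A small sanity check for the unit confusion discussed in this thread, added here as an example and not part of MKguy's posts or any VMware tool. It assumes the `Value of <option> is <N>` output format of `esxcfg-advcfg -g` and that both shell timeout options are interpreted in seconds; the sample output line is constructed, not captured from a real host.

```shell
#!/bin/sh
# Constructed sample of what `esxcfg-advcfg -g /UserVars/ESXiShellTimeOut`
# is assumed to print on an ESXi 5 host; replace with the real command output.
SAMPLE_OUTPUT='Value of ESXiShellTimeOut is 15'

# Extract the trailing integer from an esxcfg-advcfg output line.
parse_timeout() {
    printf '%s\n' "$1" | sed -n 's/.* is \([0-9][0-9]*\)$/\1/p'
}

# Classify a timeout value in seconds: 0 disables the timeout, and a value
# under 60 almost always means minutes were typed where seconds were expected
# (15 here disables the shell 15 seconds after it is enabled).
classify_timeout() {
    secs=$1
    if [ "$secs" -eq 0 ]; then
        echo "disabled"
    elif [ "$secs" -lt 60 ]; then
        echo "suspicious"
    else
        echo "ok"
    fi
}

# Convert an intended number of minutes to the seconds value the option expects.
minutes_to_seconds() {
    echo $(( $1 * 60 ))
}

# Build (but do not run) the corrective command for a value meant as minutes.
suggest_fix() {
    echo "esxcfg-advcfg -s $(minutes_to_seconds "$1") /UserVars/ESXiShellTimeOut"
}

# Report on the sample value when run directly.
value=$(parse_timeout "$SAMPLE_OUTPUT")
echo "ESXiShellTimeOut=$value seconds: $(classify_timeout "$value")"
[ "$(classify_timeout "$value")" = "suspicious" ] && \
    echo "If $value minutes was intended, run: $(suggest_fix "$value")"
```

Run the same check against `ESXiShellInteractiveTimeOut` by swapping the option name, since it is the other setting that can silently shut the shell.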
DZ1
Hot Shot

Wow, talk about feeling like an idiot. The timeout value is in seconds; I'll be taking that remedial VMware class now.
