Making Security Easier – An ESXi Fling for US Federal Customers

Running systems in the US Federal Government presents its own unique challenges. From specific login requirements (CAC/PIV smart cards) to specific regulations like the DISA STIGs, managing systems in this environment comes with a healthy dose of security. Today we're taking a small step towards making that easier with the introduction of a VMware Fling for ESXi targeting the DISA STIG standards.

DISA STIG

Many of the requirements of a STIG come from years of operational experience with other operating systems. Even though ESXi isn't Linux, it ships some of the same tools, and the STIG specifies settings for those tools that must be met. The VIB described in this post applies those settings for you, and does it in a more secure manner than editing files by hand.

For example, SSH. While SSH is disabled by default, if it is used the STIG requires "PermitRootLogin" to be set to "no" in sshd_config. To change that, you have to hand edit or replace the file, and automating that step has been difficult. Until today.

You can read more about the ESXi STIG and get the VIB from VMware Labs.

The VIB is available for ESXi 5.x and ESXi 6.x.

What’s a VIB?

First, let's talk about how ESXi is structured so we can put everything into the proper context. The ESXi file system is built using VIB files. A VIB is a vSphere Installation Bundle. It is a digitally signed, gzipped TAR file. ESXi controls what type of VIB files can be installed by enforcing an Acceptance Level. Kyle Gleed goes into detail on this in his excellent post from 2011.

Unfortunately, I can't install a hand-built VIB unless I lower the acceptance level for ALL VIBs, thereby decreasing my overall security posture. That essentially forces the hands of Fed IT folks to come up with more creative ways to be compliant (editing files, complex scripting, etc.). This adds significant cost and opens systems up to misconfiguration. Editing files on a single system might be OK, but when you are talking hundreds or thousands of ESXi hosts, that adds up to significant resources and planning to complete all these tasks. Our goal was to make this as easy as possible with the least amount of operational impact.

What is now available is a VMware-signed VIB that incorporates all of the changes to ESXi required by the STIG that cannot be made through the API. Let me be clear: installing this VIB does not mean you are STIG compliant. There are other steps to take that are called out in the STIG. What this VIB does is automate, very easily, all of the hand editing that you would have had to do before.
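The security-relevant point above is that a VMware-signed VIB installs without lowering the host acceptance level, so an automated rollout should verify exactly that. The following is an added PowerCLI example, not code from the Fling or from the original post. It assumes an existing Connect-VIServer session, PowerCLI 6.3 or later for the -V2 esxcli interface, and that the Fling VIB has already been copied to a datastore; the $VibPath value is a placeholder you must replace with the real path.

```powershell
# Added example, not part of the Fling. Assumes a Connect-VIServer session and
# PowerCLI 6.3+ (Get-EsxCli -V2). $VibPath is a placeholder; point it at the copy
# of the Fling VIB on one of the host's datastores.
$VibPath = '/vmfs/volumes/datastore1/stig-vib.vib'   # placeholder path

function Install-SignedVib {
    param(
        [Parameter(Mandatory)] $VMHost,
        [Parameter(Mandatory)] [string] $VibUrl
    )
    $esxcli = Get-EsxCli -VMHost $VMHost -V2

    # Record the acceptance level before touching anything. A VMware-signed VIB
    # never needs this lowered, so a host already at CommunitySupported is a
    # finding in its own right, not something to paper over with an install.
    $before = $esxcli.software.acceptance.get.Invoke()
    if ($before -eq 'CommunitySupported') {
        Write-Warning "$($VMHost.Name): acceptance level is CommunitySupported; raise it before installing."
        return
    }

    # CreateArgs() returns the esxcli parameter set; only viburl is filled in.
    # nosigcheck and force stay at their defaults so a bad signature or an
    # acceptance-level mismatch makes the install fail rather than be overridden.
    $installArgs = $esxcli.software.vib.install.CreateArgs()
    $installArgs.viburl = @($VibUrl)
    try {
        $result = $esxcli.software.vib.install.Invoke($installArgs)
    } catch {
        Write-Warning "$($VMHost.Name): install refused: $($_.Exception.Message)"
        return
    }

    # Re-read the acceptance level so the report proves nothing was loosened.
    $after = $esxcli.software.acceptance.get.Invoke()
    [pscustomobject]@{
        Host           = $VMHost.Name
        Installed      = ($result.VIBsInstalled -join ',')
        RebootRequired = $result.RebootRequired
        Acceptance     = "$before -> $after"
    }
}

Get-VMHost | ForEach-Object { Install-SignedVib -VMHost $_ -VibUrl $VibPath } | Format-Table -AutoSize
```

The Acceptance column should read the same value on both sides of the arrow for every host; any host where the install was refused is reported as a warning instead of being forced through with -force or -nosigcheck.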

Why is this a good thing?

Is this supported by VMware GSS?

Technically, no. GSS may ask you to back out any changes made. But that's no different than today's status quo. Fortunately, when you use the VIB, going back to factory settings is as simple as uninstalling the VIB (plus a little PowerCLI if you manually changed the login banner; see below). All the changes in the VIB have been made on ESXi servers for years. The VIB is simply a more convenient and more secure way to incorporate changes you've already been making. It has already been met with great enthusiasm from the DISA community.

Who brought us this wondrous gift?!

All the hard work for this was done by one of our Federal Sales Engineers, Ryan Lakey, with assistance from Lincoln Porter and myself. Fed folks, if Ryan shows up at your site give him a pat on the back for a job well done!

But what if I want to use the VIB but I’m not in the government?

If you like the changes that are made with the VIB and want to use them and you’re not in the government, then please do. As a matter of fact, we’ve already gotten a couple of questions on the VIB and it was only released yesterday!

One of the recurring questions is “What if I don’t want the DOD login banner?”. You can change that with some PowerCLI. The login banner file was added because formatting the string in PowerCLI is a little challenging. William Lam first introduced this on his blog.

Please note that this is one of those “unsupported” things and that if you talk with GSS about it, they may ask you to reset it.

Thankfully, resetting the welcome message to factory defaults is super-simple to do; see below. If you would rather not use the DOD banner and want to change it, use the code at the end of this blog post.

We’d love to hear more about what you think about this Fling. Reply here or reach out on Twitter @vspheresecurity or @mikefoley. Let us know if you want to see more things that make security of your vSphere environment easier to manage.

Enjoy!
mike, Ryan and Lincoln

How to change the login banner

The login banner used by the VIB looks like the image below. You can change it using PowerCLI; see the code below. Note that setting the ESXi host advanced setting Annotations.WelcomeMessage to an empty value resets it back to the factory default.

ESXi login banner for DISA compliance

What is this code doing?

First, the code creates a variable called $welcomemessage. The contents of this variable are the formatting directives for the DCUI login screen together with the banner text. Please read and understand all the code below before running it. The code at the end of this blog post resets the welcome message to factory defaults in case GSS asks you to, or in case you fat-finger something.

# PowerShell here-string: the opening @" must end its line and the closing "@ must start in column 1
$welcomemessage = @"
 {bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{hostname} , {ip}{/color}{/bgcolor}{/align}
 {bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{esxproduct} {esxversion}{/color}{/bgcolor}{/align}
 {bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{memory} RAM{/color}{/bgcolor}{/align}
 {bgcolor:black} {/color}{align:left}{bgcolor:black}{color:white} {/color}{/bgcolor}{/align}
 {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align}
 {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By {/color}{/bgcolor}{/align}
 {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} using this IS (which includes any device attached to this IS), you consent to the following conditions: {/color}{/bgcolor}{/align}
 {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align}
 {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited {/color}{/bgcolor}{/align}
 {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law {/color}{/bgcolor}{/align}
 {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} enforcement (LE), and counterintelligence (CI) investigations. {/color}{/bgcolor}{/align}
 {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align}
 {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - At any time, the USG may inspect and seize data stored on this IS. {/color}{/bgcolor}{/align}
 {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align}
 {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - Communications using, or data stored on, this IS are not private, are subject to routine monitoring, {/color}{/bgcolor}{/align}
 {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} interception, and search, and may be disclosed or used for any USG-authorized purpose. {/color}{/bgcolor}{/align}
 {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align}
 {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not {/color}{/bgcolor}{/align}
 {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} for your personal benefit or privacy. {/color}{/bgcolor}{/align}
 {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align}
 {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching {/color}{/bgcolor}{/align}
 {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} or monitoring of the content of privileged communications, or work product, related to personal representation {/color}{/bgcolor}{/align}
 {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work {/color}{/bgcolor}{/align}
 {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} product are private and confidential. See User Agreement for details. {/color}{/bgcolor}{/align}
 {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align}
 {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}
 {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}
 {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}
 {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}
 {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}
 {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}
 {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}
 {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}
 {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}
 {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}
 {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}
 {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}
 {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}
 {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}
 {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}
 {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}
 {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}
 {bgcolor:black} {/color}{align:left}{bgcolor:dark-grey}{color:white} Accept Conditions and Customize System / View Logs{/align}{align:right} Accept Conditions and Shut Down/Restart {bgcolor:black} {/color}{/color}{/bgcolor}{/align}
 {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}
"@

The PowerCLI command below loops through every ESXi host in the vCenter you are connected to (Connect-VIServer) and sets the banner on each one.

foreach ($vmhost in Get-VMHost) {
    # Set-AdvancedSetting prompts for confirmation per host; -Confirm:$false suppresses that for unattended runs
    Get-AdvancedSetting -Entity $vmhost -Name Annotations.WelcomeMessage | Set-AdvancedSetting -Value $welcomemessage -Confirm:$false
}

To reset the login banner to the factory default on all hosts, set Annotations.WelcomeMessage to an empty string.

foreach ($vmhost in Get-VMHost) {
    # An empty value restores the factory DCUI welcome message
    Get-AdvancedSetting -Entity $vmhost -Name Annotations.WelcomeMessage | Set-AdvancedSetting -Value "" -Confirm:$false
}

These changes are immediate and do not require a reboot or restart of services on ESXi 6.
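Once the banner and the VIB are rolled out across hundreds of hosts, the question becomes which hosts drifted. The following is an added PowerCLI audit, not code from the Fling or the original post. It assumes a Connect-VIServer session and PowerCLI 6.3 or later; $StigVibName is a placeholder, and you should take the real value from the Name column of esxcli software vib list on a host where the Fling is installed. It checks the three things this post touches on: the VIB is present, SSH is not left running, and the DOD banner is set.

```powershell
# Added example, not part of the Fling. Assumes a Connect-VIServer session and
# PowerCLI 6.3+ (Get-EsxCli -V2). $StigVibName is a placeholder for the VIB's
# real name as shown by "esxcli software vib list".
$StigVibName = 'stig-vib'   # placeholder

function Get-StigHostStatus {
    param([Parameter(Mandatory)] $VMHost)

    $esxcli  = Get-EsxCli -VMHost $VMHost -V2
    $vibs    = $esxcli.software.vib.list.Invoke()
    $stigVib = $vibs | Where-Object { $_.Name -eq $StigVibName }
    $stigVersion = if ($stigVib) { $stigVib.Version } else { 'MISSING' }

    # The VIB hardens sshd_config, but the STIG also expects SSH off unless
    # needed; report both the running state and the startup policy.
    $ssh = Get-VMHostService -VMHost $VMHost | Where-Object { $_.Key -eq 'TSM-SSH' }

    # The banner lives in the same advanced setting the post sets above; the
    # match is on the opening words of the DOD consent text.
    $banner = (Get-AdvancedSetting -Entity $VMHost -Name 'Annotations.WelcomeMessage').Value

    [pscustomobject]@{
        Host       = $VMHost.Name
        Acceptance = $esxcli.software.acceptance.get.Invoke()
        StigVib    = $stigVersion
        SshRunning = [bool]$ssh.Running
        SshPolicy  = $ssh.Policy      # 'off' is what you want; 'on' starts SSH at boot
        DodBanner  = [bool]($banner -match 'U\.S\. Government')
    }
}

$report = Get-VMHost | ForEach-Object { Get-StigHostStatus -VMHost $_ }
$report | Format-Table -AutoSize

# Hosts needing attention: no VIB, SSH running, or the banner not set
$report | Where-Object { $_.StigVib -eq 'MISSING' -or $_.SshRunning -or -not $_.DodBanner }
```

The report is read-only, so it is safe to run on a schedule; pipe $report to Export-Csv if you need evidence for an assessor.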