ESXi 6.5 STIG Welcome Message

So the ESXi 6.5 Security Technical Implementation Guide (STIG) finally released in May 2019. Unfortunately, some of the items I would have liked to see fixed or updated were not. One of the biggest pet peeves is the Annotations.WelcomeMessage advanced setting check. This setting updates the /etc/vmware/welcome file in the filesystem.

If the STIG fix text is implemented as stated, then you get an unsightly Direct Console User Interface (DCUI). The first screenshot below is what the text looks like if you copy and paste using vi on the terminal. The second screenshot shows the resulting DCUI.

There is a VMware Fling called DoD Security Technical Implementation Guide(STIG) ESXi VIB found at https://labs.vmware.com/flings/dod-security-technical-implementation-guide-stig-esxi-vib, that when implemented, results in a really nice looking DCUI window. The only thing about implementing this VIB is that it changes the permissions on the files in the filesystem, which I found terribly annoying. I wrote a post, http://box5304.temp.domains/~aaronrp2/vmware-esxi-6-5-stig-default-file-permissions/, that explains what the default permissions are supposed to be and how to change them back.

The first screenshot below shows what /etc/vmware/welcome looks like after installing the VIB. Clearly, the differences are already apparent. The second screenshot shows the resulting DCUI. It is a much more professional looking console to look at.

It would be nice to see the STIG ‘Fix Text’ get updated to reflect this better looking code at some point. The only thing I can think of that prevents this is the STIG Viewer collapses white space and that’s why we get what we get. I am including the better looking text in /etc/vmware/welcome below so that if you want to update your copy, you can. Unfortunately, I have been unable to figure out how to populate the Annotations.WelcomeMessage advanced setting in a Host Profile if you are wanting to implement this STIG at scale. Everytime I copy and paste, something gets messed up with line feeds and white space. The only way I can get the result I am looking for is to write to the /etc/vmware/welcome file directly or install the VIB.

{bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{hostname} , {ip}{/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{esxproduct} {esxversion}{/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{memory} RAM{/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:black}{color:white}        {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black}                                                                                                                          {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black}  You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By      {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black}  using this IS (which includes any device attached to this IS), you consent to the following conditions:                 {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black}                                                                                                                          {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black}  -       The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited     {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black}          to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law      {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black}          enforcement (LE), and counterintelligence (CI) investigations.                                                  {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black}                                                                                                                          {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black}  -       At any time, the USG may inspect and seize data stored on this IS.                                              {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black}                                                                                                                          {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black}  -       Communications using, or data stored on, this IS are not private, are subject to routine monitoring,            {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black}          interception, and search, and may be disclosed or used for any USG-authorized purpose.                          {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black}                                                                                                                          {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black}  -       This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not     {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black}          for your personal benefit or privacy.                                                                           {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black}                                                                                                                          {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black}  -       Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching    {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black}          or monitoring of the content of privileged communications, or work product, related to personal representation  {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black}          or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work       {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black}          product are private and confidential. See User Agreement for details.                                           {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black}                                                                                                                          {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}                                                                                                                          {/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}                                                                                                                          {/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}                                                                                                                          {/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}                                                                                                                          {/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}                                                                                                                          {/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}                                                                                                                          {/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}                                                                                                                          {/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}                                                                                                                          {/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}                                                                                                                          {/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}                                                                                                                          {/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}                                                                                                                          {/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}                                                                                                                          {/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}                                                                                                                          {/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}                                                                                                                          {/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}                                                                                                                          {/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}                                                                                                                          {/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}                                                                                                                          {/color}{/bgcolor}
{bgcolor:black} {/color}{align:left}{bgcolor:dark-grey}{color:white}   Accept Conditions and Customize System / View Logs{/align}{align:right} Accept Conditions and Shut Down/Restart  {bgcolor:black} {/color}{/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}                                                                                                                          {/color}{/bgcolor}

Making a REST API Request in vRealize Orchestrator

This was a tough nut to crack for me. I definitely don’t ever want to struggle through learning this topic again. I hope if you are reading this, I can save you a ton of lost time. I use Postman to scope out the concepts before trying to translate them in vRealize Orchestrator (vRO). When you see text surrounded by curly braces like, {{text}}, you can replace with your environment variables. If you are using Postman, then set this as an environment variable. It will save you a lot of typing in the long run.

First, here is the URL for the Swagger UI:
https://{{vRealize Server Fully Qualified Domain Name (FQDN)}}/vco/api/doc/index.html

Recover vCenter Appliance after Power/Storage Failure

Well, this would have saved me quite a bit of time in my past. My storage device got unplugged from the network while my lab was running and vCenter refused to come back. This is expected as the appliance has an embedded database.

I found this article from VMware that worked! It took less than 10 minutes.

https://kb.vmware.com/s/article/2149838

Use Shift + PgUp to scroll through the boot process and find out what filesystem, if any, is causing trouble.

Then type df -h to ensure none of the filesystems are full.

Compare /etc/fstab with the output from dh -f.

Once you have identified the missing or corrupt filesystem, run

e2fsck -y /dev/filesystem-that-needs-to-be-checked

Reboot the appliance and away you go!

reboot

ESXi Ruleset & Firewall Correlation

Working with VMware is usually a breeze. Unfortunately, this time I ran into an issue while setting up a new Host Profile, specifically the Ruleset Configuration for the Firewall, during the configuration for a DISA STIG. Almost all of the rules match a Firewall named rule but there are Firewall rules that do not have corresponding Ruleset names. I looked through VMware documentation, Reddit, and of course Google. I was unable to find any information where the two were together. So…I decided I would take on the task myself and of course share this with everyone.

VMware does provide an Incoming and Outgoing Firewall Ports for ESXi Hosts article (https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-171B99EA-15B3-4CC5-8B9A-577D8336FAA0.html) but the service is only listed, not the corresponding Ruleset Configuration name. This is what the following table will help fill-in.

ESXi Ruleset & Firewall Correlation Table
  • Default – The service is enabled upon initial install
  • Survive Reboot – The service will be enabled after rebooting the host
  • Ruleset Name – Host Profile > Security and Services > Firewall Configuration > Firewall Configuration > Ruleset Configuration
  • Ruleset Order – This is the order the rules are presented in the Host Profile
  • Firewall Name – The name from Configure > System > Security Profile > Firewall menu
  • In-Ord – This is the order of the incoming rules in the UI
  • In – These are the ingress TCP/UDP ports
  • Out-Ord – This is the order of the outgoing rules in the UI
  • Out – These are the egress TCP/UDP ports

How to Dot Source a PowerShell Script

So I wrote a script the other day in PowerShell ISE and it worked fine. But when I wanted to use the function in a standard PowerShell window, I was perplexed. It is actually a really easy thing to take care of.

In the case of my server, I wrote a PowerShell function and stored it in my Documents folder. So when opening a new PowerShell window, all I had to do was run the following command:

PS C:\Users\<username>\Documents> . .\New-Function.ps1

This made all of the functions written in the script available for use during my current session. For me and this case, I am OK with only running the script when needed.

Role-based Access Control (RBAC)

I would have to say that this topic is probably one of the biggest pet peeves of mine in the Information Technology field. Why do Systems Administrators not use Security Groups correctly (mind you, Microsoft administrators usually)? Why do I go to a site and most often find that permissions are given directly to a leaf object (user) and not to a security group? How does an administrator worth their salt get away with this and more importantly, why do they want to do this? It ends up creating more work in the end and clutters Active Directory.

It’s really not hard to follow the following principle, IGDLA, but it is if the system has already been in use for quite some time. In order to correct this situation, generally, a forklift upgrade would have to take place.

So, you are probably wondering what IGDLA is? It’s actually an acronym that stands for the following:

I – Identities (user objects)
G – Global groups (containers to hold user objects with common functions, Human Resources, Information Technology, Supervisors, etc)
DL – Domain local security groups (these are where the permissions are actually applied)
A – Access (this is the access given to the DL, such as, read or read and write)

What’s confusing to a lot of administrators is when it comes to nesting. They get too granular and then the system just breaks down and they start to throw individuals in and give them permissions. The problem with this is when that particular user leaves the organization or no longer requires that access, there is no easy way to enumerate all the places they had access to and remove it.

Let’s use the following image as an example to work with.

At a minimum, an organization should have a security group created to contain users who perform similar functions. Users can, and usually are, part of more than one security group. For instance, in my organization, I am part of the ‘Information Technology’ team. More specifically, I am a Server Administrator and have an office symbol. Everyone with the same office symbol performs a similar function, we are part of a group. I would be part of the ‘Server Team’ security group.

Now let’s also imagine that I am part of a morale committee called, Fish! (based off the novel, Fish!: A Proven Way to Boost Morale and Improve Results, by Stephen C. Lundin). I would also belong to a security group called ‘Fish Committee’. In this group with me are various other people in the organization.

Starting Out, On Boarding

On-boarding, join an organization and get placed into correct department security group

IT sets up a file plan and sets file access appropriately. This means that when you are placed into the one security group, your department group, it will be nested in all the appropriate places you need access for. If you find that you do not have access to something, maybe it is due to fulfilling, or not as a matter of fact, a different role. This means the role based access is working correctly. You do not have the need to know in the role you are assuming and therefore do not require the access you seek. If you are truly in another role, then once you are placed in that role’s security group, you will have the access you require, nothing more.

Off boarding

When you have decided to leave the organization, or the decision has been made for you, the IT staff only needs to disable your account in one place. All of the groups you were a part of can be removed and they are done at that point. There is no digging around looking for where you may have had access to.

Notes

MongoDB 4 Quick Start Guide by Doug Bierer Published by Packt Publishing, 2018

Role-based access control It’s important to note the difference between a role (https://docs.mongodb.com/manual/core/authorization/#role-based-access-control) and a user. Privileges are granted to roles. Roles, in turn, are assigned to users. This arrangement vastly minimizes the complications which could arise as the numbers of database users increases. In addition, one role can inherit from another, which allows you to create a hierarchy of privileges and minimize the number of assignments which need to be made.

Ideas

  • Roles with regards to accessing Organization file plans
  • Roles with regards to Microsoft Active Directory

Benefits

  • Users share the same permissions (uniform)
  • Can easily enumerate a user’s access

Pitfalls

  • Hard to implement after a system has already been established
  • Must teach junior administrators the correct method

Change the Canonical Name (CN) of an Active Directory User

One of the most annoying things for me (and I assume many other Systems Administrators) is going into an organization and querying users to find all variations of name formats. Some are ‘first name last name’, ‘last name, first name’, or some other variation. It’s almost like an archeological dig where you can see periods of time that there was one format and then later on another format came along.

What’s frustrating is knowing how easy it is to change the format and that it doesn’t happen. It’s fine if the organization wants to change the format, but if that’s the case, then be sure to change the information already contained to match. There is nothing wrong with periodically running a “cleanup” script over Active Directory to make everything uniform. The great thing about Active Directory is that it is a database, it already contains the information. The DisplayName property and the cn are display properties, they can be changed whenever without affecting the user object. Also, running a script like the one below can clean up and make Active Directory uniform in a matter of seconds, if not less.

	# Where the users are located that you want to change
	$exerciseUsersOU = 'OU=USERS,OU=TEMPORARY,DC=aaronrombaut,DC=com'
	# An array of the users (adjust Properties as needed)
	$exerciseUsers = Get-ADUser -Filter * -SearchBase $exerciseUsersOU -Properties Title, GivenName, Surname
	
	# Loop through all the users
	foreach ($exerciseUser in $exerciseUsers)
	{
		$title = $exerciseUser.Title
		$firstName = $exerciseUser.GivenName
		$lastName = $exerciseUser.Surname
		
		# The following line will adjust the DisplayName
		Set-ADUser -Identity $exerciseUser -DisplayName "$lastName, $firstName, $title"
		
		# The following line will adjust the cn
		Rename-ADObject -Identity $exerciseUser -NewName "$lastName, $firstName"
	}

The following images show a before and after but are only a representation of what you can rename from and to. Your organization may use different naming standards. Either way, when standards change, be sure to adjust the objects already present. This will be much more professional and organized.

Before renaming the User
After renaming the User