VMware ESXi 6.5 STIG Default File Permissions

Sorry for the long title, but I wanted it to be descriptive enough to understand and search. So recently, I was testing out the VMware Fling, “DoD Security Technical Implementation Guide (STIG) ESXi VIB”, to try to speed up how I secure my hosts. Unfortunately, it changed the default file permissions on my files and I didn’t have the defaults documented. So I went to my lab, installed a fresh copy of ESXi 6.5 and connected to it with SSH. Yes, I am fully aware that I should have started in my lab and then moved on to production. Eh, you win some and you lose some.

The Fling updates the following files to comply with the 6.0 STIG (http://iasecontent.disa.mil/stigs/zip/U_VMware_vSphere_6-0_ESXi_V1R4_STIG.zip). At the time of this writing, the 6.5 STIG still has not been released.

  • /etc/issue
  • /etc/pam.d/passwd
  • /etc/ssh/sshd_config
  • /etc/vmware/welcome

Here are the file permissions on a default ESXi 6.5 installation.

/etc/issue (octal 1644)

[root@localhost:~] ls -la /etc/issue
-rw-r--r-T 1 root root 0 Apr 7 2017 /etc/issue


/etc/pam.d/passwd (octal 1644)

[root@localhost:~] ls -la /etc/pam.d/passwd
-rw-r--r-T 1 root root 335 Apr 7 2017 /etc/pam.d/passwd


/etc/ssh/sshd_config (octal 1600)

[root@localhost:~] ls -la /etc/ssh/sshd_config
-rw------T 1 root root 1115 Apr 7 2017 /etc/ssh/sshd_config


/etc/vmware/welcome (octal 1644)

[root@localhost:~] ls -la /etc/vmware/welcome
-rw-r--r-T 1 root root 0 Apr 7 2017 /etc/vmware/welcome


Each digit of the octal mode breaks down as follows (the capital T at the end of the ls output means the sticky bit is set while the execute bit for everyone is not):

  • 1000 is the sticky bit
  • 0600 is read (r) and write (w) for the owning user
  • 0040 is read (r) for the group
  • 0004 is read (r) for everyone

‘chmod 1644 <filename>’ sets the mode of the file to the permissions described above.

