ESXi Ruleset & Firewall Correlation

Working with VMware is usually a breeze. Unfortunately, this time I ran into an issue while setting up a new Host Profile, specifically the Ruleset Configuration for the Firewall, while configuring hosts to meet the DISA STIG. Almost all of the rulesets match a named Firewall rule, but some Firewall rules have no corresponding Ruleset name. I looked through VMware documentation, Reddit, and of course Google, and could not find anywhere that listed the two side by side. So…I decided to take on the task myself and, of course, share the result with everyone.

VMware does provide an Incoming and Outgoing Firewall Ports for ESXi Hosts article (https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-171B99EA-15B3-4CC5-8B9A-577D8336FAA0.html), but it lists only the service, not the corresponding Ruleset Configuration name. That is the gap the following table fills in.

ESXi Ruleset & Firewall Correlation Table
  • Default – Whether the service is enabled on a fresh install
  • Survive Reboot – Whether the service remains enabled after the host reboots
  • Ruleset Name – The name shown under Host Profile > Security and Services > Firewall Configuration > Firewall Configuration > Ruleset Configuration
  • Ruleset Order – The order in which the rulesets are presented in the Host Profile
  • Firewall Name – The name shown under Configure > System > Security Profile > Firewall
  • In-Ord – The order of the incoming rules in the UI
  • In – The ingress TCP/UDP ports
  • Out-Ord – The order of the outgoing rules in the UI
  • Out – The egress TCP/UDP ports
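The Ruleset Name, In and Out columns of that table can also be pulled straight from a host. The script below is an added example, not part of the original post: it parses the output of `esxcli network firewall ruleset rule list` and prints, per ruleset name, the inbound and outbound protocol/port pairs. The SAMPLE rows are constructed here so the script runs offline; they follow the column layout esxcli prints but are illustrative, not a dump from any particular host. On a real host, pipe the live esxcli output into ruleset_ports instead.

```shell
#!/bin/sh
# Added example, not from the original post or from VMware.
# Builds a "ruleset -> inbound/outbound ports" correlation from the table
# printed by:  esxcli network firewall ruleset rule list
#
# SAMPLE is constructed for offline use. It mimics the esxcli layout
# (Ruleset / Direction / Protocol / Port Type / Port Begin / Port End);
# the rows are plausible but were not captured from any host.
SAMPLE='Ruleset         Direction  Protocol  Port Type  Port Begin  Port End
--------------  ---------  --------  ---------  ----------  --------
sshServer       Inbound    TCP       Dst        22          22
sshClient       Outbound   TCP       Dst        22          22
vSphereClient   Inbound    TCP       Dst        902         902
vSphereClient   Inbound    TCP       Dst        443         443
ntpClient       Outbound   UDP       Dst        123         123
dhcp            Inbound    UDP       Dst        68          68
dhcp            Outbound   UDP       Dst        68          68'

# ruleset_ports: reads esxcli rule rows on stdin and prints one line per
# ruleset, in first-seen order:  <ruleset> in=<proto/port,...> out=<...>
# A ruleset with no rules in one direction gets "-" for that column.
ruleset_ports() {
  awk '
    NR <= 2 { next }                         # header line and dashed line
    NF < 6  { next }                         # ignore anything that is not a rule row
    {
      name = $1; dir = $2; proto = $3; pb = $5; pe = $6
      port  = (pb == pe) ? pb : pb "-" pe    # collapse single-port ranges
      entry = proto "/" port
      if (!(name in seen)) { seen[name] = 1; order[++n] = name }
      if (dir == "Inbound") in_[name] = (in_[name] ? in_[name] "," : "") entry
      else                  out[name] = (out[name] ? out[name] "," : "") entry
    }
    END {
      for (i = 1; i <= n; i++) {
        name = order[i]
        printf "%s in=%s out=%s\n", name,
               (name in in_ ? in_[name] : "-"),
               (name in out ? out[name] : "-")
      }
    }'
}

# ports_for RULESET: the correlation line for a single ruleset from SAMPLE
ports_for() {
  printf '%s\n' "$SAMPLE" | ruleset_ports | awk -v n="$1" '$1 == n'
}

# Offline run over the constructed sample. On a host, replace the printf with:
#   esxcli network firewall ruleset rule list | ruleset_ports
printf '%s\n' "$SAMPLE" | ruleset_ports
```

Pair the output with `esxcli network firewall ruleset list` (which prints Name and Enabled) to fill the Default column for a fresh host, and re-run it after a reboot to check Survive Reboot.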

VMware ESXi 6.5 STIG Default File Permissions

Sorry for the long title, but I wanted it to be descriptive enough to understand and to search for. Recently I was testing out the VMware Fling “DoD Security Technical Implementation Guide (STIG) ESXi VIB” to speed up how I secure my hosts. Unfortunately, it changed the default permissions on several files, and I didn’t have the defaults documented. So I went to my lab, installed a fresh copy of ESXi 6.5 and connected to it with SSH. Yes, I am fully aware that I should have started in my lab and then moved on to production. Eh, you win some and you lose some.

The following files are modified by the Fling to comply with the vSphere 6.0 STIG (http://iasecontent.disa.mil/stigs/zip/U_VMware_vSphere_6-0_ESXi_V1R4_STIG.zip). At the time of this writing, the 6.5 STIG has not yet been released.

  • /etc/issue
  • /etc/pam.d/passwd
  • /etc/ssh/sshd_config
  • /etc/vmware/welcome

Here are the file permissions on a default ESXi 6.5 installation.

/etc/issue (octal 1644)

[root@localhost:~] ls -la /etc/issue
-rw-r--r-T 1 root root 0 Apr 7 2017 /etc/issue


/etc/pam.d/passwd (octal 1644)

[root@localhost:~] ls -la /etc/pam.d/passwd
-rw-r--r-T 1 root root 335 Apr 7 2017 /etc/pam.d/passwd


/etc/ssh/sshd_config (octal 1600)

[root@localhost:~] ls -la /etc/ssh/sshd_config
-rw------T 1 root root 1115 Apr 7 2017 /etc/ssh/sshd_config


/etc/vmware/welcome (octal 1644)

[root@localhost:~] ls -la /etc/vmware/welcome
-rw-r--r-T 1 root root 0 Apr 7 2017 /etc/vmware/welcome


Reading the four octal digits from left to right:

1000 is the sticky bit
0600 is read (r) and write (w) for the user (owner)
0040 is read (r) for the group
0004 is read (r) for everyone else

The capital T in the last position of the ls output (for example -rw-r--r-T) is how ls shows a sticky bit that is set on a file whose “others” execute bit is clear; a lowercase t would mean both bits are set. When restoring these permissions, keep the leading 1: ‘chmod 1644 <filename>’ sets exactly the mode shown above, whereas ‘chmod 644’ would also clear the sticky bit.
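Checking a host against those defaults by hand means converting -rw-r--r-T in your head for every file. The script below is an added example, not part of the original post or of the Fling: sym_to_octal turns the symbolic mode column of `ls -l` into the four-digit octal form used above (handling setuid, setgid and sticky, and the t/T and s/S distinction), and check_modes compares an `ls -l` listing against the expected modes. LISTING is constructed here from the values in this post, with sshd_config deliberately changed to 644 so the FAIL path is exercised; on a host, pipe a real `ls -l` of the four files into check_modes instead. It parses ls rather than calling stat(1) so it behaves the same in the ESXi BusyBox shell and on a Linux workstation.

```shell
#!/bin/sh
# Added example, not from the original post or from VMware.
# Audits ESXi config file permissions against the documented 6.5 defaults.

# sym_to_octal SYMBOLIC: "-rw-r--r-T" -> "1644", "-rw-r--r--" -> "0644"
# Leading digit: 4 = setuid, 2 = setgid, 1 = sticky (summed when combined).
sym_to_octal() {
  printf '%s\n' "$1" | awk '{
    s = substr($0, 2, 9)                     # drop the file-type character
    special = 0; out = ""
    for (g = 0; g < 3; g++) {                # owner, group, others
      v = 0
      r = substr(s, g*3 + 1, 1); w = substr(s, g*3 + 2, 1); x = substr(s, g*3 + 3, 1)
      if (r == "r") v += 4
      if (w == "w") v += 2
      if (x == "x" || x == "s" || x == "t") v += 1   # lowercase => execute bit also set
      if (x == "s" || x == "S") special += (g == 0) ? 4 : 2   # setuid (owner) / setgid (group)
      if (x == "t" || x == "T") special += 1                  # sticky bit (others column)
      out = out v
    }
    print special out
  }'
}

# Expected modes, taken from the listing in this post.
EXPECTED='/etc/issue 1644
/etc/pam.d/passwd 1644
/etc/ssh/sshd_config 1600
/etc/vmware/welcome 1644'

# check_modes: reads `ls -l` lines on stdin, prints PASS/FAIL per known file,
# returns 1 if any file deviates from EXPECTED. Unknown paths are skipped.
check_modes() {
  rc=0
  while read -r mode links owner group size month day yeartime path; do
    [ -n "$path" ] || continue               # skips "total N" and blank lines
    want=$(printf '%s\n' "$EXPECTED" | awk -v p="$path" '$1 == p { print $2 }')
    [ -n "$want" ] || continue
    got=$(sym_to_octal "$mode")
    if [ "$got" = "$want" ]; then
      printf 'PASS %s %s\n' "$path" "$got"
    else
      printf 'FAIL %s expected %s got %s\n' "$path" "$want" "$got"
      rc=1
    fi
  done
  return $rc
}

# Constructed listing: the post's values, with sshd_config deliberately
# loosened to 0644 to show a failing check.
LISTING='-rw-r--r-T 1 root root    0 Apr  7  2017 /etc/issue
-rw-r--r-T 1 root root  335 Apr  7  2017 /etc/pam.d/passwd
-rw-r--r-- 1 root root 1115 Apr  7  2017 /etc/ssh/sshd_config
-rw-r--r-T 1 root root    0 Apr  7  2017 /etc/vmware/welcome'

# On a host:  ls -l /etc/issue /etc/pam.d/passwd /etc/ssh/sshd_config /etc/vmware/welcome | check_modes
printf '%s\n' "$LISTING" | check_modes || echo "one or more files deviate from the documented defaults"
```

Because the comparison is on the full four-digit value, a file that has the right 644 but has lost its sticky bit (0644 instead of 1644) is reported as a FAIL rather than silently passing.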