updates for vsphere 7 v1r3

.github/workflows/code-linting.yml

@@ -288,27 +288,3 @@ jobs:
       - uses: ansible-community/ansible-lint-action@main
         with:
           path: "nsx/4.x/ansible/vmware-nsx-4.x-stig-ansible-hardening/"
-  ansiblelint-vsphere70-esxi:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Clone Repo
-        uses: actions/checkout@v3
-      - name: Install Collections
-        run: ansible-galaxy collection install -f -r vsphere/7.0/vsphere/ansible/vmware-esxi-7.0-stig-ansible-hardening/requirements.yml -p /home/runner/work/dod-compliance-and-automation/dod-compliance-and-automation/collections
-      - uses: ansible-community/ansible-lint-action@main
-        env:
-          ANSIBLE_COLLECTIONS_PATH: '/home/runner/work/dod-compliance-and-automation/dod-compliance-and-automation/collections'
-        with:
-          path: "vsphere/7.0/vsphere/ansible/vmware-esxi-7.0-stig-ansible-hardening/"
-  ansiblelint-vsphere70-vm:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Clone Repo
-        uses: actions/checkout@v3
-      - name: Install Collections
-        run: ansible-galaxy collection install -f -r vsphere/7.0/vsphere/ansible/vmware-esxi-7.0-stig-ansible-hardening/requirements.yml -p /home/runner/work/dod-compliance-and-automation/dod-compliance-and-automation/collections
-      - uses: ansible-community/ansible-lint-action@main
-        env:
-          ANSIBLE_COLLECTIONS_PATH: '/home/runner/work/dod-compliance-and-automation/dod-compliance-and-automation/collections'
-        with:
-          path: "vsphere/7.0/vsphere/ansible/vmware-vm-7.0-stig-ansible-hardening/"

saf-manifest.json

@@ -5,9 +5,9 @@
     "vendor": "VMware",
     "guidance": {
       "name": "VMware vSphere 7 STIG",
-      "version": "V1R2",
+      "version": "V1R3",
       "date": "July 24, 2023",
-      "source": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_7-0_Y23M07_STIG.zip",
+      "source": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_7-0_Y24M01_STIG.zip",
       "type": "Official STIG",
       "category": "Virtual Platforms"
     },
@@ -30,15 +30,15 @@
     "validation": [
       {
         "name": "VMware vSphere vCenter Appliance 7.0 STIG Chef InSpec Profile",
-        "version": "V1R2",
-        "date": "July 24, 2023",
+        "version": "V1R3",
+        "date": "January 22, 2024",
         "source": "https://github.com/vmware/dod-compliance-and-automation/tree/master/vsphere/7.0/vcsa/inspec/vmware-vcsa-7.0-stig-baseline",
         "platform": "InSpec"
       },
       {
         "name": "VMware vSphere 7.0 STIG Chef InSpec Profile",
-        "version": "V1R2",
-        "date": "July 24, 2023",
+        "version": "V1R3",
+        "date": "January 22, 2024",
         "source": "https://github.com/vmware/dod-compliance-and-automation/tree/master/vsphere/7.0/vsphere/inspec/vmware-vsphere-7.0-stig-baseline",
         "platform": "InSpec"
       }

vsphere/7.0/README.md

@@ -1,7 +1,7 @@
 # VMware vSphere 7.0 DoD STIG Compliance and Automation
 
 ## Overview
-*STIG Status: Officially published Version 1 Release 2*
+*STIG Status: Officially published Version 1 Release 3*
 
 [Visit public.cyber.mil for the latest official releases](https://public.cyber.mil/stigs/)
 

vsphere/7.0/vcsa/README.md

@@ -4,4 +4,4 @@
 The vCenter Server Appliance (VCSA) is vCenter as you know it but delivered without the dependency on Windows Server. The bundle includes a Linux operating system, a number of web servers and a database, as illustrated below. The green boxes are in scope of this STIG while the vCenter application itself is addressed separately.
 
 
-<img src="https://github.com/vmware/dod-compliance-and-automation/blob/vsphere7/vsphere/7.0/vcsa/Diagram.png" width="484" height="457">
+<img src="https://github.com/vmware/dod-compliance-and-automation/blob/master/vsphere/7.0/vcsa/Diagram.png" width="484" height="457">

vsphere/7.0/vcsa/inspec/vmware-vcsa-7.0-stig-baseline/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Change Log
 
+## [7.0 Official STIG Version 1 Release 3] (2024-01-22)
+
+#### Release Notes
+- Updated metadata to match official STIG V1R3
+- PHTN-30-000089 updated check to check for masking of the service
+
 ## [7.0 Official STIG Version 1 Release 2] (2023-07-26)
 
 #### Release Notes

vsphere/7.0/vcsa/inspec/vmware-vcsa-7.0-stig-baseline/README.md

@@ -1,6 +1,6 @@
 # vmware-vcsa-7.0-stig-baseline
 VMware vSphere vCenter Appliance 7.0 STIG Chef InSpec Profile  
-Version: Release 1 Version 2 Date: 26 July 2023  
+Version: Release 1 Version 3 Date: 22 January 2024    
 STIG Type: Official STIG
 
 ## VCSA InSpec Profiles

vsphere/7.0/vcsa/inspec/vmware-vcsa-7.0-stig-baseline/inspec.yml

@@ -1,11 +1,11 @@
 name: vmware-vcsa-7.0-stig-baseline
-title: InSpec Wrapper Profile for VMware vCenter Server Appliance 7.0 STIG Version 1 Release 2
+title: InSpec Wrapper Profile for VMware vCenter Server Appliance 7.0 STIG Version 1 Release 3
 maintainer: VMTA
 copyright: VMware
 copyright_email: [email protected]
 license: Apache-2.0
 summary: An InSpec Compliance Profile
-version: 1.0.2
+version: 1.0.3
 
 depends:
   - name: eam

vsphere/7.0/vcsa/inspec/vmware-vcsa-7.0-stig-baseline/photon/controls/PHTN-30-000064.rb

@@ -15,7 +15,7 @@
 
 Expected result:
 
-ciphers [email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
+ciphers aes128-ctr,[email protected],aes192-ctr,[email protected],aes256-ctr
 
 If the output matches the ciphers in the expected result or a subset thereof, this is not a finding.
 
@@ -26,7 +26,7 @@
 
 Ensure the "Ciphers" line is uncommented and set to the following:
 
-Ciphers [email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
+Ciphers aes128-ctr,[email protected],aes192-ctr,[email protected],aes256-ctr
 
 At the command line, run the following command:
 

vsphere/7.0/vcsa/inspec/vmware-vcsa-7.0-stig-baseline/photon/controls/PHTN-30-000089.rb

@@ -8,10 +8,10 @@
 Expected result:
 
 ctrl-alt-del.target
-Loaded: masked (/dev/null; bad)
+Loaded: masked (Reason: Unit ctrl-alt-del.target is masked.)
 Active: inactive (dead)
 
-If the output does not match the expected result, this is a finding.'
+If the "ctrl-alt-del.target" is not "inactive" and "masked", this is a finding.'
   desc 'fix', 'At the command line, run the following command:
 
 # systemctl mask ctrl-alt-del.target'
@@ -30,4 +30,10 @@
     it { should_not be_enabled }
     it { should_not be_running }
   end
+  describe systemd_service('ctrl-alt-del.target').params['LoadState'] do
+    it { should cmp 'masked' }
+  end
+  describe systemd_service('ctrl-alt-del.target').params['UnitFileState'] do
+    it { should cmp 'masked' }
+  end
 end

vsphere/7.0/vcsa/inspec/vmware-vcsa-7.0-stig-baseline/photon/controls/PHTN-30-000109.rb

@@ -7,11 +7,12 @@
 
 Expected result:
 
+/etc/ssh/ssh_host_dsa_key permissions are 600 and owned by root:root
 /etc/ssh/ssh_host_ecdsa_key permissions are 600 and owned by root:root
 /etc/ssh/ssh_host_ed25519_key permissions are 600 and owned by root:root
 /etc/ssh/ssh_host_rsa_key permissions are 600 and owned by root:root
 
-If the output does not match the expected result, this is a finding.'
+If any key file listed is not owned by root or not group owned by root or does not have permissions of "0600", this is a finding.'
   desc 'fix', 'At the command line, run the following commands for each returned file:
 
 # chmod 600 <file>

vsphere/7.0/vcsa/inspec/vmware-vcsa-7.0-stig-baseline/photon/inspec.yml

@@ -5,7 +5,7 @@ copyright: The Authors
 copyright_email:
 license: Apache-2.0
 summary: An InSpec Compliance Profile
-version: 1.0.2
+version: 1.0.3
 
 inputs:
 - name: verbose

vsphere/7.0/vsphere/ansible/vmware-esxi-7.0-stig-ansible-hardening/README.md

@@ -1,4 +1,9 @@
 # vmware-esxi-7.0-stig-ansible-hardening
+## NOTICE
+This playbook is currently not maintained by the VMware team with no support provided.
+
+## Overview
+
 VMware vSphere ESXi 7.0 STIG Readiness Guide Ansible Playbook
 
 Version: Version 1 Release 4: 28 October 2022 

vsphere/7.0/vsphere/ansible/vmware-vm-7.0-stig-ansible-hardening/README.md

@@ -1,5 +1,10 @@
 
 # vmware-vm-7.0-stig-ansible-hardening
+## NOTICE
+This playbook is currently not maintained by the VMware team with no support provided.
+
+## Overview
+
 VMware vSphere VM 7.0 STIG Readiness Guide Ansible Playbook
 
 Version: Version 1 Release 4: 28 October 2022 

vsphere/7.0/vsphere/inspec/vmware-vsphere-7.0-stig-baseline/CHANGELOG.md

@@ -1,5 +1,10 @@
 # Change Log
 
+## [7.0 Version 1 Release 3 Official STIG] (2024-01-22)
+
+#### Release Notes
+- Updated metadata to match release of official STIG for vSphere 7 V1R3 for vCenter and VM STIGs
+
 ## [7.0 Version 1 Release 2 Official STIG] (2023-07-26)
 
 #### Release Notes

vsphere/7.0/vsphere/inspec/vmware-vsphere-7.0-stig-baseline/README.md

@@ -1,7 +1,7 @@
 # vmware-vsphere-7.0-stig-baseline
 VMware vSphere vCenter Appliance 7.0 STIG Chef InSpec Profile  
 InSpec profile for vSphere 7.0 vCenter, ESXi, and VM controls. Does not include appliance level controls  
-Version: Release 1 Version 2 Date: 26 July 2023  
+Version: Release 1 Version 3 Date: 22 January 2024   
 STIG Type: Official STIG 
 
 ## Overview

vsphere/7.0/vsphere/inspec/vmware-vsphere-7.0-stig-baseline/inputs-example.yml

@@ -20,7 +20,7 @@ mgtVlanId: "101"
 # If snmp is used in the environment change to true.
 snmpEnabled: "false"
 # Enter the latest build number for ESXi.
-esxiBuildNumber: "21424296"
+esxiBuildNumber: "22348816"
 # vCenter
 # Enter the environment specific syslog server vCenter should be forwarding logs to.
 syslogServers:

vsphere/7.0/vsphere/inspec/vmware-vsphere-7.0-stig-baseline/inspec.yml

@@ -1,11 +1,11 @@
 name: vmware-vsphere-7.0-stig-baseline
-title: InSpec Wrapper Profile for VMware vSphere 7.0 STIG Version 1 Release 2
+title: InSpec Wrapper Profile for VMware vSphere 7.0 STIG Version 1 Release 3
 maintainer: SCOPE/VMTA
 copyright: The Authors
 copyright_email: [email protected]
 license: Apache-2.0
 summary: An InSpec Compliance Profile that runs PowerCLI audit tests on ESXI, VMs, and vCenter
-version: 1.0.2
+version: 1.0.3
 
 depends:
   - name: esxi

vsphere/7.0/vsphere/inspec/vmware-vsphere-7.0-stig-baseline/vcenter/controls/VCSA-70-000268.rb

@@ -22,7 +22,7 @@
 Get-VDSwitch | Get-VDSecurityPolicy
 Get-VDPortgroup | ?{$_.IsUplink -eq $false} | Get-VDSecurityPolicy
 
-If the "Forged Transmits" policy is set to accept for a nonuplink port, this is a finding.'
+If the "Forged Transmits" policy is set to accept for a nonuplink port, and is not documented as an exception, this is a finding.'
   desc 'fix', 'From the vSphere Client, go to "Networking".
 
 Select a distributed switch and then select a port group.

vsphere/7.0/vsphere/inspec/vmware-vsphere-7.0-stig-baseline/vcenter/controls/VCSA-70-000270.rb

@@ -20,7 +20,7 @@
 Get-VDSwitch | Get-VDSecurityPolicy
 Get-VDPortgroup | ?{$_.IsUplink -eq $false} | Get-VDSecurityPolicy
 
-If the "Promiscuous Mode" policy is set to "Accept", this is a finding.'
+If the "Promiscuous Mode" policy is set to "Accept", and is not documented as an exception, this is a finding.'
   desc 'fix', 'From the vSphere Client, go to "Networking".
 
 Select a distributed switch and then select a port group.

vsphere/7.0/vsphere/inspec/vmware-vsphere-7.0-stig-baseline/vcenter/inspec.yml

@@ -6,7 +6,7 @@ copyright: The Authors
 copyright_email: 
 license: Apache-2.0
 summary: An InSpec Compliance Profile
-version: 1.0.2
+version: 1.0.3
 
 inputs:
   - name: embeddedIdp

vsphere/7.0/vsphere/inspec/vmware-vsphere-7.0-stig-baseline/vm/controls/VMCH-70-000029.rb

@@ -13,7 +13,7 @@
 
 From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:
 
-Get-VM | Where {($_.ExtensionData.Config.FtEncryptionMode -ne "ftEncryptionOpportunistic") -and ($_.ExtensionData.Config.FtEncryptionMode -ne "ftEncryptionRequired")}
+Get-VM | Where {$_.ExtensionData.Config.FtEncryptionMode -eq "ftEncryptionDisabled"}
 
 If the setting does not have a value of "Opportunistic" or "Required", this is a finding.'
   desc 'fix', 'From the vSphere Client, select the Virtual Machine, right-click, and go to Edit Settings >> VM Options tab >> Encryption >> FT Encryption.

vsphere/7.0/vsphere/inspec/vmware-vsphere-7.0-stig-baseline/vm/inspec.yml

@@ -6,7 +6,7 @@ copyright: The Authors
 copyright_email: 
 license: Apache-2.0
 summary: An InSpec Compliance Profile
-version: 1.0.2
+version: 1.0.3
 
 inputs:
   - name: vmName