Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-239302 | ESXI-67-000047 | SV-239302r674835_rule | High |
Description |
---|
Verify the ESXi Image Profile to only allow signed VIBs. An unsigned VIB represents untested code installed on an ESXi host. The ESXi Image profile supports four acceptance levels: 1. VMwareCertified - VIBs created, tested, and signed by VMware 2. VMwareAccepted - VIBs created by a VMware partner but tested and signed by VMware 3. PartnerSupported - VIBs created, tested, and signed by a certified VMware partner 4. CommunitySupported - VIBs that have not been tested by VMware or a VMware partner CommunitySupported VIBs are not supported and do not have a digital signature. To protect the security and integrity of ESXi hosts, do not allow unsigned (CommunitySupported) VIBs to be installed on hosts. Satisfies: SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650 |
STIG | Date |
---|---|
VMware vSphere 6.7 ESXi Security Technical Implementation Guide | 2022-01-05 |
Check Text ( C-42535r674833_chk ) |
---|
From the vSphere Client, select the ESXi host and go to Configure >> System >> Security Profile. Under "Host Image Profile Acceptance Level", view the acceptance level. or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2 $esxcli.software.acceptance.get.Invoke() If the acceptance level is "CommunitySupported", this is a finding. |
Fix Text (F-42494r674834_fix) |
---|
From the vSphere Client, select the ESXi host and go to Configure >> System >> Security Profile. Under "Host Image Profile Acceptance Level", click "Edit". Using the pull-down selection, set the acceptance level to be "VMwareCertified", "VMwareAccepted", or "PartnerSupported". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2 $arguments = $esxcli.software.acceptance.set.CreateArgs() $arguments.level = "PartnerSupported" $esxcli.software.acceptance.set.Invoke($arguments) Note: "VMwareCertified" or "VMwareAccepted" may be substituted for "PartnerSupported", depending on local requirements. These are also case sensitive. |