UCF STIG Viewer Logo

The ESXi host must enable Secure Boot.


Overview

Finding ID Version Rule ID IA Controls Severity
V-239327 ESXI-67-000076 SV-239327r674910_rule Medium
Description
Secure Boot is a protocol of UEFI firmware that ensures the integrity of the boot process from hardware up through to the OS. Secure Boot for ESXi requires support from the firmware and requires that all ESXi kernel modules, drivers, and vSphere Installation Bundles (VIBs) be signed by VMware or a partner subordinate.
STIG Date
VMware vSphere 6.7 ESXi Security Technical Implementation Guide 2022-01-05

Details

Check Text ( C-42560r674908_chk )
Temporarily enable SSH, connect to the ESXi host, and run the following command:

/usr/lib/vmware/secureboot/bin/secureBoot.py -s

If the output is not "Enabled", this is a finding.
Fix Text (F-42519r674909_fix)
Temporarily enable SSH, connect to the ESXi host, and run the following command:

/usr/lib/vmware/secureboot/bin/secureBoot.py -c

If the output indicates that Secure Boot cannot be enabled, correct the discrepancies and try again. If the discrepancies cannot be rectified, this finding is downgraded to a CAT III.

Consult vendor documentation and boot the host into BIOS setup mode. Enable UEFI boot mode and Secure Boot. Restart the host.

Temporarily enable SSH, connect to the ESXi host, and run the following command to verify that Secure Boot is enabled:

/usr/lib/vmware/secureboot/bin/secureBoot.py -s