Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-63823 | ESXI-06-100047 | SV-78313r1_rule | High |
Description |
---|
Verify the ESXi Image Profile to only allow signed VIBs. An unsigned VIB represents untested code installed on an ESXi host. The ESXi Image profile supports four acceptance levels: (1) VMwareCertified - VIBs created, tested and signed by VMware (2) VMwareAccepted - VIBs created by a VMware partner but tested and signed by VMware, (3) PartnerSupported - VIBs created, tested and signed by a certified VMware partner (4) CommunitySupported - VIBs that have not been tested by VMware or a VMware partner. Community Supported VIBs are not supported and do not have a digital signature. To protect the security and integrity of your ESXi hosts do not allow unsigned (CommunitySupported) VIBs to be installed on your hosts. |
STIG | Date |
---|---|
VMware vSphere ESXi 6.0 Security Technical Implementation Guide | 2019-01-04 |
Check Text ( C-64573r1_chk ) |
---|
From the vSphere Client select the ESXi Host and go to Configuration >> Security Profile. Under "Host Image Profile Acceptance Level" view the acceptance level. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: $esxcli = Get-EsxCli $esxcli.software.acceptance.get() If the acceptance level is CommunitySupported, this is a finding. |
Fix Text (F-69751r1_fix) |
---|
From the vSphere Client select the ESXi Host and go to Configuration >> Security Profile. Under "Host Image Profile Acceptance Level" edit the acceptance level to be either VMwareCertified, VMwareAccepted, or PartnerSupported. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: $esxcli = Get-EsxCli $esxcli.software.acceptance.Set("PartnerSupported") Note: VMwareCertified or VMwareAccepted may be substituted for PartnerSupported, depending upon local requirements. |