Check: ESXI-67-000047
VMware vSphere 6.7 ESXi STIG:
ESXI-67-000047
(in versions v1 r3 through v1 r1)
Title
The ESXi Image Profile and vSphere Installation Bundle (VIB) Acceptance Levels must be verified. (Cat I impact)
Discussion
Verify the ESXi Image Profile to only allow signed VIBs. An unsigned VIB represents untested code installed on an ESXi host. The ESXi Image profile supports four acceptance levels: 1. VMwareCertified - VIBs created, tested, and signed by VMware 2. VMwareAccepted - VIBs created by a VMware partner but tested and signed by VMware 3. PartnerSupported - VIBs created, tested, and signed by a certified VMware partner 4. CommunitySupported - VIBs that have not been tested by VMware or a VMware partner CommunitySupported VIBs are not supported and do not have a digital signature. To protect the security and integrity of ESXi hosts, do not allow unsigned (CommunitySupported) VIBs to be installed on hosts. Satisfies: SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650
Check Content
From the vSphere Client, select the ESXi host and go to Configure >> System >> Security Profile. Under "Host Image Profile Acceptance Level", view the acceptance level. or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2 $esxcli.software.acceptance.get.Invoke() If the acceptance level is "CommunitySupported", this is a finding.
Fix Text
From the vSphere Client, select the ESXi host and go to Configure >> System >> Security Profile. Under "Host Image Profile Acceptance Level", click "Edit". Using the pull-down selection, set the acceptance level to be "VMwareCertified", "VMwareAccepted", or "PartnerSupported". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2 $arguments = $esxcli.software.acceptance.set.CreateArgs() $arguments.level = "PartnerSupported" $esxcli.software.acceptance.set.Invoke($arguments) Note: "VMwareCertified" or "VMwareAccepted" may be substituted for "PartnerSupported", depending on local requirements. These are also case sensitive.
Additional Identifiers
Rule ID: SV-239302r878138_rule
Vulnerability ID: V-239302
Group Title: SRG-OS-000366-VMM-001430
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001749 |
The information system prevents the installation of organization-defined software components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization. |
CCI-001774 |
The organization employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system. |
CCI-002475 |
The information system implements cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components. |