Check: ESXI-65-000076
VMware vSphere 6.5 ESXi STIG:
ESXI-65-000076
(in versions v2 r4 through v1 r1)
Title
The ESXi host must enable Secure Boot. (Cat II impact)
Discussion
Secure Boot is a protocol of UEFI firmware that ensures the integrity of the boot process from hardware up through to the OS. Secure Boot for ESXi requires support from the firmware and it requires that all ESXi kernel modules, drivers, and VIBs be signed by VMware or a partner subordinate.
Check Content
Temporarily enable SSH, connect to the ESXi host and run the following command: /usr/lib/vmware/secureboot/bin/secureBoot.py -s If the output is not Enabled, this is a finding.
Fix Text
Temporarily enable SSH, connect to the ESXi host and run the following command: /usr/lib/vmware/secureboot/bin/secureBoot.py -c If the output indicates that Secure Boot cannot be enabled, correct the discrepancies and try again. If the discrepancies cannot be rectified this finding is downgraded to a CAT III. Consult your vendor documentation and boot the host into BIOS setup mode. Enable UEFI boot mode and Secure Boot. Restart the host. Temporarily enable SSH, connect to the ESXi host and run the following command to verify that Secure Boot is enabled: /usr/lib/vmware/secureboot/bin/secureBoot.py -s
Additional Identifiers
Rule ID: SV-207673r388482_rule
Vulnerability ID: V-207673
Group Title: SRG-OS-000480-VMM-002000
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |