1.2 Ensure the Image Profile VIB acceptance level is configured properly

Information

A VIB (vSphere Installation Bundle) is a collection of files that are packaged into an archive. The VIB contains
a signature file that is used to verify the level of trust. The ESXi Image Profile supports four VIB acceptance levels:

1. VMware Certified - VIBs created, tested, and signed by VMware
2. VMware Accepted - VIBs created by a VMware partner but tested and signed by
VMware
3. Partner Supported - VIBs created, tested, and signed by a certified VMware partner
4. Community Supported - VIBs that have not been tested by VMware or a VMware
partner

*Rationale*

The ESXi Image Profile should only allow signed VIBs because an unsigned VIB represents untested code installed on an ESXi host.
Also, use of unsigned VIBs will cause hypervisor Secure Boot to fail to configure. Community Supported VIBs do not have digital signatures.
To protect the security and integrity of your ESXi hosts, do not allow unsigned (CommunitySupported) VIBs to be installed on your hosts.

Solution

To implement the recommended configuration state, run the following PowerCLI
command-# Set the Software AcceptanceLevel for each host

Foreach ($VMHost in Get-VMHost ) {
$ESXCli = Get-EsxCli -VMHost $VMHost
$ESXCli.software.acceptance.Set('PartnerSupported')
}

See Also

https://workbench.cisecurity.org/files/2168

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7(5), CSCv7|2.2

Plugin: Unix

Control ID: 43b16443d480a1c192f0af8f45be87d29dc377c6bcf0457991553374ae9f2f2b