1.3 Ensure no unauthorized kernel modules are loaded on the host


By default, ESXi hosts do not permit the loading of kernel modules that lack valid digital
signatures. This feature can be overridden, which would allow unauthorized kernel
modules to be loaded.


VMware provides digital signatures for kernel modules. By default, the ESXi host does not
permit loading of kernel modules that lack a valid digital signature. However, this behavior
can be overridden, allowing unauthorized kernel modules to be loaded. Untested or
malicious kernel modules loaded on the ESXi host can put the host at risk of instability
and/or exploitation.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.


To implement the recommended configuration state, run the following PowerCLI
command:

# To disable a module:
$ESXCli = Get-EsxCli -VMHost MyHost
$ESXCli.system.module.set($false, $false, 'MyModuleName')

Note: evacuate VMs and place the host into maintenance mode before disabling kernel
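
One way to find which modules need the remediation above, added here as an example and not taken from the benchmark or from Tenable: it inventories modules per host through the same Get-EsxCli interface and flags loaded modules whose SignedStatus is not on an approved list. The function names, the sample records, and the 'VMware Signed' default are assumptions; confirm the status strings your own hosts report.

```powershell
# Added example (not benchmark or vendor code). Function names and sample data are hypothetical.
# Assumption: 'VMware Signed' is the SignedStatus string you accept; confirm on your hosts.
function Get-UnapprovedModule {
    param(
        [Parameter(Mandatory)] [object[]] $Module,
        [string[]] $ApprovedStatus = @('VMware Signed')
    )
    # Finding = module is loaded AND its signature status is missing or not approved.
    $Module | Where-Object {
        ($_.IsLoaded -eq 'true') -and ($ApprovedStatus -notcontains $_.SignedStatus)
    }
}

function Get-HostModuleInventory {
    param([Parameter(Mandatory)] $VMHost)
    # Same Get-EsxCli interface the remediation command on this page uses.
    $esxcli = Get-EsxCli -VMHost $VMHost
    foreach ($m in $esxcli.system.module.list()) {
        # If details cannot be read, SignedStatus stays $null and the module is flagged.
        $info = try { $esxcli.system.module.get($m.Name) } catch { $null }
        [pscustomobject]@{
            VMHost       = $VMHost.Name
            Module       = $m.Name
            IsLoaded     = $m.IsLoaded
            SignedStatus = $info.SignedStatus
        }
    }
}

# Constructed sample records (not real host output) so the filter runs without a vCenter.
$sample = @(
    [pscustomobject]@{ VMHost = 'esx01.example'; Module = 'mod_a'; IsLoaded = 'true';  SignedStatus = 'VMware Signed' }
    [pscustomobject]@{ VMHost = 'esx01.example'; Module = 'mod_b'; IsLoaded = 'true';  SignedStatus = 'Unsigned' }
    [pscustomobject]@{ VMHost = 'esx01.example'; Module = 'mod_c'; IsLoaded = 'false'; SignedStatus = 'Unsigned' }
    [pscustomobject]@{ VMHost = 'esx01.example'; Module = 'mod_d'; IsLoaded = 'true';  SignedStatus = $null }
)
Get-UnapprovedModule -Module $sample | Format-Table VMHost, Module, SignedStatus

# Live use after Connect-VIServer:
#   $inv = Get-VMHost | ForEach-Object { Get-HostModuleInventory -VMHost $_ }
#   Get-UnapprovedModule -Module $inv
```

Each flagged module name can then be reviewed and, if unauthorized, passed to the disable command above.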

Item Details


References: 800-53|CM-7(5), CSCv7|2.2

Plugin: Unix

Control ID: f092777d4d890782cc43b7531beaac1427cbce320e94bcb8255dd706f1d21a8d