1.3 Ensure no unauthorized kernel modules are loaded on the host

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version


ESXi hosts by default do not permit the loading of kernel modules that lack valid digital signatures. This feature can be overridden, which would allow unauthorized kernel modules to be loaded.


VMware provides digital signatures for kernel modules. Untested or malicious kernel modules loaded on the ESXi host can put the host at risk for instability and/or exploitation.


This is the default behavior therefor impact is low to none.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.


Secure the host by disabling unsigned modules and removing the offending VIBs from the host.
To implement the recommended configuration state, run the following PowerCLI command:

# To disable a module:
$ESXCli = Get-EsxCli -VMHost 'MyHostName_or_IPaddress'
$ESXCli.system.module.set($false, $false, 'MyModuleName')

Note: evacuate VMs and place the host into maintenance mode before disabling kernel modules.

See Also