Detections
Analytics
ESXI-67-000047 - The ESXi Image Profile and vSphere Installation Bundle (VIB) Acceptance Levels must be verified.
Information
Verify the ESXi Image Profile to only allow signed VIBs. An unsigned VIB represents untested code installed on an ESXi host. The ESXi Image profile supports four acceptance levels:1. VMwareCertified - VIBs created, tested, and signed by VMware
2. VMwareAccepted - VIBs created by a VMware partner but tested and signed by VMware
3. PartnerSupported - VIBs created, tested, and signed by a certified VMware partner
4. CommunitySupported - VIBs that have not been tested by VMware or a VMware partner
CommunitySupported VIBs are not supported and do not have a digital signature. To protect the security and integrity of ESXi hosts, do not allow unsigned (CommunitySupported) VIBs to be installed on hosts.
Satisfies: SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650
Solution
From the vSphere Client, select the ESXi host and go to Configure >> System >> Security Profile.Under 'Host Image Profile Acceptance Level', click 'Edit'.
Using the pull-down selection, set the acceptance level to be 'VMwareCertified', 'VMwareAccepted', or 'PartnerSupported'.
or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:
$esxcli = Get-EsxCli -v2
$arguments = $esxcli.software.acceptance.set.CreateArgs()
$arguments.level = 'PartnerSupported'
$esxcli.software.acceptance.set.Invoke($arguments)
Note: 'VMwareCertified' or 'VMwareAccepted' may be substituted for 'PartnerSupported', depending on local requirements. These are also case sensitive.
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_Y23M07_STIG.zip
Item Details
Audit Name: DISA STIG VMware vSphere 6.7 ESXi OS v1r3
Category: CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|CM-5(3), 800-53|CM-7(5)(b), 800-53|SC-28(1), CAT|I, CCI|CCI-001749, CCI|CCI-001774, CCI|CCI-002475, Rule-ID|SV-239302r878138_rule, STIG-ID|ESXI-67-000047, Vuln-ID|V-239302
Plugin: Unix
Control ID: d359ccc45a95d4cf785e38bf1aa63e5d951c11e895d0e16434353a15ca0ab823