Verify Image Profile and VIB Acceptance Levels

Details

The ESXi Image Profile supports four VIB acceptance levels. A VIB (vSphere Installation Bundle) is a collection of files that are packaged into an archive. The VIB contains a signature file that is used to verify the level of trust.

*Rationale*

Verify that the ESXi Image Profile only allows signed VIBs. An unsigned VIB represents untested code installed on an ESXi host. The ESXi Image Profile supports four acceptance levels:

1. VMwareCertified – VIBs created, tested and signed by VMware
2. VMwareAccepted – VIBs created by a VMware partner but tested and signed by VMware
3. PartnerSupported – VIBs created, tested and signed by a certified VMware partner
4. CommunitySupported – VIBs that have not been tested by VMware or a VMware partner.

CommunitySupported VIBs are not supported and do not have a digital signature. To protect the security and integrity of your ESXi hosts, do not allow unsigned (CommunitySupported) VIBs to be installed on your hosts.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To implement the recommended configuration state, run the following PowerCLI command:

```powershell
# Set the Software AcceptanceLevel for each host
Foreach ($VMHost in Get-VMHost) {
    # Get an esxcli handle for this host
    $ESXCli = Get-EsxCli -VMHost $VMHost
    # Require VIBs signed at PartnerSupported level or higher
    $ESXCli.software.acceptance.Set('PartnerSupported')
}
```

Default Value: The default level is PartnerSupported.
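Because Nessus does not perform this check, the audit has to be done by hand. The following PowerCLI script is an added example, not part of the CIS benchmark text: it reports every host whose acceptance level is below PartnerSupported and every installed VIB that is below it. It assumes an existing `Connect-VIServer` session for the live path; the function name `Get-AcceptanceFinding`, the host name and the sample VIB records are hypothetical and constructed for illustration.

```powershell
# Added example, not from the CIS benchmark. Audits the image profile and VIBs.
# Levels the benchmark accepts (everything except CommunitySupported)
$Allowed = 'VMwareCertified', 'VMwareAccepted', 'PartnerSupported'

# Hypothetical helper: returns one finding per non-compliant item on a host
function Get-AcceptanceFinding {
    param(
        [string]$HostName,
        [string]$HostLevel,
        [object[]]$Vibs
    )
    # The host's own acceptance level must be in the allowed set
    if ($Allowed -notcontains $HostLevel) {
        [pscustomobject]@{ Host = $HostName; Item = 'ImageProfile'; Level = $HostLevel }
    }
    # Every installed VIB must also carry an allowed (signed) level
    foreach ($vib in $Vibs) {
        if ($Allowed -notcontains $vib.AcceptanceLevel) {
            [pscustomobject]@{ Host = $HostName; Item = $vib.Name; Level = $vib.AcceptanceLevel }
        }
    }
}

if ($global:DefaultVIServers) {
    # Live path: query each host through the same esxcli interface as the fix
    $findings = foreach ($VMHost in Get-VMHost) {
        $ESXCli = Get-EsxCli -VMHost $VMHost
        $level  = $ESXCli.software.acceptance.get()
        $vibs   = $ESXCli.software.vib.list()
        Get-AcceptanceFinding -HostName $VMHost.Name -HostLevel $level -Vibs $vibs
    }
}
else {
    # Offline path: constructed sample data, not output from a real host
    $sampleVibs = @(
        [pscustomobject]@{ Name = 'esx-base'; AcceptanceLevel = 'VMwareCertified' },
        [pscustomobject]@{ Name = 'example-community-vib'; AcceptanceLevel = 'CommunitySupported' }
    )
    $findings = Get-AcceptanceFinding -HostName 'esx01.example.test' `
        -HostLevel 'CommunitySupported' -Vibs $sampleVibs
}

if ($findings) {
    $findings | Format-Table -AutoSize
}
else {
    'All hosts and installed VIBs are at PartnerSupported or higher.'
}
```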

Supportive Information

The following resource is also helpful.

This control applies to the following type of system: VMware.

Source

Updated on July 16, 2022