
Ensure the Image Profile VIB acceptance level is configured properly

Details

A VIB (vSphere Installation Bundle) is a collection of files that are packaged into an archive. The VIB contains a signature file that is used to verify the level of trust. The ESXi Image Profile supports four VIB acceptance levels:

1. VMware Certified – VIBs created, tested, and signed by VMware

2. VMware Accepted – VIBs created by a VMware partner but tested and signed by VMware

3. Partner Supported – VIBs created, tested, and signed by a certified VMware partner

4. Community Supported – VIBs that have not been tested by VMware or a VMware partner

*Rationale*

The ESXi Image Profile should only allow signed VIBs because an unsigned VIB represents untested code installed on an ESXi host.

Also, use of unsigned VIBs will cause hypervisor Secure Boot to fail to configure. Community Supported VIBs do not have digital signatures.

To protect the security and integrity of your ESXi hosts, do not allow unsigned (CommunitySupported) VIBs to be installed on your hosts.

Solution

To implement the recommended configuration state, run the following PowerCLI command:

    # Set the Software AcceptanceLevel for each host
    Foreach ($VMHost in Get-VMHost) {
        $ESXCli = Get-EsxCli -VMHost $VMHost
        $ESXCli.software.acceptance.Set('PartnerSupported')
    }
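
An audit to run before the remediation above, as an added example that is not part of the original page or the benchmark text: it flags hosts whose acceptance level is below PartnerSupported and lists installed VIBs that would block raising it. The helper name Test-VibAcceptance, the host names and the VIB names are hypothetical, and the sample inventory is constructed; the live variant assumes a connected PowerCLI session.

```powershell
# Acceptance levels as esxcli reports them, ranked from least to most trusted.
$Rank = @{ CommunitySupported = 0; PartnerSupported = 1; VMwareAccepted = 2; VMwareCertified = 3 }

function Test-VibAcceptance {
    # Hypothetical helper: evaluates one host against a minimum acceptance level.
    param(
        [string]$HostName,
        [string]$HostLevel,                      # from software.acceptance.get()
        [object[]]$Vibs = @(),                   # from software.vib.list()
        [ValidateSet('PartnerSupported', 'VMwareAccepted', 'VMwareCertified')]
        [string]$Minimum = 'PartnerSupported'
    )
    # Unrecognised level strings rank below everything, so they count as findings.
    $score = { param([string]$l) if ($Rank.ContainsKey($l)) { $Rank[$l] } else { -1 } }
    $floor = & $score $Minimum
    $weak  = @($Vibs | Where-Object { $_ -and ((& $score $_.AcceptanceLevel) -lt $floor) })
    [pscustomobject]@{
        Host           = $HostName
        HostLevel      = $HostLevel
        LevelCompliant = (& $score $HostLevel) -ge $floor
        WeakVibs       = ($weak | ForEach-Object { $_.Name }) -join ', '
        # Raising the host level is rejected while lower-level VIBs are installed,
        # so those VIBs have to be removed or replaced first.
        CanRaiseLevel  = $weak.Count -eq 0
    }
}

# Constructed sample inventory (not from real hosts) so the logic runs offline.
$vib = { param($n, $l) [pscustomobject]@{ Name = $n; AcceptanceLevel = $l } }
$sample = @(
    [pscustomobject]@{ Name = 'esx01.example.test'; Level = 'PartnerSupported'
                       Vibs = @(& $vib 'base-image' 'VMwareCertified') },
    [pscustomobject]@{ Name = 'esx02.example.test'; Level = 'CommunitySupported'
                       Vibs = @((& $vib 'base-image' 'VMwareCertified'),
                                (& $vib 'lab-driver' 'CommunitySupported')) }
)
$sample | ForEach-Object {
    Test-VibAcceptance -HostName $_.Name -HostLevel $_.Level -Vibs $_.Vibs
} | Format-Table -AutoSize

# Live use (assumes PowerCLI and an existing Connect-VIServer session):
# Get-VMHost | ForEach-Object {
#     $cli = Get-EsxCli -VMHost $_
#     Test-VibAcceptance -HostName $_.Name -HostLevel ($cli.software.acceptance.get()) `
#         -Vibs ($cli.software.vib.list())
# }
```

In the sample output, esx02.example.test is non-compliant and reports lab-driver under WeakVibs with CanRaiseLevel set to False.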

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Unix.


Updated on July 16, 2022