1.3 Ensure no unauthorized kernel modules are loaded on the host

Information

ESXi hosts by default do not permit the loading of kernel modules that lack valid digital
signatures. This feature can be overridden which would result in unauthorized kernel
modules to be loaded.

*Rationale*

VMware provides digital signatures for kernel modules. By default the ESXi host does not
permit loading of kernel modules that lack a valid digital signature. However, this behavior
can be overridden allowing unauthorized kernel modules to be loaded. Untested or
malicious kernel modules loaded on the ESXi host can put the host at risk for instability
and/or exploitation.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To implement the recommended configuration state, run the following PowerCLI
command-# To disable a module-
$ESXCli = Get-EsxCli -VMHost MyHost
$ESXCli.system.module.set($false, $false, 'MyModuleName')

Note- evacuate VMs and place the host into maintenance mode before disabling kernel
modules.

See Also

https://workbench.cisecurity.org/files/2168

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7(5), CSCv7|2.2

Plugin: Unix

Control ID: f092777d4d890782cc43b7531beaac1427cbce320e94bcb8255dd706f1d21a8d