Information
ESXi hosts by default do not permit the loading of kernel modules that lack valid digital signatures. This feature can be overridden, which would allow unauthorized kernel modules to be loaded.
Rationale:
VMware provides digital signatures for kernel modules. Untested or malicious kernel modules loaded on the ESXi host can put the host at risk for instability and/or exploitation.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Secure the host by disabling unsigned modules and removing the offending VIBs from the host.
To implement the recommended configuration state, run the following PowerCLI commands:
# To disable a module:
$ESXCli = Get-EsxCli -VMHost 'MyHostName_or_IPaddress'
$ESXCli.system.module.set($false, $false, 'MyModuleName')
Note: evacuate VMs and place the host into maintenance mode before disabling kernel modules.
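An audit-side companion to the remediation above, added here as an example and not part of the benchmark text: it flags kernel modules whose reported signature status is not on an allow-list, so you know which module names to disable. The function name, the property names (Module, SignedStatus, ContainingVIB), the 'VMware Signed' status string and the sample rows are assumptions to confirm against your own host's output.

```powershell
# Added example (not from the benchmark). Flags modules whose signature
# status is missing or not explicitly trusted.
# ASSUMPTIONS: input rows look like the objects returned by
# $ESXCli.system.module.get(<name>), with Module, SignedStatus and
# ContainingVIB properties, and 'VMware Signed' is the trusted status string.

function Get-ModuleSignatureFinding {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Module,
        [string[]] $TrustedStatus = @('VMware Signed')
    )
    process {
        $status = ([string]$Module.SignedStatus).Trim()
        # Fail closed: an empty or absent status is a finding, not a pass.
        $trusted = ($status -ne '') -and ($TrustedStatus -contains $status)
        if (-not $trusted) {
            [pscustomobject]@{
                Module        = $Module.Module
                SignedStatus  = if ($status) { $status } else { '<none reported>' }
                ContainingVIB = $Module.ContainingVIB
            }
        }
    }
}

# Constructed sample rows for an offline run (not taken from a real host).
$sample = @(
    [pscustomobject]@{ Module = 'vmkernel';   SignedStatus = 'VMware Signed'; ContainingVIB = 'esx-base' }
    [pscustomobject]@{ Module = 'examplemod'; SignedStatus = 'Unsigned';      ContainingVIB = 'example-vib' }
    [pscustomobject]@{ Module = 'nostatus';   SignedStatus = $null;           ContainingVIB = $null }
)

# Expect two findings: 'examplemod' and 'nostatus'.
$sample | Get-ModuleSignatureFinding | Format-Table -AutoSize

# Live collection, in the same Get-EsxCli style as the remediation command:
# $ESXCli = Get-EsxCli -VMHost 'MyHostName_or_IPaddress'
# $ESXCli.system.module.list() |
#     ForEach-Object { $ESXCli.system.module.get($_.Name) } |
#     Get-ModuleSignatureFinding
```

Each finding's Module value is the name to pass as 'MyModuleName' in the disable command, and ContainingVIB identifies the VIB to review for removal.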