1.2 Ensure the Image Profile VIB acceptance level is configured properly

Information

A VIB (vSphere Installation Bundle) is a collection of files that are packaged into an archive. The VIB contains a signature file that is used to verify the level of trust. The ESXi Image Profile supports four VIB acceptance levels:

VMware Certified - VIBs created, tested, and signed by VMware

VMware Accepted - VIBs created by a VMware partner but tested and signed by VMware

Partner Supported - VIBs created, tested, and signed by a certified VMware partner

Community Supported - VIBs that have not been tested by VMware or a VMware partner

Rationale:

The ESXi Image Profile should only allow signed VIBs because an unsigned VIB represents untested code installed on an ESXi host. Also, use of unsigned VIBs will cause hypervisor Secure Boot to fail to configure. Community Supported VIBs do not have digital signatures. To protect the security and integrity of your ESXi hosts, do not allow unsigned (CommunitySupported) VIBs to be installed on your hosts.

Solution

To implement the recommended configuration state, run the following PowerCLI command (in the example code, the level is Partner Supported):

# Set the Software AcceptanceLevel for each host<span>
Foreach ($VMHost in Get-VMHost ) {
$ESXCli = Get-EsxCli -VMHost $VMHost
$ESXCli.software.acceptance.Set('PartnerSupported')
}

Default Value:

Partner Supported

See Also

https://workbench.cisecurity.org/benchmarks/8020

Item Details

Category: SYSTEM AND SERVICES ACQUISITION

References: 800-53|SA-22, CSCv7|2.2

Plugin: Unix

Control ID: 2c8cd6638b9660960d80f92ace848271a653a27fcd14756329a6bfb92dac94f3