1.3 (L1) Ensure no unauthorized kernel modules are loaded on the host

Information

ESXi hosts by default do not permit the loading of kernel modules that lack valid digital signatures. This feature can be overridden, which would allow unauthorized kernel modules to be loaded.

VMware provides digital signatures for kernel modules. Untested or malicious kernel modules loaded on the ESXi host can put the host at risk for instability and/or exploitation.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Secure the host by disabling unsigned modules and removing the offending VIBs from the host.

To implement the recommended configuration state, run the following PowerCLI command:

# To disable a module:
$ESXCli = Get-EsxCli -VMHost "MyHostName_or_IPaddress"
$ESXCli.system.module.set($false, $false, "MyModuleName")

Note: evacuate VMs and place the host into maintenance mode before disabling kernel modules.

Impact:

This is the default behavior therefor impact is low to none.

See Also

https://workbench.cisecurity.org/benchmarks/15334

Item Details

Category: SYSTEM AND SERVICES ACQUISITION

References: 800-53|SA-22, CSCv7|2.2

Plugin: Unix

Control ID: 267185d4f9e5d541d1be13a84a5f47973f4212b1b95d06d087e6a70326fe0efe