2.5 (L1) Host must only run binaries delivered via signed VIB

Information

The ESXi host is configured to only execute binaries originating from a valid, signed vSphere Installable Bundle (VIB) to enhance the integrity of the system. This measure thwarts attackers' attempts to use prebuilt toolkits on the host. The parameter governing this behavior is VMkernel.Boot.execInstalledOnly with a recommended setting of True.

Ensuring the execution of only signed binaries significantly mitigates the risk of running malicious or unverified code, thus enhancing the host's security posture.

Solution

Impact:

This security control may hinder the installation or execution of third-party unsigned software, potentially impacting the flexibility and extensibility of the ESXi host environment.

See Also

https://workbench.cisecurity.org/benchmarks/15784

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|CM-7(2), 800-53|CM-8(3), 800-53|CM-10, 800-53|CM-11, 800-53|SI-3, CSCv7|2.2, CSCv7|8.2

Plugin: VMware

Control ID: 93dc16ede983e017da41ea28409c7b98d664ca05a1d7a7d30eed46da1ddbc61b