2.4 (L1) Host image profile acceptance level must be PartnerSupported or higher

Information

The acceptance level on ESXi regulates the type of software that can be installed on the system, with four distinct levels: VMwareCertified, VMwareAccepted, PartnerSupported, and CommunitySupported. It's advised to set the acceptance level to PartnerSupported or higher to ensure that only tested and digitally signed vSphere Installation Bundles (VIBs) are allowed for installation.

The ESXi Image Profile should only allow signed VIBs because an unsigned VIB represents untested code installed on an ESXi host. Also, use of unsigned VIBs will cause hypervisor Secure Boot to fail to configure. Community Supported VIBs do not have digital signatures. To protect the security and integrity of your ESXi hosts, do not allow unsigned (CommunitySupported) VIBs to be installed on your hosts.

Solution

To verify the host image profile acceptance level, perform the following:

- From the vSphere Web Client, select the host.
- Click Configure, then under System select Security Profile.
- Under Host Image Profile Acceptance Level, select Edit.
- In the dropdown, select one of the following: VMware Certified, VMware Accepted, or Partner Supported.

To implement the recommended configuration state, run the following PowerCLI command (in the example code, the level is Partner Supported):

# Set the Software AcceptanceLevel for each host
Foreach ($VMHost in Get-VMHost) {
    $ESXCli = Get-EsxCli -VMHost $VMHost
    $ESXCli.software.acceptance.Set("PartnerSupported")
}
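
An added audit example, not part of the benchmark text: it ranks the four acceptance levels named above and reports, per host, whether the host level meets PartnerSupported and which installed VIBs carry a lower level. The function names, the sample host name and the sample VIB entries are hypothetical; the commented live-host section assumes an existing Connect-VIServer session.

```powershell
# Added example (not from the benchmark). Function names are hypothetical.
# Acceptance levels ordered from least to most trusted, as listed on this page.
$LevelRank = @{
    CommunitySupported = 0
    PartnerSupported   = 1
    VMwareAccepted     = 2
    VMwareCertified    = 3
}

function Test-AcceptanceLevel {
    param(
        [Parameter(Mandatory)][string]$Level,
        [string]$Minimum = 'PartnerSupported'
    )
    # Unknown strings are treated as non-compliant rather than silently passing.
    if (-not $LevelRank.ContainsKey($Level)) { return $false }
    return $LevelRank[$Level] -ge $LevelRank[$Minimum]
}

function Get-AcceptanceFinding {
    param([string]$HostName, [string]$HostLevel, [object[]]$Vibs)
    [pscustomobject]@{
        Host          = $HostName
        HostLevel     = $HostLevel
        HostCompliant = Test-AcceptanceLevel -Level $HostLevel
        # Names of installed VIBs whose own level is below the minimum.
        LowTrustVibs  = @($Vibs |
            Where-Object { -not (Test-AcceptanceLevel -Level $_.AcceptanceLevel) } |
            ForEach-Object Name)
    }
}

# Constructed sample data so the logic runs without a vCenter connection.
$sampleVibs = @(
    [pscustomobject]@{ Name = 'esx-base';        AcceptanceLevel = 'VMwareCertified' }
    [pscustomobject]@{ Name = 'example-net-drv'; AcceptanceLevel = 'CommunitySupported' }
)
Get-AcceptanceFinding -HostName 'esx01.example.test' -HostLevel 'CommunitySupported' -Vibs $sampleVibs

# Against live hosts (requires an existing Connect-VIServer session):
# foreach ($VMHost in Get-VMHost) {
#     $esxcli = Get-EsxCli -VMHost $VMHost -V2
#     Get-AcceptanceFinding -HostName $VMHost.Name `
#         -HostLevel $esxcli.software.acceptance.get.Invoke() `
#         -Vibs $esxcli.software.vib.list.Invoke()
# }
```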

Impact:

Restricting the acceptance level to PartnerSupported or higher prevents the installation of CommunitySupported packages, which are unsigned and hence potentially unreliable or insecure. This restriction, while enhancing security, might limit the range of software that can be installed on the ESXi host.

See Also

https://workbench.cisecurity.org/benchmarks/15784

Item Details

Category: SYSTEM AND SERVICES ACQUISITION

References: 800-53|SA-22, CSCv7|2.2

Plugin: Unix

Control ID: 983cc98bf55955b19cb359a93de78cff19c7f71fb32d4debd6addd43af1b220a