ESXI-06-100047 - The VMM must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs and guest VMs by verifying Image Profile and VIP Acceptance Levels.

Information

Verify the ESXi Image Profile to only allow signed VIBs. An unsigned VIB represents untested code installed on an ESXi host. The ESXi Image profile supports four acceptance levels:

(1) VMwareCertified - VIBs created, tested and signed by VMware
(2) VMwareAccepted - VIBs created by a VMware partner but tested and signed by VMware,
(3) PartnerSupported - VIBs created, tested and signed by a certified VMware partner
(4) CommunitySupported - VIBs that have not been tested by VMware or a VMware partner.

Community Supported VIBs are not supported and do not have a digital signature. To protect the security and integrity of your ESXi hosts do not allow unsigned (CommunitySupported) VIBs to be installed on your hosts.

Solution

From the vSphere Client select the ESXi Host and go to Configuration >> Security Profile. Under 'Host Image Profile Acceptance Level' edit the acceptance level to be either VMwareCertified, VMwareAccepted, or PartnerSupported.

or

From a PowerCLI command prompt while connected to the ESXi host run the following commands:

$esxcli = Get-EsxCli
$esxcli.software.acceptance.Set('PartnerSupported')

Note: VMwareCertified or VMwareAccepted may be substituted for PartnerSupported, depending upon local requirements.

See Also

http://iasecontent.disa.mil/stigs/zip/U_VMware_vSphere_6-0_ESXi_V1R5_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7(5)(b), CAT|I, CCI|CCI-001774, Group-ID|V-63823, Rule-ID|SV-78313r1_rule, STIG-ID|ESXI-06-100047, Vuln-ID|V-63823

Plugin: Unix

Control ID: 505453c503dc177e18b1a449317cc154754af8f82ba2a8ac6ddc822c4a91d277