#CyberAwarenessMonth: Enable Executable Controls on ESXi

October 07, 2021

(It’s October so that means it’s #CyberAwarenessMonth! We should all be working to improve our security posture throughout the rest of the year, but October is a good time to talk about it collectively. We’ll be publishing a post every weekday with something actionable you can do RIGHT NOW to help make your security better.)

Are you limiting what can be installed on ESXi?

vSphere has some great ways to ensure that software installed on ESXi is legitimate, and that software that isn’t part of what was installed for ESXi cannot run. A common misconception is that ESXi is Linux. It isn’t, but there are a lot of similarities in the way it does things. Most Linux distributions manage files using a package manager, like RPM. ESXi has a type of package manager built in, too, and the packages are called “VIBs.” VIB stands for “vSphere Installable Bundle” and it’s similar to a Zip archive or a tarball (.tar.gz) file in concept. VIBs also carry additional information, specifically signatures that indicate they are authentic.

The signature on a VIB also indicates who generated the VIB, specifically whether it was VMware, a partner, or someone else. Based on this information, vSphere Administrators can control whether ESXi lets these files be installed or not. ESXi calls it the “acceptance level.”

Beyond that, we can ask ESXi to not run executable files that didn’t come from a VIB. We do this through the use of the VMkernel.Boot.execInstalledOnly advanced parameter.

Before I set these on my hosts is there anything to think about?

Great question! If you have third-party tools or VIBs installed you’ll want to make sure you don’t set the acceptance level higher than what they have. The vSphere documentation has the methods to audit this, using esxcli on the ESXi Shell, but being security-minded we don’t want to enable SSH. We can do it with PowerCLI. Replace $ESXi with the name of your ESXi host:

$esxcli = Get-EsxCli -VMHost $ESXi -V2
$esxcli.software.acceptance.get.Invoke()
$esxcli.software.vib.list.Invoke()

This will return the list of installed VIBs. You will see the field “AcceptanceLevel” and be able to tell where you stand. To filter in PowerCLI you can use:

$esxcli.software.vib.list.Invoke() | Where-Object {$_.AcceptanceLevel -eq 'VMwareAccepted'}

or:

$esxcli.software.vib.list.Invoke() | Where-Object {$_.AcceptanceLevel -ne 'VMwareCertified'}

-eq means “equals” and -ne is “not equals.” It's also worth noting that anytime you see an esxcli command you can use this format in PowerCLI. For example, the "esxcli system stats installtime get" command could also be "$esxcli.system.stats.installtime.get.Invoke()" in PowerCLI. And, if you type "$esxcli." and hit tab, PowerShell will automatically start suggesting things. Super helpful!

For the VMkernel.Boot.execInstalledOnly parameter the question would be whether you or something else is running software on ESXi that wasn’t installed via a VIB. Probably not, but it might be worth enabling slowly and/or in a test environment first.

How do I set these?

You can configure these settings through the vSphere Client, or through PowerCLI:

$esxcli = Get-EsxCli -VMHost $ESXi -V2
$arguments = $esxcli.software.acceptance.set.CreateArgs()
$arguments.level = "PartnerSupported"
$esxcli.software.acceptance.set.Invoke($arguments)

Your options for acceptance levels, from highest security to lowest, are: VMwareCertified, VMwareAccepted, PartnerSupported, or CommunitySupported. We recommend setting it as high as you can. CommunitySupported VIBs are unsigned and effectively “anything goes,” so we do not recommend that.

Advanced parameters are a little more straightforward:

Get-AdvancedSetting -Entity $ESXi -Name "VMkernel.Boot.execInstalledOnly" | Set-AdvancedSetting -Value True -Confirm:$false

The -Confirm:$false flag keeps it from asking you about this change every time.
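The audit and the two settings above fit naturally into one PowerCLI function. The following is an added example, not code from the original post or from VMware: it lists the installed VIBs, works out the strictest acceptance level the host can take without conflicting with what is already installed (the host cannot be set stricter than its least-trusted VIB), flags any unsigned CommunitySupported VIBs, and only applies the acceptance level and VMkernel.Boot.execInstalledOnly when you pass -Apply. It assumes PowerCLI is loaded and Connect-VIServer has already been run; the function name, $VMHostName, $TargetLevel and the -Apply switch are this example's own choices.

```powershell
# Added example (not from the original post): audit one ESXi host's VIBs,
# recommend the strictest safe acceptance level, and optionally apply it along
# with VMkernel.Boot.execInstalledOnly. Assumes an existing Connect-VIServer
# session; parameter names and the function name are this example's own.
function Set-EsxiExecutableControls {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $VMHostName,
        # The level you would like to enforce; it is relaxed only if an installed VIB requires it.
        [ValidateSet('VMwareCertified', 'VMwareAccepted', 'PartnerSupported', 'CommunitySupported')]
        [string] $TargetLevel = 'PartnerSupported',
        [switch] $Apply
    )

    # Acceptance levels from highest security (index 0) to lowest, as listed in the post.
    $order = @('VMwareCertified', 'VMwareAccepted', 'PartnerSupported', 'CommunitySupported')

    $vmhost = Get-VMHost -Name $VMHostName
    $esxcli = Get-EsxCli -VMHost $vmhost -V2

    $currentLevel = $esxcli.software.acceptance.get.Invoke()
    $vibs         = $esxcli.software.vib.list.Invoke()

    # The host cannot be stricter than its least-trusted VIB, so find that VIB's level.
    $lowestInstalled = $vibs |
        Sort-Object { $order.IndexOf($_.AcceptanceLevel) } -Descending |
        Select-Object -First 1 -ExpandProperty AcceptanceLevel

    # Unsigned VIBs are the ones the post warns about; surface them as vendor/name.
    $unsigned = $vibs |
        Where-Object { $_.AcceptanceLevel -eq 'CommunitySupported' } |
        ForEach-Object { "$($_.Vendor)/$($_.Name)" }

    # Relax the requested level if an installed VIB sits below it.
    $safeLevel = $TargetLevel
    if ($order.IndexOf($lowestInstalled) -gt $order.IndexOf($TargetLevel)) {
        $safeLevel = $lowestInstalled
    }

    if ($Apply) {
        if ($unsigned) {
            Write-Warning "$($vmhost.Name) has unsigned VIBs ($($unsigned -join ', ')); acceptance level capped at $safeLevel"
        }
        # Same esxcli call as in the post, with the computed level instead of a literal.
        $setArgs = $esxcli.software.acceptance.set.CreateArgs()
        $setArgs.level = $safeLevel
        $null = $esxcli.software.acceptance.set.Invoke($setArgs)

        Get-AdvancedSetting -Entity $vmhost -Name 'VMkernel.Boot.execInstalledOnly' |
            Set-AdvancedSetting -Value True -Confirm:$false | Out-Null
    }

    # Report the state read back from the host, not just what was requested.
    [pscustomobject]@{
        VMHost             = $vmhost.Name
        LevelBefore        = $currentLevel
        LevelNow           = $esxcli.software.acceptance.get.Invoke()
        LowestInstalledVib = $lowestInstalled
        UnsignedVibs       = ($unsigned -join ', ')
        RecommendedLevel   = $safeLevel
        ExecInstalledOnly  = (Get-AdvancedSetting -Entity $vmhost -Name 'VMkernel.Boot.execInstalledOnly').Value
    }
}

# Audit only (safe to run anywhere), then apply once you are happy with the report:
#   Set-EsxiExecutableControls -VMHostName 'esx01.example.internal'
#   Set-EsxiExecutableControls -VMHostName 'esx01.example.internal' -TargetLevel VMwareAccepted -Apply
```

Run it without -Apply first: the RecommendedLevel field tells you how far you can tighten the acceptance level before esxcli would refuse the change, and UnsignedVibs shows exactly which packages are holding you back. VMkernel.Boot.execInstalledOnly is a boot-time option, so treat it as enforced only after the host's next reboot.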

What happens if one of my VIBs is CommunitySupported?

From time to time we are asked about the safety of installing unsigned VIBs, ones marked as “CommunitySupported.” We absolutely do not recommend installing unsigned software on ESXi. Software from vendors that are part of the VMware ecosystem should be signed as at least “PartnerSupported.”

Come Back Tomorrow For More

This is the fourth installment of our posts for Cybersecurity Awareness Month. Other posts are at:

As always, you can find good security guidance from VMware itself in the form of the vSphere Security Configuration Guide. It gets updated following vSphere releases so check back to make sure you’re using the latest version.
