I used this command to disable all unsigned modules:
Get-VMHost -Name '192.168.218.132' -PipelineVariable esx |
ForEach-Object -Process {
    $esxcli = Get-EsxCli -VMHost $esx -V2
    # Walk every VMkernel module on the host
    $esxcli.system.module.list.Invoke() |
    ForEach-Object -Process {
        # Fetch the module's details, which include SignedStatus
        $esxcli.system.module.get.Invoke(@{module="$($_.Name)"}) |
        Where-Object { $_.SignedStatus -eq 'Unsigned'} |
        ForEach-Object -Process {
            # Disable the unsigned module
            $esxcli.system.module.set.Invoke(@{module="$($_.Module)";enabled=$false})
        }
    }
}
But when I check by using this command:
# List the system modules and Signature Info for each host
Foreach ($VMHost in Get-VMHost ) {
    $ESXCli = Get-EsxCli -VMHost $VMHost
    $ESXCli.system.module.list() | Foreach {
        $ESXCli.system.module.get($_.Name) | Select @{N="VMHost";E={$VMHost}},
            Module, License, Modulefile, Version, SignedStatus, SignatureDigest,
            SignatureFingerPrint
    }
}
VMHost : 192.168.218.132
Module : nfsclient
License : VMware
ModuleFile : /usr/lib/vmware/vmkmod/nfsclient
Version : Built on: Jun 30 2022
SignedStatus : Unsigned
SignatureDigest : 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
SignatureFingerPrint : 0000 0000 0000 0000 0000 0000 0000 0000
VMHost : 192.168.218.132
Module : swapobj
License : VMware
ModuleFile : /usr/lib/vmware/vmkmod/swapobj
Version :
SignedStatus : Unsigned
SignatureDigest : 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
SignatureFingerPrint : 0000 0000 0000 0000 0000 0000 0000 0000
Unsigned modules still exist.
Thank you in advance
Are you sure you can "remove" a module at all?
The script you are using disables a module, but does not remove it afaik.
Modules are part of a VIB, you can remove VIBs with $esxcli.software.vib.remove.Invoke(@{vibname='xyz'})
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Thank you for your answer.
I just want to harden the server following CIS 1.3, "Ensure no unauthorized kernel modules are loaded on the host".
After I run this:
# List the system modules and Signature Info for each host
Foreach ($VMHost in Get-VMHost ) {
    $ESXCli = Get-EsxCli -VMHost $VMHost
    $ESXCli.system.module.list() | Foreach {
        $ESXCli.system.module.get($_.Name) | Select @{N="VMHost";E={$VMHost}},
            Module, License, Modulefile, Version, SignedStatus, SignatureDigest,
            SignatureFingerPrint
    }
}
There are so many unsigned modules that I'd like to disable following the CIS recommendation.
This machine is a default installation in evaluation mode.
I'm not sure whether I can harden it or not.
Thank you
The CIS advisory recommends to "disable" unsigned modules.
They don't mention anything about removal.
The code you used does disable the module.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Thank you.
Last question, I guess. How can I check whether the modules are already disabled?
The command
$esxcli.system.module.list.invoke()
returns all modules with the properties IsEnabled and IsLoaded
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
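An added example (not code from the thread's participants): it joins SignedStatus from system.module.get with the IsEnabled and IsLoaded properties from system.module.list, so each unsigned module shows whether the disable took effect even though its SignedStatus never changes. The function name Get-UnsignedModuleState, the Finding labels and the sample rows are assumptions constructed for illustration.

```powershell
# Added example: report enabled/loaded state for every unsigned module.
function Get-UnsignedModuleState {
    param(
        [Parameter(Mandatory)] [object[]] $ModuleList,    # rows from system.module.list
        [Parameter(Mandatory)] [object[]] $ModuleDetail   # rows from system.module.get
    )
    # Index the list rows by module name so each detail row can be joined to its state.
    $byName = @{}
    foreach ($row in $ModuleList) { $byName[$row.Name] = $row }

    foreach ($detail in $ModuleDetail) {
        if ($detail.SignedStatus -ne 'Unsigned') { continue }
        $row = $byName[$detail.Module]
        # Assumption: the flags may arrive as booleans or as 'true'/'false' strings,
        # so compare their string form (-eq is case-insensitive).
        $enabled = $null -ne $row -and "$($row.IsEnabled)" -eq 'true'
        $loaded  = $null -ne $row -and "$($row.IsLoaded)" -eq 'true'
        $finding = if ($null -eq $row) {
            'Not in module list'
        } elseif ($enabled) {
            'Still enabled'
        } elseif ($loaded) {
            'Disabled, currently loaded'
        } else {
            'Disabled, not loaded'
        }
        [pscustomobject]@{
            Module = $detail.Module; SignedStatus = $detail.SignedStatus
            IsEnabled = $enabled; IsLoaded = $loaded; Finding = $finding
        }
    }
}

# Constructed sample rows (not captured from a host). Against a live host, use instead:
#   $esxcli = Get-EsxCli -VMHost (Get-VMHost -Name '192.168.218.132') -V2
#   $list   = $esxcli.system.module.list.Invoke()
#   $detail = $list | ForEach-Object { $esxcli.system.module.get.Invoke(@{module = $_.Name}) }
$list = @(
    [pscustomobject]@{ Name = 'nfsclient';      IsLoaded = 'true'; IsEnabled = 'false' }
    [pscustomobject]@{ Name = 'swapobj';        IsLoaded = 'true'; IsEnabled = 'true'  }
    [pscustomobject]@{ Name = 'example_signed'; IsLoaded = 'true'; IsEnabled = 'true'  }
)
$detail = @(
    [pscustomobject]@{ Module = 'nfsclient';      SignedStatus = 'Unsigned' }
    [pscustomobject]@{ Module = 'swapobj';        SignedStatus = 'Unsigned' }
    [pscustomobject]@{ Module = 'example_signed'; SignedStatus = 'Constructed-Signed' }
)
Get-UnsignedModuleState -ModuleList $list -ModuleDetail $detail | Format-Table -AutoSize
```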