Automation

  • 1.  Why can not disable unsigned module in esxi 7

    Posted Jan 22, 2023 05:28 PM

    I used this command to disable all unsigned modules:

    Get-VMHost -Name '192.168.218.132' -PipelineVariable esx |
        ForEach-Object -Process {
            # esxcli V2 interface for this host
            $esxcli = Get-EsxCli -VMHost $esx -V2
            # enumerate every kernel module on the host
            $esxcli.system.module.list.Invoke() |
                ForEach-Object -Process {
                    # fetch the module details, including its signature status
                    $esxcli.system.module.get.Invoke(@{module="$($_.Name)"}) |
                        Where-Object { $_.SignedStatus -eq 'Unsigned' } |
                        ForEach-Object -Process {
                            # disable the unsigned module
                            $esxcli.system.module.set.Invoke(@{module="$($_.Module)";enabled=$false})
                        }
                }
        }

    But when I check using this command:

    # List the system modules and Signature Info for each host
    Foreach ($VMHost in Get-VMHost) {
        # esxcli V1 interface (no -V2), so methods take positional arguments
        $ESXCli = Get-EsxCli -VMHost $VMHost
        $ESXCli.system.module.list() | Foreach {
            $ESXCli.system.module.get($_.Name) | Select @{N="VMHost";E={$VMHost}},
                Module, License, Modulefile, Version, SignedStatus, SignatureDigest,
                SignatureFingerPrint
        }
    }

    VMHost : 192.168.218.132
    Module : nfsclient
    License : VMware
    ModuleFile : /usr/lib/vmware/vmkmod/nfsclient
    Version : Built on: Jun 30 2022
    SignedStatus : Unsigned
    SignatureDigest : 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
    SignatureFingerPrint : 0000 0000 0000 0000 0000 0000 0000 0000

    VMHost : 192.168.218.132
    Module : swapobj
    License : VMware
    ModuleFile : /usr/lib/vmware/vmkmod/swapobj
    Version :
    SignedStatus : Unsigned
    SignatureDigest : 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
    SignatureFingerPrint : 0000 0000 0000 0000 0000 0000 0000 0000

    Unsigned modules still exist.

    Thank you in advance




  • 2.  RE: Why can not disable unsigned module in esxi 7

    Posted Jan 22, 2023 05:59 PM

    Are you sure you can "remove" a module at all?
    The script you are using disables a module, but does not remove it afaik.

    Modules are part of a VIB; you can remove VIBs with $esxcli.software.vib.remove.Invoke(@{vibname='xyz'})



  • 3.  RE: Why can not disable unsigned module in esxi 7

    Posted Jan 24, 2023 04:30 PM

    Thank you for your answer.

    I just want to harden the server following CIS 1.3 "Ensure no unauthorized kernel modules are loaded on the host".

    After I run this:

    # List the system modules and Signature Info for each host
    Foreach ($VMHost in Get-VMHost) {
        # esxcli V1 interface (no -V2), so methods take positional arguments
        $ESXCli = Get-EsxCli -VMHost $VMHost
        $ESXCli.system.module.list() | Foreach {
            $ESXCli.system.module.get($_.Name) | Select @{N="VMHost";E={$VMHost}},
                Module, License, Modulefile, Version, SignedStatus, SignatureDigest,
                SignatureFingerPrint
        }
    }

    There are so many unsigned modules that I'd like to disable following the CIS recommendation.

    This machine is a default installation in evaluation mode.

    I'm not sure whether I can harden it or not.


    Thank you




  • 4.  RE: Why can not disable unsigned module in esxi 7

    Posted Jan 24, 2023 05:18 PM

    The CIS advisory recommends that you "disable" unsigned modules.
    It doesn't mention anything about removal.

    The code you used does disable the module.



  • 5.  RE: Why can not disable unsigned module in esxi 7

    Posted Jan 26, 2023 04:51 PM

    Thank you.

    Last question, I guess. How can I check whether the modules are already disabled?



  • 6.  RE: Why can not disable unsigned module in esxi 7

    Posted Jan 26, 2023 05:20 PM

    The command

    returns all modules with the properties IsEnabled and IsLoaded
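    One way to do that check in PowerCLI, written here as an added example rather than code from any of the posts above: it joins the module list (which carries IsEnabled and IsLoaded, as the reply says) with each module's SignedStatus from system.module.get, and flags unsigned modules that are still enabled. It assumes an existing Connect-VIServer session, the esxcli V2 property names the thread already uses (Name, Module, SignedStatus), and the host address from the first post; the $HostName parameter and the $report/$stillEnabled variable names are this example's own.

    ```powershell
    # Added example (not from the thread): verify the IsEnabled/IsLoaded state of
    # every kernel module on one host and report unsigned modules still enabled.
    # Assumes: Connect-VIServer already done; module list exposes Name/IsEnabled/IsLoaded
    # and module get exposes Module/SignedStatus, as the posts above show.
    param(
        [string]$HostName = '192.168.218.132'   # host address taken from the thread
    )

    $esx    = Get-VMHost -Name $HostName
    $esxcli = Get-EsxCli -VMHost $esx -V2

    # Build one row per module: signature status plus enabled/loaded flags.
    $report = $esxcli.system.module.list.Invoke() | ForEach-Object -Process {
        $entry   = $_
        $details = $esxcli.system.module.get.Invoke(@{module = "$($entry.Name)"})
        [pscustomobject]@{
            VMHost       = $esx.Name
            Module       = $entry.Name
            SignedStatus = $details.SignedStatus
            # esxcli returns these flags as the strings "true"/"false"; the
            # comparison also works if a future release returns real booleans.
            IsEnabled    = ($entry.IsEnabled -eq 'true')
            IsLoaded     = ($entry.IsLoaded  -eq 'true')
        }
    }

    # Unsigned modules that are still enabled will be loaded again at the next
    # boot; these are the CIS 1.3 findings that remain after the disable step.
    $stillEnabled = $report | Where-Object { $_.SignedStatus -eq 'Unsigned' -and $_.IsEnabled }

    $report | Sort-Object SignedStatus, Module | Format-Table -AutoSize

    if ($stillEnabled) {
        Write-Warning ("{0} unsigned module(s) still enabled on {1}: {2}" -f `
            $stillEnabled.Count, $esx.Name, ($stillEnabled.Module -join ', '))
    } else {
        Write-Host "All unsigned modules on $($esx.Name) are disabled (IsEnabled = false)."
    }
    ```

    Two things to keep in mind when reading the output: SignedStatus describes the module file's signature and does not change when the module is disabled, which is why the check in the first post still listed the modules as Unsigned; and setting enabled=$false controls whether the module is loaded at boot, so a module that was already loaded keeps IsLoaded = true until the host is rebooted. Right after running the disable script, IsEnabled is the column that shows whether the change took effect.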