ThanapatJK
Contributor
Contributor

Why can not disable unsigned module in esxi 7

I used this command to disable all unsigned module

Get-VMHost -Name '192.168.218.132' -PipelineVariable esx |
ForEach-Object -Process {
$esxcli = Get-EsxCli -VMHost $esx -V2
$esxcli.system.module.list.Invoke() |
ForEach-Object -Process {
$esxcli.system.module.get.Invoke(@{module="$($_.Name)"}) |
Where-Object { $_.SignedStatus -eq 'Unsigned'} |
ForEach-Object -Process {
$esxcli.system.module.set.Invoke(@{module="$($_.Module)";enabled=$false})
}
}
}

But when I check by using this command

 

# List the system modules and Signature Info for each host
Foreach ($VMHost in Get-VMHost ) {
$ESXCli = Get-EsxCli -VMHost $VMHost
$ESXCli.system.module.list() | Foreach {
$ESXCli.system.module.get($_.Name) | Select @{N="VMHost";E={$VMHost}},
Module, License, Modulefile, Version, SignedStatus, SignatureDigest,
SignatureFingerPrint
}
}

VMHost : 192.168.218.132
Module : nfsclient
License : VMware
ModuleFile : /usr/lib/vmware/vmkmod/nfsclient
Version : Built on: Jun 30 2022
SignedStatus : Unsigned
SignatureDigest : 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
SignatureFingerPrint : 0000 0000 0000 0000 0000 0000 0000 0000

VMHost : 192.168.218.132
Module : swapobj
License : VMware
ModuleFile : /usr/lib/vmware/vmkmod/swapobj
Version :
SignedStatus : Unsigned
SignatureDigest : 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
SignatureFingerPrint : 0000 0000 0000 0000 0000 0000 0000 0000

Unsinged module still exist.

 

Thank you in advance

 

0 Kudos
5 Replies
LucD
Leadership
Leadership

Are you sure you can "remove' a module at all?
The script you are using disables a module, but does not remove it afaik.

Modules are part of a VIB, you can remove VIBs with $esxcli.software.vib.remove.Invoke(@{vibname='xyz'})

 


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
ThanapatJK
Contributor
Contributor

Thank you for your answer.

I just want to harden the server following CIS1.3  Ensure no unauthorized kernel modules are loaded on the host 

After I run this 

# List the system modules and Signature Info for each host
Foreach ($VMHost in Get-VMHost ) {
$ESXCli = Get-EsxCli -VMHost $VMHost
$ESXCli.system.module.list() | Foreach {
$ESXCli.system.module.get($_.Name) | Select @{N="VMHost";E={$VMHost}},
Module, License, Modulefile, Version, SignedStatus, SignatureDigest,
SignatureFingerPrint
}
}

There are so many unsigned modules that I'd like to disable following the CIS recommendation

This machine is the default installation and evaluation mode.

I'm not sure whether I can harden it or not.

 

Thank you

 

 

 

 

0 Kudos
LucD
Leadership
Leadership

The CIS advisory recommends to "disable" unsigned modules.
They don't mention anything about removal.

The code you used does disable the module.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
ThanapatJK
Contributor
Contributor

Thank you.

Last question I guess. How I can check whether the modules are already disabled? 

 

0 Kudos
LucD
Leadership
Leadership

The command

$esxcli.system.module.list.invoke()

returns all modules with the properties IsEnabled and IsLoaded


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference