In a previous article, I described how to activate UEFI Secure Boot, which stops the ESXi OS from loading 3rd party packages.
What is execInstalledOnly enforcement?
execInstalledOnly ensures that non-signed scripts cannot be run on the ESXi host. It is important to understand that it does not deny you the ability to run scripts against vCenter, which is very useful for IaC system operations.
The execInstalledOnly setting prevents the execution of custom code in ESXi, causing the ESXi host to reject any code not installed via a signed VIB package from a certified partner.
How do I activate it?
In vSphere 7, the setting was not enabled by default and had to be activated by the operations staff. In vSphere 8, it is enabled by default (if the prerequisites are met).
To check the configuration status, run the command:
esxcli system settings encryption get

First, we need to enable UEFI Secure Boot (see this article).
When Secure Boot is enabled, the output looks like this:
esxcli system settings encryption get
Mode: TPM
Require Executables Only From Installed VIBs: false
Require Secure Boot: true
When execInstalledOnly enforcement is active, Require Executables Only From Installed VIBs shows true; when it is inactive, it shows false. Activating execInstalledOnly enforcement requires that Secure Boot enforcement is enabled as well, in which case Require Secure Boot shows true.
If the Mode is displayed as NONE, enable the Trusted Platform Module (TPM) in the host firmware and set the mode with the following command:
esxcli system settings encryption set --mode=TPM
More details on the settings that can be defined:
Usage: esxcli system settings encryption set [cmd options]
Description:
  set                   Set the encryption mode and policy.
Cmd options:
  -m|--mode=<str>       Set the encryption mode.
  -e|--require-exec-installed-only=<bool>
                        Require executables to be loaded only from installed VIBs.
  -s|--require-secure-boot=<bool>
                        Require secure boot.
Verify that the setting has been applied:
esxcli system settings encryption get
Mode: TPM
Require Executables Only From Installed VIBs: true
Require Secure Boot: true
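As an added example (not from the original article), the following POSIX shell function audits the output of esxcli system settings encryption get against the three values covered above and prints the esxcli command (using the options from the usage text) for whatever is still missing. The sample output is constructed to match the "Secure Boot enabled, enforcement off" state shown earlier.

```shell
#!/bin/sh
# Added example, not from the original article: audit the output of
# "esxcli system settings encryption get" for Mode, execInstalledOnly
# and Secure Boot, and print the remediation command for each gap.
#
# check_encryption_settings reads the esxcli output on stdin and returns 0
# when the host is compliant, 1 otherwise.
check_encryption_settings() {
    mode="" exec_only="" secure_boot=""
    while IFS= read -r line; do
        key=${line%%:*}        # text before the first colon (may be indented)
        value=${line#*: }      # text after "key: "
        case "$key" in
            *"Mode") mode=$value ;;
            *"Require Executables Only From Installed VIBs") exec_only=$value ;;
            *"Require Secure Boot") secure_boot=$value ;;
        esac
    done
    rc=0
    if [ "$mode" != "TPM" ]; then
        echo "Mode is '${mode:-unset}': enable the TPM in host firmware, then run: esxcli system settings encryption set --mode=TPM"
        rc=1
    fi
    if [ "$secure_boot" != "true" ]; then
        echo "Secure Boot not required: enable UEFI Secure Boot, then run: esxcli system settings encryption set --require-secure-boot=true"
        rc=1
    fi
    if [ "$exec_only" != "true" ]; then
        echo "execInstalledOnly not enforced: run: esxcli system settings encryption set --require-exec-installed-only=true"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: execInstalledOnly enforcement active"
    fi
    return "$rc"
}

# Constructed sample matching the "Secure Boot enabled, enforcement off"
# state shown earlier in the article.
SAMPLE_BEFORE='   Mode: TPM
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: true'

# On a real host: esxcli system settings encryption get | check_encryption_settings
if printf '%s\n' "$SAMPLE_BEFORE" | check_encryption_settings; then
    echo "Host is compliant"
else
    echo "Host needs remediation"
fi
```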
How does it work?
If someone attempts to execute a script, the ESXi kernel refuses to run it and returns a message stating that the operation is not permitted.

Challenges?
ESXi itself ships with Python as part of VMware's own packages. There are several reports of attackers getting around this protection by running ransomware and other malicious scripts through Python.
vmware-esxi-encrypted-python-script-ransomware
Another challenge: if the attacker already has root access on the ESXi host, it is fairly easy for them to disable the setting before running the script.
Usage: esxcli system settings advanced {cmd} [cmd options]
Available Commands:
  add     Add a user defined advanced option to the /UserVars/ advanced option tree.
  list    List the advanced options available from the VMkernel.
  remove  Remove a user defined advanced option from the /UserVars/ advanced option tree.
  set     Set the value of an advanced option.
esxcli system settings advanced set -o /User/execInstalledOnly -i 0
With the command above, the script will be allowed to run.
Why enable it?
This security setting isn't foolproof. However, not all ransomware comes as Python scripts, and not all attackers will get root access to the ESXi host. Adding this setting as one of several security features will improve your environment, making it more secure and less likely to be compromised.
In the following articles I will look further at how to secure ESXi, vSphere, and your infrastructure as a whole.