In a previous article, I described how to activate UEFI Secure Boot, which stops the ESXi OS from loading unsigned 3rd-party packages.

What is execInstalledOnly enforcement?

execInstalledOnly ensures that unsigned scripts cannot be run on the ESXi host. It is important to understand that it does not stop you from running scripts against vCenter, which remains very useful for IaC-style operations.

The execInstalledOnly setting prevents the execution of custom code on ESXi: the host rejects any executable that was not installed through a signed VIB package from a certified partner.

How do I activate it?

In vSphere 7, the setting was not enabled by default and had to be activated by the operations staff. In vSphere 8, it is enabled by default (if the prerequisites are met).

To check the configuration status, run the command:

esxcli system settings encryption get

First, we need to enable UEFI Secure Boot (see the earlier article).

When Secure Boot is enabled, the output looks like this:

esxcli system settings encryption get
   Mode: TPM
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: true

When execInstalledOnly enforcement is active, Require Executables Only From Installed VIBs shows true; when it is inactive, it shows false. Enabling execInstalledOnly requires Secure Boot enforcement to be enabled as well, in which case Require Secure Boot shows true.

If Mode shows NONE, enable the Trusted Platform Module (TPM) in the host firmware and then set the mode with the following command:

esxcli system settings encryption set --mode=TPM

The full set of options this command accepts:

Usage: esxcli system settings encryption set [cmd options]

Description:
  set                   Set the encryption mode and policy.

Cmd options:
  -m|--mode=<str>       Set the encryption mode.
  -e|--require-exec-installed-only=<bool>
                        Require executables to be loaded only from installed VIBs.
  -s|--require-secure-boot=<bool>
                        Require secure boot.

Verify that the setting has been applied:

esxcli system settings encryption get
   Mode: TPM
   Require Executables Only From Installed VIBs: true
   Require Secure Boot: true
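As an added example that is not from the original article, the POSIX shell audit below parses the output of "esxcli system settings encryption get" shown above and reports which of the three prerequisites (TPM mode, Secure Boot, executables only from installed VIBs) is still missing. The two sample outputs are constructed from the listings in this article, and the --require-exec-installed-only option is taken from the usage text above.

```shell
#!/bin/sh
# Added example, not from the original article: audit the output of
# "esxcli system settings encryption get" and report which part of the
# execInstalledOnly hardening is still missing. The two outputs below are
# constructed samples copied from the listings in the article.

# Print the value of one "Key: value" line from the esxcli output.
field() {
    printf '%s\n' "$2" | sed -n "s/^ *$1: *//p"
}

# Return 0 when Mode is TPM, Secure Boot is required and executables must
# come from installed VIBs; otherwise print the missing step and return 1.
check_enforcement() {
    out="$1"
    rc=0
    if [ "$(field "Mode" "$out")" != "TPM" ]; then
        echo "Mode is not TPM: enable the TPM in firmware, then run" \
             "esxcli system settings encryption set --mode=TPM"
        rc=1
    fi
    if [ "$(field "Require Secure Boot" "$out")" != "true" ]; then
        echo "Secure Boot is not required: enable UEFI Secure Boot first"
        rc=1
    fi
    if [ "$(field "Require Executables Only From Installed VIBs" "$out")" != "true" ]; then
        echo "execInstalledOnly is not enforced: run" \
             "esxcli system settings encryption set --require-exec-installed-only=true"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "execInstalledOnly enforcement is active"
    fi
    return "$rc"
}

# Constructed sample: Secure Boot on, enforcement still off (the "before" state).
BEFORE='   Mode: TPM
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: true'

# Constructed sample: fully hardened (the "after" state).
AFTER='   Mode: TPM
   Require Executables Only From Installed VIBs: true
   Require Secure Boot: true'

check_enforcement "$BEFORE" || echo "(before: audit failed, exit status $?)"
check_enforcement "$AFTER"
# On a live host: check_enforcement "$(esxcli system settings encryption get)"
```

The same function can be run from a configuration-management job against every host so that a disabled setting (see the root-access caveat later in this article) is noticed rather than silently persisting.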

How does it work?

If someone attempts to execute a script that is not part of an installed VIB, the ESXi kernel refuses to run it and returns a message stating that the operation is not permitted.

Challenges?

Parts of VMware's own ESXi tooling are written in Python, so a Python interpreter is present on the host. There are several reports of attackers getting around this protection by running ransomware and other malicious scripts through that interpreter.

Another challenge is that if the attacker already has root access on the ESXi host, it is fairly easy for them to disable the setting before running their script.

Usage: esxcli system settings advanced {cmd} [cmd options]

Available Commands:
  add                   Add a user defined advanced option to the /UserVars/ advanced option tree.
  list                  List the advanced options available from the VMkernel.
  remove                Remove a user defined advanced option from the /UserVars/ advanced option tree.
  set                   Set the value of an advanced option.

esxcli system settings advanced set -o /User/execInstalledOnly -i 0

After the command above, the script will be allowed to run.

Why enable?

This security setting is not foolproof. However, not all ransomware comes as Python scripts, and not every attacker will obtain root access to the ESXi host. Adding this setting as one of several layered security features improves your environment, making it more secure and less likely to be compromised.

In the following articles I will look further at how to secure ESXi, vSphere, and your infrastructure as a whole.
