Note: This article covers material present in Version 1 Revision 3 and below. Topics found below may be mitigated in the most current version of the ESXi 5 STIG. Ensure you are using the most current version of the DISA STIG documents.
Had a colleague point out to me that I gave a pass on a STIG finding for ESXi 5 Server that is, in fact, not that straightforward. I wanted to take a moment to break that finding out and give some additional guidance.
SRG-OS-99999-ESXI5-000158 – Unauthorized Kernel Modules Must Not Be Loaded on Host
So the key word here is “unauthorized”. What do they mean? Well, they are talking about unsigned kernel modules, but there’s a trick to even that. Per the STIG, no kernel module may be loaded that lacks a digital signature… so let’s look at how we can do this check.
Right off I’ll tell you there are at least two ways, likely more, to knock this out. There are a LOT of kernel modules on a default ESXi Server install, too many to go through by hand per the instructions in the STIG. How can we make this easier?