Unlocking ESXi’s Full Potential

VMware ESXi execInstalledOnly: Understanding the Security Feature and Its Configurations

VMware ESXi is a powerful virtualization platform that provides a secure and reliable environment for running virtual machines. One of the security features in VMware ESXi is the execInstalledOnly functionality, which restricts the execution of files that are not part of a valid vSphere Installation Bundle (VIB). In this article, we will explore what execInstalledOnly is, how it works, and how to configure it in VMware ESXi.

What is execInstalledOnly?

execInstalledOnly is a security feature in VMware ESXi that prevents the execution of files that are not part of a valid VIB. A VIB is a package that contains binary files, an XML definition file that describes the content of the binaries, and a digital signature file that protects the integrity of the VIB and identifies its author.

When a VIB is installed on a VMware ESXi server, the system checks the digital signature to ensure that the package is authentic and has not been tampered with. If the digital signature is valid, the system allows the installation of the VIB and the execution of the binary files it contains.

However, if someone attempts to execute a file on the server that is not part of a valid VIB, the execInstalledOnly feature prevents it from running. This feature is designed to protect the server from executing unknown or malicious code, which can be used in attacks such as ransomware.

How does execInstalledOnly work?

execInstalledOnly works by checking the digital signature of each file the server is asked to execute. If the file is part of a valid VIB, the system allows its execution. If it is not, the system blocks the execution and displays an error message.

The execInstalledOnly feature is enabled by default in all versions of VMware ESXi up to and including version 8.0. In these versions, the feature is only checked at runtime, meaning that it is not checked during the installation of VIBs.

In VMware ESXi 8.0, the execInstalledOnly feature is enabled both at runtime and at kernel level. This provides an additional layer of security for the server, as it will prevent the execution of unknown or malicious code even before it reaches the runtime phase.

How to configure execInstalledOnly in VMware ESXi?

To configure execInstalledOnly in VMware ESXi, you can use the esxcli command-line tool. Here are some examples of how to configure this feature:

1. To view the current status of the execInstalledOnly feature, you can use the following command:

esxcli software vib list

This will display a list of all installed VIBs on the server, along with their current status.

2. To disable the execInstalledOnly feature at runtime, you can use the following command:

esxcli system settings advanced set -o "/User/execInstalledOnly" -i 0

This will disable the feature and allow the execution of files that are not part of a valid VIB.

3. To enable the execInstalledOnly feature at runtime, you can use the following command:

esxcli system settings advanced set -o "/User/execInstalledOnly" -i 1

This will enable the feature and prevent the execution of files that are not part of a valid VIB.

4. To view the current status of the execInstalledOnly feature at kernel level, you can use the following command:

esxcli system settings kernel list -o execInstalledOnly

This will display the current status of the feature at the kernel level.

5. To disable the execInstalledOnly feature at kernel level, you can use the following command:

esxcli system settings kernel set -s execInstalledOnly -v FALSE

This will disable the feature and allow the execution of files that are not part of a valid VIB.

6. To enable the execInstalledOnly feature at kernel level, you can use the following command:

esxcli system settings kernel set -s execInstalledOnly -v TRUE

This will enable the feature and prevent the execution of files that are not part of a valid VIB.
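As an added example (not part of the original article or of VMware's tooling), the following POSIX shell script turns the output of the two status commands above into a one-word verdict per layer, so a host can be audited for whether execInstalledOnly is actually enforced. It assumes the output layouts shown in the constructed samples: an "Int Value:" line for the advanced option, and Name/Type/Configured/Runtime/Default columns for the kernel option; compare them with your own host's output before relying on it.

```shell
#!/bin/sh
# Audit helper: reads the text printed by the two esxcli status commands and
# prints a one-word verdict, so the same logic runs against live output on a
# host or against the constructed samples at the bottom of this script.

# Runtime check on the output of:
#   esxcli system settings advanced list -o /User/execInstalledOnly
# ASSUMPTION: the value appears on an "Int Value:" line (1 = enforced).
runtime_status() {
  printf '%s\n' "$1" | awk -F':' '
    /^[[:space:]]*Int Value:/ { gsub(/[[:space:]]/, "", $2); found = 1; v = $2 }
    END {
      if (!found)          print "unknown"
      else if (v + 0 == 1) print "enforced"
      else                 print "disabled"
    }'
}

# Kernel-level check on the output of:
#   esxcli system settings kernel list -o execInstalledOnly
# ASSUMPTION: columns are Name, Type, Configured, Runtime, Default. A kernel
# option changed with "kernel set" only becomes the Runtime value after a
# reboot, so Configured != Runtime is reported as "pending".
kernel_status() {
  printf '%s\n' "$1" | awk '
    $1 == "execInstalledOnly" { found = 1; cfg = $3; rt = $4 }
    END {
      if (!found)                             print "unknown"
      else if (cfg == "TRUE" && rt == "TRUE") print "enforced"
      else if (cfg != rt)                     print "pending"
      else                                    print "disabled"
    }'
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_RUNTIME_ON='   Path: /User/execInstalledOnly
   Type: integer
   Int Value: 1
   Default Int Value: 0'

SAMPLE_KERNEL_PENDING='Name               Type  Configured  Runtime  Default
-----------------  ----  ----------  -------  -------
execInstalledOnly  Bool  TRUE        FALSE    FALSE'

# Prints both verdicts; the host is only fully covered when both say enforced.
audit() {
  printf 'runtime: %s\nkernel:  %s\n' \
    "$(runtime_status "$1")" "$(kernel_status "$2")"
}

audit "$SAMPLE_RUNTIME_ON" "$SAMPLE_KERNEL_PENDING"
```

On a live host, replace the samples with the real command output, e.g. `runtime_status "$(esxcli system settings advanced list -o /User/execInstalledOnly)"`.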

Conclusion

execInstalledOnly is a security feature in VMware ESXi that restricts the execution of files that are not part of a valid vSphere Installation Bundle (VIB). The feature is enabled by default in all versions of VMware ESXi up to and including version 8.0, and can be configured using the esxcli command-line tool.

By understanding how the execInstalledOnly feature works and how to configure it, you can better protect your VMware ESXi server from unknown or malicious code, and ensure a secure and reliable virtualization environment.