Scanning ESXi hosts from Tenable fails with error "Failed to enumerate VIBs: empty key"

Article ID: 393768

Products

VMware vSphere ESXi

Issue/Introduction

  • Unable to perform Tenable scanning on ESXi hosts.
  • Scanning of ESXi hosts from Tenable fails with the following error message:

"Failed to enumerate VIBs: empty key"

  • Tenable makes the following API call to list the ESXi host components:

curl -k -X GET -H "vmware-api-session-id:<SESSION ID>" https://<VC FQDN>/api/esx/hosts/host-<HOST NUMBER>/software/installed-components

  • When this command is run manually outside of Tenable, the result is an empty list: {}

 

Environment

vSphere ESXi 7.0.x

 

Cause

This issue is caused by ESXi hosts being provisioned via Auto Deploy in a stateless configuration. Auto Deploy installs ESXi directly into the host's memory, where the deployment server maintains all host state information.

Resolution

To ensure successful scanning via Tenable, ESXi hosts must be provisioned in a stateful manner using VMware vSphere Lifecycle Manager (vLCM). In a stateful configuration, the ESXi image is persisted to local host storage upon the initial boot. This local persistence ensures that host components are correctly indexed and available for discovery during security scans.

For more information, see how to migrate from stateless to stateful.
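To find which hosts will fail the scan, or to confirm the inventory is populated after moving a host to stateful, the same installed-components call can be run across a list of hosts. The script below is an added example, not code from VMware or Tenable; the function names and the VC_SESSION_ID environment variable are assumptions, and it only checks whether the response is an empty object, not the shape of a populated one.

```python
import json
import os
import sys
import urllib.error
import urllib.request


def classify_inventory(body):
    """Classify an installed-components response body as ok, empty or invalid."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "invalid"
    if not isinstance(data, dict):
        return "invalid"
    # An empty object is the symptom described in this article.
    return "ok" if data else "empty"


def http_get(url, session_id, ctx=None):
    """GET with the session header; ctx=None keeps default TLS verification."""
    req = urllib.request.Request(url, headers={"vmware-api-session-id": session_id})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8", "replace")


def audit(vc_fqdn, session_id, host_ids, fetch=http_get):
    """Return {host_id: status} for each managed-object ID such as 'host-1001'."""
    results = {}
    for host_id in host_ids:
        url = f"https://{vc_fqdn}/api/esx/hosts/{host_id}/software/installed-components"
        try:
            results[host_id] = classify_inventory(fetch(url, session_id))
        except urllib.error.URLError as exc:  # includes HTTPError
            results[host_id] = f"error: {exc.reason}"
    return results


if __name__ == "__main__":
    # Usage (assumed): VC_SESSION_ID=<SESSION ID> python3 audit.py <VC FQDN> host-<N> ...
    vc, hosts = sys.argv[1], sys.argv[2:]
    report = audit(vc, os.environ["VC_SESSION_ID"], hosts)
    for host_id, status in report.items():
        print(f"{host_id}\t{status}")
    sys.exit(1 if any(s != "ok" for s in report.values()) else 0)
```

Unlike the curl -k call above, this keeps certificate verification on, so the vCenter certificate must be trusted by the machine running it.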