Domain enforcement change warnings observed on ESXi Host



Article ID: 337148


Products

VMware vSphere ESXi

Issue/Introduction

The purpose of this article is to document the warnings raised on hosts where the enforcement level of one or more security domains is changed to "warning" or "disabled".


Symptoms:

The following vSphere warnings are observed on an ESXi host when a user changes the enforcement level of one of the security domains on the host (or of all domains at once).

esx.audit.uw.secpolicy.alldomains.level.changed
 "The enforcement level for all security domains has been changed to warning. The enforcement level must always be set to enforcing."

esx.audit.uw.secpolicy.domain.level.changed
 "The enforcement level for security domain <domain-name> has been changed to disabled. The enforcement level must always be set to enforcing."
For more information about VOB messages, see Using the VMkernel Observations for Creating Alarms.


Environment

VMware vSphere ESXi 8.0.0

Cause

With the vSphere 8.0 release, most daemons running on ESXi have their own custom security domain with the required access privileges defined.
Domains on ESXi have three kinds of enforcement levels:

  • "enforcing": Any resource not defined in the domain definition will be denied.
  • "warning": A resource not defined in the domain definition will be granted, but the event will be logged in the vmkernel log.
  • "disabled": A resource not defined in the domain definition will be granted, and the event will not be logged in the vmkernel log.

It is recommended to keep the enforcement level of all domains at "enforcing". Changing the enforcement level of a domain puts the host at a security risk.
So, whenever this occurs, a VOB is generated (and a corresponding event is displayed in the vCenter UI) to notify the user of the change.
The only scenario in which customers are advised to change the domain enforcement level is one where a daemon requires a privilege that is not defined in the domain. In that case, users should change the enforcement level of the domain to "warning" or "disabled". With the 8.0 release, domain enforcement changes are persistent across reboots.
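Because these changes persist across reboots, a host can stay in "warning" or "disabled" indefinitely after a one-time troubleshooting step. The following script is an added example (not VMware's code and not part of this article) that scans vobd-style log lines for the two VOB identifiers quoted above, extracts the affected domain and the new level, and replays the changes to show which domains are currently out of "enforcing". The log line layout (`<timestamp>: [<correlator>] <uptime>us: [<vob-id>] <message>`) and the sample lines are constructed assumptions for this example; the VOB identifiers and message wording are the ones given in this article.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# The two VOB identifiers documented in the article.
VOB_ALL_DOMAINS = "esx.audit.uw.secpolicy.alldomains.level.changed"
VOB_ONE_DOMAIN = "esx.audit.uw.secpolicy.domain.level.changed"

ALL_DOMAINS = "*"  # marker used when the alldomains VOB fires

# Constructed sample log, in an assumed vobd.log-like layout (not taken from a real host).
# Line 1 is a raw vob.* variant and line 4 an unrelated VOB; both must be ignored.
SAMPLE_VOBD_LOG = """\
2024-03-01T10:15:02.123Z: [UserWorldCorrelator] 1234567us: [vob.uw.secpolicy.domain.level.changed] The enforcement level for security domain hostd has been changed to warning. The enforcement level must always be set to enforcing.
2024-03-01T10:15:02.130Z: [UserWorldCorrelator] 1234568us: [esx.audit.uw.secpolicy.domain.level.changed] The enforcement level for security domain hostd has been changed to warning. The enforcement level must always be set to enforcing.
2024-03-01T10:20:44.001Z: [UserWorldCorrelator] 1300000us: [esx.audit.uw.secpolicy.alldomains.level.changed] The enforcement level for all security domains has been changed to disabled. The enforcement level must always be set to enforcing.
2024-03-01T10:21:00.000Z: [GenericCorrelator] 1310000us: [esx.audit.net.firewall.config.changed] Firewall configuration has changed.
"""

# Assumed line layout: "<timestamp>: [<correlator>] <uptime>us: [<vob-id>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+):\s+\[[^\]]+\]\s+\d+us:\s+\[(?P<vob>[^\]]+)\]\s+(?P<msg>.*)$"
)
# Message patterns follow the wording quoted in the article.
ONE_RE = re.compile(r"security domain (?P<domain>\S+) has been changed to (?P<level>\w+)")
ALL_RE = re.compile(r"all security domains has been changed to (?P<level>\w+)")


@dataclass
class LevelChange:
    timestamp: str
    domain: str   # domain name, or ALL_DOMAINS for the alldomains VOB
    level: str    # "enforcing", "warning" or "disabled"


def parse_vobd_log(text: str) -> List[LevelChange]:
    """Return every enforcement-level change found in the log text, in file order."""
    found: List[LevelChange] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        vob, msg, ts = m.group("vob"), m.group("msg"), m.group("ts")
        if vob == VOB_ONE_DOMAIN:
            d = ONE_RE.search(msg)
            if d:
                found.append(LevelChange(ts, d.group("domain"), d.group("level").lower()))
        elif vob == VOB_ALL_DOMAINS:
            d = ALL_RE.search(msg)
            if d:
                found.append(LevelChange(ts, ALL_DOMAINS, d.group("level").lower()))
    return found


def severity(level: str) -> str:
    # "disabled" also silences vmkernel logging of out-of-policy access, so it ranks above "warning".
    return {"enforcing": "info", "warning": "medium", "disabled": "high"}.get(level, "unknown")


def current_levels(changes: List[LevelChange]) -> Dict[str, str]:
    """Replay changes in order; an all-domains change overrides every earlier per-domain level."""
    state: Dict[str, str] = {}
    for c in changes:
        if c.domain == ALL_DOMAINS:
            state = {name: c.level for name in state}
            state[ALL_DOMAINS] = c.level
        else:
            state[c.domain] = c.level
    return state


def report(text: str) -> List[str]:
    """One human-readable finding per domain that is not at 'enforcing'."""
    lines = []
    for domain, level in sorted(current_levels(parse_vobd_log(text)).items()):
        if level != "enforcing":
            label = "all domains" if domain == ALL_DOMAINS else f"domain {domain}"
            lines.append(f"[{severity(level).upper()}] {label} at enforcement level '{level}'")
    return lines


if __name__ == "__main__":
    for finding in report(SAMPLE_VOBD_LOG):
        print(finding)
```

Feed it the host's vobd log (or the same lines forwarded to a syslog collector) and treat any non-empty report as a standing finding: the level stays in effect until someone sets the domain back to "enforcing", so the check is worth running on a schedule rather than only on the day the event fires.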

Resolution

It is highly recommended to keep the enforcement level of all domains at "enforcing", except in the scenario where a domain is missing a privilege required by a daemon.