6.4
Table Of Contents
- Secure Configuration
- Contents
- Secure Configuration
- vRealize Operations Manager Security Posture
- Secure Deployment of vRealize Operations Manager
- Secure Configuration of vRealize Operations Manager
- Secure the vRealize Operations Manager Console
- Change the Root Password
- Managing Secure Shell, Administrative Accounts, and Console Access
- Enable or Disable Secure Shell on a vRealize Operations Manager node
- Create a Local Administrative Account for Secure Shell
- Restrict Secure Shell Access
- Maintain Secure Shell Key File Permissions
- Harden the Secure Shell Server Configuration
- Harden the Secure Shell Client Configuration
- Disable Direct Logins as Root
- Disable SSH Access for the Admin User Account
- Set Boot Loader Authentication
- Single-User or Maintenance Mode Authentication
- Monitor Minimal Necessary User Accounts
- Monitor Minimal Necessary Groups
- Resetting the vRealize Operations Manager Administrator Password (Linux)
- Configure NTP on VMware Appliances
- Disable the TCP Timestamp Response on Linux
- Enable FIPS 140-2 Mode
- TLS for Data in Transit
- Application Resources That Must be Protected
- Configure PostgreSQL Client Authentication
- Apache Configuration
- Disable Configuration Modes
- Managing Nonessential Software Components
- Secure the USB Mass Storage Handler
- Secure the Bluetooth Protocol Handler
- Secure the Stream Control Transmission Protocol
- Secure the Datagram Congestion Control Protocol
- Secure Reliable Datagram Sockets Protocol
- Secure the Transparent Inter-Process Communication Protocol
- Secure Internet Packet Exchange Protocol
- Secure Appletalk Protocol
- Secure DECnet Protocol
- Secure Firewire Module
- Kernel Message Logging
- Windows Installed Deployment
- Linux Installed Deployment
- Endpoint Operations Management Agent
- Additional Secure Configuration Activities
- Network Security and Secure Communication
- Configuring Network Settings for Virtual Application Installation
- Prevent User Control of Network Interfaces
- Set the Queue Size for TCP Backlog
- Deny ICMPv4 Echoes to Broadcast Address
- Configure the Host System to Disable IPv4 Proxy ARP
- Configure the Host System to Ignore IPv4 ICMP Redirect Messages
- Configure the Host System to Ignore IPv6 ICMP Redirect Messages
- Configure the Host System to Deny IPv4 ICMP Redirects
- Configure the Host System to Log IPv4 Martian Packets
- Configure the Host System to use IPv4 Reverse Path Filtering
- Configure the Host System to Deny IPv4 Forwarding
- Configure the Host System to Deny Forwarding of IPv4 Source Routed Packets
- Configure the Host System to Deny IPv6 Forwarding
- Configure the Host System to Use IPv4 TCP Syncookies
- Configure the Host System to Deny IPv6 Router Advertisements
- Configure the Host System to Deny IPv6 Router Solicitations
- Configure the Host System to Deny IPv6 Router Preference in Router Solicitations
- Configure the Host System to Deny IPv6 Router Prefix
- Configure the Host System to Deny IPv6 Router Advertisement Hop Limit Settings
- Configure the Host System to Deny IPv6 Router Advertisement Autoconf Settings
- Configure the Host System to Deny IPv6 Neighbor Solicitations
- Configure the Host System to Restrict IPv6 Maximum Addresses
- Configuring Ports and Protocols
- Configuring Network Settings for Virtual Application Installation
- Auditing and Logging on your vRealize Operations Manager System
- Index
Index
A
administrative accounts 15
agent certificate revocation 40
apache configuration 28
Apache httpd 23
application resources, protect 26
auditing 53
authorized NTP server 53
B
best practices, End Point Operations Management agents 36
Bluetooth protocol handler 29
boot loader authentication 19
browser considerations 53
C
cipher suites in GemFire 25
cipher suites in Apache httpd 25
client configuration, secure shell 18
configuration, PostgreSQL client authentication 27
configuration modes, disable 29, 34, 35
configure 29
configure network settings for OVF 43
configure network time protocol 22
configure strong protocols 33, 34
console access 15
D
data in transit 23, 33, 34
Datagram Congestion Control Protocol 30
DECnet Protocol, secure 31
deny forwarding 47
deny ICMPv4 echoes to broadcast address 44
deny IPv6 router settings 50
deny IPv6 router advertisement hop limit 50
Diffie-Hellman 35
Diffie-Hellman key exchange 33
disable, unnecessary applications 41
disable browsing 28
disable direct logins 19
disable directory browsing 28
disable SSH access for the admin user account 19
disable TCP timestamp response 22
disable the trace method: Apache2 server 28
disable unnecessary ports 41
disable unnecessary services 41
disable weak ciphers 33, 35
E
enabling FIPS 140-2 mode 22
End Point Operations Management agent 36
F
file permissions, secure shell 17
G
GemFire TLS handler protocols 23
glossary 5
H
hardening infrastructure 9
hardening for Linux installation 10
hardening for Windows installation 10
hardening the vSphere environment 10
host server secure configuration 35
host server securely configured 34
host server's secure baseline 34
I
infrastructure, hardening 9
intended audience 5
inventory of unsupported software 10
IPv4 source routed packets 47
IPv4, deny IPv4 forwarding 46
IPv4, deny IPv4 ICMP redirects 45
IPv4, disable proxy ARP 44
IPv4, ignore ICMP redirect messages 44
IPv4, ignore IPv4 reverse path filtering 46
IPv4, log IPv4 Martian packets 46
IPv4, use IPv4 TCP syncookies 48
IPv6 autoconf settings 50
IPv6, deny IPv6 forwarding 47
IPv6, deny IPv6 neighbor solicitations 51
IPv6, deny IPv6 router advertisements 48
IPv6, deny IPv6 router prefix 49
IPv6, deny IPv6 router solicitations 49
VMware, Inc.