6.5
Restrict Secure Shell Access
As part of your system hardening process, restrict Secure Shell (SSH) access by configuring the
tcp_wrappers package appropriately on all VMware virtual appliance host machines. Also maintain
required SSH key file permissions on these appliances.
All VMware virtual appliances include the tcp_wrappers package to allow tcp-supported daemons to
control the network subnets that can access the libwrapped daemons. By default, the /etc/hosts.allow file
contains a generic entry, sshd: ALL : ALLOW, that allows all access to the secure shell. Restrict this access as
appropriate for your organization.
Procedure
1 Open the /etc/hosts.allow file on your virtual appliance host machine in a text editor.
2 Change the generic entry in your production environment to include only the local host entries and the
management network subnet for secure operations.
    sshd: 127.0.0.1 : ALLOW
    sshd: [::1] : ALLOW
    sshd: 10.0.0.0 : ALLOW
In this example, all local host connections and connections that the clients make on the 10.0.0.0 subnet
are allowed.
3 Add all appropriate machine identification, for example, host name, IP address, fully qualified domain
name (FQDN), and loopback.
4 Save the file and close it.
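As an added example (not part of the VMware guide), the following POSIX shell audit reads a hosts.allow file, reports every client pattern that grants sshd access, and flags the generic ALL entry that the procedure above replaces. It assumes the rule syntax documented in hosts_access(5), and the sample files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Audit the sshd rules in a tcp_wrappers hosts.allow file. Rule syntax per
# hosts_access(5): "daemon_list : client_list [: option]". Prints every client
# pattern that grants sshd access; returns 1 while the generic ALL pattern is
# present, 0 when access is restricted, 2 when the file cannot be read.
audit_sshd_hosts_allow() {
    file="${1:-/etc/hosts.allow}"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # sed: drop comments, then turn ':' inside IPv6 literals such as [::1] into
    # '|' so awk can split fields on ':'.  awk: keep rules whose daemon list
    # names sshd or ALL and whose option is not DENY; print the client list.
    clients=$(sed -e 's/#.*//' -e ':a' -e 's/\(\[[^]]*\):\([^]]*\]\)/\1|\2/' -e ta "$file" |
        awk -F: '{ d = tolower($1); gsub(/[ \t]/, "", d)
                   o = tolower($3); gsub(/[ \t]/, "", o)
                   if (o == "deny") next
                   n = split(d, a, ",")
                   for (i = 1; i <= n; i++)
                       if (a[i] == "sshd" || a[i] == "all") { print $2; break } }' |
        tr ',|' ' :')
    status=0
    for pattern in $clients; do            # client lists are comma/space separated
        case "$pattern" in
            ALL|all) echo "WARN: sshd accepts connections from ALL clients"; status=1 ;;
            EXCEPT|except) ;;              # operator, not a client pattern
            */*|*.|.*|LOCAL|KNOWN|UNKNOWN|PARANOID)
                echo "network/wildcard pattern: $pattern" ;;
            *)  # a bare address such as 10.0.0.0 matches only that one host; write
                # 10. or 10.0.0.0/255.0.0.0 to admit the whole network
                echo "single-host pattern: $pattern" ;;
        esac
    done
    return $status
}

# Constructed sample files (not taken from an appliance) to exercise the check.
tmp=$(mktemp -d)
printf 'sshd: ALL : ALLOW\n' > "$tmp/default"
printf 'sshd: 127.0.0.1 : ALLOW\nsshd: [::1] : ALLOW\nsshd: 10.0.0.0/255.0.0.0 : ALLOW\n' > "$tmp/hardened"
audit_sshd_hosts_allow "$tmp/default" || echo "default policy is not restricted (status $?)"
audit_sshd_hosts_allow "$tmp/hardened" && echo "hardened policy restricts sshd"
rm -rf "$tmp"
```

Run it against the real file with `audit_sshd_hosts_allow /etc/hosts.allow` after editing; a non-zero status means the generic entry is still in place.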
Maintain Secure Shell Key File Permissions
To maintain an appropriate level of security, configure Secure Shell (SSH) key file permissions.
Procedure
1 View the public host key files, located in /etc/ssh/*key.pub.
2 Verify that these files are owned by root, that the group is owned by root, and that the files have
permissions set to 0644.
The permissions are (-rw-r--r--).
3 Close all files.
4 View the private host key files, located in /etc/ssh/*key.
5 Verify that root owns these files and the group, and that the files have permissions set to 0600.
The permissions are (-rw-------).
6 Close all files.
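An added check (not from the VMware guide) that performs steps 1 through 6 in one pass: it verifies owner, group and exact mode of every host key file in a directory, defaulting to /etc/ssh and root:root. The demo directory it builds holds constructed, empty stand-in key files and is checked against the current user and group so the script runs unprivileged.

```shell
#!/bin/sh
# Verify SSH host key file ownership and mode: public keys (*key.pub) must be
# 0644 and private keys (*key without the .pub suffix) 0600, all owned by the
# given owner:group (default root:root in /etc/ssh).
# Usage: check_ssh_host_keys [dir] [owner] [group]
# Prints one line per file; the return value is the number of failing files.
check_ssh_host_keys() {
    dir="${1:-/etc/ssh}"; owner="${2:-root}"; group="${3:-root}"
    bad=0
    for f in "$dir"/*key "$dir"/*key.pub; do
        [ -f "$f" ] || continue            # unmatched glob stays literal; skip it
        case "$f" in
            *.pub) want=644 ;;
            *)     want=600 ;;
        esac
        # find(1) given a regular file tests only that file; a plain octal
        # -perm is an exact match, so no extra group/world bits may be set.
        if [ -n "$(find "$f" -user "$owner" -group "$group" -perm "$want" -print)" ]; then
            echo "ok   $f (mode $want)"
        else
            echo "FAIL $f (want $owner:$group, mode $want)"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Constructed demo directory: empty files stand in for host keys (no real keys).
demo=$(mktemp -d)
grp=$(ls -ld "$demo" | awk '{ print $4 }')   # group that files created inside get
: > "$demo/ssh_host_rsa_key";       chmod 600 "$demo/ssh_host_rsa_key"
: > "$demo/ssh_host_rsa_key.pub";   chmod 644 "$demo/ssh_host_rsa_key.pub"
: > "$demo/ssh_host_ed25519_key";   chmod 644 "$demo/ssh_host_ed25519_key"   # too open
check_ssh_host_keys "$demo" "$(id -un)" "$grp" || echo "$? file(s) need fixing"
rm -rf "$demo"
```

On an appliance, run `check_ssh_host_keys` with no arguments as root; any FAIL line names a file to fix with chown root:root and chmod 0644 or 0600.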
Harden the Secure Shell Server Configuration
Where possible, the Virtual Application Installation (OVF) has a default hardened configuration. Users can
verify that their configuration is appropriately hardened by examining the server and client service in the
global options section of the configuration file.
If possible, restrict use of the SSH server to a management subnet in the /etc/hosts.allow file.
Chapter 3 Secure Configuration of vRealize Operations Manager
VMware, Inc. 17