6.5
Table Of Contents
- Secure Configuration
- Contents
- Secure Configuration
- vRealize Operations Manager Security Posture
- Secure Deployment of vRealize Operations Manager
- Secure Configuration of vRealize Operations Manager
- Secure the vRealize Operations Manager Console
- Change the Root Password
- Managing Secure Shell, Administrative Accounts, and Console Access
- Enable or Disable Secure Shell on a vRealize Operations Manager node
- Create a Local Administrative Account for Secure Shell
- Restrict Secure Shell Access
- Maintain Secure Shell Key File Permissions
- Harden the Secure Shell Server Configuration
- Harden the Secure Shell Client Configuration
- Disable Direct Logins as Root
- Disable SSH Access for the Admin User Account
- Set Boot Loader Authentication
- Single-User or Maintenance Mode Authentication
- Monitor Minimal Necessary User Accounts
- Monitor Minimal Necessary Groups
- Resetting the vRealize Operations Manager Administrator Password (Linux)
- Configure NTP on VMware Appliances
- Disable the TCP Timestamp Response on Linux
- Enable FIPS 140-2 Mode
- TLS for Data in Transit
- Application Resources That Must be Protected
- Configure PostgreSQL Client Authentication
- Apache Configuration
- Disable Configuration Modes
- Managing Nonessential Software Components
- Secure the USB Mass Storage Handler
- Secure the Bluetooth Protocol Handler
- Secure the Stream Control Transmission Protocol
- Secure the Datagram Congestion Control Protocol
- Secure Reliable Datagram Sockets Protocol
- Secure the Transparent Inter-Process Communication Protocol
- Secure Internet Packet Exchange Protocol
- Secure Appletalk Protocol
- Secure DECnet Protocol
- Secure Firewire Module
- Kernel Message Logging
- Linux Installed Deployment
- Endpoint Operations Management Agent
- Additional Secure Configuration Activities
- Network Security and Secure Communication
- Configuring Network Settings for Virtual Application Installation
- Prevent User Control of Network Interfaces
- Set the Queue Size for TCP Backlog
- Deny ICMPv4 Echoes to Broadcast Address
- Configure the Host System to Disable IPv4 Proxy ARP
- Configure the Host System to Ignore IPv4 ICMP Redirect Messages
- Configure the Host System to Ignore IPv6 ICMP Redirect Messages
- Configure the Host System to Deny IPv4 ICMP Redirects
- Configure the Host System to Log IPv4 Martian Packets
- Configure the Host System to use IPv4 Reverse Path Filtering
- Configure the Host System to Deny IPv4 Forwarding
- Configure the Host System to Deny Forwarding of IPv4 Source Routed Packets
- Configure the Host System to Deny IPv6 Forwarding
- Configure the Host System to Use IPv4 TCP Syncookies
- Configure the Host System to Deny IPv6 Router Advertisements
- Configure the Host System to Deny IPv6 Router Solicitations
- Configure the Host System to Deny IPv6 Router Preference in Router Solicitations
- Configure the Host System to Deny IPv6 Router Prefix
- Configure the Host System to Deny IPv6 Router Advertisement Hop Limit Settings
- Configure the Host System to Deny IPv6 Router Advertisement Autoconf Settings
- Configure the Host System to Deny IPv6 Neighbor Solicitations
- Configure the Host System to Restrict IPv6 Maximum Addresses
- Configuring Ports and Protocols
- Configuring Network Settings for Virtual Application Installation
- Auditing and Logging on your vRealize Operations Manager System
- Index
Disable Direct Logins as Root
By default, the hardened appliances allow you to use the console to log in directly as root. As a security best
practice, you can disable direct logins after you create an administrative account for nonrepudiation and test
it for wheel access by using the su-root command.
Prerequisites
n
Complete the steps in the topic called “Create a Local Administrative Account for Secure Shell,” on
page 16.
n
Verify that you have tested accessing the system as an administrator before you disable direct root
logins.
Procedure
1 Log in as root and navigate to the /etc/securetty le.
You can access this le from the command prompt.
2 Replace the tty1 entry with console.
Disable SSH Access for the Admin User Account
As a security best practice, you can disable SSH access for the admin user account. The
vRealize Operations Manager admin account and the Linux admin account share the same password.
Disabling SSH access to the admin user enforces defense in depth by ensuring all users of SSH rst login to
a lesser privileged service account with a password that diers from the vRealize Operations Manager
admin account and then switch user to a higher privilege such as the admin or root.
Procedure
1 Edit the /etc/ssh/sshd_config le.
You can access this le from the command prompt.
2 Add the DenyUsers admin entry anywhere in the le and save the le.
3 To restart the sshd server, run the service sshd restart command.
Set Boot Loader Authentication
To provide an appropriate level of security, congure boot loader authentication on your VMware virtual
appliances. If the system boot loader requires no authentication, users with console access to the system
might be able to alter the system boot conguration or boot the system to single user or maintenance mode,
which can result in denial of service or unauthorized system access.
Because boot loader authentication is not set by default on the VMware virtual appliances, you must create a
GRUB password to congure it.
Procedure
1 Verify whether a boot password exists by locating the password --md5 <password-hash> line in
the /boot/grub/menu.lst le on your virtual appliances.
2 If no password exists, run the # /usr/sbin/grub-md5-crypt command on your virtual appliance.
An MD5 password is generated, and the command supplies the md5 hash output.
3 Append the password to the menu.lst le by running the # password --md5 <hash from grub-md5-
crypt> command.
Chapter 3 Secure Configuration of vRealize Operations Manager
VMware, Inc. 19