6.5
Table Of Contents
- Secure Configuration
- Contents
- Secure Configuration
- vRealize Operations Manager Security Posture
- Secure Deployment of vRealize Operations Manager
- Secure Configuration of vRealize Operations Manager
- Secure the vRealize Operations Manager Console
- Change the Root Password
- Managing Secure Shell, Administrative Accounts, and Console Access
- Enable or Disable Secure Shell on a vRealize Operations Manager node
- Create a Local Administrative Account for Secure Shell
- Restrict Secure Shell Access
- Maintain Secure Shell Key File Permissions
- Harden the Secure Shell Server Configuration
- Harden the Secure Shell Client Configuration
- Disable Direct Logins as Root
- Disable SSH Access for the Admin User Account
- Set Boot Loader Authentication
- Single-User or Maintenance Mode Authentication
- Monitor Minimal Necessary User Accounts
- Monitor Minimal Necessary Groups
- Resetting the vRealize Operations Manager Administrator Password (Linux)
- Configure NTP on VMware Appliances
- Disable the TCP Timestamp Response on Linux
- Enable FIPS 140-2 Mode
- TLS for Data in Transit
- Application Resources That Must be Protected
- Configure PostgreSQL Client Authentication
- Apache Configuration
- Disable Configuration Modes
- Managing Nonessential Software Components
- Secure the USB Mass Storage Handler
- Secure the Bluetooth Protocol Handler
- Secure the Stream Control Transmission Protocol
- Secure the Datagram Congestion Control Protocol
- Secure Reliable Datagram Sockets Protocol
- Secure the Transparent Inter-Process Communication Protocol
- Secure Internet Packet Exchange Protocol
- Secure Appletalk Protocol
- Secure DECnet Protocol
- Secure Firewire Module
- Kernel Message Logging
- Linux Installed Deployment
- Endpoint Operations Management Agent
- Additional Secure Configuration Activities
- Network Security and Secure Communication
- Configuring Network Settings for Virtual Application Installation
- Prevent User Control of Network Interfaces
- Set the Queue Size for TCP Backlog
- Deny ICMPv4 Echoes to Broadcast Address
- Configure the Host System to Disable IPv4 Proxy ARP
- Configure the Host System to Ignore IPv4 ICMP Redirect Messages
- Configure the Host System to Ignore IPv6 ICMP Redirect Messages
- Configure the Host System to Deny IPv4 ICMP Redirects
- Configure the Host System to Log IPv4 Martian Packets
- Configure the Host System to use IPv4 Reverse Path Filtering
- Configure the Host System to Deny IPv4 Forwarding
- Configure the Host System to Deny Forwarding of IPv4 Source Routed Packets
- Configure the Host System to Deny IPv6 Forwarding
- Configure the Host System to Use IPv4 TCP Syncookies
- Configure the Host System to Deny IPv6 Router Advertisements
- Configure the Host System to Deny IPv6 Router Solicitations
- Configure the Host System to Deny IPv6 Router Preference in Router Solicitations
- Configure the Host System to Deny IPv6 Router Prefix
- Configure the Host System to Deny IPv6 Router Advertisement Hop Limit Settings
- Configure the Host System to Deny IPv6 Router Advertisement Autoconf Settings
- Configure the Host System to Deny IPv6 Neighbor Solicitations
- Configure the Host System to Restrict IPv6 Maximum Addresses
- Configuring Ports and Protocols
- Configuring Network Settings for Virtual Application Installation
- Auditing and Logging on your vRealize Operations Manager System
- Index
Single-User or Maintenance Mode Authentication
If the system does not require valid root authentication before it boots into single-user or maintenance
mode, anyone who invokes single-user or maintenance mode is granted privileged access to all les on the
system.
Procedure
u
Review the/etc/inittab le and ensure that the following two lines appear: ls:S:wait:/etc/init.d/rc
S and ~~:S:respawn:/sbin/sulogin.
Monitor Minimal Necessary User Accounts
You must monitor existing user accounts and ensure that any unnecessary user accounts are removed.
Procedure
u
Run the host:~ # cat /etc/passwd command and verify the minimal necessary user accounts:
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
haldaemon:x:101:102:User for haldaemon:/var/run/hald:/bin/false
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
messagebus:x:100:101:User for D-Bus:/var/run/dbus:/bin/false
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
ntp:x:74:106:NTP daemon:/var/lib/ntp:/bin/false
polkituser:x:103:104:PolicyKit:/var/run/PolicyKit:/bin/false
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
root:x:0:0:root:/root:/bin/bash
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
suse-ncc:x:104:107:Novell Customer Center User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
uuidd:x:102:103:User for uuidd:/var/run/uuidd:/bin/false
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
nginx:x:105:108:user for nginx:/var/lib/nginx:/bin/false
admin:x:1000:1003::/home/admin:/bin/bash
tcserver:x:1001:1004:tc Server User:/home/tcserver:/bin/bash
postgres:x:1002:100::/var/vmware/vpostgres/9.3:/bin/bash
Monitor Minimal Necessary Groups
You must monitor existing groups and members to ensure that any unnecessary groups or group access is
removed.
Procedure
u
Run the <host>:~ # cat /etc/group command to verify the minimum necessary groups and group
membership.
audio:x:17:
bin:x:1:daemon
cdrom:x:20:
console:x:21:
daemon:x:2:
dialout:x:16:u1,tcserver,postgres
disk:x:6:
floppy:x:19:
Secure Configuration
20 VMware, Inc.