6.5
Table Of Contents
- Secure Configuration
- Contents
- Secure Configuration
- vRealize Operations Manager Security Posture
- Secure Deployment of vRealize Operations Manager
- Secure Configuration of vRealize Operations Manager
- Secure the vRealize Operations Manager Console
- Change the Root Password
- Managing Secure Shell, Administrative Accounts, and Console Access
- Enable or Disable Secure Shell on a vRealize Operations Manager node
- Create a Local Administrative Account for Secure Shell
- Restrict Secure Shell Access
- Maintain Secure Shell Key File Permissions
- Harden the Secure Shell Server Configuration
- Harden the Secure Shell Client Configuration
- Disable Direct Logins as Root
- Disable SSH Access for the Admin User Account
- Set Boot Loader Authentication
- Single-User or Maintenance Mode Authentication
- Monitor Minimal Necessary User Accounts
- Monitor Minimal Necessary Groups
- Resetting the vRealize Operations Manager Administrator Password (Linux)
- Configure NTP on VMware Appliances
- Disable the TCP Timestamp Response on Linux
- Enable FIPS 140-2 Mode
- TLS for Data in Transit
- Application Resources That Must be Protected
- Configure PostgreSQL Client Authentication
- Apache Configuration
- Disable Configuration Modes
- Managing Nonessential Software Components
- Secure the USB Mass Storage Handler
- Secure the Bluetooth Protocol Handler
- Secure the Stream Control Transmission Protocol
- Secure the Datagram Congestion Control Protocol
- Secure Reliable Datagram Sockets Protocol
- Secure the Transparent Inter-Process Communication Protocol
- Secure Internet Packet Exchange Protocol
- Secure Appletalk Protocol
- Secure DECnet Protocol
- Secure Firewire Module
- Kernel Message Logging
- Linux Installed Deployment
- Endpoint Operations Management Agent
- Additional Secure Configuration Activities
- Network Security and Secure Communication
- Configuring Network Settings for Virtual Application Installation
- Prevent User Control of Network Interfaces
- Set the Queue Size for TCP Backlog
- Deny ICMPv4 Echoes to Broadcast Address
- Configure the Host System to Disable IPv4 Proxy ARP
- Configure the Host System to Ignore IPv4 ICMP Redirect Messages
- Configure the Host System to Ignore IPv6 ICMP Redirect Messages
- Configure the Host System to Deny IPv4 ICMP Redirects
- Configure the Host System to Log IPv4 Martian Packets
- Configure the Host System to use IPv4 Reverse Path Filtering
- Configure the Host System to Deny IPv4 Forwarding
- Configure the Host System to Deny Forwarding of IPv4 Source Routed Packets
- Configure the Host System to Deny IPv6 Forwarding
- Configure the Host System to Use IPv4 TCP Syncookies
- Configure the Host System to Deny IPv6 Router Advertisements
- Configure the Host System to Deny IPv6 Router Solicitations
- Configure the Host System to Deny IPv6 Router Preference in Router Solicitations
- Configure the Host System to Deny IPv6 Router Prefix
- Configure the Host System to Deny IPv6 Router Advertisement Hop Limit Settings
- Configure the Host System to Deny IPv6 Router Advertisement Autoconf Settings
- Configure the Host System to Deny IPv6 Neighbor Solicitations
- Configure the Host System to Restrict IPv6 Maximum Addresses
- Configuring Ports and Protocols
- Configuring Network Settings for Virtual Application Installation
- Auditing and Logging on your vRealize Operations Manager System
- Index
c To configure the correct cipher suites, run the following commands:
sed -i "/^[^#]*cluster-ssl-ciphers/ c\cluster-ssl-ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" /usr/lib/vmware-vcops/user/conf/gemfire.properties
sed -i "/^[^#]*cluster-ssl-ciphers/ c\cluster-ssl-ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" /usr/lib/vmware-vcops/user/conf/gemfire.native.properties
sed -i "/^[^#]*cluster-ssl-ciphers/ c\cluster-ssl-ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" /usr/lib/vmware-vcops/user/conf/gemfire.locator.properties
Repeat this step for each node.
d Navigate to the administrator user interface at URL/admin.
e Click Bring Online.
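The three sed commands above replace the first uncommented cluster-ssl-ciphers line in each GemFire properties file. Before bringing a node back online it is worth confirming that every file actually carries the intended value, because a commented-out or duplicated key is easy to miss. The following script is an added example and not VMware's code: it uses the same uncommented-line match as the procedure's sed to read back the active setting from each file and reports any file that does not match the expected cipher suite. The file contents it creates are constructed for the demonstration; on an appliance you would point check_cipher_files at the three paths from step c.

```shell
#!/bin/sh
# Added example (not part of the vRealize Operations Manager documentation):
# read back the active cluster-ssl-ciphers value from GemFire properties files
# and verify it matches the cipher suite set by the hardening procedure.

EXPECTED_CIPHER="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

# Print the value of the last uncommented cluster-ssl-ciphers line in a file.
# The match "^[^#]*cluster-ssl-ciphers=" is the same one the procedure's sed
# uses, so a line such as "# cluster-ssl-ciphers=..." is ignored.
active_cipher_setting() {
    # $1: path to a gemfire *.properties file
    sed -n 's/^[^#]*cluster-ssl-ciphers=\(.*\)$/\1/p' "$1" | tail -n 1
}

# Return 0 when every listed file has exactly the expected cipher suite active,
# 1 otherwise (each mismatching file is reported).
check_cipher_files() {
    # $1: expected cipher list; remaining arguments: files to check
    expected=$1
    shift
    rc=0
    for f in "$@"; do
        actual=$(active_cipher_setting "$f")
        if [ "$actual" = "$expected" ]; then
            echo "OK   $f"
        else
            echo "FAIL $f (active value: '${actual:-<none>}')"
            rc=1
        fi
    done
    return $rc
}

# --- constructed demo files (hypothetical contents, not taken from an appliance) ---
demo_dir=$(mktemp -d)
# A file where the old value was commented out and the hardened value added.
printf '# cluster-ssl-ciphers=TLS_RSA_WITH_AES_128_CBC_SHA\ncluster-ssl-ciphers=%s\n' \
    "$EXPECTED_CIPHER" > "$demo_dir/gemfire.properties"
# A file that was missed and still carries a weak suite.
printf 'cluster-ssl-ciphers=TLS_RSA_WITH_RC4_128_SHA\n' \
    > "$demo_dir/gemfire.locator.properties"

check_cipher_files "$EXPECTED_CIPHER" \
    "$demo_dir/gemfire.properties" "$demo_dir/gemfire.locator.properties" \
    || echo "at least one file still needs the sed from step c"
rm -rf "$demo_dir"
```

On a real node the three arguments would be /usr/lib/vmware-vcops/user/conf/gemfire.properties, gemfire.native.properties and gemfire.locator.properties; running the check on every node before clicking Bring Online turns "Repeat this step for each node" into something you can verify rather than remember.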
Application Resources That Must be Protected
As a security best practice, ensure that the application resources are protected.
Follow the steps to ensure that the application resources are protected.
Procedure
1 Run the find / -path /proc -prune -o -type f -perm +6000 -ls command to verify that only a well-defined set of files have the SUID and SGID bits set (newer versions of GNU find spell this option -perm /6000).
The following list appears:
354131 24 -rwsr-xr-x 1 polkituser root 23176 /usr/lib/PolicyKit/polkit-set-default-helper
354126 20 -rwxr-sr-x 1 root polkituser 19208 /usr/lib/PolicyKit/polkit-grant-helper
354125 20 -rwxr-sr-x 1 root polkituser 19008 /usr/lib/PolicyKit/polkit-explicit-grant-helper
354130 24 -rwxr-sr-x 1 root polkituser 23160 /usr/lib/PolicyKit/polkit-revoke-helper
354127 12 -rwsr-x--- 1 root polkituser 10744 /usr/lib/PolicyKit/polkit-grant-helper-pam
354128 16 -rwxr-sr-x 1 root polkituser 14856 /usr/lib/PolicyKit/polkit-read-auth-helper
73886 84 -rwsr-xr-x 1 root shadow 77848 /usr/bin/chsh
73888 88 -rwsr-xr-x 1 root shadow 85952 /usr/bin/gpasswd
73887 20 -rwsr-xr-x 1 root shadow 19320 /usr/bin/expiry
73890 84 -rwsr-xr-x 1 root root 81856 /usr/bin/passwd
73799 240 -rwsr-xr-x 1 root root 238488 /usr/bin/sudo
73889 20 -rwsr-xr-x 1 root root 19416 /usr/bin/newgrp
73884 92 -rwsr-xr-x 1 root shadow 86200 /usr/bin/chage
73885 88 -rwsr-xr-x 1 root shadow 82472 /usr/bin/chfn
73916 40 -rwsr-x--- 1 root trusted 40432 /usr/bin/crontab
296275 28 -rwsr-xr-x 1 root root 26945 /usr/lib64/pt_chown
353804 816 -r-xr-sr-x 1 root mail 829672 /usr/sbin/sendmail
278545 36 -rwsr-xr-x 1 root root 35792 /bin/ping6
278585 40 -rwsr-xr-x 1 root root 40016 /bin/su
278544 40 -rwsr-xr-x 1 root root 40048 /bin/ping
278638 72 -rwsr-xr-x 1 root root 69240 /bin/umount
278637 100 -rwsr-xr-x 1 root root 94808 /bin/mount
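The value of this step comes from comparing the scan against a known-good list rather than reading it by eye, so that a privileged binary added after deployment stands out. The script below is an added example, not VMware's code: it saves a baseline of approved setuid/setgid paths, extracts the path column from find -ls output, and reports any file the baseline does not cover. The scan function uses -perm -4000 -o -perm -2000, which is equivalent to the procedure's -perm +6000 but accepted by both old and current GNU findutils. The baseline is a subset of the listing above chosen for the demonstration, and the scan output it checks is constructed (inode numbers, sizes, dates and the /opt/local/bin/stale-helper entry are made up).

```shell
#!/bin/sh
# Added example (not part of the vRealize Operations Manager documentation):
# compare the appliance's setuid/setgid files against an approved baseline so
# that any privileged binary outside the baseline is reported.

# Portable equivalent of the procedure's scan. Not run in this demo; on an
# appliance, redirect its output to a file and pass that to audit_privileged_files.
scan_privileged_files() {
    find / -path /proc -prune -o -type f \( -perm -4000 -o -perm -2000 \) -ls
}

# Pull the path column out of "find -ls" output. The path is the last field;
# -type f excludes symlinks, so no "-> target" suffix appears. Paths containing
# spaces would need find -print0 instead of -ls.
list_privileged_paths() {
    # $1: file holding saved find -ls output
    awk 'NF > 0 { print $NF }' "$1" | sort -u
}

# Return 0 when every scanned path is in the baseline, 1 (listing the extras)
# otherwise. $1: saved scan output; $2: baseline file, one approved path per line.
audit_privileged_files() {
    extras=$(list_privileged_paths "$1" | grep -vxF -f "$2") || true
    if [ -n "$extras" ]; then
        printf '%s\n' "$extras" | sed 's|^|UNEXPECTED setuid/setgid file: |'
        return 1
    fi
    echo "no setuid/setgid files outside the baseline"
}

# --- constructed demo data (inode numbers, sizes, dates and the stale-helper
# entry are made up; the baseline paths are a subset of the documented list) ---
work=$(mktemp -d)
cat > "$work/baseline.txt" <<'EOF'
/usr/bin/passwd
/usr/bin/sudo
/bin/su
/bin/ping
/bin/mount
EOF
cat > "$work/scan.txt" <<'EOF'
 73890   84 -rwsr-xr-x   1 root     root        81856 Jan 10  2017 /usr/bin/passwd
 73799  240 -rwsr-xr-x   1 root     root       238488 Jan 10  2017 /usr/bin/sudo
278585   40 -rwsr-xr-x   1 root     root        40016 Jan 10  2017 /bin/su
 99999   12 -rwsr-xr-x   1 root     root        10240 Feb  3  2017 /opt/local/bin/stale-helper
EOF

audit_privileged_files "$work/scan.txt" "$work/baseline.txt" || true
rm -rf "$work"
```

Keep the baseline under change control and regenerate it only after a deliberate change (for example a product upgrade); a finding then means either an undocumented change to the appliance or something that needs investigation, and either way the file path and owner from the -ls line tell you where to start.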
Secure Configuration
26 VMware, Inc.