6.5
Table Of Contents
- Secure Configuration
- Contents
- Secure Configuration
- vRealize Operations Manager Security Posture
- Secure Deployment of vRealize Operations Manager
- Secure Configuration of vRealize Operations Manager
- Secure the vRealize Operations Manager Console
- Change the Root Password
- Managing Secure Shell, Administrative Accounts, and Console Access
- Enable or Disable Secure Shell on a vRealize Operations Manager node
- Create a Local Administrative Account for Secure Shell
- Restrict Secure Shell Access
- Maintain Secure Shell Key File Permissions
- Harden the Secure Shell Server Configuration
- Harden the Secure Shell Client Configuration
- Disable Direct Logins as Root
- Disable SSH Access for the Admin User Account
- Set Boot Loader Authentication
- Single-User or Maintenance Mode Authentication
- Monitor Minimal Necessary User Accounts
- Monitor Minimal Necessary Groups
- Resetting the vRealize Operations Manager Administrator Password (Linux)
- Configure NTP on VMware Appliances
- Disable the TCP Timestamp Response on Linux
- Enable FIPS 140-2 Mode
- TLS for Data in Transit
- Application Resources That Must be Protected
- Configure PostgreSQL Client Authentication
- Apache Configuration
- Disable Configuration Modes
- Managing Nonessential Software Components
- Secure the USB Mass Storage Handler
- Secure the Bluetooth Protocol Handler
- Secure the Stream Control Transmission Protocol
- Secure the Datagram Congestion Control Protocol
- Secure Reliable Datagram Sockets Protocol
- Secure the Transparent Inter-Process Communication Protocol
- Secure Internet Packet Exchange Protocol
- Secure Appletalk Protocol
- Secure DECnet Protocol
- Secure Firewire Module
- Kernel Message Logging
- Linux Installed Deployment
- Endpoint Operations Management Agent
- Additional Secure Configuration Activities
- Network Security and Secure Communication
- Configuring Network Settings for Virtual Application Installation
- Prevent User Control of Network Interfaces
- Set the Queue Size for TCP Backlog
- Deny ICMPv4 Echoes to Broadcast Address
- Configure the Host System to Disable IPv4 Proxy ARP
- Configure the Host System to Ignore IPv4 ICMP Redirect Messages
- Configure the Host System to Ignore IPv6 ICMP Redirect Messages
- Configure the Host System to Deny IPv4 ICMP Redirects
- Configure the Host System to Log IPv4 Martian Packets
- Configure the Host System to use IPv4 Reverse Path Filtering
- Configure the Host System to Deny IPv4 Forwarding
- Configure the Host System to Deny Forwarding of IPv4 Source Routed Packets
- Configure the Host System to Deny IPv6 Forwarding
- Configure the Host System to Use IPv4 TCP Syncookies
- Configure the Host System to Deny IPv6 Router Advertisements
- Configure the Host System to Deny IPv6 Router Solicitations
- Configure the Host System to Deny IPv6 Router Preference in Router Solicitations
- Configure the Host System to Deny IPv6 Router Prefix
- Configure the Host System to Deny IPv6 Router Advertisement Hop Limit Settings
- Configure the Host System to Deny IPv6 Router Advertisement Autoconf Settings
- Configure the Host System to Deny IPv6 Neighbor Solicitations
- Configure the Host System to Restrict IPv6 Maximum Addresses
- Configuring Ports and Protocols
- Configuring Network Settings for Virtual Application Installation
- Auditing and Logging on your vRealize Operations Manager System
- Index
475333 48 -rwsr-x--- 1 root messagebus 47912 /lib64/dbus-1/dbus-daemon-launch-
helper
41001 36 -rwsr-xr-x 1 root shadow 35688 /sbin/unix_chkpwd
41118 12 -rwsr-xr-x 1 root shadow 10736 /sbin/unix2_chkpwd
2 Run the find / -path */proc -prune -o -nouser -o -nogroup command to verify that all the les in
the vApp have an owner.
All the les have an owner if there are no results.
3 Run the find / -name "*.*" -type f -perm -a+w | xargs ls -ldb command to verify that none of the
les are world writable les by reviewing permissions of all the les on the vApp.
None of the les must include the permission xx2.
4 Run the find / -path */proc -prune -o ! -user root -o -user admin -print command to verify that
the les are owned by the correct user.
All the les belong to either root or admin if there are no results.
5 Run the find /usr/lib/vmware-casa/ -type f -perm -o=w command to ensure that les in
the /usr/lib/vmware-casa/ directory are not world writable.
There must be no results.
6 Run the find /usr/lib/vmware-vcops/ -type f -perm -o=w command to ensure that les in
the /usr/lib/vmware-vcops/ directory are not world writable.
There must be no results.
7 Run the find /usr/lib/vmware-vcopssuite/ -type f -perm -o=w command to ensure that les in
the /usr/lib/vmware-vcopssuite/ directory are not world writable.
There must be no results.
Configure PostgreSQL Client Authentication
You can congure the system for client authentication. You can congure the system for local trust
authentication. This allows any local user, including the database super user to connect as a PostgreSQL user
without a password. If you want to provide a strong defense and if you do not have signicant trust in all
local user accounts, use another authentication method. The md5 method is set by default. Verify that md5
is set for all local and host connections.
You can nd the client authentication conguration seings for the postgres service instance
in /storage/db/vcops/vpostgres/data/pg_hba.conf. Verify that md5 is set for all local and host connections.
The client authentication conguration seings for the postgres-repl service instance can be found
in /storage/db/vcops/vpostgres/repl/pg_hba.conf. Verify that md5 is set for all local and host connections.
N Do not modify client conguration seings for the postgres user account.
Chapter 3 Secure Configuration of vRealize Operations Manager
VMware, Inc. 27