6.5
Table Of Contents
- Secure Configuration
- Contents
- Secure Configuration
- vRealize Operations Manager Security Posture
- Secure Deployment of vRealize Operations Manager
- Secure Configuration of vRealize Operations Manager
- Secure the vRealize Operations Manager Console
- Change the Root Password
- Managing Secure Shell, Administrative Accounts, and Console Access
- Enable or Disable Secure Shell on a vRealize Operations Manager node
- Create a Local Administrative Account for Secure Shell
- Restrict Secure Shell Access
- Maintain Secure Shell Key File Permissions
- Harden the Secure Shell Server Configuration
- Harden the Secure Shell Client Configuration
- Disable Direct Logins as Root
- Disable SSH Access for the Admin User Account
- Set Boot Loader Authentication
- Single-User or Maintenance Mode Authentication
- Monitor Minimal Necessary User Accounts
- Monitor Minimal Necessary Groups
- Resetting the vRealize Operations Manager Administrator Password (Linux)
- Configure NTP on VMware Appliances
- Disable the TCP Timestamp Response on Linux
- Enable FIPS 140-2 Mode
- TLS for Data in Transit
- Application Resources That Must be Protected
- Configure PostgreSQL Client Authentication
- Apache Configuration
- Disable Configuration Modes
- Managing Nonessential Software Components
- Secure the USB Mass Storage Handler
- Secure the Bluetooth Protocol Handler
- Secure the Stream Control Transmission Protocol
- Secure the Datagram Congestion Control Protocol
- Secure Reliable Datagram Sockets Protocol
- Secure the Transparent Inter-Process Communication Protocol
- Secure Internet Packet Exchange Protocol
- Secure Appletalk Protocol
- Secure DECnet Protocol
- Secure Firewire Module
- Kernel Message Logging
- Linux Installed Deployment
- Endpoint Operations Management Agent
- Additional Secure Configuration Activities
- Network Security and Secure Communication
- Configuring Network Settings for Virtual Application Installation
- Prevent User Control of Network Interfaces
- Set the Queue Size for TCP Backlog
- Deny ICMPv4 Echoes to Broadcast Address
- Configure the Host System to Disable IPv4 Proxy ARP
- Configure the Host System to Ignore IPv4 ICMP Redirect Messages
- Configure the Host System to Ignore IPv6 ICMP Redirect Messages
- Configure the Host System to Deny IPv4 ICMP Redirects
- Configure the Host System to Log IPv4 Martian Packets
- Configure the Host System to use IPv4 Reverse Path Filtering
- Configure the Host System to Deny IPv4 Forwarding
- Configure the Host System to Deny Forwarding of IPv4 Source Routed Packets
- Configure the Host System to Deny IPv6 Forwarding
- Configure the Host System to Use IPv4 TCP Syncookies
- Configure the Host System to Deny IPv6 Router Advertisements
- Configure the Host System to Deny IPv6 Router Solicitations
- Configure the Host System to Deny IPv6 Router Preference in Router Solicitations
- Configure the Host System to Deny IPv6 Router Prefix
- Configure the Host System to Deny IPv6 Router Advertisement Hop Limit Settings
- Configure the Host System to Deny IPv6 Router Advertisement Autoconf Settings
- Configure the Host System to Deny IPv6 Neighbor Solicitations
- Configure the Host System to Restrict IPv6 Maximum Addresses
- Configuring Ports and Protocols
- Configuring Network Settings for Virtual Application Installation
- Auditing and Logging on your vRealize Operations Manager System
- Index
Disable Configuration Modes
When you install, configure, or maintain vRealize Operations Manager, you might modify the configuration or settings to enable troubleshooting and debugging of your installation. As a best practice, catalog and audit each of these changes to ensure that they are properly secured, and do not put the changes into production unless you are sure that your configuration changes are correctly secured.
Verifying the Host Server's Secure Configuration
For the secure operation of vRealize Operations Manager, you must secure and verify the hardening
activities.
For more information, see the Red Hat Enterprise Linux 6 hardening guidance in accordance with your
organization's security policies.
Endpoint Operations Management Agent
The Endpoint Operations Management agent adds agent-based discovery and monitoring capabilities to
vRealize Operations Manager.
The Endpoint Operations Management agent is installed on the hosts directly and might or might not be at
the same level of trust as the Endpoint Operations Management server. Therefore, you must verify that the
agents are securely installed.
Security Best Practices for Running Endpoint Operations Management Agents
You must follow certain security best practices while using user accounts.
- For a silent installation, remove any credentials and server certificate thumbprints that were stored in the AGENT_HOME/conf/agent.properties file.
- Use a vRealize Operations Manager user account reserved specifically for Endpoint Operations Management agent registration. For more information, see the topic called "Roles and Privileges" in vRealize Operations Manager in the vRealize Operations Manager Help.
- Disable the vRealize Operations Manager user account that you use for agent registration after the installation is over. Enable the user's access again when agent administration activities require it. For more information, see the topic called "Configuring Users and Groups" in vRealize Operations Manager in the vRealize Operations Manager Help.
- If a system that runs an agent is compromised, you can revoke the agent certificate using the vRealize Operations Manager user interface by removing the agent resource. See the section called "Revoking an Agent" for more detail.
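The first practice above (clearing credentials and thumbprints from agent.properties after a silent install) as an added shell audit; this is example code, not VMware's, and the key-name patterns (pword, passw, login, thumbprint) and the sample file contents are assumptions.

```shell
#!/bin/sh
# Added example, not VMware's code: find credentials and server certificate
# thumbprints a silent install may have left in agent.properties, then blank them.
# The key-name patterns and the sample file below are assumptions.

# Print every "key=value" line whose key looks credential-like and whose value
# is non-empty. Comment lines (starting with #) are ignored.
find_leftover_secrets() {
    grep -E -i \
        '^[[:space:]]*[^#=[:space:]]*(pword|passw|login|thumbprint)[^=]*=[[:space:]]*[^[:space:]]' \
        "$1" 2>/dev/null
}

# Exit status 0 when the file is clean, 1 when leftovers remain, 2 when unreadable.
check_agent_properties() {
    [ -r "$1" ] || return 2
    if find_leftover_secrets "$1" | grep -q .; then
        return 1
    fi
    return 0
}

# Blank the value of every credential-like key, keeping the key so the file
# layout is preserved. Written through a temp copy for portability.
scrub_leftover_secrets() {
    awk '
        /^[ \t]*#/ { print; next }
        {
            key = $0
            sub("=.*", "", key)
            if (index($0, "=") > 0 && tolower(key) ~ /(pword|passw|login|thumbprint)/) {
                print key "="
            } else {
                print
            }
        }' "$1" > "$1.scrubbed" && mv "$1.scrubbed" "$1"
}

# Constructed sample standing in for AGENT_HOME/conf/agent.properties.
write_sample_properties() {
    cat > "$1" <<'EOF'
# constructed sample, not a real agent configuration
agent.setup.serverIP=vrops.example.invalid
agent.setup.serverLogin=svc-agent-reg
agent.setup.serverPword=S3cret!
agent.setup.serverCertificateThumbprint=AA:BB:CC:DD
agent.setup.serverSSLPort=443
EOF
}
```

Run check_agent_properties against the real agent.properties after a silent install; a non-zero exit means values still need to be removed, and scrub_leftover_secrets blanks them in place.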
Minimum Required Permissions for Agent Functionality
To install the agent, you require permissions to install and modify a service. If you want to discover a running process, the user account you use to run the agent must also have privileges to access the processes and programs. For Windows operating system installations, you require permissions to install and modify a service. For Linux installations, you require permission to install the agent as a service if you install the agent using an RPM installer.
The minimum credentials required for the agent to register with the vRealize Operations Manager server are those of a user granted the Agent Manager role, without any assignment to objects within the system.
Secure Configuration
34 VMware, Inc.