6.5
Table Of Contents
- Secure Configuration
- Contents
- Secure Configuration
- vRealize Operations Manager Security Posture
- Secure Deployment of vRealize Operations Manager
- Secure Configuration of vRealize Operations Manager
- Secure the vRealize Operations Manager Console
- Change the Root Password
- Managing Secure Shell, Administrative Accounts, and Console Access
- Enable or Disable Secure Shell on a vRealize Operations Manager node
- Create a Local Administrative Account for Secure Shell
- Restrict Secure Shell Access
- Maintain Secure Shell Key File Permissions
- Harden the Secure Shell Server Configuration
- Harden the Secure Shell Client Configuration
- Disable Direct Logins as Root
- Disable SSH Access for the Admin User Account
- Set Boot Loader Authentication
- Single-User or Maintenance Mode Authentication
- Monitor Minimal Necessary User Accounts
- Monitor Minimal Necessary Groups
- Resetting the vRealize Operations Manager Administrator Password (Linux)
- Configure NTP on VMware Appliances
- Disable the TCP Timestamp Response on Linux
- Enable FIPS 140-2 Mode
- TLS for Data in Transit
- Application Resources That Must be Protected
- Configure PostgreSQL Client Authentication
- Apache Configuration
- Disable Configuration Modes
- Managing Nonessential Software Components
- Secure the USB Mass Storage Handler
- Secure the Bluetooth Protocol Handler
- Secure the Stream Control Transmission Protocol
- Secure the Datagram Congestion Control Protocol
- Secure Reliable Datagram Sockets Protocol
- Secure the Transparent Inter-Process Communication Protocol
- Secure Internet Packet Exchange Protocol
- Secure Appletalk Protocol
- Secure DECnet Protocol
- Secure Firewire Module
- Kernel Message Logging
- Linux Installed Deployment
- Endpoint Operations Management Agent
- Additional Secure Configuration Activities
- Network Security and Secure Communication
- Configuring Network Settings for Virtual Application Installation
- Prevent User Control of Network Interfaces
- Set the Queue Size for TCP Backlog
- Deny ICMPv4 Echoes to Broadcast Address
- Configure the Host System to Disable IPv4 Proxy ARP
- Configure the Host System to Ignore IPv4 ICMP Redirect Messages
- Configure the Host System to Ignore IPv6 ICMP Redirect Messages
- Configure the Host System to Deny IPv4 ICMP Redirects
- Configure the Host System to Log IPv4 Martian Packets
- Configure the Host System to use IPv4 Reverse Path Filtering
- Configure the Host System to Deny IPv4 Forwarding
- Configure the Host System to Deny Forwarding of IPv4 Source Routed Packets
- Configure the Host System to Deny IPv6 Forwarding
- Configure the Host System to Use IPv4 TCP Syncookies
- Configure the Host System to Deny IPv6 Router Advertisements
- Configure the Host System to Deny IPv6 Router Solicitations
- Configure the Host System to Deny IPv6 Router Preference in Router Solicitations
- Configure the Host System to Deny IPv6 Router Prefix
- Configure the Host System to Deny IPv6 Router Advertisement Hop Limit Settings
- Configure the Host System to Deny IPv6 Router Advertisement Autoconf Settings
- Configure the Host System to Deny IPv6 Neighbor Solicitations
- Configure the Host System to Restrict IPv6 Maximum Addresses
- Configuring Ports and Protocols
- Configuring Network Settings for Virtual Application Installation
- Auditing and Logging on your vRealize Operations Manager System
- Index
Agent Certificate Revocation and Update of Certificates
The reissue ow is initiated from the agent using the setup command line argument. When an agent that is
already registered uses the setup command line argument ep-agent.sh setup and lls in the required
credentials, a new registerAgent command is sent to the server.
The server detects that the agent is already registered and sends the agent a new client certicate without
creating another agent resource. On the agent side, the new client certicate replaces the old one. In cases
where the server certicate is modied and you run the ep-agent.sh setup command, you will see a
message that asks you to trust the new certicate. You can alternatively provide the new server certicate
thumbprint in the agent.properties le prior to running the ep-agent.sh setup command, in order to make
the process silent.
Prerequisites
Manage agent privilege to revoke and update certicates.
Procedure
u
On Linux based operating systems, run the ep-agent.sh setup command on the agent host. On
Windows based operating systems, run the ep-agent.bat setup command.
If the agent detects that the server certicate has been modied, a message is displayed. Accept the new
certicate if you trust it and it is valid.
Patching and Updating the Endpoint Operations Management Agent
If required, new Endpoint Operations Management agent bundles are available independent of
vRealize Operations Manager releases.
Patches or updates are not provided for the Endpoint Operations Management agent. You must install the
latest available version of the agent that includes the latest security xes. Critical security xes will be
communicated as per the VMware security advisory guidance. See the topic on Security Advisories.
Additional Secure Configuration Activities
Verify the server user accounts and delete unnecessary applications from the host servers. Block
unnecessary ports and disable the services running on your host server that are not required.
Verify Server User Account Settings
It is recommended that you verify that no unnecessary user accounts exist for local and domain user
accounts and seings.
Restrict any user account not related to the functioning of the application to those accounts required for
administration, maintenance, and troubleshooting. Restrict remote access from domain user accounts to the
minimum required to maintain the server. Strictly control and audit these accounts.
Delete and Disable Unnecessary Applications
Delete the unnecessary applications from the host servers. Each additional and unnecessary application
increases the risk of exposure because of their unknown or unpatched vulnerabilities.
Chapter 3 Secure Configuration of vRealize Operations Manager
VMware, Inc. 39