6.5
Table Of Contents
- Secure Configuration
- vRealize Operations Manager Security Posture
- Secure Deployment of vRealize Operations Manager
- Secure Configuration of vRealize Operations Manager
- Secure the vRealize Operations Manager Console
- Change the Root Password
- Managing Secure Shell, Administrative Accounts, and Console Access
- Enable or Disable Secure Shell on a vRealize Operations Manager node
- Create a Local Administrative Account for Secure Shell
- Restrict Secure Shell Access
- Maintain Secure Shell Key File Permissions
- Harden the Secure Shell Server Configuration
- Harden the Secure Shell Client Configuration
- Disable Direct Logins as Root
- Disable SSH Access for the Admin User Account
- Set Boot Loader Authentication
- Single-User or Maintenance Mode Authentication
- Monitor Minimal Necessary User Accounts
- Monitor Minimal Necessary Groups
- Resetting the vRealize Operations Manager Administrator Password (Linux)
- Configure NTP on VMware Appliances
- Disable the TCP Timestamp Response on Linux
- Enable FIPS 140-2 Mode
- TLS for Data in Transit
- Application Resources That Must be Protected
- Configure PostgreSQL Client Authentication
- Apache Configuration
- Disable Configuration Modes
- Managing Nonessential Software Components
- Secure the USB Mass Storage Handler
- Secure the Bluetooth Protocol Handler
- Secure the Stream Control Transmission Protocol
- Secure the Datagram Congestion Control Protocol
- Secure Reliable Datagram Sockets Protocol
- Secure the Transparent Inter-Process Communication Protocol
- Secure Internet Packet Exchange Protocol
- Secure Appletalk Protocol
- Secure DECnet Protocol
- Secure Firewire Module
- Kernel Message Logging
- Linux Installed Deployment
- Endpoint Operations Management Agent
- Additional Secure Configuration Activities
- Network Security and Secure Communication
- Configuring Network Settings for Virtual Application Installation
- Prevent User Control of Network Interfaces
- Set the Queue Size for TCP Backlog
- Deny ICMPv4 Echoes to Broadcast Address
- Configure the Host System to Disable IPv4 Proxy ARP
- Configure the Host System to Ignore IPv4 ICMP Redirect Messages
- Configure the Host System to Ignore IPv6 ICMP Redirect Messages
- Configure the Host System to Deny IPv4 ICMP Redirects
- Configure the Host System to Log IPv4 Martian Packets
- Configure the Host System to use IPv4 Reverse Path Filtering
- Configure the Host System to Deny IPv4 Forwarding
- Configure the Host System to Deny Forwarding of IPv4 Source Routed Packets
- Configure the Host System to Deny IPv6 Forwarding
- Configure the Host System to Use IPv4 TCP Syncookies
- Configure the Host System to Deny IPv6 Router Advertisements
- Configure the Host System to Deny IPv6 Router Solicitations
- Configure the Host System to Deny IPv6 Router Preference in Router Solicitations
- Configure the Host System to Deny IPv6 Router Prefix
- Configure the Host System to Deny IPv6 Router Advertisement Hop Limit Settings
- Configure the Host System to Deny IPv6 Router Advertisement Autoconf Settings
- Configure the Host System to Deny IPv6 Neighbor Solicitations
- Configure the Host System to Restrict IPv6 Maximum Addresses
- Configuring Ports and Protocols
- Configuring Network Settings for Virtual Application Installation
- Auditing and Logging on your vRealize Operations Manager System
- Index
2 Set the queue size for TCP backlog.
a Open the /etc/sysctl.conf file in a text editor.
b Set the default TCP backlog queue size by adding the following entry to the file.
net.ipv4.tcp_max_syn_backlog=1280
c Save your changes and close the file.
Deny ICMPv4 Echoes to Broadcast Address
Responses to broadcast Internet Control Message Protocol (ICMP) echo requests give an attacker an
amplification vector (every host on the segment answers a single spoofed request, as in a smurf attack) and
let a malicious agent map the hosts on a network with one packet. Configuring your system to ignore
ICMPv4 broadcast echoes protects against such attacks.
Procedure
1 Run the # cat /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts command to verify that the system is
not sending responses to ICMP broadcast address echo requests. A value of 1 means broadcast echo
requests are ignored; 0 means the system answers them.
2 Configure the host system to deny ICMPv4 broadcast address echo requests.
a Open the /etc/sysctl.conf file in a text editor.
b If the value for this entry is not set to 1, add the net.ipv4.icmp_echo_ignore_broadcasts=1 entry.
c Save the changes and close the file.
Configure the Host System to Disable IPv4 Proxy ARP
IPv4 Proxy ARP allows a system to answer ARP requests on one interface on behalf of hosts connected to
another interface. Disable IPv4 Proxy ARP so that the appliance does not leak addressing information
between the network segments attached to it and cannot be used to bridge traffic between them.
Procedure
1 Run the # grep [01] /proc/sys/net/ipv4/conf/*/proxy_arp|egrep "default|all" command to verify
whether Proxy ARP is disabled. Both the all and default entries must report 0.
2 Configure the host system to disable IPv4 Proxy ARP.
a Open the /etc/sysctl.conf file in a text editor.
b If the values are not set to 0, add the following entries, or update the existing entries so that each is
set to 0.
net.ipv4.conf.all.proxy_arp=0
net.ipv4.conf.default.proxy_arp=0
c Save any changes you made and close the file.
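The three procedures above (and the IPv4 ICMP redirect check that follows) all follow the same pattern: read the live value under /proc/sys, then add or correct a key=value line in /etc/sysctl.conf. The script below is an added example, not VMware's own tooling, that performs both halves idempotently: it updates an existing line rather than appending a duplicate, and it reports drift between the configured and live values. The sysctl.conf path and the /proc/sys root are parameters so the functions can be exercised against a constructed copy; the net.ipv4.conf.*.accept_redirects=0 entries are assumed from the section title "Ignore IPv4 ICMP Redirect Messages", whose configuration step is not on this page.

```shell
#!/bin/sh
# Added example (not part of the vRealize Operations Manager guide):
# enforce the sysctl hardening entries from this section and audit live values.

# set_sysctl_entry FILE KEY VALUE
# Replace an existing "KEY=VALUE" (or "KEY = VALUE") line in FILE, or append
# one if absent. Writes through a temp file so a failed write never truncates FILE.
set_sysctl_entry() {
    f=$1; k=$2; v=$3
    [ -f "$f" ] || : > "$f"
    esc=$(printf '%s' "$k" | sed 's/\./\\./g')      # escape dots for the regex
    tmp="$f.tmp.$$"
    if grep -q "^[[:space:]]*$esc[[:space:]]*=" "$f"; then
        sed "s|^[[:space:]]*$esc[[:space:]]*=.*|$k=$v|" "$f" > "$tmp"
    else
        cat "$f" > "$tmp"
        printf '%s=%s\n' "$k" "$v" >> "$tmp"
    fi
    mv "$tmp" "$f"
}

# get_sysctl_entry FILE KEY
# Print the value configured for KEY in FILE (last occurrence wins, as sysctl does).
get_sysctl_entry() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$esc[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_live PROCROOT KEY EXPECTED
# Read the kernel's current value (dots in KEY become path components, e.g.
# net.ipv4.conf.all.proxy_arp -> PROCROOT/net/ipv4/conf/all/proxy_arp).
# Returns 0 if it equals EXPECTED, 1 on drift, 2 if the key is not present.
audit_live() {
    path="$1/$(printf '%s' "$2" | tr . /)"
    [ -r "$path" ] || { echo "MISSING $2"; return 2; }
    actual=$(cat "$path")
    if [ "$actual" = "$3" ]; then
        echo "OK      $2=$actual"; return 0
    fi
    echo "DRIFT   $2=$actual (expected $3)"; return 1
}

# harden_all CONF PROCROOT
# Write every entry from this section into CONF and compare it with the live
# value. Returns the number of keys whose live value still differs (0 = compliant);
# the live values only change after the file is loaded with "sysctl -p" or a reboot.
harden_all() {
    conf=$1; proc_root=$2; drift=0
    for kv in \
        net.ipv4.tcp_max_syn_backlog=1280 \
        net.ipv4.icmp_echo_ignore_broadcasts=1 \
        net.ipv4.conf.all.proxy_arp=0 \
        net.ipv4.conf.default.proxy_arp=0 \
        net.ipv4.conf.all.accept_redirects=0 \
        net.ipv4.conf.default.accept_redirects=0
    do
        key=${kv%%=*}; value=${kv#*=}
        set_sysctl_entry "$conf" "$key" "$value"
        audit_live "$proc_root" "$key" "$value" || drift=$((drift + 1))
    done
    return "$drift"
}

# Real use on the appliance (needs root): sh harden.sh apply && sysctl -p
if [ "${1:-}" = "apply" ]; then
    harden_all /etc/sysctl.conf /proc/sys
fi
```

Editing /etc/sysctl.conf only changes what is loaded at boot; run sysctl -p afterwards (or set the values with sysctl -w) and re-run the audit so the DRIFT lines disappear. The audit reads the all and default entries directly, which is what the guide's grep | egrep "default|all" check is selecting for.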
Configure the Host System to Ignore IPv4 ICMP Redirect Messages
As a security best practice, verify that the host system ignores IPv4 Internet Control Message Protocol
(ICMP) redirect messages. Routers use ICMP redirect messages to notify hosts that a more direct route
exists for a destination. These messages modify the host's route table and are unauthenticated, so a forged
ICMP redirect can divert the appliance's traffic through an attacker's host and enable a man-in-the-middle
attack.
Procedure
1 Run the # grep [01] /proc/sys/net/ipv4/conf/*/accept_redirects|egrep "default|all" command
on the host system to check whether the host system ignores IPv4 redirect messages. A value of 0 for
the all and default entries means redirects are ignored.
Secure Configuration
42 VMware, Inc.