6.6
Table Of Contents
- Secure Configuration
- Contents
- Secure Configuration
- vRealize Operations Manager Security Posture
- Secure Deployment of vRealize Operations Manager
- Secure Configuration of vRealize Operations Manager
- Secure the vRealize Operations Manager Console
- Change the Root Password
- Managing Secure Shell, Administrative Accounts, and Console Access
- Enable or Disable Secure Shell on a vRealize Operations Manager node
- Create a Local Administrative Account for Secure Shell
- Restrict Secure Shell Access
- Maintain Secure Shell Key File Permissions
- Harden the Secure Shell Server Configuration
- Harden the Secure Shell Client Configuration
- Disable Direct Logins as Root
- Disable SSH Access for the Admin User Account
- Set Boot Loader Authentication
- Single-User or Maintenance Mode Authentication
- Monitor Minimal Necessary User Accounts
- Monitor Minimal Necessary Groups
- Resetting the vRealize Operations Manager Administrator Password (Linux)
- Configure NTP on VMware Appliances
- Disable the TCP Timestamp Response on Linux
- Enable FIPS 140-2 Mode
- TLS for Data in Transit
- Enabling TLS on Localhost Connections
- Application Resources That Must be Protected
- Configure PostgreSQL Client Authentication
- Apache Configuration
- Disable Configuration Modes
- Managing Nonessential Software Components
- Secure the USB Mass Storage Handler
- Secure the Bluetooth Protocol Handler
- Secure the Stream Control Transmission Protocol
- Secure the Datagram Congestion Control Protocol
- Secure Reliable Datagram Sockets Protocol
- Secure the Transparent Inter-Process Communication Protocol
- Secure Internet Packet Exchange Protocol
- Secure Appletalk Protocol
- Secure DECnet Protocol
- Secure Firewire Module
- Kernel Message Logging
- End Point Operations Management Agent
- Additional Secure Configuration Activities
- Network Security and Secure Communication
- Configuring Network Settings for Virtual Application Installation
- Prevent User Control of Network Interfaces
- Set the Queue Size for TCP Backlog
- Deny ICMPv4 Echoes to Broadcast Address
- Configure the Host System to Disable IPv4 Proxy ARP
- Configure the Host System to Ignore IPv4 ICMP Redirect Messages
- Configure the Host System to Ignore IPv6 ICMP Redirect Messages
- Configure the Host System to Deny IPv4 ICMP Redirects
- Configure the Host System to Log IPv4 Martian Packets
- Configure the Host System to use IPv4 Reverse Path Filtering
- Configure the Host System to Deny IPv4 Forwarding
- Configure the Host System to Deny Forwarding of IPv4 Source Routed Packets
- Configure the Host System to Deny IPv6 Forwarding
- Configure the Host System to Use IPv4 TCP Syncookies
- Configure the Host System to Deny IPv6 Router Advertisements
- Configure the Host System to Deny IPv6 Router Solicitations
- Configure the Host System to Deny IPv6 Router Preference in Router Solicitations
- Configure the Host System to Deny IPv6 Router Prefix
- Configure the Host System to Deny IPv6 Router Advertisement Hop Limit Settings
- Configure the Host System to Deny IPv6 Router Advertisement Autoconf Settings
- Configure the Host System to Deny IPv6 Neighbor Solicitations
- Configure the Host System to Restrict IPv6 Maximum Addresses
- Configuring Ports and Protocols
- Configuring Network Settings for Virtual Application Installation
- Auditing and Logging on your vRealize Operations Manager System
- Index
Hardening the VMware vSphere Environment
vRealize Operations Manager relies on a secure VMware vSphere environment to achieve the greatest
benets and a secured infrastructure.
Assess the VMware vSphere environment and verify that the appropriate level of vSphere hardening
guidance is enforced and maintained.
For more guidance about hardening, see hp://www.vmware.com/security/hardening-guides.html.
Reviewing Installed and Unsupported Software
Vulnerabilities in unused software might increase the risk of unauthorized system access and disruption of
availability. Review the software that is installed on VMware host machines and evaluate its use.
Do not install software that is not required for the secure operation of the system on any of the
vRealize Operations Manager node hosts. Uninstall unused or nonessential software.
Installing unsupported, untested, or unapproved software on infrastructure products such as
vRealize Operations Manager is a threat to the infrastructure.
To minimize the threat to the infrastructure, do not install or use any third-party software that is not
supported by VMware on VMware supplied hosts.
Assess your vRealize Operations Manager deployment and inventory of installed products to verify that no
unsupported software is installed.
For more information about the support policies for third-party products, see the VMware support at
hp://www.vmware.com/security/hardening-guides.html.
Verify Third-Party Software
Do not use third-party software that VMware does not support. Verify that all third-party software is
securely congured and patched in accordance with third-party vendor guidance.
Inauthentic, insecure, or unpatched vulnerabilities of third-party software installed on VMware host
machines might put the system at risk of unauthorized access and disruption of availability. All software
that VMware does not supply must be appropriately secured and patched.
If you must use third-party software that VMware does not support, consult the third-party vendor for
secure conguration and patching requirements.
VMware Security Advisories and Patches
VMware occasionally releases security advisories for products. Being aware of these advisories can ensure
that you have the safest underlying product and that the product is not vulnerable to known threats.
Assess the vRealize Operations Manager installation, patching, and upgrade history and verify that the
released VMware Security Advisories are followed and enforced.
It is recommended that you always remain on the most recent vRealize Operations Manager release, as this
will include the most recent security xes also.
For more information about the current VMware security advisories, see
hp://www.vmware.com/security/advisories/.
Secure Configuration
10 VMware, Inc.