6.6
Table Of Contents
- Secure Configuration
- Contents
- Secure Configuration
- vRealize Operations Manager Security Posture
- Secure Deployment of vRealize Operations Manager
- Secure Configuration of vRealize Operations Manager
- Secure the vRealize Operations Manager Console
- Change the Root Password
- Managing Secure Shell, Administrative Accounts, and Console Access
- Enable or Disable Secure Shell on a vRealize Operations Manager node
- Create a Local Administrative Account for Secure Shell
- Restrict Secure Shell Access
- Maintain Secure Shell Key File Permissions
- Harden the Secure Shell Server Configuration
- Harden the Secure Shell Client Configuration
- Disable Direct Logins as Root
- Disable SSH Access for the Admin User Account
- Set Boot Loader Authentication
- Single-User or Maintenance Mode Authentication
- Monitor Minimal Necessary User Accounts
- Monitor Minimal Necessary Groups
- Resetting the vRealize Operations Manager Administrator Password (Linux)
- Configure NTP on VMware Appliances
- Disable the TCP Timestamp Response on Linux
- Enable FIPS 140-2 Mode
- TLS for Data in Transit
- Enabling TLS on Localhost Connections
- Application Resources That Must be Protected
- Configure PostgreSQL Client Authentication
- Apache Configuration
- Disable Configuration Modes
- Managing Nonessential Software Components
- Secure the USB Mass Storage Handler
- Secure the Bluetooth Protocol Handler
- Secure the Stream Control Transmission Protocol
- Secure the Datagram Congestion Control Protocol
- Secure Reliable Datagram Sockets Protocol
- Secure the Transparent Inter-Process Communication Protocol
- Secure Internet Packet Exchange Protocol
- Secure Appletalk Protocol
- Secure DECnet Protocol
- Secure Firewire Module
- Kernel Message Logging
- End Point Operations Management Agent
- Additional Secure Configuration Activities
- Network Security and Secure Communication
- Configuring Network Settings for Virtual Application Installation
- Prevent User Control of Network Interfaces
- Set the Queue Size for TCP Backlog
- Deny ICMPv4 Echoes to Broadcast Address
- Configure the Host System to Disable IPv4 Proxy ARP
- Configure the Host System to Ignore IPv4 ICMP Redirect Messages
- Configure the Host System to Ignore IPv6 ICMP Redirect Messages
- Configure the Host System to Deny IPv4 ICMP Redirects
- Configure the Host System to Log IPv4 Martian Packets
- Configure the Host System to use IPv4 Reverse Path Filtering
- Configure the Host System to Deny IPv4 Forwarding
- Configure the Host System to Deny Forwarding of IPv4 Source Routed Packets
- Configure the Host System to Deny IPv6 Forwarding
- Configure the Host System to Use IPv4 TCP Syncookies
- Configure the Host System to Deny IPv6 Router Advertisements
- Configure the Host System to Deny IPv6 Router Solicitations
- Configure the Host System to Deny IPv6 Router Preference in Router Solicitations
- Configure the Host System to Deny IPv6 Router Prefix
- Configure the Host System to Deny IPv6 Router Advertisement Hop Limit Settings
- Configure the Host System to Deny IPv6 Router Advertisement Autoconf Settings
- Configure the Host System to Deny IPv6 Neighbor Solicitations
- Configure the Host System to Restrict IPv6 Maximum Addresses
- Configuring Ports and Protocols
- Configuring Network Settings for Virtual Application Installation
- Auditing and Logging on your vRealize Operations Manager System
- Index
Manage Password Expiry
Congure all account password expirations in accordance with your organization's security policies.
By default, all hardened VMware appliances use a 60-day password expiry. On most hardened appliances,
the root account is set to a 365-day password expiry. As a best practice, verify that the expiry on all accounts
meets security and operation requirements standards.
If the root password expires, you cannot reinstate it. You must implement site-specic policies to prevent
administrative and root passwords from expiring.
Procedure
1 Log in to your virtual appliance machines as root and run the # more /etc/shadow command to verify
the password expiry on all accounts.
2 To modify the expiry of the root account, run the # passwd -x 365 root command.
In this command, 365 species the number of days until password expiry. Use the same command to
modify any user, substituting the specic account for root and replacing the number of days to meet
the expiry standards of the organization.
By default, the root password is set for 365 days.
Managing Secure Shell, Administrative Accounts, and Console
Access
For remote connections, all hardened appliances include the Secure Shell (SSH) protocol. SSH is disabled by
default on the hardened appliance.
SSH is an interactive command-line environment that supports remote connections to a
vRealize Operations Manager node. SSH requires high-privileged user account credentials. SSH activities
generally bypass the role-based access control (RBAC) and audit controls of the
vRealize Operations Manager node.
As a best practice, disable SSH in a production environment and enable it only to diagnose or troubleshoot
problems that you cannot resolve by other means. Leave it enabled only while needed for a specic purpose
and in accordance with your organization's security policies. If you enable SSH, ensure that it is protected
against aack and that you enable it only for as long as required. Depending on your vSphere conguration,
you can enable or disable SSH when you deploy your Open Virtualization Format (OVF) template.
As a simple test to determine whether SSH is enabled on a machine, try to open a connection by using SSH.
If the connection opens and requests credentials, then SSH is enabled and is available for making
connections.
Secure Shell Root User
Because VMware appliances do not include precongured default user accounts, the root account can use
SSH to directly log in by default. Disable SSH as root as soon as possible.
To meet the compliance standards for nonrepudiation, the SSH server on all hardened appliances is
precongured with the AllowGroups wheel entry to restrict SSH access to the secondary group wheel. For
separation of duties, you can modify the AllowGroups wheel entry in the /etc/ssh/sshd_config le to use
another group such as sshd.
The wheel group is enabled with the pam_wheel module for superuser access, so members of the wheel
group can use the su-root command, where the root password is required. Group separation enables users
to use SSH to the appliance, but not to use the su command to log in as root. Do not remove or modify other
entries in the AllowGroups eld, which ensures proper appliance function. After making a change, restart
the SSH daemon by running the # service sshd restart command.
Chapter 3 Secure Configuration of vRealize Operations Manager
VMware, Inc. 13