6.6
Table Of Contents
- Secure Configuration
- Contents
- Secure Configuration
- vRealize Operations Manager Security Posture
- Secure Deployment of vRealize Operations Manager
- Secure Configuration of vRealize Operations Manager
- Secure the vRealize Operations Manager Console
- Change the Root Password
- Managing Secure Shell, Administrative Accounts, and Console Access
- Enable or Disable Secure Shell on a vRealize Operations Manager node
- Create a Local Administrative Account for Secure Shell
- Restrict Secure Shell Access
- Maintain Secure Shell Key File Permissions
- Harden the Secure Shell Server Configuration
- Harden the Secure Shell Client Configuration
- Disable Direct Logins as Root
- Disable SSH Access for the Admin User Account
- Set Boot Loader Authentication
- Single-User or Maintenance Mode Authentication
- Monitor Minimal Necessary User Accounts
- Monitor Minimal Necessary Groups
- Resetting the vRealize Operations Manager Administrator Password (Linux)
- Configure NTP on VMware Appliances
- Disable the TCP Timestamp Response on Linux
- Enable FIPS 140-2 Mode
- TLS for Data in Transit
- Enabling TLS on Localhost Connections
- Application Resources That Must be Protected
- Configure PostgreSQL Client Authentication
- Apache Configuration
- Disable Configuration Modes
- Managing Nonessential Software Components
- Secure the USB Mass Storage Handler
- Secure the Bluetooth Protocol Handler
- Secure the Stream Control Transmission Protocol
- Secure the Datagram Congestion Control Protocol
- Secure Reliable Datagram Sockets Protocol
- Secure the Transparent Inter-Process Communication Protocol
- Secure Internet Packet Exchange Protocol
- Secure Appletalk Protocol
- Secure DECnet Protocol
- Secure Firewire Module
- Kernel Message Logging
- End Point Operations Management Agent
- Additional Secure Configuration Activities
- Network Security and Secure Communication
- Configuring Network Settings for Virtual Application Installation
- Prevent User Control of Network Interfaces
- Set the Queue Size for TCP Backlog
- Deny ICMPv4 Echoes to Broadcast Address
- Configure the Host System to Disable IPv4 Proxy ARP
- Configure the Host System to Ignore IPv4 ICMP Redirect Messages
- Configure the Host System to Ignore IPv6 ICMP Redirect Messages
- Configure the Host System to Deny IPv4 ICMP Redirects
- Configure the Host System to Log IPv4 Martian Packets
- Configure the Host System to use IPv4 Reverse Path Filtering
- Configure the Host System to Deny IPv4 Forwarding
- Configure the Host System to Deny Forwarding of IPv4 Source Routed Packets
- Configure the Host System to Deny IPv6 Forwarding
- Configure the Host System to Use IPv4 TCP Syncookies
- Configure the Host System to Deny IPv6 Router Advertisements
- Configure the Host System to Deny IPv6 Router Solicitations
- Configure the Host System to Deny IPv6 Router Preference in Router Solicitations
- Configure the Host System to Deny IPv6 Router Prefix
- Configure the Host System to Deny IPv6 Router Advertisement Hop Limit Settings
- Configure the Host System to Deny IPv6 Router Advertisement Autoconf Settings
- Configure the Host System to Deny IPv6 Neighbor Solicitations
- Configure the Host System to Restrict IPv6 Maximum Addresses
- Configuring Ports and Protocols
- Configuring Network Settings for Virtual Application Installation
- Auditing and Logging on your vRealize Operations Manager System
- Index
Procedure
1 Open the /etc/ssh/sshd_config server configuration file and verify that the settings are correct.

Setting                        Status
Server Daemon Protocol         Protocol 2
Ciphers                        Ciphers aes256-ctr,aes128-ctr
TCP Forwarding                 AllowTcpForwarding no
Server Gateway Ports           GatewayPorts no
X11 Forwarding                 X11Forwarding no
SSH Service                    Use the AllowGroups field to specify a group permitted to
                               access the service, and add the users permitted to use the
                               service to that secondary group.
GSSAPI Authentication          GSSAPIAuthentication no, if unused
Kerberos Authentication        KerberosAuthentication no, if unused
Local Variables (AcceptEnv     Disabled by commenting the option out, or enabled only for
global option)                 LC_* or LANG variables
Tunnel Configuration           PermitTunnel no
Network Sessions               MaxSessions 1
Strict Mode Checking           StrictModes yes
Privilege Separation           UsePrivilegeSeparation yes
rhosts RSA Authentication      RhostsRSAAuthentication no
Compression                    Compression delayed or Compression no
Message Authentication Code    MACs hmac-sha1
User Access Restriction        PermitUserEnvironment no

2 Save your changes and close the file.
Harden the Secure Shell Client Configuration
As part of your system hardening monitoring process, verify hardening of the SSH client by examining the
SSH client configuration file on virtual appliance host machines to ensure that it is configured according to
VMware guidelines.
Procedure
1 Open the SSH client configuration file, /etc/ssh/ssh_config, and verify that the settings in the global
options section are correct.

Setting                          Status
Client Protocol                  Protocol 2
Client Gateway Ports             GatewayPorts no
GSSAPI Authentication            GSSAPIAuthentication no
Local Variables (SendEnv         Provide only LC_* or LANG variables
global option)
Ciphers (CTR modes only,         Ciphers aes256-ctr,aes128-ctr
no CBC)
Message Authentication Codes     MACs hmac-sha1 (list only this entry)

2 Save your changes and close the file.
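Both procedures above are manual reviews of a text file. The script below is an added example, not part of this VMware guide and not a VMware tool: it reads an sshd_config or ssh_config the way OpenSSH does (the first top-level occurrence of a keyword wins, keywords are case-insensitive, "Keyword=value" is accepted, and everything after the first Match or Host line is conditional and so not part of the global section) and compares each keyword with the values in the two tables. The expected-value lists, the rule that AllowGroups only needs to be set to something, the AcceptEnv/SendEnv whitelist check and the file paths are this example's own assumptions derived from the tables.

```shell
#!/bin/sh
# Added example: audit sshd_config / ssh_config against the expected settings.
# Assumes OpenSSH parsing rules: first top-level match wins, case-insensitive
# keywords, "Keyword=value" allowed, Match/Host blocks are conditional.

# effective_value FILE KEYWORD -> prints the global value of KEYWORD (empty if unset)
effective_value() {
    f=$1; k=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    awk -v key="$k" '{
        line = $0; sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next              # blank line or comment
        if (!match(line, /[ \t=]+/)) next                # keyword without a value
        kw  = tolower(substr(line, 1, RSTART - 1))
        val = substr(line, RSTART + RLENGTH); sub(/[ \t]+$/, "", val)
        if (kw == "match" || kw == "host") exit          # end of the global section
        if (kw == key) { print val; exit }               # first occurrence wins
    }' "$f"
}

# check_config FILE KEYWORD WANT -> 0 if the value matches, 1 otherwise.
# WANT may list alternatives separated by "|" ("delayed|no"); "*" means
# "must be set to something" (used for AllowGroups).
check_config() {
    file=$1; key=$2; want=$3
    got=$(effective_value "$file" "$key")
    have=$(printf '%s' "$got" | tr '[:upper:]' '[:lower:]')
    if [ "$want" = "*" ]; then
        [ -n "$have" ] && { printf 'OK    %-24s %s\n' "$key" "$got"; return 0; }
        printf 'FAIL  %-24s not set\n' "$key"; return 1
    fi
    rest="$want|"
    while [ -n "$rest" ]; do                             # no IFS/glob tricks: parse "|" by hand
        alt=${rest%%|*}; rest=${rest#*|}
        if [ "$have" = "$(printf '%s' "$alt" | tr '[:upper:]' '[:lower:]')" ]; then
            printf 'OK    %-24s %s\n' "$key" "$got"; return 0
        fi
    done
    printf 'FAIL  %-24s got "%s", want "%s"\n' "$key" "${got:-<unset>}" "$want"; return 1
}

# check_env_list FILE KEYWORD -> 0 if AcceptEnv/SendEnv is unset or lists only
# LANG and LC_* variables; any other variable would let the peer inject environment.
check_env_list() {
    file=$1; key=$2
    got=$(effective_value "$file" "$key")
    set -f; set -- $got; set +f                          # split on blanks without globbing LC_*
    for v in "$@"; do
        case $v in
            LANG|LC_*) ;;
            *) printf 'FAIL  %-24s forwards "%s"\n' "$key" "$v"; return 1 ;;
        esac
    done
    printf 'OK    %-24s %s\n' "$key" "${got:-<unset>}"; return 0
}

# audit_config FILE CHECKS -> runs one check per "Keyword want" line of CHECKS,
# prints a verdict for each, returns the number of failed checks.
audit_config() {
    fails=0
    while read -r key want; do
        [ -n "$key" ] || continue
        case $key in
            AcceptEnv|SendEnv) check_env_list "$1" "$key" || fails=$((fails + 1)) ;;
            *) check_config "$1" "$key" "$want" || fails=$((fails + 1)) ;;
        esac
    done <<EOF
$2
EOF
    echo "$fails check(s) failed for $1"
    return "$fails"
}

# Expected values taken from the server and client tables above.
SSHD_EXPECTED='Protocol 2
Ciphers aes256-ctr,aes128-ctr
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
AllowGroups *
GSSAPIAuthentication no
KerberosAuthentication no
AcceptEnv
PermitTunnel no
MaxSessions 1
StrictModes yes
UsePrivilegeSeparation yes
RhostsRSAAuthentication no
Compression delayed|no
MACs hmac-sha1
PermitUserEnvironment no'
SSH_EXPECTED='Protocol 2
GatewayPorts no
GSSAPIAuthentication no
SendEnv
Ciphers aes256-ctr,aes128-ctr
MACs hmac-sha1'

# Usage: sh ssh_audit.sh /etc/ssh/sshd_config /etc/ssh/ssh_config
if [ $# -eq 2 ]; then
    audit_config "$1" "$SSHD_EXPECTED"; s=$?
    audit_config "$2" "$SSH_EXPECTED";  c=$?
    exit $((s + c > 0))
fi
```

The script deliberately stops at the first Match or Host line, so a value that is only set inside a conditional block is reported as unset. When sshd is installed, `sshd -T` prints the effective server configuration with all Match blocks resolved, and `ssh -G <host>` does the same for the client; compare that output with the tables as a second check.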
Secure Configuration
16 VMware, Inc.