6.6
Table Of Contents
- Secure Configuration
- Contents
- Secure Configuration
- vRealize Operations Manager Security Posture
- Secure Deployment of vRealize Operations Manager
- Secure Configuration of vRealize Operations Manager
- Secure the vRealize Operations Manager Console
- Change the Root Password
- Managing Secure Shell, Administrative Accounts, and Console Access
- Enable or Disable Secure Shell on a vRealize Operations Manager node
- Create a Local Administrative Account for Secure Shell
- Restrict Secure Shell Access
- Maintain Secure Shell Key File Permissions
- Harden the Secure Shell Server Configuration
- Harden the Secure Shell Client Configuration
- Disable Direct Logins as Root
- Disable SSH Access for the Admin User Account
- Set Boot Loader Authentication
- Single-User or Maintenance Mode Authentication
- Monitor Minimal Necessary User Accounts
- Monitor Minimal Necessary Groups
- Resetting the vRealize Operations Manager Administrator Password (Linux)
- Configure NTP on VMware Appliances
- Disable the TCP Timestamp Response on Linux
- Enable FIPS 140-2 Mode
- TLS for Data in Transit
- Enabling TLS on Localhost Connections
- Application Resources That Must be Protected
- Configure PostgreSQL Client Authentication
- Apache Configuration
- Disable Configuration Modes
- Managing Nonessential Software Components
- Secure the USB Mass Storage Handler
- Secure the Bluetooth Protocol Handler
- Secure the Stream Control Transmission Protocol
- Secure the Datagram Congestion Control Protocol
- Secure Reliable Datagram Sockets Protocol
- Secure the Transparent Inter-Process Communication Protocol
- Secure Internet Packet Exchange Protocol
- Secure Appletalk Protocol
- Secure DECnet Protocol
- Secure Firewire Module
- Kernel Message Logging
- End Point Operations Management Agent
- Additional Secure Configuration Activities
- Network Security and Secure Communication
- Configuring Network Settings for Virtual Application Installation
- Prevent User Control of Network Interfaces
- Set the Queue Size for TCP Backlog
- Deny ICMPv4 Echoes to Broadcast Address
- Configure the Host System to Disable IPv4 Proxy ARP
- Configure the Host System to Ignore IPv4 ICMP Redirect Messages
- Configure the Host System to Ignore IPv6 ICMP Redirect Messages
- Configure the Host System to Deny IPv4 ICMP Redirects
- Configure the Host System to Log IPv4 Martian Packets
- Configure the Host System to use IPv4 Reverse Path Filtering
- Configure the Host System to Deny IPv4 Forwarding
- Configure the Host System to Deny Forwarding of IPv4 Source Routed Packets
- Configure the Host System to Deny IPv6 Forwarding
- Configure the Host System to Use IPv4 TCP Syncookies
- Configure the Host System to Deny IPv6 Router Advertisements
- Configure the Host System to Deny IPv6 Router Solicitations
- Configure the Host System to Deny IPv6 Router Preference in Router Solicitations
- Configure the Host System to Deny IPv6 Router Prefix
- Configure the Host System to Deny IPv6 Router Advertisement Hop Limit Settings
- Configure the Host System to Deny IPv6 Router Advertisement Autoconf Settings
- Configure the Host System to Deny IPv6 Neighbor Solicitations
- Configure the Host System to Restrict IPv6 Maximum Addresses
- Configuring Ports and Protocols
- Configuring Network Settings for Virtual Application Installation
- Auditing and Logging on your vRealize Operations Manager System
- Index
Configure NTP on VMware Appliances
For critical time sourcing, disable host time synchronization and use the Network Time Protocol (NTP) on VMware appliances. You must configure a trusted remote NTP server for time synchronization. The NTP server must be an authoritative time server or at least synchronized with an authoritative time server.
The NTP daemon on VMware virtual appliances provides synchronized time services. NTP is disabled by default, so you need to configure it manually. If possible, use NTP in production environments to track user actions and to detect potential malicious attacks and intrusions through accurate audit and log keeping. For information about NTP security notices, see the NTP Web site.
The NTP configuration file is located in the /etc/ntp.conf file on each appliance.
Procedure
1 Navigate to the /etc/ntp.conf configuration file on your virtual appliance host machine.
2 Set the file ownership to root:root.
3 Set the permissions to 0640.
4 To mitigate the risk of a denial-of-service amplification attack on the NTP service, open the /etc/ntp.conf file and ensure that the restrict lines appear in the file.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
5 Save any changes and close the files.
For information on NTP security notices, see http://support.ntp.org/bin/view/Main/SecurityNotice.
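The following audit script is an added example, not part of the VMware guide: it checks an ntp.conf against steps 2 through 4 above (owner root:root, mode 0640, and all four restrict lines present and not commented out). It assumes GNU stat, as on the appliance, and takes the expected owner as a parameter so the check can be tried on a scratch copy.

```shell
#!/bin/sh
# Added example: audit an ntp.conf against the procedure above.
# Prints one line per finding and returns non-zero if any check fails.

# The four restrict lines the procedure requires (copied from the step above).
NTP_REQUIRED_RESTRICTS='restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1'

ntp_conf_audit() {
    nca_conf=$1
    nca_owner=${2:-root:root}   # expected user:group
    nca_rc=0

    if [ ! -f "$nca_conf" ]; then
        echo "FAIL: $nca_conf does not exist"
        return 1
    fi
    # GNU stat: %U:%G is owner:group, %a is the octal mode without leading zero.
    nca_have_owner=$(stat -c '%U:%G' "$nca_conf")
    nca_have_mode=$(stat -c '%a' "$nca_conf")
    if [ "$nca_have_owner" != "$nca_owner" ]; then
        echo "FAIL: owner is $nca_have_owner, expected $nca_owner"; nca_rc=1
    fi
    if [ "$nca_have_mode" != "640" ]; then
        echo "FAIL: mode is $nca_have_mode, expected 640"; nca_rc=1
    fi
    # Compare each required line after collapsing runs of whitespace, so
    # "restrict   default ..." still matches; a commented-out line does not count.
    while IFS= read -r nca_want; do
        if ! sed 's/[[:space:]]\{1,\}/ /g; s/^ //; s/ $//' "$nca_conf" \
             | grep -Fxq "$nca_want"; then
            echo "FAIL: missing line: $nca_want"; nca_rc=1
        fi
    done <<EOF
$NTP_REQUIRED_RESTRICTS
EOF
    [ "$nca_rc" -eq 0 ] && echo "PASS: $nca_conf"
    return "$nca_rc"
}

# Usage on the appliance (as root): ntp_conf_audit /etc/ntp.conf
```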
Disable the TCP Timestamp Response on Linux
An attacker can use the TCP timestamp response to approximate the remote host's uptime and aid in further attacks. Additionally, some operating systems can be fingerprinted based on the behavior of their TCP time stamps.
Procedure
Disable the TCP timestamp response on Linux.
a To set the value of net.ipv4.tcp_timestamps to 0, run the sysctl -w net.ipv4.tcp_timestamps=0 command.
b Add the net.ipv4.tcp_timestamps = 0 value in the default sysctl.conf file so that the setting persists across reboots.
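Step b is easy to get wrong on a second pass: appending blindly leaves two assignments in sysctl.conf, and only the last one wins. The script below is an added example, not part of the VMware guide; it rewrites an existing active assignment instead of appending a duplicate, leaves commented lines alone, and reports both the persisted and the live value. The file path is a parameter so the function can be exercised on a scratch copy; the --apply flag and the live /proc/sys check are this example's own conventions.

```shell
#!/bin/sh
# Added example: persist a sysctl setting idempotently (step b above).

# Replace or append "key = value" in a sysctl.conf-style file.
persist_sysctl() {
    ps_key=$1; ps_val=$2; ps_file=$3
    # Escape the dots in the key so they are literal in the regex.
    ps_re="^[[:space:]]*$(printf '%s' "$ps_key" | sed 's/\./\\./g')[[:space:]]*="
    ps_tmp=$(mktemp)
    if grep -Eq "$ps_re" "$ps_file" 2>/dev/null; then
        # Rewrite every active (non-commented) assignment of the key.
        sed -E "s|${ps_re}.*|${ps_key} = ${ps_val}|" "$ps_file" > "$ps_tmp"
    else
        cat "$ps_file" > "$ps_tmp" 2>/dev/null || :
        printf '%s = %s\n' "$ps_key" "$ps_val" >> "$ps_tmp"
    fi
    cat "$ps_tmp" > "$ps_file" && rm -f "$ps_tmp"
}

# Print the value the file sets for a key (the last assignment wins, as in sysctl).
sysctl_conf_value() {
    scv_re="^[[:space:]]*$(printf '%s' "$1" | sed 's/\./\\./g')[[:space:]]*="
    grep -E "$scv_re" "$2" | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Live kernel value on Linux; empty when /proc/sys is not available.
tcp_timestamps_live() {
    cat /proc/sys/net/ipv4/tcp_timestamps 2>/dev/null || :
}

# Usage on the appliance, as root:  sh this_script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    sysctl -w net.ipv4.tcp_timestamps=0                      # step a: runtime
    persist_sysctl net.ipv4.tcp_timestamps 0 /etc/sysctl.conf  # step b: persistent
    echo "sysctl.conf: $(sysctl_conf_value net.ipv4.tcp_timestamps /etc/sysctl.conf), live: $(tcp_timestamps_live)"
fi
```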
Enable FIPS 140-2 Mode
The version of OpenSSL that is shipped with vRealize Operations Manager 6.3 and later releases is FIPS 140-2 certified. However, the FIPS mode is not enabled by default.
You can enable the FIPS mode if there is a security compliance requirement to use FIPS certified cryptographic algorithms with the FIPS mode enabled.
Procedure
1 To replace the mod_ssl.so file, run the following commands:
cd /usr/lib64/apache2-prefork/
cp mod_ssl.so mod_ssl.so.old
cp mod_ssl.so.FIPSON.openssl1.0.2 mod_ssl.so
Secure Configuration
20 VMware, Inc.