6.6
Table Of Contents
- Secure Configuration
- Contents
- Secure Configuration
- vRealize Operations Manager Security Posture
- Secure Deployment of vRealize Operations Manager
- Secure Configuration of vRealize Operations Manager
- Secure the vRealize Operations Manager Console
- Change the Root Password
- Managing Secure Shell, Administrative Accounts, and Console Access
- Enable or Disable Secure Shell on a vRealize Operations Manager node
- Create a Local Administrative Account for Secure Shell
- Restrict Secure Shell Access
- Maintain Secure Shell Key File Permissions
- Harden the Secure Shell Server Configuration
- Harden the Secure Shell Client Configuration
- Disable Direct Logins as Root
- Disable SSH Access for the Admin User Account
- Set Boot Loader Authentication
- Single-User or Maintenance Mode Authentication
- Monitor Minimal Necessary User Accounts
- Monitor Minimal Necessary Groups
- Resetting the vRealize Operations Manager Administrator Password (Linux)
- Configure NTP on VMware Appliances
- Disable the TCP Timestamp Response on Linux
- Enable FIPS 140-2 Mode
- TLS for Data in Transit
- Enabling TLS on Localhost Connections
- Application Resources That Must be Protected
- Configure PostgreSQL Client Authentication
- Apache Configuration
- Disable Configuration Modes
- Managing Nonessential Software Components
- Secure the USB Mass Storage Handler
- Secure the Bluetooth Protocol Handler
- Secure the Stream Control Transmission Protocol
- Secure the Datagram Congestion Control Protocol
- Secure Reliable Datagram Sockets Protocol
- Secure the Transparent Inter-Process Communication Protocol
- Secure Internet Packet Exchange Protocol
- Secure Appletalk Protocol
- Secure DECnet Protocol
- Secure Firewire Module
- Kernel Message Logging
- End Point Operations Management Agent
- Additional Secure Configuration Activities
- Network Security and Secure Communication
- Configuring Network Settings for Virtual Application Installation
- Prevent User Control of Network Interfaces
- Set the Queue Size for TCP Backlog
- Deny ICMPv4 Echoes to Broadcast Address
- Configure the Host System to Disable IPv4 Proxy ARP
- Configure the Host System to Ignore IPv4 ICMP Redirect Messages
- Configure the Host System to Ignore IPv6 ICMP Redirect Messages
- Configure the Host System to Deny IPv4 ICMP Redirects
- Configure the Host System to Log IPv4 Martian Packets
- Configure the Host System to use IPv4 Reverse Path Filtering
- Configure the Host System to Deny IPv4 Forwarding
- Configure the Host System to Deny Forwarding of IPv4 Source Routed Packets
- Configure the Host System to Deny IPv6 Forwarding
- Configure the Host System to Use IPv4 TCP Syncookies
- Configure the Host System to Deny IPv6 Router Advertisements
- Configure the Host System to Deny IPv6 Router Solicitations
- Configure the Host System to Deny IPv6 Router Preference in Router Solicitations
- Configure the Host System to Deny IPv6 Router Prefix
- Configure the Host System to Deny IPv6 Router Advertisement Hop Limit Settings
- Configure the Host System to Deny IPv6 Router Advertisement Autoconf Settings
- Configure the Host System to Deny IPv6 Neighbor Solicitations
- Configure the Host System to Restrict IPv6 Maximum Addresses
- Configuring Ports and Protocols
- Configuring Network Settings for Virtual Application Installation
- Auditing and Logging on your vRealize Operations Manager System
- Index
4 Run the chmod 600 /storage/db/vcops/vpostgres/data/server.crt command.
5 Run the chown postgres /storage/db/vcops/vpostgres/data/server.key and chown
postgres /storage/db/vcops/vpostgres/data/server.crt commands to change the ownership of the
server.crt and server.key les from root to postgres.
Enable TLS on PostgreSQL
You must edit the postgresql.conf le to enable TLS on localhost connections to PostgreSQL.
Procedure
u
Edit the postgresql.conf le at /storage/db/vcops/vpostgres/data/ and make the following changes:
a Set ssl = on.
b Set ssl_cert_file = 'server.crt'.
c Set ssl_key_file = 'server.key'.
Application Resources That Must be Protected
As a security best practice, ensure that the application resources are protected.
Follow the steps to ensure that the application resources are protected.
Procedure
1 Run the Find / -path /proc -prune -o -type f -perm +6000 -ls command to verify that the les
have a well dened SUID and GUID bits set.
The following list appears:
354131 24 -rwsr-xr-x 1 polkituser root 23176 /usr/lib/PolicyKit/polkit-set-default-helper
354126 20 -rwxr-sr-x 1 root polkituser 19208 /usr/lib/PolicyKit/polkit-grant-
helper
354125 20 -rwxr-sr-x 1 root polkituser 19008 /usr/lib/PolicyKit/polkit-explicit-
grant-helper
354130 24 -rwxr-sr-x 1 root polkituser 23160 /usr/lib/PolicyKit/polkit-revoke-
helper
354127 12 -rwsr-x--- 1 root polkituser 10744 /usr/lib/PolicyKit/polkit-grant-
helper-pam
354128 16 -rwxr-sr-x 1 root polkituser 14856 /usr/lib/PolicyKit/polkit-read-auth-
helper
73886 84 -rwsr-xr-x 1 root shadow 77848 /usr/bin/chsh
73888 88 -rwsr-xr-x 1 root shadow 85952 /usr/bin/gpasswd
73887 20 -rwsr-xr-x 1 root shadow 19320 /usr/bin/expiry
73890 84 -rwsr-xr-x 1 root root 81856 /usr/bin/passwd
73799 240 -rwsr-xr-x 1 root root 238488 /usr/bin/sudo
73889 20 -rwsr-xr-x 1 root root 19416 /usr/bin/newgrp
73884 92 -rwsr-xr-x 1 root shadow 86200 /usr/bin/chage
73885 88 -rwsr-xr-x 1 root shadow 82472 /usr/bin/chfn
73916 40 -rwsr-x--- 1 root trusted 40432 /usr/bin/crontab
296275 28 -rwsr-xr-x 1 root root 26945 /usr/lib64/pt_chown
353804 816 -r-xr-sr-x 1 root mail 829672 /usr/sbin/sendmail
278545 36 -rwsr-xr-x 1 root root 35792 /bin/ping6
278585 40 -rwsr-xr-x 1 root root 40016 /bin/su
278544 40 -rwsr-xr-x 1 root root 40048 /bin/ping
278638 72 -rwsr-xr-x 1 root root 69240 /bin/umount
278637 100 -rwsr-xr-x 1 root root 94808 /bin/mount
Chapter 3 Secure Configuration of vRealize Operations Manager
VMware, Inc. 25