6.6
Table Of Contents
- Secure Configuration
- Contents
- Secure Configuration
- vRealize Operations Manager Security Posture
- Secure Deployment of vRealize Operations Manager
- Secure Configuration of vRealize Operations Manager
- Secure the vRealize Operations Manager Console
- Change the Root Password
- Managing Secure Shell, Administrative Accounts, and Console Access
- Enable or Disable Secure Shell on a vRealize Operations Manager node
- Create a Local Administrative Account for Secure Shell
- Restrict Secure Shell Access
- Maintain Secure Shell Key File Permissions
- Harden the Secure Shell Server Configuration
- Harden the Secure Shell Client Configuration
- Disable Direct Logins as Root
- Disable SSH Access for the Admin User Account
- Set Boot Loader Authentication
- Single-User or Maintenance Mode Authentication
- Monitor Minimal Necessary User Accounts
- Monitor Minimal Necessary Groups
- Resetting the vRealize Operations Manager Administrator Password (Linux)
- Configure NTP on VMware Appliances
- Disable the TCP Timestamp Response on Linux
- Enable FIPS 140-2 Mode
- TLS for Data in Transit
- Enabling TLS on Localhost Connections
- Application Resources That Must be Protected
- Configure PostgreSQL Client Authentication
- Apache Configuration
- Disable Configuration Modes
- Managing Nonessential Software Components
- Secure the USB Mass Storage Handler
- Secure the Bluetooth Protocol Handler
- Secure the Stream Control Transmission Protocol
- Secure the Datagram Congestion Control Protocol
- Secure Reliable Datagram Sockets Protocol
- Secure the Transparent Inter-Process Communication Protocol
- Secure Internet Packet Exchange Protocol
- Secure Appletalk Protocol
- Secure DECnet Protocol
- Secure Firewire Module
- Kernel Message Logging
- End Point Operations Management Agent
- Additional Secure Configuration Activities
- Network Security and Secure Communication
- Configuring Network Settings for Virtual Application Installation
- Prevent User Control of Network Interfaces
- Set the Queue Size for TCP Backlog
- Deny ICMPv4 Echoes to Broadcast Address
- Configure the Host System to Disable IPv4 Proxy ARP
- Configure the Host System to Ignore IPv4 ICMP Redirect Messages
- Configure the Host System to Ignore IPv6 ICMP Redirect Messages
- Configure the Host System to Deny IPv4 ICMP Redirects
- Configure the Host System to Log IPv4 Martian Packets
- Configure the Host System to use IPv4 Reverse Path Filtering
- Configure the Host System to Deny IPv4 Forwarding
- Configure the Host System to Deny Forwarding of IPv4 Source Routed Packets
- Configure the Host System to Deny IPv6 Forwarding
- Configure the Host System to Use IPv4 TCP Syncookies
- Configure the Host System to Deny IPv6 Router Advertisements
- Configure the Host System to Deny IPv6 Router Solicitations
- Configure the Host System to Deny IPv6 Router Preference in Router Solicitations
- Configure the Host System to Deny IPv6 Router Prefix
- Configure the Host System to Deny IPv6 Router Advertisement Hop Limit Settings
- Configure the Host System to Deny IPv6 Router Advertisement Autoconf Settings
- Configure the Host System to Deny IPv6 Neighbor Solicitations
- Configure the Host System to Restrict IPv6 Maximum Addresses
- Configuring Ports and Protocols
- Configuring Network Settings for Virtual Application Installation
- Auditing and Logging on your vRealize Operations Manager System
- Index
Apache Configuration
Disable Web Directory Browsing
As a security best practice, ensure that a user cannot bowse through a directory because it can increase the
risk of exposure to directory traversal aacks.
Procedure
u
Verify that web directory browsing is disabled for all directories.
a Open the /etc/apache2/default-server.conf and /usr/lib/vmware-
vcopssuite/utilities/conf/vcops-apache.conf les in a text editor.
b
Verify that for each <Directory> listing, the option called Indexes for the relevant tag is omied
from the Options line.
Remove the Sample Code for the Apache2 Server
Apache includes two sample Common Gateway Interface (CGI) scripts, printenv and test-cgi. A
production Web server must contain only components that are operationally necessary. These components
have the potential to disclose critical information about the system to an aacker.
As a security best practice, delete the CGI scripts from the cgi-bin directory.
Procedure
u
To remove test-cgi and prinenv scripts, run the rm /usr/share/doc/packages/apache2/test-cgi and
rm /usr/share/doc/packages/apache2/printenv commands.
Verify Server Tokens for the Apache2 Server
As part of your system hardening process, verify server tokens for the Apache2 server. The Web server
response header of an HTTP response can contain several elds of information. Information includes the
requested HTML page, the Web server type and version, the operating system and version, and ports
associated with the Web server. This information provides malicious users important information without
the use of extensive tools.
The directive ServerTokens must be set to Prod. For example, ServerTokens Prod. This directive controls
whether the response header eld of the server that is sent back to clients includes a description of the
operating system and information about compiled-in modules.
Procedure
1 To verify server tokens, run the cat /etc/apache2/sysconfig.d/global.conf | grep ServerTokens
command.
2 To modify ServerTokens OS to ServerTokens Prod, run the sed -i
's/\(ServerTokens\s\+\)OS/\1Prod/g' /etc/apache2/sysconfig.d/global.conf command.
Disable the Trace Method for the Apache2 Server
In standard production operations, use of diagnostics can reveal undiscovered vulnerabilities that lead to
compromised data. To prevent misuse of data, disable the HTTP Trace method.
Procedure
1 To verify the Trace method for the Apache2 server, run the following command grep
TraceEnable /usr/lib/vmware-vcopssuite/utilities/conf/vcops-apache.conf.
Chapter 3 Secure Configuration of vRealize Operations Manager
VMware, Inc. 27