Secure Configuration
vRealize Operations Manager 6.6
Contents
- Secure Configuration
- vRealize Operations Manager Security Posture
- Secure Deployment of vRealize Operations Manager
- Secure Configuration of vRealize Operations Manager
- Secure the vRealize Operations Manager Console
- Change the Root Password
- Managing Secure Shell, Administrative Accounts, and Console Access
- Enable or Disable Secure Shell on a vRealize Operations Manager node
- Create a Local Administrative Account for Secure Shell
- Restrict Secure Shell Access
- Maintain Secure Shell Key File Permissions
- Harden the Secure Shell Server Configuration
- Harden the Secure Shell Client Configuration
- Disable Direct Logins as Root
- Disable SSH Access for the Admin User Account
- Set Boot Loader Authentication
- Single-User or Maintenance Mode Authentication
- Monitor Minimal Necessary User Accounts
- Monitor Minimal Necessary Groups
- Resetting the vRealize Operations Manager Administrator Password (Linux)
- Configure NTP on VMware Appliances
- Disable the TCP Timestamp Response on Linux
- Enable FIPS 140-2 Mode
- TLS for Data in Transit
- Enabling TLS on Localhost Connections
- Application Resources That Must be Protected
- Configure PostgreSQL Client Authentication
- Apache Configuration
- Disable Configuration Modes
- Managing Nonessential Software Components
- Secure the USB Mass Storage Handler
- Secure the Bluetooth Protocol Handler
- Secure the Stream Control Transmission Protocol
- Secure the Datagram Congestion Control Protocol
- Secure Reliable Datagram Sockets Protocol
- Secure the Transparent Inter-Process Communication Protocol
- Secure Internet Packet Exchange Protocol
- Secure Appletalk Protocol
- Secure DECnet Protocol
- Secure Firewire Module
- Kernel Message Logging
- End Point Operations Management Agent
- Additional Secure Configuration Activities
- Network Security and Secure Communication
- Configuring Network Settings for Virtual Application Installation
- Prevent User Control of Network Interfaces
- Set the Queue Size for TCP Backlog
- Deny ICMPv4 Echoes to Broadcast Address
- Configure the Host System to Disable IPv4 Proxy ARP
- Configure the Host System to Ignore IPv4 ICMP Redirect Messages
- Configure the Host System to Ignore IPv6 ICMP Redirect Messages
- Configure the Host System to Deny IPv4 ICMP Redirects
- Configure the Host System to Log IPv4 Martian Packets
- Configure the Host System to use IPv4 Reverse Path Filtering
- Configure the Host System to Deny IPv4 Forwarding
- Configure the Host System to Deny Forwarding of IPv4 Source Routed Packets
- Configure the Host System to Deny IPv6 Forwarding
- Configure the Host System to Use IPv4 TCP Syncookies
- Configure the Host System to Deny IPv6 Router Advertisements
- Configure the Host System to Deny IPv6 Router Solicitations
- Configure the Host System to Deny IPv6 Router Preference in Router Solicitations
- Configure the Host System to Deny IPv6 Router Prefix
- Configure the Host System to Deny IPv6 Router Advertisement Hop Limit Settings
- Configure the Host System to Deny IPv6 Router Advertisement Autoconf Settings
- Configure the Host System to Deny IPv6 Neighbor Solicitations
- Configure the Host System to Restrict IPv6 Maximum Addresses
- Configuring Ports and Protocols
- Configuring Network Settings for Virtual Application Installation
- Auditing and Logging on your vRealize Operations Manager System
- Index
Open Ports on Agent Host
The agent process listens for commands on two loopback ports, 127.0.0.1:2144 and 127.0.0.1:32000, both of which are
configurable. Because the ports can be assigned arbitrarily, the exact port numbers on a given host might vary. The agent
does not open ports on external interfaces.
Table 3-3. Minimum Required Ports

Port   Protocol  Direction  Comments
443    TCP       Outgoing   Used by the agent for outgoing connections over HTTP, TCP, or ICMP.
2144   TCP       Listening  Internal only. Configurable. Used for inter-process communication
                            between the agent and the command line that loads and configures
                            it. The agent process listens on this port.
                            Note: the port number is assigned arbitrarily and might differ.
32000  TCP       Listening  Internal only. Configurable. Used for inter-process communication
                            between the agent and the command line that loads and configures
                            it. The agent process listens on this port.
                            Note: the port number is assigned arbitrarily and might differ.
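A way to verify the loopback-only claim on an agent host, as an added example that is not part of the VMware guide: the script below parses the output of `ss -Hltn` (listening TCP sockets, numeric, no header) and flags any of the agent's ports that are bound to a non-loopback address. The socket listings embedded here are constructed samples; the port numbers 2144 and 32000 are the defaults named above and, since they are configurable, must be replaced with the ones actually in use on the host.

```shell
#!/bin/sh
# Added example (not VMware's code): audit an End Point Operations Management
# agent host and confirm that the agent's command ports are bound only to
# loopback, as the guide states they should be.

# Constructed sample of `ss -Hltn` output for a healthy host: the agent's two
# ports sit on 127.0.0.1 and only sshd listens on external interfaces.
GOOD_SAMPLE='LISTEN 0 128 127.0.0.1:2144 0.0.0.0:*
LISTEN 0 128 127.0.0.1:32000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# Constructed sample of a misconfigured host: port 32000 is bound to all
# IPv4 interfaces, so it is reachable from the network.
BAD_SAMPLE='LISTEN 0 128 127.0.0.1:2144 0.0.0.0:*
LISTEN 0 128 0.0.0.0:32000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# is_loopback ADDRESS -> 0 if ADDRESS (the local address without its port, as
# ss prints it) is a loopback address, 1 otherwise.
is_loopback() {
    case "$1" in
        127.*|'[::1]'|'[::ffff:127.'*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_agent_ports SS_OUTPUT PORT... -> 0 if every listener on the given
# ports is bound to a loopback address, 1 otherwise. Each offending socket
# is reported on stderr. Listeners on other ports (sshd, for instance) are
# deliberately ignored: the check is about the agent, not the whole host.
audit_agent_ports() {
    ss_output="$1"; shift
    status=0
    # Columns of `ss -Hltn`: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        local_addr=$(printf '%s\n' "$line" | awk '{print $4}')
        addr=${local_addr%:*}      # strip the trailing :port
        port=${local_addr##*:}     # keep only the port
        for p in "$@"; do
            if [ "$port" = "$p" ] && ! is_loopback "$addr"; then
                printf 'agent port %s bound to non-loopback address %s\n' \
                    "$port" "$local_addr" >&2
                status=1
            fi
        done
    done <<EOF
$ss_output
EOF
    return "$status"
}

# Run against the constructed samples so the script demonstrates both outcomes.
if audit_agent_ports "$GOOD_SAMPLE" 2144 32000; then
    echo "constructed healthy host: agent ports are loopback-only"
fi
if ! audit_agent_ports "$BAD_SAMPLE" 2144 32000 2>/dev/null; then
    echo "constructed misconfigured host: finding raised"
fi

# On a real agent host, substitute the configured port numbers:
#   audit_agent_ports "$(ss -Hltn)" 2144 32000 && echo "agent ports are loopback-only"
```

Only the local address column is inspected, so the check works on hosts where the agent's port numbers have been changed as long as the new numbers are passed in; a listener on `0.0.0.0`, `*` or `[::]` for one of those ports is reported as a finding.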
Revoking an Agent
If you need to revoke an agent, for example because the system on which it runs has been compromised, delete the agent
resource from vRealize Operations Manager. Because this revokes the agent certificate, any subsequent request from that
agent fails verification.
Use the vRealize Operations Manager user interface to revoke the agent certificate by removing the agent resource. For
more information, see "Removing the Agent Resource," on page 35.
When the system is secured again, you can reinstate the agent. For more information, see "Reinstate an Agent
Resource," on page 36.
Removing the Agent Resource
You can use the vRealize Operations Manager user interface to revoke the agent certificate by removing the agent
resource.
Prerequisites
To preserve the continuity of the resource with previously recorded metric data, record the End Point Operations
Management agent token that is displayed in the resource details before you delete the resource.
Procedure
1 Navigate to the Inventory Explorer in the vRealize Operations Manager user interface.
2 Open the Adapter Types tree.
3 Open the EP Ops Adapter list.
4 Select EP Ops Agent - *HOST_DNS_NAME*.
5 Click Edit Object.
6 Record the agent ID, which is the agent token string.
7 Close the Edit Object dialog box.
8 Select EP Ops Agent - *HOST_DNS_NAME* and click Delete Object.
Chapter 3 Secure Configuration of vRealize Operations Manager
VMware, Inc. 35