vRealize Operations Manager 6.6 Secure Configuration
Configure the Host System to Use IPv4 TCP Syncookies
As a security best practice, verify that the host system uses IPv4 Transmission Control Protocol (TCP) syncookies. A TCP SYN flood attack might cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. With syncookies, the kernel does not track a connection until the subsequent ACK is received, which verifies that the initiator is attempting a valid connection and is not a flood source.
This technique does not operate in a fully standards-compliant manner, but it is only activated when a flood condition is detected, and it allows the system to defend itself while continuing to service valid requests.
Procedure
1 Run the # cat /proc/sys/net/ipv4/tcp_syncookies command to verify whether the host system uses IPv4 TCP syncookies.
2 Configure the host system to use IPv4 TCP syncookies.
a Open the /etc/sysctl.conf file.
b If the value is not set to 1, add the following entry to the file or update the existing entry accordingly. Set the value to 1.
net.ipv4.tcp_syncookies=1
c Save the changes and close the file.
Configure the Host System to Deny IPv6 Router Advertisements
As a security best practice, verify that the host system denies the acceptance of router advertisements and Internet Control Message Protocol (ICMP) redirects unless necessary. A feature of IPv6 is that systems can configure their networking devices automatically using information from the network. From a security perspective, it is preferable to set important configuration information manually rather than to accept it from the network in an unauthenticated way.
Procedure
1 Run the # grep [01] /proc/sys/net/ipv6/conf/*/accept_ra|egrep "default|all" command on the host system to verify whether the system denies the acceptance of router advertisements and ICMP redirects unless necessary.
2 Configure the host system to deny IPv6 router advertisements.
a Open the /etc/sysctl.conf file.
b If the values are not set to 0, add the following entries to the file or update the existing entries accordingly. Set the value to 0.
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
c Save the changes and close the file.
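The verification and remediation steps of both procedures above (tcp_syncookies and the two accept_ra keys), as an added POSIX shell example that is not part of the VMware guide. It assumes the usual key=value syntax of /etc/sysctl.conf, and takes the config file path and the /proc/sys root as parameters so the same functions can be exercised against constructed copies instead of the live system.

```shell
#!/bin/sh
# Added example (not from the VMware guide): audit and remediate the sysctl keys
# from the two procedures above. File and /proc/sys root are parameters so the
# functions can be exercised against constructed copies.
SYSCTL_EXPECTED="net.ipv4.tcp_syncookies=1 net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0"
# key_re KEY: escape dots so the key matches literally in a regex.
key_re() { printf '%s' "$1" | sed 's/\./\\./g'; }
# running_value KEY [PROCROOT]: live kernel value (key dots become path
# separators under /proc/sys); prints "missing" if the file is absent.
running_value() {
    f="${2:-/proc/sys}/$(printf '%s' "$1" | tr . /)"
    [ -r "$f" ] && cat "$f" || echo missing
}
# conf_value FILE KEY: value FILE persists for KEY, tolerating spaces around
# '='; the last matching line wins, as it does for sysctl itself.
conf_value() {
    grep -E "^[[:space:]]*$(key_re "$2")[[:space:]]*=" "$1" 2>/dev/null |
        tail -n 1 | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# ensure_conf_entry FILE KEY VALUE: update the existing entry in place or
# append a new one, as steps 2a-2c of both procedures describe.
ensure_conf_entry() {
    file=$1; key=$2; value=$3; re="^[[:space:]]*$(key_re "$key")[[:space:]]*="
    [ -f "$file" ] || : > "$file"
    if grep -Eq "$re" "$file"; then
        # sed -i is not portable, so rewrite through a temp file
        sed "s|${re}.*|${key}=${value}|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# audit_conf FILE [PROCROOT]: print persisted and live value for every key;
# returns 1 on any mismatch (config drift, or an entry written but never loaded).
audit_conf() {
    rc=0
    for kv in $SYSCTL_EXPECTED; do
        key=${kv%%=*}; want=${kv#*=}
        have=$(conf_value "$1" "$key"); live=$(running_value "$key" "$2")
        printf '%-34s conf=%-6s live=%-8s want=%s\n' "$key" "${have:-unset}" "$live" "$want"
        [ "$have" = "$want" ] && [ "$live" = "$want" ] || rc=1
    done
    return $rc
}

# harden_conf FILE: persist every expected entry; run "sysctl -p" afterwards.
harden_conf() {
    for kv in $SYSCTL_EXPECTED; do ensure_conf_entry "$1" "${kv%%=*}" "${kv#*=}"; done
}
```

On the appliance, audit_conf /etc/sysctl.conf reports drift and harden_conf /etc/sysctl.conf followed by sysctl -p applies the entries. A key that is correct in the file but wrong live means the file was edited but never reloaded, which the plain cat and grep checks in the procedures would also reveal.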
Secure Configuration
44 VMware, Inc.