6.6
Auditing and Logging on your vRealize Operations Manager System 5
As a security best practice, set up auditing and logging on your vRealize Operations Manager system.
The detailed implementation of auditing and logging is outside the scope of this document.
Remote logging to a central log host provides a secure store for logs. By collecting log files to a central host, you can easily monitor the environment with a single tool. You can also perform aggregate analysis and search for coordinated attacks on multiple entities within the infrastructure. Logging to a secure, centralized log server can help prevent log tampering and also provide a long-term audit record.
This chapter includes the following topics:
- “Securing the Remote Logging Server,” on page 49
- “Use an Authorized NTP Server,” on page 49
- “Client Browser Considerations,” on page 49
Securing the Remote Logging Server
As a security best practice, ensure that the remote logging server can be configured only by an authorized user and is secure.
Attackers who breach the security of your host machine might search for and attempt to tamper with log files to cover their tracks and maintain control without being discovered.
Use an Authorized NTP Server
Ensure that all the host systems use the same relative time source, including the relevant localization offset. You can correlate the relative time source to an agreed-upon time standard such as Coordinated Universal Time (UTC).
You can easily track and correlate an intruder's actions when you review the relevant log files. Incorrect time settings can make it difficult to inspect and correlate log files to detect attacks, and can make auditing inaccurate. You can use at least three NTP servers from outside time sources, or configure a few local NTP servers on a trusted network that obtain their time from at least three outside time sources.
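The correlation problem that the remote-logging and NTP sections describe, as an added example that is not part of the VMware guide: records forwarded by several nodes are normalised to UTC before they are ordered, and any node whose event timestamps disagree with the central log host's receive time is flagged as having a skewed clock. The host names, timestamps and the 30-second tolerance are constructed assumptions.

```python
"""Order forwarded log records from several hosts on a central log host and flag clock skew."""
from datetime import datetime, timezone, timedelta

# Constructed sample records (hypothetical node names, not from a real deployment).
# Each tuple: (host, event timestamp as written by the host, receive time at the collector).
SAMPLE = [
    ("vrops-node1", "2017-06-01T14:05:09-05:00", "2017-06-01T19:05:10Z"),
    ("vrops-node2", "2017-06-01T19:05:11+00:00", "2017-06-01T19:05:11Z"),
    ("vrops-node3", "2017-06-01T21:05:12+02:00", "2017-06-01T19:05:13Z"),
    # node4's clock is about four hours ahead: received first, but its event sorts last.
    ("vrops-node4", "2017-06-01T23:07:00+00:00", "2017-06-01T19:05:08Z"),
]


def to_utc(stamp: str) -> datetime:
    """Parse an ISO 8601 timestamp with a UTC offset (or trailing Z) into an aware UTC datetime."""
    if stamp.endswith("Z"):
        stamp = stamp[:-1] + "+00:00"
    return datetime.fromisoformat(stamp).astimezone(timezone.utc)


def build_timeline(records):
    """Return (host, event_utc) pairs ordered by the normalised event time."""
    timeline = [(host, to_utc(event)) for host, event, _ in records]
    return sorted(timeline, key=lambda rec: rec[1])


def timeline_hosts(records):
    """Host names in event-time order; convenient for inspecting the reconstructed sequence."""
    return [host for host, _ in build_timeline(records)]


def skewed_hosts(records, tolerance=timedelta(seconds=30)):
    """Map host -> (event time - receive time) for hosts whose clocks exceed the tolerance.

    A large delta means the host's own timestamps cannot be trusted for correlation,
    which is exactly what a consistent NTP source is meant to prevent.
    """
    bad = {}
    for host, event, received in records:
        delta = to_utc(event) - to_utc(received)
        if abs(delta) > tolerance:
            bad[host] = delta
    return bad


if __name__ == "__main__":
    for host, when in build_timeline(SAMPLE):
        print(f"{when.isoformat()}  {host}")
    for host, delta in skewed_hosts(SAMPLE).items():
        print(f"clock skew on {host}: {delta}")
```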
Client Browser Considerations
As a security best practice, do not use vRealize Operations Manager from untrusted or unpatched clients or
from clients that use browser extensions.
VMware, Inc.
49