6.6
Table Of Contents
- Secure Configuration
- Contents
- Secure Configuration
- vRealize Operations Manager Security Posture
- Secure Deployment of vRealize Operations Manager
- Secure Configuration of vRealize Operations Manager
- Secure the vRealize Operations Manager Console
- Change the Root Password
- Managing Secure Shell, Administrative Accounts, and Console Access
- Enable or Disable Secure Shell on a vRealize Operations Manager node
- Create a Local Administrative Account for Secure Shell
- Restrict Secure Shell Access
- Maintain Secure Shell Key File Permissions
- Harden the Secure Shell Server Configuration
- Harden the Secure Shell Client Configuration
- Disable Direct Logins as Root
- Disable SSH Access for the Admin User Account
- Set Boot Loader Authentication
- Single-User or Maintenance Mode Authentication
- Monitor Minimal Necessary User Accounts
- Monitor Minimal Necessary Groups
- Resetting the vRealize Operations Manager Administrator Password (Linux)
- Configure NTP on VMware Appliances
- Disable the TCP Timestamp Response on Linux
- Enable FIPS 140-2 Mode
- TLS for Data in Transit
- Enabling TLS on Localhost Connections
- Application Resources That Must be Protected
- Configure PostgreSQL Client Authentication
- Apache Configuration
- Disable Configuration Modes
- Managing Nonessential Software Components
- Secure the USB Mass Storage Handler
- Secure the Bluetooth Protocol Handler
- Secure the Stream Control Transmission Protocol
- Secure the Datagram Congestion Control Protocol
- Secure Reliable Datagram Sockets Protocol
- Secure the Transparent Inter-Process Communication Protocol
- Secure Internet Packet Exchange Protocol
- Secure Appletalk Protocol
- Secure DECnet Protocol
- Secure Firewire Module
- Kernel Message Logging
- End Point Operations Management Agent
- Additional Secure Configuration Activities
- Network Security and Secure Communication
- Configuring Network Settings for Virtual Application Installation
- Prevent User Control of Network Interfaces
- Set the Queue Size for TCP Backlog
- Deny ICMPv4 Echoes to Broadcast Address
- Configure the Host System to Disable IPv4 Proxy ARP
- Configure the Host System to Ignore IPv4 ICMP Redirect Messages
- Configure the Host System to Ignore IPv6 ICMP Redirect Messages
- Configure the Host System to Deny IPv4 ICMP Redirects
- Configure the Host System to Log IPv4 Martian Packets
- Configure the Host System to use IPv4 Reverse Path Filtering
- Configure the Host System to Deny IPv4 Forwarding
- Configure the Host System to Deny Forwarding of IPv4 Source Routed Packets
- Configure the Host System to Deny IPv6 Forwarding
- Configure the Host System to Use IPv4 TCP Syncookies
- Configure the Host System to Deny IPv6 Router Advertisements
- Configure the Host System to Deny IPv6 Router Solicitations
- Configure the Host System to Deny IPv6 Router Preference in Router Solicitations
- Configure the Host System to Deny IPv6 Router Prefix
- Configure the Host System to Deny IPv6 Router Advertisement Hop Limit Settings
- Configure the Host System to Deny IPv6 Router Advertisement Autoconf Settings
- Configure the Host System to Deny IPv6 Neighbor Solicitations
- Configure the Host System to Restrict IPv6 Maximum Addresses
- Configuring Ports and Protocols
- Configuring Network Settings for Virtual Application Installation
- Auditing and Logging on your vRealize Operations Manager System
- Index
K
kernel message logging 31
L
local administrative account, creating 14
logging 49
M
maintenance mode authentication 18
managing nonessential software 28
minimal necessary groups 18
minimal user accounts 18
minimum incoming ports 48
minimum permissions, agent functionality 32
monitor minimal necessary groups 18
monitor minimal user accounts 18
N
network settings 39
O
open ports on agent host 35
OVF, network settings 39
P
password expiry 13
patching 37
platform files and permissions, Linux 32
platform files and permissions, Windows 33
ports
  incoming 39
  outgoing 39
ports and protocols, configuring 47
prevent user control 39
R
reinstate an agent resource 36
remote logging server, securing 49
remove the agent resource 35
removing sample code, Apache2 server 27
resetting the password on Linux clusters 19
review installed software 10
revoking an agent 35
root password, change 12
root user, secure shell 13
S
secure
  Appletalk Protocol 30
  Firewire Module 30
  Internet Packet Exchange Protocol 30
  Reliable Datagram Sockets protocol 29
  Transparent Inter-Process Communication protocol 29
secure configuration 11
Secure Shell, restricting access 15
secure configuration activities 37
secure deployment of vRealize Operations Manager 9
secure remote logging server 49
secure shell client configuration 16
secure shell file permissions 15
secure shell server configuration 15
Secure Shell, managing 13
secure the console 12
security posture 7
security advisories, patches 10
server configuration, secure shell 15
single-user authentication 18
Stream Control Transmission Protocol 28
strong ciphers, configure 22
strong protocols, configure 21
T
TCP backlog queue size 39
third-party software 10
TLS for data in transit 21
U
unnecessary applications, delete 37
updates 37
updating certificates 36
USB mass storage handler 28
V
verify, server user account settings 37
verify server tokens, Apache2 server 27
verifying the installation media 9
virtual appliances
  Bluetooth protocol handler 28
  boot loader authentication 17
  configure network time protocol 20
  enable or disable Secure Shell 14
  USB mass storage handler 28
virtual machines, disable IPv4 proxy ARP 40
virtual machines, deny ICMPv4 echoes to broadcast address 40
vRealize Operations Manager administrative password 19
Secure Configuration
52 VMware, Inc.