Secure Configuration VRealize Operations. Manager 6.6 V Realize Operations 66
User Manual: Pdf vRealize Operations Manager - 6.6 - Secure Configuration User Guide for VMware vRealize Software, Free Instruction Manual
Open the PDF directly: View PDF .
Page Count: 52
Download | ![]() |
Open PDF In Browser | View PDF |
Secure Configuration vRealize Operations Manager 6.6 Secure Configuration You can find the most up-to-date technical documentation on the VMware Web site at: https://docs.vmware.com/ The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com Copyright © 2017 VMware, Inc. All rights reserved. Copyright and trademark information. VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com 2 VMware, Inc. Contents Secure Configuration 5 1 vRealize Operations Manager Security Posture 7 2 Secure Deployment of vRealize Operations Manager 9 Verify the Integrity of Installation Media 9 Hardening the Deployed Software Infrastructure 9 Reviewing Installed and Unsupported Software 10 VMware Security Advisories and Patches 10 3 Secure Configuration of vRealize Operations Manager 11 Secure the vRealize Operations Manager Console 12 Change the Root Password 12 Managing Secure Shell, Administrative Accounts, and Console Access 13 Set Boot Loader Authentication 17 Single-User or Maintenance Mode Authentication 18 Monitor Minimal Necessary User Accounts 18 Monitor Minimal Necessary Groups 18 Resetting the vRealize Operations Manager Administrator Password (Linux) 19 Configure NTP on VMware Appliances 20 Disable the TCP Timestamp Response on Linux 20 Enable FIPS 140-2 Mode 20 TLS for Data in Transit 21 Enabling TLS on Localhost Connections 24 Application Resources That Must be Protected 25 Configure PostgreSQL Client Authentication 26 Apache Configuration 27 Disable Configuration Modes 28 Managing Nonessential Software Components 28 End Point Operations Management Agent 31 Additional Secure Configuration Activities 37 4 Network Security and Secure Communication 39 Configuring Network Settings for Virtual Application Installation Configuring Ports and Protocols 47 39 5 Auditing and Logging on your vRealize Operations Manager System 49 Securing the Remote Logging Server Use an Authorized NTP Server 49 Client Browser Considerations 49 VMware, Inc. 49 3 Secure Configuration Index 4 51 VMware, Inc. Secure Configuration The documentation for Secure Configuration is intended to serve as a secure baseline for the deployment of vRealize Operations Manager. Refer to this document when you are using system-monitoring tools to ensure that the secure baseline configuration is monitored and maintained for any unexpected changes on an ongoing basis. Hardening activities that are not already set by default can be carried out manually. Intended Audience This information is intended for administrators of vRealize Operations Manager. VMware Technical Publications Glossary VMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For definitions of terms as they are used in VMware technical documentation, go to http://www.vmware.com/support/pubs. VMware, Inc. 5 Secure Configuration 6 VMware, Inc. vRealize Operations Manager Security Posture 1 The security posture of vRealize Operations Manager assumes a complete secure environment based on system and network configuration, organizational security policies, and best practices. It is important that you perform the hardening activities according to your organization's security policies and best practices. The document is broken down into the following sections: Secure Deployment n n Secure Configuration n Network Security n Communication The guide details the installation of the Virtual Application. To ensure that your system is securely hardened, review the recommendations and assess them against your organization's security policies and risk exposure. VMware, Inc. 7 Secure Configuration 8 VMware, Inc. Secure Deployment of vRealize Operations Manager 2 You must verify the integrity of the installation media before you install the product to ensure authenticity of the downloaded files. This chapter includes the following topics: n “Verify the Integrity of Installation Media,” on page 9 n “Hardening the Deployed Software Infrastructure,” on page 9 n “Reviewing Installed and Unsupported Software,” on page 10 n “VMware Security Advisories and Patches,” on page 10 Verify the Integrity of Installation Media After you download the media, use the MD5/SHA1 sum value to verify the integrity of the download. Always verify the SHA1 hash after you download an ISO, offline bundle, or patch to ensure the integrity and authenticity of the downloaded files. If you obtain physical media from VMware and the security seal is broken, return the software to VMware for a replacement. Procedure u Compare the MD5/SHA1 hash output with the value posted on the VMware Web site. SHA1 or MD5 hash should match. Note The vRealize Operations Manager 6.x-x.pak files are signed by the VMware software publishing certificate. vRealize Operations Manager validates the signature of the PAK file before installation. Hardening the Deployed Software Infrastructure As part of your hardening process, you must harden the deployed software infrastructure that supports your VMware system. Before you harden your VMware system, review and address security deficiencies in your supporting software infrastructure to create a completely hardened and secure environment. Software infrastructure elements to consider include operating system components, supporting software, and database software. Address security concerns in these and other components according to the manufacturer's recommendations and other relevant security protocols. VMware, Inc. 9 Secure Configuration Hardening the VMware vSphere Environment vRealize Operations Manager relies on a secure VMware vSphere environment to achieve the greatest benefits and a secured infrastructure. Assess the VMware vSphere environment and verify that the appropriate level of vSphere hardening guidance is enforced and maintained. For more guidance about hardening, see http://www.vmware.com/security/hardening-guides.html. Reviewing Installed and Unsupported Software Vulnerabilities in unused software might increase the risk of unauthorized system access and disruption of availability. Review the software that is installed on VMware host machines and evaluate its use. Do not install software that is not required for the secure operation of the system on any of the vRealize Operations Manager node hosts. Uninstall unused or nonessential software. Installing unsupported, untested, or unapproved software on infrastructure products such as vRealize Operations Manager is a threat to the infrastructure. To minimize the threat to the infrastructure, do not install or use any third-party software that is not supported by VMware on VMware supplied hosts. Assess your vRealize Operations Manager deployment and inventory of installed products to verify that no unsupported software is installed. For more information about the support policies for third-party products, see the VMware support at http://www.vmware.com/security/hardening-guides.html. Verify Third-Party Software Do not use third-party software that VMware does not support. Verify that all third-party software is securely configured and patched in accordance with third-party vendor guidance. Inauthentic, insecure, or unpatched vulnerabilities of third-party software installed on VMware host machines might put the system at risk of unauthorized access and disruption of availability. All software that VMware does not supply must be appropriately secured and patched. If you must use third-party software that VMware does not support, consult the third-party vendor for secure configuration and patching requirements. VMware Security Advisories and Patches VMware occasionally releases security advisories for products. Being aware of these advisories can ensure that you have the safest underlying product and that the product is not vulnerable to known threats. Assess the vRealize Operations Manager installation, patching, and upgrade history and verify that the released VMware Security Advisories are followed and enforced. It is recommended that you always remain on the most recent vRealize Operations Manager release, as this will include the most recent security fixes also. For more information about the current VMware security advisories, see http://www.vmware.com/security/advisories/. 10 VMware, Inc. Secure Configuration of vRealize Operations Manager 3 As a security best practice, you must secure the vRealize Operations Manager console and manage Secure Shell (SSH), administrative accounts, and console access. Ensure that your system is deployed with secure transmission channels. You must also follow certain security best practices for running End Point Operations Management agents. This chapter includes the following topics: n “Secure the vRealize Operations Manager Console,” on page 12 n “Change the Root Password,” on page 12 n “Managing Secure Shell, Administrative Accounts, and Console Access,” on page 13 n “Set Boot Loader Authentication,” on page 17 n “Single-User or Maintenance Mode Authentication,” on page 18 n “Monitor Minimal Necessary User Accounts,” on page 18 n “Monitor Minimal Necessary Groups,” on page 18 n “Resetting the vRealize Operations Manager Administrator Password (Linux),” on page 19 n “Configure NTP on VMware Appliances,” on page 20 n “Disable the TCP Timestamp Response on Linux,” on page 20 n “Enable FIPS 140-2 Mode,” on page 20 n “TLS for Data in Transit,” on page 21 n “Enabling TLS on Localhost Connections,” on page 24 n “Application Resources That Must be Protected,” on page 25 n “Configure PostgreSQL Client Authentication,” on page 26 n “Apache Configuration,” on page 27 n “Disable Configuration Modes,” on page 28 n “Managing Nonessential Software Components,” on page 28 n “End Point Operations Management Agent,” on page 31 n “Additional Secure Configuration Activities,” on page 37 VMware, Inc. 11 Secure Configuration Secure the vRealize Operations Manager Console After you install vRealize Operations Manager, you must log in for the first time and secure the console of each node in the cluster. Prerequisites Install vRealize Operations Manager. Procedure 1 Locate the node console in vCenter or by direct access. In vCenter, press Alt+F1 to access the login prompt. For security reasons, vRealize Operations Manager remote terminal sessions are disabled by default. 2 Log in as root. vRealize Operations Manager does not allow you to access the command prompt until you create a root password. 3 At the password prompt, press Enter. 4 At the old password prompt, press Enter. 5 At the prompt for a new password, enter the root password that you want and note it for future reference. 6 Reenter the root password. 7 Log out of the console. Change the Root Password You can change the root password for any vRealize Operations Manager master or data node at any time by using the console. The root user bypasses the pam_cracklib module password complexity check, which is found in etc/pam.d/common-password. All hardened appliances enable enforce_for_root for the pw_history module, found in the etc/pam.d/common-password file. The system remembers the last five passwords by default. Old passwords are stored for each user in the /etc/security/opasswd file. Prerequisites Verify that the root password for the appliance meets your organization’s corporate password complexity requirements. If the account password starts with $6$, it uses a sha512 hash. This is the standard hash for all hardened appliances. Procedure 1 Run the # passwd command at the root shell of the appliance. 2 To verify the hash of the root password, log in as root and run the # more /etc/shadow command. The hash information appears. 3 12 If the root password does not contain a sha512 hash, run the passwd command to change it. VMware, Inc. Chapter 3 Secure Configuration of vRealize Operations Manager Manage Password Expiry Configure all account password expirations in accordance with your organization's security policies. By default, all hardened VMware appliances use a 60-day password expiry. On most hardened appliances, the root account is set to a 365-day password expiry. As a best practice, verify that the expiry on all accounts meets security and operation requirements standards. If the root password expires, you cannot reinstate it. You must implement site-specific policies to prevent administrative and root passwords from expiring. Procedure 1 Log in to your virtual appliance machines as root and run the # more /etc/shadow command to verify the password expiry on all accounts. 2 To modify the expiry of the root account, run the # passwd -x 365 root command. In this command, 365 specifies the number of days until password expiry. Use the same command to modify any user, substituting the specific account for root and replacing the number of days to meet the expiry standards of the organization. By default, the root password is set for 365 days. Managing Secure Shell, Administrative Accounts, and Console Access For remote connections, all hardened appliances include the Secure Shell (SSH) protocol. SSH is disabled by default on the hardened appliance. SSH is an interactive command-line environment that supports remote connections to a vRealize Operations Manager node. SSH requires high-privileged user account credentials. SSH activities generally bypass the role-based access control (RBAC) and audit controls of the vRealize Operations Manager node. As a best practice, disable SSH in a production environment and enable it only to diagnose or troubleshoot problems that you cannot resolve by other means. Leave it enabled only while needed for a specific purpose and in accordance with your organization's security policies. If you enable SSH, ensure that it is protected against attack and that you enable it only for as long as required. Depending on your vSphere configuration, you can enable or disable SSH when you deploy your Open Virtualization Format (OVF) template. As a simple test to determine whether SSH is enabled on a machine, try to open a connection by using SSH. If the connection opens and requests credentials, then SSH is enabled and is available for making connections. Secure Shell Root User Because VMware appliances do not include preconfigured default user accounts, the root account can use SSH to directly log in by default. Disable SSH as root as soon as possible. To meet the compliance standards for nonrepudiation, the SSH server on all hardened appliances is preconfigured with the AllowGroups wheel entry to restrict SSH access to the secondary group wheel. For separation of duties, you can modify the AllowGroups wheel entry in the /etc/ssh/sshd_config file to use another group such as sshd. The wheel group is enabled with the pam_wheel module for superuser access, so members of the wheel group can use the su-root command, where the root password is required. Group separation enables users to use SSH to the appliance, but not to use the su command to log in as root. Do not remove or modify other entries in the AllowGroups field, which ensures proper appliance function. After making a change, restart the SSH daemon by running the # service sshd restart command. VMware, Inc. 13 Secure Configuration Enable or Disable Secure Shell on a vRealize Operations Manager node You can enable Secure Shell (SSH) on a vRealize Operations Manager node for troubleshooting. For example, to troubleshoot a server, you might require console access to the server. This is through SSH. Disable SSH on a vRealize Operations Manager node for normal operation. Procedure 1 Access the console of the vRealize Operations Manager node from vCenter. 2 Press Alt + F1 to access the login prompt then log in. 3 Run the #chkconfig command. 4 If the sshd service is off, run the #chkconfig sshd on command. 5 Run the #service sshd start command to start the sshd service. 6 Run the #service sshd stop command to stop the sshd service. Create a Local Administrative Account for Secure Shell You must create local administrative accounts that can be used as Secure Shell (SSH) and that are members of the secondary wheel group, or both before you remove the root SSH access. Before you disable direct root access, test that authorized administrators can access SSH by using AllowGroups, and that they can use the wheel group and the su command to log in as root. Procedure 1 Log in as root and run the following commands. # useradd -d /home/vropsuser -g users -G wheel –m # passwd username Wheel is the group specified in AllowGroups for SSH access. To add multiple secondary groups, use -G wheel,sshd. 2 Switch to the user and provide a new password to ensure password complexity checking. # su – username username@hostname:~>passwd If the password complexity is met, the password updates. If the password complexity is not met, the password reverts to the original password, and you must rerun the password command. After you create the login accounts to allow SSH remote access and use the su command to log in as root using the wheel access, you can remove the root account from the SSH direct login. 3 To remove direct login to SSH, modify the /etc/ssh/sshd_config file by replacing (#)PermitRootLogin yes with PermitRootLogin no. What to do next Disable direct logins as root. By default, the hardened appliances allow direct login to root through the console. After you create administrative accounts for nonrepudiation and test them for wheel access (suroot), disable direct root logins by editing the /etc/securetty file as root and replacing the tty1 entry with console. 14 VMware, Inc. Chapter 3 Secure Configuration of vRealize Operations Manager Restrict Secure Shell Access As part of your system hardening process, restrict Secure Shell (SSH) access by configuring the tcp_wrappers package appropriately on all VMware virtual appliance host machines. Also maintain required SSH key file permissions on these appliances. All VMware virtual appliances include the tcp_wrappers package to allow tcp-supported daemons to control the network subnets that can access the libwrapped daemons. By default, the /etc/hosts.allow file contains a generic entry, sshd: ALL : ALLOW, that allows all access to the secure shell. Restrict this access as appropriate for your organization. Procedure 1 Open the /etc/hosts.allow file on your virtual appliance host machine in a text editor. 2 Change the generic entry in your production environment to include only the local host entries and the management network subnet for secure operations. sshd:127.0.0.1 : ALLOW sshd: [::1] : ALLOW sshd: 10.0.0.0 :ALLOW In this example, all local host connections and connections that the clients make on the 10.0.0.0 subnet are allowed. 3 Add all appropriate machine identification, for example, host name, IP address, fully qualified domain name (FQDN), and loopback. 4 Save the file and close it. Maintain Secure Shell Key File Permissions To maintain an appropriate level of security, configure Secure Shell (SSH) key file permissions. Procedure 1 View the public host key files, located in /etc/ssh/*key.pub. 2 Verify that these files are owned by root, that the group is owned by root, and that the files have permissions set to 0644. The permissions are (-rw-r--r--). 3 Close all files. 4 View the private host key files, located in /etc/ssh/*key. 5 Verify that root owns these files and the group, and that the files have permissions set to 0600. The permissions are (-rw-------). 6 Close all files. Harden the Secure Shell Server Configuration Where possible, the Virtual Application Installation (OVF) has a default hardened configuration. Users can verify that their configuration is appropriately hardened by examining the server and client service in the global options section of the configuration file. If possible, restrict use of the SSH server to a management subnet in the /etc/hosts.allow file. VMware, Inc. 15 Secure Configuration Procedure 1 2 Open the /etc/ssh/sshd_config server configuration file and verify that the settings are correct. Setting Status Server Daemon Protocol Protocol 2 Ciphers Ciphers aes256-ctr,aes128-ctr TCP Forwarding AllowTCPForwarding no Server Gateway Ports Gateway Ports no X11 Forwarding X11Forwarding no SSH Service Use the AllowGroups field and specify a group permitted to access and add members to the secondary group for users permitted to ue the service. GSSAPI Authentication GSSAPIAuthentication no, if unused Kerberos Authentication KerberosAuthentication no, if unused Local Variables (AcceptEnv global option) Set to disabled by commenting out or enabled for only LC_* or LANG variables Tunnel Configuration PermitTunnel no Network Sessions MaxSessions 1 Strict Mode Checking Strict Modes yes Privilege Separation UsePrivilegeSeparation yes rhosts RSA Authentication RhostsRSAAuthentication no Compression Compression delayed or Compression no Message Authentication code MACs hmac-sha1 User Access Restriction PermitUserEnvironment no Save your changes and close the file. Harden the Secure Shell Client Configuration As part of your system hardening monitoring process, verify hardening of the SSH client by examining the SSH client configuration file on virtual appliance host machines to ensure that it is configured according to VMware guidelines. Procedure 1 2 16 Open the SSH client configuration file, /etc/ssh/ssh_config, and verify that the settings in the global options section are correct. Setting Status Client Protocol Protocol 2 Client Gateway Ports Gateway Ports no GSSAPI Authentication GSSAPIAuthentication no Local Variables (SendEnv global option) Provide only LC_* or LANG variables CBC Ciphers Ciphers aes256-ctr,aes128-ctr Message Authentication Codes Used in the MACs hmac-sha1 entry only Save your changes and close the file. VMware, Inc. Chapter 3 Secure Configuration of vRealize Operations Manager Disable Direct Logins as Root By default, the hardened appliances allow you to use the console to log in directly as root. As a security best practice, you can disable direct logins after you create an administrative account for nonrepudiation and test it for wheel access by using the su-root command. Prerequisites n Complete the steps in the topic called “Create a Local Administrative Account for Secure Shell,” on page 14. n Verify that you have tested accessing the system as an administrator before you disable direct root logins. Procedure 1 Log in as root and navigate to the /etc/securetty file. You can access this file from the command prompt. 2 Replace the tty1 entry with console. Disable SSH Access for the Admin User Account As a security best practice, you can disable SSH access for the admin user account. The vRealize Operations Manager admin account and the Linux admin account share the same password. Disabling SSH access to the admin user enforces defense in depth by ensuring all users of SSH first login to a lesser privileged service account with a password that differs from the vRealize Operations Manager admin account and then switch user to a higher privilege such as the admin or root. Procedure 1 Edit the /etc/ssh/sshd_config file. You can access this file from the command prompt. 2 Add the DenyUsers admin entry anywhere in the file and save the file. 3 To restart the sshd server, run the service sshd restart command. Set Boot Loader Authentication To provide an appropriate level of security, configure boot loader authentication on your VMware virtual appliances. If the system boot loader requires no authentication, users with console access to the system might be able to alter the system boot configuration or boot the system to single user or maintenance mode, which can result in denial of service or unauthorized system access. Because boot loader authentication is not set by default on the VMware virtual appliances, you must create a GRUB password to configure it. Procedure 1 Verify whether a boot password exists by locating the password --md5line in the /boot/grub/menu.lst file on your virtual appliances. 2 If no password exists, run the # /usr/sbin/grub-md5-crypt command on your virtual appliance. An MD5 password is generated, and the command supplies the md5 hash output. 3 VMware, Inc. Append the password to the menu.lst file by running the # password --md5 command. 17 Secure Configuration Single-User or Maintenance Mode Authentication If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. Procedure u Review the/etc/inittab file and ensure that the following two lines appear: ls:S:wait:/etc/init.d/rc S and ~~:S:respawn:/sbin/sulogin. Monitor Minimal Necessary User Accounts You must monitor existing user accounts and ensure that any unnecessary user accounts are removed. Procedure u Run the host:~ # cat /etc/passwd command and verify the minimal necessary user accounts: bin:x:1:1:bin:/bin:/bin/bash daemon:x:2:2:Daemon:/sbin:/bin/bash haldaemon:x:101:102:User for haldaemon:/var/run/hald:/bin/false mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash messagebus:x:100:101:User for D-Bus:/var/run/dbus:/bin/false nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash ntp:x:74:106:NTP daemon:/var/lib/ntp:/bin/false polkituser:x:103:104:PolicyKit:/var/run/PolicyKit:/bin/false postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false root:x:0:0:root:/root:/bin/bash sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false suse-ncc:x:104:107:Novell Customer Center User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash uuidd:x:102:103:User for uuidd:/var/run/uuidd:/bin/false wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false nginx:x:105:108:user for nginx:/var/lib/nginx:/bin/false admin:x:1000:1003::/home/admin:/bin/bash tcserver:x:1001:1004:tc Server User:/home/tcserver:/bin/bash postgres:x:1002:100::/var/vmware/vpostgres/9.3:/bin/bash Monitor Minimal Necessary Groups You must monitor existing groups and members to ensure that any unnecessary groups or group access is removed. Procedure u Run the :~ # cat /etc/group command to verify the minimum necessary groups and group membership. audio:x:17: bin:x:1:daemon cdrom:x:20: console:x:21: daemon:x:2: dialout:x:16:u1,tcserver,postgres disk:x:6: floppy:x:19: 18 VMware, Inc. Chapter 3 Secure Configuration of vRealize Operations Manager haldaemon:!:102: kmem:x:9: mail:x:12: man:x:62: messagebus:!:101: modem:x:43: nobody:x:65533: nogroup:x:65534:nobody ntp:!:106: polkituser:!:105: public:x:32: root:x:0:admin shadow:x:15: sshd:!:65: suse-ncc:!:107: sys:x:3: tape:!:103: trusted:x:42: tty:x:5: utmp:x:22: uuidd:!:104: video:x:33:u1,tcserver,postgres wheel:x:10:root,admin www:x:8: xok:x:41: maildrop:!:1001: postfix:!:51: users:x:100: vami:!:1002:root nginx:!:108: admin:!:1003: vfabric:!:1004:admin,wwwrun Resetting the vRealize Operations Manager Administrator Password (Linux) As a security best practice, you can reset the vRealize Operations Manager password on Linux clusters for vApp or Linux installations. Procedure 1 Log in to the remote console of the master node as root. 2 Enter the $VMWARE_PYTHON_BIN $VCOPS_BASE/../vmwarevcopssuite/utilities/sliceConfiguration/bin/vcopsSetAdminPassword.py --reset command and follow the prompts. VMware, Inc. 19 Secure Configuration Configure NTP on VMware Appliances For critical time sourcing, disable host time synchronization and use the Network Time Protocol (NTP) on VMware appliances. You must configure a trusted remote NTP server for time synchronization. The NTP server must be an authoritative time server or at least synchronized with an authoritative time server. The NTP daemon on VMware virtual appliances provides synchronized time services. NTP is disabled by default, so you need to configure it manually. If possible, use NTP in production environments to track user actions and to detect potential malicious attacks and intrusions through accurate audit and log keeping. For information about NTP security notices, see the NTP Web site. The NTP configuration file is located in the /etc/ntp.conf file on each appliance. Procedure 1 Navigate to the /etc/ntp.conf configuration file on your virtual appliance host machine. 2 Set the file ownership to root:root. 3 Set the permissions to 0640. 4 To mitigate the risk of a denial-of-service amplification attack on the NTP service, open the /etc/ntp.conf file and ensure that the restrict lines appear in the file. restrict restrict restrict restrict 5 default kod nomodify notrap nopeer noquery -6 default kod nomodify notrap nopeer noquery 127.0.0.1 -6 ::1 Save any changes and close the files. For information on NTP security notices, see http://support.ntp.org/bin/view/Main/SecurityNotice. Disable the TCP Timestamp Response on Linux Use the TCP timestamp response to approximate the remote host's uptime and aid in further attacks. Additionally, some operating systems can be fingerprinted based on the behavior of their TCP time stamps. Procedure u Disable the TCP timestamp response on Linux. a To set the value of net.ipv4.tcp_timestamps to 0, run the sysctl -w net.ipv4.tcp_timestamps=0 command. b Add the ipv4.tcp_timestamps=0 value in the default sysctl.conf file. Enable FIPS 140-2 Mode The version of OpenSSL that is shipped with vRealize Operations Manager 6.3 and later releases is FIPS 140-2 certified. However, the FIPS mode is not enabled by default. You can enable the FIPS mode if there is a security compliance requirement to use FIPS certified cryptographic algorithms with the FIPS mode enabled. Procedure 1 To replace the mod_ssl.so file run the following command: cd /usr/lib64/apache2-prefork/ cp mod_ssl.so mod_ssl.so.old cp mod_ssl.so.FIPSON.openssl1.0.2 mod_ssl.so 20 VMware, Inc. Chapter 3 Secure Configuration of vRealize Operations Manager 2 Modify your Apache2 configuration by editing the /etc/apache2/ssl-global.conf file. 3 Search for the line and add the SSLFIPS on directive below it. 4 To reset the Apache configuration, run the service apache2 restart command. TLS for Data in Transit As a security best practice, ensure that the system is deployed with secure transmission channels. Configure Strong Protocols for vRealize Operations Manager Protocols such as SSLv2 and SSLv3 are no longer considered secure. In addition, it is recommended that you disable TLS 1.0. Enable only TLS 1.1 and TLS 1.2. Verify the Correct Use of Protocols in Apache HTTPD vRealize Operations Manager disables SSLv2 and SSLv3 by default. You must disable weak protocols on all load balancers before you put the system into production. Procedure 1 Run the grep SSLProtocol /usr/lib/vmware-vcopssuite/utilities/conf/vcops-apache.conf | grep v '#' command from the command prompt to verify that SSLv2 and SSLv3 are disabled. If the protocols are disabled, the command returns the following output: SSLProtocol All -SSLv2 SSLv3 2 To also disable the TLS 1.0 protocol, run the sed -i "/^[^#]*SSLProtocol/ c\SSLProtocol All -SSLv2 -SSLv3 -TLSv1" /usr/lib/vmware-vcopssuite/utilities/conf/vcops-apache.conf command from the command prompt. 3 To restart the Apache2 server, run the /etc/init.d/apache2 restart command from the command prompt. Verify the Correct Use of Protocols in the GemFire TLS Handler vRealize Operations Manager disables SSLv3 by default. You must disable weak protocols on all load balancers before you put the system into production. Procedure 1 Verify that the protocols are enabled. To verify that the protocols are enabled, run the following commands on each node: grep cluster-ssl-protocol /usr/lib/vmware-vcops/user/conf/gemfire.properties | grep -v '#' The following result is expected: cluster-ssl-protocols=TLSv1.2 TLSv1.1 TLSv1 grep cluster-ssl-protocol /usr/lib/vmware-vcops/user/conf/gemfire.native.properties | grep v '#' The following result is expected: cluster-ssl-protocols=TLSv1.2 TLSv1.1 TLSv1 grep cluster-ssl-protocol /usr/lib/vmware-vcops/user/conf/gemfire.locator.properties | grep v '#' The following result is expected: cluster-ssl-protocols=TLSv1.2 TLSv1.1 TLSv1 VMware, Inc. 21 Secure Configuration 2 Disable TLS 1.0. a Navigate to the administrator user interface at url/admin . b Click Bring Offline. c To disable SSLv3 and TLS 1.0, run the following commands: sed -i "/^[^#]*cluster-ssl-protocol/ c\cluster-ssl-protocols=TLSv1.2 TLSv1.1" /usr/lib/vmware-vcops/user/conf/gemfire.properties sed -i "/^[^#]*cluster-ssl-protocol/ c\cluster-ssl-protocols=TLSv1.2 TLSv1.1" /usr/lib/vmware-vcops/user/conf/gemfire.native.properties sed -i "/^[^#]*cluster-ssl-protocol/ c\cluster-ssl-protocols=TLSv1.2 TLSv1.1" /usr/lib/vmware-vcops/user/conf/gemfire.locator.properties Repeat this step for each node 3 d Navigate to the administrator user interface. e Click Bring Online. Reenable TLS 1.0. a Navigate to the administrator user interface to bring the cluster offline: url/admin. b Click Bring Offline. c To ensure that SSLv3 and TLS 1.0 are disabled, run the following commands: sed -i TLSv1" sed -i TLSv1" sed -i TLSv1" "/^[^#]*cluster-ssl-protocol/ c\cluster-ssl-protocols=TLSv1.2 TLSv1.1 /usr/lib/vmware-vcops/user/conf/gemfire.properties "/^[^#]*cluster-ssl-protocol/ c\cluster-ssl-protocols=TLSv1.2 TLSv1.1 /usr/lib/vmware-vcops/user/conf/gemfire.native.properties "/^[^#]*cluster-ssl-protocol/ c\cluster-ssl-protocols=TLSv1.2 TLSv1.1 /usr/lib/vmware-vcops/user/conf/gemfire.locator.properties Repeat this step for each node. d Navigate to the administrator user interface to bring the cluster online. e Click Bring Online. Configure vRealize Operations Manager to Use Strong Ciphers For maximum security, you must configure vRealize Operations Manager components to use strong ciphers. To ensure that only strong ciphers are selected, disable the use of weak ciphers. Configure the server to support only strong ciphers and to use sufficiently large key sizes. Also, configure the ciphers in a suitable order. vRealize Operations Manager disables the use of cipher suites using the DHE key exchange by default. Ensure that you disable the same weak cipher suites on all load balancers before you put the system into production. Using Strong Ciphers The encryption cipher negotiated between the server and the browser determines the key exchange method and encryption strength that is used in a TLS session. 22 VMware, Inc. Chapter 3 Secure Configuration of vRealize Operations Manager Verify the Correct Use of Cipher Suites in Apache HTTPD For maximum security, verify the correct use of cipher suites in Apache httpd. Procedure 1 To verify the correct use of cipher suites in Apache httpd, run the grep SSLCipherSuite /usr/lib/vmware-vcopssuite/utilities/conf/vcops-apache.conf | grep -v '#' command from the command prompt. If Apache httpd uses the correct cipher suites, the command returns the following output: SSLCipherSuite kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:!aNULL!ADH:! EXP:!MD5:!3DES:!CAMELLIA:!PSK:!SRP:!DH 2 To configure the correct use of cipher suites, run the sed -i "/^[^#]*SSLCipherSuite/ c\SSLCipherSuite kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:\!aNULL\! ADH:\!EXP:\!MD5:\!3DES:\!CAMELLIA:\!PSK:\!SRP:\!DH" /usr/lib/vmwarevcopssuite/utilities/conf/vcops-apache.conf command from the command prompt. Run this command if the output in Step 1 is not as expected. This command disables all cipher suites that use DH and DHE key exchange methods. 3 Run the /etc/init.d/apache2 restart command from the command prompt to restart the Apache2 server. 4 To reenable DH, remove !DH from the cipher suites by running the sed -i "/^[^#]*SSLCipherSuite/ c\SSLCipherSuite kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:\!aNULL\! ADH:\!EXP:\!MD5:\!3DES:\!CAMELLIA:\!PSK:\!SRP" /usr/lib/vmwarevcopssuite/utilities/conf/vcops-apache.conf command from the command prompt. 5 Run the /etc/init.d/apache2 restart command from the command prompt to restart the Apache2 server. Verify the Correct Use of Cipher Suites in GemFire TLS Handler For maximum security, verify the correct use of cipher suites in GemFire TLS Handler. Procedure 1 To verify that the cipher suites are enabled, run the following commands on each node to verify that the protocols are enabled: grep cluster-ssl-ciphers /usr/lib/vmware-vcops/user/conf/gemfire.properties | grep -v '#' grep cluster-ssl-ciphers /usr/lib/vmware-vcops/user/conf/gemfire.native.properties | grep -v '#' grep cluster-ssl-ciphers /usr/lib/vmware-vcops/user/conf/gemfire.locator.properties | grep -v '#' 2 VMware, Inc. Configure the correct cipher suites. a Navigate to the administrator user interface at URL/admin. b To bring the cluster offline, click Bring Offline. 23 Secure Configuration c To configure the correct cipher suites, run the following commands: sed -i "/^[^#]*cluster-ssl-ciphers/ c\cluster-sslciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" /usr/lib/vmwarevcops/user/conf/gemfire.properties sed -i "/^[^#]*cluster-ssl-ciphers/ c\cluster-sslciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" /usr/lib/vmwarevcops/user/conf/gemfire.native.properties sed -i "/^[^#]*cluster-ssl-ciphers/ c\cluster-sslciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" /usr/lib/vmwarevcops/user/conf/gemfire.locator.properties Repeat this step for each node. d Navigate to the administrator user interface at URL/admin. e Click Bring Online. Enabling TLS on Localhost Connections By default, the localhost connections to the PostgreSQL database do not use TLS. To enable TLS, you have to either generate a self-signed certificate with OpenSSL or provide your own certificate. To enable TLS on localhost connections to PostgreSQL, complete the following steps: 1 “Generate or Provide Your Own Self-Signed Certificate with OpenSSL,” on page 24 2 “Install the Certificate for PostgreSQL,” on page 24 3 “Enable TLS on PostgreSQL,” on page 25 Generate or Provide Your Own Self-Signed Certificate with OpenSSL Localhost connections to the PostgreSQL database do not use TLS. To enable TLS, you can generate your own self-signed certificate with OpenSSL or provide your own certificate. n To generate a self-signed certificate with OpenSSL, run the following commands: openssl req -new -text -out cert.req openssl rsa -in privkey.pem -out cert.pem openssl req -x509 -in cert.req -text -key cert.pem -out cert.cert n To provide your own certificate, complete the following steps: n Modify the ownership of the CAcerts.crt file to postgres. n Edit the postgresql.conf file to include the directive ssl_ca_file = 'CAcerts.crt. If you are using a certificate with a CA chain, you must add a CAcerts.crt file containing the intermediate and root CA certificates to the same directory. Install the Certificate for PostgreSQL You must install the certificate for PostgreSQL when you enable TLS on localhost connections to PostgreSQL. Procedure 24 1 Copy the cert.pem file to /storage/db/vcops/vpostgres/data/server.key. 2 Copy the cert.cert file to /storage/db/vcops/vpostgres/data/server.crt. 3 Run the chmod 600 /storage/db/vcops/vpostgres/data/server.key command. VMware, Inc. Chapter 3 Secure Configuration of vRealize Operations Manager 4 Run the chmod 600 /storage/db/vcops/vpostgres/data/server.crt command. 5 Run the chown postgres /storage/db/vcops/vpostgres/data/server.key and chown postgres /storage/db/vcops/vpostgres/data/server.crt commands to change the ownership of the server.crt and server.key files from root to postgres. Enable TLS on PostgreSQL You must edit the postgresql.conf file to enable TLS on localhost connections to PostgreSQL. Procedure u Edit the postgresql.conf file at /storage/db/vcops/vpostgres/data/ and make the following changes: a Set ssl = on. b Set ssl_cert_file = 'server.crt'. c Set ssl_key_file = 'server.key'. Application Resources That Must be Protected As a security best practice, ensure that the application resources are protected. Follow the steps to ensure that the application resources are protected. Procedure 1 Run the Find / -path /proc -prune -o -type f -perm +6000 -ls command to verify that the files have a well defined SUID and GUID bits set. The following list appears: VMware, Inc. 354131 24 -rwsr-xr-x 354126 20 -rwxr-sr-x helper 354125 20 -rwxr-sr-x grant-helper 354130 24 -rwxr-sr-x helper 354127 12 -rwsr-x--helper-pam 354128 16 -rwxr-sr-x helper 73886 84 -rwsr-xr-x 73888 88 -rwsr-xr-x 73887 20 -rwsr-xr-x 73890 84 -rwsr-xr-x 73799 73889 73884 73885 73916 296275 353804 278545 278585 278544 278638 278637 240 20 92 88 40 28 816 36 40 40 72 100 -rwsr-xr-x -rwsr-xr-x -rwsr-xr-x -rwsr-xr-x -rwsr-x---rwsr-xr-x -r-xr-sr-x -rwsr-xr-x -rwsr-xr-x -rwsr-xr-x -rwsr-xr-x -rwsr-xr-x 1 polkituser root 23176 /usr/lib/PolicyKit/polkit-set-default-helper 1 root polkituser 19208 /usr/lib/PolicyKit/polkit-grant1 root polkituser 19008 /usr/lib/PolicyKit/polkit-explicit- 1 root polkituser 23160 /usr/lib/PolicyKit/polkit-revoke- 1 root polkituser 10744 /usr/lib/PolicyKit/polkit-grant- 1 root polkituser 14856 /usr/lib/PolicyKit/polkit-read-auth- 1 1 1 1 root root root root shadow shadow shadow root 77848 85952 19320 81856 1 1 1 1 1 1 1 1 1 1 1 1 root root root root root root root root root root root root root root shadow shadow trusted root mail root root root root root 238488 19416 86200 82472 40432 26945 829672 35792 40016 40048 69240 94808 /usr/bin/chsh /usr/bin/gpasswd /usr/bin/expiry /usr/bin/passwd /usr/bin/sudo /usr/bin/newgrp /usr/bin/chage /usr/bin/chfn /usr/bin/crontab /usr/lib64/pt_chown /usr/sbin/sendmail /bin/ping6 /bin/su /bin/ping /bin/umount /bin/mount 25 Secure Configuration 475333 helper 41001 41118 2 48 -rwsr-x--- 1 root messagebus 36 -rwsr-xr-x 12 -rwsr-xr-x 1 root 1 root shadow shadow 47912 /lib64/dbus-1/dbus-daemon-launch35688 /sbin/unix_chkpwd 10736 /sbin/unix2_chkpwd Run the find / -path */proc -prune -o -nouser -o -nogroup command to verify that all the files in the vApp have an owner. All the files have an owner if there are no results. 3 Run the find / -name "*.*" -type f -perm -a+w | xargs ls -ldb command to verify that none of the files are world writable files by reviewing permissions of all the files on the vApp. None of the files must include the permission xx2. 4 Run the find / -path */proc -prune -o ! -user root -o -user admin -print command to verify that the files are owned by the correct user. All the files belong to either root or admin if there are no results. 5 Run the find /usr/lib/vmware-casa/ -type f -perm -o=w command to ensure that files in the /usr/lib/vmware-casa/ directory are not world writable. There must be no results. 6 Run the find /usr/lib/vmware-vcops/ -type f -perm -o=w command to ensure that files in the /usr/lib/vmware-vcops/ directory are not world writable. There must be no results. 7 Run the find /usr/lib/vmware-vcopssuite/ -type f -perm -o=w command to ensure that files in the /usr/lib/vmware-vcopssuite/ directory are not world writable. There must be no results. Configure PostgreSQL Client Authentication You can configure the system for client authentication. You can configure the system for local trust authentication. This allows any local user, including the database super user to connect as a PostgreSQL user without a password. If you want to provide a strong defense and if you do not have significant trust in all local user accounts, use another authentication method. The md5 method is set by default. Verify that md5 is set for all local and host connections. You can find the client authentication configuration settings for the postgres service instance in /storage/db/vcops/vpostgres/data/pg_hba.conf. Verify that md5 is set for all local and host connections. The client authentication configuration settings for the postgres-repl service instance can be found in /storage/db/vcops/vpostgres/repl/pg_hba.conf. Verify that md5 is set for all local and host connections. Note Do not modify client configuration settings for the postgres user account. 26 VMware, Inc. Chapter 3 Secure Configuration of vRealize Operations Manager Apache Configuration Disable Web Directory Browsing As a security best practice, ensure that a user cannot bowse through a directory because it can increase the risk of exposure to directory traversal attacks. Procedure u Verify that web directory browsing is disabled for all directories. a Open the /etc/apache2/default-server.conf and /usr/lib/vmwarevcopssuite/utilities/conf/vcops-apache.conf files in a text editor. b Verify that for each listing, the option called Indexes for the relevant tag is omitted from the Options line. Remove the Sample Code for the Apache2 Server Apache includes two sample Common Gateway Interface (CGI) scripts, printenv and test-cgi. A production Web server must contain only components that are operationally necessary. These components have the potential to disclose critical information about the system to an attacker. As a security best practice, delete the CGI scripts from the cgi-bin directory. Procedure u To remove test-cgi and prinenv scripts, run the rm /usr/share/doc/packages/apache2/test-cgi and rm /usr/share/doc/packages/apache2/printenv commands. Verify Server Tokens for the Apache2 Server As part of your system hardening process, verify server tokens for the Apache2 server. The Web server response header of an HTTP response can contain several fields of information. Information includes the requested HTML page, the Web server type and version, the operating system and version, and ports associated with the Web server. This information provides malicious users important information without the use of extensive tools. The directive ServerTokens must be set to Prod. For example, ServerTokens Prod. This directive controls whether the response header field of the server that is sent back to clients includes a description of the operating system and information about compiled-in modules. Procedure 1 To verify server tokens, run the cat /etc/apache2/sysconfig.d/global.conf | grep ServerTokens command. 2 To modify ServerTokens OS to ServerTokens Prod, run the sed -i 's/\(ServerTokens\s\+\)OS/\1Prod/g' /etc/apache2/sysconfig.d/global.conf command. Disable the Trace Method for the Apache2 Server In standard production operations, use of diagnostics can reveal undiscovered vulnerabilities that lead to compromised data. To prevent misuse of data, disable the HTTP Trace method. Procedure 1 VMware, Inc. To verify the Trace method for the Apache2 server, run the following command grep TraceEnable /usr/lib/vmware-vcopssuite/utilities/conf/vcops-apache.conf. 27 Secure Configuration 2 To disable the Trace method for the Apache2 server, run the following command sed -i "/^[^#]*TraceEnable/ c\TraceEnable off" /usr/lib/vmware-vcopssuite/utilities/conf/vcopsapache.conf. Disable Configuration Modes As a best practice, when you install, configure, or maintain vRealize Operations Manager, you can modify the configuration or settings to enable troubleshooting and debugging of your installation. Catalog and audit each of the changes you make to ensure that they are properly secured. Do not put the changes into production if you are not sure that your configuration changes are correctly secured. Managing Nonessential Software Components To minimize security risks, remove or configure nonessential software from your vRealize Operations Manager host machines. Configure all software that you do not remove in accordance with manufacturer recommendations and security best practices to minimize its potential to create security breaches. Secure the USB Mass Storage Handler Secure the USB mass storage handler to prevent it from loading by default on vRealize appliances and to prevent its use as the USB device handler with the vRealize appliances. Potential attackers can exploit this handler to install malicious software. Procedure 1 Open the/etc/modprobe.conf.local file in a text editor. 2 Ensure that the install usb-storage /bin/true line appears in the file. 3 Save the file and close it. Secure the Bluetooth Protocol Handler Secure the Bluetooth protocol handler on your vRealize Appliances to prevent potential attackers from exploiting it. Binding the Bluetooth protocol to the network stack is unnecessary and can increase the attack surface of the host. Prevent the Bluetooth protocol handler module from loading by default on vRealize Appliances. Procedure 1 Open the /etc/modprobe.conf.local file in a text editor. 2 Ensure that the line install bluetooth /bin/true appears in this file. 3 Save the file and close it. Secure the Stream Control Transmission Protocol Prevent the Stream Control Transmission Protocol (SCTP) module from loading on vRealize appliances by default. Potential attackers could exploit this protocol to compromise your system. Configure your system to prevent the SCTP module from loading unless it is absolutely necessary. SCTP is an unused IETF-standardized transport layer protocol. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes might cause the kernel to dynamically load a protocol handler by using the protocol to open a socket. 28 VMware, Inc. Chapter 3 Secure Configuration of vRealize Operations Manager Procedure 1 Open the /etc/modprobe.conf.local file in a text editor. 2 Ensure that the following line appears in this file. install sctp /bin/true 3 Save the file and close it. Secure the Datagram Congestion Control Protocol As part of your system hardening activities, prevent the Datagram Congestion Control Protocol (DCCP) module from loading on vRealize appliances by default. Potential attackers can exploit this protocol to compromise your system. Avoid loading the DCCP module, unless it is absolutely necessary. DCCP is a proposed transport layer protocol, which is not used. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes can cause the kernel to dynamically load a protocol handler by using the protocol to open a socket. Procedure 1 Open the /etc/modprobe.conf.local file in a text editor. 2 Ensure that the DCCP lines appear in the file. install dccp /bin/true install dccp_ipv4 /bin/true install dccp_ipv6 /bin/true 3 Save the file and close it. Secure Reliable Datagram Sockets Protocol As part of your system hardening activities, prevent the Reliable Datagram Sockets (RDS) protocol from loading on your vRealize appliances by default. Potential attackers can exploit this protocol to compromise your system. Binding the RDS protocol to the network stack increases the attack surface of the host. Unprivileged local processes might cause the kernel to dynamically load a protocol handler by using the protocol to open a socket. Procedure 1 Open the /etc/modprobe.conf.local file in a text editor. 2 Ensure that the install rds /bin/true line appears in this file. 3 Save the file and close it. Secure the Transparent Inter-Process Communication Protocol As part of your system hardening activities, prevent the Transparent Inter-Process Communication protocol (TIPC) from loading on your virtual appliance host machines by default. Potential attackers can exploit this protocol to compromise your system. Binding the TIPC protocol to the network stack increases the attack surface of the host. Unprivileged local processes can cause the kernel to dynamically load a protocol handler by using the protocol to open a socket. Procedure 1 VMware, Inc. Open the /etc/modprobe.conf.local file in a text editor. 29 Secure Configuration 2 Ensure that the install tipc /bin/true line appears in this file. 3 Save the file and close it. Secure Internet Packet Exchange Protocol Prevent the Internetwork Packet Exchange (IPX) protocol from loading vRealize appliances by default. Potential attackers could exploit this protocol to compromise your system. Avoid loading the IPX protocol module unless it is absolutely necessary. IPX protocol is an obsolete network-layer protocol. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes might cause the system to dynamically load a protocol handler by using the protocol to open a socket. Procedure 1 Open the /etc/modprobe.conf.local file in a text editor. 2 Ensure that the line install ipx /bin/true appears in this file. 3 Save the file and close it. Secure Appletalk Protocol Prevent the Appletalk protocol from loading on vRealize appliances by default. Potential attackers might exploit this protocol to compromise your system. Avoid loading the Appletalk Protocol module unless it is absolutely necessary. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes might cause the system to dynamically load a protocol handler by using the protocol to open a socket. Procedure 1 Open the /etc/modprobe.conf.local file in a text editor. 2 Ensure that the line install appletalk /bin/true appears in this file. 3 Save the file and close it. Secure DECnet Protocol Prevent the DECnet protocol from loading on your system by default. Potential attackers might exploit this protocol to compromise your system. Avoid loading the DECnet Protocol module unless it is absolutely necessary. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes could cause the system to dynamically load a protocol handler by using the protocol to open a socket. Procedure 1 Open the DECnet Protocol /etc/modprobe.conf.local file in a text editor. 2 Ensure that the line install decnet /bin/true appears in this file. 3 Save the file and close it. Secure Firewire Module Prevent the Firewire module from loading on vRealize appliances by default. Potential attackers might exploit this protocol to compromise your system. Avoid loading the Firewire module unless it is absolutely necessary. 30 VMware, Inc. Chapter 3 Secure Configuration of vRealize Operations Manager Procedure 1 Open the /etc/modprobe.conf.local file in a text editor. 2 Ensure that the line install ieee1394 /bin/true appears in this file. 3 Save the file and close it. Kernel Message Logging The kernel.printk specification in the /etc/sysctl.conf file specifies the kernel print logging specifications. There are 4 values specified: n console loglevel. The lowest priority of messages printed to the console. n default loglevel. The lowest level for messages without a specific log level. n The lowest possible level for the console log level. n The default value for console log level. There are eight possible entries per value. n define KERN_EMERG "<0>" /* system is unusable */ n define KERN_ALERT "<1>" /* action must be taken immediately */ n define KERN_CRIT "<2>" /* critical conditions */ n define KERN_ERR "<3>" /* error conditions */ n define KERN_WARNING "<4>" /* warning conditions */ n define KERN_NOTICE "<5>" /* normal but significant condition */ n define KERN_INFO "<6>" /* informational */ n define KERN_DEBUG "<7>" /* debug-level messages */ Set the kernel.printk values to 3 4 1 7 and ensure that the line kernel.printk=3 4 1 7 exists in the /etc/sysctl.conf file. End Point Operations Management Agent The End Point Operations Management agent adds agent-based discovery and monitoring capabilities to vRealize Operations Manager. The End Point Operations Management agent is installed on the hosts directly and might or might not be at the same level of trust as the End Point Operations Management server. Therefore, you must verify that the agents are securely installed. Security Best Practices for Running End Point Operations Management Agents You must follow certain security best practices while using user accounts. n For a silent installation, remove any credentials and server certificate thumbprints that were stored in the AGENT_HOME/conf/agent.properties file. n Use a vRealize Operations Manager user account reserved specifically for End Point Operations Management agent registration. For more information, see the topic called "Roles and Privileges" in vRealize Operations Manager in the vRealize Operations Manager Help. VMware, Inc. 31 Secure Configuration n Disable the vRealize Operations Manager user account that you use for agent registration after the installation is over. You must enable the user’s access for agent administration activities. For more information, see the topic called Configuring Users and Groups in vRealize Operations Manager in the vRealize Operations Manager Help. n If a system that runs an agent is compromised, you can revoke the agent certificate using the vRealize Operations Manager user interface by removing the agent resource. See the section called Revoking an Agent for more detail. Minimum Required Permissions for Agent Functionality You require permissions to install and modify a service. If you want to discover a running process, the user account you use to run the agent must also have privileges to access the processes and programs. For Windows operating system installations, you require permissions to install and modify a service. For Linux installations, you require permission to install the agent as a service, if you install the agent using a RPM installer. The minimum credentials that are required for the agent to register with the vRealize Operations Manager server are those for a user granted the Agent Manager role, without any assignment to objects within the system. Linux Based Platform Files and Permissions After you install the End Point Operations Management agent, the owner is the user that installs the agent. The installation directory and file permissions such as 600 and 700, are set to the owner when the user who installs the End Point Operations Management agent extracts the TAR file or installs the RPM. Note When you extract the ZIP file, the permissions might not be correctly applied. Verify and ensure that the permissions are correct. All the files that are created and written to by the agent are given 700 permissions with the owner being the user who runs the agent. Table 3‑1. Linux Files and Permissions Directory or File Permissi ons Groups or Users Read Write Execute agent directory/bin 700 Owner Yes Yes Yes Group No No No All No No No Owner Yes Yes Yes Group No No No All No No No Owner Yes Yes No Group No No No All No No No Owner Yes Yes Yes Group No No No All No No No Owner Yes Yes No Group No No No All No No No agent directory/conf agent directory/log agent directory/data agent directory/bin/epagent.bat 32 700 700 700 600 VMware, Inc. Chapter 3 Secure Configuration of vRealize Operations Manager Table 3‑1. Linux Files and Permissions (Continued) Directory or File agent directory/bin/epagent.sh agent directory/conf/* Permissi ons Groups or Users Read Write Execute 700 Owner Yes Yes Yes Group No No No All No No No Owner Yes Yes Yes Group No No No All No No No Owner Yes Yes No Group No No No All No No No Owner Yes Yes No Group No No No All No No No 600 (all files in the conf directory) agent directory/log/* 600 (all files in the log directory) agent directory/data/* 600 (all files in the data directory) Windows Based Platform Files and Permissions For a Windows based installation of the End Point Operations Management agent, the user installing the agent must have permissions to install and modify the service. After you install the End Point Operations Management agent, the installation folder including all subdirectories and files should only be accessible by the SYSTEM, the administrators group, and the installation user. When you install the End Point Operations Management agent using ep-agent.bat, ensure that the hardening process succeeds. As the user installing the agent, it is advised that you take note of any error messages. If the hardening process fails, the user can apply these permissions manually. Table 3‑2. Windows Files and Permissions Directory or File /bin Groups or Users Full Control Modify Read and Execute Read Write SYSTEM Yes - - - - Administrator Yes - - - - Installation User Yes - - - - - - - - Users /conf SYSTEM Yes - - - - Administrator Yes - - - - Installation User Yes - - - - - - - - Users /log SYSTEM Yes - - - - Administrator Yes - - - - Installation User Yes - - - - - - - - - - - - Users /data VMware, Inc. SYSTEM Yes 33 Secure Configuration Table 3‑2. Windows Files and Permissions (Continued) Directory or File Groups or Users Full Control Modify Read and Execute Read Write Administrator Yes - - - - Installation User Yes - - - - - - - - Users /bin/hqagent.bat SYSTEM Yes - - - - Administrator Yes - - - - Installation User Yes - - - - - - - - Users /bin/hqagent.sh SYSTEM Yes - - - - Administrator Yes - - - - Installation User Yes - - - - - - - - Users /conf/* (all files in the conf directory) SYSTEM Yes - - - - Administrator Yes - - - - Installation User Yes - - - - - - - - Users /log/* (all files in the log directory) SYSTEM Yes - - - - Administrator Yes - - - - Installation User Yes - - - - - - - - Users /data/* (all files in data directory) SYSTEM Yes - - - - Administrator Yes - - - - Installation User Yes - - - - - - - - Users 34 VMware, Inc. Chapter 3 Secure Configuration of vRealize Operations Manager Open Ports on Agent Host The agent process listens for commands on two ports 127.0.0.1:2144 and 127.0.0.1:32000 that are configurable. These ports might be arbitrarily assigned, and so, the exact port number might vary. The agent does not open ports on external interfaces. Table 3‑3. Minimum Required Ports Port Protocol Direction Comments 443 TCP Outgoing Used by the agent for outgoing connections over HTTP, TCP, or ICMP. 2144 TCP Listening Internal Only. Configurable. Used for inter-process communication between the agent and the command line that loads and configures it. The agent process listens on this port. Note The port number is assigned arbitrarily and might differ. 32000 TCP Listening Internal Only. Configurable. Used for inter-process communication between the agent and the command line that loads and configures it. The agent process listens on this port. Note The port number is assigned arbitrarily and might differ. Revoking an Agent If for any reason you need to revoke an agent, for example when a system with a running agent is compromised, you can delete the agent resource from the system. Any subsequent request will fail verification. Use the vRealize Operations Manager user interface to revoke the agent certificate by removing the agent resource. For more information, see “Removing the Agent Resource,” on page 35. When the system is secured again, you can reinstate the agent. For more information, see “Reinstate an Agent Resource,” on page 36. Removing the Agent Resource You can use the vRealize Operations Manager to revoke the agent certificate by removing the agent resource. Prerequisites To preserve the continuity of the resource with previously recorded metric data, take a record of the End Point Operations Management agent token that is displayed in the resource details. Procedure 1 Navigate to the Inventory Explorer in the vRealize Operations Manager user interface. 2 Open the Adapter Types tree. 3 Open the EP Ops Adapter list. 4 Select EP Ops Agent - *HOST_DNS_NAME*. 5 Click Edit Object. 6 Record the agent ID, which is the agent token string. 7 Close the Edit Object dialog box . 8 Select EP Ops Agent - *HOST_DNS_NAME* and click Delete Object. VMware, Inc. 35 Secure Configuration Reinstate an Agent Resource When the secure state of a system is recovered, you can reinstate a revoked agent. This ensures that the agent continues to report on the same resources without losing historical data. To do this you must create a new End Point Operations Management token file by using the same token recorded before you removed the agent resource. See the section called Removing The Agent Resource. Prerequisites n Ensure that you have the recorded End Point Operations Management token string. n Use the resource token recorded prior to removing the agent resource from the vRealize Operations Manager server. n Ensure that you have the Manage Agent privilege. Procedure 1 Create the agent token file with the user that runs the agent. For example, run the command to create a token file containing the 123-456-789 token. n On Linux: echo 123-456-789 > /etc/epops/epops-token n On Windows: echo 123-456-789 > %PROGRAMDATA%\VMware\Ep Ops Agent\epops-token In the example, the token file is written to the default token location for that platform 2 Install a new agent and register it with the vRealize Operations Manager server. Ensure that the agent loads the token you inserted in the token file. You must have the Manage Agent privilege to perform this action. Agent Certificate Revocation and Update of Certificates The reissue flow is initiated from the agent using the setup command line argument. When an agent that is already registered uses the setup command line argument ep-agent.sh setup and fills in the required credentials, a new registerAgent command is sent to the server. The server detects that the agent is already registered and sends the agent a new client certificate without creating another agent resource. On the agent side, the new client certificate replaces the old one. In cases where the server certificate is modified and you run the ep-agent.sh setup command, you will see a message that asks you to trust the new certificate. You can alternatively provide the new server certificate thumbprint in the agent.properties file prior to running the ep-agent.sh setup command, in order to make the process silent. Prerequisites Manage agent privilege to revoke and update certificates. Procedure u On Linux based operating systems, run the ep-agent.sh setup command on the agent host. On Windows based operating systems, run the ep-agent.bat setup command. If the agent detects that the server certificate has been modified, a message is displayed. Accept the new certificate if you trust it and it is valid. 36 VMware, Inc. Chapter 3 Secure Configuration of vRealize Operations Manager Patching and Updating the End Point Operations Management Agent If required, new End Point Operations Management agent bundles are available independent of vRealize Operations Manager releases. Patches or updates are not provided for the End Point Operations Management agent. You must install the latest available version of the agent that includes the latest security fixes. Critical security fixes will be communicated as per the VMware security advisory guidance. See the topic on Security Advisories. Additional Secure Configuration Activities Verify the server user accounts and delete unnecessary applications from the host servers. Block unnecessary ports and disable the services running on your host server that are not required. Verify Server User Account Settings It is recommended that you verify that no unnecessary user accounts exist for local and domain user accounts and settings. Restrict any user account not related to the functioning of the application to those accounts required for administration, maintenance, and troubleshooting. Restrict remote access from domain user accounts to the minimum required to maintain the server. Strictly control and audit these accounts. Delete and Disable Unnecessary Applications Delete the unnecessary applications from the host servers. Each additional and unnecessary application increases the risk of exposure because of their unknown or unpatched vulnerabilities. Disabling Unnecessary Ports and Services Verify the host server's firewall for the list of open ports that allow traffic. Block all the ports that are not listed as a minimum requirement for vRealize Operations Manager in the “Configuring Ports and Protocols,” on page 47 section of this document, or are not required. In addition, audit the services running on your host server and disable those that are not required. VMware, Inc. 37 Secure Configuration 38 VMware, Inc. Network Security and Secure Communication 4 As a security best practice, review and edit the network communication settings of your VMware virtual appliances and host machines. You must also configure the minimum incoming and outgoing ports for vRealize Operations Manager. This chapter includes the following topics: n “Configuring Network Settings for Virtual Application Installation,” on page 39 n “Configuring Ports and Protocols,” on page 47 Configuring Network Settings for Virtual Application Installation To ensure that your VMware virtual appliance and host machines allow only safe and essential communication, review and edit their network communication settings. Prevent User Control of Network Interfaces As a security best practice, restrict the ability to change the network interface setting to privileged users. If users manipulate network interfaces, it might result in bypassing network security mechanisms or denial of service. Ensure that network interfaces are not configured for user control. Procedure 1 To verify user control settings, run the #grep -i '^USERCONTROL=' /etc/sysconfig/network/ifcfg* command. 2 Make sure that each interface is set to NO. Set the Queue Size for TCP Backlog As a security best practice, configure a default TCP backlog queue size on VMware appliance host machines. To mitigate TCP denial or service attacks, set an appropriate default size for the TCP backlog queue size. The recommended default setting is 1280. Procedure 1 VMware, Inc. Run the # cat /proc/sys/net/ipv4/tcp_max_syn_backlog command on each VMware appliance host machine. 39 Secure Configuration 2 Set the queue size for TCP backlog. a Open the /etc/sysctl.conf file in a text editor. b Set the default TCP backlog queue size by adding the following entry to the file. net.ipv4.tcp_max_syn_backlog=1280 c Save your changes and close the file. Deny ICMPv4 Echoes to Broadcast Address Responses to broadcast Internet Control Message Protocol (ICMP) echoes provide an attack vector for amplification attacks and can facilitate network mapping by malicious agents. Configuring your system to ignore ICMPv4 echoes provides protection against such attacks. Procedure 1 Run the # cat /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts command to verify that the system is not sending responses to ICMP broadcast address echo requests. 2 Configure the host system to deny ICMPv4 broadcast address echo requests. a Open the /etc/sysctl.conf file in a text editor. b If the value for this entry is not set to 1, add the net.ipv4.icmp_echo_ignore_broadcasts=1 entry. c Save the changes and close the file. Configure the Host System to Disable IPv4 Proxy ARP IPv4 Proxy ARP allows a system to send responses to ARP requests on one interface on behalf of hosts connected to another interface. You must disable IPv4 Proxy ARP to prevent unauthorized information sharing. Disable the setting to prevent leakage of addressing information between the attached network segments. Procedure 1 Run the # grep [01] /proc/sys/net/ipv4/conf/*/proxy_arp|egrep "default|all" command to verify whether the Proxy ARP is disabled. 2 Configure the host system to disable IPv4 Proxy ARP. a Open the /etc/sysctl.conf file in a text editor. b If the values are not set to 0, add the entries or update the existing entries accordingly. Set the value to 0. net.ipv4.conf.all.proxy_arp=0 net.ipv4.conf.default.proxy_arp=0 c Save any changes you made and close the file. Configure the Host System to Ignore IPv4 ICMP Redirect Messages As a security best practice, verify that the host system ignores IPv4 Internet Control Message Protocol (ICMP) redirect messages. A malicious ICMP redirect message can allow a man-in-the-middle attack to occur. Routers use ICMP redirect messages to notify hosts that a more direct route exists for a destination. These messages modify the host's route table and are unauthenticated. Procedure 1 40 Run the # grep [01] /proc/sys/net/ipv4/conf/*/accept_redirects|egrep "default|all" command on the host system to check whether the host system ignores IPv4 redirect messages. VMware, Inc. Chapter 4 Network Security and Secure Communication 2 Configure the host system to ignore IPv4 ICMP redirect messages. a Open the /etc/sysctl.conf file. b If the values are not set to 0, add the following entries to the file or update the existing entries accordingly. Set the value to 0. net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0 c Save the changes and close the file. Configure the Host System to Ignore IPv6 ICMP Redirect Messages As a security best practice, verify that the host system ignores IPv6 Internet Control Message Protocol (ICMP) redirect messages. A malicious ICMP redirect message might allow a man-in-the-middle attack to occur. Routers use ICMP redirect messages to tell hosts that a more direct route exists for a destination. These messages modify the host's route table and are unauthenticated. Procedure 1 Run the # grep [01] /proc/sys/net/ipv6/conf/*/accept_redirects|egrep "default|all" command on the host system and check whether it ignores IPv6 redirect messages. 2 Configure the host system to ignore IPv6 ICMP redirect messages. a Open the /etc/sysctl.conf to configure the host system to ignore the IPv6 redirect messages. b If the values are not set to 0, add the following entries to the file or update the existing entries accordingly. Set the value to 0. net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0 c Save the changes and close the file. Configure the Host System to Deny IPv4 ICMP Redirects As a security best practice, verify that the host system denies IPv4 Internet Control Message Protocol (ICMP) redirects. Routers use ICMP redirect messages to inform servers that a direct route exists for a particular destination. These messages contain information from the system's route table that might reveal portions of the network topology. Procedure 1 Run the # grep [01] /proc/sys/net/ipv4/conf/*/send_redirects|egrep "default|all" on the host system to verify whether it denies IPv4 ICMP redirects. 2 Configure the host system to deny IPv4 ICMP redirects. a Open the /etc/sysctl.conf file to configure the host system. b If the values are not set to 0, add the following entries to the file or update the existing entries accordingly. Set the value to 0. net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0 c VMware, Inc. Save the changes and close the file. 41 Secure Configuration Configure the Host System to Log IPv4 Martian Packets As a security best practice, verify that the host system logs IPv4 Martian packets. Martian packets contain addresses that the system knows to be invalid. Configure the host system to log the messages so that you can identify misconfigurations or attacks in progress. Procedure 1 Run the # grep [01] /proc/sys/net/ipv4/conf/*/log_martians|egrep "default|all" command to check whether the host logs IPv4 Martian packets. 2 Configure the host system to log IPv4 Martian packets. a Open the /etc/sysctl.conf file to configure the host system. b If the values are not set to 1, add the following entries to the file or update the existing entries accordingly. Set the value to 1. net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martians=1 c Save the changes and close the file. Configure the Host System to use IPv4 Reverse Path Filtering As a security best practice, configure your host machines to use IPv4 reverse path filtering. Reverse path filtering protects against spoofed source addresses by causing the system to discard packets with source addresses that have no route or if the route does not point towards the originating interface. Configure your system to use reverse-path filtering whenever possible. Depending on the system role, reverse-path filtering might cause legitimate traffic to be discarded. In such cases, you might need to use a more permissive mode or disable reverse-path filtering altogether. Procedure 1 Run the # grep [01] /proc/sys/net/ipv4/conf/*/rp_filter|egrep "default|all" command on the host system to check whether the system uses IPv4 reverse path filtering. 2 Configure the host system to use IPv4 reverse path filtering. a Open the /etc/sysctl.conf file to configure the host system. b If the values are not set to 1, add the following entries to the file or update the existing entries accordingly. Set the value to 1. net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1 c Save the changes and close the file. Configure the Host System to Deny IPv4 Forwarding As a security best practice, verify that the host system denies IPv4 forwarding. If the system is configured for IP forwarding and is not a designated router, it could be used to bypass network security by providing a path for communication that is not filtered by network devices. Procedure 1 42 Run the # cat /proc/sys/net/ipv4/ip_forward command to verify whether the host denies IPv4 forwarding. VMware, Inc. Chapter 4 Network Security and Secure Communication 2 Configure the host system to deny IPv4 forwarding. a Open the /etc/sysctl.conf to configure the host system. b If the value is not set to 0, add the following entry to the file or update the existing entry accordingly. Set the value to 0. net.ipv4.ip_forward=0 c Save the changes and close the file. Configure the Host System to Deny Forwarding of IPv4 Source Routed Packets Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than what is configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router. Procedure 1 Run the # grep [01] /proc/sys/net/ipv4/conf/*/accept_source_route|egrep "default|all" command to verify whether the system does not use IPv4 source routed packets 2 Configure the host system to deny forwarding of IPv4 source routed packets. a Open the /etc/sysctl.conf file with a text editor. b If the values are not set to 0, ensure that net.ipv4.conf.all.accept_source_route=0 and the et.ipv4.conf.default.accept_source_route=0 are set to 0. c Save and close the file. Configure the Host System to Deny IPv6 Forwarding As a security best practice, verify that the host system denies IPv6 forwarding. If the system is configured for IP forwarding and is not a designated router, it can be used to bypass network security by providing a path for communication that is not filtered by network devices. Procedure 1 Run the # grep [01] /proc/sys/net/ipv6/conf/*/forwarding|egrep "default|all" command to verify whether the host denies IPv6 forwarding. 2 Configure the host system to deny IPv6 forwarding. a Open the /etc/sysctl.conf to configure the host system. b If the values are not set to 0, add the following entries to the file or update the existing entries accordingly. Set the value to 0. net.ipv6.conf.all.forwarding=0 net.ipv6.conf.default.forwarding=0 c VMware, Inc. Save the changes and close the file. 43 Secure Configuration Configure the Host System to Use IPv4 TCP Syncookies As a security best practice, verify that the host system uses IPv4 Transmission Control Protocol (TCP) Syncookies. A TCP SYN flood attack might cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies are used so as not to track a connection until a subsequent ACK is received, verifying that the initiator is attempting a valid connection and is not a flood source. This technique does not operate in a fully standards-compliant manner, but is only activated when a flood condition is detected, and allows defence of the system while continuing to service valid requests. Procedure 1 Run the # cat /proc/sys/net/ipv4/tcp_syncookies command to verify whether the host system uses IPv4 TCP Syncookies. 2 Configure the host system to use IPv4 TCP syncookies. a Open the /etc/sysctl.conf to configure the host system. b If the value is not set to 1, add the following entry to the file or update the existing entry accordingly. Set the value to 1. net.ipv4.tcp_syncookies=1 c Save the changes and close the file. Configure the Host System to Deny IPv6 Router Advertisements As a security best practice, verify that the host system denies the acceptance of router advertisements and Internet Control Message Protocol (ICMP) redirects unless necessary. A feature of IPv6 is how systems can configure their networking devices by automatically using information from the network. From a security perspective, it is preferable to manually set important configuration information rather than accepting it from the network in an unauthenticated way. Procedure 1 Run the # grep [01] /proc/sys/net/ipv6/conf/*/accept_ra|egrep "default|all" command on the host system to verify whether the system denies the acceptance of router advertisements and ICMP redirects unless necessary. 2 Configure the host system to deny IPv6 router advertisements. a Open the /etc/sysctl.conf file. b If the values are not set to 0, add the following entries to the file or update the existing entries accordingly. Set the value to 0. net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0 c 44 Save the changes and close the file. VMware, Inc. Chapter 4 Network Security and Secure Communication Configure the Host System to Deny IPv6 Router Solicitations As a security best practice, verify that host system denies IPv6 router solicitations unless necessary. The router solicitations setting determines how many router solicitations are sent when bringing up the interface. If addresses are assigned statically, there is no need to send any solicitations. Procedure 1 Run the # grep [01] /proc/sys/net/ipv6/conf/*/router_solicitations|egrep "default|all" command to verify whether the host system denies IPv6 router solicitations unless necessary. 2 Configure the host system to deny IPv6 router solicitations. a Open the /etc/sysctl.conf. b If the values are not set to 0, add the following entries to the file or update the existing entries accordingly. Set the value to 0. net.ipv6.conf.all.router_solicitations=0 net.ipv6.conf.default.router_solicitations=0 c Save the changes and close the file. Configure the Host System to Deny IPv6 Router Preference in Router Solicitations As a security best practice, verify that your host system denies IPv6 router solicitations unless necessary. The router preference in the solicitations setting determines router preferences. If addresses are assigned statically, there is no need to receive any router preference for solicitations. Procedure 1 Run the # grep [01] /proc/sys/net/ipv6/conf/*/accept_ra_rtr_pref|egrep "default|all" on the host system to verify whether the host system denies IPv6 router solicitations. 2 Configure the host system to deny IPv6 router preference in router solicitations. a Open the /etc/sysctl.conf file. b If the values are not set to 0, add the following entries to the file or update the existing entries accordingly. Set the value to 0. net.ipv6.conf.all.accept_ra_rtr_pref=0 net.ipv6.conf.default.accept_ra_rtr_pref=0 c Save the changes and close the file. Configure the Host System to Deny IPv6 Router Prefix As a security best practice, verify that the host system denies IPv6 router prefix information unless necessary. The accept ra pinfo setting controls whether the system accepts prefix information from the router. If addresses are statically assigned, the system does not receive any router prefix information. Procedure 1 VMware, Inc. Run the # grep [01] /proc/sys/net/ipv6/conf/*/accept_ra_pinfo|egrep "default|all" to verify if that system denies IPv6 router prefix information. 45 Secure Configuration 2 Configure the host system to deny IPv6 router prefix. a Open the /etc/sysctl.conf file. b If the values are not set to 0, add the following entries to the file or update the existing entries accordingly. Set the value to 0. net.ipv6.conf.all.accept_ra_pinfo=0 net.ipv6.conf.default.accept_ra_pinfo=0 c Save the changes and close the file. Configure the Host System to Deny IPv6 Router Advertisement Hop Limit Settings As a security best practice, verify that the host system denies IPv6 router advertisement Hop Limit settings from a router advertisement unless necessary. The accept_ra_defrtr setting controls whether the system will accept Hop Limit settings from a router advertisement. Setting it to 0 prevents a router from changing your default IPv6 Hop Limit for outgoing packets. Procedure 1 Run the # grep [01] /proc/sys/net/ipv6/conf/*/accept_ra_defrtr|egrep "default|all" command to verify that the host system denies IPv6 router Hop Limit settings. 2 If the values are not set to 0, configure the host system to deny IPv6 router advertisement Hop Limit settings. a Open the /etc/sysctl.conf file. b If the values are not set to 0, add the following entries to the file or update the existing entries accordingly. Set the value to 0. net.ipv6.conf.all.accept_ra_defrtr=0 net.ipv6.conf.default.accept_ra_defrtr=0 c Save the changes and close the file. Configure the Host System to Deny IPv6 Router Advertisement Autoconf Settings As a security best practice, verify that the host system denies IPv6 router advertisement autoconf settings. The autoconf setting controls whether router advertisements can cause the system to assign a global unicast address to an interface. Procedure 1 Run the # grep [01] /proc/sys/net/ipv6/conf/*/autoconf|egrep "default|all" command to verify whether the host system denies IPv6 router advertisement autoconf settings. 2 If the values are not set to 0, configure the host system to deny IPv6 router advertisement autoconf settings. a Open the /etc/sysctl.conf file. b If the values are not set to 0, add the following entries to the file or update the existing entries accordingly. Set the value to 0. net.ipv6.conf.all.autoconf=0 net.ipv6.conf.default.autoconf=0 c 46 Save the changes and close the file. VMware, Inc. Chapter 4 Network Security and Secure Communication Configure the Host System to Deny IPv6 Neighbor Solicitations As a security best practice, verify that the host system denies IPv6 neighbor solicitations unless necessary. The dad_transmits setting determines how many neighbor solicitations are to be sent out per address including global and link-local, when you bring up an interface to ensure the desired address is unique on the network. Procedure 1 Run the # grep [01] /proc/sys/net/ipv6/conf/*/dad_transmits|egrep "default|all" command to verify whether the host system denies IPv6 neighbor solicitations. 2 If the values are not set to 0, configure the host system to deny IPv6 neighbor solicitations. a Open the /etc/sysctl.conf file. b If the values are not set to 0, add the following entries to the file or update the existing entries accordingly. Set the value to 0. net.ipv6.conf.all.dad_transmits=0 net.ipv6.conf.default.dad_transmits=0 c Save the changes and close the file. Configure the Host System to Restrict IPv6 Maximum Addresses As a security best practice, verify that the host restricts the maximum number of IPv6 addresses that can be assigned. The maximum addresses setting determines how many global unicast IPv6 addresses can be assigned to each interface. The default is 16 but you must set the number to the statically configured global addresses required. Procedure 1 Run the # grep [1] /proc/sys/net/ipv6/conf/*/max_addresses|egrep "default|all" command to verify whether the host system restricts the maximum number of IPv6 addresses that can be assigned. 2 If the values are not set to 1, configure the host system to restrict the maximum number of IPv6 addresses that can be assigned. a Open the /etc/sysctl.conf file. b Add the following entries to the file or update the existing entries accordingly. Set the value to 1. net.ipv6.conf.all.max_addresses=1 net.ipv6.conf.default.max_addresses=1 c Save the changes and close the file. Configuring Ports and Protocols As a security best practice, disable all non-essential ports and protocols. Configure the minimum incoming and outgoing ports for vRealize Operations Manager components as required for important system components to operate in production. VMware, Inc. 47 Secure Configuration Minimum Default Incoming Ports As a security best practice, configure the incoming ports required for vRealize Operations Manager to operate in production. Table 4‑1. Minimum Required Incoming Ports Port Protocol Comments 443 TCP Used to access the vRealize Operations Manager user interface and the vRealize Operations Manager administrator interface. 123 UDP Used by vRealize Operations Manager for Network Time Protocol (NTP) synchronization to the master node. 5433 TCP Used by the master and replica nodes to replicate the global database (vPostgreSQL ) when high availability is enabled . 7001 TCP Used by Cassandra for secure inter-node cluster communication. Do not expose this port to the internet. Add this port to a firewall. 9042 TCP Used by Cassandra for secure client-related communication among nodes. Do not expose this port to the internet. Add this port to a firewall. 6061 TCP Used by clients to connect to the GemFire Locator to get connection information to servers in the distributed system. Also monitors server load to send clients to the least-loaded servers. 10000-10010 TCP and UDP GemFire Server ephemeral port range used for unicast UDP messaging and for TCP failure detection in a peerto-peer distributed system. 20000-20010 TCP and UDP GemFire Locator ephemeral port range used for unicast UDP messaging and for TCP failure detection in a peerto-peer distributed system. Table 4‑2. Optional Incoming Ports 48 Port Protocol Comments 22 TCP Optional. Secure Shell (SSH). The SSH service listening on port 22, or any other port, must be disabled in a production environment, and port 22 must be closed. 80 TCP Optional. Redirects to 443. 3091-3101 TCP When Horizon View is installed, used to access data for vRealize Operations Manager from Horizon View. VMware, Inc. Auditing and Logging on your vRealize Operations Manager System 5 As a security best practice, set up auditing and logging on your vRealize Operations Manager system. The detailed implementation of auditing and logging is outside the scope of this document. Remote logging to a central log host provides a secure store for logs. By collecting log files to a central host, you can easily monitor the environment with a single tool. You can also perform aggregate analysis and search for coordinated attacks on multiple entities within the infrastructure. Logging to a secure, centralized log server can help prevent log tampering and also provide a long-term audit record. This chapter includes the following topics: n “Securing the Remote Logging Server,” on page 49 n “Use an Authorized NTP Server,” on page 49 n “Client Browser Considerations,” on page 49 Securing the Remote Logging Server As a security best practice, ensure that the remote logging server can be configured only by an authorized user and is secure. Attackers who breach the security of your host machine might search for and attempt to tamper with log files to cover their tracks and maintain control without being discovered. Use an Authorized NTP Server Ensure that all the host systems use the same relative time source, including the relevant localization offset. You can correlate the relative time source to an agreed-upon time standard such as Coordinated Universal Time (UTC). You can easily track and correlate an intruder's actions when you review the relevant log files. Incorrect time settings can make it difficult to inspect and correlate log files to detect attacks, and can make auditing inaccurate. You can use at the least three NTP servers from outside time sources or configure a few local NTP servers on a trusted network that obtain their time from at least three outside time sources. Client Browser Considerations As a security best practice, do not use vRealize Operations Manager from untrusted or unpatched clients or from clients that use browser extensions. VMware, Inc. 49 Secure Configuration 50 VMware, Inc. Index A administrative accounts 13 agent certificate revocation 36 apache configuration 27 Apache httpd 21 application resources, protect 25 auditing 49 authorized NTP server 49 B best practices, End Point Operations Management agents 31 Bluetooth protocol handler 28 boot loader authentication 17 browser considerations 49 C cipher suites in GemFire 23 cipher suites in Apache httpd 23 client configuration, secure shell 16 configuration, PostgreSQL client authentication 26 configuration modes, disable 28 configure 28 configure network settings for OVF 39 configure network time protocol 20 console access 13 D data in transit 21 Datagram Congestion Control Protocol 29 DECnet Protocol, secure 30 deny forwarding 43 deny ICMPv4 echoes to broadcast address 40 deny IPv6 router settings 46 deny IPv6 router advertisement hop limit 46 disable, unnecessary applications 37 disable browsing 27 disable direct logins 17 disable directory browsing 27 disable SSH access for the admin user account 17 disable TCP timestamp response 20 disable the trace method:Apache2 server 27 disable unnecessary ports 37 VMware, Inc. disable unnecessary services 37 E enable TLS on PostgreSQL 25 enabling FIPS 140-2 mode 20 enabling TLS 24 End Point Operations Management agent 31 F file permissions, secure shell 15 G GemFire TLS handler protocols 21 generate a self-signed certificate with OpenSSL 24 glossary 5 H hardening infrastructure 9 hardening for Linux installation 10 hardening the vSphere environment 10 I infrastructure, hardening 9 install the certificate for PostgreSQL 24 intended audience 5 inventory of unsupported software 10 IPV4 source routed packets 43 IPv4, deny 1Pv4 forwarding 42 IPv4, deny IPv4 ICMP redirects 41 IPv4, disable proxy ARP 40 IPv4, ignore ICMP redirect messages 40 IPv4, ignore IPv4 reverse path filtering 42 IPv4, log IPv4 Martian packets 42 IPv4, use IPv4 TCP syncookies 44 IPv6 autoconf settings 46 IPv6, deny IPv6 forwarding 43 IPv6, deny IPv6 neighbor solicitations 47 IPv6, deny IPv6 router advertisements 44 IPv6, deny IPv6 router prefix 45 IPv6, deny IPv6 router solicitations 45 IPv6, deny IPv6 router preference in router solicitations 45 IPv6, ignore ICMP redirect messages 41 IPv6, restrict IPv6 maximum addresses 47 51 Secure Configuration K kernel message logging 31 L local administrative account, creating 14 logging 49 M maintenance mode authentication 18 managing nonessential software 28 minimal necessary groups 18 minimal user accounts 18 minimum incoming ports 48 minimum permissions, agent functionality 32 monitor minimal necessary groups 18 monitor minimal user accounts 18 N network settings 39 O open ports on agent host 35 OVF, network settings 39 P password expiry 13 patching 37 platform files and permissions, Linux 32 platform files and permissions, Windows 33 ports incoming 39 outgoing 39 ports and protocols, configuring 47 prevent user control 39 R reinstate an agent resource 36 remote logging server > securing 49 remove the agent resource 35 removing sample code:Apache2 server 27 resetting the password on Linux clusters 19 review installed software 10 revoking an agent 35 root password, change 12 root user, secure shell 13 S secure Appletalk Protocol 30 Firewire Module 30 Internet Packet Exchange Protocol 30 52 Reliable Datagram Sockets protocol 29 Transparent Inter-Process Communication protocol 29 secure configuration 11 Secure Shell, restricting access 15 secure configuration activities 37 secure deployment of vRealize Operations Manager 9 secure remote logging server 49 secure shell client configuration 16 secure shell file permissions 15 secure shell server configuration 15 Secure Shell, managing 13 secure the console 12 security posture 7 security advisories, patches 10 server configuration, secure shell 15 single-user authentication 18 Stream Control Transmission Protocol 28 strong ciphers, configure 22 strong protocols, configure 21 T TCP backlog queue size 39 third-party software 10 TLS for data in transit 21 U unnecessary applications, delete 37 updates 37 updating certificates 36 USB mass storage handler 28 V verify, server user account settings 37 verify server tokens:apache2 server 27 verifying the installation media 9 virtual appliances Bluetooth protocol handler 28 boot loader authentication 17 configure network time protocol 20 enable or disable Secure Shell 14 USB mass storage handler 28 virtual machines, disable IPv4 proxy ARP 40 virtual machines, deny ICMPv4 echoes to broadcast address 40 vRealize Operations Manager administrative password 19 VMware, Inc.
Source Exif Data:
File Type : PDF File Type Extension : pdf MIME Type : application/pdf PDF Version : 1.5 Linearized : No Author : VMware, Inc. Create Date : 2017:07:31 23:03:36-08:00 Modify Date : 2017:07:31 23:03:36-08:00 Creator : AH XSL Formatter V6.3 MR1 for Windows (x64) : 6.3.2.23978 (2016/03/18 11:26JST) Producer : Antenna House PDF Output Library 6.3.762 (Windows (x64)) Title : Secure Configuration - vRealize Operations. Manager 6.6 Trapped : False Page Count : 52 Page Mode : UseOutlines Page Layout : SinglePage Language : ENEXIF Metadata provided by EXIF.tools