Secure Configuration VRealize Operations. Manager 6.6 V Realize Operations 66

User Manual: Pdf vRealize Operations Manager - 6.6 - Secure Configuration User Guide for VMware vRealize Software, Free Instruction Manual

Open the PDF directly: View PDF PDF.
Page Count: 52

DownloadSecure Configuration - VRealize Operations. Manager 6.6 V Realize Operations Vrealize-operations-manager-66-secure-configuration
Open PDF In BrowserView PDF
Secure Configuration
vRealize Operations Manager 6.6

Secure Configuration

You can find the most up-to-date technical documentation on the VMware Web site at:
https://docs.vmware.com/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com

Copyright © 2017 VMware, Inc. All rights reserved. Copyright and trademark information.

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

2

VMware, Inc.

Contents

Secure Configuration

5

1 vRealize Operations Manager Security Posture 7
2 Secure Deployment of vRealize Operations Manager 9
Verify the Integrity of Installation Media 9
Hardening the Deployed Software Infrastructure 9
Reviewing Installed and Unsupported Software 10
VMware Security Advisories and Patches 10

3 Secure Configuration of vRealize Operations Manager 11

Secure the vRealize Operations Manager Console 12
Change the Root Password 12
Managing Secure Shell, Administrative Accounts, and Console Access 13
Set Boot Loader Authentication 17
Single-User or Maintenance Mode Authentication 18
Monitor Minimal Necessary User Accounts 18
Monitor Minimal Necessary Groups 18
Resetting the vRealize Operations Manager Administrator Password (Linux) 19
Configure NTP on VMware Appliances 20
Disable the TCP Timestamp Response on Linux 20
Enable FIPS 140-2 Mode 20
TLS for Data in Transit 21
Enabling TLS on Localhost Connections 24
Application Resources That Must be Protected 25
Configure PostgreSQL Client Authentication 26
Apache Configuration 27
Disable Configuration Modes 28
Managing Nonessential Software Components 28
End Point Operations Management Agent 31
Additional Secure Configuration Activities 37

4 Network Security and Secure Communication 39

Configuring Network Settings for Virtual Application Installation
Configuring Ports and Protocols 47

39

5 Auditing and Logging on your vRealize Operations Manager System 49
Securing the Remote Logging Server
Use an Authorized NTP Server 49
Client Browser Considerations 49

VMware, Inc.

49

3

Secure Configuration

Index

4

51

VMware, Inc.

Secure Configuration

The documentation for Secure Configuration is intended to serve as a secure baseline for the deployment of
vRealize Operations Manager. Refer to this document when you are using system-monitoring tools to
ensure that the secure baseline configuration is monitored and maintained for any unexpected changes on
an ongoing basis.
Hardening activities that are not already set by default can be carried out manually.

Intended Audience
This information is intended for administrators of vRealize Operations Manager.

VMware Technical Publications Glossary
VMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For definitions
of terms as they are used in VMware technical documentation, go to
http://www.vmware.com/support/pubs.

VMware, Inc.

5

Secure Configuration

6

VMware, Inc.

vRealize Operations Manager
Security Posture

1

The security posture of vRealize Operations Manager assumes a complete secure environment based on
system and network configuration, organizational security policies, and best practices. It is important that
you perform the hardening activities according to your organization's security policies and best practices.
The document is broken down into the following sections:
Secure Deployment
n
n

Secure Configuration

n

Network Security

n

Communication

The guide details the installation of the Virtual Application.
To ensure that your system is securely hardened, review the recommendations and assess them against your
organization's security policies and risk exposure.

VMware, Inc.

7

Secure Configuration

8

VMware, Inc.

Secure Deployment of
vRealize Operations Manager

2

You must verify the integrity of the installation media before you install the product to ensure authenticity
of the downloaded files.
This chapter includes the following topics:
n

“Verify the Integrity of Installation Media,” on page 9

n

“Hardening the Deployed Software Infrastructure,” on page 9

n

“Reviewing Installed and Unsupported Software,” on page 10

n

“VMware Security Advisories and Patches,” on page 10

Verify the Integrity of Installation Media
After you download the media, use the MD5/SHA1 sum value to verify the integrity of the download.
Always verify the SHA1 hash after you download an ISO, offline bundle, or patch to ensure the integrity
and authenticity of the downloaded files. If you obtain physical media from VMware and the security seal is
broken, return the software to VMware for a replacement.
Procedure
u

Compare the MD5/SHA1 hash output with the value posted on the VMware Web site.
SHA1 or MD5 hash should match.
Note The vRealize Operations Manager 6.x-x.pak files are signed by the VMware software
publishing certificate. vRealize Operations Manager validates the signature of the PAK file before
installation.

Hardening the Deployed Software Infrastructure
As part of your hardening process, you must harden the deployed software infrastructure that supports
your VMware system.
Before you harden your VMware system, review and address security deficiencies in your supporting
software infrastructure to create a completely hardened and secure environment. Software infrastructure
elements to consider include operating system components, supporting software, and database software.
Address security concerns in these and other components according to the manufacturer's
recommendations and other relevant security protocols.

VMware, Inc.

9

Secure Configuration

Hardening the VMware vSphere Environment
vRealize Operations Manager relies on a secure VMware vSphere environment to achieve the greatest
benefits and a secured infrastructure.
Assess the VMware vSphere environment and verify that the appropriate level of vSphere hardening
guidance is enforced and maintained.
For more guidance about hardening, see http://www.vmware.com/security/hardening-guides.html.

Reviewing Installed and Unsupported Software
Vulnerabilities in unused software might increase the risk of unauthorized system access and disruption of
availability. Review the software that is installed on VMware host machines and evaluate its use.
Do not install software that is not required for the secure operation of the system on any of the
vRealize Operations Manager node hosts. Uninstall unused or nonessential software.
Installing unsupported, untested, or unapproved software on infrastructure products such as
vRealize Operations Manager is a threat to the infrastructure.
To minimize the threat to the infrastructure, do not install or use any third-party software that is not
supported by VMware on VMware supplied hosts.
Assess your vRealize Operations Manager deployment and inventory of installed products to verify that no
unsupported software is installed.
For more information about the support policies for third-party products, see the VMware support at
http://www.vmware.com/security/hardening-guides.html.

Verify Third-Party Software
Do not use third-party software that VMware does not support. Verify that all third-party software is
securely configured and patched in accordance with third-party vendor guidance.
Inauthentic, insecure, or unpatched vulnerabilities of third-party software installed on VMware host
machines might put the system at risk of unauthorized access and disruption of availability. All software
that VMware does not supply must be appropriately secured and patched.
If you must use third-party software that VMware does not support, consult the third-party vendor for
secure configuration and patching requirements.

VMware Security Advisories and Patches
VMware occasionally releases security advisories for products. Being aware of these advisories can ensure
that you have the safest underlying product and that the product is not vulnerable to known threats.
Assess the vRealize Operations Manager installation, patching, and upgrade history and verify that the
released VMware Security Advisories are followed and enforced.
It is recommended that you always remain on the most recent vRealize Operations Manager release, as this
will include the most recent security fixes also.
For more information about the current VMware security advisories, see
http://www.vmware.com/security/advisories/.

10

VMware, Inc.

Secure Configuration of
vRealize Operations Manager

3

As a security best practice, you must secure the vRealize Operations Manager console and manage Secure
Shell (SSH), administrative accounts, and console access. Ensure that your system is deployed with secure
transmission channels.
You must also follow certain security best practices for running End Point Operations Management agents.
This chapter includes the following topics:
n

“Secure the vRealize Operations Manager Console,” on page 12

n

“Change the Root Password,” on page 12

n

“Managing Secure Shell, Administrative Accounts, and Console Access,” on page 13

n

“Set Boot Loader Authentication,” on page 17

n

“Single-User or Maintenance Mode Authentication,” on page 18

n

“Monitor Minimal Necessary User Accounts,” on page 18

n

“Monitor Minimal Necessary Groups,” on page 18

n

“Resetting the vRealize Operations Manager Administrator Password (Linux),” on page 19

n

“Configure NTP on VMware Appliances,” on page 20

n

“Disable the TCP Timestamp Response on Linux,” on page 20

n

“Enable FIPS 140-2 Mode,” on page 20

n

“TLS for Data in Transit,” on page 21

n

“Enabling TLS on Localhost Connections,” on page 24

n

“Application Resources That Must be Protected,” on page 25

n

“Configure PostgreSQL Client Authentication,” on page 26

n

“Apache Configuration,” on page 27

n

“Disable Configuration Modes,” on page 28

n

“Managing Nonessential Software Components,” on page 28

n

“End Point Operations Management Agent,” on page 31

n

“Additional Secure Configuration Activities,” on page 37

VMware, Inc.

11

Secure Configuration

Secure the vRealize Operations Manager Console
After you install vRealize Operations Manager, you must log in for the first time and secure the console of
each node in the cluster.
Prerequisites
Install vRealize Operations Manager.
Procedure
1

Locate the node console in vCenter or by direct access.
In vCenter, press Alt+F1 to access the login prompt. For security reasons, vRealize Operations Manager
remote terminal sessions are disabled by default.

2

Log in as root.
vRealize Operations Manager does not allow you to access the command prompt until you create a root
password.

3

At the password prompt, press Enter.

4

At the old password prompt, press Enter.

5

At the prompt for a new password, enter the root password that you want and note it for future
reference.

6

Reenter the root password.

7

Log out of the console.

Change the Root Password
You can change the root password for any vRealize Operations Manager master or data node at any time by
using the console.
The root user bypasses the pam_cracklib module password complexity check, which is found in
etc/pam.d/common-password. All hardened appliances enable enforce_for_root for the pw_history module,
found in the etc/pam.d/common-password file. The system remembers the last five passwords by default. Old
passwords are stored for each user in the /etc/security/opasswd file.
Prerequisites
Verify that the root password for the appliance meets your organization’s corporate password complexity
requirements. If the account password starts with $6$, it uses a sha512 hash. This is the standard hash for all
hardened appliances.
Procedure
1

Run the # passwd command at the root shell of the appliance.

2

To verify the hash of the root password, log in as root and run the # more /etc/shadow command.
The hash information appears.

3

12

If the root password does not contain a sha512 hash, run the passwd command to change it.

VMware, Inc.

Chapter 3 Secure Configuration of vRealize Operations Manager

Manage Password Expiry
Configure all account password expirations in accordance with your organization's security policies.
By default, all hardened VMware appliances use a 60-day password expiry. On most hardened appliances,
the root account is set to a 365-day password expiry. As a best practice, verify that the expiry on all accounts
meets security and operation requirements standards.
If the root password expires, you cannot reinstate it. You must implement site-specific policies to prevent
administrative and root passwords from expiring.
Procedure
1

Log in to your virtual appliance machines as root and run the # more /etc/shadow command to verify
the password expiry on all accounts.

2

To modify the expiry of the root account, run the # passwd -x 365 root command.
In this command, 365 specifies the number of days until password expiry. Use the same command to
modify any user, substituting the specific account for root and replacing the number of days to meet
the expiry standards of the organization.
By default, the root password is set for 365 days.

Managing Secure Shell, Administrative Accounts, and Console
Access
For remote connections, all hardened appliances include the Secure Shell (SSH) protocol. SSH is disabled by
default on the hardened appliance.
SSH is an interactive command-line environment that supports remote connections to a
vRealize Operations Manager node. SSH requires high-privileged user account credentials. SSH activities
generally bypass the role-based access control (RBAC) and audit controls of the
vRealize Operations Manager node.
As a best practice, disable SSH in a production environment and enable it only to diagnose or troubleshoot
problems that you cannot resolve by other means. Leave it enabled only while needed for a specific purpose
and in accordance with your organization's security policies. If you enable SSH, ensure that it is protected
against attack and that you enable it only for as long as required. Depending on your vSphere configuration,
you can enable or disable SSH when you deploy your Open Virtualization Format (OVF) template.
As a simple test to determine whether SSH is enabled on a machine, try to open a connection by using SSH.
If the connection opens and requests credentials, then SSH is enabled and is available for making
connections.

Secure Shell Root User
Because VMware appliances do not include preconfigured default user accounts, the root account can use
SSH to directly log in by default. Disable SSH as root as soon as possible.
To meet the compliance standards for nonrepudiation, the SSH server on all hardened appliances is
preconfigured with the AllowGroups wheel entry to restrict SSH access to the secondary group wheel. For
separation of duties, you can modify the AllowGroups wheel entry in the /etc/ssh/sshd_config file to use
another group such as sshd.
The wheel group is enabled with the pam_wheel module for superuser access, so members of the wheel
group can use the su-root command, where the root password is required. Group separation enables users
to use SSH to the appliance, but not to use the su command to log in as root. Do not remove or modify other
entries in the AllowGroups field, which ensures proper appliance function. After making a change, restart
the SSH daemon by running the # service sshd restart command.

VMware, Inc.

13

Secure Configuration

Enable or Disable Secure Shell on a vRealize Operations Manager node
You can enable Secure Shell (SSH) on a vRealize Operations Manager node for troubleshooting. For
example, to troubleshoot a server, you might require console access to the server. This is through SSH.
Disable SSH on a vRealize Operations Manager node for normal operation.
Procedure
1

Access the console of the vRealize Operations Manager node from vCenter.

2

Press Alt + F1 to access the login prompt then log in.

3

Run the #chkconfig command.

4

If the sshd service is off, run the #chkconfig sshd on command.

5

Run the #service sshd start command to start the sshd service.

6

Run the #service sshd stop command to stop the sshd service.

Create a Local Administrative Account for Secure Shell
You must create local administrative accounts that can be used as Secure Shell (SSH) and that are members
of the secondary wheel group, or both before you remove the root SSH access.
Before you disable direct root access, test that authorized administrators can access SSH by using
AllowGroups, and that they can use the wheel group and the su command to log in as root.
Procedure
1

Log in as root and run the following commands.
# useradd -d /home/vropsuser -g users -G wheel –m
# passwd username

Wheel is the group specified in AllowGroups for SSH access. To add multiple secondary groups, use -G
wheel,sshd.
2

Switch to the user and provide a new password to ensure password complexity checking.
# su – username
username@hostname:~>passwd

If the password complexity is met, the password updates. If the password complexity is not met, the
password reverts to the original password, and you must rerun the password command.
After you create the login accounts to allow SSH remote access and use the su command to log in as
root using the wheel access, you can remove the root account from the SSH direct login.
3

To remove direct login to SSH, modify the /etc/ssh/sshd_config file by replacing (#)PermitRootLogin

yes with PermitRootLogin no.

What to do next
Disable direct logins as root. By default, the hardened appliances allow direct login to root through the
console. After you create administrative accounts for nonrepudiation and test them for wheel access (suroot), disable direct root logins by editing the /etc/securetty file as root and replacing the tty1 entry with
console.

14

VMware, Inc.

Chapter 3 Secure Configuration of vRealize Operations Manager

Restrict Secure Shell Access
As part of your system hardening process, restrict Secure Shell (SSH) access by configuring the
tcp_wrappers package appropriately on all VMware virtual appliance host machines. Also maintain
required SSH key file permissions on these appliances.
All VMware virtual appliances include the tcp_wrappers package to allow tcp-supported daemons to
control the network subnets that can access the libwrapped daemons. By default, the /etc/hosts.allow file
contains a generic entry, sshd: ALL : ALLOW, that allows all access to the secure shell. Restrict this access as
appropriate for your organization.
Procedure
1

Open the /etc/hosts.allow file on your virtual appliance host machine in a text editor.

2

Change the generic entry in your production environment to include only the local host entries and the
management network subnet for secure operations.
sshd:127.0.0.1 : ALLOW
sshd: [::1] : ALLOW
sshd: 10.0.0.0 :ALLOW

In this example, all local host connections and connections that the clients make on the 10.0.0.0 subnet
are allowed.
3

Add all appropriate machine identification, for example, host name, IP address, fully qualified domain
name (FQDN), and loopback.

4

Save the file and close it.

Maintain Secure Shell Key File Permissions
To maintain an appropriate level of security, configure Secure Shell (SSH) key file permissions.
Procedure
1

View the public host key files, located in /etc/ssh/*key.pub.

2

Verify that these files are owned by root, that the group is owned by root, and that the files have
permissions set to 0644.
The permissions are (-rw-r--r--).

3

Close all files.

4

View the private host key files, located in /etc/ssh/*key.

5

Verify that root owns these files and the group, and that the files have permissions set to 0600.
The permissions are (-rw-------).

6

Close all files.

Harden the Secure Shell Server Configuration
Where possible, the Virtual Application Installation (OVF) has a default hardened configuration. Users can
verify that their configuration is appropriately hardened by examining the server and client service in the
global options section of the configuration file.
If possible, restrict use of the SSH server to a management subnet in the /etc/hosts.allow file.

VMware, Inc.

15

Secure Configuration

Procedure
1

2

Open the /etc/ssh/sshd_config server configuration file and verify that the settings are correct.
Setting

Status

Server Daemon Protocol

Protocol 2

Ciphers

Ciphers aes256-ctr,aes128-ctr

TCP Forwarding

AllowTCPForwarding no

Server Gateway Ports

Gateway Ports no

X11 Forwarding

X11Forwarding no

SSH Service

Use the AllowGroups field and specify a group permitted to access
and add members to the secondary group for users permitted to ue
the service.

GSSAPI Authentication

GSSAPIAuthentication no, if unused

Kerberos Authentication

KerberosAuthentication no, if unused

Local Variables (AcceptEnv global option)

Set to disabled by commenting out or enabled for only LC_*
or LANG variables

Tunnel Configuration

PermitTunnel no

Network Sessions

MaxSessions 1

Strict Mode Checking

Strict Modes yes

Privilege Separation

UsePrivilegeSeparation yes

rhosts RSA Authentication

RhostsRSAAuthentication no

Compression

Compression delayed or Compression no

Message Authentication code

MACs hmac-sha1

User Access Restriction

PermitUserEnvironment no

Save your changes and close the file.

Harden the Secure Shell Client Configuration
As part of your system hardening monitoring process, verify hardening of the SSH client by examining the
SSH client configuration file on virtual appliance host machines to ensure that it is configured according to
VMware guidelines.
Procedure
1

2

16

Open the SSH client configuration file, /etc/ssh/ssh_config, and verify that the settings in the global
options section are correct.
Setting

Status

Client Protocol

Protocol 2

Client Gateway Ports

Gateway Ports no

GSSAPI Authentication

GSSAPIAuthentication no

Local Variables (SendEnv global
option)

Provide only LC_* or LANG variables

CBC Ciphers

Ciphers aes256-ctr,aes128-ctr

Message Authentication Codes

Used in the MACs hmac-sha1 entry only

Save your changes and close the file.

VMware, Inc.

Chapter 3 Secure Configuration of vRealize Operations Manager

Disable Direct Logins as Root
By default, the hardened appliances allow you to use the console to log in directly as root. As a security best
practice, you can disable direct logins after you create an administrative account for nonrepudiation and test
it for wheel access by using the su-root command.
Prerequisites
n

Complete the steps in the topic called “Create a Local Administrative Account for Secure Shell,” on
page 14.

n

Verify that you have tested accessing the system as an administrator before you disable direct root
logins.

Procedure
1

Log in as root and navigate to the /etc/securetty file.
You can access this file from the command prompt.

2

Replace the tty1 entry with console.

Disable SSH Access for the Admin User Account
As a security best practice, you can disable SSH access for the admin user account. The
vRealize Operations Manager admin account and the Linux admin account share the same password.
Disabling SSH access to the admin user enforces defense in depth by ensuring all users of SSH first login to
a lesser privileged service account with a password that differs from the vRealize Operations Manager
admin account and then switch user to a higher privilege such as the admin or root.
Procedure
1

Edit the /etc/ssh/sshd_config file.
You can access this file from the command prompt.

2

Add the DenyUsers admin entry anywhere in the file and save the file.

3

To restart the sshd server, run the service sshd restart command.

Set Boot Loader Authentication
To provide an appropriate level of security, configure boot loader authentication on your VMware virtual
appliances. If the system boot loader requires no authentication, users with console access to the system
might be able to alter the system boot configuration or boot the system to single user or maintenance mode,
which can result in denial of service or unauthorized system access.
Because boot loader authentication is not set by default on the VMware virtual appliances, you must create a
GRUB password to configure it.
Procedure
1

Verify whether a boot password exists by locating the password --md5  line in
the /boot/grub/menu.lst file on your virtual appliances.

2

If no password exists, run the # /usr/sbin/grub-md5-crypt command on your virtual appliance.
An MD5 password is generated, and the command supplies the md5 hash output.

3

VMware, Inc.

Append the password to the menu.lst file by running the # password --md5  command.

17

Secure Configuration

Single-User or Maintenance Mode Authentication
If the system does not require valid root authentication before it boots into single-user or maintenance
mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the
system.
Procedure
u

Review the/etc/inittab file and ensure that the following two lines appear: ls:S:wait:/etc/init.d/rc
S and ~~:S:respawn:/sbin/sulogin.

Monitor Minimal Necessary User Accounts
You must monitor existing user accounts and ensure that any unnecessary user accounts are removed.
Procedure
u

Run the host:~ # cat /etc/passwd command and verify the minimal necessary user accounts:
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
haldaemon:x:101:102:User for haldaemon:/var/run/hald:/bin/false
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
messagebus:x:100:101:User for D-Bus:/var/run/dbus:/bin/false
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
ntp:x:74:106:NTP daemon:/var/lib/ntp:/bin/false
polkituser:x:103:104:PolicyKit:/var/run/PolicyKit:/bin/false
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
root:x:0:0:root:/root:/bin/bash
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
suse-ncc:x:104:107:Novell Customer Center User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
uuidd:x:102:103:User for uuidd:/var/run/uuidd:/bin/false
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
nginx:x:105:108:user for nginx:/var/lib/nginx:/bin/false
admin:x:1000:1003::/home/admin:/bin/bash
tcserver:x:1001:1004:tc Server User:/home/tcserver:/bin/bash
postgres:x:1002:100::/var/vmware/vpostgres/9.3:/bin/bash

Monitor Minimal Necessary Groups
You must monitor existing groups and members to ensure that any unnecessary groups or group access is
removed.
Procedure
u

Run the :~ # cat /etc/group command to verify the minimum necessary groups and group
membership.
audio:x:17:
bin:x:1:daemon
cdrom:x:20:
console:x:21:
daemon:x:2:
dialout:x:16:u1,tcserver,postgres
disk:x:6:
floppy:x:19:

18

VMware, Inc.

Chapter 3 Secure Configuration of vRealize Operations Manager

haldaemon:!:102:
kmem:x:9:
mail:x:12:
man:x:62:
messagebus:!:101:
modem:x:43:
nobody:x:65533:
nogroup:x:65534:nobody
ntp:!:106:
polkituser:!:105:
public:x:32:
root:x:0:admin
shadow:x:15:
sshd:!:65:
suse-ncc:!:107:
sys:x:3:
tape:!:103:
trusted:x:42:
tty:x:5:
utmp:x:22:
uuidd:!:104:
video:x:33:u1,tcserver,postgres
wheel:x:10:root,admin
www:x:8:
xok:x:41:
maildrop:!:1001:
postfix:!:51:
users:x:100:
vami:!:1002:root
nginx:!:108:
admin:!:1003:
vfabric:!:1004:admin,wwwrun

Resetting the vRealize Operations Manager Administrator Password
(Linux)
As a security best practice, you can reset the vRealize Operations Manager password on Linux clusters for
vApp or Linux installations.
Procedure
1

Log in to the remote console of the master node as root.

2

Enter the $VMWARE_PYTHON_BIN $VCOPS_BASE/../vmwarevcopssuite/utilities/sliceConfiguration/bin/vcopsSetAdminPassword.py --reset command and
follow the prompts.

VMware, Inc.

19

Secure Configuration

Configure NTP on VMware Appliances
For critical time sourcing, disable host time synchronization and use the Network Time Protocol (NTP) on
VMware appliances. You must configure a trusted remote NTP server for time synchronization. The NTP
server must be an authoritative time server or at least synchronized with an authoritative time server.
The NTP daemon on VMware virtual appliances provides synchronized time services. NTP is disabled by
default, so you need to configure it manually. If possible, use NTP in production environments to track user
actions and to detect potential malicious attacks and intrusions through accurate audit and log keeping. For
information about NTP security notices, see the NTP Web site.
The NTP configuration file is located in the /etc/ntp.conf file on each appliance.
Procedure
1

Navigate to the /etc/ntp.conf configuration file on your virtual appliance host machine.

2

Set the file ownership to root:root.

3

Set the permissions to 0640.

4

To mitigate the risk of a denial-of-service amplification attack on the NTP service, open
the /etc/ntp.conf file and ensure that the restrict lines appear in the file.
restrict
restrict
restrict
restrict

5

default kod nomodify notrap nopeer noquery
-6 default kod nomodify notrap nopeer noquery
127.0.0.1
-6 ::1

Save any changes and close the files.
For information on NTP security notices, see http://support.ntp.org/bin/view/Main/SecurityNotice.

Disable the TCP Timestamp Response on Linux
Use the TCP timestamp response to approximate the remote host's uptime and aid in further attacks.
Additionally, some operating systems can be fingerprinted based on the behavior of their TCP time stamps.
Procedure
u

Disable the TCP timestamp response on Linux.
a

To set the value of net.ipv4.tcp_timestamps to 0, run the sysctl -w net.ipv4.tcp_timestamps=0
command.

b

Add the ipv4.tcp_timestamps=0 value in the default sysctl.conf file.

Enable FIPS 140-2 Mode
The version of OpenSSL that is shipped with vRealize Operations Manager 6.3 and later releases is FIPS
140-2 certified. However, the FIPS mode is not enabled by default.
You can enable the FIPS mode if there is a security compliance requirement to use FIPS certified
cryptographic algorithms with the FIPS mode enabled.
Procedure
1

To replace the mod_ssl.so file run the following command:
cd /usr/lib64/apache2-prefork/
cp mod_ssl.so mod_ssl.so.old
cp mod_ssl.so.FIPSON.openssl1.0.2 mod_ssl.so

20

VMware, Inc.

Chapter 3 Secure Configuration of vRealize Operations Manager

2

Modify your Apache2 configuration by editing the /etc/apache2/ssl-global.conf file.

3

Search for the  line and add the SSLFIPS on directive below it.

4

To reset the Apache configuration, run the service apache2 restart command.

TLS for Data in Transit
As a security best practice, ensure that the system is deployed with secure transmission channels.

Configure Strong Protocols for vRealize Operations Manager
Protocols such as SSLv2 and SSLv3 are no longer considered secure. In addition, it is recommended that you
disable TLS 1.0. Enable only TLS 1.1 and TLS 1.2.

Verify the Correct Use of Protocols in Apache HTTPD
vRealize Operations Manager disables SSLv2 and SSLv3 by default. You must disable weak protocols on all
load balancers before you put the system into production.
Procedure
1

Run the grep SSLProtocol /usr/lib/vmware-vcopssuite/utilities/conf/vcops-apache.conf | grep v '#' command from the command prompt to verify that SSLv2 and SSLv3 are disabled.
If the protocols are disabled, the command returns the following output: SSLProtocol All -SSLv2 SSLv3

2

To also disable the TLS 1.0 protocol, run the sed -i "/^[^#]*SSLProtocol/ c\SSLProtocol All -SSLv2
-SSLv3 -TLSv1" /usr/lib/vmware-vcopssuite/utilities/conf/vcops-apache.conf command from the
command prompt.

3

To restart the Apache2 server, run the /etc/init.d/apache2 restart command from the command
prompt.

Verify the Correct Use of Protocols in the GemFire TLS Handler
vRealize Operations Manager disables SSLv3 by default. You must disable weak protocols on all load
balancers before you put the system into production.
Procedure
1

Verify that the protocols are enabled. To verify that the protocols are enabled, run the following
commands on each node:
grep cluster-ssl-protocol /usr/lib/vmware-vcops/user/conf/gemfire.properties | grep -v '#'

The following result is expected:
cluster-ssl-protocols=TLSv1.2 TLSv1.1 TLSv1
grep cluster-ssl-protocol /usr/lib/vmware-vcops/user/conf/gemfire.native.properties | grep v '#'

The following result is expected:
cluster-ssl-protocols=TLSv1.2 TLSv1.1 TLSv1
grep cluster-ssl-protocol /usr/lib/vmware-vcops/user/conf/gemfire.locator.properties | grep v '#'

The following result is expected:
cluster-ssl-protocols=TLSv1.2 TLSv1.1 TLSv1

VMware, Inc.

21

Secure Configuration

2

Disable TLS 1.0.
a

Navigate to the administrator user interface at url/admin .

b

Click Bring Offline.

c

To disable SSLv3 and TLS 1.0, run the following commands:
sed -i "/^[^#]*cluster-ssl-protocol/ c\cluster-ssl-protocols=TLSv1.2
TLSv1.1" /usr/lib/vmware-vcops/user/conf/gemfire.properties
sed -i "/^[^#]*cluster-ssl-protocol/ c\cluster-ssl-protocols=TLSv1.2
TLSv1.1" /usr/lib/vmware-vcops/user/conf/gemfire.native.properties
sed -i "/^[^#]*cluster-ssl-protocol/ c\cluster-ssl-protocols=TLSv1.2
TLSv1.1" /usr/lib/vmware-vcops/user/conf/gemfire.locator.properties

Repeat this step for each node

3

d

Navigate to the administrator user interface.

e

Click Bring Online.

Reenable TLS 1.0.
a

Navigate to the administrator user interface to bring the cluster offline: url/admin.

b

Click Bring Offline.

c

To ensure that SSLv3 and TLS 1.0 are disabled, run the following commands:
sed -i
TLSv1"
sed -i
TLSv1"
sed -i
TLSv1"

"/^[^#]*cluster-ssl-protocol/ c\cluster-ssl-protocols=TLSv1.2 TLSv1.1
/usr/lib/vmware-vcops/user/conf/gemfire.properties
"/^[^#]*cluster-ssl-protocol/ c\cluster-ssl-protocols=TLSv1.2 TLSv1.1
/usr/lib/vmware-vcops/user/conf/gemfire.native.properties
"/^[^#]*cluster-ssl-protocol/ c\cluster-ssl-protocols=TLSv1.2 TLSv1.1
/usr/lib/vmware-vcops/user/conf/gemfire.locator.properties

Repeat this step for each node.
d

Navigate to the administrator user interface to bring the cluster online.

e

Click Bring Online.

Configure vRealize Operations Manager to Use Strong Ciphers
For maximum security, you must configure vRealize Operations Manager components to use strong ciphers.
To ensure that only strong ciphers are selected, disable the use of weak ciphers. Configure the server to
support only strong ciphers and to use sufficiently large key sizes. Also, configure the ciphers in a suitable
order.
vRealize Operations Manager disables the use of cipher suites using the DHE key exchange by default.
Ensure that you disable the same weak cipher suites on all load balancers before you put the system into
production.

Using Strong Ciphers
The encryption cipher negotiated between the server and the browser determines the key exchange method
and encryption strength that is used in a TLS session.

22

VMware, Inc.

Chapter 3 Secure Configuration of vRealize Operations Manager

Verify the Correct Use of Cipher Suites in Apache HTTPD
For maximum security, verify the correct use of cipher suites in Apache httpd.
Procedure
1

To verify the correct use of cipher suites in Apache httpd, run the grep
SSLCipherSuite /usr/lib/vmware-vcopssuite/utilities/conf/vcops-apache.conf | grep -v '#'

command from the command prompt.
If Apache httpd uses the correct cipher suites, the command returns the following output:
SSLCipherSuite kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:!aNULL!ADH:!
EXP:!MD5:!3DES:!CAMELLIA:!PSK:!SRP:!DH

2

To configure the correct use of cipher suites, run the sed -i "/^[^#]*SSLCipherSuite/
c\SSLCipherSuite kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:\!aNULL\!
ADH:\!EXP:\!MD5:\!3DES:\!CAMELLIA:\!PSK:\!SRP:\!DH" /usr/lib/vmwarevcopssuite/utilities/conf/vcops-apache.conf command from the command prompt.

Run this command if the output in Step 1 is not as expected.
This command disables all cipher suites that use DH and DHE key exchange methods.
3

Run the /etc/init.d/apache2 restart command from the command prompt to restart the Apache2
server.

4

To reenable DH, remove !DH from the cipher suites by running the sed -i "/^[^#]*SSLCipherSuite/
c\SSLCipherSuite kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:\!aNULL\!
ADH:\!EXP:\!MD5:\!3DES:\!CAMELLIA:\!PSK:\!SRP" /usr/lib/vmwarevcopssuite/utilities/conf/vcops-apache.conf command from the command prompt.

5

Run the /etc/init.d/apache2 restart command from the command prompt to restart the Apache2
server.

Verify the Correct Use of Cipher Suites in GemFire TLS Handler
For maximum security, verify the correct use of cipher suites in GemFire TLS Handler.
Procedure
1

To verify that the cipher suites are enabled, run the following commands on each node to verify that the
protocols are enabled:
grep cluster-ssl-ciphers /usr/lib/vmware-vcops/user/conf/gemfire.properties | grep -v '#'
grep cluster-ssl-ciphers /usr/lib/vmware-vcops/user/conf/gemfire.native.properties | grep -v
'#'
grep cluster-ssl-ciphers /usr/lib/vmware-vcops/user/conf/gemfire.locator.properties | grep -v
'#'

2

VMware, Inc.

Configure the correct cipher suites.
a

Navigate to the administrator user interface at URL/admin.

b

To bring the cluster offline, click Bring Offline.

23

Secure Configuration

c

To configure the correct cipher suites, run the following commands:
sed -i "/^[^#]*cluster-ssl-ciphers/ c\cluster-sslciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" /usr/lib/vmwarevcops/user/conf/gemfire.properties
sed -i "/^[^#]*cluster-ssl-ciphers/ c\cluster-sslciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" /usr/lib/vmwarevcops/user/conf/gemfire.native.properties
sed -i "/^[^#]*cluster-ssl-ciphers/ c\cluster-sslciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" /usr/lib/vmwarevcops/user/conf/gemfire.locator.properties

Repeat this step for each node.
d

Navigate to the administrator user interface at URL/admin.

e

Click Bring Online.

Enabling TLS on Localhost Connections
By default, the localhost connections to the PostgreSQL database do not use TLS. To enable TLS, you have to
either generate a self-signed certificate with OpenSSL or provide your own certificate.
To enable TLS on localhost connections to PostgreSQL, complete the following steps:
1

“Generate or Provide Your Own Self-Signed Certificate with OpenSSL,” on page 24

2

“Install the Certificate for PostgreSQL,” on page 24

3

“Enable TLS on PostgreSQL,” on page 25

Generate or Provide Your Own Self-Signed Certificate with OpenSSL
Localhost connections to the PostgreSQL database do not use TLS. To enable TLS, you can generate your
own self-signed certificate with OpenSSL or provide your own certificate.
n

To generate a self-signed certificate with OpenSSL, run the following commands:
openssl req -new -text -out cert.req
openssl rsa -in privkey.pem -out cert.pem
openssl req -x509 -in cert.req -text -key cert.pem -out cert.cert

n

To provide your own certificate, complete the following steps:
n

Modify the ownership of the CAcerts.crt file to postgres.

n

Edit the postgresql.conf file to include the directive ssl_ca_file = 'CAcerts.crt.
If you are using a certificate with a CA chain, you must add a CAcerts.crt file containing the
intermediate and root CA certificates to the same directory.

Install the Certificate for PostgreSQL
You must install the certificate for PostgreSQL when you enable TLS on localhost connections to
PostgreSQL.
Procedure

24

1

Copy the cert.pem file to /storage/db/vcops/vpostgres/data/server.key.

2

Copy the cert.cert file to /storage/db/vcops/vpostgres/data/server.crt.

3

Run the chmod 600 /storage/db/vcops/vpostgres/data/server.key command.

VMware, Inc.

Chapter 3 Secure Configuration of vRealize Operations Manager

4

Run the chmod 600 /storage/db/vcops/vpostgres/data/server.crt command.

5

Run the chown postgres /storage/db/vcops/vpostgres/data/server.key and chown
postgres /storage/db/vcops/vpostgres/data/server.crt commands to change the ownership of the
server.crt and server.key files from root to postgres.

Enable TLS on PostgreSQL
You must edit the postgresql.conf file to enable TLS on localhost connections to PostgreSQL.
Procedure
u

Edit the postgresql.conf file at /storage/db/vcops/vpostgres/data/ and make the following changes:
a

Set ssl = on.

b

Set ssl_cert_file = 'server.crt'.

c

Set ssl_key_file = 'server.key'.

Application Resources That Must be Protected
As a security best practice, ensure that the application resources are protected.
Follow the steps to ensure that the application resources are protected.
Procedure
1

Run the Find / -path /proc -prune -o -type f -perm +6000 -ls command to verify that the files
have a well defined SUID and GUID bits set.
The following list appears:

VMware, Inc.

354131
24 -rwsr-xr-x
354126
20 -rwxr-sr-x
helper
354125
20 -rwxr-sr-x
grant-helper
354130
24 -rwxr-sr-x
helper
354127
12 -rwsr-x--helper-pam
354128
16 -rwxr-sr-x
helper
73886
84 -rwsr-xr-x
73888
88 -rwsr-xr-x
73887
20 -rwsr-xr-x
73890
84 -rwsr-xr-x
73799
73889
73884
73885
73916
296275
353804
278545
278585
278544
278638
278637

240
20
92
88
40
28
816
36
40
40
72
100

-rwsr-xr-x
-rwsr-xr-x
-rwsr-xr-x
-rwsr-xr-x
-rwsr-x---rwsr-xr-x
-r-xr-sr-x
-rwsr-xr-x
-rwsr-xr-x
-rwsr-xr-x
-rwsr-xr-x
-rwsr-xr-x

1 polkituser root 23176 /usr/lib/PolicyKit/polkit-set-default-helper
1 root
polkituser
19208 /usr/lib/PolicyKit/polkit-grant1 root

polkituser

19008 /usr/lib/PolicyKit/polkit-explicit-

1 root

polkituser

23160 /usr/lib/PolicyKit/polkit-revoke-

1 root

polkituser

10744 /usr/lib/PolicyKit/polkit-grant-

1 root

polkituser

14856 /usr/lib/PolicyKit/polkit-read-auth-

1
1
1
1

root
root
root
root

shadow
shadow
shadow
root

77848
85952
19320
81856

1
1
1
1
1
1
1
1
1
1
1
1

root
root
root
root
root
root
root
root
root
root
root
root

root
root
shadow
shadow
trusted
root
mail
root
root
root
root
root

238488
19416
86200
82472
40432
26945
829672
35792
40016
40048
69240
94808

/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/expiry
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/chage
/usr/bin/chfn
/usr/bin/crontab
/usr/lib64/pt_chown
/usr/sbin/sendmail
/bin/ping6
/bin/su
/bin/ping
/bin/umount
/bin/mount

25

Secure Configuration

475333
helper
41001
41118

2

48 -rwsr-x---

1 root

messagebus

36 -rwsr-xr-x
12 -rwsr-xr-x

1 root
1 root

shadow
shadow

47912 /lib64/dbus-1/dbus-daemon-launch35688 /sbin/unix_chkpwd
10736 /sbin/unix2_chkpwd

Run the find / -path */proc -prune -o -nouser -o -nogroup command to verify that all the files in
the vApp have an owner.
All the files have an owner if there are no results.

3

Run the find / -name "*.*" -type f -perm -a+w | xargs ls -ldb command to verify that none of the
files are world writable files by reviewing permissions of all the files on the vApp.
None of the files must include the permission xx2.

4

Run the find / -path */proc -prune -o ! -user root -o -user admin -print command to verify that
the files are owned by the correct user.
All the files belong to either root or admin if there are no results.

5

Run the find /usr/lib/vmware-casa/ -type f -perm -o=w command to ensure that files in
the /usr/lib/vmware-casa/ directory are not world writable.
There must be no results.

6

Run the find /usr/lib/vmware-vcops/ -type f -perm -o=w command to ensure that files in
the /usr/lib/vmware-vcops/ directory are not world writable.
There must be no results.

7

Run the find /usr/lib/vmware-vcopssuite/ -type f -perm -o=w command to ensure that files in
the /usr/lib/vmware-vcopssuite/ directory are not world writable.
There must be no results.

Configure PostgreSQL Client Authentication
You can configure the system for client authentication. You can configure the system for local trust
authentication. This allows any local user, including the database super user to connect as a PostgreSQL user
without a password. If you want to provide a strong defense and if you do not have significant trust in all
local user accounts, use another authentication method. The md5 method is set by default. Verify that md5
is set for all local and host connections.
You can find the client authentication configuration settings for the postgres service instance
in /storage/db/vcops/vpostgres/data/pg_hba.conf. Verify that md5 is set for all local and host connections.
The client authentication configuration settings for the postgres-repl service instance can be found
in /storage/db/vcops/vpostgres/repl/pg_hba.conf. Verify that md5 is set for all local and host connections.
Note Do not modify client configuration settings for the postgres user account.

26

VMware, Inc.

Chapter 3 Secure Configuration of vRealize Operations Manager

Apache Configuration
Disable Web Directory Browsing
As a security best practice, ensure that a user cannot bowse through a directory because it can increase the
risk of exposure to directory traversal attacks.
Procedure
u

Verify that web directory browsing is disabled for all directories.
a

Open the /etc/apache2/default-server.conf and /usr/lib/vmwarevcopssuite/utilities/conf/vcops-apache.conf files in a text editor.

b

Verify that for each  listing, the option called Indexes for the relevant tag is omitted
from the Options line.

Remove the Sample Code for the Apache2 Server
Apache includes two sample Common Gateway Interface (CGI) scripts, printenv and test-cgi. A
production Web server must contain only components that are operationally necessary. These components
have the potential to disclose critical information about the system to an attacker.
As a security best practice, delete the CGI scripts from the cgi-bin directory.
Procedure
u

To remove test-cgi and prinenv scripts, run the rm /usr/share/doc/packages/apache2/test-cgi and
rm /usr/share/doc/packages/apache2/printenv commands.

Verify Server Tokens for the Apache2 Server
As part of your system hardening process, verify server tokens for the Apache2 server. The Web server
response header of an HTTP response can contain several fields of information. Information includes the
requested HTML page, the Web server type and version, the operating system and version, and ports
associated with the Web server. This information provides malicious users important information without
the use of extensive tools.
The directive ServerTokens must be set to Prod. For example, ServerTokens Prod. This directive controls
whether the response header field of the server that is sent back to clients includes a description of the
operating system and information about compiled-in modules.
Procedure
1

To verify server tokens, run the cat /etc/apache2/sysconfig.d/global.conf | grep ServerTokens
command.

2

To modify ServerTokens OS to ServerTokens Prod, run the sed -i
's/\(ServerTokens\s\+\)OS/\1Prod/g' /etc/apache2/sysconfig.d/global.conf command.

Disable the Trace Method for the Apache2 Server
In standard production operations, use of diagnostics can reveal undiscovered vulnerabilities that lead to
compromised data. To prevent misuse of data, disable the HTTP Trace method.
Procedure
1

VMware, Inc.

To verify the Trace method for the Apache2 server, run the following command grep
TraceEnable /usr/lib/vmware-vcopssuite/utilities/conf/vcops-apache.conf.

27

Secure Configuration

2

To disable the Trace method for the Apache2 server, run the following command sed -i
"/^[^#]*TraceEnable/ c\TraceEnable off" /usr/lib/vmware-vcopssuite/utilities/conf/vcopsapache.conf.

Disable Configuration Modes
As a best practice, when you install, configure, or maintain vRealize Operations Manager, you can modify
the configuration or settings to enable troubleshooting and debugging of your installation.
Catalog and audit each of the changes you make to ensure that they are properly secured. Do not put the
changes into production if you are not sure that your configuration changes are correctly secured.

Managing Nonessential Software Components
To minimize security risks, remove or configure nonessential software from your
vRealize Operations Manager host machines.
Configure all software that you do not remove in accordance with manufacturer recommendations and
security best practices to minimize its potential to create security breaches.

Secure the USB Mass Storage Handler
Secure the USB mass storage handler to prevent it from loading by default on vRealize appliances and to
prevent its use as the USB device handler with the vRealize appliances. Potential attackers can exploit this
handler to install malicious software.
Procedure
1

Open the/etc/modprobe.conf.local file in a text editor.

2

Ensure that the install usb-storage /bin/true line appears in the file.

3

Save the file and close it.

Secure the Bluetooth Protocol Handler
Secure the Bluetooth protocol handler on your vRealize Appliances to prevent potential attackers from
exploiting it.
Binding the Bluetooth protocol to the network stack is unnecessary and can increase the attack surface of the
host. Prevent the Bluetooth protocol handler module from loading by default on vRealize Appliances.
Procedure
1

Open the /etc/modprobe.conf.local file in a text editor.

2

Ensure that the line install bluetooth /bin/true appears in this file.

3

Save the file and close it.

Secure the Stream Control Transmission Protocol
Prevent the Stream Control Transmission Protocol (SCTP) module from loading on vRealize appliances by
default. Potential attackers could exploit this protocol to compromise your system.
Configure your system to prevent the SCTP module from loading unless it is absolutely necessary. SCTP is
an unused IETF-standardized transport layer protocol. Binding this protocol to the network stack increases
the attack surface of the host. Unprivileged local processes might cause the kernel to dynamically load a
protocol handler by using the protocol to open a socket.

28

VMware, Inc.

Chapter 3 Secure Configuration of vRealize Operations Manager

Procedure
1

Open the /etc/modprobe.conf.local file in a text editor.

2

Ensure that the following line appears in this file.
install sctp /bin/true

3

Save the file and close it.

Secure the Datagram Congestion Control Protocol
As part of your system hardening activities, prevent the Datagram Congestion Control Protocol (DCCP)
module from loading on vRealize appliances by default. Potential attackers can exploit this protocol to
compromise your system.
Avoid loading the DCCP module, unless it is absolutely necessary. DCCP is a proposed transport layer
protocol, which is not used. Binding this protocol to the network stack increases the attack surface of the
host. Unprivileged local processes can cause the kernel to dynamically load a protocol handler by using the
protocol to open a socket.
Procedure
1

Open the /etc/modprobe.conf.local file in a text editor.

2

Ensure that the DCCP lines appear in the file.
install dccp /bin/true
install dccp_ipv4 /bin/true
install dccp_ipv6 /bin/true

3

Save the file and close it.

Secure Reliable Datagram Sockets Protocol
As part of your system hardening activities, prevent the Reliable Datagram Sockets (RDS) protocol from
loading on your vRealize appliances by default. Potential attackers can exploit this protocol to compromise
your system.
Binding the RDS protocol to the network stack increases the attack surface of the host. Unprivileged local
processes might cause the kernel to dynamically load a protocol handler by using the protocol to open a
socket.
Procedure
1

Open the /etc/modprobe.conf.local file in a text editor.

2

Ensure that the install rds /bin/true line appears in this file.

3

Save the file and close it.

Secure the Transparent Inter-Process Communication Protocol
As part of your system hardening activities, prevent the Transparent Inter-Process Communication protocol
(TIPC) from loading on your virtual appliance host machines by default. Potential attackers can exploit this
protocol to compromise your system.
Binding the TIPC protocol to the network stack increases the attack surface of the host. Unprivileged local
processes can cause the kernel to dynamically load a protocol handler by using the protocol to open a
socket.
Procedure
1

VMware, Inc.

Open the /etc/modprobe.conf.local file in a text editor.

29

Secure Configuration

2

Ensure that the install tipc /bin/true line appears in this file.

3

Save the file and close it.

Secure Internet Packet Exchange Protocol
Prevent the Internetwork Packet Exchange (IPX) protocol from loading vRealize appliances by default.
Potential attackers could exploit this protocol to compromise your system.
Avoid loading the IPX protocol module unless it is absolutely necessary. IPX protocol is an obsolete
network-layer protocol. Binding this protocol to the network stack increases the attack surface of the host.
Unprivileged local processes might cause the system to dynamically load a protocol handler by using the
protocol to open a socket.
Procedure
1

Open the /etc/modprobe.conf.local file in a text editor.

2

Ensure that the line install ipx /bin/true appears in this file.

3

Save the file and close it.

Secure Appletalk Protocol
Prevent the Appletalk protocol from loading on vRealize appliances by default. Potential attackers might
exploit this protocol to compromise your system.
Avoid loading the Appletalk Protocol module unless it is absolutely necessary. Binding this protocol to the
network stack increases the attack surface of the host. Unprivileged local processes might cause the system
to dynamically load a protocol handler by using the protocol to open a socket.
Procedure
1

Open the /etc/modprobe.conf.local file in a text editor.

2

Ensure that the line install appletalk /bin/true appears in this file.

3

Save the file and close it.

Secure DECnet Protocol
Prevent the DECnet protocol from loading on your system by default. Potential attackers might exploit this
protocol to compromise your system.
Avoid loading the DECnet Protocol module unless it is absolutely necessary. Binding this protocol to the
network stack increases the attack surface of the host. Unprivileged local processes could cause the system
to dynamically load a protocol handler by using the protocol to open a socket.
Procedure
1

Open the DECnet Protocol /etc/modprobe.conf.local file in a text editor.

2

Ensure that the line install decnet /bin/true appears in this file.

3

Save the file and close it.

Secure Firewire Module
Prevent the Firewire module from loading on vRealize appliances by default. Potential attackers might
exploit this protocol to compromise your system.
Avoid loading the Firewire module unless it is absolutely necessary.

30

VMware, Inc.

Chapter 3 Secure Configuration of vRealize Operations Manager

Procedure
1

Open the /etc/modprobe.conf.local file in a text editor.

2

Ensure that the line install ieee1394 /bin/true appears in this file.

3

Save the file and close it.

Kernel Message Logging
The kernel.printk specification in the /etc/sysctl.conf file specifies the kernel print logging
specifications.
There are 4 values specified:
n

console loglevel. The lowest priority of messages printed to the console.

n

default loglevel. The lowest level for messages without a specific log level.

n

The lowest possible level for the console log level.

n

The default value for console log level.

There are eight possible entries per value.
n

define KERN_EMERG "<0>" /* system is unusable */

n

define KERN_ALERT "<1>" /* action must be taken immediately */

n

define KERN_CRIT "<2>" /* critical conditions */

n

define KERN_ERR "<3>" /* error conditions */

n

define KERN_WARNING "<4>" /* warning conditions */

n

define KERN_NOTICE "<5>" /* normal but significant condition */

n

define KERN_INFO "<6>" /* informational */

n

define KERN_DEBUG "<7>" /* debug-level messages */

Set the kernel.printk values to 3 4 1 7 and ensure that the line kernel.printk=3 4 1 7 exists in
the /etc/sysctl.conf file.

End Point Operations Management Agent
The End Point Operations Management agent adds agent-based discovery and monitoring capabilities to
vRealize Operations Manager.
The End Point Operations Management agent is installed on the hosts directly and might or might not be at
the same level of trust as the End Point Operations Management server. Therefore, you must verify that the
agents are securely installed.

Security Best Practices for Running End Point Operations Management Agents
You must follow certain security best practices while using user accounts.
n

For a silent installation, remove any credentials and server certificate thumbprints that were stored in
the AGENT_HOME/conf/agent.properties file.

n

Use a vRealize Operations Manager user account reserved specifically for
End Point Operations Management agent registration. For more information, see the topic called "Roles
and Privileges" in vRealize Operations Manager in the vRealize Operations Manager Help.

VMware, Inc.

31

Secure Configuration

n

Disable the vRealize Operations Manager user account that you use for agent registration after the
installation is over. You must enable the user’s access for agent administration activities. For more
information, see the topic called Configuring Users and Groups in vRealize Operations Manager in the
vRealize Operations Manager Help.

n

If a system that runs an agent is compromised, you can revoke the agent certificate using the
vRealize Operations Manager user interface by removing the agent resource. See the section called
Revoking an Agent for more detail.

Minimum Required Permissions for Agent Functionality
You require permissions to install and modify a service. If you want to discover a running process, the user
account you use to run the agent must also have privileges to access the processes and programs. For
Windows operating system installations, you require permissions to install and modify a service. For Linux
installations, you require permission to install the agent as a service, if you install the agent using a RPM
installer.
The minimum credentials that are required for the agent to register with the vRealize Operations Manager
server are those for a user granted the Agent Manager role, without any assignment to objects within the
system.

Linux Based Platform Files and Permissions
After you install the End Point Operations Management agent, the owner is the user that installs the agent.
The installation directory and file permissions such as 600 and 700, are set to the owner when the user who
installs the End Point Operations Management agent extracts the TAR file or installs the RPM.
Note When you extract the ZIP file, the permissions might not be correctly applied. Verify and ensure that
the permissions are correct.
All the files that are created and written to by the agent are given 700 permissions with the owner being the
user who runs the agent.
Table 3‑1. Linux Files and Permissions
Directory or File

Permissi
ons

Groups or
Users

Read

Write

Execute

agent directory/bin

700

Owner

Yes

Yes

Yes

Group

No

No

No

All

No

No

No

Owner

Yes

Yes

Yes

Group

No

No

No

All

No

No

No

Owner

Yes

Yes

No

Group

No

No

No

All

No

No

No

Owner

Yes

Yes

Yes

Group

No

No

No

All

No

No

No

Owner

Yes

Yes

No

Group

No

No

No

All

No

No

No

agent directory/conf

agent directory/log

agent directory/data

agent directory/bin/epagent.bat

32

700

700

700

600

VMware, Inc.

Chapter 3 Secure Configuration of vRealize Operations Manager

Table 3‑1. Linux Files and Permissions (Continued)
Directory or File
agent directory/bin/epagent.sh

agent directory/conf/*

Permissi
ons

Groups or
Users

Read

Write

Execute

700

Owner

Yes

Yes

Yes

Group

No

No

No

All

No

No

No

Owner

Yes

Yes

Yes

Group

No

No

No

All

No

No

No

Owner

Yes

Yes

No

Group

No

No

No

All

No

No

No

Owner

Yes

Yes

No

Group

No

No

No

All

No

No

No

600

(all files in the conf
directory)
agent directory/log/*

600

(all files in the log
directory)
agent directory/data/*

600

(all files in the data
directory)

Windows Based Platform Files and Permissions
For a Windows based installation of the End Point Operations Management agent, the user installing the
agent must have permissions to install and modify the service.
After you install the End Point Operations Management agent, the installation folder including all
subdirectories and files should only be accessible by the SYSTEM, the administrators group, and the
installation user. When you install the End Point Operations Management agent using ep-agent.bat, ensure
that the hardening process succeeds. As the user installing the agent, it is advised that you take note of any
error messages. If the hardening process fails, the user can apply these permissions manually.
Table 3‑2. Windows Files and Permissions
Directory or File
/bin

Groups or
Users

Full Control

Modify

Read and
Execute

Read

Write

SYSTEM

Yes

-

-

-

-

Administrator

Yes

-

-

-

-

Installation
User

Yes

-

-

-

-

-

-

-

-

Users
/conf

SYSTEM

Yes

-

-

-

-

Administrator

Yes

-

-

-

-

Installation
User

Yes

-

-

-

-

-

-

-

-

Users
/log

SYSTEM

Yes

-

-

-

-

Administrator

Yes

-

-

-

-

Installation
User

Yes

-

-

-

-

-

-

-

-

-

-

-

-

Users
/data

VMware, Inc.

SYSTEM

Yes

33

Secure Configuration

Table 3‑2. Windows Files and Permissions (Continued)
Directory or File

Groups or
Users

Full Control

Modify

Read and
Execute

Read

Write

Administrator

Yes

-

-

-

-

Installation
User

Yes

-

-

-

-

-

-

-

-

Users
/bin/hqagent.bat

SYSTEM

Yes

-

-

-

-

Administrator

Yes

-

-

-

-

Installation
User

Yes

-

-

-

-

-

-

-

-

Users
/bin/hqagent.sh

SYSTEM

Yes

-

-

-

-

Administrator

Yes

-

-

-

-

Installation
User

Yes

-

-

-

-

-

-

-

-

Users
/conf/*
(all files in the conf
directory)

SYSTEM

Yes

-

-

-

-

Administrator

Yes

-

-

-

-

Installation
User

Yes

-

-

-

-

-

-

-

-

Users
/log/*
(all files in the log
directory)

SYSTEM

Yes

-

-

-

-

Administrator

Yes

-

-

-

-

Installation
User

Yes

-

-

-

-

-

-

-

-

Users
/data/*
(all files in data
directory)

SYSTEM

Yes

-

-

-

-

Administrator

Yes

-

-

-

-

Installation
User

Yes

-

-

-

-

-

-

-

-

Users

34

VMware, Inc.

Chapter 3 Secure Configuration of vRealize Operations Manager

Open Ports on Agent Host
The agent process listens for commands on two ports 127.0.0.1:2144 and 127.0.0.1:32000 that are
configurable. These ports might be arbitrarily assigned, and so, the exact port number might vary. The agent
does not open ports on external interfaces.
Table 3‑3. Minimum Required Ports
Port

Protocol

Direction

Comments

443

TCP

Outgoing

Used by the agent for outgoing connections over HTTP, TCP, or ICMP.

2144

TCP

Listening

Internal Only. Configurable. Used for inter-process communication between
the agent and the command line that loads and configures it. The agent process
listens on this port.
Note The port number is assigned arbitrarily and might differ.

32000

TCP

Listening

Internal Only. Configurable. Used for inter-process communication between
the agent and the command line that loads and configures it. The agent process
listens on this port.
Note The port number is assigned arbitrarily and might differ.

Revoking an Agent
If for any reason you need to revoke an agent, for example when a system with a running agent is
compromised, you can delete the agent resource from the system. Any subsequent request will fail
verification.
Use the vRealize Operations Manager user interface to revoke the agent certificate by removing the agent
resource. For more information, see “Removing the Agent Resource,” on page 35.
When the system is secured again, you can reinstate the agent. For more information, see “Reinstate an
Agent Resource,” on page 36.

Removing the Agent Resource
You can use the vRealize Operations Manager to revoke the agent certificate by removing the agent
resource.
Prerequisites
To preserve the continuity of the resource with previously recorded metric data, take a record of the
End Point Operations Management agent token that is displayed in the resource details.
Procedure
1

Navigate to the Inventory Explorer in the vRealize Operations Manager user interface.

2

Open the Adapter Types tree.

3

Open the EP Ops Adapter list.

4

Select EP Ops Agent - *HOST_DNS_NAME*.

5

Click Edit Object.

6

Record the agent ID, which is the agent token string.

7

Close the Edit Object dialog box .

8

Select EP Ops Agent - *HOST_DNS_NAME* and click Delete Object.

VMware, Inc.

35

Secure Configuration

Reinstate an Agent Resource
When the secure state of a system is recovered, you can reinstate a revoked agent. This ensures that the
agent continues to report on the same resources without losing historical data. To do this you must create a
new End Point Operations Management token file by using the same token recorded before you removed
the agent resource. See the section called Removing The Agent Resource.
Prerequisites
n

Ensure that you have the recorded End Point Operations Management token string.

n

Use the resource token recorded prior to removing the agent resource from the
vRealize Operations Manager server.

n

Ensure that you have the Manage Agent privilege.

Procedure
1

Create the agent token file with the user that runs the agent.
For example, run the command to create a token file containing the 123-456-789 token.
n

On Linux:
echo 123-456-789 > /etc/epops/epops-token

n

On Windows:
echo 123-456-789 > %PROGRAMDATA%\VMware\Ep Ops Agent\epops-token

In the example, the token file is written to the default token location for that platform
2

Install a new agent and register it with the vRealize Operations Manager server. Ensure that the agent
loads the token you inserted in the token file.
You must have the Manage Agent privilege to perform this action.

Agent Certificate Revocation and Update of Certificates
The reissue flow is initiated from the agent using the setup command line argument. When an agent that is
already registered uses the setup command line argument ep-agent.sh setup and fills in the required
credentials, a new registerAgent command is sent to the server.
The server detects that the agent is already registered and sends the agent a new client certificate without
creating another agent resource. On the agent side, the new client certificate replaces the old one. In cases
where the server certificate is modified and you run the ep-agent.sh setup command, you will see a
message that asks you to trust the new certificate. You can alternatively provide the new server certificate
thumbprint in the agent.properties file prior to running the ep-agent.sh setup command, in order to make
the process silent.
Prerequisites
Manage agent privilege to revoke and update certificates.
Procedure
u

On Linux based operating systems, run the ep-agent.sh setup command on the agent host. On
Windows based operating systems, run the ep-agent.bat setup command.
If the agent detects that the server certificate has been modified, a message is displayed. Accept the new
certificate if you trust it and it is valid.

36

VMware, Inc.

Chapter 3 Secure Configuration of vRealize Operations Manager

Patching and Updating the End Point Operations Management Agent
If required, new End Point Operations Management agent bundles are available independent of
vRealize Operations Manager releases.
Patches or updates are not provided for the End Point Operations Management agent. You must install the
latest available version of the agent that includes the latest security fixes. Critical security fixes will be
communicated as per the VMware security advisory guidance. See the topic on Security Advisories.

Additional Secure Configuration Activities
Verify the server user accounts and delete unnecessary applications from the host servers. Block
unnecessary ports and disable the services running on your host server that are not required.

Verify Server User Account Settings
It is recommended that you verify that no unnecessary user accounts exist for local and domain user
accounts and settings.
Restrict any user account not related to the functioning of the application to those accounts required for
administration, maintenance, and troubleshooting. Restrict remote access from domain user accounts to the
minimum required to maintain the server. Strictly control and audit these accounts.

Delete and Disable Unnecessary Applications
Delete the unnecessary applications from the host servers. Each additional and unnecessary application
increases the risk of exposure because of their unknown or unpatched vulnerabilities.

Disabling Unnecessary Ports and Services
Verify the host server's firewall for the list of open ports that allow traffic.
Block all the ports that are not listed as a minimum requirement for vRealize Operations Manager in the
“Configuring Ports and Protocols,” on page 47 section of this document, or are not required. In addition,
audit the services running on your host server and disable those that are not required.

VMware, Inc.

37

Secure Configuration

38

VMware, Inc.

Network Security and Secure
Communication

4

As a security best practice, review and edit the network communication settings of your VMware virtual
appliances and host machines. You must also configure the minimum incoming and outgoing ports for
vRealize Operations Manager.
This chapter includes the following topics:
n

“Configuring Network Settings for Virtual Application Installation,” on page 39

n

“Configuring Ports and Protocols,” on page 47

Configuring Network Settings for Virtual Application Installation
To ensure that your VMware virtual appliance and host machines allow only safe and essential
communication, review and edit their network communication settings.

Prevent User Control of Network Interfaces
As a security best practice, restrict the ability to change the network interface setting to privileged users. If
users manipulate network interfaces, it might result in bypassing network security mechanisms or denial of
service. Ensure that network interfaces are not configured for user control.
Procedure
1

To verify user control settings, run the #grep -i '^USERCONTROL=' /etc/sysconfig/network/ifcfg*
command.

2

Make sure that each interface is set to NO.

Set the Queue Size for TCP Backlog
As a security best practice, configure a default TCP backlog queue size on VMware appliance host machines.
To mitigate TCP denial or service attacks, set an appropriate default size for the TCP backlog queue size. The
recommended default setting is 1280.
Procedure
1

VMware, Inc.

Run the # cat /proc/sys/net/ipv4/tcp_max_syn_backlog command on each VMware appliance host
machine.

39

Secure Configuration

2

Set the queue size for TCP backlog.
a

Open the /etc/sysctl.conf file in a text editor.

b

Set the default TCP backlog queue size by adding the following entry to the file.
net.ipv4.tcp_max_syn_backlog=1280

c

Save your changes and close the file.

Deny ICMPv4 Echoes to Broadcast Address
Responses to broadcast Internet Control Message Protocol (ICMP) echoes provide an attack vector for
amplification attacks and can facilitate network mapping by malicious agents. Configuring your system to
ignore ICMPv4 echoes provides protection against such attacks.
Procedure
1

Run the # cat /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts command to verify that the system is
not sending responses to ICMP broadcast address echo requests.

2

Configure the host system to deny ICMPv4 broadcast address echo requests.
a

Open the /etc/sysctl.conf file in a text editor.

b

If the value for this entry is not set to 1, add the net.ipv4.icmp_echo_ignore_broadcasts=1 entry.

c

Save the changes and close the file.

Configure the Host System to Disable IPv4 Proxy ARP
IPv4 Proxy ARP allows a system to send responses to ARP requests on one interface on behalf of hosts
connected to another interface. You must disable IPv4 Proxy ARP to prevent unauthorized information
sharing. Disable the setting to prevent leakage of addressing information between the attached network
segments.
Procedure
1

Run the # grep [01] /proc/sys/net/ipv4/conf/*/proxy_arp|egrep "default|all" command to verify
whether the Proxy ARP is disabled.

2

Configure the host system to disable IPv4 Proxy ARP.
a

Open the /etc/sysctl.conf file in a text editor.

b

If the values are not set to 0, add the entries or update the existing entries accordingly. Set the value
to 0.
net.ipv4.conf.all.proxy_arp=0
net.ipv4.conf.default.proxy_arp=0

c

Save any changes you made and close the file.

Configure the Host System to Ignore IPv4 ICMP Redirect Messages
As a security best practice, verify that the host system ignores IPv4 Internet Control Message Protocol
(ICMP) redirect messages. A malicious ICMP redirect message can allow a man-in-the-middle attack to
occur. Routers use ICMP redirect messages to notify hosts that a more direct route exists for a destination.
These messages modify the host's route table and are unauthenticated.
Procedure
1

40

Run the # grep [01] /proc/sys/net/ipv4/conf/*/accept_redirects|egrep "default|all" command
on the host system to check whether the host system ignores IPv4 redirect messages.

VMware, Inc.

Chapter 4 Network Security and Secure Communication

2

Configure the host system to ignore IPv4 ICMP redirect messages.
a

Open the /etc/sysctl.conf file.

b

If the values are not set to 0, add the following entries to the file or update the existing entries
accordingly. Set the value to 0.
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0

c

Save the changes and close the file.

Configure the Host System to Ignore IPv6 ICMP Redirect Messages
As a security best practice, verify that the host system ignores IPv6 Internet Control Message Protocol
(ICMP) redirect messages. A malicious ICMP redirect message might allow a man-in-the-middle attack to
occur. Routers use ICMP redirect messages to tell hosts that a more direct route exists for a destination.
These messages modify the host's route table and are unauthenticated.
Procedure
1

Run the # grep [01] /proc/sys/net/ipv6/conf/*/accept_redirects|egrep "default|all" command
on the host system and check whether it ignores IPv6 redirect messages.

2

Configure the host system to ignore IPv6 ICMP redirect messages.
a

Open the /etc/sysctl.conf to configure the host system to ignore the IPv6 redirect messages.

b

If the values are not set to 0, add the following entries to the file or update the existing entries
accordingly. Set the value to 0.
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0

c

Save the changes and close the file.

Configure the Host System to Deny IPv4 ICMP Redirects
As a security best practice, verify that the host system denies IPv4 Internet Control Message Protocol (ICMP)
redirects. Routers use ICMP redirect messages to inform servers that a direct route exists for a particular
destination. These messages contain information from the system's route table that might reveal portions of
the network topology.
Procedure
1

Run the # grep [01] /proc/sys/net/ipv4/conf/*/send_redirects|egrep "default|all" on the host
system to verify whether it denies IPv4 ICMP redirects.

2

Configure the host system to deny IPv4 ICMP redirects.
a

Open the /etc/sysctl.conf file to configure the host system.

b

If the values are not set to 0, add the following entries to the file or update the existing entries
accordingly. Set the value to 0.
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0

c

VMware, Inc.

Save the changes and close the file.

41

Secure Configuration

Configure the Host System to Log IPv4 Martian Packets
As a security best practice, verify that the host system logs IPv4 Martian packets. Martian packets contain
addresses that the system knows to be invalid. Configure the host system to log the messages so that you
can identify misconfigurations or attacks in progress.
Procedure
1

Run the # grep [01] /proc/sys/net/ipv4/conf/*/log_martians|egrep "default|all" command to
check whether the host logs IPv4 Martian packets.

2

Configure the host system to log IPv4 Martian packets.
a

Open the /etc/sysctl.conf file to configure the host system.

b

If the values are not set to 1, add the following entries to the file or update the existing entries
accordingly. Set the value to 1.
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1

c

Save the changes and close the file.

Configure the Host System to use IPv4 Reverse Path Filtering
As a security best practice, configure your host machines to use IPv4 reverse path filtering. Reverse path
filtering protects against spoofed source addresses by causing the system to discard packets with source
addresses that have no route or if the route does not point towards the originating interface.
Configure your system to use reverse-path filtering whenever possible. Depending on the system role,
reverse-path filtering might cause legitimate traffic to be discarded. In such cases, you might need to use a
more permissive mode or disable reverse-path filtering altogether.
Procedure
1

Run the # grep [01] /proc/sys/net/ipv4/conf/*/rp_filter|egrep "default|all" command on the
host system to check whether the system uses IPv4 reverse path filtering.

2

Configure the host system to use IPv4 reverse path filtering.
a

Open the /etc/sysctl.conf file to configure the host system.

b

If the values are not set to 1, add the following entries to the file or update the existing entries
accordingly. Set the value to 1.
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1

c

Save the changes and close the file.

Configure the Host System to Deny IPv4 Forwarding
As a security best practice, verify that the host system denies IPv4 forwarding. If the system is configured
for IP forwarding and is not a designated router, it could be used to bypass network security by providing a
path for communication that is not filtered by network devices.
Procedure
1

42

Run the # cat /proc/sys/net/ipv4/ip_forward command to verify whether the host denies IPv4
forwarding.

VMware, Inc.

Chapter 4 Network Security and Secure Communication

2

Configure the host system to deny IPv4 forwarding.
a

Open the /etc/sysctl.conf to configure the host system.

b

If the value is not set to 0, add the following entry to the file or update the existing entry
accordingly. Set the value to 0.
net.ipv4.ip_forward=0

c

Save the changes and close the file.

Configure the Host System to Deny Forwarding of IPv4 Source Routed Packets
Source-routed packets allow the source of the packet to suggest that routers forward the packet along a
different path than what is configured on the router, which can be used to bypass network security
measures.
This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is
enabled and the system is functioning as a router.
Procedure
1

Run the # grep [01] /proc/sys/net/ipv4/conf/*/accept_source_route|egrep "default|all"
command to verify whether the system does not use IPv4 source routed packets

2

Configure the host system to deny forwarding of IPv4 source routed packets.
a

Open the /etc/sysctl.conf file with a text editor.

b

If the values are not set to 0, ensure that net.ipv4.conf.all.accept_source_route=0 and the
et.ipv4.conf.default.accept_source_route=0 are set to 0.

c

Save and close the file.

Configure the Host System to Deny IPv6 Forwarding
As a security best practice, verify that the host system denies IPv6 forwarding. If the system is configured
for IP forwarding and is not a designated router, it can be used to bypass network security by providing a
path for communication that is not filtered by network devices.
Procedure
1

Run the # grep [01] /proc/sys/net/ipv6/conf/*/forwarding|egrep "default|all" command to verify
whether the host denies IPv6 forwarding.

2

Configure the host system to deny IPv6 forwarding.
a

Open the /etc/sysctl.conf to configure the host system.

b

If the values are not set to 0, add the following entries to the file or update the existing entries
accordingly. Set the value to 0.
net.ipv6.conf.all.forwarding=0
net.ipv6.conf.default.forwarding=0

c

VMware, Inc.

Save the changes and close the file.

43

Secure Configuration

Configure the Host System to Use IPv4 TCP Syncookies
As a security best practice, verify that the host system uses IPv4 Transmission Control Protocol (TCP)
Syncookies. A TCP SYN flood attack might cause a denial of service by filling a system's TCP connection
table with connections in the SYN_RCVD state. Syncookies are used so as not to track a connection until a
subsequent ACK is received, verifying that the initiator is attempting a valid connection and is not a flood
source.
This technique does not operate in a fully standards-compliant manner, but is only activated when a flood
condition is detected, and allows defence of the system while continuing to service valid requests.
Procedure
1

Run the # cat /proc/sys/net/ipv4/tcp_syncookies command to verify whether the host system uses
IPv4 TCP Syncookies.

2

Configure the host system to use IPv4 TCP syncookies.
a

Open the /etc/sysctl.conf to configure the host system.

b

If the value is not set to 1, add the following entry to the file or update the existing entry
accordingly. Set the value to 1.
net.ipv4.tcp_syncookies=1

c

Save the changes and close the file.

Configure the Host System to Deny IPv6 Router Advertisements
As a security best practice, verify that the host system denies the acceptance of router advertisements and
Internet Control Message Protocol (ICMP) redirects unless necessary. A feature of IPv6 is how systems can
configure their networking devices by automatically using information from the network. From a security
perspective, it is preferable to manually set important configuration information rather than accepting it
from the network in an unauthenticated way.
Procedure
1

Run the # grep [01] /proc/sys/net/ipv6/conf/*/accept_ra|egrep "default|all" command on the
host system to verify whether the system denies the acceptance of router advertisements and ICMP
redirects unless necessary.

2

Configure the host system to deny IPv6 router advertisements.
a

Open the /etc/sysctl.conf file.

b

If the values are not set to 0, add the following entries to the file or update the existing entries
accordingly. Set the value to 0.
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0

c

44

Save the changes and close the file.

VMware, Inc.

Chapter 4 Network Security and Secure Communication

Configure the Host System to Deny IPv6 Router Solicitations
As a security best practice, verify that host system denies IPv6 router solicitations unless necessary. The
router solicitations setting determines how many router solicitations are sent when bringing up the
interface. If addresses are assigned statically, there is no need to send any solicitations.
Procedure
1

Run the # grep [01] /proc/sys/net/ipv6/conf/*/router_solicitations|egrep "default|all"
command to verify whether the host system denies IPv6 router solicitations unless necessary.

2

Configure the host system to deny IPv6 router solicitations.
a

Open the /etc/sysctl.conf.

b

If the values are not set to 0, add the following entries to the file or update the existing entries
accordingly. Set the value to 0.
net.ipv6.conf.all.router_solicitations=0
net.ipv6.conf.default.router_solicitations=0

c

Save the changes and close the file.

Configure the Host System to Deny IPv6 Router Preference in Router
Solicitations
As a security best practice, verify that your host system denies IPv6 router solicitations unless necessary. The
router preference in the solicitations setting determines router preferences. If addresses are assigned
statically, there is no need to receive any router preference for solicitations.
Procedure
1

Run the # grep [01] /proc/sys/net/ipv6/conf/*/accept_ra_rtr_pref|egrep "default|all" on the
host system to verify whether the host system denies IPv6 router solicitations.

2

Configure the host system to deny IPv6 router preference in router solicitations.
a

Open the /etc/sysctl.conf file.

b

If the values are not set to 0, add the following entries to the file or update the existing entries
accordingly. Set the value to 0.
net.ipv6.conf.all.accept_ra_rtr_pref=0
net.ipv6.conf.default.accept_ra_rtr_pref=0

c

Save the changes and close the file.

Configure the Host System to Deny IPv6 Router Prefix
As a security best practice, verify that the host system denies IPv6 router prefix information unless
necessary. The accept ra pinfo setting controls whether the system accepts prefix information from the
router. If addresses are statically assigned, the system does not receive any router prefix information.
Procedure
1

VMware, Inc.

Run the # grep [01] /proc/sys/net/ipv6/conf/*/accept_ra_pinfo|egrep "default|all" to verify if
that system denies IPv6 router prefix information.

45

Secure Configuration

2

Configure the host system to deny IPv6 router prefix.
a

Open the /etc/sysctl.conf file.

b

If the values are not set to 0, add the following entries to the file or update the existing entries
accordingly. Set the value to 0.
net.ipv6.conf.all.accept_ra_pinfo=0
net.ipv6.conf.default.accept_ra_pinfo=0

c

Save the changes and close the file.

Configure the Host System to Deny IPv6 Router Advertisement Hop Limit
Settings
As a security best practice, verify that the host system denies IPv6 router advertisement Hop Limit settings
from a router advertisement unless necessary. The accept_ra_defrtr setting controls whether the system
will accept Hop Limit settings from a router advertisement. Setting it to 0 prevents a router from changing
your default IPv6 Hop Limit for outgoing packets.
Procedure
1

Run the # grep [01] /proc/sys/net/ipv6/conf/*/accept_ra_defrtr|egrep "default|all" command
to verify that the host system denies IPv6 router Hop Limit settings.

2

If the values are not set to 0, configure the host system to deny IPv6 router advertisement Hop Limit
settings.
a

Open the /etc/sysctl.conf file.

b

If the values are not set to 0, add the following entries to the file or update the existing entries
accordingly. Set the value to 0.
net.ipv6.conf.all.accept_ra_defrtr=0
net.ipv6.conf.default.accept_ra_defrtr=0

c

Save the changes and close the file.

Configure the Host System to Deny IPv6 Router Advertisement Autoconf
Settings
As a security best practice, verify that the host system denies IPv6 router advertisement autoconf settings.
The autoconf setting controls whether router advertisements can cause the system to assign a global unicast
address to an interface.
Procedure
1

Run the # grep [01] /proc/sys/net/ipv6/conf/*/autoconf|egrep "default|all" command to verify
whether the host system denies IPv6 router advertisement autoconf settings.

2

If the values are not set to 0, configure the host system to deny IPv6 router advertisement autoconf
settings.
a

Open the /etc/sysctl.conf file.

b

If the values are not set to 0, add the following entries to the file or update the existing entries
accordingly. Set the value to 0.
net.ipv6.conf.all.autoconf=0
net.ipv6.conf.default.autoconf=0

c

46

Save the changes and close the file.

VMware, Inc.

Chapter 4 Network Security and Secure Communication

Configure the Host System to Deny IPv6 Neighbor Solicitations
As a security best practice, verify that the host system denies IPv6 neighbor solicitations unless necessary.
The dad_transmits setting determines how many neighbor solicitations are to be sent out per address
including global and link-local, when you bring up an interface to ensure the desired address is unique on
the network.
Procedure
1

Run the # grep [01] /proc/sys/net/ipv6/conf/*/dad_transmits|egrep "default|all" command to
verify whether the host system denies IPv6 neighbor solicitations.

2

If the values are not set to 0, configure the host system to deny IPv6 neighbor solicitations.
a

Open the /etc/sysctl.conf file.

b

If the values are not set to 0, add the following entries to the file or update the existing entries
accordingly. Set the value to 0.
net.ipv6.conf.all.dad_transmits=0
net.ipv6.conf.default.dad_transmits=0

c

Save the changes and close the file.

Configure the Host System to Restrict IPv6 Maximum Addresses
As a security best practice, verify that the host restricts the maximum number of IPv6 addresses that can be
assigned. The maximum addresses setting determines how many global unicast IPv6 addresses can be
assigned to each interface. The default is 16 but you must set the number to the statically configured global
addresses required.
Procedure
1

Run the # grep [1] /proc/sys/net/ipv6/conf/*/max_addresses|egrep "default|all" command to
verify whether the host system restricts the maximum number of IPv6 addresses that can be assigned.

2

If the values are not set to 1, configure the host system to restrict the maximum number of IPv6
addresses that can be assigned.
a

Open the /etc/sysctl.conf file.

b

Add the following entries to the file or update the existing entries accordingly. Set the value to 1.
net.ipv6.conf.all.max_addresses=1
net.ipv6.conf.default.max_addresses=1

c

Save the changes and close the file.

Configuring Ports and Protocols
As a security best practice, disable all non-essential ports and protocols.
Configure the minimum incoming and outgoing ports for vRealize Operations Manager components as
required for important system components to operate in production.

VMware, Inc.

47

Secure Configuration

Minimum Default Incoming Ports
As a security best practice, configure the incoming ports required for vRealize Operations Manager to
operate in production.
Table 4‑1. Minimum Required Incoming Ports
Port

Protocol

Comments

443

TCP

Used to access the vRealize Operations Manager user
interface and the vRealize Operations Manager
administrator interface.

123

UDP

Used by vRealize Operations Manager for Network
Time Protocol (NTP) synchronization to the master
node.

5433

TCP

Used by the master and replica nodes to replicate the
global database (vPostgreSQL ) when high availability is
enabled .

7001

TCP

Used by Cassandra for secure inter-node cluster
communication.
Do not expose this port to the internet. Add this port to a
firewall.

9042

TCP

Used by Cassandra for secure client-related
communication among nodes.
Do not expose this port to the internet. Add this port to a
firewall.

6061

TCP

Used by clients to connect to the GemFire Locator to get
connection information to servers in the distributed
system. Also monitors server load to send clients to the
least-loaded servers.

10000-10010

TCP and UDP

GemFire Server ephemeral port range used for unicast
UDP messaging and for TCP failure detection in a peerto-peer distributed system.

20000-20010

TCP and UDP

GemFire Locator ephemeral port range used for unicast
UDP messaging and for TCP failure detection in a peerto-peer distributed system.

Table 4‑2. Optional Incoming Ports

48

Port

Protocol

Comments

22

TCP

Optional. Secure Shell (SSH). The SSH
service listening on port 22, or any
other port, must be disabled in a
production environment, and port 22
must be closed.

80

TCP

Optional. Redirects to 443.

3091-3101

TCP

When Horizon View is installed, used
to access data for
vRealize Operations Manager from
Horizon View.

VMware, Inc.

Auditing and Logging on your
vRealize Operations Manager System

5

As a security best practice, set up auditing and logging on your vRealize Operations Manager system.
The detailed implementation of auditing and logging is outside the scope of this document.
Remote logging to a central log host provides a secure store for logs. By collecting log files to a central host,
you can easily monitor the environment with a single tool. You can also perform aggregate analysis and
search for coordinated attacks on multiple entities within the infrastructure. Logging to a secure, centralized
log server can help prevent log tampering and also provide a long-term audit record.
This chapter includes the following topics:
n

“Securing the Remote Logging Server,” on page 49

n

“Use an Authorized NTP Server,” on page 49

n

“Client Browser Considerations,” on page 49

Securing the Remote Logging Server
As a security best practice, ensure that the remote logging server can be configured only by an authorized
user and is secure.
Attackers who breach the security of your host machine might search for and attempt to tamper with log
files to cover their tracks and maintain control without being discovered.

Use an Authorized NTP Server
Ensure that all the host systems use the same relative time source, including the relevant localization offset.
You can correlate the relative time source to an agreed-upon time standard such as Coordinated Universal
Time (UTC).
You can easily track and correlate an intruder's actions when you review the relevant log files. Incorrect time
settings can make it difficult to inspect and correlate log files to detect attacks, and can make auditing
inaccurate. You can use at the least three NTP servers from outside time sources or configure a few local
NTP servers on a trusted network that obtain their time from at least three outside time sources.

Client Browser Considerations
As a security best practice, do not use vRealize Operations Manager from untrusted or unpatched clients or
from clients that use browser extensions.

VMware, Inc.

49

Secure Configuration

50

VMware, Inc.

Index

A
administrative accounts 13
agent certificate revocation 36
apache configuration 27
Apache httpd 21
application resources, protect 25
auditing 49
authorized NTP server 49

B
best practices, End Point Operations
Management agents 31
Bluetooth protocol handler 28
boot loader authentication 17
browser considerations 49

C
cipher suites in GemFire 23
cipher suites in Apache httpd 23
client configuration, secure shell 16
configuration, PostgreSQL client
authentication 26
configuration modes, disable 28
configure 28
configure network settings for OVF 39
configure network time protocol 20
console access 13

D
data in transit 21
Datagram Congestion Control Protocol 29
DECnet Protocol, secure 30
deny forwarding 43
deny ICMPv4 echoes to broadcast address 40
deny IPv6 router settings 46
deny IPv6 router advertisement hop limit 46
disable, unnecessary applications 37
disable browsing 27
disable direct logins 17
disable directory browsing 27
disable SSH access for the admin user
account 17
disable TCP timestamp response 20
disable the trace method:Apache2 server 27
disable unnecessary ports 37

VMware, Inc.

disable unnecessary services 37

E
enable TLS on PostgreSQL 25
enabling FIPS 140-2 mode 20
enabling TLS 24
End Point Operations Management agent 31

F
file permissions, secure shell 15

G
GemFire TLS handler protocols 21
generate a self-signed certificate with
OpenSSL 24
glossary 5

H
hardening infrastructure 9
hardening for Linux installation 10
hardening the vSphere environment 10

I
infrastructure, hardening 9
install the certificate for PostgreSQL 24
intended audience 5
inventory of unsupported software 10
IPV4 source routed packets 43
IPv4, deny 1Pv4 forwarding 42
IPv4, deny IPv4 ICMP redirects 41
IPv4, disable proxy ARP 40
IPv4, ignore ICMP redirect messages 40
IPv4, ignore IPv4 reverse path filtering 42
IPv4, log IPv4 Martian packets 42
IPv4, use IPv4 TCP syncookies 44
IPv6 autoconf settings 46
IPv6, deny IPv6 forwarding 43
IPv6, deny IPv6 neighbor solicitations 47
IPv6, deny IPv6 router advertisements 44
IPv6, deny IPv6 router prefix 45
IPv6, deny IPv6 router solicitations 45
IPv6, deny IPv6 router preference in router
solicitations 45
IPv6, ignore ICMP redirect messages 41
IPv6, restrict IPv6 maximum addresses 47

51

Secure Configuration

K
kernel message logging 31

L
local administrative account, creating 14
logging 49

M
maintenance mode authentication 18
managing nonessential software 28
minimal necessary groups 18
minimal user accounts 18
minimum incoming ports 48
minimum permissions, agent functionality 32
monitor minimal necessary groups 18
monitor minimal user accounts 18

N
network settings 39

O
open ports on agent host 35
OVF, network settings 39

P
password expiry 13
patching 37
platform files and permissions, Linux 32
platform files and permissions, Windows 33
ports
incoming 39
outgoing 39
ports and protocols, configuring 47
prevent user control 39

R
reinstate an agent resource 36
remote logging server > securing 49
remove the agent resource 35
removing sample code:Apache2 server 27
resetting the password on Linux clusters 19
review installed software 10
revoking an agent 35
root password, change 12
root user, secure shell 13

S
secure
Appletalk Protocol 30
Firewire Module 30
Internet Packet Exchange Protocol 30

52

Reliable Datagram Sockets protocol 29
Transparent Inter-Process Communication
protocol 29
secure configuration 11
Secure Shell, restricting access 15
secure configuration activities 37
secure deployment of vRealize Operations
Manager 9
secure remote logging server 49
secure shell client configuration 16
secure shell file permissions 15
secure shell server configuration 15
Secure Shell, managing 13
secure the console 12
security posture 7
security advisories, patches 10
server configuration, secure shell 15
single-user authentication 18
Stream Control Transmission Protocol 28
strong ciphers, configure 22
strong protocols, configure 21

T
TCP backlog queue size 39
third-party software 10
TLS for data in transit 21

U
unnecessary applications, delete 37
updates 37
updating certificates 36
USB mass storage handler 28

V
verify, server user account settings 37
verify server tokens:apache2 server 27
verifying the installation media 9
virtual appliances
Bluetooth protocol handler 28
boot loader authentication 17
configure network time protocol 20
enable or disable Secure Shell 14
USB mass storage handler 28
virtual machines, disable IPv4 proxy ARP 40
virtual machines, deny ICMPv4 echoes to
broadcast address 40
vRealize Operations Manager administrative
password 19

VMware, Inc.



Source Exif Data:
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.5
Linearized                      : No
Author                          : VMware, Inc.
Create Date                     : 2017:07:31 23:03:36-08:00
Modify Date                     : 2017:07:31 23:03:36-08:00
Creator                         : AH XSL Formatter V6.3 MR1 for Windows (x64) : 6.3.2.23978 (2016/03/18 11:26JST)
Producer                        : Antenna House PDF Output Library 6.3.762 (Windows (x64))
Title                           : Secure Configuration - vRealize Operations.  Manager 6.6
Trapped                         : False
Page Count                      : 52
Page Mode                       : UseOutlines
Page Layout                     : SinglePage
Language                        : EN
EXIF Metadata provided by EXIF.tools

Navigation menu