Secure Configuration
vRealize Operations Manager 6.6
You can find the most up-to-date technical documentation on the VMware Web site at:
hps://docs.vmware.com/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com
Copyright © 2017 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
Contents
Secure Configuration 5
1 vRealize Operations Manager Security Posture 7
2 Secure Deployment of vRealize Operations Manager 9
Verify the Integrity of Installation Media 9
Hardening the Deployed Software Infrastructure 9
Reviewing Installed and Unsupported Software 10
VMware Security Advisories and Patches 10
3 Secure Configuration of vRealize Operations Manager 11
Secure the vRealize Operations Manager Console 12
Change the Root Password 12
Managing Secure Shell, Administrative Accounts, and Console Access 13
Set Boot Loader Authentication 17
Single-User or Maintenance Mode Authentication 18
Monitor Minimal Necessary User Accounts 18
Monitor Minimal Necessary Groups 18
Resetting the vRealize Operations Manager Administrator Password (Linux) 19
Configure NTP on VMware Appliances 20
Disable the TCP Timestamp Response on Linux 20
Enable FIPS 140-2 Mode 20
TLS for Data in Transit 21
Enabling TLS on Localhost Connections 24
Application Resources That Must be Protected 25
Configure PostgreSQL Client Authentication 26
Apache Configuration 27
Disable Configuration Modes 28
Managing Nonessential Software Components 28
End Point Operations Management Agent 31
Additional Secure Configuration Activities 37
4 Network Security and Secure Communication 39
Configuring Network Settings for Virtual Application Installation 39
Configuring Ports and Protocols 47
5 Auditing and Logging on your vRealize Operations Manager System 49
Securing the Remote Logging Server 49
Use an Authorized NTP Server 49
Client Browser Considerations 49
Index 51
Secure Configuration
The documentation for Secure Configuration is intended to serve as a secure baseline for the deployment of
vRealize Operations Manager. Refer to this document when you are using system-monitoring tools to
ensure that the secure baseline configuration is monitored and maintained for any unexpected changes on
an ongoing basis.
Hardening activities that are not already set by default can be carried out manually.
Intended Audience
This information is intended for administrators of vRealize Operations Manager.
VMware Technical Publications Glossary
VMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For definitions
of terms as they are used in VMware technical documentation, go to
http://www.vmware.com/support/pubs.
1 vRealize Operations Manager Security Posture
The security posture of vRealize Operations Manager assumes a complete secure environment based on
system and network configuration, organizational security policies, and best practices. It is important that
you perform the hardening activities according to your organization's security policies and best practices.
The document is broken down into the following sections:
- Secure Deployment
- Secure Configuration
- Network Security
- Communication
The guide details the installation of the Virtual Application.
To ensure that your system is securely hardened, review the recommendations and assess them against your
organization's security policies and risk exposure.
2 Secure Deployment of vRealize Operations Manager
You must verify the integrity of the installation media before you install the product to ensure authenticity
of the downloaded files.
This chapter includes the following topics:
- “Verify the Integrity of Installation Media,” on page 9
- “Hardening the Deployed Software Infrastructure,” on page 9
- “Reviewing Installed and Unsupported Software,” on page 10
- “VMware Security Advisories and Patches,” on page 10
Verify the Integrity of Installation Media
After you download the media, use the MD5/SHA1 sum value to verify the integrity of the download.
Always verify the SHA1 hash after you download an ISO, offline bundle, or patch to ensure the integrity
and authenticity of the downloaded files. If you obtain physical media from VMware and the security seal is
broken, return the software to VMware for a replacement.
Procedure
- Compare the MD5/SHA1 hash output with the value posted on the VMware Web site.
The SHA1 or MD5 hash should match.
Note: The vRealize Operations Manager 6.x-x.pak files are signed by the VMware software publishing
certificate. vRealize Operations Manager validates the signature of the PAK file before installation.
Hardening the Deployed Software Infrastructure
As part of your hardening process, you must harden the deployed software infrastructure that supports
your VMware system.
Before you harden your VMware system, review and address security deficiencies in your supporting
software infrastructure to create a completely hardened and secure environment. Software infrastructure
elements to consider include operating system components, supporting software, and database software.
Address security concerns in these and other components according to the manufacturer's
recommendations and other relevant security protocols.
Hardening the VMware vSphere Environment
vRealize Operations Manager relies on a secure VMware vSphere environment to achieve the greatest
benets and a secured infrastructure.
Assess the VMware vSphere environment and verify that the appropriate level of vSphere hardening
guidance is enforced and maintained.
For more guidance about hardening, see http://www.vmware.com/security/hardening-guides.html.
Reviewing Installed and Unsupported Software
Vulnerabilities in unused software might increase the risk of unauthorized system access and disruption of
availability. Review the software that is installed on VMware host machines and evaluate its use.
Do not install software that is not required for the secure operation of the system on any of the
vRealize Operations Manager node hosts. Uninstall unused or nonessential software.
Installing unsupported, untested, or unapproved software on infrastructure products such as
vRealize Operations Manager is a threat to the infrastructure.
To minimize the threat to the infrastructure, do not install or use any third-party software that is not
supported by VMware on VMware supplied hosts.
Assess your vRealize Operations Manager deployment and inventory of installed products to verify that no
unsupported software is installed.
For more information about the support policies for third-party products, see the VMware support at
hp://www.vmware.com/security/hardening-guides.html.
Verify Third-Party Software
Do not use third-party software that VMware does not support. Verify that all third-party software is
securely congured and patched in accordance with third-party vendor guidance.
Inauthentic, insecure, or unpatched vulnerabilities of third-party software installed on VMware host
machines might put the system at risk of unauthorized access and disruption of availability. All software
that VMware does not supply must be appropriately secured and patched.
If you must use third-party software that VMware does not support, consult the third-party vendor for
secure conguration and patching requirements.
VMware Security Advisories and Patches
VMware occasionally releases security advisories for products. Being aware of these advisories can ensure
that you have the safest underlying product and that the product is not vulnerable to known threats.
Assess the vRealize Operations Manager installation, patching, and upgrade history and verify that the
released VMware Security Advisories are followed and enforced.
It is recommended that you always remain on the most recent vRealize Operations Manager release, as this
will also include the most recent security fixes.
For more information about the current VMware security advisories, see
hp://www.vmware.com/security/advisories/.
3 Secure Configuration of vRealize Operations Manager
As a security best practice, you must secure the vRealize Operations Manager console and manage Secure
Shell (SSH), administrative accounts, and console access. Ensure that your system is deployed with secure
transmission channels.
You must also follow certain security best practices for running End Point Operations Management agents.
This chapter includes the following topics:
- “Secure the vRealize Operations Manager Console,” on page 12
- “Change the Root Password,” on page 12
- “Managing Secure Shell, Administrative Accounts, and Console Access,” on page 13
- “Set Boot Loader Authentication,” on page 17
- “Single-User or Maintenance Mode Authentication,” on page 18
- “Monitor Minimal Necessary User Accounts,” on page 18
- “Monitor Minimal Necessary Groups,” on page 18
- “Resetting the vRealize Operations Manager Administrator Password (Linux),” on page 19
- “Configure NTP on VMware Appliances,” on page 20
- “Disable the TCP Timestamp Response on Linux,” on page 20
- “Enable FIPS 140-2 Mode,” on page 20
- “TLS for Data in Transit,” on page 21
- “Enabling TLS on Localhost Connections,” on page 24
- “Application Resources That Must be Protected,” on page 25
- “Configure PostgreSQL Client Authentication,” on page 26
- “Apache Configuration,” on page 27
- “Disable Configuration Modes,” on page 28
- “Managing Nonessential Software Components,” on page 28
- “End Point Operations Management Agent,” on page 31
- “Additional Secure Configuration Activities,” on page 37
Secure the vRealize Operations Manager Console
After you install vRealize Operations Manager, you must log in for the first time and secure the console of
each node in the cluster.
Prerequisites
Install vRealize Operations Manager.
Procedure
1 Locate the node console in vCenter or by direct access.
In vCenter, press Alt+F1 to access the login prompt. For security reasons, vRealize Operations Manager
remote terminal sessions are disabled by default.
2 Log in as root.
vRealize Operations Manager does not allow you to access the command prompt until you create a root
password.
3 At the password prompt, press Enter.
4 At the old password prompt, press Enter.
5 At the prompt for a new password, enter the root password that you want and note it for future
reference.
6 Reenter the root password.
7 Log out of the console.
Change the Root Password
You can change the root password for any vRealize Operations Manager master or data node at any time by
using the console.
The root user bypasses the pam_cracklib module password complexity check, which is found in
/etc/pam.d/common-password. All hardened appliances enable enforce_for_root for the pw_history module,
found in the /etc/pam.d/common-password file. The system remembers the last five passwords by default. Old
passwords are stored for each user in the /etc/security/opasswd file.
Prerequisites
Verify that the root password for the appliance meets your organization’s corporate password complexity
requirements. If the account password starts with $6$, it uses a sha512 hash. This is the standard hash for all
hardened appliances.
Procedure
1 Run the # passwd command at the root shell of the appliance.
2 To verify the hash of the root password, log in as root and run the # more /etc/shadow command.
The hash information appears.
3 If the root password does not contain a sha512 hash, run the passwd command to change it.
Manage Password Expiry
Congure all account password expirations in accordance with your organization's security policies.
By default, all hardened VMware appliances use a 60-day password expiry. On most hardened appliances,
the root account is set to a 365-day password expiry. As a best practice, verify that the expiry on all accounts
meets your security and operational requirements.
If the root password expires, you cannot reinstate it. You must implement site-specic policies to prevent
administrative and root passwords from expiring.
Procedure
1 Log in to your virtual appliance machines as root and run the # more /etc/shadow command to verify
the password expiry on all accounts.
2 To modify the expiry of the root account, run the # passwd -x 365 root command.
In this command, 365 specifies the number of days until password expiry. Use the same command to
modify any user, substituting the specific account for root and replacing the number of days to meet
the expiry standards of the organization.
By default, the root password is set for 365 days.
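The two checks above (a sha512 hash, and an expiry that fits the policy) can be scripted over /etc/shadow records. This is an added example, not part of the VMware guide; it takes a file path and is run here against a constructed sample, so it never reads the live /etc/shadow.

```shell
#!/bin/sh
# Audit /etc/shadow-style records for the two properties this section checks:
# the hash uses sha512 (field 2 starts with $6$) and the maximum password age
# (field 5) does not exceed a limit. Added example, not from the VMware guide;
# it takes a file path so it can be run against the constructed sample below
# instead of the live /etc/shadow.

# Constructed sample records (not from a real appliance; hashes are dummies).
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$saltsalt$dummyhashvalue:17500:0:365:7:::
admin:$6$saltsalt$dummyhashvalue:17500:0:60:7:::
legacy:$1$salt$olddummymd5:17500:0:99999:7:::
sshd:!:17500:0:99999:7:::
nobody:*:17500:0:99999:7:::
EOF

# shadow_count_active FILE
# Number of accounts that have a usable password hash (not locked with ! or *).
shadow_count_active() {
  awk -F: '$2 != "" && $2 !~ /^[!*]+$/ { n++ } END { print n + 0 }' "$1"
}

# shadow_audit FILE MAXDAYS
# For every account with a usable hash, report "weak-hash" when the hash is
# not sha512 and "expiry=N" when the max age is missing or above MAXDAYS.
# Exit status 0 when nothing was reported, 1 otherwise.
shadow_audit() {
  awk -F: -v limit="$2" '
    $2 == "" || $2 ~ /^[!*]+$/ { next }     # locked or passwordless: skip
    {
      problems = ""
      if (substr($2, 1, 3) != "$6$")
        problems = problems " weak-hash"
      if ($5 == "" || $5 + 0 > limit + 0)
        problems = problems " expiry=" ($5 == "" ? "none" : $5)
      if (problems != "") { print $1 ":" problems; found = 1 }
    }
    END { exit(found ? 1 : 0) }
  ' "$1"
}

# Demonstration run against the sample with the 365-day root policy above.
shadow_audit "$SAMPLE_SHADOW" 365 || echo "one or more accounts need attention"
```

On an appliance, run it as root with the real file and the limit from your policy, for example shadow_audit /etc/shadow 60.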
Managing Secure Shell, Administrative Accounts, and Console Access
For remote connections, all hardened appliances include the Secure Shell (SSH) protocol. SSH is disabled by
default on the hardened appliance.
SSH is an interactive command-line environment that supports remote connections to a
vRealize Operations Manager node. SSH requires high-privileged user account credentials. SSH activities
generally bypass the role-based access control (RBAC) and audit controls of the
vRealize Operations Manager node.
As a best practice, disable SSH in a production environment and enable it only to diagnose or troubleshoot
problems that you cannot resolve by other means. Leave it enabled only while needed for a specic purpose
and in accordance with your organization's security policies. If you enable SSH, ensure that it is protected
against aack and that you enable it only for as long as required. Depending on your vSphere conguration,
you can enable or disable SSH when you deploy your Open Virtualization Format (OVF) template.
As a simple test to determine whether SSH is enabled on a machine, try to open a connection by using SSH.
If the connection opens and requests credentials, then SSH is enabled and is available for making
connections.
Secure Shell Root User
Because VMware appliances do not include preconfigured default user accounts, the root account can use
SSH to directly log in by default. Disable SSH as root as soon as possible.
To meet the compliance standards for nonrepudiation, the SSH server on all hardened appliances is
precongured with the AllowGroups wheel entry to restrict SSH access to the secondary group wheel. For
separation of duties, you can modify the AllowGroups wheel entry in the /etc/ssh/sshd_config le to use
another group such as sshd.
The wheel group is enabled with the pam_wheel module for superuser access, so members of the wheel
group can use the su - root command, where the root password is required. Group separation enables users
to use SSH to the appliance, but not to use the su command to log in as root. Do not remove or modify other
entries in the AllowGroups field, which ensures proper appliance function. After making a change, restart
the SSH daemon by running the # service sshd restart command.
Enable or Disable Secure Shell on a vRealize Operations Manager node
You can enable Secure Shell (SSH) on a vRealize Operations Manager node for troubleshooting. For
example, to troubleshoot a server, you might require command-line access to the server, which SSH provides.
Disable SSH on a vRealize Operations Manager node for normal operation.
Procedure
1 Access the console of the vRealize Operations Manager node from vCenter.
2 Press Alt + F1 to access the login prompt then log in.
3 Run the # chkconfig command.
4 If the sshd service is off, run the # chkconfig sshd on command.
5 Run the # service sshd start command to start the sshd service.
6 Run the # service sshd stop command to stop the sshd service.
Create a Local Administrative Account for Secure Shell
Before you remove root SSH access, you must create local administrative accounts that can log in through
Secure Shell (SSH), that are members of the secondary wheel group, or both.
Before you disable direct root access, test that authorized administrators can access SSH by using
AllowGroups, and that they can use the wheel group and the su command to log in as root.
Procedure
1 Log in as root and run the following commands.
# useradd -d /home/vropsuser -g users -G wheel -m vropsuser
# passwd vropsuser
Wheel is the group specified in AllowGroups for SSH access. To add multiple secondary groups, use -G
wheel,sshd.
2 Switch to the user and provide a new password to ensure password complexity checking.
# su - vropsuser
vropsuser@hostname:~> passwd
If the password complexity is met, the password updates. If the password complexity is not met, the
password reverts to the original password, and you must rerun the passwd command.
After you create the login accounts to allow SSH remote access and use the su command to log in as
root using the wheel access, you can remove the root account from the SSH direct login.
3 To remove direct login to SSH, modify the /etc/ssh/sshd_config file by replacing the (possibly commented
out) PermitRootLogin yes line with PermitRootLogin no.
What to do next
Disable direct logins as root. By default, the hardened appliances allow direct login to root through the
console. After you create administrative accounts for nonrepudiation and test them for wheel access (su -
root), disable direct root logins by editing the /etc/securetty file as root and replacing the tty1 entry with
console.
Restrict Secure Shell Access
As part of your system hardening process, restrict Secure Shell (SSH) access by configuring the
tcp_wrappers package appropriately on all VMware virtual appliance host machines. Also maintain the
required SSH key file permissions on these appliances.
All VMware virtual appliances include the tcp_wrappers package to allow tcp-supported daemons to
control the network subnets that can access the libwrapped daemons. By default, the /etc/hosts.allow file
contains a generic entry, sshd: ALL : ALLOW, that allows all access to the secure shell. Restrict this access as
appropriate for your organization.
Procedure
1 Open the /etc/hosts.allow file on your virtual appliance host machine in a text editor.
2 Change the generic entry in your production environment to include only the local host entries and the
management network subnet for secure operations.
sshd: 127.0.0.1 : ALLOW
sshd: [::1] : ALLOW
sshd: 10.0.0.0/255.0.0.0 : ALLOW
In this example, all local host connections and connections from clients on the 10.0.0.0/255.0.0.0 subnet
are allowed. Write the subnet as an address/netmask pair: a bare address such as 10.0.0.0 matches only
that single host in tcp_wrappers syntax.
3 Add all appropriate machine identification, for example, host name, IP address, fully qualified domain
name (FQDN), and loopback.
4 Save the file and close it.
Maintain Secure Shell Key File Permissions
To maintain an appropriate level of security, configure Secure Shell (SSH) key file permissions.
Procedure
1 View the public host key files, located in /etc/ssh/*key.pub.
2 Verify that these files are owned by root, that the group is owned by root, and that the files have
permissions set to 0644.
The permissions are (-rw-r--r--).
3 Close all files.
4 View the private host key files, located in /etc/ssh/*key.
5 Verify that root owns these files and the group, and that the files have permissions set to 0600.
The permissions are (-rw-------).
6 Close all files.
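The owner, group and mode checks above can be applied to every host key in one pass. This is an added example, not from the VMware guide; owner and group are compared numerically (0 0 = root:root) so the demonstration can run on a constructed directory owned by the current user, and the stat -f fallback is only for BSD/macOS systems.

```shell
#!/bin/sh
# Check owner, group and mode of SSH host key files as listed above:
# public keys (*key.pub) 0644 and private keys (*key) 0600, both owned by
# root:root. Added example, not from the VMware guide. Owner and group are
# compared numerically (0 0 = root:root) so the check also runs on a
# constructed directory owned by the current user, as in the demonstration.

# file_mode_owner FILE -> "uid:gid mode", using GNU stat (Linux) with a
# BSD/macOS fallback.
file_mode_owner() {
  stat -c '%u:%g %a' "$1" 2>/dev/null || stat -f '%u:%g %OLp' "$1"
}

# keyfile_check FILE MODE UID GID
# Prints a line describing the deviation and returns 1 when FILE does not
# have exactly MODE and owner UID:GID; returns 0 silently otherwise.
keyfile_check() {
  actual=$(file_mode_owner "$1") || return 1
  [ "$actual" = "$3:$4 $2" ] && return 0
  printf '%s is %s, expected %s:%s %s\n' "$1" "$actual" "$3" "$4" "$2"
  return 1
}

# hostkey_audit DIR [UID GID]
# Applies the two rules to every *key and *key.pub file in DIR.
# Returns 0 only when every file passes; UID/GID default to 0 (root).
hostkey_audit() {
  dir=$1; uid=${2:-0}; gid=${3:-0}; rc=0
  for f in "$dir"/*key "$dir"/*key.pub; do
    [ -e "$f" ] || continue            # pattern matched nothing
    case $f in
      *.pub) keyfile_check "$f" 644 "$uid" "$gid" || rc=1 ;;
      *)     keyfile_check "$f" 600 "$uid" "$gid" || rc=1 ;;
    esac
  done
  return $rc
}

# Constructed demonstration: a temporary directory standing in for /etc/ssh,
# with the public key deliberately left group-writable.
SAMPLE_SSH_DIR=$(mktemp -d)
touch "$SAMPLE_SSH_DIR/ssh_host_rsa_key" "$SAMPLE_SSH_DIR/ssh_host_rsa_key.pub"
chmod 600 "$SAMPLE_SSH_DIR/ssh_host_rsa_key"
chmod 664 "$SAMPLE_SSH_DIR/ssh_host_rsa_key.pub"
hostkey_audit "$SAMPLE_SSH_DIR" "$(id -u)" "$(id -g)" || echo "host key permissions need fixing"
```

On an appliance, hostkey_audit /etc/ssh (with the root defaults) reports any key file that deviates.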
Harden the Secure Shell Server Configuration
Where possible, the Virtual Application Installation (OVF) has a default hardened configuration. Users can
verify that their configuration is appropriately hardened by examining the server and client service in the
global options section of the configuration file.
If possible, restrict use of the SSH server to a management subnet in the /etc/hosts.allow file.
Procedure
1 Open the /etc/ssh/sshd_config server configuration file and verify that the settings are correct.
Setting                                    Status
Server Daemon Protocol                     Protocol 2
Ciphers                                    Ciphers aes256-ctr,aes128-ctr
TCP Forwarding                             AllowTcpForwarding no
Server Gateway Ports                       GatewayPorts no
X11 Forwarding                             X11Forwarding no
SSH Service                                Use the AllowGroups field to specify a group permitted to access the
                                           service, and add the users permitted to use the service to that
                                           secondary group.
GSSAPI Authentication                      GSSAPIAuthentication no, if unused
Kerberos Authentication                    KerberosAuthentication no, if unused
Local Variables (AcceptEnv global option)  Disabled by commenting out, or enabled only for LC_* or LANG
                                           variables
Tunnel Configuration                       PermitTunnel no
Network Sessions                           MaxSessions 1
Strict Mode Checking                       StrictModes yes
Privilege Separation                       UsePrivilegeSeparation yes
rhosts RSA Authentication                  RhostsRSAAuthentication no
Compression                                Compression delayed or Compression no
Message Authentication Code                MACs hmac-sha1
User Access Restriction                    PermitUserEnvironment no
2 Save your changes and close the file.
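A node's sshd_config can be compared against the table above automatically. This is an added example, not from the VMware guide; it reads a file path, is demonstrated on a constructed sample rather than /etc/ssh/sshd_config, and only lists the options with a fixed expected value (those marked "if unused" are left out).

```shell
#!/bin/sh
# Check an sshd_config file against the hardened values in the table above.
# Added example, not from the VMware guide. The function takes a file path,
# so it is demonstrated on a constructed sample rather than on
# /etc/ssh/sshd_config; run it on the real file as root to audit a node.

# Constructed sample: a few options are deliberately missing or mis-set.
SAMPLE_SSHD=$(mktemp)
cat > "$SAMPLE_SSHD" <<'EOF'
Protocol 2
Ciphers aes256-ctr,aes128-ctr
AllowTcpForwarding yes
GatewayPorts no
X11Forwarding no
AllowGroups wheel
PermitTunnel no
MaxSessions 1
StrictModes yes
UsePrivilegeSeparation yes
#Compression delayed
MACs hmac-sha1
PermitUserEnvironment no
PermitRootLogin yes
EOF

# Expected "Keyword value" pairs taken from the table (plus PermitRootLogin no
# from the earlier procedure). Options whose value depends on use, such as
# GSSAPIAuthentication, are left out.
HARDENED_SSHD='
Protocol 2
Ciphers aes256-ctr,aes128-ctr
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
PermitTunnel no
MaxSessions 1
StrictModes yes
UsePrivilegeSeparation yes
RhostsRSAAuthentication no
MACs hmac-sha1
PermitUserEnvironment no
PermitRootLogin no
'

# sshd_effective FILE KEYWORD
# Prints the value sshd would use: the first uncommented occurrence wins and
# keywords are matched case-insensitively. Prints nothing if the keyword is
# absent (the compiled-in default then applies).
sshd_effective() {
  awk -v key="$2" '
    /^[[:space:]]*#/ || NF < 2 { next }
    tolower($1) == tolower(key) { print $2; exit }
  ' "$1"
}

# sshd_audit FILE
# Prints "KEYWORD expected=X actual=Y" per deviation (actual=<unset> when the
# keyword is missing). Returns 0 only when every expected value is present.
sshd_audit() {
  findings=$(printf '%s\n' "$HARDENED_SSHD" | while read -r key want; do
    [ -n "$key" ] || continue
    got=$(sshd_effective "$1" "$key")
    [ "$got" = "$want" ] ||
      printf '%s expected=%s actual=%s\n' "$key" "$want" "${got:-<unset>}"
  done)
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

sshd_audit "$SAMPLE_SSHD" || echo "sshd_config deviates from the hardened baseline"
```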
Harden the Secure Shell Client Configuration
As part of your system hardening monitoring process, verify hardening of the SSH client by examining the
SSH client configuration file on virtual appliance host machines to ensure that it is configured according to
VMware guidelines.
Procedure
1 Open the SSH client configuration file, /etc/ssh/ssh_config, and verify that the settings in the global
options section are correct.
Setting                                  Status
Client Protocol                          Protocol 2
Client Gateway Ports                     GatewayPorts no
GSSAPI Authentication                    GSSAPIAuthentication no
Local Variables (SendEnv global option)  Provide only LC_* or LANG variables
Ciphers                                  Ciphers aes256-ctr,aes128-ctr
Message Authentication Codes             Use the MACs hmac-sha1 entry only
2 Save your changes and close the file.
Disable Direct Logins as Root
By default, the hardened appliances allow you to use the console to log in directly as root. As a security best
practice, you can disable direct logins after you create an administrative account for nonrepudiation and test
it for wheel access by using the su - root command.
Prerequisites
- Complete the steps in the topic called “Create a Local Administrative Account for Secure Shell,” on
page 14.
- Verify that you have tested accessing the system as an administrator before you disable direct root
logins.
Procedure
1 Log in as root and navigate to the /etc/securetty file.
You can access this le from the command prompt.
2 Replace the tty1 entry with console.
Disable SSH Access for the Admin User Account
As a security best practice, you can disable SSH access for the admin user account. The
vRealize Operations Manager admin account and the Linux admin account share the same password.
Disabling SSH access for the admin user enforces defense in depth by ensuring that all SSH users first log in
to a lesser privileged service account with a password that differs from the vRealize Operations Manager
admin account, and then switch user to a higher privilege such as admin or root.
Procedure
1 Edit the /etc/ssh/sshd_config file.
You can access this le from the command prompt.
2 Add the DenyUsers admin entry anywhere in the le and save the le.
3 To restart the sshd server, run the service sshd restart command.
Set Boot Loader Authentication
To provide an appropriate level of security, configure boot loader authentication on your VMware virtual
appliances. If the system boot loader requires no authentication, users with console access to the system
might be able to alter the system boot configuration or boot the system to single user or maintenance mode,
which can result in denial of service or unauthorized system access.
Because boot loader authentication is not set by default on the VMware virtual appliances, you must create a
GRUB password to configure it.
Procedure
1 Verify whether a boot password exists by locating the password --md5 <password-hash> line in
the /boot/grub/menu.lst file on your virtual appliances.
2 If no password exists, run the # /usr/sbin/grub-md5-crypt command on your virtual appliance.
The command prompts for a password and prints its MD5 hash.
3 Append a password --md5 <hash from grub-md5-crypt> line to the menu.lst file.
Single-User or Maintenance Mode Authentication
If the system does not require valid root authentication before it boots into single-user or maintenance
mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the
system.
Procedure
- Review the /etc/inittab file and ensure that the following two lines appear:
ls:S:wait:/etc/init.d/rc S
~~:S:respawn:/sbin/sulogin
Monitor Minimal Necessary User Accounts
You must monitor existing user accounts and ensure that any unnecessary user accounts are removed.
Procedure
- Run the # cat /etc/passwd command and verify the minimal necessary user accounts:
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
haldaemon:x:101:102:User for haldaemon:/var/run/hald:/bin/false
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
messagebus:x:100:101:User for D-Bus:/var/run/dbus:/bin/false
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
ntp:x:74:106:NTP daemon:/var/lib/ntp:/bin/false
polkituser:x:103:104:PolicyKit:/var/run/PolicyKit:/bin/false
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
root:x:0:0:root:/root:/bin/bash
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
suse-ncc:x:104:107:Novell Customer Center User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
uuidd:x:102:103:User for uuidd:/var/run/uuidd:/bin/false
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
nginx:x:105:108:user for nginx:/var/lib/nginx:/bin/false
admin:x:1000:1003::/home/admin:/bin/bash
tcserver:x:1001:1004:tc Server User:/home/tcserver:/bin/bash
postgres:x:1002:100::/var/vmware/vpostgres/9.3:/bin/bash
Monitor Minimal Necessary Groups
You must monitor existing groups and members to ensure that any unnecessary groups or group access is
removed.
Procedure
- Run the # cat /etc/group command to verify the minimum necessary groups and group
membership.
audio:x:17:
bin:x:1:daemon
cdrom:x:20:
console:x:21:
daemon:x:2:
dialout:x:16:u1,tcserver,postgres
disk:x:6:
floppy:x:19:
haldaemon:!:102:
kmem:x:9:
mail:x:12:
man:x:62:
messagebus:!:101:
modem:x:43:
nobody:x:65533:
nogroup:x:65534:nobody
ntp:!:106:
polkituser:!:105:
public:x:32:
root:x:0:admin
shadow:x:15:
sshd:!:65:
suse-ncc:!:107:
sys:x:3:
tape:!:103:
trusted:x:42:
tty:x:5:
utmp:x:22:
uuidd:!:104:
video:x:33:u1,tcserver,postgres
wheel:x:10:root,admin
www:x:8:
xok:x:41:
maildrop:!:1001:
postfix:!:51:
users:x:100:
vami:!:1002:root
nginx:!:108:
admin:!:1003:
vfabric:!:1004:admin,wwwrun
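Rather than eyeballing the two listings above, both the user-account and the group check can be automated by keeping the expected listing as a baseline and reporting drift, together with a summary of who holds root-equivalent access (UID 0 accounts and wheel members). This is an added example, not from the VMware guide; the baseline and "current" files are constructed excerpts, so the run below does not read the live /etc/passwd or /etc/group.

```shell
#!/bin/sh
# Compare /etc/passwd- or /etc/group-style files against a saved baseline
# (such as the lists above) and summarise who holds root-equivalent access.
# Added example, not from the VMware guide; the baseline and "current" files
# are constructed excerpts, so the run below does not read the live files.

# baseline_diff BASELINE CURRENT
# Entries are keyed on the first field (account or group name). Prints
# "added NAME", "removed NAME" or "changed NAME: OLD -> NEW"; exit status 0
# when both files agree on every entry, 1 otherwise. BASELINE must be
# non-empty (the NR==FNR idiom relies on it).
baseline_diff() {
  awk -F: '
    NR == FNR { base[$1] = $0; next }       # first file: baseline
    {
      cur[$1] = $0
      if (!($1 in base))        { print "added " $1; d = 1 }
      else if (base[$1] != $0)  { print "changed " $1 ": " base[$1] " -> " $0; d = 1 }
    }
    END {
      for (n in base) if (!(n in cur)) { print "removed " n; d = 1 }
      exit(d ? 1 : 0)
    }
  ' "$1" "$2"
}

# uid0_accounts PASSWD -> names of every account with UID 0, one per line
uid0_accounts() {
  awk -F: '$3 == 0 { print $1 }' "$1"
}

# group_members GROUPFILE NAME -> comma-separated member list of group NAME
group_members() {
  awk -F: -v g="$2" '$1 == g { print $4; exit }' "$1"
}

# Constructed excerpts: a saved /etc/group baseline, a later copy in which one
# group gained a member, one disappeared and one appeared, and a /etc/passwd
# excerpt with an unexpected second UID 0 account.
BASE_GROUP=$(mktemp); CUR_GROUP=$(mktemp); CUR_PASSWD=$(mktemp)
cat > "$BASE_GROUP" <<'EOF'
root:x:0:admin
wheel:x:10:root,admin
vami:!:1002:root
vfabric:!:1004:admin,wwwrun
EOF
cat > "$CUR_GROUP" <<'EOF'
root:x:0:admin
wheel:x:10:root,admin,svcacct
vfabric:!:1004:admin,wwwrun
svcgrp:x:1010:svcacct
EOF
cat > "$CUR_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1003::/home/admin:/bin/bash
svcacct:x:0:1010::/home/svcacct:/bin/bash
EOF

baseline_diff "$BASE_GROUP" "$CUR_GROUP" || echo "group file drifted from baseline"
echo "UID 0 accounts: $(uid0_accounts "$CUR_PASSWD" | tr '\n' ' ')"
echo "wheel members: $(group_members "$CUR_GROUP" wheel)"
```

Save the listings from a freshly hardened node as the baselines and rerun the comparison from your monitoring tooling; any "added", "changed" or "removed" line is a change to investigate.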
Resetting the vRealize Operations Manager Administrator Password (Linux)
As a security best practice, you can reset the vRealize Operations Manager password on Linux clusters for
vApp or Linux installations.
Procedure
1 Log in to the remote console of the master node as root.
2 Enter the $VMWARE_PYTHON_BIN $VCOPS_BASE/../vmware-vcopssuite/utilities/sliceConfiguration/bin/vcopsSetAdminPassword.py --reset
command and follow the prompts.
Configure NTP on VMware Appliances
For critical time sourcing, disable host time synchronization and use the Network Time Protocol (NTP) on
VMware appliances. You must configure a trusted remote NTP server for time synchronization. The NTP
server must be an authoritative time server or at least synchronized with an authoritative time server.
The NTP daemon on VMware virtual appliances provides synchronized time services. NTP is disabled by
default, so you need to configure it manually. If possible, use NTP in production environments to track user
actions and to detect potential malicious attacks and intrusions through accurate audit and log keeping. For
information about NTP security notices, see the NTP Web site.
The NTP configuration file is located at /etc/ntp.conf on each appliance.
Procedure
1 Navigate to the /etc/ntp.conf configuration file on your virtual appliance host machine.
2 Set the file ownership to root:root.
3 Set the permissions to 0640.
4 To mitigate the risk of a denial-of-service amplification attack on the NTP service, open
the /etc/ntp.conf file and ensure that the restrict lines appear in the file.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
5 Save any changes and close the file.
For information on NTP security notices, see http://support.ntp.org/bin/view/Main/SecurityNotice.
Disable the TCP Timestamp Response on Linux
An attacker can use the TCP timestamp response to approximate the remote host's uptime and aid further
attacks. Additionally, some operating systems can be fingerprinted based on the behavior of their TCP
timestamps.
Procedure
- Disable the TCP timestamp response on Linux.
a To set the value of net.ipv4.tcp_timestamps to 0, run the sysctl -w net.ipv4.tcp_timestamps=0
command.
b Add the net.ipv4.tcp_timestamps=0 entry to the default sysctl.conf file so that the setting persists
across reboots.
Enable FIPS 140-2 Mode
The version of OpenSSL that is shipped with vRealize Operations Manager 6.3 and later releases is FIPS
140-2 certified. However, the FIPS mode is not enabled by default.
You can enable the FIPS mode if there is a security compliance requirement to use FIPS certified
cryptographic algorithms with the FIPS mode enabled.
Procedure
1 To replace the mod_ssl.so file, run the following commands:
cd /usr/lib64/apache2-prefork/
cp mod_ssl.so mod_ssl.so.old
cp mod_ssl.so.FIPSON.openssl1.0.2 mod_ssl.so
2 Modify your Apache2 configuration by editing the /etc/apache2/ssl-global.conf file.
3 Search for the <IfModule mod_ssl.c> line and add the SSLFIPS on directive below it.
4 To reset the Apache configuration, run the service apache2 restart command.
TLS for Data in Transit
As a security best practice, ensure that the system is deployed with secure transmission channels.
Configure Strong Protocols for vRealize Operations Manager
Protocols such as SSLv2 and SSLv3 are no longer considered secure. In addition, it is recommended that you
disable TLS 1.0. Enable only TLS 1.1 and TLS 1.2.
Verify the Correct Use of Protocols in Apache HTTPD
vRealize Operations Manager disables SSLv2 and SSLv3 by default. You must disable weak protocols on all
load balancers before you put the system into production.
Procedure
1 Run the grep SSLProtocol /usr/lib/vmware-vcopssuite/utilities/conf/vcops-apache.conf | grep -v '#'
command from the command prompt to verify that SSLv2 and SSLv3 are disabled.
If the protocols are disabled, the command returns the following output: SSLProtocol All -SSLv2 -SSLv3
2 To also disable the TLS 1.0 protocol, run the following command from the command prompt:
sed -i "/^[^#]*SSLProtocol/ c\SSLProtocol All -SSLv2 -SSLv3 -TLSv1" /usr/lib/vmware-vcopssuite/utilities/conf/vcops-apache.conf
3 To restart the Apache2 server, run the /etc/init.d/apache2 restart command from the command
prompt.
Verify the Correct Use of Protocols in the GemFire TLS Handler
vRealize Operations Manager disables SSLv3 by default. You must disable weak protocols on all load
balancers before you put the system into production.
Procedure
1 To verify which protocols are enabled, run the following commands on each node:
grep cluster-ssl-protocol /usr/lib/vmware-vcops/user/conf/gemfire.properties | grep -v '#'
The following result is expected:
cluster-ssl-protocols=TLSv1.2 TLSv1.1 TLSv1
grep cluster-ssl-protocol /usr/lib/vmware-vcops/user/conf/gemfire.native.properties | grep -v '#'
The following result is expected:
cluster-ssl-protocols=TLSv1.2 TLSv1.1 TLSv1
grep cluster-ssl-protocol /usr/lib/vmware-vcops/user/conf/gemfire.locator.properties | grep -v '#'
The following result is expected:
cluster-ssl-protocols=TLSv1.2 TLSv1.1 TLSv1
Chapter 3 Secure Configuration of vRealize Operations Manager
VMware, Inc. 21
2 Disable TLS 1.0.
a Navigate to the administrator user interface at url/admin .
b Click Bring .
c To disable SSLv3 and TLS 1.0, run the following commands:
sed -i "/^[^#]*cluster-ssl-protocol/ c\cluster-ssl-protocols=TLSv1.2
TLSv1.1" /usr/lib/vmware-vcops/user/conf/gemfire.properties
sed -i "/^[^#]*cluster-ssl-protocol/ c\cluster-ssl-protocols=TLSv1.2
TLSv1.1" /usr/lib/vmware-vcops/user/conf/gemfire.native.properties
sed -i "/^[^#]*cluster-ssl-protocol/ c\cluster-ssl-protocols=TLSv1.2
TLSv1.1" /usr/lib/vmware-vcops/user/conf/gemfire.locator.properties
Repeat this step for each node
d Navigate to the administrator user interface.
e Click Bring Online.
3 Reenable TLS 1.0.
a Navigate to the administrator user interface to bring the cluster oine: url/admin.
b Click Bring .
c To ensure that SSLv3 and TLS 1.0 are disabled, run the following commands:
sed -i "/^[^#]*cluster-ssl-protocol/ c\cluster-ssl-protocols=TLSv1.2 TLSv1.1
TLSv1" /usr/lib/vmware-vcops/user/conf/gemfire.properties
sed -i "/^[^#]*cluster-ssl-protocol/ c\cluster-ssl-protocols=TLSv1.2 TLSv1.1
TLSv1" /usr/lib/vmware-vcops/user/conf/gemfire.native.properties
sed -i "/^[^#]*cluster-ssl-protocol/ c\cluster-ssl-protocols=TLSv1.2 TLSv1.1
TLSv1" /usr/lib/vmware-vcops/user/conf/gemfire.locator.properties
Repeat this step for each node.
d Navigate to the administrator user interface to bring the cluster online.
e Click Bring Online.
Configure vRealize Operations Manager to Use Strong Ciphers
For maximum security, you must configure vRealize Operations Manager components to use strong ciphers.
To ensure that only strong ciphers are selected, disable the use of weak ciphers. Configure the server to
support only strong ciphers and to use sufficiently large key sizes. Also, configure the ciphers in a suitable
order.
vRealize Operations Manager disables the use of cipher suites using the DHE key exchange by default.
Ensure that you disable the same weak cipher suites on all load balancers before you put the system into
production.
Using Strong Ciphers
The encryption cipher negotiated between the server and the browser determines the key exchange method
and encryption strength that is used in a TLS session.
Verify the Correct Use of Cipher Suites in Apache HTTPD
For maximum security, verify the correct use of cipher suites in Apache httpd.
Procedure
1 To verify the correct use of cipher suites in Apache httpd, run the grep SSLCipherSuite /usr/lib/vmware-vcopssuite/utilities/conf/vcops-apache.conf | grep -v '#' command from the command prompt.
If Apache httpd uses the correct cipher suites, the command returns the following output:
SSLCipherSuite kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:!aNULL!ADH:!EXP:!MD5:!3DES:!CAMELLIA:!PSK:!SRP:!DH
2 To configure the correct use of cipher suites, run the sed -i "/^[^#]*SSLCipherSuite/ c\SSLCipherSuite kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:\!aNULL\!ADH:\!EXP:\!MD5:\!3DES:\!CAMELLIA:\!PSK:\!SRP:\!DH" /usr/lib/vmware-vcopssuite/utilities/conf/vcops-apache.conf command from the command prompt.
Run this command if the output in Step 1 is not as expected.
This command disables all cipher suites that use DH and DHE key exchange methods.
3 Run the /etc/init.d/apache2 restart command from the command prompt to restart the Apache2 server.
4 To reenable DH, remove !DH from the cipher suites by running the sed -i "/^[^#]*SSLCipherSuite/ c\SSLCipherSuite kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:\!aNULL\!ADH:\!EXP:\!MD5:\!3DES:\!CAMELLIA:\!PSK:\!SRP" /usr/lib/vmware-vcopssuite/utilities/conf/vcops-apache.conf command from the command prompt.
5 Run the /etc/init.d/apache2 restart command from the command prompt to restart the Apache2 server.
Verify the Correct Use of Cipher Suites in GemFire TLS Handler
For maximum security, verify the correct use of cipher suites in the GemFire TLS Handler.
Procedure
1 To verify which cipher suites are enabled, run the following commands on each node:
grep cluster-ssl-ciphers /usr/lib/vmware-vcops/user/conf/gemfire.properties | grep -v '#'
grep cluster-ssl-ciphers /usr/lib/vmware-vcops/user/conf/gemfire.native.properties | grep -v '#'
grep cluster-ssl-ciphers /usr/lib/vmware-vcops/user/conf/gemfire.locator.properties | grep -v '#'
2 Configure the correct cipher suites.
a Navigate to the administrator user interface at URL/admin.
b To bring the cluster offline, click Bring Offline.
c To configure the correct cipher suites, run the following commands:
sed -i "/^[^#]*cluster-ssl-ciphers/ c\cluster-ssl-ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" /usr/lib/vmware-vcops/user/conf/gemfire.properties
sed -i "/^[^#]*cluster-ssl-ciphers/ c\cluster-ssl-ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" /usr/lib/vmware-vcops/user/conf/gemfire.native.properties
sed -i "/^[^#]*cluster-ssl-ciphers/ c\cluster-ssl-ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" /usr/lib/vmware-vcops/user/conf/gemfire.locator.properties
Repeat this step for each node.
d Navigate to the administrator user interface at URL/admin.
e Click Bring Online.
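The protocol and cipher checks in the preceding Apache and GemFire procedures can be scripted so that every node is verified the same way. The following shell helper is an added example for this guide; it is not VMware tooling and not part of the product. It reads the effective, uncommented directive from configuration files passed as parameters and reports any of SSLv2, SSLv3 and TLS 1.0 still enabled, any required "!" exclusion missing from the Apache SSLCipherSuite string, and any GemFire suite name carrying an obviously weak token. The sample configuration files it creates are constructed for the dry run, not copies of appliance files; GNU grep and sed are assumed.

```shell
#!/bin/bash
# Added audit helper, not VMware's tooling: reads the effective (uncommented)
# SSLProtocol / SSLCipherSuite directive from an Apache config and the
# cluster-ssl-protocols / cluster-ssl-ciphers key from a GemFire properties
# file, then reports weak protocols still allowed and cipher exclusions still
# missing. File paths are parameters; on the appliance they would be
# vcops-apache.conf and the three gemfire*.properties files. GNU grep/sed assumed.

# Print the value of the last uncommented "KEY value" or "KEY=value" line in FILE.
effective_value() {
    grep -v '^[[:space:]]*#' "$1" | grep -E "^[[:space:]]*$2([[:space:]]|=)" \
        | tail -n 1 | sed -E "s/^[[:space:]]*$2[[:space:]=]*//"
}

# Print each of SSLv2, SSLv3, TLSv1 that KEY in FILE still enables; return 1 if any.
# Apache "All -SSLv2 -SSLv3 -TLSv1" subtracts from everything; an explicit list
# (GemFire "TLSv1.2 TLSv1.1 TLSv1", or Apache without "All") enables only what it names.
weak_protocols() {
    value=$(effective_value "$1" "$2")
    weak=0
    for proto in SSLv2 SSLv3 TLSv1; do
        if printf '%s\n' "$value" | grep -qiw all; then
            printf '%s\n' "$value" | grep -Eq -- "(^| )-$proto( |$)" \
                || { echo "$proto"; weak=1; }
        else
            printf '%s\n' "$value" | grep -Eq -- "(^|[ ,])\\+?$proto([ ,]|$)" \
                && { echo "$proto"; weak=1; }
        fi
    done
    return $weak
}

# Print each required "!exclusion" missing from the Apache SSLCipherSuite string
# (the hardened string in the procedure carries all of them); return 1 if any.
apache_missing_exclusions() {
    value=$(effective_value "$1" SSLCipherSuite)
    missing=0
    for excl in aNULL ADH EXP MD5 3DES CAMELLIA PSK SRP DH; do
        printf '%s\n' "$value" | grep -Eq "!$excl(:|!|$)" \
            || { echo "!$excl"; missing=1; }
    done
    return $missing
}

# Print each GemFire suite name carrying an obviously weak token; return 1 if any.
gemfire_weak_ciphers() {
    value=$(effective_value "$1" cluster-ssl-ciphers)
    weak=0
    for suite in $(printf '%s\n' "$value" | tr ',' ' '); do
        printf '%s\n' "$suite" | grep -Eq 'NULL|anon|RC4|DES|MD5|EXPORT' \
            && { echo "$suite"; weak=1; }
    done
    return $weak
}

# Constructed sample configs (not copied from an appliance) for a dry run.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/apache-default.conf" <<'EOF'
# SSLProtocol All
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:!aNULL!ADH:!EXP:!MD5:!3DES:!CAMELLIA:!PSK:!SRP
EOF
    cat > "$dir/apache-hardened.conf" <<'EOF'
SSLProtocol All -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:!aNULL!ADH:!EXP:!MD5:!3DES:!CAMELLIA:!PSK:!SRP:!DH
EOF
    cat > "$dir/gemfire-default.properties" <<'EOF'
#cluster-ssl-protocols=any
cluster-ssl-protocols=TLSv1.2 TLSv1.1 TLSv1
cluster-ssl-ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA
EOF
    echo "$dir"
}

# Dry run against the constructed samples.
SAMPLES=$(make_samples)
for f in apache-default.conf apache-hardened.conf; do
    echo "== $f"
    weak_protocols "$SAMPLES/$f" SSLProtocol && echo "protocols OK"
    apache_missing_exclusions "$SAMPLES/$f" && echo "cipher exclusions OK"
done
echo "== gemfire-default.properties"
weak_protocols "$SAMPLES/gemfire-default.properties" cluster-ssl-protocols && echo "protocols OK"
gemfire_weak_ciphers "$SAMPLES/gemfire-default.properties" && echo "ciphers OK"
```

Each function returns 1 when it prints a finding, so the same calls can gate a deployment script; point them at the real paths and run them on every node before the cluster is brought back online.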
Enabling TLS on Localhost Connections
By default, the localhost connections to the PostgreSQL database do not use TLS. To enable TLS, you have to
either generate a self-signed certificate with OpenSSL or provide your own certificate.
To enable TLS on localhost connections to PostgreSQL, complete the following steps:
1 “Generate or Provide Your Own Self-Signed Certificate with OpenSSL,” on page 24
2 “Install the Certificate for PostgreSQL,” on page 24
3 “Enable TLS on PostgreSQL,” on page 25
Generate or Provide Your Own Self-Signed Certificate with OpenSSL
Localhost connections to the PostgreSQL database do not use TLS. To enable TLS, you can generate your
own self-signed certificate with OpenSSL or provide your own certificate.
- To generate a self-signed certificate with OpenSSL, run the following commands:
openssl req -new -text -out cert.req
openssl rsa -in privkey.pem -out cert.pem
openssl req -x509 -in cert.req -text -key cert.pem -out cert.cert
- To provide your own certificate, complete the following steps:
  - Modify the ownership of the CAcerts.crt file to postgres.
  - Edit the postgresql.conf file to include the directive ssl_ca_file = 'CAcerts.crt'.
If you are using a certificate with a CA chain, you must add a CAcerts.crt file containing the
intermediate and root CA certificates to the same directory.
Install the Certificate for PostgreSQL
You must install the certificate for PostgreSQL when you enable TLS on localhost connections to
PostgreSQL.
Procedure
1 Copy the cert.pem file to /storage/db/vcops/vpostgres/data/server.key.
2 Copy the cert.cert file to /storage/db/vcops/vpostgres/data/server.crt.
3 Run the chmod 600 /storage/db/vcops/vpostgres/data/server.key command.
4 Run the chmod 600 /storage/db/vcops/vpostgres/data/server.crt command.
5 Run the chown postgres /storage/db/vcops/vpostgres/data/server.key and chown postgres /storage/db/vcops/vpostgres/data/server.crt commands to change the ownership of the server.crt and server.key files from root to postgres.
Enable TLS on PostgreSQL
You must edit the postgresql.conf file to enable TLS on localhost connections to PostgreSQL.
Procedure
- Edit the postgresql.conf file at /storage/db/vcops/vpostgres/data/ and make the following changes:
a Set ssl = on.
b Set ssl_cert_file = 'server.crt'.
c Set ssl_key_file = 'server.key'.
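The three procedures above can be verified in one pass. The following shell helper is an added example, not VMware tooling: given a data directory and the uid that should own the key material, it checks the three postgresql.conf settings and confirms that the referenced server.key and server.crt exist with mode 600 and the expected owner. It also carries a non-interactive equivalent of the OpenSSL commands above (assumes the openssl CLI is installed; the dry run skips it when it is not). The sample data directory is constructed with placeholder files, and GNU stat is assumed.

```shell
#!/bin/bash
# Added verification helper, not VMware's tooling: checks that a PostgreSQL data
# directory has TLS enabled the way the steps above describe (ssl = on, ssl_cert_file,
# ssl_key_file) and that the referenced key and certificate are mode 600 and owned
# by the expected uid. The data directory and owner uid are parameters; on the
# appliance they are /storage/db/vcops/vpostgres/data and "$(id -u postgres)".
# GNU stat is assumed; the sample data directory below is constructed.

# Print the value of the last uncommented "KEY = 'value'" line in postgresql.conf.
pg_setting() {
    grep -v '^[[:space:]]*#' "$1" | grep -E "^[[:space:]]*$2[[:space:]]*=" \
        | tail -n 1 \
        | sed -E "s/^[^=]*=[[:space:]]*//; s/[[:space:]]*#.*$//; s/^'//; s/'$//"
}

# Print one finding per line for DATADIR; return 1 if anything is wrong.
check_pg_tls() {
    datadir=$1; uid=$2; conf="$datadir/postgresql.conf"; bad=0
    [ "$(pg_setting "$conf" ssl)" = "on" ] || { echo "ssl is not on"; bad=1; }
    for key in ssl_cert_file ssl_key_file; do
        name=$(pg_setting "$conf" "$key")
        [ -n "$name" ] || { echo "$key is not set"; bad=1; continue; }
        case $name in /*) path=$name ;; *) path="$datadir/$name" ;; esac
        [ -f "$path" ] || { echo "$key: $path is missing"; bad=1; continue; }
        mode=$(stat -c '%a' "$path"); owner=$(stat -c '%u' "$path")
        [ "$mode" = "600" ] || { echo "$path: mode $mode, expected 600"; bad=1; }
        [ "$owner" = "$uid" ] || { echo "$path: uid $owner, expected $uid"; bad=1; }
    done
    return $bad
}

# Non-interactive equivalent of the three OpenSSL commands above: one self-signed
# certificate for localhost with its unencrypted key (assumes the openssl CLI).
gen_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=localhost' \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# Constructed sample data directory (placeholder key material, not a real key).
make_pg_sample() {
    d=$(mktemp -d)
    cat > "$d/postgresql.conf" <<'EOF'
#ssl = off
ssl = on
ssl_cert_file = 'server.crt'   # installed per the procedure
ssl_key_file = 'server.key'
EOF
    printf 'placeholder key material\n' > "$d/server.key"
    printf 'placeholder certificate\n' > "$d/server.crt"
    chmod 600 "$d/server.key"
    chmod 644 "$d/server.crt"   # deliberately too open: step 4 requires 600
    echo "$d"
}

# Dry run: the first pass reports the over-permissive certificate, the second is clean.
SAMPLE=$(make_pg_sample)
check_pg_tls "$SAMPLE" "$(id -u)" || echo "-- findings above; correcting the mode"
chmod 600 "$SAMPLE/server.crt"
check_pg_tls "$SAMPLE" "$(id -u)" && echo "-- TLS configuration OK"
if command -v openssl >/dev/null 2>&1; then
    gen_selfsigned "$SAMPLE" && chmod 600 "$SAMPLE/server.key" "$SAMPLE/server.crt"
fi
```

Run the check after a PostgreSQL restart as well, because a key that is readable by other users or owned by root is accepted silently by some configurations and only shows up as a failed TLS handshake later.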
Application Resources That Must be Protected
As a security best practice, ensure that the application resources are protected.
Follow the steps to ensure that the application resources are protected.
Procedure
1 Run the find / -path /proc -prune -o -type f -perm +6000 -ls command to verify that the files have well-defined SUID and SGID bits set.
The following list appears:
354131 24 -rwsr-xr-x 1 polkituser root 23176 /usr/lib/PolicyKit/polkit-set-default-helper
354126 20 -rwxr-sr-x 1 root polkituser 19208 /usr/lib/PolicyKit/polkit-grant-helper
354125 20 -rwxr-sr-x 1 root polkituser 19008 /usr/lib/PolicyKit/polkit-explicit-grant-helper
354130 24 -rwxr-sr-x 1 root polkituser 23160 /usr/lib/PolicyKit/polkit-revoke-helper
354127 12 -rwsr-x--- 1 root polkituser 10744 /usr/lib/PolicyKit/polkit-grant-helper-pam
354128 16 -rwxr-sr-x 1 root polkituser 14856 /usr/lib/PolicyKit/polkit-read-auth-helper
73886 84 -rwsr-xr-x 1 root shadow 77848 /usr/bin/chsh
73888 88 -rwsr-xr-x 1 root shadow 85952 /usr/bin/gpasswd
73887 20 -rwsr-xr-x 1 root shadow 19320 /usr/bin/expiry
73890 84 -rwsr-xr-x 1 root root 81856 /usr/bin/passwd
73799 240 -rwsr-xr-x 1 root root 238488 /usr/bin/sudo
73889 20 -rwsr-xr-x 1 root root 19416 /usr/bin/newgrp
73884 92 -rwsr-xr-x 1 root shadow 86200 /usr/bin/chage
73885 88 -rwsr-xr-x 1 root shadow 82472 /usr/bin/chfn
73916 40 -rwsr-x--- 1 root trusted 40432 /usr/bin/crontab
296275 28 -rwsr-xr-x 1 root root 26945 /usr/lib64/pt_chown
353804 816 -r-xr-sr-x 1 root mail 829672 /usr/sbin/sendmail
278545 36 -rwsr-xr-x 1 root root 35792 /bin/ping6
278585 40 -rwsr-xr-x 1 root root 40016 /bin/su
278544 40 -rwsr-xr-x 1 root root 40048 /bin/ping
278638 72 -rwsr-xr-x 1 root root 69240 /bin/umount
278637 100 -rwsr-xr-x 1 root root 94808 /bin/mount
475333 48 -rwsr-x--- 1 root messagebus 47912 /lib64/dbus-1/dbus-daemon-launch-helper
41001 36 -rwsr-xr-x 1 root shadow 35688 /sbin/unix_chkpwd
41118 12 -rwsr-xr-x 1 root shadow 10736 /sbin/unix2_chkpwd
2 Run the find / -path */proc -prune -o -nouser -o -nogroup command to verify that all the files in the vApp have an owner.
All the files have an owner if there are no results.
3 Run the find / -name "*.*" -type f -perm -a+w | xargs ls -ldb command to verify that none of the files are world writable by reviewing the permissions of all the files on the vApp.
None of the files must include the permission xx2.
4 Run the find / -path */proc -prune -o ! -user root -o -user admin -print command to verify that the files are owned by the correct user.
All the files belong to either root or admin if there are no results.
5 Run the find /usr/lib/vmware-casa/ -type f -perm -o=w command to ensure that files in the /usr/lib/vmware-casa/ directory are not world writable.
There must be no results.
6 Run the find /usr/lib/vmware-vcops/ -type f -perm -o=w command to ensure that files in the /usr/lib/vmware-vcops/ directory are not world writable.
There must be no results.
7 Run the find /usr/lib/vmware-vcopssuite/ -type f -perm -o=w command to ensure that files in the /usr/lib/vmware-vcopssuite/ directory are not world writable.
There must be no results.
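The find commands in steps 1 through 7 can be kept as functions and compared against a recorded baseline, so that a change in the setuid listing is caught on every audit rather than read by eye. The following shell helper is an added example, not VMware tooling. It takes the directory to scan as a parameter, uses GNU find's -perm /6000 spelling for the -perm +6000 form shown above, and runs here against a constructed sample tree; on the appliance it would be pointed at / and at a baseline file saved from the listing above.

```shell
#!/bin/bash
# Added audit helper, not VMware's tooling: the three file-system checks from the
# procedure above (setuid/setgid files, world-writable files, files with no owner)
# as functions that take the root directory to scan, so the same code serves "/"
# on the appliance and the constructed sample tree used for the dry run. Uses GNU
# find, with "-perm /6000" as the current spelling of the "-perm +6000" form above.

# Print setuid or setgid regular files under ROOT, skipping ROOT/proc.
find_suid_sgid() {
    find "$1" -path "${1%/}/proc" -prune -o -type f -perm /6000 -print
}

# Print world-writable regular files under ROOT (mode ending in 2, 3, 6 or 7).
find_world_writable() {
    find "$1" -path "${1%/}/proc" -prune -o -type f -perm -o=w -print
}

# Print entries under ROOT whose uid or gid has no passwd/group entry.
find_unowned() {
    find "$1" -path "${1%/}/proc" -prune -o \( -nouser -o -nogroup \) -print
}

# Filter stdin against BASELINE (one expected path per line) and print only the
# paths that are not on it, so a known-good listing like the one above can be
# diffed against the live system instead of being read by eye.
unexpected_entries() {
    grep -vxF -f "$1" || true
}

# Constructed sample tree: two expected setuid binaries, one stray world-writable
# file, and a setuid file under proc that the prune must skip.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/tmp" "$root/proc"
    printf '#!/bin/sh\n' > "$root/usr/bin/passwd";  chmod 4755 "$root/usr/bin/passwd"
    printf '#!/bin/sh\n' > "$root/usr/bin/crontab"; chmod 4750 "$root/usr/bin/crontab"
    printf 'scratch\n' > "$root/tmp/notes.txt";     chmod 666 "$root/tmp/notes.txt"
    printf 'x\n' > "$root/proc/fake";               chmod 4777 "$root/proc/fake"
    printf '%s\n' "$root/usr/bin/crontab" "$root/usr/bin/passwd" > "$root/suid-baseline.txt"
    chmod 644 "$root/suid-baseline.txt"
    echo "$root"
}

# Dry run against the sample tree.
ROOT=$(make_sample_tree)
echo "== setuid/setgid files"; find_suid_sgid "$ROOT"
echo "== not on baseline";     find_suid_sgid "$ROOT" | unexpected_entries "$ROOT/suid-baseline.txt"
echo "== world writable";      find_world_writable "$ROOT"
echo "== unowned";             find_unowned "$ROOT"
```

Record the baseline once from a freshly hardened appliance and keep it under change control; a new path in the "not on baseline" output is the finding to investigate, and an entry that disappears from it is worth a look too.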
Configure PostgreSQL Client Authentication
You can congure the system for client authentication. You can congure the system for local trust
authentication. This allows any local user, including the database super user to connect as a PostgreSQL user
without a password. If you want to provide a strong defense and if you do not have signicant trust in all
local user accounts, use another authentication method. The md5 method is set by default. Verify that md5
is set for all local and host connections.
You can nd the client authentication conguration seings for the postgres service instance
in /storage/db/vcops/vpostgres/data/pg_hba.conf. Verify that md5 is set for all local and host connections.
The client authentication conguration seings for the postgres-repl service instance can be found
in /storage/db/vcops/vpostgres/repl/pg_hba.conf. Verify that md5 is set for all local and host connections.
N Do not modify client conguration seings for the postgres user account.
Apache Configuration
Disable Web Directory Browsing
As a security best practice, ensure that a user cannot browse through a directory because it can increase the
risk of exposure to directory traversal attacks.
Procedure
- Verify that web directory browsing is disabled for all directories.
a Open the /etc/apache2/default-server.conf and /usr/lib/vmware-vcopssuite/utilities/conf/vcops-apache.conf files in a text editor.
b Verify that for each <Directory> listing, the option called Indexes for the relevant tag is omitted from the Options line.
Remove the Sample Code for the Apache2 Server
Apache includes two sample Common Gateway Interface (CGI) scripts, printenv and test-cgi. A
production Web server must contain only components that are operationally necessary. These components
have the potential to disclose critical information about the system to an attacker.
As a security best practice, delete the CGI scripts from the cgi-bin directory.
Procedure
- To remove the test-cgi and printenv scripts, run the rm /usr/share/doc/packages/apache2/test-cgi and rm /usr/share/doc/packages/apache2/printenv commands.
Verify Server Tokens for the Apache2 Server
As part of your system hardening process, verify server tokens for the Apache2 server. The Web server
response header of an HTTP response can contain several fields of information. Information includes the
requested HTML page, the Web server type and version, the operating system and version, and ports
associated with the Web server. This information provides malicious users important information without
the use of extensive tools.
The directive ServerTokens must be set to Prod. For example, ServerTokens Prod. This directive controls
whether the response header field of the server that is sent back to clients includes a description of the
operating system and information about compiled-in modules.
Procedure
1 To verify server tokens, run the cat /etc/apache2/sysconfig.d/global.conf | grep ServerTokens command.
2 To modify ServerTokens OS to ServerTokens Prod, run the sed -i 's/\(ServerTokens\s\+\)OS/\1Prod/g' /etc/apache2/sysconfig.d/global.conf command.
Disable the Trace Method for the Apache2 Server
In standard production operations, use of diagnostics can reveal undiscovered vulnerabilities that lead to
compromised data. To prevent misuse of data, disable the HTTP Trace method.
Procedure
1 To verify the Trace method for the Apache2 server, run the following command: grep TraceEnable /usr/lib/vmware-vcopssuite/utilities/conf/vcops-apache.conf.
2 To disable the Trace method for the Apache2 server, run the following command: sed -i "/^[^#]*TraceEnable/ c\TraceEnable off" /usr/lib/vmware-vcopssuite/utilities/conf/vcops-apache.conf.
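The four Apache checks in this section (directory browsing, sample CGI scripts, ServerTokens and TraceEnable) can be audited together. The following shell helper is an added example, not VMware tooling; it takes each configuration file and the directory holding the sample scripts as parameters, runs here against constructed sample files, and assumes GNU grep and sed.

```shell
#!/bin/bash
# Added audit helper, not VMware's tooling: one pass over the four Apache items
# in this section. It reports Options lines that enable Indexes, a ServerTokens
# value other than Prod, TraceEnable missing or not off, and the two sample CGI
# scripts if they are still present. Config paths and the directory holding the
# samples are parameters; on the appliance they are the files named above.
# GNU grep/sed assumed; the sample files below are constructed.

# Print one finding per weak setting in FILE; return 1 if any.
audit_apache_conf() {
    bad=0
    active=$(grep -v '^[[:space:]]*#' "$1")
    # Directory browsing: any Options line carrying Indexes or +Indexes (-Indexes is fine)
    printf '%s\n' "$active" | grep -E '^[[:space:]]*Options[[:space:]]' \
        | grep -E '(^|[[:space:]])\+?Indexes([[:space:]]|$)' \
        | sed 's/^[[:space:]]*/directory browsing enabled: /' | grep . && bad=1
    # Server banner: ServerTokens must be Prod
    printf '%s\n' "$active" | grep -E '^[[:space:]]*ServerTokens[[:space:]]' \
        | grep -Ev '[[:space:]]Prod[[:space:]]*$' \
        | sed 's/^[[:space:]]*/version disclosure: /' | grep . && bad=1
    # TRACE: TraceEnable must be present and off (the Apache default is on)
    if printf '%s\n' "$active" | grep -Eq '^[[:space:]]*TraceEnable[[:space:]]'; then
        printf '%s\n' "$active" | grep -E '^[[:space:]]*TraceEnable[[:space:]]' \
            | grep -Eiv '[[:space:]]off[[:space:]]*$' \
            | sed 's/^[[:space:]]*/TRACE allowed: /' | grep . && bad=1
    else
        echo "TRACE allowed: TraceEnable not set"; bad=1
    fi
    return $bad
}

# Print each sample CGI script still present under DIR; return 1 if any.
audit_cgi_samples() {
    bad=0
    for s in printenv test-cgi; do
        [ -e "$1/$s" ] && { echo "sample script present: $1/$s"; bad=1; }
    done
    return $bad
}

# Constructed samples: one config the way a generic Apache ships, one hardened.
make_apache_samples() {
    d=$(mktemp -d)
    cat > "$d/default-server.conf" <<'EOF'
ServerTokens OS
TraceEnable on
<Directory "/srv/www/htdocs">
    Options Indexes FollowSymLinks
    # Options -Indexes
</Directory>
EOF
    cat > "$d/hardened.conf" <<'EOF'
ServerTokens Prod
TraceEnable off
<Directory "/srv/www/htdocs">
    Options -Indexes FollowSymLinks
</Directory>
EOF
    mkdir -p "$d/apache2-docs"
    : > "$d/apache2-docs/printenv"
    echo "$d"
}

# Dry run.
D=$(make_apache_samples)
for f in default-server.conf hardened.conf; do
    echo "== $f"
    audit_apache_conf "$D/$f" && echo "no findings"
done
echo "== sample CGI scripts"
audit_cgi_samples "$D/apache2-docs" && echo "none present"
```

On the appliance, run audit_apache_conf once per file named in this section (global.conf for ServerTokens, vcops-apache.conf for TraceEnable, and both default-server.conf and vcops-apache.conf for Options), because each directive lives in a different file and a clean result from one file says nothing about the others.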
Disable Configuration Modes
As a best practice, when you install, configure, or maintain vRealize Operations Manager, you can modify
the configuration or settings to enable troubleshooting and debugging of your installation.
Catalog and audit each of the changes you make to ensure that they are properly secured. Do not put the
changes into production if you are not sure that your configuration changes are correctly secured.
Managing Nonessential Software Components
To minimize security risks, remove or configure nonessential software from your
vRealize Operations Manager host machines.
Configure all software that you do not remove in accordance with manufacturer recommendations and
security best practices to minimize its potential to create security breaches.
Secure the USB Mass Storage Handler
Secure the USB mass storage handler to prevent it from loading by default on vRealize appliances and to
prevent its use as the USB device handler with the vRealize appliances. Potential attackers can exploit this
handler to install malicious software.
Procedure
1 Open the /etc/modprobe.conf.local file in a text editor.
2 Ensure that the install usb-storage /bin/true line appears in the file.
3 Save the file and close it.
Secure the Bluetooth Protocol Handler
Secure the Bluetooth protocol handler on your vRealize Appliances to prevent potential attackers from
exploiting it.
Binding the Bluetooth protocol to the network stack is unnecessary and can increase the attack surface of the
host. Prevent the Bluetooth protocol handler module from loading by default on vRealize Appliances.
Procedure
1 Open the /etc/modprobe.conf.local file in a text editor.
2 Ensure that the line install bluetooth /bin/true appears in this file.
3 Save the file and close it.
Secure the Stream Control Transmission Protocol
Prevent the Stream Control Transmission Protocol (SCTP) module from loading on vRealize appliances by
default. Potential attackers could exploit this protocol to compromise your system.
Configure your system to prevent the SCTP module from loading unless it is absolutely necessary. SCTP is
an unused IETF-standardized transport layer protocol. Binding this protocol to the network stack increases
the attack surface of the host. Unprivileged local processes might cause the kernel to dynamically load a
protocol handler by using the protocol to open a socket.
Procedure
1 Open the /etc/modprobe.conf.local file in a text editor.
2 Ensure that the following line appears in this file.
install sctp /bin/true
3 Save the file and close it.
Secure the Datagram Congestion Control Protocol
As part of your system hardening activities, prevent the Datagram Congestion Control Protocol (DCCP)
module from loading on vRealize appliances by default. Potential attackers can exploit this protocol to
compromise your system.
Avoid loading the DCCP module, unless it is absolutely necessary. DCCP is a proposed transport layer
protocol, which is not used. Binding this protocol to the network stack increases the attack surface of the
host. Unprivileged local processes can cause the kernel to dynamically load a protocol handler by using the
protocol to open a socket.
Procedure
1 Open the /etc/modprobe.conf.local file in a text editor.
2 Ensure that the DCCP lines appear in the file.
install dccp /bin/true
install dccp_ipv4 /bin/true
install dccp_ipv6 /bin/true
3 Save the file and close it.
Secure Reliable Datagram Sockets Protocol
As part of your system hardening activities, prevent the Reliable Datagram Sockets (RDS) protocol from
loading on your vRealize appliances by default. Potential attackers can exploit this protocol to compromise
your system.
Binding the RDS protocol to the network stack increases the attack surface of the host. Unprivileged local
processes might cause the kernel to dynamically load a protocol handler by using the protocol to open a
socket.
Procedure
1 Open the /etc/modprobe.conf.local file in a text editor.
2 Ensure that the install rds /bin/true line appears in this file.
3 Save the file and close it.
Secure the Transparent Inter-Process Communication Protocol
As part of your system hardening activities, prevent the Transparent Inter-Process Communication protocol
(TIPC) from loading on your virtual appliance host machines by default. Potential attackers can exploit this
protocol to compromise your system.
Binding the TIPC protocol to the network stack increases the attack surface of the host. Unprivileged local
processes can cause the kernel to dynamically load a protocol handler by using the protocol to open a
socket.
Procedure
1 Open the /etc/modprobe.conf.local file in a text editor.
2 Ensure that the install tipc /bin/true line appears in this file.
3 Save the file and close it.
Secure Internet Packet Exchange Protocol
Prevent the Internetwork Packet Exchange (IPX) protocol from loading on vRealize appliances by default.
Potential attackers could exploit this protocol to compromise your system.
Avoid loading the IPX protocol module unless it is absolutely necessary. The IPX protocol is an obsolete
network-layer protocol. Binding this protocol to the network stack increases the attack surface of the host.
Unprivileged local processes might cause the system to dynamically load a protocol handler by using the
protocol to open a socket.
Procedure
1 Open the /etc/modprobe.conf.local file in a text editor.
2 Ensure that the line install ipx /bin/true appears in this file.
3 Save the file and close it.
Secure Appletalk Protocol
Prevent the Appletalk protocol from loading on vRealize appliances by default. Potential attackers might
exploit this protocol to compromise your system.
Avoid loading the Appletalk Protocol module unless it is absolutely necessary. Binding this protocol to the
network stack increases the attack surface of the host. Unprivileged local processes might cause the system
to dynamically load a protocol handler by using the protocol to open a socket.
Procedure
1 Open the /etc/modprobe.conf.local file in a text editor.
2 Ensure that the line install appletalk /bin/true appears in this file.
3 Save the file and close it.
Secure DECnet Protocol
Prevent the DECnet protocol from loading on your system by default. Potential attackers might exploit this
protocol to compromise your system.
Avoid loading the DECnet Protocol module unless it is absolutely necessary. Binding this protocol to the
network stack increases the attack surface of the host. Unprivileged local processes could cause the system
to dynamically load a protocol handler by using the protocol to open a socket.
Procedure
1 Open the /etc/modprobe.conf.local file in a text editor.
2 Ensure that the line install decnet /bin/true appears in this file.
3 Save the file and close it.
Secure Firewire Module
Prevent the Firewire module from loading on vRealize appliances by default. Potential attackers might
exploit this module to compromise your system.
Avoid loading the Firewire module unless it is absolutely necessary.
Procedure
1 Open the /etc/modprobe.conf.local file in a text editor.
2 Ensure that the line install ieee1394 /bin/true appears in this file.
3 Save the file and close it.
Kernel Message Logging
The kernel.printk entry in the /etc/sysctl.conf file specifies the kernel print logging
settings.
There are 4 values specified:
- console loglevel. The lowest priority of messages printed to the console.
- default loglevel. The lowest level for messages without a specific log level.
- The lowest possible level for the console log level.
- The default value for console log level.
There are eight possible entries per value.
#define KERN_EMERG "<0>" /* system is unusable */
#define KERN_ALERT "<1>" /* action must be taken immediately */
#define KERN_CRIT "<2>" /* critical conditions */
#define KERN_ERR "<3>" /* error conditions */
#define KERN_WARNING "<4>" /* warning conditions */
#define KERN_NOTICE "<5>" /* normal but significant condition */
#define KERN_INFO "<6>" /* informational */
#define KERN_DEBUG "<7>" /* debug-level messages */
Set the kernel.printk values to 3 4 1 7 and ensure that the line kernel.printk=3 4 1 7 exists in
the /etc/sysctl.conf file.
End Point Operations Management Agent
The End Point Operations Management agent adds agent-based discovery and monitoring capabilities to
vRealize Operations Manager.
The End Point Operations Management agent is installed on the hosts directly and might or might not be at
the same level of trust as the End Point Operations Management server. Therefore, you must verify that the
agents are securely installed.
Security Best Practices for Running End Point Operations Management Agents
You must follow certain security best practices while using user accounts.
- For a silent installation, remove any credentials and server certificate thumbprints that were stored in
the AGENT_HOME/conf/agent.properties file.
- Use a vRealize Operations Manager user account reserved specifically for
End Point Operations Management agent registration. For more information, see the topic called "Roles
and Privileges" in vRealize Operations Manager in the vRealize Operations Manager Help.
- Disable the vRealize Operations Manager user account that you use for agent registration after the
installation is over. You must enable the user's access for agent administration activities. For more
information, see the topic called "Configuring Users and Groups in vRealize Operations Manager" in the
vRealize Operations Manager Help.
- If a system that runs an agent is compromised, you can revoke the agent certificate using the
vRealize Operations Manager user interface by removing the agent resource. See the section called
"Revoking an Agent" for more detail.
Minimum Required Permissions for Agent Functionality
You require permissions to install and modify a service. If you want to discover a running process, the user
account you use to run the agent must also have privileges to access the processes and programs. For
Windows operating system installations, you require permissions to install and modify a service. For Linux
installations, you require permission to install the agent as a service, if you install the agent using an RPM
installer.
The minimum credentials that are required for the agent to register with the vRealize Operations Manager
server are those for a user granted the Agent Manager role, without any assignment to objects within the
system.
Linux Based Platform Files and Permissions
After you install the End Point Operations Management agent, the owner is the user that installs the agent.
The installation directory and file permissions, such as 600 and 700, are set to the owner when the user who
installs the End Point Operations Management agent extracts the TAR file or installs the RPM.
NOTE When you extract the ZIP file, the permissions might not be correctly applied. Verify and ensure that
the permissions are correct.
All the files that are created and written to by the agent are given 700 permissions with the owner being the
user who runs the agent.
Table 3-1. Linux Files and Permissions
Directory or File                                           Permissions  Groups or Users  Read  Write  Execute
agent directory/bin                                         700          Owner            Yes   Yes    Yes
                                                                         Group            No    No     No
                                                                         All              No    No     No
agent directory/conf                                        700          Owner            Yes   Yes    Yes
                                                                         Group            No    No     No
                                                                         All              No    No     No
agent directory/log                                         700          Owner            Yes   Yes    No
                                                                         Group            No    No     No
                                                                         All              No    No     No
agent directory/data                                        700          Owner            Yes   Yes    Yes
                                                                         Group            No    No     No
                                                                         All              No    No     No
agent directory/bin/ep-agent.bat                            600          Owner            Yes   Yes    No
                                                                         Group            No    No     No
                                                                         All              No    No     No
agent directory/bin/ep-agent.sh                             700          Owner            Yes   Yes    Yes
                                                                         Group            No    No     No
                                                                         All              No    No     No
agent directory/conf/* (all files in the conf directory)    600          Owner            Yes   Yes    Yes
                                                                         Group            No    No     No
                                                                         All              No    No     No
agent directory/log/* (all files in the log directory)      600          Owner            Yes   Yes    No
                                                                         Group            No    No     No
                                                                         All              No    No     No
agent directory/data/* (all files in the data directory)    600          Owner            Yes   Yes    No
                                                                         Group            No    No     No
                                                                         All              No    No     No
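A check of an installed agent directory against Table 3-1 can be scripted as follows. This is an added example, not VMware tooling; it takes the agent directory and the uid that runs the agent as parameters, assumes GNU stat, and runs here against a constructed sample tree.

```shell
#!/bin/bash
# Added verification helper, not VMware's tooling: checks an agent directory
# against Table 3-1. The bin, conf, log and data directories and ep-agent.sh must
# be 700; ep-agent.bat (if present) and every file under conf, log and data must
# be 600; everything must belong to the uid that runs the agent. The agent path
# and that uid are parameters; GNU stat is assumed; the sample tree is constructed.

# Print a finding for PATH when its mode is not MODE or its uid is not UID; return 1 if so.
check_entry() {
    [ -e "$1" ] || { echo "$1: missing"; return 1; }
    mode=$(stat -c '%a' "$1"); owner=$(stat -c '%u' "$1"); rc=0
    [ "$mode" = "$2" ] || { echo "$1: mode $mode, expected $2"; rc=1; }
    [ "$owner" = "$3" ] || { echo "$1: uid $owner, expected $3"; rc=1; }
    return $rc
}

# Print every deviation from the table under AGENT_DIR; return 1 if any.
check_agent_perms() {
    agent=$1; uid=$2; bad=0
    for dir in bin conf log data; do
        check_entry "$agent/$dir" 700 "$uid" || bad=1
    done
    check_entry "$agent/bin/ep-agent.sh" 700 "$uid" || bad=1
    if [ -e "$agent/bin/ep-agent.bat" ]; then
        check_entry "$agent/bin/ep-agent.bat" 600 "$uid" || bad=1
    fi
    for dir in conf log data; do
        for f in "$agent/$dir"/*; do
            [ -f "$f" ] || continue      # an empty directory leaves the literal glob
            check_entry "$f" 600 "$uid" || bad=1
        done
    done
    return $bad
}

# Constructed sample agent tree (placeholder contents) with one log file left too open.
make_agent_sample() {
    a=$(mktemp -d)/epops-agent
    mkdir -p "$a/bin" "$a/conf" "$a/log" "$a/data"
    printf '#!/bin/sh\n' > "$a/bin/ep-agent.sh"
    printf 'placeholder=1\n' > "$a/conf/agent.properties"
    printf 'constructed log line\n' > "$a/log/agent.log"
    : > "$a/data/keystore"
    chmod 700 "$a/bin" "$a/conf" "$a/log" "$a/data" "$a/bin/ep-agent.sh"
    chmod 600 "$a/conf/agent.properties" "$a/data/keystore"
    chmod 644 "$a/log/agent.log"     # deliberately wrong: the table requires 600
    echo "$a"
}

# Dry run.
A=$(make_agent_sample)
check_agent_perms "$A" "$(id -u)" || echo "-- correct with: chmod 600 $A/log/agent.log"
```

This is the check to run after extracting the ZIP distribution, which the note above says may not preserve permissions, and again after any manual edit under conf, since a world-readable agent.properties would expose the credentials and thumbprint that the best-practices list says to remove after a silent installation.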
Windows Based Platform Files and Permissions
For a Windows based installation of the End Point Operations Management agent, the user installing the
agent must have permissions to install and modify the service.
After you install the End Point Operations Management agent, the installation folder including all
subdirectories and files should only be accessible by the SYSTEM, the administrators group, and the
installation user. When you install the End Point Operations Management agent using ep-agent.bat, ensure
that the hardening process succeeds. As the user installing the agent, it is advised that you take note of any
error messages. If the hardening process fails, the user can apply these permissions manually.
Table 3-2. Windows Files and Permissions
Directory or File                                           Groups or Users    Full Control  Modify  Read and Execute  Read  Write
<agent directory>/bin                                       SYSTEM             Yes           -       -                 -     -
                                                            Administrator      Yes           -       -                 -     -
                                                            Installation User  Yes           -       -                 -     -
                                                            Users              -             -       -                 -     -
<agent directory>/conf                                      SYSTEM             Yes           -       -                 -     -
                                                            Administrator      Yes           -       -                 -     -
                                                            Installation User  Yes           -       -                 -     -
                                                            Users              -             -       -                 -     -
<agent directory>/log                                       SYSTEM             Yes           -       -                 -     -
                                                            Administrator      Yes           -       -                 -     -
                                                            Installation User  Yes           -       -                 -     -
                                                            Users              -             -       -                 -     -
<agent directory>/data                                      SYSTEM             Yes           -       -                 -     -
                                                            Administrator      Yes           -       -                 -     -
                                                            Installation User  Yes           -       -                 -     -
                                                            Users              -             -       -                 -     -
<agent directory>/bin/hq-agent.bat                          SYSTEM             Yes           -       -                 -     -
                                                            Administrator      Yes           -       -                 -     -
                                                            Installation User  Yes           -       -                 -     -
                                                            Users              -             -       -                 -     -
<agent directory>/bin/hq-agent.sh                           SYSTEM             Yes           -       -                 -     -
                                                            Administrator      Yes           -       -                 -     -
                                                            Installation User  Yes           -       -                 -     -
                                                            Users              -             -       -                 -     -
<agent directory>/conf/* (all files in the conf directory)  SYSTEM             Yes           -       -                 -     -
                                                            Administrator      Yes           -       -                 -     -
                                                            Installation User  Yes           -       -                 -     -
                                                            Users              -             -       -                 -     -
<agent directory>/log/* (all files in the log directory)    SYSTEM             Yes           -       -                 -     -
                                                            Administrator      Yes           -       -                 -     -
                                                            Installation User  Yes           -       -                 -     -
                                                            Users              -             -       -                 -     -
<agent directory>/data/* (all files in data directory)      SYSTEM             Yes           -       -                 -     -
                                                            Administrator      Yes           -       -                 -     -
                                                            Installation User  Yes           -       -                 -     -
                                                            Users              -             -       -                 -     -
Open Ports on Agent Host
The agent process listens for commands on two ports, 127.0.0.1:2144 and 127.0.0.1:32000, that are
configurable. These ports might be arbitrarily assigned, and so the exact port number might vary. The agent
does not open ports on external interfaces.
Table 3-3. Minimum Required Ports
Port   Protocol  Direction  Comments
443    TCP       Outgoing   Used by the agent for outgoing connections over HTTP, TCP, or ICMP.
2144   TCP       Listening  Internal only. Configurable. Used for inter-process communication between the agent and the command line that loads and configures it. The agent process listens on this port.
                            NOTE The port number is assigned arbitrarily and might differ.
32000  TCP       Listening  Internal only. Configurable. Used for inter-process communication between the agent and the command line that loads and configures it. The agent process listens on this port.
                            NOTE The port number is assigned arbitrarily and might differ.
Revoking an Agent
If for any reason you need to revoke an agent, for example when a system with a running agent is
compromised, you can delete the agent resource from the system. Any subsequent request will fail
verification.
Use the vRealize Operations Manager user interface to revoke the agent certificate by removing the agent
resource. For more information, see “Removing the Agent Resource,” on page 35.
When the system is secured again, you can reinstate the agent. For more information, see “Reinstate an
Agent Resource,” on page 36.
Removing the Agent Resource
You can use the vRealize Operations Manager user interface to revoke the agent certificate by removing the
agent resource.
Prerequisites
To preserve the continuity of the resource with previously recorded metric data, take a record of the
End Point Operations Management agent token that is displayed in the resource details.
Procedure
1 Navigate to the Inventory Explorer in the vRealize Operations Manager user interface.
2 Open the Adapter Types tree.
3 Open the EP Ops Adapter list.
4 Select EP Ops Agent - *HOST_DNS_NAME*.
5 Click Edit Object.
6 Record the agent ID, which is the agent token string.
7 Close the Edit Object dialog box.
8 Select EP Ops Agent - *HOST_DNS_NAME* and click Delete Object.
Reinstate an Agent Resource
When the secure state of a system is recovered, you can reinstate a revoked agent. This ensures that the
agent continues to report on the same resources without losing historical data. To do this you must create a
new End Point Operations Management token file by using the same token recorded before you removed
the agent resource. See “Removing the Agent Resource,” on page 35.
Prerequisites
- Ensure that you have the recorded End Point Operations Management token string.
- Use the resource token recorded prior to removing the agent resource from the
vRealize Operations Manager server.
- Ensure that you have the Manage Agent privilege.
Procedure
1 Create the agent token file with the user that runs the agent.
For example, run the command to create a token file containing the 123-456-789 token.
- On Linux:
echo 123-456-789 > /etc/epops/epops-token
- On Windows:
echo 123-456-789 > %PROGRAMDATA%\VMware\Ep Ops Agent\epops-token
In the example, the token file is written to the default token location for that platform.
2 Install a new agent and register it with the vRealize Operations Manager server. Ensure that the agent
loads the token you inserted in the token file.
You must have the Manage Agent privilege to perform this action.
Agent Certificate Revocation and Update of Certificates
The reissue flow is initiated from the agent using the setup command line argument. When an agent that is
already registered runs the setup command line argument, ep-agent.sh setup, and fills in the required
credentials, a new registerAgent command is sent to the server.
The server detects that the agent is already registered and sends the agent a new client certificate without
creating another agent resource. On the agent side, the new client certificate replaces the old one. In cases
where the server certificate is modified and you run the ep-agent.sh setup command, you will see a
message that asks you to trust the new certificate. You can alternatively provide the new server certificate
thumbprint in the agent.properties file prior to running the ep-agent.sh setup command, in order to make
the process silent.
Prerequisites
You must have the Manage Agent privilege to revoke and update certificates.
Procedure
- On Linux based operating systems, run the ep-agent.sh setup command on the agent host. On
Windows based operating systems, run the ep-agent.bat setup command.
If the agent detects that the server certificate has been modified, a message is displayed. Accept the new
certificate if you trust it and it is valid.
Patching and Updating the End Point Operations Management Agent
If required, new End Point Operations Management agent bundles are available independent of
vRealize Operations Manager releases.
Patches or updates are not provided for the End Point Operations Management agent. You must install the
latest available version of the agent that includes the latest security fixes. Critical security fixes will be
communicated as per the VMware security advisory guidance. See the topic on Security Advisories.
Additional Secure Configuration Activities
Verify the server user accounts and delete unnecessary applications from the host servers. Block
unnecessary ports and disable the services running on your host server that are not required.
Verify Server User Account Settings
It is recommended that you verify that no unnecessary user accounts exist for local and domain user
accounts and settings.
Restrict any user account not related to the functioning of the application to those accounts required for
administration, maintenance, and troubleshooting. Restrict remote access from domain user accounts to the
minimum required to maintain the server. Strictly control and audit these accounts.
Delete and Disable Unnecessary Applications
Delete the unnecessary applications from the host servers. Each additional and unnecessary application
increases the risk of exposure because of their unknown or unpatched vulnerabilities.
Disabling Unnecessary Ports and Services
Verify the host server's firewall for the list of open ports that allow traffic.
Block all the ports that are not listed as a minimum requirement for vRealize Operations Manager in the
“Configuring Ports and Protocols,” on page 47 section of this document, or are not required. In addition,
audit the services running on your host server and disable those that are not required.
Chapter 4 Network Security and Secure Communication
As a security best practice, review and edit the network communication settings of your VMware virtual
appliances and host machines. You must also configure the minimum incoming and outgoing ports for
vRealize Operations Manager.
This chapter includes the following topics:
- “Configuring Network Settings for Virtual Application Installation,” on page 39
- “Configuring Ports and Protocols,” on page 47
Configuring Network Settings for Virtual Application Installation
To ensure that your VMware virtual appliance and host machines allow only safe and essential
communication, review and edit their network communication settings.
Prevent User Control of Network Interfaces
As a security best practice, restrict the ability to change the network interface settings to privileged users. If
users manipulate network interfaces, it might result in bypassing network security mechanisms or denial of
service. Ensure that network interfaces are not configured for user control.
Procedure
1 To verify user control settings, run the # grep -i '^USERCONTROL=' /etc/sysconfig/network/ifcfg*
command.
2 Make sure that each interface is set to NO.
Set the Queue Size for TCP Backlog
As a security best practice, configure a default TCP backlog queue size on VMware appliance host machines.
To mitigate TCP denial of service attacks, set an appropriate default size for the TCP backlog queue. The
recommended default setting is 1280.
Procedure
1 Run the # cat /proc/sys/net/ipv4/tcp_max_syn_backlog command on each VMware appliance host
machine.
2 Set the queue size for TCP backlog.
a Open the /etc/sysctl.conf file in a text editor.
b Set the default TCP backlog queue size by adding the following entry to the file.
net.ipv4.tcp_max_syn_backlog=1280
c Save your changes and close the file.
Deny ICMPv4 Echoes to Broadcast Address
Responses to broadcast Internet Control Message Protocol (ICMP) echoes provide an attack vector for
amplification attacks and can facilitate network mapping by malicious agents. Configuring your system to
ignore ICMPv4 broadcast echoes provides protection against such attacks.
Procedure
1 Run the # cat /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts command to verify that the system is
not sending responses to ICMP broadcast address echo requests.
2 Configure the host system to deny ICMPv4 broadcast address echo requests.
a Open the /etc/sysctl.conf file in a text editor.
b If the value for this entry is not set to 1, add the net.ipv4.icmp_echo_ignore_broadcasts=1 entry.
c Save the changes and close the file.
Configure the Host System to Disable IPv4 Proxy ARP
IPv4 Proxy ARP allows a system to send responses to ARP requests on one interface on behalf of hosts
connected to another interface. You must disable IPv4 Proxy ARP to prevent unauthorized information
sharing. Disable the setting to prevent leakage of addressing information between the attached network
segments.
Procedure
1 Run the # grep [01] /proc/sys/net/ipv4/conf/*/proxy_arp|egrep "default|all" command to verify
whether Proxy ARP is disabled.
2 Configure the host system to disable IPv4 Proxy ARP.
a Open the /etc/sysctl.conf file in a text editor.
b If the values are not set to 0, add the entries or update the existing entries accordingly. Set the value
to 0.
net.ipv4.conf.all.proxy_arp=0
net.ipv4.conf.default.proxy_arp=0
c Save any changes you made and close the file.
Configure the Host System to Ignore IPv4 ICMP Redirect Messages
As a security best practice, verify that the host system ignores IPv4 Internet Control Message Protocol
(ICMP) redirect messages. A malicious ICMP redirect message can allow a man-in-the-middle attack to
occur. Routers use ICMP redirect messages to notify hosts that a more direct route exists for a destination.
These messages modify the host's route table and are unauthenticated.
Procedure
1 Run the # grep [01] /proc/sys/net/ipv4/conf/*/accept_redirects|egrep "default|all" command
on the host system to check whether the host system ignores IPv4 redirect messages.
2 Configure the host system to ignore IPv4 ICMP redirect messages.
a Open the /etc/sysctl.conf file.
b If the values are not set to 0, add the following entries to the file or update the existing entries
accordingly. Set the value to 0.
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
c Save the changes and close the file.
Configure the Host System to Ignore IPv6 ICMP Redirect Messages
As a security best practice, verify that the host system ignores IPv6 Internet Control Message Protocol
(ICMP) redirect messages. A malicious ICMP redirect message might allow a man-in-the-middle attack to
occur. Routers use ICMP redirect messages to tell hosts that a more direct route exists for a destination.
These messages modify the host's route table and are unauthenticated.
Procedure
1 Run the # grep [01] /proc/sys/net/ipv6/conf/*/accept_redirects|egrep "default|all" command
on the host system and check whether it ignores IPv6 redirect messages.
2 Configure the host system to ignore IPv6 ICMP redirect messages.
a Open the /etc/sysctl.conf file to configure the host system to ignore the IPv6 redirect messages.
b If the values are not set to 0, add the following entries to the file or update the existing entries
accordingly. Set the value to 0.
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
c Save the changes and close the file.
Configure the Host System to Deny IPv4 ICMP Redirects
As a security best practice, verify that the host system denies IPv4 Internet Control Message Protocol (ICMP)
redirects. Routers use ICMP redirect messages to inform servers that a direct route exists for a particular
destination. These messages contain information from the system's route table that might reveal portions of
the network topology.
Procedure
1 Run the # grep [01] /proc/sys/net/ipv4/conf/*/send_redirects|egrep "default|all" command on the host
system to verify whether it denies IPv4 ICMP redirects.
2 Configure the host system to deny IPv4 ICMP redirects.
a Open the /etc/sysctl.conf file to configure the host system.
b If the values are not set to 0, add the following entries to the file or update the existing entries
accordingly. Set the value to 0.
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
c Save the changes and close the file.
Configure the Host System to Log IPv4 Martian Packets
As a security best practice, verify that the host system logs IPv4 Martian packets. Martian packets contain
addresses that the system knows to be invalid. Configure the host system to log the messages so that you
can identify misconfigurations or attacks in progress.
Procedure
1 Run the # grep [01] /proc/sys/net/ipv4/conf/*/log_martians|egrep "default|all" command to
check whether the host logs IPv4 Martian packets.
2 Configure the host system to log IPv4 Martian packets.
a Open the /etc/sysctl.conf file to configure the host system.
b If the values are not set to 1, add the following entries to the file or update the existing entries
accordingly. Set the value to 1.
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
c Save the changes and close the file.
Configure the Host System to use IPv4 Reverse Path Filtering
As a security best practice, configure your host machines to use IPv4 reverse path filtering. Reverse path
filtering protects against spoofed source addresses by causing the system to discard packets with source
addresses that have no route or whose route does not point towards the originating interface.
Configure your system to use reverse-path filtering whenever possible. Depending on the system role,
reverse-path filtering might cause legitimate traffic to be discarded. In such cases, you might need to use a
more permissive mode or disable reverse-path filtering altogether.
Procedure
1 Run the # grep [01] /proc/sys/net/ipv4/conf/*/rp_filter|egrep "default|all" command on the
host system to check whether the system uses IPv4 reverse path filtering.
2 Configure the host system to use IPv4 reverse path filtering.
a Open the /etc/sysctl.conf file to configure the host system.
b If the values are not set to 1, add the following entries to the file or update the existing entries
accordingly. Set the value to 1.
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
c Save the changes and close the file.
Configure the Host System to Deny IPv4 Forwarding
As a security best practice, verify that the host system denies IPv4 forwarding. If the system is configured
for IP forwarding and is not a designated router, it could be used to bypass network security by providing a
path for communication that is not filtered by network devices.
Procedure
1 Run the # cat /proc/sys/net/ipv4/ip_forward command to verify whether the host denies IPv4
forwarding.
2 Configure the host system to deny IPv4 forwarding.
a Open the /etc/sysctl.conf file to configure the host system.
b If the value is not set to 0, add the following entry to the file or update the existing entry
accordingly. Set the value to 0.
net.ipv4.ip_forward=0
c Save the changes and close the file.
Configure the Host System to Deny Forwarding of IPv4 Source Routed Packets
Source-routed packets allow the source of the packet to suggest that routers forward the packet along a
different path than what is configured on the router, which can be used to bypass network security
measures.
This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is
enabled and the system is functioning as a router.
Procedure
1 Run the # grep [01] /proc/sys/net/ipv4/conf/*/accept_source_route|egrep "default|all"
command to verify that the system does not accept IPv4 source routed packets.
2 Configure the host system to deny forwarding of IPv4 source routed packets.
a Open the /etc/sysctl.conf file with a text editor.
b If the values are not set to 0, ensure that net.ipv4.conf.all.accept_source_route=0 and
net.ipv4.conf.default.accept_source_route=0 are set.
c Save and close the file.
Configure the Host System to Deny IPv6 Forwarding
As a security best practice, verify that the host system denies IPv6 forwarding. If the system is configured
for IP forwarding and is not a designated router, it can be used to bypass network security by providing a
path for communication that is not filtered by network devices.
Procedure
1 Run the # grep [01] /proc/sys/net/ipv6/conf/*/forwarding|egrep "default|all" command to verify
whether the host denies IPv6 forwarding.
2 Configure the host system to deny IPv6 forwarding.
a Open the /etc/sysctl.conf file to configure the host system.
b If the values are not set to 0, add the following entries to the file or update the existing entries
accordingly. Set the value to 0.
net.ipv6.conf.all.forwarding=0
net.ipv6.conf.default.forwarding=0
c Save the changes and close the file.
Configure the Host System to Use IPv4 TCP Syncookies
As a security best practice, verify that the host system uses IPv4 Transmission Control Protocol (TCP)
Syncookies. A TCP SYN flood attack might cause a denial of service by filling a system's TCP connection
table with connections in the SYN_RCVD state. Syncookies are used so as not to track a connection until a
subsequent ACK is received, verifying that the initiator is attempting a valid connection and is not a flood
source.
This technique does not operate in a fully standards-compliant manner, but is only activated when a flood
condition is detected, and allows defence of the system while continuing to service valid requests.
Procedure
1 Run the # cat /proc/sys/net/ipv4/tcp_syncookies command to verify whether the host system uses
IPv4 TCP Syncookies.
2 Configure the host system to use IPv4 TCP syncookies.
a Open the /etc/sysctl.conf file to configure the host system.
b If the value is not set to 1, add the following entry to the file or update the existing entry
accordingly. Set the value to 1.
net.ipv4.tcp_syncookies=1
c Save the changes and close the file.
Configure the Host System to Deny IPv6 Router Advertisements
As a security best practice, verify that the host system denies the acceptance of router advertisements and
Internet Control Message Protocol (ICMP) redirects unless necessary. A feature of IPv6 is that systems can
configure their networking devices automatically using information from the network. From a security
perspective, it is preferable to set important configuration information manually rather than accepting it
from the network in an unauthenticated way.
Procedure
1 Run the # grep [01] /proc/sys/net/ipv6/conf/*/accept_ra|egrep "default|all" command on the
host system to verify whether the system denies the acceptance of router advertisements and ICMP
redirects unless necessary.
2 Configure the host system to deny IPv6 router advertisements.
a Open the /etc/sysctl.conf file.
b If the values are not set to 0, add the following entries to the file or update the existing entries
accordingly. Set the value to 0.
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
c Save the changes and close the file.
Configure the Host System to Deny IPv6 Router Solicitations
As a security best practice, verify that the host system denies IPv6 router solicitations unless necessary. The
router solicitations setting determines how many router solicitations are sent when bringing up the
interface. If addresses are assigned statically, there is no need to send any solicitations.
Procedure
1 Run the # grep [01] /proc/sys/net/ipv6/conf/*/router_solicitations|egrep "default|all"
command to verify whether the host system denies IPv6 router solicitations unless necessary.
2 Configure the host system to deny IPv6 router solicitations.
a Open the /etc/sysctl.conf file.
b If the values are not set to 0, add the following entries to the file or update the existing entries
accordingly. Set the value to 0.
net.ipv6.conf.all.router_solicitations=0
net.ipv6.conf.default.router_solicitations=0
c Save the changes and close the file.
Configure the Host System to Deny IPv6 Router Preference in Router
Solicitations
As a security best practice, verify that your host system denies IPv6 router solicitations unless necessary. The
router preference in the solicitations setting determines router preferences. If addresses are assigned
statically, there is no need to receive any router preference for solicitations.
Procedure
1 Run the # grep [01] /proc/sys/net/ipv6/conf/*/accept_ra_rtr_pref|egrep "default|all" command on the
host system to verify whether the host system denies IPv6 router solicitations.
2 Configure the host system to deny IPv6 router preference in router solicitations.
a Open the /etc/sysctl.conf file.
b If the values are not set to 0, add the following entries to the file or update the existing entries
accordingly. Set the value to 0.
net.ipv6.conf.all.accept_ra_rtr_pref=0
net.ipv6.conf.default.accept_ra_rtr_pref=0
c Save the changes and close the file.
Configure the Host System to Deny IPv6 Router Prefix
As a security best practice, verify that the host system denies IPv6 router prefix information unless
necessary. The accept_ra_pinfo setting controls whether the system accepts prefix information from the
router. If addresses are statically assigned, the system does not need to receive any router prefix information.
Procedure
1 Run the # grep [01] /proc/sys/net/ipv6/conf/*/accept_ra_pinfo|egrep "default|all" command to verify
whether the system denies IPv6 router prefix information.
2 Configure the host system to deny IPv6 router prefix information.
a Open the /etc/sysctl.conf file.
b If the values are not set to 0, add the following entries to the file or update the existing entries
accordingly. Set the value to 0.
net.ipv6.conf.all.accept_ra_pinfo=0
net.ipv6.conf.default.accept_ra_pinfo=0
c Save the changes and close the file.
Configure the Host System to Deny IPv6 Router Advertisement Hop Limit
Settings
As a security best practice, verify that the host system denies IPv6 router advertisement Hop Limit settings
from a router advertisement unless necessary. The accept_ra_defrtr setting controls whether the system
will accept Hop Limit settings from a router advertisement. Setting it to 0 prevents a router from changing
your default IPv6 Hop Limit for outgoing packets.
Procedure
1 Run the # grep [01] /proc/sys/net/ipv6/conf/*/accept_ra_defrtr|egrep "default|all" command
to verify that the host system denies IPv6 router Hop Limit settings.
2 If the values are not set to 0, configure the host system to deny IPv6 router advertisement Hop Limit
settings.
a Open the /etc/sysctl.conf file.
b If the values are not set to 0, add the following entries to the file or update the existing entries
accordingly. Set the value to 0.
net.ipv6.conf.all.accept_ra_defrtr=0
net.ipv6.conf.default.accept_ra_defrtr=0
c Save the changes and close the file.
Configure the Host System to Deny IPv6 Router Advertisement Autoconf
Settings
As a security best practice, verify that the host system denies IPv6 router advertisement autoconf settings.
The autoconf setting controls whether router advertisements can cause the system to assign a global unicast
address to an interface.
Procedure
1 Run the # grep [01] /proc/sys/net/ipv6/conf/*/autoconf|egrep "default|all" command to verify
whether the host system denies IPv6 router advertisement autoconf settings.
2 If the values are not set to 0, configure the host system to deny IPv6 router advertisement autoconf
settings.
a Open the /etc/sysctl.conf file.
b If the values are not set to 0, add the following entries to the file or update the existing entries
accordingly. Set the value to 0.
net.ipv6.conf.all.autoconf=0
net.ipv6.conf.default.autoconf=0
c Save the changes and close the file.
Configure the Host System to Deny IPv6 Neighbor Solicitations
As a security best practice, verify that the host system denies IPv6 neighbor solicitations unless necessary.
The dad_transmits setting determines how many neighbor solicitations are sent out per address,
including global and link-local, when you bring up an interface, to ensure that the desired address is unique on
the network.
Procedure
1 Run the # grep [01] /proc/sys/net/ipv6/conf/*/dad_transmits|egrep "default|all" command to
verify whether the host system denies IPv6 neighbor solicitations.
2 If the values are not set to 0, configure the host system to deny IPv6 neighbor solicitations.
a Open the /etc/sysctl.conf file.
b If the values are not set to 0, add the following entries to the file or update the existing entries
accordingly. Set the value to 0.
net.ipv6.conf.all.dad_transmits=0
net.ipv6.conf.default.dad_transmits=0
c Save the changes and close the file.
Configure the Host System to Restrict IPv6 Maximum Addresses
As a security best practice, verify that the host restricts the maximum number of IPv6 addresses that can be
assigned. The max_addresses setting determines how many global unicast IPv6 addresses can be
assigned to each interface. The default is 16, but you must set the number to the statically configured global
addresses required.
Procedure
1 Run the # grep [1] /proc/sys/net/ipv6/conf/*/max_addresses|egrep "default|all" command to
verify whether the host system restricts the maximum number of IPv6 addresses that can be assigned.
2 If the values are not set to 1, configure the host system to restrict the maximum number of IPv6
addresses that can be assigned.
a Open the /etc/sysctl.conf file.
b Add the following entries to the file or update the existing entries accordingly. Set the value to 1.
net.ipv6.conf.all.max_addresses=1
net.ipv6.conf.default.max_addresses=1
c Save the changes and close the file.
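Every procedure in this section follows the same pattern: read the live value from /proc/sys, then pin the key in /etc/sysctl.conf. The following shell script is an added example, not part of the VMware guide, that audits all of the keys listed in this chapter in one pass. It reads each value from a /proc/sys tree (the root directory is a parameter, so the check can also be pointed at a copied tree), reports every key that differs from the value the guide requires, and prints the /etc/sysctl.conf entries to add. The HARDENED_SYSCTLS list and the function names are the example's own; the keys and values are those from the procedures above, with the TCP backlog treated as a minimum of 1280 rather than an exact match.

```shell
#!/bin/sh
# Added example, not part of the VMware guide: audit the kernel network
# parameters this chapter hardens by reading each key from a /proc/sys
# tree and comparing it with the value the guide calls for.
# Keys and values are the ones from the procedures above; a value written
# as ">=N" means "at least N" (the guide's TCP backlog recommendation).

HARDENED_SYSCTLS='
net.ipv4.tcp_max_syn_backlog >=1280
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.conf.all.proxy_arp 0
net.ipv4.conf.default.proxy_arp 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv6.conf.all.accept_redirects 0
net.ipv6.conf.default.accept_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.send_redirects 0
net.ipv4.conf.all.log_martians 1
net.ipv4.conf.default.log_martians 1
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.default.rp_filter 1
net.ipv4.ip_forward 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.default.accept_source_route 0
net.ipv6.conf.all.forwarding 0
net.ipv6.conf.default.forwarding 0
net.ipv4.tcp_syncookies 1
net.ipv6.conf.all.accept_ra 0
net.ipv6.conf.default.accept_ra 0
net.ipv6.conf.all.router_solicitations 0
net.ipv6.conf.default.router_solicitations 0
net.ipv6.conf.all.accept_ra_rtr_pref 0
net.ipv6.conf.default.accept_ra_rtr_pref 0
net.ipv6.conf.all.accept_ra_pinfo 0
net.ipv6.conf.default.accept_ra_pinfo 0
net.ipv6.conf.all.accept_ra_defrtr 0
net.ipv6.conf.default.accept_ra_defrtr 0
net.ipv6.conf.all.autoconf 0
net.ipv6.conf.default.autoconf 0
net.ipv6.conf.all.dad_transmits 0
net.ipv6.conf.default.dad_transmits 0
net.ipv6.conf.all.max_addresses 1
net.ipv6.conf.default.max_addresses 1
'

# sysctl_value KEY [PROC_ROOT]: print the live value of KEY from the
# /proc/sys tree rooted at PROC_ROOT (default /proc/sys); fail if unreadable.
sysctl_value() {
    _path="${2:-/proc/sys}/$(printf '%s' "$1" | tr . /)"
    [ -r "$_path" ] || return 1
    tr -d '[:space:]' < "$_path"
}

# value_ok CURRENT EXPECTED: succeed when CURRENT satisfies EXPECTED.
value_ok() {
    case $2 in
        '>='*) [ "$1" -ge "${2#>=}" ] 2>/dev/null ;;
        *)     [ "$1" = "$2" ] ;;
    esac
}

# audit_sysctls [PROC_ROOT]: print "key current expected" for every key
# that drifts from the guide (a missing key shows "-" as its value) and
# return the number of drifted keys, so 0 means the host matches this chapter.
audit_sysctls() {
    _root=${1:-/proc/sys}
    _drift=0
    while read -r _key _expected; do
        [ -n "$_key" ] || continue
        _current=$(sysctl_value "$_key" "$_root") || _current='-'
        if ! value_ok "$_current" "$_expected"; then
            printf '%s %s %s\n' "$_key" "$_current" "$_expected"
            _drift=$((_drift + 1))
        fi
    done <<EOF
$HARDENED_SYSCTLS
EOF
    return $_drift
}

# sysctl_conf_lines: print the /etc/sysctl.conf entries the guide asks you
# to add, in the "key=value" form used throughout the procedures.
sysctl_conf_lines() {
    printf '%s\n' "$HARDENED_SYSCTLS" | while read -r _key _expected; do
        [ -n "$_key" ] || continue
        printf '%s=%s\n' "$_key" "${_expected#>=}"
    done
}
```

On a live appliance, run audit_sysctls as root; each printed line is a key to fix, and the function's exit status is the number of drifted keys, which makes it easy to wire into a compliance job. To apply the guide's settings, append the output of sysctl_conf_lines to /etc/sysctl.conf and reload with sysctl -p, then run the audit again to confirm it returns 0.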
Configuring Ports and Protocols
As a security best practice, disable all non-essential ports and protocols.
Configure the minimum incoming and outgoing ports for vRealize Operations Manager components as
required for important system components to operate in production.
Minimum Default Incoming Ports
As a security best practice, configure the incoming ports required for vRealize Operations Manager to
operate in production.
Table 4-1. Minimum Required Incoming Ports
Port          Protocol      Comments
443           TCP           Used to access the vRealize Operations Manager user interface and the vRealize Operations Manager administrator interface.
123           UDP           Used by vRealize Operations Manager for Network Time Protocol (NTP) synchronization to the master node.
5433          TCP           Used by the master and replica nodes to replicate the global database (vPostgreSQL) when high availability is enabled.
7001          TCP           Used by Cassandra for secure inter-node cluster communication. Do not expose this port to the internet. Add this port to a firewall.
9042          TCP           Used by Cassandra for secure client-related communication among nodes. Do not expose this port to the internet. Add this port to a firewall.
6061          TCP           Used by clients to connect to the GemFire Locator to get connection information to servers in the distributed system. Also monitors server load to send clients to the least-loaded servers.
10000-10010   TCP and UDP   GemFire Server ephemeral port range used for unicast UDP messaging and for TCP failure detection in a peer-to-peer distributed system.
20000-20010   TCP and UDP   GemFire Locator ephemeral port range used for unicast UDP messaging and for TCP failure detection in a peer-to-peer distributed system.
Table 4-2. Optional Incoming Ports
Port          Protocol      Comments
22            TCP           Optional. Secure Shell (SSH). The SSH service listening on port 22, or any other port, must be disabled in a production environment, and port 22 must be closed.
80            TCP           Optional. Redirects to 443.
3091-3101     TCP           When Horizon View is installed, used to access data for vRealize Operations Manager from Horizon View.
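To turn the two tables into a check you can run on a node, the following shell script is an added example, not from the VMware guide. It takes the node's listening sockets in the layout printed by ss -lntu with the header line removed (Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port; this input format is an assumption), classifies each listener as required (Table 4-1), optional (Table 4-2), loopback-only, or unexpected, and returns the number of unexpected listeners. Port 22 is deliberately left out of both sets so that an SSH listener is flagged, because the guide requires it to be closed in production. The socket list embedded in the script is constructed for the example, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the VMware guide: compare a node's listening
# sockets with the ports documented in Table 4-1 and Table 4-2 and flag
# listeners that belong to neither. Input lines are assumed to have the
# layout of "ss -lntu" output with the header removed:
#   Netid State Recv-Q Send-Q Local:Port Peer:Port

# Required incoming ports (Table 4-1), as proto:port or proto:first-last.
REQUIRED_PORTS='tcp:443 udp:123 tcp:5433 tcp:7001 tcp:9042 tcp:6061
tcp:10000-10010 udp:10000-10010 tcp:20000-20010 udp:20000-20010'
# Optional incoming ports (Table 4-2). Port 22 is deliberately omitted so
# that any SSH listener is reported as unexpected, as the guide requires.
OPTIONAL_PORTS='tcp:80 tcp:3091-3101'

# port_in_set PROTO PORT SET: succeed when PROTO:PORT matches an entry of SET.
port_in_set() {
    for _entry in $3; do
        _proto=${_entry%%:*}
        _range=${_entry#*:}
        [ "$_proto" = "$1" ] || continue
        case $_range in
            *-*) [ "$2" -ge "${_range%-*}" ] && [ "$2" -le "${_range#*-}" ] && return 0 ;;
            *)   [ "$2" -eq "$_range" ] && return 0 ;;
        esac
    done
    return 1
}

# classify_listeners: read socket lines on stdin, print "proto port verdict"
# for each one (required, optional, local, or unexpected) and return the
# number of unexpected listeners, so 0 means the node matches the tables.
classify_listeners() {
    _unexpected=0
    while read -r _netid _state _rq _sq _local _peer _rest; do
        [ -n "$_netid" ] || continue
        _port=${_local##*:}
        _addr=${_local%:*}
        if [ "$_addr" = 127.0.0.1 ] || [ "$_addr" = '[::1]' ]; then
            _verdict=local        # bound to loopback only, not reachable remotely
        elif port_in_set "$_netid" "$_port" "$REQUIRED_PORTS"; then
            _verdict=required
        elif port_in_set "$_netid" "$_port" "$OPTIONAL_PORTS"; then
            _verdict=optional
        else
            _verdict=unexpected
            _unexpected=$((_unexpected + 1))
        fi
        printf '%s %s %s\n' "$_netid" "$_port" "$_verdict"
    done
    return $_unexpected
}

# Constructed sample in the assumed "ss -lntu" layout (not a real capture).
SAMPLE_SS='tcp LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
tcp LISTEN 0 128 [::]:443 [::]:*
udp UNCONN 0 0 0.0.0.0:123 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:5433 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:7001 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:9042 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:6061 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:10003 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:20004 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*'

# audit_sample: run the classification over the constructed sample.
# On a live node use:  ss -lntu | tail -n +2 | classify_listeners
audit_sample() {
    printf '%s\n' "$SAMPLE_SS" | classify_listeners
}
```

A listener reported as unexpected is either a service that should be disabled on the node or a port that must be blocked at the firewall; the loopback-only class covers services such as the local database that the guide expects to stay reachable from the node itself only.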
Chapter 5 Auditing and Logging on your vRealize Operations Manager System
As a security best practice, set up auditing and logging on your vRealize Operations Manager system.
The detailed implementation of auditing and logging is outside the scope of this document.
Remote logging to a central log host provides a secure store for logs. By collecting log files on a central host,
you can easily monitor the environment with a single tool. You can also perform aggregate analysis and
search for coordinated attacks on multiple entities within the infrastructure. Logging to a secure, centralized
log server can help prevent log tampering and also provide a long-term audit record.
This chapter includes the following topics:
- “Securing the Remote Logging Server,” on page 49
- “Use an Authorized NTP Server,” on page 49
- “Client Browser Considerations,” on page 49
Securing the Remote Logging Server
As a security best practice, ensure that the remote logging server can be configured only by an authorized
user and is secure.
Attackers who breach the security of your host machine might search for and attempt to tamper with log
files to cover their tracks and maintain control without being discovered.
Use an Authorized NTP Server
Ensure that all the host systems use the same relative time source, including the relevant localization offset.
You can correlate the relative time source to an agreed-upon time standard such as Coordinated Universal
Time (UTC).
You can easily track and correlate an intruder's actions when you review the relevant log files. Incorrect time
settings can make it difficult to inspect and correlate log files to detect attacks, and can make auditing
inaccurate. You can use at least three NTP servers from outside time sources or configure a few local
NTP servers on a trusted network that obtain their time from at least three outside time sources.
Client Browser Considerations
As a security best practice, do not use vRealize Operations Manager from untrusted or unpatched clients or
from clients that use browser extensions.
Index
A
administrative accounts 13
agent certificate revocation 36
apache configuration 27
Apache httpd 21
application resources, protect 25
auditing 49
authorized NTP server 49
B
best practices, End Point Operations
Management agents 31
Bluetooth protocol handler 28
boot loader authentication 17
browser considerations 49
C
cipher suites in GemFire 23
cipher suites in Apache httpd 23
client configuration, secure shell 16
configuration, PostgreSQL client
authentication 26
configuration modes, disable 28
configure 28
configure network settings for OVF 39
configure network time protocol 20
console access 13
D
data in transit 21
Datagram Congestion Control Protocol 29
DECnet Protocol, secure 30
deny forwarding 43
deny ICMPv4 echoes to broadcast address 40
deny IPv6 router settings 46
deny IPv6 router advertisement hop limit 46
disable, unnecessary applications 37
disable browsing 27
disable direct logins 17
disable directory browsing 27
disable SSH access for the admin user
account 17
disable TCP timestamp response 20
disable the trace method:Apache2 server 27
disable unnecessary ports 37
disable unnecessary services 37
E
enable TLS on PostgreSQL 25
enabling FIPS 140-2 mode 20
enabling TLS 24
End Point Operations Management agent 31
F
file permissions, secure shell 15
G
GemFire TLS handler protocols 21
generate a self-signed certificate with
OpenSSL 24
glossary 5
H
hardening infrastructure 9
hardening for Linux installation 10
hardening the vSphere environment 10
I
infrastructure, hardening 9
install the certificate for PostgreSQL 24
intended audience 5
inventory of unsupported software 10
IPV4 source routed packets 43
IPv4, deny IPv4 forwarding 42
IPv4, deny IPv4 ICMP redirects 41
IPv4, disable proxy ARP 40
IPv4, ignore ICMP redirect messages 40
IPv4, ignore IPv4 reverse path filtering 42
IPv4, log IPv4 Martian packets 42
IPv4, use IPv4 TCP syncookies 44
IPv6 autoconf settings 46
IPv6, deny IPv6 forwarding 43
IPv6, deny IPv6 neighbor solicitations 47
IPv6, deny IPv6 router advertisements 44
IPv6, deny IPv6 router prefix 45
IPv6, deny IPv6 router solicitations 45
IPv6, deny IPv6 router preference in router
solicitations 45
IPv6, ignore ICMP redirect messages 41
IPv6, restrict IPv6 maximum addresses 47
VMware, Inc. 51
K
kernel message logging 31
L
local administrative account, creating 14
logging 49
M
maintenance mode authentication 18
managing nonessential software 28
minimal necessary groups 18
minimal user accounts 18
minimum incoming ports 48
minimum permissions, agent functionality 32
monitor minimal necessary groups 18
monitor minimal user accounts 18
N
network settings 39
O
open ports on agent host 35
OVF, network settings 39
P
password expiry 13
patching 37
platform files and permissions, Linux 32
platform files and permissions, Windows 33
ports
incoming 39
outgoing 39
ports and protocols, configuring 47
prevent user control 39
R
reinstate an agent resource 36
remote logging server > securing 49
remove the agent resource 35
removing sample code:Apache2 server 27
resetting the password on Linux clusters 19
review installed software 10
revoking an agent 35
root password, change 12
root user, secure shell 13
S
secure
Appletalk Protocol 30
Firewire Module 30
Internet Packet Exchange Protocol 30
Reliable Datagram Sockets protocol 29
Transparent Inter-Process Communication
protocol 29
secure configuration 11
Secure Shell, restricting access 15
secure configuration activities 37
secure deployment of vRealize Operations
Manager 9
secure remote logging server 49
secure shell client configuration 16
secure shell file permissions 15
secure shell server configuration 15
Secure Shell, managing 13
secure the console 12
security posture 7
security advisories, patches 10
server configuration, secure shell 15
single-user authentication 18
Stream Control Transmission Protocol 28
strong ciphers, configure 22
strong protocols, configure 21
T
TCP backlog queue size 39
third-party software 10
TLS for data in transit 21
U
unnecessary applications, delete 37
updates 37
updating certificates 36
USB mass storage handler 28
V
verify, server user account settings 37
verify server tokens:apache2 server 27
verifying the installation media 9
virtual appliances
Bluetooth protocol handler 28
boot loader authentication 17
configure network time protocol 20
enable or disable Secure Shell 14
USB mass storage handler 28
virtual machines, disable IPv4 proxy ARP 40
virtual machines, deny ICMPv4 echoes to
broadcast address 40
vRealize Operations Manager administrative
password 19