VMware vRealize Operations Manager - 6.4 User Manual

Secure Configuration
vRealize Operations Manager 6.4
Secure Configuration
You can find the most up-to-date technical documentation on the VMware Web site at:
hps://docs.vmware.com/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
Copyright © 2017 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc.
3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com
2 VMware, Inc.

Contents

Secure Conguration 5
vRealize Operations Manager Security Posture 7
1
Secure Deployment of vRealize Operations Manager 9
2
Verify the Integrity of Installation Media 9
Hardening the Deployed Software Infrastructure 9
Reviewing Installed and Unsupported Software 10
VMware Security Advisories and Patches 11
Secure Conguration of vRealize Operations Manager 13
3
Secure the vRealize Operations Manager Console 14
Change the Root Password 14
Managing Secure Shell, Administrative Accounts, and Console Access 15
Set Boot Loader Authentication 19
Single-User or Maintenance Mode Authentication 20
Monitor Minimal Necessary User Accounts 20
Monitor Minimal Necessary Groups 20
Reseing the vRealize Operations Manager Administrator Password (Linux) 21
Congure NTP on VMware Appliances 22
Disable the TCP Timestamp Response on Linux 22
Enable FIPS 140-2 Mode 22
TLS for Data in Transit 23
Application Resources That Must be Protected 26
Congure PostgreSQL Client Authentication 27
Apache Conguration 28
Disable Conguration Modes 29
Managing Nonessential Software Components 29
Windows Installed Deployment 32
Linux Installed Deployment 34
Endpoint Operations Management Agent 36
Additional Secure Conguration Activities 41
VMware, Inc.
Network Security and Secure Communication 43
4
Conguring Network Seings for Virtual Application Installation 43
Conguring Ports and Protocols 51
Auditing and Logging on your vRealize Operations Manager System 53
5
Securing the Remote Logging Server 53
Use an Authorized NTP Server 53
Client Browser Considerations 53
3
Secure Configuration
Index 55
4 VMware, Inc.

Secure Configuration

The documentation for Secure Conguration is intended to serve as a secure baseline for the deployment of vRealize Operations Manager. Refer to this document when you are using system-monitoring tools to ensure that the secure baseline conguration is monitored and maintained for any unexpected changes on an ongoing basis.
Hardening activities that are not already set by default can be carried out manually.
Intended Audience
This information is intended for administrators of vRealize Operations Manager.
VMware Technical Publications Glossary
VMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For denitions of terms as they are used in VMware technical documentation, go to
hp://www.vmware.com/support/pubs.
VMware, Inc.
5
Secure Configuration
6 VMware, Inc.
vRealize Operations Manager
Security Posture 1
The security posture of vRealize Operations Manager assumes a complete secure environment based on system and network conguration, organizational security policies, and best practices. It is important that you perform the hardening activities according to your organization's security policies and best practices.
The document is broken down into the following sections:
Secure Deployment
n
Secure Conguration
n
Network Security
n
Communication
n
The guide details the installation of the Virtual Application. However, the following deployment types are also discussed:
“Linux Installed Deployment,” on page 34
n
“Windows Installed Deployment,” on page 32
n
To ensure that your system is securely hardened, review the recommendations and assess them against your organization's security policies and risk exposure.
VMware, Inc.
7
Secure Configuration
8 VMware, Inc.
Secure Deployment of
vRealize Operations Manager 2
You must verify the integrity of the installation media before you install the product to ensure authenticity of the downloaded les.
This chapter includes the following topics:
“Verify the Integrity of Installation Media,” on page 9
n
“Hardening the Deployed Software Infrastructure,” on page 9
n
“Reviewing Installed and Unsupported Software,” on page 10
n
“VMware Security Advisories and Patches,” on page 11
n

Verify the Integrity of Installation Media

After you download the media, use the MD5/SHA1 sum value to verify the integrity of the download. Always verify the SHA1 hash after you download an ISO, oine bundle, or patch to ensure the integrity and authenticity of the downloaded les. If you obtain physical media from VMware and the security seal is broken, return the software to VMware for a replacement.
Procedure
Compare the MD5/SHA1 hash output with the value posted on the VMware Web site.
u
SHA1 or MD5 hash should match.
N The vRealize Operations Manager 6.x-x.pak les are signed by the VMware software publishing certicate. vRealize Operations Manager validates the signature of the PAK le before installation.

Hardening the Deployed Software Infrastructure

As part of your hardening process, you must harden the deployed software infrastructure that supports your VMware system.
Before you harden your VMware system, review and address security deciencies in your supporting software infrastructure to create a completely hardened and secure environment. Software infrastructure elements to consider include operating system components, supporting software, and database software. Address security concerns in these and other components according to the manufacturer's recommendations and other relevant security protocols.
VMware, Inc.
9
Secure Configuration

Hardening the VMware vSphere Environment

vRealize Operations Manager relies on a secure VMware vSphere environment to achieve the greatest benets and a secured infrastructure.
Assess the VMware vSphere environment and verify that the appropriate level of vSphere hardening guidance is enforced and maintained.
For more guidance about hardening, see hp://www.vmware.com/security/hardening-guides.html.
Hardening for Linux Installation
Review the recommendations set out in the appropriate Linux hardening and secure best practice guidelines, and ensure that your Linux hosts are appropriately hardened. If you do not follow the hardening recommendations, the system might be exposed to known security vulnerabilities from insecure components on Linux releases.
vRealize Operations Manager is supported for installation on Red Hat Enterprise Linux (RHEL) 6, starting with version 6.5.
Hardening for Windows Installation
Review the recommendations set out in the appropriate Windows hardening and secure best practice guidelines, and ensure that your Windows Server host is appropriately hardened. If you do not follow the hardening recommendations, the system might be exposed to known security vulnerabilities from insecure components on Windows releases.
Contact your Microsoft vendor for hardening practices of Microsoft products.

Reviewing Installed and Unsupported Software

Vulnerabilities in unused software might increase the risk of unauthorized system access and disruption of availability. Review the software that is installed on VMware host machines and evaluate its use.
Do not install software that is not required for the secure operation of the system on any of the vRealize Operations Manager node hosts. Uninstall unused or nonessential software.
Installing unsupported, untested, or unapproved software on infrastructure products such as vRealize Operations Manager is a threat to the infrastructure.
To minimize the threat to the infrastructure, do not install or use any third-party software that is not supported by VMware on VMware supplied hosts.
Assess your vRealize Operations Manager deployment and inventory of installed products to verify that no unsupported software is installed.
For more information about the support policies for third-party products, see the VMware support at
hps://www.vmware.com/support/policies/thirdparty.html.

Verify Third-Party Software

Do not use third-party software that VMware does not support. Verify that all third-party software is securely congured and patched in accordance with third-party vendor guidance.
Inauthentic, insecure, or unpatched vulnerabilities of third-party software installed on VMware host machines might put the system at risk of unauthorized access and disruption of availability. All software that VMware does not supply must be appropriately secured and patched.
If you must use third-party software that VMware does not support, consult the third-party vendor for secure conguration and patching requirements.
10 VMware, Inc.

VMware Security Advisories and Patches

VMware occasionally releases security advisories for products. Being aware of these advisories can ensure that you have the safest underlying product and that the product is not vulnerable to known threats.
Assess the vRealize Operations Manager installation, patching, and upgrade history and verify that the released VMware Security Advisories are followed and enforced.
It is recommended that you always remain on the most recent vRealize Operations Manager release, as this will include the most recent security xes also.
For more information about the current VMware security advisories, see
hp://www.vmware.com/security/advisories/.
Chapter 2 Secure Deployment of vRealize Operations Manager
VMware, Inc. 11
Secure Configuration
12 VMware, Inc.
Secure Configuration of
vRealize Operations Manager 3
As a security best practice, you must secure the vRealize Operations Manager console and manage Secure Shell (SSH), administrative accounts, and console access. Ensure that your system is deployed with secure transmission channels.
You must also follow certain security best practices for running Endpoint Operations Management agents.
This chapter includes the following topics:
“Secure the vRealize Operations Manager Console,” on page 14
n
“Change the Root Password,” on page 14
n
“Managing Secure Shell, Administrative Accounts, and Console Access,” on page 15
n
“Set Boot Loader Authentication,” on page 19
n
“Single-User or Maintenance Mode Authentication,” on page 20
n
“Monitor Minimal Necessary User Accounts,” on page 20
n
“Monitor Minimal Necessary Groups,” on page 20
n
“Reseing the vRealize Operations Manager Administrator Password (Linux),” on page 21
n
“Congure NTP on VMware Appliances,” on page 22
n
“Disable the TCP Timestamp Response on Linux,” on page 22
n
“Enable FIPS 140-2 Mode,” on page 22
n
“TLS for Data in Transit,” on page 23
n
“Application Resources That Must be Protected,” on page 26
n
“Congure PostgreSQL Client Authentication,” on page 27
n
“Apache Conguration,” on page 28
n
“Disable Conguration Modes,” on page 29
n
“Managing Nonessential Software Components,” on page 29
n
“Windows Installed Deployment,” on page 32
n
“Linux Installed Deployment,” on page 34
n
“Endpoint Operations Management Agent,” on page 36
n
“Additional Secure Conguration Activities,” on page 41
n
VMware, Inc.
13
Secure Configuration

Secure the vRealize Operations Manager Console

After you install vRealize Operations Manager, you must log in for the rst time and secure the console of each node in the cluster.
Prerequisites
Install vRealize Operations Manager.
Procedure
1 Locate the node console in vCenter or by direct access.
In vCenter, press Alt+F1 to access the login prompt. For security reasons, vRealize Operations Manager remote terminal sessions are disabled by default.
2 Log in as root.
vRealize Operations Manager does not allow you to access the command prompt until you create a root password.
3 At the password prompt, press Enter.
4 At the old password prompt, press Enter.
5 At the prompt for a new password, enter the root password that you want and note it for future
reference.
6 Reenter the root password.
7 Log out of the console.

Change the Root Password

You can change the root password for any vRealize Operations Manager master or data node at any time by using the console.
The root user bypasses the pam_cracklib module password complexity check, which is found in
etc/pam.d/common-password. All hardened appliances enable enforce_for_root for the pw_history module,
found in the etc/pam.d/common-password le. The system remembers the last ve passwords by default. Old passwords are stored for each user in the /etc/security/opasswd le.
Prerequisites
Verify that the root password for the appliance meets your organization’s corporate password complexity requirements. If the account password starts with $6$, it uses a sha512 hash. This is the standard hash for all hardened appliances.
Procedure
1 Run the # passwd command at the root shell of the appliance.
2 To verify the hash of the root password, log in as root and run the # more /etc/shadow command.
The hash information appears.
3 If the root password does not contain a sha512 hash, run the passwd command to change it.
14 VMware, Inc.
Chapter 3 Secure Configuration of vRealize Operations Manager

Manage Password Expiry

Congure all account password expirations in accordance with your organization's security policies.
By default, all hardened VMware appliances use a 60-day password expiry. On most hardened appliances, the root account is set to a 365-day password expiry. As a best practice, verify that the expiry on all accounts meets security and operation requirements standards.
If the root password expires, you cannot reinstate it. You must implement site-specic policies to prevent administrative and root passwords from expiring.
Procedure
1 Log in to your virtual appliance machines as root and run the # more /etc/shadow command to verify
the password expiry on all accounts.
2 To modify the expiry of the root account, run the # passwd -x 365 root command.
In this command, 365 species the number of days until password expiry. Use the same command to modify any user, substituting the specic account for root and replacing the number of days to meet the expiry standards of the organization.
By default, the root password is set for 365 days.

Managing Secure Shell, Administrative Accounts, and Console Access

For remote connections, all hardened appliances include the Secure Shell (SSH) protocol. SSH is disabled by default on the hardened appliance.
SSH is an interactive command-line environment that supports remote connections to a vRealize Operations Manager node. SSH requires high-privileged user account credentials. SSH activities generally bypass the role-based access control (RBAC) and audit controls of the vRealize Operations Manager node.
As a best practice, disable SSH in a production environment and enable it only to diagnose or troubleshoot problems that you cannot resolve by other means. Leave it enabled only while needed for a specic purpose and in accordance with your organization's security policies. If you enable SSH, ensure that it is protected against aack and that you enable it only for as long as required. Depending on your vSphere conguration, you can enable or disable SSH when you deploy your Open Virtualization Format (OVF) template.
As a simple test to determine whether SSH is enabled on a machine, try to open a connection by using SSH. If the connection opens and requests credentials, then SSH is enabled and is available for making connections.
Secure Shell Root User
Because VMware appliances do not include precongured default user accounts, the root account can use SSH to directly log in by default. Disable SSH as root as soon as possible.
To meet the compliance standards for nonrepudiation, the SSH server on all hardened appliances is precongured with the AllowGroups wheel entry to restrict SSH access to the secondary group wheel. For separation of duties, you can modify the AllowGroups wheel entry in the /etc/ssh/sshd_config le to use another group such as sshd.
The wheel group is enabled with the pam_wheel module for superuser access, so members of the wheel group can use the su-root command, where the root password is required. Group separation enables users to use SSH to the appliance, but not to use the su command to log in as root. Do not remove or modify other entries in the AllowGroups eld, which ensures proper appliance function. After making a change, restart the SSH daemon by running the # service sshd restart command.
VMware, Inc. 15
Secure Configuration

Enable or Disable Secure Shell on a vRealize Operations Manager node

You can enable Secure Shell (SSH) on a vRealize Operations Manager node for troubleshooting. For example, to troubleshoot a server, you might require console access to the server. This is through SSH. Disable SSH on a vRealize Operations Manager node for normal operation.
Procedure
1 Access the console of the vRealize Operations Manager node from vCenter.
2 Press Alt + F1 to access the login prompt then log in.
3 Run the #chkconfig command.
4 If the sshd service is o, run the #chkconfig sshd on command.
5 Run the #service sshd start command to start the sshd service.
6 Run the #service sshd stop command to stop the sshd service.

Create a Local Administrative Account for Secure Shell

You must create local administrative accounts that can be used as Secure Shell (SSH) and that are members of the secondary wheel group, or both before you remove the root SSH access.
Before you disable direct root access, test that authorized administrators can access SSH by using
AllowGroups, and that they can use the wheel group and the su command to log in as root.
Procedure
1 Log in as root and run the following commands.
# useradd -d /home/vropsuser -g users -G wheel –m
# passwd username
Wheel is the group specied in AllowGroups for SSH access. To add multiple secondary groups, use -G
wheel,sshd.
2 Switch to the user and provide a new password to ensure password complexity checking.
# su – username
username@hostname:~>passwd
If the password complexity is met, the password updates. If the password complexity is not met, the password reverts to the original password, and you must rerun the password command.
After you create the login accounts to allow SSH remote access and use the su command to log in as root using the wheel access, you can remove the root account from the SSH direct login.
3 To remove direct login to SSH, modify the /etc/ssh/sshd_config le by replacing (#)PermitRootLogin
yes with PermitRootLogin no.
What to do next
Disable direct logins as root. By default, the hardened appliances allow direct login to root through the console. After you create administrative accounts for nonrepudiation and test them for wheel access (su-
root), disable direct root logins by editing the /etc/securetty le as root and replacing the tty1 entry with console.
16 VMware, Inc.
Chapter 3 Secure Configuration of vRealize Operations Manager

Restrict Secure Shell Access

As part of your system hardening process, restrict Secure Shell (SSH) access by conguring the tcp_wrappers package appropriately on all VMware virtual appliance host machines. Also maintain required SSH key le permissions on these appliances.
All VMware virtual appliances include the tcp_wrappers package to allow tcp-supported daemons to control the network subnets that can access the libwrapped daemons. By default, the /etc/hosts.allow le contains a generic entry, sshd: ALL : ALLOW, that allows all access to the secure shell. Restrict this access as appropriate for your organization.
Procedure
1 Open the /etc/hosts.allow le on your virtual appliance host machine in a text editor.
2 Change the generic entry in your production environment to include only the local host entries and the
management network subnet for secure operations.
sshd:127.0.0.1 : ALLOW
sshd: [::1] : ALLOW
sshd: 10.0.0.0 :ALLOW
In this example, all local host connections and connections that the clients make on the 10.0.0.0 subnet are allowed.
3 Add all appropriate machine identication, for example, host name, IP address, fully qualied domain
name (FQDN), and loopback.
4 Save the le and close it.

Maintain Secure Shell Key File Permissions

To maintain an appropriate level of security, congure Secure Shell (SSH) key le permissions.
Procedure
1 View the public host key les, located in /etc/ssh/*key.pub.
2 Verify that these les are owned by root, that the group is owned by root, and that the les have
permissions set to 0644.
The permissions are (-rw-r--r--).
3 Close all les.
4 View the private host key les, located in /etc/ssh/*key.
5 Verify that root owns these les and the group, and that the les have permissions set to 0600.
The permissions are (-rw-------).
6 Close all les.

Harden the Secure Shell Server Configuration

Where possible, the Virtual Application Installation (OVF) has a default hardened conguration. Users can verify that their conguration is appropriately hardened by examining the server and client service in the global options section of the conguration le.
If possible, restrict use of the SSH server to a management subnet in the /etc/hosts.allow le.
VMware, Inc. 17
Secure Configuration
Procedure
1 Open the /etc/ssh/sshd_config server conguration le and verify that the seings are correct.
Setting Status
Server Daemon Protocol Protocol 2
Ciphers Ciphers aes256-ctr,aes128-ctr
TCP Forwarding AllowTCPForwarding no
Server Gateway Ports Gateway Ports no
X11 Forwarding X11Forwarding no
SSH Service Use the AllowGroups eld and specify a group permied to access
GSSAPI Authentication GSSAPIAuthentication no, if unused
Kerberos Authentication KerberosAuthentication no, if unused
Local Variables (AcceptEnv global option)
Tunnel Conguration PermitTunnel no
Network Sessions MaxSessions 1
Strict Mode Checking Strict Modes yes
Privilege Separation UsePrivilegeSeparation yes
rhosts RSA Authentication RhostsRSAAuthentication no
Compression Compression delayed or Compression no
Message Authentication code MACs hmac-sha1
User Access Restriction PermitUserEnvironment no
and add members to the secondary group for users permied to ue the service.
Set to disabled by commenting out or enabled for only LC_*
or LANG variables
2 Save your changes and close the le.

Harden the Secure Shell Client Configuration

As part of your system hardening monitoring process, verify hardening of the SSH client by examining the SSH client conguration le on virtual appliance host machines to ensure that it is congured according to VMware guidelines.
Procedure
1 Open the SSH client conguration le, /etc/ssh/ssh_config, and verify that the seings in the global
options section are correct.
Setting Status
Client Protocol
Client Gateway Ports
GSSAPI Authentication
Local Variables (SendEnv global option)
CBC Ciphers
Message Authentication Codes
2 Save your changes and close the le.
Protocol 2
Gateway Ports no
GSSAPIAuthentication no
Provide only LC_* or LANG variables
Ciphers aes256-ctr,aes128-ctr
Used in the MACs hmac-sha1 entry only
18 VMware, Inc.
Loading...
+ 40 hidden pages