3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
2 VMware, Inc.
Contents
Secure Conguration5
vRealize Operations Manager Security Posture7
1
Secure Deployment of vRealize Operations Manager9
2
Verify the Integrity of Installation Media 9
Hardening the Deployed Software Infrastructure 9
Reviewing Installed and Unsupported Software 10
VMware Security Advisories and Patches 11
Secure Conguration of vRealize Operations Manager13
3
Secure the vRealize Operations Manager Console 14
Change the Root Password 14
Managing Secure Shell, Administrative Accounts, and Console Access 15
Set Boot Loader Authentication 19
Single-User or Maintenance Mode Authentication 20
Monitor Minimal Necessary User Accounts 20
Monitor Minimal Necessary Groups 20
Reseing the vRealize Operations Manager Administrator Password (Linux) 21
Congure NTP on VMware Appliances 22
Disable the TCP Timestamp Response on Linux 22
Enable FIPS 140-2 Mode 22
TLS for Data in Transit 23
Application Resources That Must be Protected 26
Congure PostgreSQL Client Authentication 27
Apache Conguration 28
Disable Conguration Modes 29
Managing Nonessential Software Components 29
Windows Installed Deployment 32
Linux Installed Deployment 34
Endpoint Operations Management Agent 36
Additional Secure Conguration Activities 41
VMware, Inc.
Network Security and Secure Communication43
4
Conguring Network Seings for Virtual Application Installation 43
Conguring Ports and Protocols 51
Auditing and Logging on your vRealize Operations Manager System53
5
Securing the Remote Logging Server 53
Use an Authorized NTP Server 53
Client Browser Considerations 53
3
Secure Configuration
Index55
4 VMware, Inc.
Secure Configuration
The documentation for Secure Conguration is intended to serve as a secure baseline for the deployment of
vRealize Operations Manager. Refer to this document when you are using system-monitoring tools to
ensure that the secure baseline conguration is monitored and maintained for any unexpected changes on
an ongoing basis.
Hardening activities that are not already set by default can be carried out manually.
Intended Audience
This information is intended for administrators of vRealize Operations Manager.
VMware Technical Publications Glossary
VMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For denitions
of terms as they are used in VMware technical documentation, go to
hp://www.vmware.com/support/pubs.
VMware, Inc.
5
Secure Configuration
6 VMware, Inc.
vRealize Operations Manager
Security Posture1
The security posture of vRealize Operations Manager assumes a complete secure environment based on
system and network conguration, organizational security policies, and best practices. It is important that
you perform the hardening activities according to your organization's security policies and best practices.
The document is broken down into the following sections:
Secure Deployment
n
Secure Conguration
n
Network Security
n
Communication
n
The guide details the installation of the Virtual Application. However, the following deployment types are
also discussed:
“Linux Installed Deployment,” on page 34
n
“Windows Installed Deployment,” on page 32
n
To ensure that your system is securely hardened, review the recommendations and assess them against your
organization's security policies and risk exposure.
VMware, Inc.
7
Secure Configuration
8 VMware, Inc.
Secure Deployment of
vRealize Operations Manager2
You must verify the integrity of the installation media before you install the product to ensure authenticity
of the downloaded les.
This chapter includes the following topics:
“Verify the Integrity of Installation Media,” on page 9
n
“Hardening the Deployed Software Infrastructure,” on page 9
n
“Reviewing Installed and Unsupported Software,” on page 10
n
“VMware Security Advisories and Patches,” on page 11
n
Verify the Integrity of Installation Media
After you download the media, use the MD5/SHA1 sum value to verify the integrity of the download.
Always verify the SHA1 hash after you download an ISO, oine bundle, or patch to ensure the integrity
and authenticity of the downloaded les. If you obtain physical media from VMware and the security seal is
broken, return the software to VMware for a replacement.
Procedure
Compare the MD5/SHA1 hash output with the value posted on the VMware Web site.
u
SHA1 or MD5 hash should match.
N The vRealize Operations Manager 6.x-x.pakles are signed by the VMware software
publishing certicate. vRealize Operations Manager validates the signature of the PAK le before
installation.
Hardening the Deployed Software Infrastructure
As part of your hardening process, you must harden the deployed software infrastructure that supports
your VMware system.
Before you harden your VMware system, review and address security deciencies in your supporting
software infrastructure to create a completely hardened and secure environment. Software infrastructure
elements to consider include operating system components, supporting software, and database software.
Address security concerns in these and other components according to the manufacturer's
recommendations and other relevant security protocols.
VMware, Inc.
9
Secure Configuration
Hardening the VMware vSphere Environment
vRealize Operations Manager relies on a secure VMware vSphere environment to achieve the greatest
benets and a secured infrastructure.
Assess the VMware vSphere environment and verify that the appropriate level of vSphere hardening
guidance is enforced and maintained.
For more guidance about hardening, see hp://www.vmware.com/security/hardening-guides.html.
Hardening for Linux Installation
Review the recommendations set out in the appropriate Linux hardening and secure best practice
guidelines, and ensure that your Linux hosts are appropriately hardened. If you do not follow the hardening
recommendations, the system might be exposed to known security vulnerabilities from insecure
components on Linux releases.
vRealize Operations Manager is supported for installation on Red Hat Enterprise Linux (RHEL) 6, starting
with version 6.5.
Hardening for Windows Installation
Review the recommendations set out in the appropriate Windows hardening and secure best practice
guidelines, and ensure that your Windows Server host is appropriately hardened. If you do not follow the
hardening recommendations, the system might be exposed to known security vulnerabilities from insecure
components on Windows releases.
Contact your Microsoft vendor for hardening practices of Microsoft products.
Reviewing Installed and Unsupported Software
Vulnerabilities in unused software might increase the risk of unauthorized system access and disruption of
availability. Review the software that is installed on VMware host machines and evaluate its use.
Do not install software that is not required for the secure operation of the system on any of the
vRealize Operations Manager node hosts. Uninstall unused or nonessential software.
Installing unsupported, untested, or unapproved software on infrastructure products such as
vRealize Operations Manager is a threat to the infrastructure.
To minimize the threat to the infrastructure, do not install or use any third-party software that is not
supported by VMware on VMware supplied hosts.
Assess your vRealize Operations Manager deployment and inventory of installed products to verify that no
unsupported software is installed.
For more information about the support policies for third-party products, see the VMware support at
Do not use third-party software that VMware does not support. Verify that all third-party software is
securely congured and patched in accordance with third-party vendor guidance.
Inauthentic, insecure, or unpatched vulnerabilities of third-party software installed on VMware host
machines might put the system at risk of unauthorized access and disruption of availability. All software
that VMware does not supply must be appropriately secured and patched.
If you must use third-party software that VMware does not support, consult the third-party vendor for
secure conguration and patching requirements.
10 VMware, Inc.
VMware Security Advisories and Patches
VMware occasionally releases security advisories for products. Being aware of these advisories can ensure
that you have the safest underlying product and that the product is not vulnerable to known threats.
Assess the vRealize Operations Manager installation, patching, and upgrade history and verify that the
released VMware Security Advisories are followed and enforced.
It is recommended that you always remain on the most recent vRealize Operations Manager release, as this
will include the most recent security xes also.
For more information about the current VMware security advisories, see
hp://www.vmware.com/security/advisories/.
Chapter 2 Secure Deployment of vRealize Operations Manager
VMware, Inc. 11
Secure Configuration
12 VMware, Inc.
Secure Configuration of
vRealize Operations Manager3
As a security best practice, you must secure the vRealize Operations Manager console and manage Secure
Shell (SSH), administrative accounts, and console access. Ensure that your system is deployed with secure
transmission channels.
You must also follow certain security best practices for running Endpoint Operations Management agents.
This chapter includes the following topics:
“Secure the vRealize Operations Manager Console,” on page 14
n
“Change the Root Password,” on page 14
n
“Managing Secure Shell, Administrative Accounts, and Console Access,” on page 15
n
“Set Boot Loader Authentication,” on page 19
n
“Single-User or Maintenance Mode Authentication,” on page 20
n
“Monitor Minimal Necessary User Accounts,” on page 20
n
“Monitor Minimal Necessary Groups,” on page 20
n
“Reseing the vRealize Operations Manager Administrator Password (Linux),” on page 21
n
“Congure NTP on VMware Appliances,” on page 22
n
“Disable the TCP Timestamp Response on Linux,” on page 22
n
“Enable FIPS 140-2 Mode,” on page 22
n
“TLS for Data in Transit,” on page 23
n
“Application Resources That Must be Protected,” on page 26
n
“Congure PostgreSQL Client Authentication,” on page 27
n
“Apache Conguration,” on page 28
n
“Disable Conguration Modes,” on page 29
n
“Managing Nonessential Software Components,” on page 29
n
“Windows Installed Deployment,” on page 32
n
“Linux Installed Deployment,” on page 34
n
“Endpoint Operations Management Agent,” on page 36
n
“Additional Secure Conguration Activities,” on page 41
n
VMware, Inc.
13
Secure Configuration
Secure the vRealize Operations Manager Console
After you install vRealize Operations Manager, you must log in for the rst time and secure the console of
each node in the cluster.
Prerequisites
Install vRealize Operations Manager.
Procedure
1Locate the node console in vCenter or by direct access.
In vCenter, press Alt+F1 to access the login prompt. For security reasons, vRealize Operations Manager
remote terminal sessions are disabled by default.
2Log in as root.
vRealize Operations Manager does not allow you to access the command prompt until you create a root
password.
3At the password prompt, press Enter.
4At the old password prompt, press Enter.
5At the prompt for a new password, enter the root password that you want and note it for future
reference.
6Reenter the root password.
7Log out of the console.
Change the Root Password
You can change the root password for any vRealize Operations Manager master or data node at any time by
using the console.
The root user bypasses the pam_cracklib module password complexity check, which is found in
etc/pam.d/common-password. All hardened appliances enable enforce_for_root for the pw_history module,
found in the etc/pam.d/common-passwordle. The system remembers the last ve passwords by default. Old
passwords are stored for each user in the /etc/security/opasswdle.
Prerequisites
Verify that the root password for the appliance meets your organization’s corporate password complexity
requirements. If the account password starts with $6$, it uses a sha512 hash. This is the standard hash for all
hardened appliances.
Procedure
1Run the # passwd command at the root shell of the appliance.
2To verify the hash of the root password, log in as root and run the # more /etc/shadow command.
The hash information appears.
3If the root password does not contain a sha512 hash, run the passwd command to change it.
14 VMware, Inc.
Chapter 3 Secure Configuration of vRealize Operations Manager
Manage Password Expiry
Congure all account password expirations in accordance with your organization's security policies.
By default, all hardened VMware appliances use a 60-day password expiry. On most hardened appliances,
the root account is set to a 365-day password expiry. As a best practice, verify that the expiry on all accounts
meets security and operation requirements standards.
If the root password expires, you cannot reinstate it. You must implement site-specic policies to prevent
administrative and root passwords from expiring.
Procedure
1Log in to your virtual appliance machines as root and run the # more /etc/shadow command to verify
the password expiry on all accounts.
2To modify the expiry of the root account, run the # passwd -x 365 root command.
In this command, 365 species the number of days until password expiry. Use the same command to
modify any user, substituting the specic account for root and replacing the number of days to meet
the expiry standards of the organization.
By default, the root password is set for 365 days.
Managing Secure Shell, Administrative Accounts, and Console
Access
For remote connections, all hardened appliances include the Secure Shell (SSH) protocol. SSH is disabled by
default on the hardened appliance.
SSH is an interactive command-line environment that supports remote connections to a
vRealize Operations Manager node. SSH requires high-privileged user account credentials. SSH activities
generally bypass the role-based access control (RBAC) and audit controls of the
vRealize Operations Manager node.
As a best practice, disable SSH in a production environment and enable it only to diagnose or troubleshoot
problems that you cannot resolve by other means. Leave it enabled only while needed for a specic purpose
and in accordance with your organization's security policies. If you enable SSH, ensure that it is protected
against aack and that you enable it only for as long as required. Depending on your vSphere conguration,
you can enable or disable SSH when you deploy your Open Virtualization Format (OVF) template.
As a simple test to determine whether SSH is enabled on a machine, try to open a connection by using SSH.
If the connection opens and requests credentials, then SSH is enabled and is available for making
connections.
Secure Shell Root User
Because VMware appliances do not include precongured default user accounts, the root account can use
SSH to directly log in by default. Disable SSH as root as soon as possible.
To meet the compliance standards for nonrepudiation, the SSH server on all hardened appliances is
precongured with the AllowGroups wheel entry to restrict SSH access to the secondary group wheel. For
separation of duties, you can modify the AllowGroups wheel entry in the /etc/ssh/sshd_configle to use
another group such as sshd.
The wheel group is enabled with the pam_wheel module for superuser access, so members of the wheel
group can use the su-root command, where the root password is required. Group separation enables users
to use SSH to the appliance, but not to use the su command to log in as root. Do not remove or modify other
entries in the AllowGroups eld, which ensures proper appliance function. After making a change, restart
the SSH daemon by running the # service sshd restart command.
VMware, Inc. 15
Secure Configuration
Enable or Disable Secure Shell on a vRealize Operations Manager node
You can enable Secure Shell (SSH) on a vRealize Operations Manager node for troubleshooting. For
example, to troubleshoot a server, you might require console access to the server. This is through SSH.
Disable SSH on a vRealize Operations Manager node for normal operation.
Procedure
1Access the console of the vRealize Operations Manager node from vCenter.
2Press Alt + F1 to access the login prompt then log in.
3Run the #chkconfig command.
4If the sshd service is o, run the #chkconfig sshd on command.
5Run the #service sshd start command to start the sshd service.
6Run the #service sshd stop command to stop the sshd service.
Create a Local Administrative Account for Secure Shell
You must create local administrative accounts that can be used as Secure Shell (SSH) and that are members
of the secondary wheel group, or both before you remove the root SSH access.
Before you disable direct root access, test that authorized administrators can access SSH by using
AllowGroups, and that they can use the wheel group and the su command to log in as root.
Procedure
1Log in as root and run the following commands.
# useradd -d /home/vropsuser -g users -G wheel –m
# passwd username
Wheel is the group specied in AllowGroups for SSH access. To add multiple secondary groups, use -G
wheel,sshd.
2Switch to the user and provide a new password to ensure password complexity checking.
# su – username
username@hostname:~>passwd
If the password complexity is met, the password updates. If the password complexity is not met, the
password reverts to the original password, and you must rerun the password command.
After you create the login accounts to allow SSH remote access and use the su command to log in as
root using the wheel access, you can remove the root account from the SSH direct login.
3To remove direct login to SSH, modify the /etc/ssh/sshd_configle by replacing (#)PermitRootLogin
yes with PermitRootLogin no.
What to do next
Disable direct logins as root. By default, the hardened appliances allow direct login to root through the
console. After you create administrative accounts for nonrepudiation and test them for wheel access (su-
root), disable direct root logins by editing the /etc/securetty le as root and replacing the tty1 entry with
console.
16 VMware, Inc.
Chapter 3 Secure Configuration of vRealize Operations Manager
Restrict Secure Shell Access
As part of your system hardening process, restrict Secure Shell (SSH) access by conguring the
tcp_wrappers package appropriately on all VMware virtual appliance host machines. Also maintain
required SSH key le permissions on these appliances.
All VMware virtual appliances include the tcp_wrappers package to allow tcp-supported daemons to
control the network subnets that can access the libwrapped daemons. By default, the /etc/hosts.allowle
contains a generic entry, sshd: ALL : ALLOW, that allows all access to the secure shell. Restrict this access as
appropriate for your organization.
Procedure
1Open the /etc/hosts.allowle on your virtual appliance host machine in a text editor.
2Change the generic entry in your production environment to include only the local host entries and the
management network subnet for secure operations.
sshd:127.0.0.1 : ALLOW
sshd: [::1] : ALLOW
sshd: 10.0.0.0 :ALLOW
In this example, all local host connections and connections that the clients make on the 10.0.0.0 subnet
are allowed.
3Add all appropriate machine identication, for example, host name, IP address, fully qualied domain
name (FQDN), and loopback.
4Save the le and close it.
Maintain Secure Shell Key File Permissions
To maintain an appropriate level of security, congure Secure Shell (SSH) key le permissions.
Procedure
1View the public host key les, located in /etc/ssh/*key.pub.
2Verify that these les are owned by root, that the group is owned by root, and that the les have
permissions set to 0644.
The permissions are (-rw-r--r--).
3Close all les.
4View the private host key les, located in /etc/ssh/*key.
5Verify that root owns these les and the group, and that the les have permissions set to 0600.
The permissions are (-rw-------).
6Close all les.
Harden the Secure Shell Server Configuration
Where possible, the Virtual Application Installation (OVF) has a default hardened conguration. Users can
verify that their conguration is appropriately hardened by examining the server and client service in the
global options section of the congurationle.
If possible, restrict use of the SSH server to a management subnet in the /etc/hosts.allowle.
VMware, Inc. 17
Secure Configuration
Procedure
1Open the /etc/ssh/sshd_config server congurationle and verify that the seings are correct.
SettingStatus
Server Daemon ProtocolProtocol 2
CiphersCiphers aes256-ctr,aes128-ctr
TCP ForwardingAllowTCPForwarding no
Server Gateway PortsGateway Ports no
X11 ForwardingX11Forwarding no
SSH ServiceUse the AllowGroups eld and specify a group permied to access
GSSAPI AuthenticationGSSAPIAuthentication no, if unused
Kerberos AuthenticationKerberosAuthentication no, if unused
Local Variables (AcceptEnv global option)
Tunnel CongurationPermitTunnel no
Network SessionsMaxSessions 1
Strict Mode CheckingStrict Modes yes
Privilege SeparationUsePrivilegeSeparation yes
rhosts RSA AuthenticationRhostsRSAAuthentication no
CompressionCompression delayed or Compression no
Message Authentication codeMACs hmac-sha1
User Access RestrictionPermitUserEnvironment no
and add members to the secondary group for users permied to ue
the service.
Set to disabled by commenting out or enabled for only LC_*
or LANG variables
2Save your changes and close the le.
Harden the Secure Shell Client Configuration
As part of your system hardening monitoring process, verify hardening of the SSH client by examining the
SSH client congurationle on virtual appliance host machines to ensure that it is congured according to
VMware guidelines.
Procedure
1Open the SSH client congurationle,/etc/ssh/ssh_config, and verify that the seings in the global
options section are correct.
SettingStatus
Client Protocol
Client Gateway Ports
GSSAPI Authentication
Local Variables (SendEnv global
option)
CBC Ciphers
Message Authentication Codes
2Save your changes and close the le.
Protocol 2
Gateway Ports no
GSSAPIAuthentication no
Provide only LC_* or LANG variables
Ciphers aes256-ctr,aes128-ctr
Used in the MACs hmac-sha1 entry only
18 VMware, Inc.
Loading...
+ 40 hidden pages
You need points to download manuals.
1 point = 1 manual.
You can buy points or you can get point for every manual you upload.