VMware vRealize Operations Manager - 6.6 User Manual
Secure Configuration
vRealize Operations Manager 6.6
Secure Configuration
You can find the most up-to-date technical documentation on the VMware Web site at:
hps://docs.vmware.com/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com
Copyright © 2017 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
2 VMware, Inc.
Contents
Secure Conguration 5
vRealize Operations Manager Security Posture 7
1
Secure Deployment of vRealize Operations Manager 9
2
Verify the Integrity of Installation Media 9
Hardening the Deployed Software Infrastructure 9
Reviewing Installed and Unsupported Software 10
VMware Security Advisories and Patches 10
Secure Conguration of vRealize Operations Manager 11
3
Secure the vRealize Operations Manager Console 12
Change the Root Password 12
Managing Secure Shell, Administrative Accounts, and Console Access 13
Set Boot Loader Authentication 17
Single-User or Maintenance Mode Authentication 18
Monitor Minimal Necessary User Accounts 18
Monitor Minimal Necessary Groups 18
Reseing the vRealize Operations Manager Administrator Password (Linux) 19
Congure NTP on VMware Appliances 20
Disable the TCP Timestamp Response on Linux 20
Enable FIPS 140-2 Mode 20
TLS for Data in Transit 21
Enabling TLS on Localhost Connections 24
Application Resources That Must be Protected 25
Congure PostgreSQL Client Authentication 26
Apache Conguration 27
Disable Conguration Modes 28
Managing Nonessential Software Components 28
End Point Operations Management Agent 31
Additional Secure Conguration Activities 37
VMware, Inc.
Network Security and Secure Communication 39
4
Conguring Network Seings for Virtual Application Installation 39
Conguring Ports and Protocols 47
Auditing and Logging on your vRealize Operations Manager System 49
5
Securing the Remote Logging Server 49
Use an Authorized NTP Server 49
Client Browser Considerations 49
3
Secure Configuration
Index 51
4 VMware, Inc.
Secure Configuration
The documentation for Secure Conguration is intended to serve as a secure baseline for the deployment of
vRealize Operations Manager. Refer to this document when you are using system-monitoring tools to
ensure that the secure baseline conguration is monitored and maintained for any unexpected changes on
an ongoing basis.
Hardening activities that are not already set by default can be carried out manually.
Intended Audience
This information is intended for administrators of vRealize Operations Manager.
VMware Technical Publications Glossary
VMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For denitions
of terms as they are used in VMware technical documentation, go to
hp://www.vmware.com/support/pubs.
VMware, Inc.
5
Secure Configuration
6 VMware, Inc.
vRealize Operations Manager
Security Posture 1
The security posture of vRealize Operations Manager assumes a complete secure environment based on
system and network conguration, organizational security policies, and best practices. It is important that
you perform the hardening activities according to your organization's security policies and best practices.
The document is broken down into the following sections:
Secure Deployment
n
Secure Conguration
n
Network Security
n
Communication
n
The guide details the installation of the Virtual Application.
To ensure that your system is securely hardened, review the recommendations and assess them against your
organization's security policies and risk exposure.
VMware, Inc.
7
Secure Configuration
8 VMware, Inc.
Secure Deployment of
vRealize Operations Manager 2
You must verify the integrity of the installation media before you install the product to ensure authenticity
of the downloaded les.
This chapter includes the following topics:
“Verify the Integrity of Installation Media,” on page 9
n
“Hardening the Deployed Software Infrastructure,” on page 9
n
“Reviewing Installed and Unsupported Software,” on page 10
n
“VMware Security Advisories and Patches,” on page 10
n
Verify the Integrity of Installation Media
After you download the media, use the MD5/SHA1 sum value to verify the integrity of the download.
Always verify the SHA1 hash after you download an ISO, oine bundle, or patch to ensure the integrity
and authenticity of the downloaded les. If you obtain physical media from VMware and the security seal is
broken, return the software to VMware for a replacement.
Procedure
Compare the MD5/SHA1 hash output with the value posted on the VMware Web site.
u
SHA1 or MD5 hash should match.
N The vRealize Operations Manager 6.x-x.pak les are signed by the VMware software
publishing certicate. vRealize Operations Manager validates the signature of the PAK le before
installation.
Hardening the Deployed Software Infrastructure
As part of your hardening process, you must harden the deployed software infrastructure that supports
your VMware system.
Before you harden your VMware system, review and address security deciencies in your supporting
software infrastructure to create a completely hardened and secure environment. Software infrastructure
elements to consider include operating system components, supporting software, and database software.
Address security concerns in these and other components according to the manufacturer's
recommendations and other relevant security protocols.
VMware, Inc.
9
Secure Configuration
Hardening the VMware vSphere Environment
vRealize Operations Manager relies on a secure VMware vSphere environment to achieve the greatest
benets and a secured infrastructure.
Assess the VMware vSphere environment and verify that the appropriate level of vSphere hardening
guidance is enforced and maintained.
For more guidance about hardening, see hp://www.vmware.com/security/hardening-guides.html.
Reviewing Installed and Unsupported Software
Vulnerabilities in unused software might increase the risk of unauthorized system access and disruption of
availability. Review the software that is installed on VMware host machines and evaluate its use.
Do not install software that is not required for the secure operation of the system on any of the
vRealize Operations Manager node hosts. Uninstall unused or nonessential software.
Installing unsupported, untested, or unapproved software on infrastructure products such as
vRealize Operations Manager is a threat to the infrastructure.
To minimize the threat to the infrastructure, do not install or use any third-party software that is not
supported by VMware on VMware supplied hosts.
Assess your vRealize Operations Manager deployment and inventory of installed products to verify that no
unsupported software is installed.
For more information about the support policies for third-party products, see the VMware support at
hp://www.vmware.com/security/hardening-guides.html.
Verify Third-Party Software
Do not use third-party software that VMware does not support. Verify that all third-party software is
securely congured and patched in accordance with third-party vendor guidance.
Inauthentic, insecure, or unpatched vulnerabilities of third-party software installed on VMware host
machines might put the system at risk of unauthorized access and disruption of availability. All software
that VMware does not supply must be appropriately secured and patched.
If you must use third-party software that VMware does not support, consult the third-party vendor for
secure conguration and patching requirements.
VMware Security Advisories and Patches
VMware occasionally releases security advisories for products. Being aware of these advisories can ensure
that you have the safest underlying product and that the product is not vulnerable to known threats.
Assess the vRealize Operations Manager installation, patching, and upgrade history and verify that the
released VMware Security Advisories are followed and enforced.
It is recommended that you always remain on the most recent vRealize Operations Manager release, as this
will include the most recent security xes also.
For more information about the current VMware security advisories, see
hp://www.vmware.com/security/advisories/.
10 VMware, Inc.
Secure Configuration of
vRealize Operations Manager 3
As a security best practice, you must secure the vRealize Operations Manager console and manage Secure
Shell (SSH), administrative accounts, and console access. Ensure that your system is deployed with secure
transmission channels.
You must also follow certain security best practices for running End Point Operations Management agents.
This chapter includes the following topics:
“Secure the vRealize Operations Manager Console,” on page 12
n
“Change the Root Password,” on page 12
n
“Managing Secure Shell, Administrative Accounts, and Console Access,” on page 13
n
“Set Boot Loader Authentication,” on page 17
n
“Single-User or Maintenance Mode Authentication,” on page 18
n
“Monitor Minimal Necessary User Accounts,” on page 18
n
“Monitor Minimal Necessary Groups,” on page 18
n
“Reseing the vRealize Operations Manager Administrator Password (Linux),” on page 19
n
“Congure NTP on VMware Appliances,” on page 20
n
“Disable the TCP Timestamp Response on Linux,” on page 20
n
“Enable FIPS 140-2 Mode,” on page 20
n
“TLS for Data in Transit,” on page 21
n
“Enabling TLS on Localhost Connections,” on page 24
n
“Application Resources That Must be Protected,” on page 25
n
“Congure PostgreSQL Client Authentication,” on page 26
n
“Apache Conguration,” on page 27
n
“Disable Conguration Modes,” on page 28
n
“Managing Nonessential Software Components,” on page 28
n
“End Point Operations Management Agent,” on page 31
n
“Additional Secure Conguration Activities,” on page 37
n
VMware, Inc.
11
Secure Configuration
Secure the vRealize Operations Manager Console
After you install vRealize Operations Manager, you must log in for the rst time and secure the console of
each node in the cluster.
Prerequisites
Install vRealize Operations Manager.
Procedure
1 Locate the node console in vCenter or by direct access.
In vCenter, press Alt+F1 to access the login prompt. For security reasons, vRealize Operations Manager
remote terminal sessions are disabled by default.
2 Log in as root.
vRealize Operations Manager does not allow you to access the command prompt until you create a root
password.
3 At the password prompt, press Enter.
4 At the old password prompt, press Enter.
5 At the prompt for a new password, enter the root password that you want and note it for future
reference.
6 Reenter the root password.
7 Log out of the console.
Change the Root Password
You can change the root password for any vRealize Operations Manager master or data node at any time by
using the console.
The root user bypasses the pam_cracklib module password complexity check, which is found in
etc/pam.d/common-password. All hardened appliances enable enforce_for_root for the pw_history module,
found in the etc/pam.d/common-password le. The system remembers the last ve passwords by default. Old
passwords are stored for each user in the /etc/security/opasswd le.
Prerequisites
Verify that the root password for the appliance meets your organization’s corporate password complexity
requirements. If the account password starts with $6$, it uses a sha512 hash. This is the standard hash for all
hardened appliances.
Procedure
1 Run the # passwd command at the root shell of the appliance.
2 To verify the hash of the root password, log in as root and run the # more /etc/shadow command.
The hash information appears.
3 If the root password does not contain a sha512 hash, run the passwd command to change it.
12 VMware, Inc.
Chapter 3 Secure Configuration of vRealize Operations Manager
Manage Password Expiry
Congure all account password expirations in accordance with your organization's security policies.
By default, all hardened VMware appliances use a 60-day password expiry. On most hardened appliances,
the root account is set to a 365-day password expiry. As a best practice, verify that the expiry on all accounts
meets security and operation requirements standards.
If the root password expires, you cannot reinstate it. You must implement site-specic policies to prevent
administrative and root passwords from expiring.
Procedure
1 Log in to your virtual appliance machines as root and run the # more /etc/shadow command to verify
the password expiry on all accounts.
2 To modify the expiry of the root account, run the # passwd -x 365 root command.
In this command, 365 species the number of days until password expiry. Use the same command to
modify any user, substituting the specic account for root and replacing the number of days to meet
the expiry standards of the organization.
By default, the root password is set for 365 days.
Managing Secure Shell, Administrative Accounts, and Console Access
For remote connections, all hardened appliances include the Secure Shell (SSH) protocol. SSH is disabled by
default on the hardened appliance.
SSH is an interactive command-line environment that supports remote connections to a
vRealize Operations Manager node. SSH requires high-privileged user account credentials. SSH activities
generally bypass the role-based access control (RBAC) and audit controls of the
vRealize Operations Manager node.
As a best practice, disable SSH in a production environment and enable it only to diagnose or troubleshoot
problems that you cannot resolve by other means. Leave it enabled only while needed for a specic purpose
and in accordance with your organization's security policies. If you enable SSH, ensure that it is protected
against aack and that you enable it only for as long as required. Depending on your vSphere conguration,
you can enable or disable SSH when you deploy your Open Virtualization Format (OVF) template.
As a simple test to determine whether SSH is enabled on a machine, try to open a connection by using SSH.
If the connection opens and requests credentials, then SSH is enabled and is available for making
connections.
Secure Shell Root User
Because VMware appliances do not include precongured default user accounts, the root account can use
SSH to directly log in by default. Disable SSH as root as soon as possible.
To meet the compliance standards for nonrepudiation, the SSH server on all hardened appliances is
precongured with the AllowGroups wheel entry to restrict SSH access to the secondary group wheel. For
separation of duties, you can modify the AllowGroups wheel entry in the /etc/ssh/sshd_config le to use
another group such as sshd.
The wheel group is enabled with the pam_wheel module for superuser access, so members of the wheel
group can use the su-root command, where the root password is required. Group separation enables users
to use SSH to the appliance, but not to use the su command to log in as root. Do not remove or modify other
entries in the AllowGroups eld, which ensures proper appliance function. After making a change, restart
the SSH daemon by running the # service sshd restart command.
VMware, Inc. 13
Secure Configuration
Enable or Disable Secure Shell on a vRealize Operations Manager node
You can enable Secure Shell (SSH) on a vRealize Operations Manager node for troubleshooting. For
example, to troubleshoot a server, you might require console access to the server. This is through SSH.
Disable SSH on a vRealize Operations Manager node for normal operation.
Procedure
1 Access the console of the vRealize Operations Manager node from vCenter.
2 Press Alt + F1 to access the login prompt then log in.
3 Run the #chkconfig command.
4 If the sshd service is o, run the #chkconfig sshd on command.
5 Run the #service sshd start command to start the sshd service.
6 Run the #service sshd stop command to stop the sshd service.
Create a Local Administrative Account for Secure Shell
You must create local administrative accounts that can be used as Secure Shell (SSH) and that are members
of the secondary wheel group, or both before you remove the root SSH access.
Before you disable direct root access, test that authorized administrators can access SSH by using
AllowGroups, and that they can use the wheel group and the su command to log in as root.
Procedure
1 Log in as root and run the following commands.
# useradd -d /home/vropsuser -g users -G wheel –m
# passwd username
Wheel is the group specied in AllowGroups for SSH access. To add multiple secondary groups, use -G
wheel,sshd.
2 Switch to the user and provide a new password to ensure password complexity checking.
# su – username
username@hostname:~>passwd
If the password complexity is met, the password updates. If the password complexity is not met, the
password reverts to the original password, and you must rerun the password command.
After you create the login accounts to allow SSH remote access and use the su command to log in as
root using the wheel access, you can remove the root account from the SSH direct login.
3 To remove direct login to SSH, modify the /etc/ssh/sshd_config le by replacing (#)PermitRootLogin
yes with PermitRootLogin no.
What to do next
Disable direct logins as root. By default, the hardened appliances allow direct login to root through the
console. After you create administrative accounts for nonrepudiation and test them for wheel access (su-
root), disable direct root logins by editing the /etc/securetty le as root and replacing the tty1 entry with
console.
14 VMware, Inc.
Chapter 3 Secure Configuration of vRealize Operations Manager
Restrict Secure Shell Access
As part of your system hardening process, restrict Secure Shell (SSH) access by conguring the
tcp_wrappers package appropriately on all VMware virtual appliance host machines. Also maintain
required SSH key le permissions on these appliances.
All VMware virtual appliances include the tcp_wrappers package to allow tcp-supported daemons to
control the network subnets that can access the libwrapped daemons. By default, the /etc/hosts.allow le
contains a generic entry, sshd: ALL : ALLOW, that allows all access to the secure shell. Restrict this access as
appropriate for your organization.
Procedure
1 Open the /etc/hosts.allow le on your virtual appliance host machine in a text editor.
2 Change the generic entry in your production environment to include only the local host entries and the
management network subnet for secure operations.
sshd:127.0.0.1 : ALLOW
sshd: [::1] : ALLOW
sshd: 10.0.0.0 :ALLOW
In this example, all local host connections and connections that the clients make on the 10.0.0.0 subnet
are allowed.
3 Add all appropriate machine identication, for example, host name, IP address, fully qualied domain
name (FQDN), and loopback.
4 Save the le and close it.
Maintain Secure Shell Key File Permissions
To maintain an appropriate level of security, congure Secure Shell (SSH) key le permissions.
Procedure
1 View the public host key les, located in /etc/ssh/*key.pub.
2 Verify that these les are owned by root, that the group is owned by root, and that the les have
permissions set to 0644.
The permissions are (-rw-r--r--).
3 Close all les.
4 View the private host key les, located in /etc/ssh/*key.
5 Verify that root owns these les and the group, and that the les have permissions set to 0600.
The permissions are (-rw-------).
6 Close all les.
Harden the Secure Shell Server Configuration
Where possible, the Virtual Application Installation (OVF) has a default hardened conguration. Users can
verify that their conguration is appropriately hardened by examining the server and client service in the
global options section of the conguration le.
If possible, restrict use of the SSH server to a management subnet in the /etc/hosts.allow le.
VMware, Inc. 15
Secure Configuration
Procedure
1 Open the /etc/ssh/sshd_config server conguration le and verify that the seings are correct.
Setting Status
Server Daemon Protocol Protocol 2
Ciphers Ciphers aes256-ctr,aes128-ctr
TCP Forwarding AllowTCPForwarding no
Server Gateway Ports Gateway Ports no
X11 Forwarding X11Forwarding no
SSH Service Use the AllowGroups eld and specify a group permied to access
GSSAPI Authentication GSSAPIAuthentication no, if unused
Kerberos Authentication KerberosAuthentication no, if unused
Local Variables (AcceptEnv global option)
Tunnel Conguration PermitTunnel no
Network Sessions MaxSessions 1
Strict Mode Checking Strict Modes yes
Privilege Separation UsePrivilegeSeparation yes
rhosts RSA Authentication RhostsRSAAuthentication no
Compression Compression delayed or Compression no
Message Authentication code MACs hmac-sha1
User Access Restriction PermitUserEnvironment no
and add members to the secondary group for users permied to ue
the service.
Set to disabled by commenting out or enabled for only LC_*
or LANG variables
2 Save your changes and close the le.
Harden the Secure Shell Client Configuration
As part of your system hardening monitoring process, verify hardening of the SSH client by examining the
SSH client conguration le on virtual appliance host machines to ensure that it is congured according to
VMware guidelines.
Procedure
1 Open the SSH client conguration le, /etc/ssh/ssh_config, and verify that the seings in the global
options section are correct.
Setting Status
Client Protocol
Client Gateway Ports
GSSAPI Authentication
Local Variables (SendEnv global
option)
CBC Ciphers
Message Authentication Codes
2 Save your changes and close the le.
Protocol 2
Gateway Ports no
GSSAPIAuthentication no
Provide only LC_* or LANG variables
Ciphers aes256-ctr,aes128-ctr
Used in the MACs hmac-sha1 entry only
16 VMware, Inc.
Loading...