Secure Configuration vRealize Operations Manager 6.
Secure Configuration

You can find the most up-to-date technical documentation on the VMware Web site at: https://docs.vmware.com/ The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com

Copyright © 2017 VMware, Inc. All rights reserved. Copyright and trademark information. VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com 2 VMware, Inc.
Contents

Secure Configuration 5
1 vRealize Operations Manager Security Posture 7
2 Secure Deployment of vRealize Operations Manager 9
  Verify the Integrity of Installation Media 9
  Hardening the Deployed Software Infrastructure 9
  Reviewing Installed and Unsupported Software 10
  VMware Security Advisories and Patches 11
3 Secure Configuration of vRealize Operations Manager 13
  Secure the vRealize Operations Manager Console 14
  Change the Root Password 14
  Managing Secure Shell, Administrative Accounts, and Co
Index 55
Secure Configuration The documentation for Secure Configuration is intended to serve as a secure baseline for the deployment of vRealize Operations Manager. Refer to this document when you are using system-monitoring tools to ensure that the secure baseline configuration is monitored and maintained for any unexpected changes on an ongoing basis. Hardening activities that are not already set by default can be carried out manually.
1 vRealize Operations Manager Security Posture

The security posture of vRealize Operations Manager assumes a complete secure environment based on system and network configuration, organizational security policies, and best practices. It is important that you perform the hardening activities according to your organization's security policies and best practices.
2 Secure Deployment of vRealize Operations Manager

You must verify the integrity of the installation media before you install the product to ensure the authenticity of the downloaded files.
Hardening the VMware vSphere Environment

vRealize Operations Manager relies on a secure VMware vSphere environment to achieve the greatest benefits and a secured infrastructure. Assess the VMware vSphere environment and verify that the appropriate level of vSphere hardening guidance is enforced and maintained. For more guidance about hardening, see http://www.vmware.com/security/hardening-guides.html.
VMware Security Advisories and Patches

VMware occasionally releases security advisories for products. Being aware of these advisories can ensure that you have the safest underlying product and that the product is not vulnerable to known threats. Assess the vRealize Operations Manager installation, patching, and upgrade history and verify that the released VMware Security Advisories are followed and enforced.
3 Secure Configuration of vRealize Operations Manager

As a security best practice, you must secure the vRealize Operations Manager console and manage Secure Shell (SSH), administrative accounts, and console access. Ensure that your system is deployed with secure transmission channels. You must also follow certain security best practices for running Endpoint Operations Management agents.
Secure the vRealize Operations Manager Console

After you install vRealize Operations Manager, you must log in for the first time and secure the console of each node in the cluster.

Prerequisites

Install vRealize Operations Manager.

Procedure

1 Locate the node console in vCenter or by direct access. In vCenter, press Alt+F1 to access the login prompt. For security reasons, vRealize Operations Manager remote terminal sessions are disabled by default.
2 Log in as root.
Manage Password Expiry

Configure all account password expirations in accordance with your organization's security policies. By default, all hardened VMware appliances use a 60-day password expiry. On most hardened appliances, the root account is set to a 365-day password expiry. As a best practice, verify that the expiry on all accounts meets security and operational requirements. If the root password expires, you cannot reinstate it.
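Because an expired root password cannot be reinstated, the useful control is a periodic report of how many days each account has left against the baseline above. The following script is an added example, not part of the VMware guide: it parses shadow-format records, flags expired, expiring and never-expiring passwords, and compares each account's maximum age with the 60-day (365 for root) baseline. The shadow file path, "today" and the warning window are parameters; the sample records, hashes and account names are constructed. On a node you would pass /etc/shadow and $(( $(date +%s) / 86400 )), or simply cross-check with chage -l root.

```shell
#!/bin/sh
# Added example, not part of the VMware guide: report which local accounts have
# expired or soon-to-expire passwords, and which exceed the guide's baseline
# (60 days for ordinary accounts, 365 days for root). The shadow file path and
# "today" are parameters so the demo below runs on constructed data.

# policy_max_days USER: the guide's expiry baseline for this account.
policy_max_days() {
    if [ "$1" = root ]; then echo 365; else echo 60; fi
}

# audit_password_expiry SHADOW TODAY WARN_DAYS
# shadow fields: name:hash:lastchange:min:max:warn:inactive:expire:flag
# (lastchange and TODAY are days since 1970-01-01). Prints one line per account
# that has a password and returns the number of accounts needing attention.
audit_password_expiry() {
    shadow=$1; today=$2; warn=$3; findings=0
    while IFS=: read -r name hash last min max rest; do
        case $hash in ''|'!'*|'*'*) continue ;; esac   # locked or passwordless: skip
        policy=$(policy_max_days "$name")
        if [ -z "$max" ] || [ "$max" -ge 99999 ]; then
            status=NEVER_EXPIRES; left=n/a                  # violates the baseline outright
        else
            left=$((last + max - today))
            if [ "$left" -lt 0 ]; then status=EXPIRED
            elif [ "$left" -le "$warn" ]; then status=EXPIRING
            elif [ "$max" -gt "$policy" ]; then status=OVER_POLICY
            else status=OK
            fi
        fi
        [ "$status" = OK ] || findings=$((findings + 1))
        printf '%-10s %-14s max=%-6s policy=%-4s days_left=%s\n' \
            "$name" "$status" "${max:-unset}" "$policy" "$left"
    done < "$shadow"
    return "$findings"
}

# make_sample_shadow: constructed shadow records (hashes are placeholders).
make_sample_shadow() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:$6$constructedhash:17800:0:365:7:::
admin:$6$constructedhash:17900:0:60:7:::
svc:$6$constructedhash:17000:0:99999:7:::
backup:$6$constructedhash:18100:0:90:7:::
sshd:!:17000:0:99999:7:::
EOF
    printf '%s\n' "$f"
}

# Demo with a constructed "today" of day 18150 and a 30-day warning window.
if [ -z "$NO_DEMO" ]; then
    sample=$(make_sample_shadow)
    audit_password_expiry "$sample" 18150 30 || echo "$? account(s) need attention"
    rm -f "$sample"
fi
```

In the constructed data root is 15 days from expiry, admin expired 190 days ago, svc never expires, and backup is within its own 90-day window but over the 60-day baseline; the locked sshd account is skipped. Run the report from cron or your monitoring tool so that the root case is caught inside the warning window rather than after the fact.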
Enable or Disable Secure Shell on a vRealize Operations Manager Node

You can enable Secure Shell (SSH) on a vRealize Operations Manager node for troubleshooting. For example, troubleshooting a server might require console access to that server, which is provided through SSH. Disable SSH on a vRealize Operations Manager node for normal operation.

Procedure

1 Access the console of the vRealize Operations Manager node from vCenter.
2 Press Alt+F1 to access the login prompt, then log in.
Restrict Secure Shell Access

As part of your system hardening process, restrict Secure Shell (SSH) access by configuring the tcp_wrappers package appropriately on all VMware virtual appliance host machines. Also maintain the required SSH key file permissions on these appliances. All VMware virtual appliances include the tcp_wrappers package, which lets TCP-wrapper-aware daemons control the network subnets that can access the libwrapped daemons.
Procedure

2 Open the /etc/ssh/sshd_config server configuration file and verify that the settings are correct.

Setting                  Status
Server Daemon Protocol   Protocol 2
Ciphers                  Ciphers aes256-ctr,aes128-ctr
TCP Forwarding           AllowTCPForwarding no
Server Gateway Ports     GatewayPorts no
X11 Forwarding           X11Forwarding no
SSH Service              Use the AllowGroups field to specify a group permitted to access the service, and add members to that secondary group for the users permitted to use the service.
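Verifying the table above by eye on every node does not scale, and a setting that appears twice in sshd_config is honoured only at its first occurrence, so a grep for the wanted value can pass while sshd runs with the wrong one. The script below is an added example, not VMware's code: it reads the first active value of each keyword (the way sshd does), reports each row of the table as OK or FAIL, and corrects a keyword with the same sed "c\" idiom the guide uses elsewhere. sshd keywords are case-insensitive, so the table's AllowTCPForwarding and the canonical AllowTcpForwarding are the same setting. The file path is a parameter, the sample config and the group name sshadmins are constructed; on a node you would pass /etc/ssh/sshd_config and your own administrative group, then reload sshd.

```shell
#!/bin/sh
# Added example, not part of the VMware guide: audit an sshd_config against the
# settings in the table above and correct a non-compliant keyword in place.
# The sample config and the group name are constructed.

# Required "Keyword=Value" pairs from the table. AllowGroups is checked
# separately because its value (the permitted group) is site-specific.
REQUIRED_SSHD_SETTINGS='Protocol=2
Ciphers=aes256-ctr,aes128-ctr
AllowTcpForwarding=no
GatewayPorts=no
X11Forwarding=no'

# first_active_value FILE KEY: value of the first uncommented KEY line, which is
# the one sshd honours (later duplicates are ignored by sshd).
first_active_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# check_sshd_config FILE: print OK/FAIL per setting, return the number of failures.
check_sshd_config() {
    cfg=$1
    fails=0
    for pair in $REQUIRED_SSHD_SETTINGS; do
        key=${pair%%=*}
        want=${pair#*=}
        have=$(first_active_value "$cfg" "$key")
        if [ "$have" = "$want" ]; then
            printf 'OK   %s %s\n' "$key" "$have"
        else
            printf 'FAIL %s expected=%s actual=%s\n' "$key" "$want" "${have:-<unset>}"
            fails=$((fails + 1))
        fi
    done
    groups=$(first_active_value "$cfg" AllowGroups)
    if [ -n "$groups" ]; then
        printf 'OK   AllowGroups %s\n' "$groups"
    else
        printf 'FAIL AllowGroups expected=<an administrative group> actual=<unset>\n'
        fails=$((fails + 1))
    fi
    return "$fails"
}

# set_sshd_option FILE KEY VALUE: replace the active KEY line(s) with the guide's
# sed "c\" idiom, or append the line if the keyword is absent.
set_sshd_option() {
    cfg=$1; key=$2; value=$3
    if grep -q "^[[:space:]]*${key}[[:space:]]" "$cfg"; then
        sed -i "/^[[:space:]]*${key}[[:space:]]/c\\${key} ${value}" "$cfg"
    else
        printf '%s %s\n' "$key" "$value" >> "$cfg"
    fi
}

# make_sample_sshd_config: write a constructed, deliberately non-compliant
# config to a temp file and print its path.
make_sample_sshd_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample sshd_config (not from a real appliance)
Protocol 2
Ciphers aes256-ctr,aes128-ctr
AllowTcpForwarding yes
GatewayPorts no
X11Forwarding no
#AllowGroups sshadmins
EOF
    printf '%s\n' "$f"
}

# Demo: audit, fix the two findings, audit again.
if [ -z "$NO_DEMO" ]; then
    sample=$(make_sample_sshd_config)
    check_sshd_config "$sample" || echo "$? setting(s) need attention"
    set_sshd_option "$sample" AllowTcpForwarding no
    set_sshd_option "$sample" AllowGroups sshadmins
    check_sshd_config "$sample" && echo "sshd_config is compliant"
    rm -f "$sample"
fi
```

The first audit of the constructed file reports two failures (TCP forwarding enabled, AllowGroups only present as a comment); after the two fixes it reports none. Keep AllowGroups last on the list of fixes, and make sure your own account is in the group before reloading sshd, or the next SSH login will be refused.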
Disable Direct Logins as Root

By default, the hardened appliances allow you to use the console to log in directly as root. As a security best practice, you can disable direct logins after you create an administrative account for nonrepudiation and test it for wheel access by using the su - root command.

Prerequisites

- Complete the steps in the topic called "Create a Local Administrative Account for Secure Shell," on page 16.
Single-User or Maintenance Mode Authentication

If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system.

Procedure

- Review the /etc/inittab file and ensure that the following two lines appear:

ls:S:wait:/etc/init.d/rc S
~~:S:respawn:/sbin/sulogin
haldaemon:!:102:
kmem:x:9:
mail:x:12:
man:x:62:
messagebus:!:101:
modem:x:43:
nobody:x:65533:
nogroup:x:65534:nobody
ntp:!:106:
polkituser:!:105:
public:x:32:
root:x:0:admin
shadow:x:15:
sshd:!:65:
suse-ncc:!:107:
sys:x:3:
tape:!:103:
trusted:x:42:
tty:x:5:
utmp:x:22:
uuidd:!:104:
video:x:33:u1,tcserver,postgres
wheel:x:10:root,admin
www:x:8:
xok:x:41:
maildrop:!:1001:
postfix:!:51:
users:x:100:
vami:!:1002:root
nginx:!:108:
admin:!:1003:
vfabri
Configure NTP on VMware Appliances

For critical time sourcing, disable host time synchronization and use the Network Time Protocol (NTP) on VMware appliances. You must configure a trusted remote NTP server for time synchronization. The NTP server must be an authoritative time server or at least synchronized with an authoritative time server. The NTP daemon on VMware virtual appliances provides synchronized time services. NTP is disabled by default, so you need to configure it manually.
2 Modify your Apache2 configuration by editing the /etc/apache2/ssl-global.conf file.
3 Search for the line and add the SSLFIPS on directive below it.
4 To reset the Apache configuration, run the service apache2 restart command.

TLS for Data in Transit

As a security best practice, ensure that the system is deployed with secure transmission channels.
2 Disable TLS 1.0.
  a Navigate to the administrator user interface at url/admin.
  b Click Bring Offline.
  c To disable SSLv3 and TLS 1.0, run the following commands:

sed -i "/^[^#]*cluster-ssl-protocol/ c\cluster-ssl-protocols=TLSv1.2 TLSv1.1" /usr/lib/vmware-vcops/user/conf/gemfire.properties
sed -i "/^[^#]*cluster-ssl-protocol/ c\cluster-ssl-protocols=TLSv1.2 TLSv1.1" /usr/lib/vmware-vcops/user/conf/gemfire.native.properties
sed -i "/^[^#]*cluster-ssl-protocol/ c\cluster-ssl-prot
Verify the Correct Use of Cipher Suites in Apache HTTPD

For maximum security, verify the correct use of cipher suites in Apache httpd.

Procedure

1 To verify the correct use of cipher suites in Apache httpd, run the following command from the command prompt:

grep SSLCipherSuite /usr/lib/vmware-vcopssuite/utilities/conf/vcops-apache.conf | grep -v '#'
  c To configure the correct cipher suites, run the following commands:

sed -i "/^[^#]*cluster-ssl-ciphers/ c\cluster-ssl-ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" /usr/lib/vmware-vcops/user/conf/gemfire.properties
sed -i "/^[^#]*cluster-ssl-ciphers/ c\cluster-ssl-ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" /usr/lib/vmware-vcops/user/conf/gemfire.native.properties
sed -i "/^[^#]*cluster-ssl-ciphers/ c\cluster-ssl-ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" /usr/lib/vmware-vcops/use
-rwsr-x--- 1 root messagebus 47912 /lib64/dbus-1/dbus-daemon-launch-helper
-rwsr-xr-x 1 root shadow     35688 /sbin/unix_chkpwd
-rwsr-xr-x 1 root shadow     10736 /sbin/unix2_chkpwd

2 Run the find / -path */proc -prune -o -nouser -o -nogroup command to verify that all the files in the vApp have an owner. All the files have an owner if there are no results.
3 Run the find / -name "*.
Apache Configuration

Disable Web Directory Browsing

As a security best practice, ensure that a user cannot browse through a directory, because directory browsing increases the risk of exposure to directory traversal attacks.

Procedure

- Verify that web directory browsing is disabled for all directories.
  a Open the /etc/apache2/default-server.conf and /usr/lib/vmware-vcopssuite/utilities/conf/vcops-apache.conf files in a text editor.
2 To disable the Trace method for the Apache2 server, run the following command:

sed -i "/^[^#]*TraceEnable/ c\TraceEnable off" /usr/lib/vmware-vcopssuite/utilities/conf/vcops-apache.conf

Disable Configuration Modes

As a best practice, when you install, configure, or maintain vRealize Operations Manager, you can modify the configuration or settings to enable troubleshooting and debugging of your installation.
Procedure

1 Open the /etc/modprobe.conf.local file in a text editor.
2 Ensure that the following line appears in this file:

install sctp /bin/true

3 Save the file and close it.

Secure the Datagram Congestion Control Protocol

As part of your system hardening activities, prevent the Datagram Congestion Control Protocol (DCCP) module from loading on vRealize appliances by default. Potential attackers can exploit this protocol to compromise your system.
2 Ensure that the install tipc /bin/true line appears in this file.
3 Save the file and close it.

Secure Internet Packet Exchange Protocol

Prevent the Internetwork Packet Exchange (IPX) protocol from loading on vRealize appliances by default. Potential attackers could exploit this protocol to compromise your system. Avoid loading the IPX protocol module unless it is absolutely necessary. IPX is an obsolete network-layer protocol.
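The module-disabling topics in this section (SCTP, DCCP, TIPC, IPX and the IEEE 1394 topic that follows) all follow the same pattern: an install MODULE /bin/true line in /etc/modprobe.conf.local makes modprobe run /bin/true instead of loading the module. The script below is an added example, not VMware's code, that audits one file for all of those lines at once and appends the missing ones idempotently. The file path is a parameter and the sample file is constructed; the module names dccp and ipx are assumed from the pattern the guide shows for sctp, tipc and ieee1394, so confirm them against the guide's own steps for those topics.

```shell
#!/bin/sh
# Added example, not part of the VMware guide: audit /etc/modprobe.conf.local
# for the "install MODULE /bin/true" lines these topics require and add any
# that are missing. Module names dccp and ipx are assumed from the guide's pattern.
HARDENED_MODULES='sctp dccp tipc ipx ieee1394'

# module_disabled CONF MODULE: true if an active (uncommented) install line
# redirects the module to /bin/true so modprobe never loads it.
module_disabled() {
    grep -Eq "^[[:space:]]*install[[:space:]]+$2[[:space:]]+/bin/true([[:space:]]|$)" "$1"
}

# disable_module CONF MODULE: append the install line unless already present.
disable_module() {
    module_disabled "$1" "$2" || printf 'install %s /bin/true\n' "$2" >> "$1"
}

# audit_modules CONF: print one line per module, return the number still loadable.
audit_modules() {
    conf=$1; missing=0
    for mod in $HARDENED_MODULES; do
        if module_disabled "$conf" "$mod"; then
            printf 'OK       install %s /bin/true\n' "$mod"
        else
            printf 'MISSING  install %s /bin/true\n' "$mod"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# make_sample_modprobe_conf: constructed file with two lines present, one
# present only as a comment (which does not count), and two absent.
make_sample_modprobe_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample of /etc/modprobe.conf.local
install sctp /bin/true
#install tipc /bin/true
install ieee1394 /bin/true
EOF
    printf '%s\n' "$f"
}

if [ -z "$NO_DEMO" ]; then
    sample=$(make_sample_modprobe_conf)
    audit_modules "$sample" || echo "$? module(s) still loadable"
    for mod in $HARDENED_MODULES; do disable_module "$sample" "$mod"; done
    audit_modules "$sample" && echo "all listed modules are blocked"
    rm -f "$sample"
fi
```

An install line only prevents future loads: a module that is already resident stays resident until it is unloaded or the appliance reboots, so pair the file audit with lsmod on a running node. The match is on the exact module name, which is what you want; a looser pattern would report the commented-out tipc line in the sample as compliant.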
Procedure

1 Open the /etc/modprobe.conf.local file in a text editor.
2 Ensure that the install ieee1394 /bin/true line appears in this file.
3 Save the file and close it.

Kernel Message Logging

The kernel.printk entry in the /etc/sysctl.conf file specifies the kernel print logging settings. Four values are specified:
- console loglevel. The lowest priority of messages printed to the console.
- default loglevel.
TLS for Data in Transit

As a security best practice, ensure that the system is deployed with secure transmission channels.

Configure vRealize Operations Manager to Use Strong Ciphers

The encryption strength that is used in a TLS session is determined by the encryption cipher negotiated between the server and the browser. To ensure that only strong ciphers are selected, you must modify the server to disable the use of weak ciphers.
Disable Configuration Modes

As a best practice, when you install, configure, or maintain vRealize Operations Manager, you can modify the configuration or settings to enable troubleshooting and debugging of your installation. Catalog and audit each of the changes you make to ensure that they are properly secured. Do not put the changes into production if you are not sure that your configuration changes are correctly secured.
Configure vRealize Operations Manager to Use Strong Ciphers

The encryption strength that is used in a TLS session is determined by the encryption cipher negotiated between the server and the browser. To ensure that only strong ciphers are selected, you must modify the server to disable the use of weak ciphers. In addition, you must configure the ciphers in a suitable order.
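The TLS protocol and cipher steps earlier in this chapter apply a one-line sed of the form sed -i "/^[^#]*KEY/ c\KEY=VALUE" to each gemfire*.properties file. That idiom replaces every uncommented line containing KEY, but it is a silent no-op when the key is absent, and it gives no confirmation that SSLv3 and TLS 1.0 are really gone. The script below is an added example, not VMware's code: it wraps the same sed pattern in a function that appends the key when missing, reads the value back, and checks that the protocol list contains nothing but TLSv1.1 and TLSv1.2. The sample properties file and the key example-new-key are constructed; on a node the targets are the /usr/lib/vmware-vcops/user/conf/gemfire*.properties paths listed in the steps, and the cluster must be offline while you edit them, as the steps say.

```shell
#!/bin/sh
# Added example, not part of the VMware guide: apply and verify the guide's
# sed-based property changes on a GemFire properties file. The sample file is
# constructed; the real files are the gemfire*.properties paths in this chapter.

# set_property FILE KEY VALUE: replace every active (uncommented) KEY line with
# KEY=VALUE using the guide's "/^[^#]*KEY/ c\KEY=VALUE" sed pattern. That sed
# is a silent no-op when KEY is absent, so the line is appended in that case.
set_property() {
    file=$1; key=$2; value=$3
    if grep -q "^[^#]*${key}" "$file"; then
        sed -i "/^[^#]*${key}/ c\\${key}=${value}" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_property FILE KEY: print the value of the first active KEY line, or nothing.
get_property() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# protocols_are_strong FILE: true only if cluster-ssl-protocols is set and lists
# nothing other than TLSv1.1 and TLSv1.2 (so SSLv3 and TLSv1.0 are gone).
protocols_are_strong() {
    list=$(get_property "$1" cluster-ssl-protocols)
    [ -n "$list" ] || return 1
    for p in $list; do
        case $p in
            TLSv1.1|TLSv1.2) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# make_sample_gemfire_properties: constructed file in the pre-hardening state,
# including a commented line that the sed pattern must leave alone.
make_sample_gemfire_properties() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample gemfire.properties (not a real appliance file)
cluster-ssl-enabled=true
cluster-ssl-protocols=any
cluster-ssl-ciphers=any
# cluster-ssl-protocols=TLSv1 (commented out: must not be touched)
EOF
    printf '%s\n' "$f"
}

if [ -z "$NO_DEMO" ]; then
    sample=$(make_sample_gemfire_properties)
    protocols_are_strong "$sample" || echo "before: protocols=$(get_property "$sample" cluster-ssl-protocols)"
    set_property "$sample" cluster-ssl-protocols "TLSv1.2 TLSv1.1"
    set_property "$sample" cluster-ssl-ciphers TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    protocols_are_strong "$sample" && echo "after: protocols=$(get_property "$sample" cluster-ssl-protocols)"
    rm -f "$sample"
fi
```

Run the same three calls against each of the three property files the steps name, then re-run protocols_are_strong on each before bringing the cluster back online; a file in which the key was commented out rather than absent would otherwise keep its default protocol set without any error from sed.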
Endpoint Operations Management Agent

The Endpoint Operations Management agent adds agent-based discovery and monitoring capabilities to vRealize Operations Manager. The Endpoint Operations Management agent is installed on the hosts directly and might or might not be at the same level of trust as the Endpoint Operations Management server. Therefore, you must verify that the agents are securely installed.
Table 3‑1.
Table 3‑2.
Table 3‑2. Windows Files and Permissions (Continued)

Directory or File                       Groups or Users     Full Control   Modify   Read and Execute   Read   Write
/data/* (all files in data directory)   SYSTEM              Yes            -        -                  -      -
                                        Administrator       Yes            -        -                  -      -
                                        Installation User   Yes            -        -                  -      -
                                        Users               -              -        -                  -      -

Open Ports on Agent Host

The agent process listens for commands on two ports, 127.0.0.1:2144 and 127.0.0.1:32000, which are configurable.
4 Select EP Ops Agent - *HOST_DNS_NAME*.
5 Click Edit Object.
6 Record the agent ID, which is the agent token string.
7 Close the Edit Object dialog box.
8 Select EP Ops Agent - *HOST_DNS_NAME* and click Delete Object.

Reinstate an Agent Resource

When the secure state of a system is recovered, you can reinstate a revoked agent. This ensures that the agent continues to report on the same resources without losing historical data.
Procedure

- On Linux-based operating systems, run the ep-agent.sh setup command on the agent host. On Windows-based operating systems, run the ep-agent.bat setup command. If the agent detects that the server certificate has been modified, a message is displayed. Accept the new certificate if you trust it and it is valid.
4 Network Security and Secure Communication

As a security best practice, review and edit the network communication settings of your VMware virtual appliances and host machines. You must also configure the minimum incoming and outgoing ports for vRealize Operations Manager.
2 Set the queue size for the TCP backlog.
  a Open the /etc/sysctl.conf file in a text editor.
  b Set the default TCP backlog queue size by adding the following entry to the file:

net.ipv4.tcp_max_syn_backlog=1280

  c Save your changes and close the file.

Deny ICMPv4 Echoes to Broadcast Address

Responses to broadcast Internet Control Message Protocol (ICMP) echoes provide an attack vector for amplification attacks and can facilitate network mapping by malicious agents.
2 Configure the host system to ignore IPv4 ICMP redirect messages.
  a Open the /etc/sysctl.conf file.
  b If the values are not set to 0, add the following entries to the file or update the existing entries accordingly:

net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0

  c Save the changes and close the file.
Configure the Host System to Log IPv4 Martian Packets

As a security best practice, verify that the host system logs IPv4 Martian packets. Martian packets contain addresses that the system knows to be invalid. Configure the host system to log these messages so that you can identify misconfigurations or attacks in progress.

Procedure

1 To check whether the host logs IPv4 Martian packets, run the following command:

# grep [01] /proc/sys/net/ipv4/conf/*/log_martians|egrep "default|all"
2 Configure the host system to deny IPv4 forwarding.
  a Open the /etc/sysctl.conf file to configure the host system.
  b If the value is not set to 0, add the following entry to the file or update the existing entry accordingly:

net.ipv4.ip_forward=0

  c Save the changes and close the file.
Configure the Host System to Use IPv4 TCP Syncookies

As a security best practice, verify that the host system uses IPv4 Transmission Control Protocol (TCP) syncookies. A TCP SYN flood attack might cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. With syncookies, the system does not track a connection until a subsequent ACK is received, which verifies that the initiator is attempting a valid connection and is not a flood source.
Configure the Host System to Deny IPv6 Router Solicitations

As a security best practice, verify that the host system denies IPv6 router solicitations unless they are necessary. The router solicitations setting determines how many router solicitations are sent when an interface is brought up. If addresses are assigned statically, there is no need to send any solicitations.
2 Configure the host system to deny IPv6 router prefix information.
  a Open the /etc/sysctl.conf file.
  b If the values are not set to 0, add the following entries to the file or update the existing entries accordingly:

net.ipv6.conf.all.accept_ra_pinfo=0
net.ipv6.conf.default.accept_ra_pinfo=0

  c Save the changes and close the file.
Configure the Host System to Deny IPv6 Neighbor Solicitations

As a security best practice, verify that the host system denies IPv6 neighbor solicitations unless they are necessary. The dad_transmits setting determines how many neighbor solicitations are sent out per address, including global and link-local addresses, when you bring up an interface, to ensure that the desired address is unique on the network.
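Every topic in this chapter follows the same two-part pattern: a live check under /proc/sys (such as the grep of log_martians above) and a persistent entry in /etc/sysctl.conf. The two can disagree in both directions: an edited file does nothing until sysctl -p runs or the appliance reboots, and a value set with sysctl -w is lost at the next reboot if the file was never updated. The script below is an added example, not VMware's code: it audits the chapter's settings in both places at once, names which of the two is wrong, and sets a missing file entry with the same sed "c\" idiom the guide uses. The sysctl.conf and /proc/sys paths are parameters and the demo environment is constructed in a temp directory. Keys whose values the chapter gives in words rather than as a line (log_martians, tcp_syncookies, icmp_echo_ignore_broadcasts, router_solicitations) are assumed here to use the standard sysctl semantics of 1 = enabled and 0 = disabled; dad_transmits is omitted because the chapter text does not state its target value.

```shell
#!/bin/sh
# Added example, not part of the VMware guide: audit the kernel network
# settings this chapter configures, in the persistent sysctl.conf and in the
# running kernel under /proc/sys. Paths are parameters so the demo runs on
# constructed data; on a node pass /etc/sysctl.conf and /proc/sys.
# Values not shown as a line in the chapter (log_martians, tcp_syncookies,
# icmp_echo_ignore_broadcasts, router_solicitations) are assumed: 1 = on, 0 = off.
SYSCTL_BASELINE='net.ipv4.tcp_max_syn_backlog=1280
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
net.ipv4.ip_forward=0
net.ipv4.tcp_syncookies=1
net.ipv6.conf.all.accept_ra_pinfo=0
net.ipv6.conf.default.accept_ra_pinfo=0
net.ipv6.conf.all.router_solicitations=0
net.ipv6.conf.default.router_solicitations=0'

# escape_key KEY: make the dots in a sysctl key literal for sed.
escape_key() { printf '%s' "$1" | sed 's/\./\\./g'; }

# file_value CONF KEY: value of the last active KEY line (sysctl -p applies the last).
file_value() {
    sed -n "s/^[[:space:]]*$(escape_key "$2")[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# running_value PROCSYS KEY: the live kernel value (dots become path separators).
running_value() {
    path="$1/$(printf '%s' "$2" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; fi
}

# set_sysctl CONF KEY VALUE: replace the active KEY line(s) or append, with the
# same sed "c\" idiom the guide applies to its other configuration files.
set_sysctl() {
    conf=$1; key=$2; value=$3; esc=$(escape_key "$key")
    if grep -q "^[[:space:]]*${esc}[[:space:]]*=" "$conf"; then
        sed -i "/^[[:space:]]*${esc}[[:space:]]*=/ c\\${key}=${value}" "$conf"
    else
        printf '%s=%s\n' "$key" "$value" >> "$conf"
    fi
}

# audit_sysctl CONF PROCSYS: one line per baseline key; returns the number of
# keys not correct in BOTH places. NOT_APPLIED = file is right but sysctl -p (or
# a reboot) has not run; NOT_PERSISTED = kernel is right now but not after reboot.
audit_sysctl() {
    conf=$1; procsys=$2; bad=0
    for pair in $SYSCTL_BASELINE; do
        key=${pair%%=*}; want=${pair#*=}
        persisted=$(file_value "$conf" "$key")
        live=$(running_value "$procsys" "$key")
        if [ "$live" = "$want" ] && [ "$persisted" = "$want" ]; then state=OK
        elif [ "$live" = "$want" ]; then state=NOT_PERSISTED
        elif [ "$persisted" = "$want" ]; then state=NOT_APPLIED
        else state=FAIL
        fi
        [ "$state" = OK ] || bad=$((bad + 1))
        printf '%-13s %-44s want=%s file=%s live=%s\n' \
            "$state" "$key" "$want" "${persisted:-?}" "${live:-?}"
    done
    return "$bad"
}

# make_sample_sysctl_env: constructed sysctl.conf plus a fake /proc/sys tree in
# a temp directory, compliant except for four deliberate deviations.
make_sample_sysctl_env() {
    d=$(mktemp -d)
    for pair in $SYSCTL_BASELINE; do
        key=${pair%%=*}; want=${pair#*=}
        p="$d/proc/sys/$(printf '%s' "$key" | tr . /)"
        mkdir -p "$(dirname "$p")"
        printf '%s\n' "$want" > "$p"
        printf '%s = %s\n' "$key" "$want" >> "$d/sysctl.conf"
    done
    printf '1\n' > "$d/proc/sys/net/ipv4/ip_forward"                   # file says 0, kernel still forwards
    sed -i '/tcp_syncookies/d; /router_solicitations/d' "$d/sysctl.conf"   # three keys not persisted
    printf '3\n' > "$d/proc/sys/net/ipv6/conf/all/router_solicitations"  # ... and one also wrong live
    printf '%s\n' "$d"
}

if [ -z "$NO_DEMO" ]; then
    env_dir=$(make_sample_sysctl_env)
    audit_sysctl "$env_dir/sysctl.conf" "$env_dir/proc/sys" || echo "$? setting(s) need attention"
    rm -rf "$env_dir"
fi
```

On the constructed data the audit reports ip_forward as NOT_APPLIED, tcp_syncookies and the default router_solicitations as NOT_PERSISTED, and the all router_solicitations as FAIL. The state column tells you which remediation is needed: sysctl -p for NOT_APPLIED, a set_sysctl call for NOT_PERSISTED, and both for FAIL.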
Minimum Default Incoming Ports

As a security best practice, configure the incoming ports required for vRealize Operations Manager to operate in production.

Table 4‑1. Minimum Required Incoming Ports

Port   Protocol   Comments
443    TCP        Used to access the vRealize Operations Manager user interface and the vRealize Operations Manager administrator interface.
123    UDP        Used by vRealize Operations Manager for Network Time Protocol (NTP) synchronization to the master node.
5 Auditing and Logging on your vRealize Operations Manager System

As a security best practice, set up auditing and logging on your vRealize Operations Manager system. The detailed implementation of auditing and logging is outside the scope of this document. Remote logging to a central log host provides a secure store for logs. By collecting log files to a central host, you can easily monitor the environment with a single tool.
Index A administrative accounts 15 agent certificate revocation 40 apache configuration 28 Apache httpd 23 application resources, protect 26 auditing 53 authorized NTP server 53 B best practices, End Point Operations Management agents 36 Bluetooth protocol handler 29 boot loader authentication 19 browser considerations 53 C cipher suites in GemFire 25 cipher suites in Apache httpd 25 client configuration, secure shell 18 configuration, PostgreSQL client authentication 27 configuration modes, disable 29,
IPv6, deny IPv6 router preference in router solicitations 49 IPv6, ignore ICMP redirect messages 45 IPv6, restrict IPv6 maximum addresses 51 K kernel message logging 32 L local administrative account, creating 16 logging 53 M maintenance mode authentication 20 managing nonessential software 29 minimal necessary groups 20 minimal user accounts 20 minimum incoming ports 52 minimum permissions, agent functionality 36 monitor minimal necessary groups 20 monitor minimal user accounts 20
vRealize Operations Manager administrative password 21 W weak ciphers, configure 33, 35 Windows time service 32