Secure Configuration
vRealize Operations Manager 6.5

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.

You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com
Copyright © 2017 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com
Contents
Secure Configuration 5
1 vRealize Operations Manager Security Posture 7
2 Secure Deployment of vRealize Operations Manager 9
    Verify the Integrity of Installation Media 9
    Hardening the Deployed Software Infrastructure 9
    Reviewing Installed and Unsupported Software 10
    VMware Security Advisories and Patches 10
3 Secure Configuration of vRealize Operations Manager 13
    Secure the vRealize Operations Manager Console 14
    Change the Root Password 14
    Managing Secure Shell, Administrative Accounts, and Co
Index 53
Secure Configuration

The documentation for Secure Configuration is intended to serve as a secure baseline for the deployment of vRealize Operations Manager. Refer to this document when you are using system-monitoring tools to ensure that the secure baseline configuration is monitored and maintained for any unexpected changes on an ongoing basis. Hardening activities that are not already set by default can be carried out manually.
Chapter 1 vRealize Operations Manager Security Posture

The security posture of vRealize Operations Manager assumes a complete secure environment based on system and network configuration, organizational security policies, and best practices. It is important that you perform the hardening activities according to your organization's security policies and best practices.
Chapter 2 Secure Deployment of vRealize Operations Manager

You must verify the integrity of the installation media before you install the product to ensure authenticity of the downloaded files.
Hardening the VMware vSphere Environment

vRealize Operations Manager relies on a secure VMware vSphere environment to achieve the greatest benefits and a secured infrastructure. Assess the VMware vSphere environment and verify that the appropriate level of vSphere hardening guidance is enforced and maintained. For more guidance about hardening, see http://www.vmware.com/security/hardening-guides.html.
It is recommended that you always remain on the most recent vRealize Operations Manager release, because each release also includes the most recent security fixes. For more information about the current VMware security advisories, see http://www.vmware.com/security/advisories/.
Chapter 3 Secure Configuration of vRealize Operations Manager

As a security best practice, you must secure the vRealize Operations Manager console and manage Secure Shell (SSH), administrative accounts, and console access. Ensure that your system is deployed with secure transmission channels. You must also follow certain security best practices for running Endpoint Operations Management agents.
Secure the vRealize Operations Manager Console

After you install vRealize Operations Manager, you must log in for the first time and secure the console of each node in the cluster.

Prerequisites
Install vRealize Operations Manager.

Procedure
1 Locate the node console in vCenter or by direct access. In vCenter, press Alt+F1 to access the login prompt. For security reasons, vRealize Operations Manager remote terminal sessions are disabled by default.
2 Log in as root.
Manage Password Expiry

Configure all account password expirations in accordance with your organization's security policies. By default, all hardened VMware appliances use a 60-day password expiry. On most hardened appliances, the root account is set to a 365-day password expiry. As a best practice, verify that the expiry on all accounts meets your security and operational requirements. If the root password expires, you cannot reinstate it.
Enable or Disable Secure Shell on a vRealize Operations Manager Node

You can enable Secure Shell (SSH) on a vRealize Operations Manager node for troubleshooting. For example, to troubleshoot a server, you might require console access to the server, and that access is provided through SSH. Disable SSH on a vRealize Operations Manager node for normal operation.

Procedure
1 Access the console of the vRealize Operations Manager node from vCenter.
2 Press Alt+F1 to access the login prompt, then log in.
Restrict Secure Shell Access

As part of your system hardening process, restrict Secure Shell (SSH) access by configuring the tcp_wrappers package appropriately on all VMware virtual appliance host machines. Also maintain required SSH key file permissions on these appliances. All VMware virtual appliances include the tcp_wrappers package to allow tcp-supported daemons to control the network subnets that can access the libwrapped daemons.
Procedure
1
2 Open the /etc/ssh/sshd_config server configuration file and verify that the settings are correct.

Setting                   Status
Server Daemon Protocol    Protocol 2
Ciphers                   Ciphers aes256-ctr,aes128-ctr
TCP Forwarding            AllowTCPForwarding no
Server Gateway Ports      GatewayPorts no
X11 Forwarding            X11Forwarding no
SSH Service               Use the AllowGroups field to specify a group permitted to access the service, and add members to that secondary group for users permitted to use the service.
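The following script, added here as an example and not taken from the VMware guide, audits an sshd_config file against the directives in the table above. It applies sshd's own rules for reading the file (the first uncommented occurrence of a keyword wins, keywords are case-insensitive), so a hardened line that sits below a commented-out or conflicting line is reported correctly. The two configuration files it reads are constructed samples, and the group name sshusers is an assumption.

```shell
#!/bin/sh
# Added example, not part of the VMware guide: audit an sshd_config file against
# the directives listed in the guide's table. Uses only POSIX sh and awk.

# Directive / expected value pairs from the guide's table.
SSHD_EXPECTED='Protocol 2
Ciphers aes256-ctr,aes128-ctr
AllowTCPForwarding no
GatewayPorts no
X11Forwarding no'

# Print the effective value of one directive. sshd uses the first uncommented
# occurrence of a keyword and matches keywords case-insensitively, so the audit
# does the same. Only the first argument of the directive is printed, which is
# enough for the single-value settings checked here.
sshd_effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Report every deviation from SSHD_EXPECTED and require AllowGroups to be set.
# Returns the number of failing checks, so 0 means the file matches the baseline.
sshd_audit() {
    failures=0
    while read -r directive expected; do
        actual=$(sshd_effective_value "$1" "$directive")
        if [ "$actual" = "$expected" ]; then
            echo "OK   $directive $actual"
        else
            echo "FAIL $directive: found '${actual:-<unset>}', expected '$expected'"
            failures=$((failures + 1))
        fi
    done <<EOF
$SSHD_EXPECTED
EOF
    if [ -z "$(sshd_effective_value "$1" AllowGroups)" ]; then
        echo "FAIL AllowGroups: not set, so every account with a shell may use SSH"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Constructed sample files (not real appliance configuration).
SSHD_GOOD=$(mktemp)
cat > "$SSHD_GOOD" <<'EOF'
# hardened sample; lower-case keyword is accepted, as sshd does
Protocol 2
ciphers aes256-ctr,aes128-ctr
AllowTCPForwarding no
GatewayPorts no
X11Forwarding no
AllowGroups sshusers
EOF

SSHD_BAD=$(mktemp)
cat > "$SSHD_BAD" <<'EOF'
# shipped defaults left in place: the commented line does not count
#X11Forwarding no
Protocol 2,1
X11Forwarding yes
Ciphers aes256-ctr,aes128-ctr
AllowTCPForwarding no
GatewayPorts no
EOF

sshd_audit "$SSHD_GOOD" && echo "baseline OK: $SSHD_GOOD"
sshd_audit "$SSHD_BAD" || echo "deviations found in $SSHD_BAD"
```

Run it against /etc/ssh/sshd_config on a node to get one OK or FAIL line per directive; the non-zero exit status makes it usable from the monitoring tools the introduction recommends for detecting drift from the baseline.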
Disable Direct Logins as Root

By default, the hardened appliances allow you to use the console to log in directly as root. As a security best practice, you can disable direct logins after you create an administrative account for nonrepudiation and test it for wheel access by using the su-root command.

Prerequisites
- Complete the steps in the topic called "Create a Local Administrative Account for Secure Shell," on page 16.
Single-User or Maintenance Mode Authentication

If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system.

Procedure
- Review the /etc/inittab file and ensure that the following two lines appear:
  ls:S:wait:/etc/init.d/rc S
  ~~:S:respawn:/sbin/sulogin
haldaemon:!:102:
kmem:x:9:
mail:x:12:
man:x:62:
messagebus:!:101:
modem:x:43:
nobody:x:65533:
nogroup:x:65534:nobody
ntp:!:106:
polkituser:!:105:
public:x:32:
root:x:0:admin
shadow:x:15:
sshd:!:65:
suse-ncc:!:107:
sys:x:3:
tape:!:103:
trusted:x:42:
tty:x:5:
utmp:x:22:
uuidd:!:104:
video:x:33:u1,tcserver,postgres
wheel:x:10:root,admin
www:x:8:
xok:x:41:
maildrop:!:1001:
postfix:!:51:
users:x:100:
vami:!:1002:root
nginx:!:108:
admin:!:1003:
vfabri
Configure NTP on VMware Appliances

For critical time sourcing, disable host time synchronization and use the Network Time Protocol (NTP) on VMware appliances. You must configure a trusted remote NTP server for time synchronization. The NTP server must be an authoritative time server or at least synchronized with an authoritative time server. The NTP daemon on VMware virtual appliances provides synchronized time services. NTP is disabled by default, so you need to configure it manually.
2 Modify your Apache2 configuration by editing the /etc/apache2/ssl-global.conf file.
3 Search for the line and add the SSLFIPS on directive below it.
4 To reset the Apache configuration, run the service apache2 restart command.

TLS for Data in Transit

As a security best practice, ensure that the system is deployed with secure transmission channels.
2 Disable TLS 1.0.
  a Navigate to the administrator user interface at url/admin.
  b Click Bring Offline.
  c To disable SSLv3 and TLS 1.0, run the following commands:
    sed -i "/^[^#]*cluster-ssl-protocol/ c\cluster-ssl-protocols=TLSv1.2 TLSv1.1" /usr/lib/vmware-vcops/user/conf/gemfire.properties
    sed -i "/^[^#]*cluster-ssl-protocol/ c\cluster-ssl-protocols=TLSv1.2 TLSv1.1" /usr/lib/vmware-vcops/user/conf/gemfire.native.properties
    sed -i "/^[^#]*cluster-ssl-protocol/ c\cluster-ssl-prot
Verify the Correct Use of Cipher Suites in Apache HTTPD

For maximum security, verify the correct use of cipher suites in Apache httpd.

Procedure
1 To verify the correct use of cipher suites in Apache httpd, run the following command from the command prompt:
  grep SSLCipherSuite /usr/lib/vmware-vcopssuite/utilities/conf/vcops-apache.conf | grep -v '#'
  c To configure the correct cipher suites, run the following commands:
    sed -i "/^[^#]*cluster-ssl-ciphers/ c\cluster-ssl-ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" /usr/lib/vmware-vcops/user/conf/gemfire.properties
    sed -i "/^[^#]*cluster-ssl-ciphers/ c\cluster-ssl-ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" /usr/lib/vmware-vcops/user/conf/gemfire.native.properties
    sed -i "/^[^#]*cluster-ssl-ciphers/ c\cluster-ssl-ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" /usr/lib/vmware-vcops/use
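The protocol and cipher steps above both rewrite a key in a GemFire .properties file with sed's "c\" command, which replaces every live line that matches "^[^#]*key" and leaves commented-out copies alone. The script below, an added example that is not from the VMware guide, implements the same edit with awk so it behaves identically on GNU and BSD tools, and covers one case the sed one-liner does not: when no live line for the key exists, sed changes nothing and the built-in default stays in force, whereas this version appends the key. The file it edits is a constructed sample, not the appliance's gemfire.properties.

```shell
#!/bin/sh
# Added example, not from the VMware guide: set a key in a Java-style .properties
# file the way the guide's sed one-liners do, plus the missing-key case.

# Replace the live (uncommented) "key=..." line with "key=value". The selection
# pattern "^[^#]*key=" follows the guide's sed address, so a line commented out
# with "#" is left untouched. Unlike "sed ... c\", the key is appended when no live
# line exists, and duplicate live lines collapse into one. Values are passed with
# awk -v, which interprets backslash escapes, so keep backslashes out of them.
set_property() {
    file=$1 key=$2 value=$3
    awk -v key="$key" -v value="$value" '
        $0 ~ ("^[^#]*" key "=") {
            if (!replaced) { print key "=" value; replaced = 1 }
            next
        }
        { print }
        END { if (!replaced) print key "=" value }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Print the live value of a key; prints nothing if only a commented copy exists.
get_property() {
    awk -v key="$2" '
        $0 ~ ("^[^#]*" key "=") { sub(/^[^=]*=/, ""); print; exit }
    ' "$1"
}

# Constructed sample mirroring the keys the guide edits. The cipher key is
# deliberately absent to show the append behaviour.
GEMFIRE_SAMPLE=$(mktemp)
cat > "$GEMFIRE_SAMPLE" <<'EOF'
# cluster-ssl-protocols=any
cluster-ssl-protocols=any
cluster-ssl-require-authentication=true
EOF

set_property "$GEMFIRE_SAMPLE" cluster-ssl-protocols "TLSv1.2 TLSv1.1"
set_property "$GEMFIRE_SAMPLE" cluster-ssl-ciphers TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
cat "$GEMFIRE_SAMPLE"
```

After the two calls the commented first line is unchanged, the live protocol line now reads cluster-ssl-protocols=TLSv1.2 TLSv1.1, and a cluster-ssl-ciphers line has been appended. Reading the value back with get_property is the check to run after the procedure, since a sed command that matched nothing exits 0 and gives no indication that the file is unchanged.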
  475333 48 -rwsr-x--- 1 root messagebus 47912 /lib64/dbus-1/dbus-daemon-launch-helper
   41001 36 -rwsr-xr-x 1 root shadow     35688 /sbin/unix_chkpwd
   41118 12 -rwsr-xr-x 1 root shadow     10736 /sbin/unix2_chkpwd
2 Run the find / -path */proc -prune -o -nouser -o -nogroup command to verify that all the files in the vApp have an owner. All the files have an owner if there are no results.
3 Run the find / -name "*.
Apache Configuration

Disable Web Directory Browsing

As a security best practice, ensure that a user cannot browse through a directory, because directory browsing increases the risk of exposure to directory traversal attacks.

Procedure
- Verify that web directory browsing is disabled for all directories.
  a Open the /etc/apache2/default-server.conf and /usr/lib/vmware-vcopssuite/utilities/conf/vcops-apache.conf files in a text editor.
2 To disable the Trace method for the Apache2 server, run the following command:
  sed -i "/^[^#]*TraceEnable/ c\TraceEnable off" /usr/lib/vmware-vcopssuite/utilities/conf/vcops-apache.conf

Disable Configuration Modes

As a best practice, when you install, configure, or maintain vRealize Operations Manager, you can modify the configuration or settings to enable troubleshooting and debugging of your installation.
Procedure
1 Open the /etc/modprobe.conf.local file in a text editor.
2 Ensure that the following line appears in this file:
  install sctp /bin/true
3 Save the file and close it.

Secure the Datagram Congestion Control Protocol

As part of your system hardening activities, prevent the Datagram Congestion Control Protocol (DCCP) module from loading on vRealize appliances by default. Potential attackers can exploit this protocol to compromise your system.
2 Ensure that the install tipc /bin/true line appears in this file.
3 Save the file and close it.

Secure Internet Packet Exchange Protocol

Prevent the Internetwork Packet Exchange (IPX) protocol from loading on vRealize appliances by default. Potential attackers could exploit this protocol to compromise your system. Avoid loading the IPX protocol module unless it is absolutely necessary. IPX is an obsolete network-layer protocol.
Procedure
1 Open the /etc/modprobe.conf.local file in a text editor.
2 Ensure that the line install ieee1394 /bin/true appears in this file.
3 Save the file and close it.

Kernel Message Logging

The kernel.printk specification in the /etc/sysctl.conf file specifies the kernel print logging specifications. There are 4 values specified:
- console loglevel. The lowest priority of messages printed to the console.
- default loglevel.
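The SCTP, DCCP, TIPC, IPX and IEEE 1394 procedures above all follow the same pattern: a live "install module /bin/true" line in /etc/modprobe.conf.local. The script below, an added example and not from the VMware guide, checks a modprobe configuration file for those five lines, prints the ones that are still missing, and appends them idempotently. The file it works on is a constructed sample, not the appliance file.

```shell
#!/bin/sh
# Added example, not from the VMware guide: check a modprobe configuration file
# for the "install <module> /bin/true" lines the procedures require, report the
# missing ones, and append them without duplicating lines that already exist.

# Modules the guide disables this way (SCTP, DCCP, TIPC, IPX, IEEE 1394).
HARDENED_MODULES="sctp dccp tipc ipx ieee1394"

# True when FILE has a live (uncommented) line "install MODULE /bin/true".
# "install mod /bin/true" is stronger than "blacklist mod": blacklist only stops
# automatic loading by alias, while the install override makes an explicit
# "modprobe mod" run /bin/true instead of loading the module.
module_disabled() {
    awk -v mod="$2" '
        /^[[:space:]]*#/ { next }
        $1 == "install" && $2 == mod && $3 == "/bin/true" { found = 1; exit }
        END { exit !found }
    ' "$1"
}

# Print one "install X /bin/true" line for each module in HARDENED_MODULES that
# FILE does not yet disable; prints nothing when the file is complete.
modprobe_missing() {
    for mod in $HARDENED_MODULES; do
        module_disabled "$1" "$mod" || echo "install $mod /bin/true"
    done
}

# Append the missing lines to FILE. A second run finds nothing to add.
modprobe_apply() {
    additions=$(modprobe_missing "$1")
    if [ -n "$additions" ]; then
        printf '%s\n' "$additions" >> "$1"
    fi
}

# Constructed sample: two protocols disabled, one only commented out.
MODPROBE_SAMPLE=$(mktemp)
cat > "$MODPROBE_SAMPLE" <<'EOF'
# constructed sample, not a real appliance file
install sctp /bin/true
#install dccp /bin/true
install tipc /bin/true
EOF

MISSING_BEFORE=$(modprobe_missing "$MODPROBE_SAMPLE")
echo "missing before:"; printf '%s\n' "$MISSING_BEFORE"
modprobe_apply "$MODPROBE_SAMPLE"
echo "missing after:"; modprobe_missing "$MODPROBE_SAMPLE"
```

The commented dccp line is reported as missing, which is the point of checking for live lines rather than grepping for the module name. A configuration line only prevents future loads; if a module is already loaded, lsmod still lists it until the appliance is rebooted or the module is unloaded.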
TLS for Data in Transit

As a security best practice, ensure that the system is deployed with secure transmission channels.

Configure Strong Protocols for vRealize Operations Manager

Protocols such as SSLv2 and SSLv3 are no longer considered secure. As a best security practice for transport layer protection, provide support for only the TLS protocols.
Disable Configuration Modes

As a best practice, when you install, configure, or maintain vRealize Operations Manager, you can modify the configuration or settings to enable troubleshooting and debugging of your installation. Catalog and audit each of the changes you make to ensure that they are properly secured. Do not put the changes into production if you are not sure that your configuration changes are correctly secured.
Linux Based Platform Files and Permissions

After you install the Endpoint Operations Management agent, the owner is the user that installs the agent. The installation directory and file permissions, such as 600 and 700, are set for the owner when the user who installs the Endpoint Operations Management agent extracts the TAR file or installs the RPM.

Note: When you extract the ZIP file, the permissions might not be correctly applied.
Windows Based Platform Files and Permissions

For a Windows based installation of the Endpoint Operations Management agent, the user installing the agent must have permissions to install and modify the service. After you install the Endpoint Operations Management agent, the installation folder including all subdirectories and files should only be accessible by the SYSTEM account, the administrators group, and the installation user.
Table 3‑2.
Removing the Agent Resource

You can use vRealize Operations Manager to revoke the agent certificate by removing the agent resource.

Prerequisites
To preserve the continuity of the resource with previously recorded metric data, take a record of the Endpoint Operations Management agent token that is displayed in the resource details.

Procedure
1 Navigate to the Inventory Explorer in the vRealize Operations Manager user interface.
2 Open the Adapter Types tree.
Agent Certificate Revocation and Update of Certificates

The reissue flow is initiated from the agent using the setup command line argument. When an agent that is already registered uses the setup command line argument (ep-agent.sh setup) and fills in the required credentials, a new registerAgent command is sent to the server.
Disabling Unnecessary Ports and Services

Verify the host server's firewall for the list of open ports that allow traffic. Block all the ports that are not listed as a minimum requirement for vRealize Operations Manager in the "Configuring Ports and Protocols," on page 49 section of this document, or are not required. In addition, audit the services running on your host server and disable those that are not required.
Chapter 4 Network Security and Secure Communication

As a security best practice, review and edit the network communication settings of your VMware virtual appliances and host machines. You must also configure the minimum incoming and outgoing ports for vRealize Operations Manager.
2 Set the queue size for TCP backlog.
  a Open the /etc/sysctl.conf file in a text editor.
  b Set the default TCP backlog queue size by adding the following entry to the file:
    net.ipv4.tcp_max_syn_backlog=1280
  c Save your changes and close the file.

Deny ICMPv4 Echoes to Broadcast Address

Responses to broadcast Internet Control Message Protocol (ICMP) echoes provide an attack vector for amplification attacks and can facilitate network mapping by malicious agents.
2 Configure the host system to ignore IPv4 ICMP redirect messages.
  a Open the /etc/sysctl.conf file.
  b If the values are not set to 0, add the following entries to the file or update the existing entries accordingly. Set the value to 0.
    net.ipv4.conf.all.accept_redirects=0
    net.ipv4.conf.default.accept_redirects=0
  c Save the changes and close the file.
Configure the Host System to Log IPv4 Martian Packets

As a security best practice, verify that the host system logs IPv4 Martian packets. Martian packets contain addresses that the system knows to be invalid. Configure the host system to log the messages so that you can identify misconfigurations or attacks in progress.

Procedure
1 To check whether the host logs IPv4 Martian packets, run the following command:
  # grep [01] /proc/sys/net/ipv4/conf/*/log_martians|egrep "default|all"
2 Configure the host system to deny IPv4 forwarding.
  a Open the /etc/sysctl.conf file to configure the host system.
  b If the value is not set to 0, add the following entry to the file or update the existing entry accordingly. Set the value to 0.
    net.ipv4.ip_forward=0
  c Save the changes and close the file.
Configure the Host System to Use IPv4 TCP Syncookies

As a security best practice, verify that the host system uses IPv4 Transmission Control Protocol (TCP) Syncookies. A TCP SYN flood attack might cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies are used so as not to track a connection until a subsequent ACK is received, verifying that the initiator is attempting a valid connection and is not a flood source.
Configure the Host System to Deny IPv6 Router Solicitations

As a security best practice, verify that the host system denies IPv6 router solicitations unless necessary. The router solicitations setting determines how many router solicitations are sent when bringing up the interface. If addresses are assigned statically, there is no need to send any solicitations.
2 Configure the host system to deny IPv6 router prefix.
  a Open the /etc/sysctl.conf file.
  b If the values are not set to 0, add the following entries to the file or update the existing entries accordingly. Set the value to 0.
    net.ipv6.conf.all.accept_ra_pinfo=0
    net.ipv6.conf.default.accept_ra_pinfo=0
  c Save the changes and close the file.
Configure the Host System to Deny IPv6 Neighbor Solicitations

As a security best practice, verify that the host system denies IPv6 neighbor solicitations unless necessary. The dad_transmits setting determines how many neighbor solicitations are to be sent out per address, including global and link-local, when you bring up an interface to ensure the desired address is unique on the network.
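Every procedure in this chapter ends the same way: a key=value line in /etc/sysctl.conf. The script below, an added example and not from the VMware guide, audits a sysctl.conf-style file against those settings in one pass. The values are the ones the chapter states; for the SYN-cookie, broadcast-echo, router-solicitation and DAD settings, which the chapter describes without spelling out the parameter name, the standard Linux names are used and are an assumption on my part. It honours sysctl's own file rules (spaces around "=", "#" or ";" comments, last occurrence wins), and the two files it reads are constructed samples. It checks the file, not the running kernel; the chapter's grep over /proc/sys is the way to check the latter.

```shell
#!/bin/sh
# Added example, not from the VMware guide: audit a sysctl.conf-style file
# against the kernel parameters set in this chapter's procedures.

# Parameter / expected value pairs. Values come from the guide; the parameter
# names for syncookies, broadcast echo, router solicitations and DAD are the
# standard Linux sysctl names (assumed, the guide does not print them).
SYSCTL_EXPECTED='net.ipv4.tcp_max_syn_backlog 1280
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.all.log_martians 1
net.ipv4.conf.default.log_martians 1
net.ipv4.ip_forward 0
net.ipv4.tcp_syncookies 1
net.ipv6.conf.all.router_solicitations 0
net.ipv6.conf.all.accept_ra_pinfo 0
net.ipv6.conf.default.accept_ra_pinfo 0
net.ipv6.conf.all.dad_transmits 0'

# Effective value of one parameter. sysctl.conf accepts "key = value" with
# optional spaces and "#" or ";" comments, and applies lines in order, so when a
# key appears twice the last value wins; the audit mirrors that.
sysctl_effective_value() {
    awk -F= -v key="$2" '
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
        {
            k = $1; v = $2
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) { last = v; seen = 1 }
        }
        END { if (seen) print last }
    ' "$1"
}

# One OK or FAIL line per parameter; returns the number of failures (0 = pass).
sysctl_audit() {
    failures=0
    while read -r key expected; do
        actual=$(sysctl_effective_value "$1" "$key")
        if [ "$actual" = "$expected" ]; then
            echo "OK   $key=$actual"
        else
            echo "FAIL $key: found '${actual:-<unset>}', expected '$expected'"
            failures=$((failures + 1))
        fi
    done <<EOF
$SYSCTL_EXPECTED
EOF
    return "$failures"
}

# Constructed samples, not real appliance files.
SYSCTL_GOOD=$(mktemp)
cat > "$SYSCTL_GOOD" <<'EOF'
# constructed hardened sample; spacing varies on purpose
net.ipv4.tcp_max_syn_backlog = 1280
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.router_solicitations = 0
net.ipv6.conf.all.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.all.dad_transmits = 0
EOF

SYSCTL_BAD=$(mktemp)
cat > "$SYSCTL_BAD" <<'EOF'
; constructed drifted sample: a later line overrides an earlier one
net.ipv4.ip_forward = 0
net.ipv4.ip_forward = 1
#net.ipv4.conf.all.log_martians = 1
net.ipv4.tcp_syncookies = 1
EOF

sysctl_audit "$SYSCTL_GOOD" && echo "baseline OK: $SYSCTL_GOOD"
sysctl_audit "$SYSCTL_BAD" || echo "deviations found in $SYSCTL_BAD"
```

The drifted sample shows the two mistakes the audit is designed to catch: a hardened line that a later duplicate silently overrides, and a line that was commented out rather than set. On a node, point the script at /etc/sysctl.conf and compare the result with the chapter's /proc/sys checks, since a file that passes only takes effect after sysctl -p or a reboot.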
Minimum Default Incoming Ports

As a security best practice, configure the incoming ports required for vRealize Operations Manager to operate in production.

Table 4‑1. Minimum Required Incoming Ports
Port  Protocol  Comments
443   TCP       Used to access the vRealize Operations Manager user interface and the vRealize Operations Manager administrator interface.
123   UDP       Used by vRealize Operations Manager for Network Time Protocol (NTP) synchronization to the master node.
Chapter 5 Auditing and Logging on your vRealize Operations Manager System

As a security best practice, set up auditing and logging on your vRealize Operations Manager system. The detailed implementation of auditing and logging is outside the scope of this document. Remote logging to a central log host provides a secure store for logs. By collecting log files to a central host, you can easily monitor the environment with a single tool.
Index
A
administrative accounts 15
agent certificate revocation 39
apache configuration 28
Apache httpd 23
application resources, protect 26
auditing 51
authorized NTP server 51
B
best practices, End Point Operations Management agents 34
Bluetooth protocol handler 29
boot loader authentication 19
browser considerations 51
C
cipher suites in GemFire 25
cipher suites in Apache httpd 25
client configuration, secure shell 18
configuration, PostgreSQL client authentication 27
configuration modes, disable 29,
K
kernel message logging 32
L
Linux installed deployment 32
local administrative account, creating 16
logging 51
M
maintenance mode authentication 20
managing nonessential software 29
minimal necessary groups 20
minimal user accounts 20
minimum incoming ports 50
minimum permissions, agent functionality 34
monitor minimal necessary groups 20
monitor minimal user accounts 20
N
network settings 41
network time protocol 32
O
open ports on agent host 37
OVF, network settings 41
P
passw
W
weak ciphers, configure 33