Secure Configuration vRealize Operations Manager 6.
Secure Configuration

You can find the most up-to-date technical documentation on the VMware Web site at: https://docs.vmware.com/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com
Copyright © 2017 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com
2 VMware, Inc.
Contents

Secure Configuration 5
1 vRealize Operations Manager Security Posture 7
2 Secure Deployment of vRealize Operations Manager 9
  Verify the Integrity of Installation Media 9
  Hardening the Deployed Software Infrastructure 9
  Reviewing Installed and Unsupported Software 10
  VMware Security Advisories and Patches 10
3 Secure Configuration of vRealize Operations Manager 11
  Secure the vRealize Operations Manager Console 12
  Change the Root Password 12
  Managing Secure Shell, Administrative Accounts, and Co
Secure Configuration

The documentation for Secure Configuration is intended to serve as a secure baseline for the deployment of vRealize Operations Manager. Refer to this document when you are using system-monitoring tools to ensure that the secure baseline configuration is monitored and maintained for any unexpected changes on an ongoing basis. Hardening activities that are not already set by default can be carried out manually.
1 vRealize Operations Manager Security Posture

The security posture of vRealize Operations Manager assumes a complete secure environment based on system and network configuration, organizational security policies, and best practices. It is important that you perform the hardening activities according to your organization's security policies and best practices.
2 Secure Deployment of vRealize Operations Manager

You must verify the integrity of the installation media before you install the product to ensure the authenticity of the downloaded files.
Hardening the VMware vSphere Environment

vRealize Operations Manager relies on a secure VMware vSphere environment to achieve the greatest benefits and a secured infrastructure. Assess the VMware vSphere environment and verify that the appropriate level of vSphere hardening guidance is enforced and maintained. For more guidance about hardening, see http://www.vmware.com/security/hardening-guides.html.
3 Secure Configuration of vRealize Operations Manager

As a security best practice, you must secure the vRealize Operations Manager console and manage Secure Shell (SSH), administrative accounts, and console access. Ensure that your system is deployed with secure transmission channels. You must also follow certain security best practices for running End Point Operations Management agents.
Secure the vRealize Operations Manager Console

After you install vRealize Operations Manager, you must log in for the first time and secure the console of each node in the cluster.

Prerequisites
Install vRealize Operations Manager.

Procedure
1 Locate the node console in vCenter or by direct access. In vCenter, press Alt+F1 to access the login prompt. For security reasons, vRealize Operations Manager remote terminal sessions are disabled by default.
2 Log in as root.
Manage Password Expiry

Configure all account password expirations in accordance with your organization's security policies. By default, all hardened VMware appliances use a 60-day password expiry. On most hardened appliances, the root account is set to a 365-day password expiry. As a best practice, verify that the expiry on all accounts meets security and operation requirements standards. If the root password expires, you cannot reinstate it.
Enable or Disable Secure Shell on a vRealize Operations Manager Node

You can enable Secure Shell (SSH) on a vRealize Operations Manager node for troubleshooting. For example, to troubleshoot a server, you might require console access to the server, which you obtain through SSH. Disable SSH on a vRealize Operations Manager node for normal operation.

Procedure
1 Access the console of the vRealize Operations Manager node from vCenter.
2 Press Alt+F1 to access the login prompt, then log in.
Restrict Secure Shell Access

As part of your system hardening process, restrict Secure Shell (SSH) access by configuring the tcp_wrappers package appropriately on all VMware virtual appliance host machines. Also maintain the required SSH key file permissions on these appliances. All VMware virtual appliances include the tcp_wrappers package to allow tcp-supported daemons to control the network subnets that can access the libwrapped daemons.
Procedure
1
2 Open the /etc/ssh/sshd_config server configuration file and verify that the settings are correct.

Setting                  Status
Server Daemon Protocol   Protocol 2
Ciphers                  Ciphers aes256-ctr,aes128-ctr
TCP Forwarding           AllowTCPForwarding no
Server Gateway Ports     GatewayPorts no
X11 Forwarding           X11Forwarding no
SSH Service              Use the AllowGroups field to specify a group permitted to access the service, and add the users permitted to use the service as members of that secondary group.
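The following Python script is an added example, not part of the VMware guide: it audits an sshd_config body against the table above and follows sshd's own rule that the first occurrence of a keyword wins, so a hardened line appended below an earlier permissive one is reported rather than trusted. The sample files and the group name sshusers are constructed.

```python
"""Audit an sshd_config against the hardening settings in the table above.

Added example (not VMware's code). Mirrors sshd parsing: keywords are
case-insensitive, '#' starts a comment, 'Key value' and 'Key=value' are both
accepted, and for a repeated keyword the FIRST occurrence is the one sshd uses.
"""
import re

# Required values from the table (keyword, lower-cased -> expected value)
BASELINE = {
    "protocol": "2",
    "ciphers": "aes256-ctr,aes128-ctr",
    "allowtcpforwarding": "no",
    "gatewayports": "no",
    "x11forwarding": "no",
}

def parse_sshd_config(text):
    """Return {keyword_lower: first_value}, first occurrence wins."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$", line)
        if not m:
            continue
        seen.setdefault(m.group(1).lower(), m.group(2).strip())
    return seen

def audit_sshd_config(text):
    """Return a list of findings; an empty list means the baseline is met."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, want in BASELINE.items():
        got = cfg.get(key)
        if got is None:
            findings.append(f"{key}: not set (sshd default applies)")
        elif got.lower() != want.lower():
            findings.append(f"{key}: is '{got}', expected '{want}'")
    if "allowgroups" not in cfg:  # the guide restricts logins to one group
        findings.append("allowgroups: not set; any local account may log in")
    return findings

# Constructed sample: hardened lines appended under an earlier permissive one.
SAMPLE_WEAK = """\
Protocol 2
X11Forwarding yes        # set by the distribution template
Ciphers aes256-ctr,aes128-ctr
AllowTCPForwarding no
GatewayPorts no
X11Forwarding no         # appended later; ignored by sshd (first wins)
"""
SAMPLE_HARDENED = (SAMPLE_WEAK.replace("X11Forwarding yes", "X11Forwarding no")
                   + "AllowGroups sshusers\n")

if __name__ == "__main__":
    for name, body in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_sshd_config(body) or "OK")
```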
Disable Direct Logins as Root

By default, the hardened appliances allow you to use the console to log in directly as root. As a security best practice, you can disable direct logins after you create an administrative account for nonrepudiation and test it for wheel access by using the su - root command.

Prerequisites
- Complete the steps in the topic called "Create a Local Administrative Account for Secure Shell," on page 14.
Single-User or Maintenance Mode Authentication

If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system.

Procedure
- Review the /etc/inittab file and ensure that the following two lines appear:
  ls:S:wait:/etc/init.d/rc S
  ~~:S:respawn:/sbin/sulogin
Configure NTP on VMware Appliances

For critical time sourcing, disable host time synchronization and use the Network Time Protocol (NTP) on VMware appliances. You must configure a trusted remote NTP server for time synchronization. The NTP server must be an authoritative time server or at least synchronized with an authoritative time server. The NTP daemon on VMware virtual appliances provides synchronized time services. NTP is disabled by default, so you need to configure it manually.
2 Modify your Apache2 configuration by editing the /etc/apache2/ssl-global.conf file.
3 Search for the line and add the SSLFIPS on directive below it.
4 To reset the Apache configuration, run the service apache2 restart command.

TLS for Data in Transit

As a security best practice, ensure that the system is deployed with secure transmission channels.
2 Disable TLS 1.0.
  a Navigate to the administrator user interface at url/admin.
  b Click Bring Offline.
  c To disable SSLv3 and TLS 1.0, run the following commands:
    sed -i "/^[^#]*cluster-ssl-protocol/ c\cluster-ssl-protocols=TLSv1.2 TLSv1.1" /usr/lib/vmware-vcops/user/conf/gemfire.properties
    sed -i "/^[^#]*cluster-ssl-protocol/ c\cluster-ssl-protocols=TLSv1.2 TLSv1.1" /usr/lib/vmware-vcops/user/conf/gemfire.native.properties
    sed -i "/^[^#]*cluster-ssl-protocol/ c\cluster-ssl-prot
Verify the Correct Use of Cipher Suites in Apache HTTPD

For maximum security, verify the correct use of cipher suites in Apache httpd.

Procedure
1 To verify the correct use of cipher suites in Apache httpd, run the following command from the command prompt:
  grep SSLCipherSuite /usr/lib/vmware-vcopssuite/utilities/conf/vcops-apache.conf | grep -v '#'
  c To configure the correct cipher suites, run the following commands:
    sed -i "/^[^#]*cluster-ssl-ciphers/ c\cluster-ssl-ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" /usr/lib/vmware-vcops/user/conf/gemfire.properties
    sed -i "/^[^#]*cluster-ssl-ciphers/ c\cluster-ssl-ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" /usr/lib/vmware-vcops/user/conf/gemfire.native.properties
    sed -i "/^[^#]*cluster-ssl-ciphers/ c\cluster-ssl-ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" /usr/lib/vmware-vcops/use
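The following Python code is an added example, not VMware's code: it performs the same edit as the sed commands in the TLS 1.0 procedure (step 2c) and in the cipher suite step c above on a constructed gemfire.properties body, then checks that neither SSLv3, TLS 1.0 nor any cipher other than the required suite remains. Treating 'any' as the GemFire default for the protocol and cipher settings is an assumption.

```python
"""Apply the chapter's GemFire TLS edits in Python and verify the result.

Added example (not VMware's code). replace_line() mimics the sed form used
above, sed -i "/^[^#]*KEY/ c\\KEY=VALUE" FILE: every line in which KEY appears
before any '#' is replaced. Unlike sed, it appends the line when nothing
matches, so a setting that is absent (and thus at its default) is not left alone.
"""
import re

REQUIRED_PROTOCOLS = "TLSv1.2 TLSv1.1"
REQUIRED_CIPHERS = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

def replace_line(text, key, new_line):
    """Replace each line matching /^[^#]*key/ with new_line; append if none match."""
    pattern = re.compile(r"^[^#]*" + re.escape(key))
    out, matched = [], False
    for line in text.splitlines():
        if pattern.match(line):
            out.append(new_line)
            matched = True
        else:
            out.append(line)
    if not matched:
        out.append(new_line)
    return "\n".join(out) + "\n"

def harden_gemfire(text):
    """The two edits from the procedure: protocols first, then ciphers."""
    text = replace_line(text, "cluster-ssl-protocol",
                        "cluster-ssl-protocols=" + REQUIRED_PROTOCOLS)
    return replace_line(text, "cluster-ssl-ciphers",
                        "cluster-ssl-ciphers=" + REQUIRED_CIPHERS)

def parse_properties(text):
    """Minimal key=value parser; lines starting with '#' are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_tls_policy(text):
    """Return findings where SSLv3, TLS 1.0 or a weak cipher is still allowed."""
    props = parse_properties(text)
    findings = []
    protocols = props.get("cluster-ssl-protocols", "any").split()  # 'any': assumed default
    for bad in ("any", "SSLv3", "TLSv1"):
        if bad in protocols:
            findings.append(f"protocol {bad} is still allowed")
    ciphers = props.get("cluster-ssl-ciphers", "any").split()      # 'any': assumed default
    if ciphers != [REQUIRED_CIPHERS]:
        findings.append("ciphers are " + " ".join(ciphers))
    return findings

# Constructed sample: protocols left at 'any'; the cipher line is commented out,
# which the sed address /^[^#]*.../ deliberately does not match.
SAMPLE = """\
cluster-ssl-enabled=true
cluster-ssl-protocols=any
# cluster-ssl-ciphers=any
"""
```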
4 Run the chmod 600 /storage/db/vcops/vpostgres/data/server.crt command.
5 Run the chown postgres /storage/db/vcops/vpostgres/data/server.key and chown postgres /storage/db/vcops/vpostgres/data/server.crt commands to change the ownership of the server.crt and server.key files from root to postgres.

Enable TLS on PostgreSQL

You must edit the postgresql.conf file to enable TLS on localhost connections to PostgreSQL.
  (Sample output listing the appliance's setuid binaries: /lib64/dbus-1/dbus-daemon-launch-helper, /sbin/unix_chkpwd, and /sbin/unix2_chkpwd.)
2 Run the find / -path '*/proc' -prune -o -nouser -o -nogroup -print command to verify that all the files in the vApp have an owner. All the files have an owner if there are no results.
3 Run the find / -name "*.
Apache Configuration

Disable Web Directory Browsing

As a security best practice, ensure that a user cannot browse through a directory, because directory browsing increases the risk of exposure to directory traversal attacks.

Procedure
- Verify that web directory browsing is disabled for all directories.
  a Open the /etc/apache2/default-server.conf and /usr/lib/vmware-vcopssuite/utilities/conf/vcops-apache.conf files in a text editor.
2 To disable the Trace method for the Apache2 server, run the following command:
  sed -i "/^[^#]*TraceEnable/ c\TraceEnable off" /usr/lib/vmware-vcopssuite/utilities/conf/vcops-apache.conf

Disable Configuration Modes

As a best practice, when you install, configure, or maintain vRealize Operations Manager, you can modify the configuration or settings to enable troubleshooting and debugging of your installation.
Procedure
1 Open the /etc/modprobe.conf.local file in a text editor.
2 Ensure that the following line appears in this file:
  install sctp /bin/true
3 Save the file and close it.

Secure the Datagram Congestion Control Protocol

As part of your system hardening activities, prevent the Datagram Congestion Control Protocol (DCCP) module from loading on vRealize appliances by default.
2 Ensure that the install tipc /bin/true line appears in this file.
3 Save the file and close it.

Secure Internet Packet Exchange Protocol

Prevent the Internetwork Packet Exchange (IPX) protocol module from loading on vRealize appliances by default. Potential attackers could exploit this protocol to compromise your system. IPX is an obsolete network-layer protocol; avoid loading its module unless it is absolutely necessary.
Procedure
1 Open the /etc/modprobe.conf.local file in a text editor.
2 Ensure that the line install ieee1394 /bin/true appears in this file.
3 Save the file and close it.

Kernel Message Logging

The kernel.printk entry in the /etc/sysctl.conf file specifies the kernel print logging levels. There are four values specified:
- console loglevel. The lowest priority of messages printed to the console.
- default loglevel.
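As an added example (not from the guide), this Python checker reads a modprobe.conf.local body and reports which of the modules named in the SCTP, DCCP, TIPC, IPX and IEEE 1394 procedures are still loadable; the sample file is constructed, and the dccp and ipx module names are assumptions.

```python
"""Verify that modprobe.conf.local disables the protocol modules this chapter names.

Added example (not VMware's code). Only an 'install <module> /bin/true' line
stops the module from being loaded by name; a bare 'blacklist <module>' line
only prevents automatic loading by alias, so the checker reports it as
insufficient. The dccp and ipx module names are assumed.
"""
REQUIRED_MODULES = ("sctp", "dccp", "tipc", "ipx", "ieee1394")

def parse_modprobe_conf(text):
    """Return ({module: install command}, {blacklisted modules})."""
    installs, blacklisted = {}, set()
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()   # '#' starts a comment
        if len(parts) >= 3 and parts[0] == "install":
            installs[parts[1]] = " ".join(parts[2:])
        elif len(parts) == 2 and parts[0] == "blacklist":
            blacklisted.add(parts[1])
    return installs, blacklisted

def audit_modprobe_conf(text):
    """Return one finding per required module that is not fully disabled."""
    installs, blacklisted = parse_modprobe_conf(text)
    findings = []
    for mod in REQUIRED_MODULES:
        cmd = installs.get(mod)
        if cmd == "/bin/true":
            continue  # loading by name runs a no-op instead of the module
        if cmd is not None:
            findings.append(f"{mod}: install command is '{cmd}', expected /bin/true")
        elif mod in blacklisted:
            findings.append(f"{mod}: blacklisted only; 'modprobe {mod}' still loads it")
        else:
            findings.append(f"{mod}: not disabled")
    return findings

# Constructed sample: two modules handled correctly, one only blacklisted, one missing.
SAMPLE = """\
# constructed /etc/modprobe.conf.local
install sctp /bin/true
install tipc /bin/true   # trailing comment
blacklist dccp
install ieee1394 /bin/true
"""

if __name__ == "__main__":
    print(audit_modprobe_conf(SAMPLE) or "all required modules disabled")
```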
- Disable the vRealize Operations Manager user account that you use for agent registration after the installation is over. You must enable the user's access for agent administration activities. For more information, see the topic called Configuring Users and Groups in vRealize Operations Manager in the vRealize Operations Manager Help.
Table 3‑1. Linux Files and Permissions (Continued)
Directory or File
agent directory/bin/epagent.
Table 3‑2. Windows Files and Permissions (Continued)
Directory or File Groups or Users Full Control Modify Read and Execute Read Write
Administrator Yes - - - - Installation User Yes - - - - - - - - Users
/bin/hqagent.bat SYSTEM Yes - - - - Administrator Yes - - - - Installation User Yes - - - - - - - - Users
/bin/hqagent.
Open Ports on Agent Host

The agent process listens for commands on two ports, 127.0.0.1:2144 and 127.0.0.1:32000, that are configurable. These ports might be arbitrarily assigned, and so the exact port number might vary. The agent does not open ports on external interfaces.

Table 3‑3. Minimum Required Ports
Port  Protocol  Direction  Comments
443   TCP       Outgoing   Used by the agent for outgoing connections over HTTP, TCP, or ICMP.
Reinstate an Agent Resource

When the secure state of a system is recovered, you can reinstate a revoked agent. This ensures that the agent continues to report on the same resources without losing historical data. To do this, you must create a new End Point Operations Management token file by using the same token recorded before you removed the agent resource. See the section called Removing The Agent Resource.
Patching and Updating the End Point Operations Management Agent

If required, new End Point Operations Management agent bundles are available independent of vRealize Operations Manager releases. Patches or updates are not provided for the End Point Operations Management agent. You must install the latest available version of the agent that includes the latest security fixes.
4 Network Security and Secure Communication

As a security best practice, review and edit the network communication settings of your VMware virtual appliances and host machines. You must also configure the minimum incoming and outgoing ports for vRealize Operations Manager.
2 Set the queue size for the TCP backlog.
  a Open the /etc/sysctl.conf file in a text editor.
  b Set the default TCP backlog queue size by adding the following entry to the file:
    net.ipv4.tcp_max_syn_backlog=1280
  c Save your changes and close the file.

Deny ICMPv4 Echoes to Broadcast Address

Responses to broadcast Internet Control Message Protocol (ICMP) echoes provide an attack vector for amplification attacks and can facilitate network mapping by malicious agents.
2 Configure the host system to ignore IPv4 ICMP redirect messages.
  a Open the /etc/sysctl.conf file.
  b If the values are not set to 0, add the following entries to the file or update the existing entries accordingly. Set the value to 0.
    net.ipv4.conf.all.accept_redirects=0
    net.ipv4.conf.default.accept_redirects=0
  c Save the changes and close the file.
Configure the Host System to Log IPv4 Martian Packets

As a security best practice, verify that the host system logs IPv4 Martian packets. Martian packets contain addresses that the system knows to be invalid. Configure the host system to log the messages so that you can identify misconfigurations or attacks in progress.

Procedure
1 To check whether the host logs IPv4 Martian packets, run the following command:
  grep [01] /proc/sys/net/ipv4/conf/*/log_martians | egrep "default|all"
2 Configure the host system to deny IPv4 forwarding.
  a Open the /etc/sysctl.conf file to configure the host system.
  b If the value is not set to 0, add the following entry to the file or update the existing entry accordingly. Set the value to 0.
    net.ipv4.ip_forward=0
  c Save the changes and close the file.
Configure the Host System to Use IPv4 TCP Syncookies

As a security best practice, verify that the host system uses IPv4 Transmission Control Protocol (TCP) Syncookies. A TCP SYN flood attack might cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. With Syncookies, the system does not track a connection until it receives the subsequent ACK, which verifies that the initiator is attempting a valid connection and is not a flood source.
Configure the Host System to Deny IPv6 Router Solicitations

As a security best practice, verify that the host system denies IPv6 router solicitations unless they are necessary. The router solicitations setting determines how many router solicitations are sent when bringing up the interface. If addresses are assigned statically, there is no need to send any solicitations.
2 Configure the host system to deny IPv6 router prefix.
  a Open the /etc/sysctl.conf file.
  b If the values are not set to 0, add the following entries to the file or update the existing entries accordingly. Set the value to 0.
    net.ipv6.conf.all.accept_ra_pinfo=0
    net.ipv6.conf.default.accept_ra_pinfo=0
  c Save the changes and close the file.
Configure the Host System to Deny IPv6 Neighbor Solicitations

As a security best practice, verify that the host system denies IPv6 neighbor solicitations unless they are necessary. The dad_transmits setting determines how many neighbor solicitations are sent out per address, including global and link-local addresses, when you bring up an interface, to ensure that the desired address is unique on the network.
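The Python audit below is an added example, not from the guide: it checks a sysctl.conf body against the values this chapter requires and produces the entries to append. The sysctl key names for settings the text only describes by name (broadcast echoes, Martian logging, Syncookies, router solicitations, dad_transmits) are assumptions, and the sample file is constructed.

```python
"""Audit /etc/sysctl.conf against the network hardening values in this chapter.

Added example (not VMware's code). Keys marked 'assumed' are the kernel names
for settings the chapter describes only by name. Parsing follows sysctl: '#' or
';' starts a comment, entries are 'key = value', and for a repeated key the LAST
line wins because sysctl applies entries in file order.
"""
BASELINE = {
    "net.ipv4.tcp_max_syn_backlog": "1280",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",       # assumed key (broadcast echoes)
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.default.accept_redirects": "0",
    "net.ipv4.conf.all.log_martians": "1",             # assumed key (Martian logging)
    "net.ipv4.conf.default.log_martians": "1",
    "net.ipv4.ip_forward": "0",
    "net.ipv4.tcp_syncookies": "1",                    # assumed key (Syncookies)
    "net.ipv6.conf.all.router_solicitations": "0",     # assumed key
    "net.ipv6.conf.default.router_solicitations": "0",
    "net.ipv6.conf.all.accept_ra_pinfo": "0",
    "net.ipv6.conf.default.accept_ra_pinfo": "0",
    "net.ipv6.conf.all.dad_transmits": "0",            # assumed key (dad_transmits)
    "net.ipv6.conf.default.dad_transmits": "0",
}

def parse_sysctl(text):
    """Return {key: value}; a repeated key keeps its last value."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue  # blank, comment, or malformed (sysctl -p warns and skips it)
        key, value = (part.strip() for part in line.split("=", 1))
        values[key] = value
    return values

def audit_sysctl(text):
    """Return (findings, lines_to_append) for a sysctl.conf body."""
    current = parse_sysctl(text)
    findings, fix = [], []
    for key, want in BASELINE.items():
        got = current.get(key)
        if got != want:
            state = "missing" if got is None else "is " + got
            findings.append(f"{key} {state}, expected {want}")
            fix.append(f"{key}={want}")
    return findings, fix

def remediate(text):
    """Append the corrective entries; being last in the file, they take effect."""
    fix = audit_sysctl(text)[1]
    if not fix:
        return text
    return text.rstrip("\n") + "\n# hardening baseline\n" + "\n".join(fix) + "\n"

# Constructed sample: forwarding enabled, one redirect setting already correct.
SAMPLE = """\
# /etc/sysctl.conf (constructed)
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.tcp_syncookies=1
"""
```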
Minimum Default Incoming Ports

As a security best practice, configure the incoming ports required for vRealize Operations Manager to operate in production.

Table 4‑1. Minimum Required Incoming Ports
Port  Protocol  Comments
443   TCP       Used to access the vRealize Operations Manager user interface and the vRealize Operations Manager administrator interface.
123   UDP       Used by vRealize Operations Manager for Network Time Protocol (NTP) synchronization to the master node.
5 Auditing and Logging on your vRealize Operations Manager System

As a security best practice, set up auditing and logging on your vRealize Operations Manager system. The detailed implementation of auditing and logging is outside the scope of this document. Remote logging to a central log host provides a secure store for logs. By collecting log files to a central host, you can easily monitor the environment with a single tool.