vrealize-automation-62-hardening

Recommendations

Info

VMware vRealize Automation 6.2 Hardening GuideTo enable or disable SSH on the vRealize Appliance, go to the Web Management Console and click the Admin tab.SSH root UserDo not allow SSH as root. Because appliances do not include default user accounts, the root account will still be able todirectly log in by using SSH. To meet the compliance standards for non-repudiation, the SSH server on all hardenedappliances comes preconfigured with the AllowGroups wheel entry to restrict SSH access to the secondary groupwheel.For separation of duties, the AllowGroups wheel entry can be modified in /etc/ssh/sshd_config to useanother group such as sshd. The wheel group is enabled with the pam_wheel module for su access, so members of thewheel group are allowed to su-root, where the root password is required. Group separation provides a method for usersto SSH to the appliance, but not to su to root. Do not remove or modify other entries in the AllowGroups field, whichensures proper appliance functionality. After making a change, you must restart the SSH daemon by running thecommand: # service sshd restart.Create Local Administrative Account For SSHBefore you remove the root SSH access, you must create local administrative accounts that can be used as ssh, aremembers of the secondary wheel group, or both.Log in as root and run the following commands:# useradd -d /home/vcacuser -g users -G wheel –m# passwd usernameWhere: wheel is the group specified in AllowGroups for ssh access. To add multiple secondary groups, use –Gwheel,sshd.The vRealize Hardening Tool supports the creation of this user by using the “Linux Admin User” option, but youmust manually set the password.Switch to the user and provide a new password so that password complexity checking is enforced.# su – usernameusername@hostname:~>passwdIf the password complexity is met, the password change is successful. If the password complexity is not met, thepassword reverts to the original password. Rerun the command to set a compliant password for the user.After login accounts to allow SSH remote access and wheel access (su-root) are created, the root account can beremoved from SSH direct login.Before disabling direct root access, test that authorized administrators can access SSH by using AllowGroups, and testthat they can su to root by using the wheel group.Remove direct login to SSH.Modify the /etc/ssh/sshd_config file and make the following replacements:• Replace (#)PermitRootLogin yes with PermitRootLogin noEnter # service sshd restart to restart the sshd service.Alternatively, you can enable or disable ssh by performing the following steps.Log in as root on the vRealize Appliance.Navigate to the Web Management Console (VAMI).Click the Admin tab, and select or deselect the Administrator SSH login enabled check box.T E C H N I C A L W H I T E P A P E R / 14
VMware vRealize Automation 6.2 Hardening GuideRestrict SSH AccessSSH access should also be restricted with the proper entries to limit access. All VMware virtual appliances include thetcp_wrappers package to allow tcp supported daemons to control the network subnets that can access the libwrappeddaemons. By default, the /etc/hosts.allow file contains a generic entry, Sshd: ALL : ALLOW, that allowsall access to the secure shell.The generic entry should be changed for production environments to include only the localhost entries and themanagement networn subnet for secure operations, as shown in the following example:Sshd:127.0.0.1 : ALLOWSshd: [::1] : ALLOWSshd: 10.0.0.0 :ALLOWIn this example, all localhost connections and connections made by clients on the 10.0.0.0 subnet are allowed.Make sure to add all of the representation with which a machine can be identified, for example, hostname, IP add,FQDN, loopback, and so on.Maintain SSH Key File PermissionsThe following SSH key file permissions must be maintained:Verify that the public host key files, located in /etc/ssh/*key.pub, are owned by root, group owned by root,and have permissions set to 0644. (-rw-r--r--)Verify that the private host key files, located in /etc/ssh/*key, are owned by root, group owned by root, andhave permissions set to 0600. (-rw-------)SSH PortBy default, the SSHD listens on Port 22. You can choose not to change this, but if there were attackers looking forpossible connections to break into, they would first be looking for the most common ports such as 22. Changing theport number considerably reduces the number of automated attacks performed by systematic attackers or ZombieComputers. On the other hand, changing the port number forces the configuration of this alternative port on all of theclients that want to connect to you.To change the listening port number:Log in as root and edit the /etc/ssh/sshd_config file.Change #Port 22 to Port .Restart the sshd service by running the following command.# service sshd restartNOTE: Remember to update your firewall settings accordingly to allow the new port.Harden the SSH Server ConfigurationWhere possible, the vRealize Appliance ships with a default hardened state, and many of these recommendations arealready set. The following recommendations are provided to harden the server and client service in the global optionssection of the configuration file.Open the server configuration file, /etc/ssh/sshd_config, and verify the following settings: Ensure that the daemon is configured to run version 2 of the protocol by using the entry Protocol 2.Ensure that the CBC ciphers are not used by verifying that Ciphers aes256-ctr, aes128-ctr are the only cipherslisted.T E C H N I C A L W H I T E P A P E R / 15
Page 1 and 2: VMwarevRealize AutomationHardening
Page 3 and 4: VMware vRealize Automation 6.2 Hard
Page 13: VMware vRealize Automation 6.2 Hard
Page 17 and 18: Bootloader AuthenticationIf the sys
Page 19 and 20: section.[{ssl, [{versions, ['tlsv1.
Page 21 and 22: The preferred server cipher is TLS_
Page 23 and 24: ]},{rabbit, [{ssl_listeners, [5672]
Page 25 and 26: 499900 48 -rwsr-x--- 1 root message
Page 27 and 28: PostgreSQL (vRealize Appliance)Clie
Page 29 and 30: Prevent the Bluetooth protocol hand
Page 31 and 32: Appletalk ProtocolYou should preven
Page 33 and 34: Verify Host Server’s Secure Basel
Page 35 and 36: Delete and Disable Unnecessary Appl
Page 37 and 38: Identity ApplianceCreate a blank se
Page 39 and 40: Disable IPv4 Proxy ARPIPv4 Proxy AR
Page 41 and 42: Deny IPv4 forwardingIf the system i
Page 43 and 44: Deny IPv6 Router PrefixThe accept r
Page 45 and 46: Ports Required to be Exposed to Adm
Page 47 and 48: Minimum Required Outgoing PortsCOMP

vrealize-automation-62-hardening

Create successful ePaper yourself

Delete template?

Save as template?