vrealize-automation-62-hardening

Recommendations

Info

VMware vRealize Automation 6.2 Hardening GuideEnsure that the TCP forwarding is disabled by using the entry AllowTCPForwarding no.Ensure that the Gateway Ports are disabled by using the entry GatewayPorts no.Ensure that X11 forwarding is disabled by using the entry X11Forwarding no.Restrict the use of the SSH service by using the AllowGroups field, and specifying a group to allow access andadd members to the secondary group for users permitted to use the service.Ensure that GSSAPI authentication is disabled by using the entry GSSAPIAuthentication no if unused.Ensure that Kerberos authentication is disabled by using the entry KerberosAuthentication no if unused.Ensure that local variables are set to “disabled by commenting out” or “enabled for only LC_* or LANGvariables”. This can be verified by finding the property named AcceptEnv and its value as mentioned earlier.Ensure that tunnels are disabled by using the entry PermitTunnel no. Ensure that network sessions are limited to a single session by using the entry MaxSessions 1.Restrict per user concurrent connection to 1, from root or any other user. /etc/security/limits.confalso needs to be changed.Ensure that strict mode checking is enabled by using the entry StrictModes yes.Ensure that privilege separation is enabled by using the entry UsePrivilegeSeparation yes.Ensure that rhosts RSA authentication is disabled by using the entry RhostsRSAAuthentication no.Ensure that compression is either delayed or disabled by using the entry Compression delayed or Compressionno.Ensure that ‘Message authentication code’ is used by using the entry MACs hmac-sha1.Ensure that disabling users to bypass access restriction by using the entry PermitUserEnvironment no.If possible, restrict the use of the SSH server to a management subnet in the /etc/hosts.allow file.Harden the SSH Client ConfigurationVerify that the following settings are made in the global options section of the configuration file for the SSH client,which is located in the /etc/ssh/ssh_config file. Ensure that the client is configured to run version 2 of the protocol by using the entry Protocol 2.Ensure that the client Gateway Ports are disabled by using the entry GatewayPorts no.Ensure that the GSSAPI authentication is disabled by using the entry GSSAPIAuthentication no.Ensure that only locale variables are set by finding the SendEnv global option and verify that only LC_* or LANGvariables are provided.Ensure CBC ciphers are not used by verifying that Ciphers aes256-ctr, aes128-ctr are the only listed ciphers.Ensure that only message authentication codes are used in the entry MACs hmac-sha1.Disable Direct Logins as rootBy default, the hardened appliances allow direct login to root via the console. After administrative accounts are createdfor non-repudiation and tested for wheel access (su-root), direct root logins can be disabled by editing the/etc/security file as root and replacing the tty1 entry with console.T E C H N I C A L W H I T E P A P E R / 16
Bootloader AuthenticationIf the system's boot loader does not require authentication, users with console access to the system might be able toalter the system boot configuration or boot the system into single user or maintenance mode, which could result indenial of service or unauthorized privileged access to the system. Because this is not set by default on the VMwareVAs, you are required to configure it.To verify a boot password exists. In /boot/grub/menu.lst locate the following line:password --md5 To create a GRUB boot password:Run the following command:# /usr/sbin/grub-md5-cryptAn MD5 password is generated. After the password is supplied, the command supplies the md5 hash output.Append the password to the menu.lst file by running the following command:# password --md5 NTP ServiceFor critical time sourcing, disable host time synchronization and use NTP. NTP is recommended in production as ameans to accurately track user actions and to realize potential malicious attacks and intrusion through accurate auditand log keeping.The ntp daemon is included on the appliance, and is used to provide synchronized time services. The configuration filefor NTP is located in /etc/ntp.conf.For the vRealize and Identity Appliances, you can enable the NTP service and add time servers in the Admin tab in theVAMI.Configure NTPVerify the protection of the /etc/ntp.conf configuration file.Set the file ownership to root:root.Set the permissions to 0640.To mitigate the risk of a Denial of Service amplification attack on the NTP service, ensure that the following linesappear in the /etc/ntp.conf file:• restrict default kod nomodify notrap nopeer noquery• restrict -6 default kod nomodify notrap nopeer noquery• restrict 127.0.0.1• restrict -6 ::1The vRealize Hardening Tool supports this <strong>hardening</strong> activity with the “Network Time Protocol” option.For information on NTP security notices, see http://support.ntp.org/bin/view/Main/SecurityNotice.VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.comCopyright © 2008-2014 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed athttp://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respectivecompanies.17
Page 1 and 2: VMwarevRealize AutomationHardening
Page 3 and 4: VMware vRealize Automation 6.2 Hard
Page 15: VMware vRealize Automation 6.2 Hard
Page 19 and 20: section.[{ssl, [{versions, ['tlsv1.
Page 21 and 22: The preferred server cipher is TLS_
Page 23 and 24: ]},{rabbit, [{ssl_listeners, [5672]
Page 25 and 26: 499900 48 -rwsr-x--- 1 root message
Page 27 and 28: PostgreSQL (vRealize Appliance)Clie
Page 29 and 30: Prevent the Bluetooth protocol hand
Page 31 and 32: Appletalk ProtocolYou should preven
Page 33 and 34: Verify Host Server’s Secure Basel
Page 35 and 36: Delete and Disable Unnecessary Appl
Page 37 and 38: Identity ApplianceCreate a blank se
Page 39 and 40: Disable IPv4 Proxy ARPIPv4 Proxy AR
Page 41 and 42: Deny IPv4 forwardingIf the system i
Page 43 and 44: Deny IPv6 Router PrefixThe accept r
Page 45 and 46: Ports Required to be Exposed to Adm
Page 47 and 48: Minimum Required Outgoing PortsCOMP

vrealize-automation-62-hardening

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?