vrealize-automation-62-hardening

Recommendations

Info

When choosing to use the Postgres DB on the vRealize Appliance as a separate DB, you need to make changes tosecure it. Follow all <strong>hardening</strong> recommendations for the vRealize Appliance and enable only the services and portsrequired for running the Postgres DB.Disable Configuration ModesWhen installing, configuring, or maintaining vRealize Automation you might want to change some configurations andsettings to enable troubleshooting and debugging of your installation. You should catalog and audit each of the changesyou make to ensure that these are properly secured following their required use. Do not put in to production if you arenot sure that your configuration changes are correctly secured.Session Timeout (vRealize Appliance)The session timeout on user inactivity is 30 minutes by default. If you want to adjust this session time out to conform toyour organization’s security policy, make the following changes to the web.xml file.Edit the /usr/lib/vcac/server/webapps/vcac/WEB-INF/web.xml file.Find session-config and set the session-timeout value.30COOKIE/Restart the Apache server by running the following commands./etc/init.d/apache2 stop/etc/init.d/apache2 startUnrequired Software ComponentsApplication Services Example ContentThe Application Services appliance contains a content server that has unpatched example content. To prevent misuse,you should secure this content server prior to using it in a production environment. For more information about how tosecure the content server, see Using Application Services in the VMware vRealize Automation 6.2 DocumentationCenter.USB Mass Storage HandlerThe USB mass storage handler module should be prevented from loading and from being used as the USB devicehandler with the vRealize Appliances. It is not necessary and could be used to install malicious software.Prevent the USB mass storage handler module from loading by default on vRealize Appliances.Review the /etc/modprobe.conf.local file and ensure that the following line appear.:install usb-storage /bin/trueBluetooth Protocol HandlerThe Bluetooth protocol handler module should be prevented from loading because binding the Bluetooth protocol tothe network stack is unnecessary and can unwillingly increase the attack surface of the host.VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.comCopyright © 2008-2014 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed athttp://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respectivecompanies.28
Prevent the Bluetooth protocol handler module from loading by default on vRealize Appliances.Review the /etc/modprobe.conf.local file and ensure that the following line appears.install bluetooth /bin/trueStream Control Transmission Protocol (SCTP)The Stream Control Transmission Protocol (SCTP) module should be prevented from loading unless it is absolutelynecessary. SCTP is an IETF-standardized transport layer protocol, which is not used. Binding this protocol to thenetwork stack increases the attack surface of the host. Unprivileged local processes could cause the kernel todynamically load a protocol handler by opening a socket by using the protocol.Prevent the SCTP module from loading by default on vRealize Appliances.Review the /etc/modprobe.conf.local file and ensure that the following appears.install sctp /bin/trueDatagram Congestion Control Protocol (DCCP)The Datagram Congestion Control Protocol (DCCP) module should be prevented from loading unless it is absolutelynecessary. DCCP is a proposed transport layer protocol, which is not used. Binding this protocol to the network stackincreases the attack surface of the host. Unprivileged local processes could cause the kernel to dynamically load aprotocol handler by using the protocol to open a socket.Prevent the DCCP module from loading by default on vRealize Appliances.Review the /etc/modprobe.conf.local file and ensure that the following lines appears.install dccp /bin/trueinstall dccp_ipv4 /bin/trueinstall dccp_ipv6 /bin/trueNetwork BridgingThe network bridging module should be prevented from loading unless it is absolutely necessary, because it has thepotential to bypass network partitioning and security.Configure the system to not use bridging by default on vRealize Appliances.Run the following command.# rmmod bridgeReview the /etc/modprobe.conf.local file and ensure that the following line appears.install bridge /bin/falseReliable Datagram Sockets (RDS) ProtocolThe Reliable Datagram Sockets (RDS) Protocol module should be prevented from loading unless it is absolutelynecessary. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged localprocesses could cause the system to dynamically load a protocol handler by using the protocol to open a socket.Prevent the RDS module from loading by default on vRealize Appliances.Review the /etc/modprobe.conf.local file and ensure that the following line appears.install rds /bin/trueVMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.comCopyright © 2008-2014 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed athttp://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respectivecompanies.29
Page 1 and 2: VMwarevRealize AutomationHardening
Page 3 and 4: VMware vRealize Automation 6.2 Hard
Page 17 and 18: Bootloader AuthenticationIf the sys
Page 19 and 20: section.[{ssl, [{versions, ['tlsv1.
Page 21 and 22: The preferred server cipher is TLS_
Page 23 and 24: ]},{rabbit, [{ssl_listeners, [5672]
Page 25 and 26: 499900 48 -rwsr-x--- 1 root message
Page 27: PostgreSQL (vRealize Appliance)Clie
Page 31 and 32: Appletalk ProtocolYou should preven
Page 33 and 34: Verify Host Server’s Secure Basel
Page 35 and 36: Delete and Disable Unnecessary Appl
Page 37 and 38: Identity ApplianceCreate a blank se
Page 39 and 40: Disable IPv4 Proxy ARPIPv4 Proxy AR
Page 41 and 42: Deny IPv4 forwardingIf the system i
Page 43 and 44: Deny IPv6 Router PrefixThe accept r
Page 45 and 46: Ports Required to be Exposed to Adm
Page 47 and 48: Minimum Required Outgoing PortsCOMP

vrealize-automation-62-hardening

Create successful ePaper yourself

Delete template?

Save as template?