vrealize-automation-62-hardening

Recommendations

Info

Deny IPv6 Router advertisementsA feature of IPv6 is how systems can configure their networking devices by automatically using information from thenetwork. From a security perspective, manually configuring important configuration information is preferable toaccepting it from the network in an unauthenticated way.Verify that the system denies the acceptance of router advertisements and ICMP redirects unless necessary.Run the following command.# grep [01] /proc/sys/net/ipv6/conf/*/accept_ra|egrep "default|all"If the value for both are not set to zero, add the following entries to the /etc/sysctl.conf file to set the valueto 0.net.ipv6.conf.all.accept_ra=0net.ipv6.conf.default.accept_ra=0Deny IPv6 Router SolicitationsThe router solicitations setting determines how many router solicitations are sent when bringing up the interface. Ifaddresses are statically assigned, there is no need to send any solicitations.Verify that system denies IPv6 router solicitations unless necessary.Run the following command.# grep [01] /proc/sys/net/ipv6/conf/*/router_solicitations|egrep"default|all"If the value for both are not set to zero, add the following entries to the /etc/sysctl.conf file to set the valueto 0.net.ipv6.conf.all.router_solicitations=0net.ipv6.conf.default.router_solicitations=0Deny IPv6 Router Preference in Router SolicitationsThe router preference in solicitations setting determines router preferences. If addresses are statically assigned, there isno need to receive any router preference for solicitations.Verify that the system denies IPv6 router solicitations unless necessary.Run the following command.# grep [01] /proc/sys/net/ipv6/conf/*/accept_ra_rtr_pref|egrep "default|all"If the value for both are not set to zero, add the following entries to the /etc/sysctl.conf file to set the valueto 0.net.ipv6.conf.all.accept_ra_rtr_pref=0net.ipv6.conf.default.accept_ra_rtr_pref=0VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.comCopyright © 2008-2014 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed athttp://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respectivecompanies.42
Deny IPv6 Router PrefixThe accept ra pinfo setting controls whether the system will accept prefix info from the router. If addresses arestatically assigned, there is no need to receive any router prefix information.Verify that the system denies IPv6 router prefix information unless necessary.Run the following command.# grep [01] /proc/sys/net/ipv6/conf/*/accept_ra_pinfo|egrep "default|all"If the value for both are not set to zero, add the following entries to the /etc/sysctl.conf file to set the valueto 0.net.ipv6.conf.all.accept_ra_pinfo=0net.ipv6.conf.default.accept_ra_pinfo=0Deny IPv6 Router Advertisement Hop Limit SettingsThe accept_ra_defrtr setting controls whether the system will accept Hop Limit settings from a router advertisement.Setting it to 0 prevents a router from changing your default IPv6 Hop Limit for outgoing packets.Verify that the system denies IPv6 router hop limit settings unless necessary.Run the following command.# grep [01] /proc/sys/net/ipv6/conf/*/accept_ra_defrtr|egrep "default|all"If the value for both are not set to zero, add the following entries to the /etc/sysctl.conf file to set the valueto 0.net.ipv6.conf.all.accept_ra_defrtr=0net.ipv6.conf.default.accept_ra_defrtr=0Deny IPv6 Router Advertisement Autoconf SettingsThe autoconf setting controls whether router advertisements can cause the system to assign a global unicast address toan interface.Verify that the system denies IPv6 router autoconf settings unless necessary.Run the following command.# grep [01] /proc/sys/net/ipv6/conf/*/autoconf|egrep "default|all"If the value for both are not set to zero, add the following entries to the /etc/sysctl.conf file to set the valueto 0.net.ipv6.conf.all.autoconf=0net.ipv6.conf.default.autoconf=0VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.comCopyright © 2008-2014 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed athttp://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respectivecompanies.43
Page 1 and 2: VMwarevRealize AutomationHardening
Page 3 and 4: VMware vRealize Automation 6.2 Hard
Page 17 and 18: Bootloader AuthenticationIf the sys
Page 19 and 20: section.[{ssl, [{versions, ['tlsv1.
Page 21 and 22: The preferred server cipher is TLS_
Page 23 and 24: ]},{rabbit, [{ssl_listeners, [5672]
Page 25 and 26: 499900 48 -rwsr-x--- 1 root message
Page 27 and 28: PostgreSQL (vRealize Appliance)Clie
Page 29 and 30: Prevent the Bluetooth protocol hand
Page 31 and 32: Appletalk ProtocolYou should preven
Page 33 and 34: Verify Host Server’s Secure Basel
Page 35 and 36: Delete and Disable Unnecessary Appl
Page 37 and 38: Identity ApplianceCreate a blank se
Page 39 and 40: Disable IPv4 Proxy ARPIPv4 Proxy AR
Page 41: Deny IPv4 forwardingIf the system i
Page 45 and 46: Ports Required to be Exposed to Adm
Page 47 and 48: Minimum Required Outgoing PortsCOMP

vrealize-automation-62-hardening

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?