vrealize-automation-62-hardening

Recommendations

Info

VMware vRealize Automation 6.2 Hardening GuideThe vRealize Hardening Tool UI appears.In Categories, select the hardening activities that you want to execute.Select Dry Run, and click Execute, if you want to verify the changes to be made before they are made to thesystem.Click Execute to run the vRealize Hardening Tool based on the selections you made.Run the vRealize Hardening Tool in CLI ModeRun the following commands to use the vRealize Hardening Tool in CLI mode.Change to the directory where the vRealize Hardening Tool resides by running the following command.cd To verify that the vRealize Hardening Tool without making any changes, run the following command.ansible-playbook -i baseline/v1.0/roles/inventory.yamlbaseline/v1.0/roles/start.yaml –checkChanges are not made to the system.To run the vRealize Hardening Tool and make changes to the system, run the following command.ansible-playbook -i baseline/my_inventory.yaml baseline/vRA.yaml --tagsapache2,create_admin_user,lighttpd,ntp,pwd_expiry,rabbitmq,tcserverEach comma-separated tag is associated with a hardening activity that is supported by the vRealize HardeningTool. If you do not want to run a hardening activity, you can omit it from the command.T E C H N I C A L W H I T E P A P E R / 8
VMware vRealize Automation 6.2 Hardening GuidevRealize Hardening Tool CategoriesThe following table correlates the hardening activity with the UI and command line options.Hardening Activity UI Option Command Line TagApache Server Response Header Apache2 Configuration apache2Create Local Administrative Account Linux Admin Usercreate_admin_userFor SSHLighttpd Server Response Headers Lighttpd Configuration lighttpdConfigure NTP Network Time Protocol ntpModify root Password Expiry Root Password Expiry pwd_expiryDisabling SSLv3 on RabbitMQ RabbitMQ Configuration rabbitmqTcserver Response Server Header TcServer Configuration tcserverSecure DeploymentVerifying the Integrity of Installation MediaVerify the integrity of the installation media before you install the product.Always verify the SHA1 hash after you download an ISO, offline bundle, or patch to ensure integrity and authenticityof the downloaded files. If you obtain physical media from VMware and the security seal is broken, return the softwareto VMware for a replacement.After you download the media, use the MD5/SHA1 sum value to verify the integrity of the download. Compare theMD5/SHA1 hash output with the value posted on the VMware Web site. SHA1 or MD5 hash should match.For more information about verifying the integrity of the installation media, see http://kb.vmware.com/kb/1537.Hardening InfrastructureHardening the VMware vSphere EnvironmentvRealize Automation relies on a secure VMware vSphere environment to achieve the greatest benefits and a securedinfrastructure.Assess the VMware vSphere environment and verify that the appropriate level of vSphere hardening guidance isenforced and maintained.For more guidance about hardening, see http://www.vmware.com/security/hardening-guides.html.Verify Hardening of the Infrastructure as a Service HostReview the recommendations set out in the appropriate Windows hardening and secure best practice guidelines, andensure that your Windows Server host is appropriately hardened. Not following the hardening recommendations mightresult in exposure to known security vulnerabilities from insecure components on Windows releases.To verify that your version is supported, see the vRealize Automation Support Matrix.Contact your Microsoft vendor about the correct guidance for hardening practices of Microsoft products.T E C H N I C A L W H I T E P A P E R / 9
Page 1 and 2: VMwarevRealize AutomationHardening
Page 3 and 4: VMware vRealize Automation 6.2 Hard
Page 7: VMware vRealize Automation 6.2 Hard
Page 17 and 18: Bootloader AuthenticationIf the sys
Page 19 and 20: section.[{ssl, [{versions, ['tlsv1.
Page 21 and 22: The preferred server cipher is TLS_
Page 23 and 24: ]},{rabbit, [{ssl_listeners, [5672]
Page 25 and 26: 499900 48 -rwsr-x--- 1 root message
Page 27 and 28: PostgreSQL (vRealize Appliance)Clie
Page 29 and 30: Prevent the Bluetooth protocol hand
Page 31 and 32: Appletalk ProtocolYou should preven
Page 33 and 34: Verify Host Server’s Secure Basel
Page 35 and 36: Delete and Disable Unnecessary Appl
Page 37 and 38: Identity ApplianceCreate a blank se
Page 39 and 40: Disable IPv4 Proxy ARPIPv4 Proxy AR
Page 41 and 42: Deny IPv4 forwardingIf the system i
Page 43 and 44: Deny IPv6 Router PrefixThe accept r
Page 45 and 46: Ports Required to be Exposed to Adm
Page 47 and 48: Minimum Required Outgoing PortsCOMP

vrealize-automation-62-hardening

Create successful ePaper yourself

Delete template?

Save as template?