The vCenter Appliance is a SuSE Linux VM that ships fully hardened by VMware to the DoD STIG specifications. There are a few site-specific settings you must configure to complete the hardening. This post provides the steps to complete the process.
1) Change the root password. Log in to the appliance and, as root, run:
> passwd
New password:
Retype new password:
Password changed.
> cat /etc/shadow | grep root
root:$6$(truncated)
If the hash in the root entry begins with $6$, the password is stored as a SHA-512 crypt hash.
2) Set password expiry. Change the root expiry from 3 years to 1 year.
> passwd -x 365 root
Password expiry information changed.
3) Execute the dodscript.sh script.
> cd /etc/
> ./dodscript.sh
Shutting down auditd done
Starting auditd
4) If your company or site has a custom banner, edit (and verify) the banners to replace the DoD language with your own.
> vi /opt/vmware/etc/isv/welcometextDoD
Paste in your banner, then copy it to the other banner locations:
> cat /opt/vmware/etc/isv/welcometextDoD > /etc/issue (linked to issue.DoD)
> cat /opt/vmware/etc/isv/welcometextDoD > /opt/vmware/etc/isv/welcometext
> cat /opt/vmware/etc/isv/welcometextDoD > /opt/vmware/etc/isv/welcometext.template
5) Configure secure shell, admin accounts, and console access on the appliance. Add a user account that can su to root:
> useradd -s /bin/bash -m -d /home/(your username) -g users -G wheel (your username)
> passwd <your username>
Changing password for (your username)
New password:
Retype new password:
Password changed.
> su - (your username)
Verify that the new account works before continuing.
a) Test ability to su to root and verify identity:
> su - root
Password:
Last login: Sat 19 12 12:51:26 UTC 2016 from PC on pts/1
Directory: /root
Tue Mar 19 13:18:33 UTC 2016
> whoami
root
b) Note: The step below isn't included in the documentation, but if you don't do it you will be locked out.
> vi /etc/security/access.conf
At the end of the file change -:ALL:ALL to +:ALL:ALL
c) Test that the user you just created can log in via SSH and su - root before you proceed. Use the ssh CLI, PuTTY, etc.
> ssh -v (your username)@(your vCenter appliance hostname or IP)
Once logged in:
> su - root
d) Disable direct root SSH access to the appliance.
> vi /etc/ssh/sshd_config
change PermitRootLogin yes to PermitRootLogin no
e) Restrict SSH to the local network of the appliance.
> vi /etc/hosts.allow
Add the following:
sshd:127.0.0.1:ALLOW
sshd:[::1]:ALLOW
sshd:(the same network your appliance is on):ALLOW
f) Restart sshd to read the changes:
> service sshd restart
Shutting down SSH daemon done
Starting SSH daemon
g) Disable direct root console login on the appliance. This means you must first log in as a user and su to root. After setting this, an attempt to log in on the appliance console as root should fail with "login incorrect".
> vi /etc/securetty
Set the first two lines as follows:
#tty1
console
6) Verify time synchronization. Recall that NTP is configured when you first import and set up the appliance. As root, verify:
> service ntp status
remote refid st t when poll reach delay offset jitter
=============================================
192.168.1.252 .LOCL. 1 u 37 64 1 1.145 459.906 0.001
192.168.1.252 192.168.1.253 2 u 36 64 1 1.273 464.924 0.001
Checking for network time protocol daemon (NTPD): Running
7) Set up log forwarding with syslog-ng and auditd. Uncomment and edit the following lines to match the IP address of your remote syslog server:
> vi /etc/syslog-ng/syslog-ng.conf
destination logserver { udp("Syslog_svr_IP_Address" port(514)); };
log {source(src); destination(logserver);};
a) Restart the service.
> service syslog restart
Shutting down syslog services done
Starting syslog services
b) Send your audit data to syslog.
> vi /etc/audisp/plugins.d/syslog.conf
change active=no to active=yes
c) Restart auditd.
> service auditd restart
Shutting down auditd done
Starting auditd
d) Tune audit performance.
> vi /etc/audisp/audispd.conf
change the following to 1280 and 8
q_depth = 1280
priority_boost = 8
e) Control the number and rotation of log files.
> vi /etc/logrotate.d/syslog
change all entries for rotate 15 to rotate 7
> vi /etc/logrotate.d/audit
change all entries for rotate 15 to rotate 7
8) Set a boot loader or grub password.
> cat /boot/grub/menu.lst | grep password
password --md5 (a_long_hash_will_be_here)
a) Create a password for grub. The sequence is: enter the grub shell and run the md5crypt command; after you type the password, the hash is displayed. Copy the hash, then run quit to return to the root shell.
> grub
grub> md5crypt
Password: (Enter your password here)
Encrypted: (a_long_hash_will_be_here)
grub> quit
b) Add the following to the third line of the file:
> vi /boot/grub/menu.lst
password --md5 (the password hash from above)
9) Configure NFS and NIS. If you are not using NFS or NIS, disable the services. You probably aren't using them.
> chkconfig ypbind off
> chkconfig nfs off
> chkconfig rpcbind off
> service ypbind stop
> service nfs stop
> service rpcbind stop
10) Reboot to refresh the system and apply all of the changes.
> reboot
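As an added example (not VMware's tooling and not part of the original post), here is a small POSIX-shell audit that re-checks every setting from steps 1 to 9 against a filesystem root, so it can be run on the live appliance after the reboot or against a staged copy of the config tree. It assumes a SuSE-style /etc/init.d/rc[35].d layout for chkconfig state, and it additionally looks for a catch-all sshd deny rule, because hosts.allow ALLOW entries restrict nothing without one.

```shell
#!/bin/sh
# vcsa_audit.sh: re-check the settings walked through in steps 1-9 above.
# Usage: sh vcsa_audit.sh /            (live appliance, as root)
#        sh vcsa_audit.sh /tmp/staged  (a copied config tree, for dry runs)
# Assumes SuSE-style /etc/init.d/rc[35].d S-links for chkconfig state.
fails=0
check() {            # check "<what>" <command...>: report and count a failure
    desc=$1; shift
    if "$@" >/dev/null 2>&1; then echo "PASS: $desc"; else echo "FAIL: $desc"; fails=$((fails + 1)); fi
}
has()    { grep -Eq "$1" "$2"; }                       # pattern present in file
absent() { [ ! -f "$2" ] || ! grep -Eq "$1" "$2"; }    # pattern absent or file missing
has_deny() {  # ALLOW rules restrict nothing unless a matching deny exists somewhere
    has '^(sshd|ALL):ALL:DENY' "$R/etc/hosts.allow" || has '^(sshd|ALL):[[:space:]]*ALL' "$R/etc/hosts.deny"
}
no_start_link() { [ -z "$(ls "$R"/etc/init.d/rc[35].d/S*"$1" 2>/dev/null)" ]; }

vcsa_audit() {
    R=${1%/}; fails=0   # strip a trailing slash so "/" and "/tmp/staged" both work
    # 1-2) root hash is SHA-512 ($6$) and the maximum age (5th shadow field) is 365 days
    check "root hash is sha512"          has '^root:\$6\$' "$R/etc/shadow"
    check "root max age 365 days"        has '^root:[^:]*:[^:]*:[^:]*:365:' "$R/etc/shadow"
    # 5b) the trailing deny-all in access.conf must be +:ALL:ALL or every login is refused
    check "access.conf permits logins"   absent '^-:ALL:ALL' "$R/etc/security/access.conf"
    # 5d-e) no root over SSH; sshd reachable only from listed sources, backed by a deny
    check "PermitRootLogin no"           has '^[[:space:]]*PermitRootLogin[[:space:]]+no([[:space:]]|$)' "$R/etc/ssh/sshd_config"
    check "hosts.allow lists sshd"       has '^sshd:.*:ALLOW' "$R/etc/hosts.allow"
    check "sshd catch-all deny present"  has_deny
    # 5g) console root login off: tty1 commented out, console entry kept
    check "securetty: tty1 disabled"     absent '^tty1' "$R/etc/securetty"
    check "securetty: console kept"      has '^console' "$R/etc/securetty"
    # 7) remote syslog destination uncommented, audit events forwarded, tuning applied
    check "syslog-ng remote destination" has '^destination logserver' "$R/etc/syslog-ng/syslog-ng.conf"
    check "syslog-ng log statement"      has '^log .*destination\(logserver\)' "$R/etc/syslog-ng/syslog-ng.conf"
    check "audisp syslog plugin active"  has '^active[[:space:]]*=[[:space:]]*yes' "$R/etc/audisp/plugins.d/syslog.conf"
    check "audispd q_depth 1280"         has '^q_depth[[:space:]]*=[[:space:]]*1280' "$R/etc/audisp/audispd.conf"
    check "audispd priority_boost 8"     has '^priority_boost[[:space:]]*=[[:space:]]*8' "$R/etc/audisp/audispd.conf"
    check "logrotate syslog: rotate 7"   absent 'rotate[[:space:]]+15' "$R/etc/logrotate.d/syslog"
    check "logrotate audit: rotate 7"    absent 'rotate[[:space:]]+15' "$R/etc/logrotate.d/audit"
    # 8) grub password line present with an md5crypt ($1$) hash
    check "grub password set"            has '^password --md5 \$1\$' "$R/boot/grub/menu.lst"
    # 9) NFS/NIS not scheduled to start in runlevels 3/5
    for s in ypbind nfs rpcbind; do check "$s disabled at boot" no_start_link "$s"; done
    echo "$fails check(s) failed"
    return "$fails"
}
if [ $# -eq 1 ]; then vcsa_audit "$1"; fi
```

The exit status is the number of failed checks, so the script can be dropped into a cron job or a configuration-management run and alert on anything non-zero.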