As a security best practice, you must secure the
VMware Aria Operations console and manage Secure Shell (SSH), administrative accounts, and console access. Ensure that your system is deployed with secure transmission channels.
Activating FIPS 140-2 FIPS 140-2 accreditation validates that an encryption solution meets a specific set of requirements designed to protect the cryptographic module from being cracked, altered, or otherwise tampered with. When FIPS 140-2 mode is activated, any secure communication to or from VMware Aria Operations 8.4 and above uses cryptographic algorithms or protocols that are allowed by the United States Federal Information Processing Standards (FIPS). FIPS mode turns on the cipher suites that comply with FIPS 140-2. Security related libraries that are shipped with VMware Aria Operations 8.4 and above are FIPS 140-2 certified. However, the FIPS 140-2 mode is not activated by default. FIPS 140-2 mode can be activated if there is a security compliance requirement to use FIPS certified cryptographic algorithms with the FIPS mode activated.
Secure the VMware Aria Operations Console After you install VMware Aria Operations, you must log in for the first time and secure the console of each node in the cluster.
Change the Root Password You can change the root password for any VMware Aria Operations primary or data node at any time by using the console.
Managing Secure Shell, Administrative Accounts, and Console Access For remote connections, all hardened appliances include the Secure Shell (SSH) protocol. SSH is deactivated by default on the hardened appliance.
Set Boot Loader Authentication To provide an appropriate level of security, configure boot loader authentication on your VMware virtual appliances. If the system boot loader requires no authentication, users with console access to the system might be able to alter the system boot configuration or boot the system to single user or maintenance mode, which can result in denial of service or unauthorized system access.
Monitor Minimal Necessary User Accounts You must monitor existing user accounts and ensure that any unnecessary user accounts are removed.
Monitor Minimal Necessary Groups You must monitor existing groups and members to ensure that any unnecessary groups or group access is removed.
Resetting the VMware Aria Operations Administrator Password As a security best practice, you can reset the VMware Aria Operations admin password for vApp installations.
Configure NTP on VMware Aria Operations For critical time sourcing, deactivate host time synchronization and use the Network Time Protocol (NTP) on VMware appliances. You must configure a trusted remote NTP server for time synchronization. The NTP server must be an authoritative time server or at least synchronized with an authoritative time server.
Deactivate the TCP Timestamp Response on Linux Use the TCP timestamp response to approximate the remote host's uptime and aid in further attacks. Additionally, some operating systems can be fingerprinted based on the behavior of their TCP time stamps.
TLS for Data in Transit As a security best practice, ensure that the system is deployed with secure transmission channels.
Activating TLS on Localhost Connections By default, the localhost connections to the PostgreSQL database do not use TLS. To activate TLS, you have to either generate a self-signed certificate with OpenSSL or provide your own certificate.
Application Resources That Must be Protected As a security best practice, ensure that the application resources are protected.
Deactivate Configuration Modes As a best practice, when you install, configure, or maintain VMware Aria Operations, you can modify the configuration or settings to activate troubleshooting and debugging of your installation.
Managing Nonessential Software Components To minimize security risks, remove or configure nonessential software from your VMware Aria Operations host machines.
Additional Secure Configuration Activities Block unnecessary ports on your host server that are not required.