To ensure continued access to the VMware Aria Operations for Logs cluster nodes, you must manage the life cycle of the account passwords for the VMware Aria Operations for Logs appliance.

In VMware Cloud Foundation, SDDC Manager manages the life cycle of critical accounts used by and integrated within the system. SDDC Manager provides the ability to rotate, update, or remediate component passwords. Unlike password rotation, which generates a randomized password, a password update allows you to provide the password that you want for the particular account.

If a password expires, you must reset the password in the component. After you reset the password, you must remediate the password. Password remediation updates the new password in the SDDC Manager database.

To resolve any errors that might have occurred during password rotation or updates, you must use password remediation. Password remediation synchronizes the password of the component account stored in VMware Aria Operations for Logs with the updated password.

Password Policies for VMware Aria Operations for Logs

Within VMware Aria Operations for Logs, you can enforce password policies for access through the virtual appliance console and SSH. You can configure these password policies by using the pluggable authentication module (PAM) that is part of the operating system of the virtual appliance. The password policies apply only to local user accounts.

Password Expiration Policy for VMware Aria Operations for Logs

You manage the password expiration policy on a user basis. You can modify the configuration for a user to refine the settings and adhere to the policies and regulatory standards of your organization. The default configuration is shown in the following table.

Table 1. Default Password Expiration Policy for VMware Aria Operations for Logs

| Local User | Setting | Default | Description |
|---|---|---|---|
| root | maxdays | 99999 | Maximum number of days between password change |
| root | mindays | 0 | Minimum number of days between password change |
| root | warndays | 7 | Number of days of warning before a password expires |
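The three settings in Table 1 correspond to the minimum, maximum and warning aging fields of a shadow(5) entry. The following is an added example, not part of the original documentation: it reads those fields from a shadow-format line and computes the days left until expiry. The sample entries and the 1/90/14 values are constructed for illustration.

```shell
#!/bin/sh
# Added example: read password-aging fields from a shadow(5)-format entry.
# Layout: name:hash:lastchange:mindays:maxdays:warndays:inactive:expire:reserved

# aging_field ENTRY SETTING -> prints the mindays, maxdays or warndays value
aging_field() {
    case "$2" in
        mindays)  idx=4 ;;
        maxdays)  idx=5 ;;
        warndays) idx=6 ;;
        *) return 2 ;;
    esac
    printf '%s\n' "$1" | cut -d: -f"$idx"
}

# days_until_expiry ENTRY TODAY -> prints days left (negative = expired) or "never"
# TODAY is in days since 1970-01-01, the same unit as the lastchange field;
# on a live system use: $(( $(date +%s) / 86400 ))
days_until_expiry() {
    last=$(printf '%s\n' "$1" | cut -d: -f3)
    max=$(aging_field "$1" maxdays)
    # An empty field, or the conventional 99999, means the password does not age out
    if [ -z "$last" ] || [ -z "$max" ] || [ "$max" -ge 99999 ]; then
        echo never
        return 0
    fi
    echo $(( last + max - $2 ))
}

# Constructed sample entries (hash replaced by "!")
ROOT_DEFAULT='root:!:19800:0:99999:7:::'   # Table 1 defaults
ROOT_HARDENED='root:!:19800:1:90:14:::'    # illustrative values, not a recommendation

TODAY=19850   # constructed "current day" so the output is reproducible
for entry in "$ROOT_DEFAULT" "$ROOT_HARDENED"; do
    echo "maxdays=$(aging_field "$entry" maxdays)" \
         "mindays=$(aging_field "$entry" mindays)" \
         "warndays=$(aging_field "$entry" warndays)" \
         "expires_in=$(days_until_expiry "$entry" "$TODAY")"
done
```

With the Table 1 defaults the root password never expires, so an audit that only looks for expired accounts will not flag it.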

Password Complexity Policy for VMware Aria Operations for Logs

You manage the password complexity policy by using the /etc/pam.d/system-password file. You can edit and modify the configuration to refine the settings and adhere to the policies of your organization and regulatory standards. The default configuration is shown in the following table.

Table 2. Password Complexity Policy for VMware Aria Operations for Logs

| Setting | Sample value | Description |
|---|---|---|
| dcredit | -1 | Maximum number of digits that generate a credit |
| ucredit | -1 | Maximum number of uppercase characters that generate a credit |
| lcredit | -1 | Maximum number of lowercase characters that generate a credit |
| ocredit | -1 | Maximum number of other characters that generate a credit |
| minlen | 8 | Minimum password length |
| minclass | 4 | Minimum number of character types that must be used (for example, uppercase, lowercase, digits, and so on) |
| difok | 4 | Minimum number of characters that must be different from the old password |
| retry | 3 | Maximum number of retries |
| maxrepeat | 0 | Maximum number of identical consecutive characters in the new password |
| remember | 5 | Maximum number of passwords the system remembers |

Account Lockout Policy for VMware Aria Operations for Logs

You manage the account lockout policy by using the /etc/pam.d/system-auth file. You can edit and modify the configuration to refine the settings and adhere to the policies of your organization and regulatory standards. The default configuration is shown in the following table.

Table 3. Default Account Lockout Policy for VMware Aria Operations for Logs

| Setting | Default | Description |
|---|---|---|
| deny | 3 | Maximum number of authentication failures before the account is locked |
| unlock_time | 0 | Amount of time in seconds that the account remains locked |
| root_unlock_time | 600 | Amount of time in seconds that the root account remains locked |
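To check an appliance for drift from the values in Table 2 and Table 3, you can extract each option from the PAM file and compare it with the expected value. The following is an added example, not part of the original documentation: the function names and the sample files are constructed, and the module names in the samples (pam_pwquality, pam_faillock, pam_unix) are assumptions, because the page names only the files and the settings.

```shell
#!/bin/sh
# Added example: compare PAM options in a file against expected values.

# pam_opt FILE KEY -> value of the first KEY=VALUE on an active (non-comment) line
pam_opt() {
    # Strip comments, put one token per line, then match the exact key so that
    # "unlock_time" is never read from "root_unlock_time"
    sed 's/#.*//' "$1" | tr -s ' \t' '\n\n' | sed -n "s/^$2=//p" | head -n 1
}

# audit_pam FILE "key=want ..." -> one line per finding; exit status = finding count
audit_pam() {
    file=$1; findings=0
    for pair in $2; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(pam_opt "$file" "$key")
        if [ -z "$have" ]; then
            echo "MISSING $key (expected $want)"; findings=$((findings + 1))
        elif [ "$have" != "$want" ]; then
            echo "DRIFT $key=$have (expected $want)"; findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Expected values taken from Table 2 and Table 3 on this page
COMPLEXITY='dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxrepeat=0 remember=5'
LOCKOUT='deny=3 unlock_time=0 root_unlock_time=600'

# Constructed sample files; module names are assumptions, not from the page
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/system-password" <<'EOF'
password requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=6 minclass=4 difok=4 retry=3 maxrepeat=0
password required  pam_unix.so sha512 shadow use_authtok
EOF
cat > "$SAMPLE_DIR/system-auth" <<'EOF'
# auth required pam_faillock.so preauth deny=5
auth required pam_faillock.so preauth deny=3 unlock_time=0 root_unlock_time=600
auth required pam_unix.so
EOF

audit_pam "$SAMPLE_DIR/system-password" "$COMPLEXITY" || echo "findings: $?"
audit_pam "$SAMPLE_DIR/system-auth" "$LOCKOUT" || echo "findings: $?"
```

On the appliance, pass /etc/pam.d/system-password and /etc/pam.d/system-auth instead of the sample files. Only the first occurrence of each option is checked, so review files that set the same option on several lines by hand.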

Table 4. Design Decisions on Password Policies for VMware Aria Operations for Logs

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| ILA-VAOL-SEC-005 | Configure the password expiration policy for each VMware Aria Operations for Logs appliance. | • You configure the password expiration policy for the VMware Aria Operations for Logs appliance to align with the requirements of your organization, which might be based on industry compliance standards. • The policy is applicable only to the local VMware Aria Operations for Logs appliance users. | You can manage the password expiration policy on the VMware Aria Operations for Logs appliance by using the virtual appliance console or a Secure Shell (SSH) client. |
| ILA-VAOL-SEC-006 | Configure the password complexity policy for the VMware Aria Operations for Logs appliance. | • You configure the password complexity policy for VMware Aria Operations for Logs to align with the requirements of your organization, which might be based on industry compliance standards. • The policy is applicable only to the local VMware Aria Operations for Logs users. | You can manage the password complexity policy on the VMware Aria Operations for Logs appliance by using the virtual appliance console or a Secure Shell (SSH) client. |
| ILA-VAOL-SEC-007 | Configure the account lockout policy for each VMware Aria Operations for Logs appliance. | • You configure the account lockout policy for VMware Aria Operations for Logs to align with the requirements of your organization, which might be based on industry compliance standards. • The policy is applicable only to the local VMware Aria Operations for Logs appliance users. | You can manage the account lockout policy on the VMware Aria Operations for Logs appliance by using the virtual appliance console or a Secure Shell (SSH) client. |

VMware Aria Operations for Logs Password Management

Changing the passwords periodically or when certain events occur, such as an administrator leaving your organization, increases the security posture and health of the system.

For more information, see the Password Management documentation for VMware Cloud Foundation.

Table 5. Design Decision on Password Management for VMware Aria Operations for Logs

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| ILA-VAOL-SEC-008 | Change the VMware Aria Operations for Logs root password on a recurring or event-initiated schedule by using the SDDC Manager user interface or API. | • By default, the password for the VMware Aria Operations for Logs root account expires every 365 days. • When VMware Aria Operations for Logs is deployed into a VMware Cloud Foundation environment in VMware Aria Suite Lifecycle, the root password is managed from the SDDC Manager user interface or API, not VMware Aria Suite Lifecycle. | By using SDDC Manager, you manage the password change or automated password rotation schedule for the VMware Aria Operations for Logs root account in accordance with your organizational policies and regulatory standards. |
| ILA-VAOL-SEC-009 | Change the VMware Aria Operations for Logs admin account password on a recurring or event-initiated schedule by using the SDDC Manager UI or API. | When VMware Aria Operations for Logs is deployed into a VMware Cloud Foundation environment in VMware Aria Suite Lifecycle, the admin password is managed from the SDDC Manager user interface or API, not VMware Aria Suite Lifecycle. | You must routinely perform the password change for the admin account by using the SDDC Manager UI or API. |