To ensure continued access to the VMware Aria Operations for Logs cluster nodes, you must manage the life cycle of the accounts passwords for the VMware Aria Operations for Logs appliance.

In VMware Cloud Foundation, SDDC Manager manages the life cycle of critical accounts used by and integrated within the system. SDDC Manager provides the ability to rotate, update, or re-mediate component passwords. Unlike the password rotation, which generates a randomized password, the password update allows you to provide the password that you want for the particular account.

If a password expires, you must reset the password in the component. After you reset the password, you must re-mediate the password. Password remediation updates the new password in the SDDC Manager database.

To resolve any errors that might have occurred during password rotation or updates, you must use password remediation. Password remediation synchronizes the password of the component account stored in VMware Aria Operations for Logs with the updated password.

Password Policies for VMware Aria Operations for Logs

Within VMware Aria Operations for Logs, you can enforce password polices for access through the virtual appliance console and SSH. You can configure these password policies by using the pluggable authentication module (PAM) that is part of the operating system of the virtual appliance. The password policies apply only to local user accounts.

Password Expiration Policy for VMware Aria Operations for Logs

You manage the password expiration policy on a user basis. You can modify the configuration for a user to refine the settings and adhere to the policies and regulatory standards of your organization. The default configuration is shown in the following table.

Table 1. Default Password Expiration Policy for VMware Aria Operations for Logs

Local User

Setting

Default

Description

root

maxdays

99999

Maximum number of days between password change.

mindays

0

Minimum number of days between password change.

warndays

7

Number of days of warning before a password expires.

Password Complexity Policy for VMware Aria Operations for Logs

You manage the password complexity policy by using the /etc/pam.d/system-password file. You can edit and modify the configuration to refine the settings and adhere to the policies of your organization and regulatory standards. The default configuration is shown in the following table.

Table 2. Password Complexity Policy for VMware Aria Operations for Logs

Setting

Default

Description

dcredit

-1

Minimum number of numerical characters required.

ucredit

-1

Minimum number of uppercase characters required.

lcredit

-1

Minimum number of lowercase characters required.

ocredit

-1

Minimum number of special characters required.

minlen

8

Minimum total number of characters required.

minclass

4

Minimum number of character classes required (e.g., uppercase, lowercase, numerical, special.)

difok

4

Minimum number of unique characters different from the previous password.

retry

3

Maximum number of retries allowed.

maxrepeat

0

Maximum number of sequential characters allowed.

remember

5

Maximum number of previous passwords remembered.

Account Lockout Policy for VMware Aria Operations for Logs

You manage the account lockout policy by using the /etc/pam.d/system-auth file. You can edit and modify the configuration to refine the settings and adhere to the policies of your organization and regulatory standards. The default configuration is shown in the following table.

Table 3. Default Account Lockout Policy for VMware Aria Operations for Logs

Setting

Default

Description

deny

3

Maximum number of authentication failures before the account is locked.

unlock_time

0

Amount of time in seconds that the account remains locked.

root_unlock_time

600

Amount of time in seconds that the root account remains locked.

Table 4. Design Decisions on Password Policies for VMware Aria Operations for Logs

Decision ID

Design Decision

Design Justification

Design Implication

ILA-VAOL-SEC-005

Configure the password expiration policy for each VMware Aria Operations for Logs appliance.

  • You configure the password expiration policy for the VMware Aria Operations for Logs appliance to align with the requirements of your organization which might be based on industry compliance standards.

  • The policy is applicable only to the local VMware Aria Operations for Logs appliance users.

You can manage the password expiration policy on the VMware Aria Operations for Logs appliance by using the virtual appliance console or ssh client.

ILA-VAOL-SEC-006

Configure the password complexity policy for the VMware Aria Operations for Logs appliance.

  • You configure the password complexity policy for VMware Aria Operations for Logs to align with the requirements of your organization which might be based on industry compliance standards.

  • The policy is applicable only to the local VMware Aria Operations for Logs users.

You can manage the password complexity policy on the VMware Aria Operations for Logs appliance by using the virtual appliance console or a Secure Shell (SSH) client.

ILA-VAOL-SEC-007

Configure the account lockout policy for each VMware Aria Operations for Logs appliance.

  • You configure the account lockout policy for VMware Aria Operations for Logs to align with the requirements of your organization which might be based on industry compliance standards.

  • The policy is applicable only to the local VMware Aria Operations for Logs appliance users.

You can manage the account lockout policy on the VMware Aria Operations for Logs appliance by using the virtual appliance console or a Secure Shell (SSH) client.

VMware Aria Operations for Logs Password Management

Changing the passwords periodically or when certain events occur, such as an administrator leaving your organization, increases the security posture and health of the system.

For more information, see the Password Management documentation for VMware Cloud Foundation.

Table 5. Design Decision on Password Management for VMware Aria Operations for Logs

Decision ID

Design Decision

Design Justification

Design Implication

ILA-VAOL-SEC-008

Change the VMware Aria Operations for Logsroot password on a recurring or event-initiated schedule by using the SDDC Manager user interface or API.

  • By default, the password for the VMware Aria Operations for Logsroot account expires every 365 days.

  • When VMware Aria Operations for Logs is deployed into a VMware Cloud Foundation environment in VMware Aria Suite Lifecycle, the root password is managed from the SDDC Manager user interface or API, not VMware Aria Suite Lifecycle.

By using SDDC Manager, you manage the password change or automated password rotation schedule for the VMware Aria Operations for Logsroot account in accordance with your organizational policies and regulatory standards.

ILA-VAOL-SEC-009

Change the VMware Aria Operations for Logsadmin account password on a recurring or event-initiated schedule by using the SDDC Manager UI or API.

When VMware Aria Operations for Logs is deployed into a VMware Cloud Foundation environment in VMware Aria Suite Lifecycle, the admin password is managed from the SDDC Manager user interface or API, not VMware Aria Suite Lifecycle.

You must routinely perform the password change for the admin account by using the SDDC Manager UI or API.