Download - vSphere Hardening Guide

vSphereHardeningGuide:ConsoleOSConfigurationRevisionB:Publicdraft(January2010)

ConsoleNetworkProtectionESXincludesabuiltinfirewallbetweentheserviceconsoleandthenetwork.Toensuretheintegrityoftheserviceconsole,VMwarehasreducedthenumberoffirewallportsthatareopenbydefault.Atinstallationtime,theserviceconsolefirewallisconfiguredtoblockallincomingandoutgoingtrafficexceptforports902,80,443,and22,whichareusedforbasiccommunicationwithESX.ThissettingenforcesahighlevelofsecurityfortheESXhost.MediumSecurityblocksallincomingtrafficexceptonthedefaultports(902,443,80,and22),andanyportsusersspecificallyopen.Outgoingtrafficisnotblocked.LowSecuritydoesnotblockeitherincomingoroutgoingtraffic.Thissettingisequivalenttoremovingthefirewall.BecausetheportsopenbydefaultontheESXarestrictlylimited,additionalportsmayneedtobeopenafterinstallationforthirdpartyapplicationssuchasmanagement,storage,NTP,etc.Forinstance,abackupagentmayusespecificportssuchas13720,13724,13782,and13783.ThelistofportsusedbyESXmaybefoundinthisKBarticle:http://kb.vmware.com/kb/1012382

ConfigurationElement Description

CodeNumber CON01

Name EnsureESXFirewallisconfiguredtoHighSecurity

Description ESXServerincludesabuiltinfirewallbetweentheserviceconsoleandthenetwork.AHighSecuritysettingdisablesalloutboundtrafficandonlyallowsselectedinboundtraffic.

RiskorControl Preventionofnetwork‐basedexploits

RecommendationLevel Enterprise

Parametersorobjectsconfiguration

ThefollowingcommandsconfigureHighSecurityonthefirewall

esxcfg‐firewall‐‐blockIncoming

esxcfg‐firewall‐‐blockOutgoing

Test Ensurethatoutboundconnectionsareblockedandonlyselectedinboundconnectionsareallowed


CodeNumber CON02

Name Limitnetworkaccesstoapplicationsandservices

Description Asasecuritybestpractice,disablingandremovingservicesandapplicationsthataren’trequiredisadvisable.TheESXServiceConsole,bydefault,hasanumberofavailableservicesthatshouldbedisabledunlessrequiredforbusiness.Also,ensurethatlimiteduseofexternalsoftwarewithintheserviceconsole.Examplesofadditionalsoftwarethatmaybeacceptabletorunintheserviceconsolewouldbemanagementandbackupagents.

Formoreinformationandrecommendationsonrunningthird‐partysoftwareintheserviceconsole,seehttp://www.vmware.com/vmtn/resources/516

RiskorControl Preventionofnetwork‐basedexploits



Allservicesnotrequiredexplicitlyforbusinesspurposesshouldbedisabled.

Test Runthe“esxcfg‐firewall–query”commandtodeterminewhatservicesareenabled.Todisableaservice,executethe“esxcfg‐firewall–d<servicename>”command.

ConsoleManagementAlthoughtheESXServiceConsoleisderivedfromRedHatLinux,itisauniqueoperatingplatformthatshouldnotbemanagedasatrueLinuxhost.Assuch,theServiceConsoleshouldbemanagedaccordingtoVMwareandothervirtualizationsecuritybestpractices,whichmaydifferfrommanywell‐knownLinux‐focusedbestpracticesinsomeways.

Ifyoufollowthebestpracticeofisolatingthenetworkfortheserviceconsole,thereisnoreasontorunanyantivirusorothersuchsecurityagents,andtheiruseisnotnecessarilyrecommended.However,ifyourenvironmentrequiresthatsuchagentsbeused,useaversiondesignedtorunonRedHatEnterpriseLinux3,Update6.

OperationalElement Description

CodeNumber COM01

Name DonotapplyRedHatpatchestotheServiceConsole,

Description AlthoughtheESXServiceConsoleisderivedfromRedHatLinux,itisimportantthatyounottreattheserviceconsolelikeaLinuxhostwhenitcomestopatching.NeverapplypatchesissuedbyRedHatoranyotherthird‐partyvendor.

RiskorControl TheserviceconsoleisgeneratedfromaRedHatLinuxdistributionthathasbeenmodifiedtoprovideexactlythefunctionalitynecessarytocommunicatewithandallowmanagementoftheVMkernel.AnyadditionalsoftwareinstalledshouldnotmakeassumptionsaboutwhatRPMpackagesarepresent,northatthesoftwarecanmodifythem.Inseveralcases,thepackagesthatdoexisthavebeenmodifiedespeciallyforESX.


Conditionorsteps ApplyonlypatchesthatarepublishedbyVMwarespecificallyfortheversionsofESXthatyouhaveinuse.Thesearepublishedfordownloadperiodically,aswellasonanas‐neededbasisforsecurityfixes.Youcanreceivenotificationsforsecurity‐relatedpatchesbysigningupforemailnotificationsathttp://www.vmware.com/security.


CodeNumber COM02

Name DonotrelyupontoolsthatonlycheckforRedHatpatches

Description YoushouldneveruseascannertoanalyzethesecurityoftheserviceconsoleunlessthescannerisspecificallydesignedtoworkwithyourversionofESX.

RiskorControl ScannersthatassumetheserviceconsoleisastandardRedHatLinuxdistributionroutinelyyieldfalsepositives.Thesescannerstypicallylookonlyforstringsinthenamesofsoftware,andthereforedonotaccountforthefactthatVMwarereleasescustomversionsofpackageswithspecialnameswhenprovidingsecurityfixes.Becausethesespecialnamesareunknowntothescanners,theyflagthemasvulnerabilitieswheninrealitytheyarenot.


Conditionorsteps YoushoulduseonlyscannersthatspecificallytreattheESXserviceconsoleasauniquetarget.Formoreinformation,seethesection“SecurityPatchesandSecurityVulnerabilityScanningSoftware”inthechapter“ServiceConsoleSecurity”oftheESXServer4ConfigurationGuide.


CodeNumber COM03

Name DoNotManagetheServiceConsoleasaRedHatLinuxHost

Description Theusualredhat‐config‐*commandsarenotpresent,norareothercomponentssuchastheXserver.

RiskorControl AttemptstomanagetheServiceConsoleasatypicalRedHatLinuxhostcouldresultinmisconfigurationsthataffectsecurity,includingavailability.


Conditionorsteps ManagetheServiceconolseusingpurpose‐builtcommands,suchasvmkfstoolsandtheesxcfg‐*commands.


CodeNumber COM04

Name UsevSphereClientandvCentertoAdministertheHostsInsteadofServiceConsole

Description Thebestmeasuretopreventsecurityincidentsintheserviceconsoleistoavoidaccessingitifatallpossible.YoucanperformmanyofthetasksnecessarytoconfigureandmaintaintheESXhostusingthevSphereClient,eitherconnecteddirectlytothehostor,betteryet,goingthroughvCenter.Anotheralternativeistousearemotescriptinginterface,suchastheVIPerlToolkitortheremotecommandlineinterface(RemoteCLI).TheseinterfacesarebuiltonthesameAPIthatvSphereClientandvCenteruse,soanyscriptusingthemautomaticallyenjoysthesamebenefitsofauthentication,authorization,andauditing.

RiskorControl M:HandM:AG


Conditionorsteps SecuritypoliciesandprocessesshouldbewrittentorequiretheuseoftheremoteAPIbasedtoolswhereverpossible.Accountswithdirectserviceconsoleaccessshouldbelimitedtotheminimumnumberofadministratorspossible.

Someadvancedtasks,suchasinitialconfigurationforpasswordpolicies,cannotbeperformedviathevSphereClient.Forthesetasks,youmustlogintotheserviceconsole.Also,ifyouloseyourconnectiontothehost,executingcertainofthesecommandsthroughthecommandlineinterfacemaybeyouronlyrecourse—forexample,ifthenetworkconnectionfailsandyouarethereforeunabletoconnectusingvSphereClient.

ConsolePasswordPolicies


CodeNumber COP01

Name UseaDirectoryServiceforAuthentication

Description AdvancedconfigurationandtroubleshootingofanESXhostmayrequirelocalprivilegedaccesstotheserviceconsole.Forthesetasks,youshouldsetupindividualhost‐localizeduseraccountsandgroupsforthefewadministratorswithoverallresponsibilityforyourvirtualinfrastructure.Ideally,theseaccountsshouldcorrespondtorealindividualsandnotbe

accountssharedbymultiplepeople.Althoughyoucancreateontheserviceconsoleofeachhostlocalaccountsthatcorrespondtoeachglobalaccount,thispresentstheproblemofhavingtomanageusernamesandpasswordsinmultipleplaces.Itismuchbettertouseadirectoryservice,suchasNISorLDAP,todefineandauthenticateusersontheserviceconsole,soyoudonothavetocreatelocaluseraccounts.

RiskorControl Low

AccessVectoristhemanagementnetwork(AV:A/AC:L:Au:S/C:?/I:?/A:?)



Inthedefaultinstallation,ESX3.5‐4.0cannotuseActiveDirectorytodefineuseraccounts.However,itcanuseActiveDirectorytoauthenticateusers.Inotherwords,youcandefineindividualuseraccountsonthehost,thenusethelocalActiveDirectorydomaintomanagethepasswordsandaccountstatus.Youmustcreatealocalaccountforeachuserthatrequireslocalaccessontheserviceconsole.Thisshouldnotbeseenasaburden;ingeneral,onlyrelativelyfewpeopleshouldhaveaccesstotheserviceconsole,soitisbetterthatthedefaultisfornoonetohaveaccessunlessyouhavecreatedanaccountexplicitlyforthatuser.

AD,NIS,Kerberos,andLDAPareallsupporteddirectoryservices.Authenticationontheserviceconsoleiscontrolledbythecommandesxcfg‐auth.Youcanfindinformationonthiscommandinitsmanpage.Typemanesxcfg‐authatthecommandlinewhenloggedintotheserviceconsole.ForinformationonauthenticationwithActiveDirectory,seethetechnicalnoteathttp://www.vmware.com/vmtn/resources/582.

Itisalsopossibletousethird‐partypackages,suchasWinbindorCentrify,toprovidetighterintegrationwithActiveDirectory.Consultthedocumentationforthosesolutionsforguidanceonhowtodeploythemsecurely.

Test Theesxcfg‐auth–probecommandwilllistallofthefilesthataregeneratedandeditedbytheesxcfg‐authcommand.Theentriesinthosefileswillbedifferentdependingonwhichauthenticationmechanismyouchoose.

Configuration Description

Element

CodeNumber COP02

Name EstablishaPasswordPolicyforPasswordComplexity

Description Thesecontrolsensurethatuserscreatepasswordsthatarehardforpasswordgeneratorstodetermine.Insteadofusingwords,acommontechniqueforensuringpasswordcomplexityistouseamemorablephrase,thenderiveapasswordfromit—forexample,byusingthefirstletterofeachword.

Thedefaultpam_cracklib.soplug‐inprovidessufficientpasswordstrengthenforcementformostenvironments.However,ifthepam_cracklib.soplug‐inisnotstringentenoughforyourneeds,youcanchangetheparametersusedforthepam_cracklib.soplug‐inorusethepam_passwdqc.soplug‐ininstead.Youchangetheplug‐inusingtheesxcfg‐auth–usepamqccommand.

RiskorControl Thisrecommendationaddressestheriskofpasswordsbeingguessedorcracked.

RecommendationLevel

DMZ


esxcfgauthusepamqc

Thiscommandrequires6parametersinthefollowingorder:‐ minimumlengthofasinglecharacterclasspassword‐ minimumlengthofapasswordthathascharactersfrom2

characterclasses‐ minimumnumberofwordsinapassphrase‐ minimumlengthofapasswordthathascharactersfrom3

characterclasses‐ minimumlengthofapasswordthathascharactersfrom4

characterclasses‐ maximumnumberofcharactersreusedfromtheprevious

password

Ifyoupassavalueof‐1foranyofthesixparametersitdisablesthatoption.

Forexamplethecommandline:

esxcfgauthusepamqc=1111281

disablesthefirstthreeparameters,requiresa12characterpasswordusingcharactersfrom3characterclassesoran8characterpasswordthatusescharactersfrom4characterclassesanddisablesthefinalparameter.

Test Checkthefollowinglineinthe/etc/pam.d/systemauthgenericfile:

“passwordrequired/lib/security/$ISA/pam_passwdqc.so”:

ifnotextstringisdisplayed,thecomplexityisnotset.Ifthereisatextstringattheendofthisline,ensurethatitmeetsyourpolicy.


CodeNumber COP03

Name EstablishaPasswordPolicyforPasswordHistory

Description Keepingapasswordhistorymitigatestheriskofauserreusingapreviouslyusedpasswordtoooften.


RecommendationLevel DMZ


Ifitdoesnotalreadyexistcreateapasswordhistoryfile:

touch/etc/security/opasswd

chmod600/etc/security/opasswd

Setthenumberofpasswordstoretainformatching:

Editthe/etc/pam.d/system‐authfileandaddthestring“remember=x”wherexisthenumberofpasswordstoretaintotheendofthefollowingline:

“passwordsufficient/lib/security/$ISA/pam_unix.so”

Test Checkforthepresenceofthestring“remember=”andensurethatthevalueisincompliancewithyourinternalpolicy.


CodeNumber COP04

Name EstablishaMaximumPasswordAgingPolicy

Description Thesecontrolsgovernhowlongauserpasswordcanbeactivebeforetheuserisrequiredtochangeit.

RiskorControl Theyhelpensurethatpasswordschangeoftenenoughthatifanattackerobtainsapasswordthroughsniffingorsocialengineering,theattackercannotcontinuetoaccesstheESXhostindefinitely.



Tosetthemaximumpasswordageusethefollowingcommand:

esxcfgauth–passmaxdays=n

wherenisthemaximumnumberofdaysforapasswordtolive.

Test Runthefollowingcommandtoseewhatthepasswordmaximulifesettingissetto:

grep–imax_days/etc/login.defs

Thisnumbershouldbecomparedtoyourpolicy.


CodeNumber COP05

Name EstablishaPasswordPolicyforMinimumDaysBeforeaPasswordisChanged

Description Asthemaximumnumberofdaysforapasswordtoliveisimportant,therealsoneedstobeaminimumnumberofdaysaswell.Thiswillmitigatetheriskofauserchangingapasswordenoughtimestobeabletoreusetheirfavoritepasswordthatisoutsideofthepasswordreusepolicy.




esxcfgauth–passmindays=n

Test Runthefollowingcommandtoseewhatthepasswordminimumlifesettingissetto:

“grep–imin_days/etc/login.defs”

Thisnumbershouldbecomparedtoyourpolicy.


CodeNumber COP06

Name Ensurethatvpxuserauto‐passwordchangeinvCentermeetspolicy

Description BydefaultthevpxuserpasswordwillbeautomaticallychangedbyvCentereveryXnumberofdays.Ensurethatthissettingmeetsyourpoliciesandifnot,configuretomeetpasswordagingpolicies.NotethatitisveryimportantthatthepasswordagingpolicyshouldnotbeshorterthantheintervalthatissettoautomaticallychangethevpxuserpasswordorvCentercouldgetlockedoutofanESXHost.

RiskorControl Ifanattackerobtainsthevpxuserpasswordthroughbrute‐force,itcanonlybeusedforalimitedamountoftime.



vCenterServerAdvancedSettings:vCenterVirtualCenter.VimPasswordExpirationInDays

Test EnsurethatvCenterVirtualCenter.VimPasswordExpirationInDaysvalueissetlowerthanthepasswordagingpolicyontheCOS.

ConsoleLoggingProperandthoroughloggingallowsyoutokeeptrackofanyunusualactivitythatmightbeaprecursortoanattackandalsoallowsyoutodoapostmortemonanycompromisedsystemsandlearnhowtopreventattacksfromhappeninginthefuture.ThesyslogdaemonperformsthesystemlogginginESX.Youcanaccessthelogfilesintheserviceconsolebygoingtothe/var/log/directory.SeveraltypesoflogfilesgeneratedbyESXareshowninthefollowingtable.

Component Location Purpose

Vmkernel /var/log/vmkernel RecordsactivitiesrelatedtothevirtualmachinesandESX

VMkernelwarnings

/var/log/vmkwarning Recordsactivitieswiththevirtualmachines

VMkernelsummary

/var/log/vmksummary UsedtodetermineuptimeandavailabilitystatisticsforESX;human‐readablesummaryfoundin/var/log/vmksummary.txt

ESXhostagentlog

/var/log/vmware/hostd.log ContainsinformationontheagentthatmanagesandconfigurestheESXhostanditsvirtualmachines

Virtualmachines

Thesamedirectoryastheaffectedvirtualmachine’sconfigurationfiles;namedvmware.logandvmware‐*.log

Containinformationwhenavirtualmachinecrashesorendsabnormally

vCenteragent /var/log/vmware/vpx ContainsinformationontheagentthatcommunicateswithvCenter

Webaccess Filesin/var/log/vmware/webAccess

RecordsinformationonWeb‐basedaccesstoESX

Serviceconsole

/var/log/messages ContainallgenerallogmessagesusedtotroubleshootvirtualmachinesorESX

Authenticationlog

/var/log/secure Containsrecordsofconnectionsthatrequireauthentication,suchasVMwaredaemonsandactionsinitiatedbythexinetddaemon.

Thelogfilesprovideanimportanttoolfordiagnosingsecuritybreachesaswellasothersystemissues.Theyalsoprovidekeysourcesofauditinformation.Inadditiontostoringloginformationinfilesonthelocalfilesystem,youcansendthisloginformationtoaremotesystem.Thesyslogprogramistypicallyusedforcomputersystemmanagementandsecurityauditing,anditcanservethesepurposeswellforESXhosts.Youcanselectindividualserviceconsolecomponentsforwhichyouwantthelogssenttoaremotesystem.


CodeNumber COL01

Name Configuresysloglogging

Description Remoteloggingtoacentralhostprovidesawaytogreatlyincreaseadministrationcapabilities.Bygatheringlogfilesontoacentralhost,youcaneasilymonitorallhostswithasingletoolaswellasdoaggregateanalysisandsearchingtolookforsuchthingsascoordinatedattacksonmultiplehosts.

RiskorControl Loggingtoasecure,centralizedlogservercanhelppreventlogtamperingandprovidesalong‐termauditrecord.



Syslogbehavioriscontrolledbytheconfigurationfile/etc/syslog.conf.Forlogsyouwanttosendtoaremoteloghost,addalinewith@<loghost.company.com>afterthemessagetype,where<loghost.company.com>isthenameofahostconfiguredtorecordremotelogfiles.Makesurethatthishostnamecanbeproperlyresolved,puttinganentryinthenameservicemapsifneeded.

Example:

local6.warning@<loghost.company.com>

Aftermodifyingthefile,tellthesyslogdaemontorereaditbyissuingthefollowingcommand:

kill‐SIGHUP`cat/var/run/syslogd.pid`

Ataminimumthefollowingfilesshouldbeloggedtoaremotesyslogserver:

/var/log/vmkernel‐Recursive

/var/log/secure‐Recursive

/var/log/messages

/var/log/vmware/*log.

/var/log/vmware/aam/*log

/var/log/vmware/aam/*err

/var/log/vmware/webAccess/.*log

/var/log/vmware/vpx/vpxa.log

/vmfs/volumes/<vmpath>/vmware.log–forallVM’swherevmpathisthepathtotheVM.

Test Tocheckthatremoteloggingisconfigured:cat /etc/syslog.conf | grep @

Tocheckthatremoteloggingtrafficispermittedoutboundfromthehost:esxcfg-firewall –q | grep 514

Tocheckthatsyslogserviceisconfiguredtorun:chkconfig –list | grep syslog


CodeNumber COL02

Name ConfigureNTPtimesynchronization

Description Byensuringthatallsystemsusethesamerelativetimesource(includingtherelevantlocalizationoffset),andthattherelativetimesourcecanbecorrelatedtoanagreed‐upontimestandard(suchasCoordinatedUniversalTime—UTC),youcanmakeitsimplertotrackandcorrelateanintruder’sactionswhenreviewingtherelevantlogfiles.

RiskorControl Incorrecttimesettingscouldmakeitdifficulttoinspectandcorrelatelogfilestodetectattacks,andwouldmakeauditinginaccurate.



NTPcanbeconfiguredonanESXhostusingthevSphereClient,orusingaremotecommandlinesuchasvCLIorPowerCLI.

Test • QuerytheNTPconfigurationtomakesurethatavalidtimesourcehasbeenconfigured,

• MakesurethattheNTPserviceisrunningonthehost

ConsoleHardening

ConfigurationElement

Description

CodeNumber COH01

Name Partitionthedisktopreventtherootfilesystemfromfillingup

Description Iftherootfilesystemfillsup,itcanseriouslydegradetheperformanceofESXmanagementcapabilitiesorevenmakethemunresponsive.

WhenyouinstallESX4.0,thedefaultpartitioningcreatesonly3partitions.Toprotectagainsttherootfilesystemfillingup,youcancreateadditionalseparatepartitionsforthedirectories/home,/tmp,and/var/log.Thesearealldirectoriesthathavethepotentialtofillup,andiftheyarenotisolatedfromtherootpartition,youcouldexperienceadenialofserviceiftherootpartitionisfullandunabletoacceptanymorewrites.TheChapter“ESXPartitioning”intheESXandvCenterServerInstallationGuidecoversdiskpartitionsinmoredetail.

http://pubs.vmware.com/vsp40u1/install/c_esx_partitioning.html#1_9_18_1

RiskorControl Preventsadenial‐of‐serviceagainstthemanagementofthathost

RecommendationLevel

Enterprise


/etc/fstab

Test Runthe“df”commandandensurethatthedirectoriesfor/home,/tmp,and/var/logaremountedontheirownpartitions.

ParameterElement Description

CodeNumber COH02

Name DisableAutomaticMountingofUSBDevices

Description ExternalUSBdrivescanbeconnectedtotheESXhostandbeloadedautomaticallyontheserviceconsole.TheUSBdrivemustbemountedbeforeyoucanuseit,butdriversareloadedtorecognizethedevice.

Threat AttackersmaybeabletorunmaliciouscodeontheESXhostandgoundetectedbecausetheUSBdriveisexternal.

RecommendationLevel SSLF

Parametersetting Bydefault,automaticUSBdrivemountingisenabled,butitisrecommendedthatyoudisablethisfeaturebyeditingtheserviceconsolefile/etc/modules.confandcommentingoutthelinecontainingaliasusb‐controllerbyplacingapoundsign(#)atthebeginning.

Effectonfunctionality ThereisariskthataUSB‐basedkeyboardandmousewillceasetofunctionproperlyafterimplementingthisstep.Itisrecommendedthatyouverifythatmouseandkeyboardcontinuetooperatenormallyandnotimplementthisstepiftheydonot.

Positiveevidence Ifthelinecontainingaliasusb‐controlerhasapoundsign(#)atthebeginningoftheline,thisisapositivetest.

Negativeevidence Ifthelinecontainingaliasusb‐controlerdoesnothaveapoundsign(#)atthebeginningoftheline,thisisanegativetest.

Theserviceconsolehasanumberoffilesthatspecifyitsconfigurations: /etc/profile /etc/ssh/sshd_config /etc/pam.d/system‐auth /etc/grub.conf /etc/krb.conf /etc/krb5.conf /etc/krb.realms /etc/login.defs /etc/openldap/ldap.conf /etc/nscd.conf /etc/ntp /etc/ntp.conf /etc/passwd /etc/group /etc/nsswitch.conf /etc/resolv.conf

/etc/sudoers /etc/shadowInaddition,ESXconfigurationfileslocatedinthe/etc/vmwaredirectorystorealltheVMkernelinformation.NotallofthesefilesareactuallyusedbyyourparticularESXdeployment,butallthefilesarelistedforcompleteness.


CodeNumber COH03

Name EstablishandMaintainFileSystemIntegrity

Description ItiscriticaltomonitortheintegrityofcertaincriticalsystemfileswithintheESXServiceConsole.Inaddition,thepermissionsofnumerouscriticalfilesshouldbeconfiguredtopreventunnecessaryaccessfromoccurring.

RiskorControl


Conditionorsteps Configurationfilesshouldbemonitoredforintegrityandunauthorizedtampering,usingacommercialtoolsuchasTripwire,orbyusingachecksumtoolsuchassha1sum,whichisincludedintheserviceconsole.Thesefilesshouldalsobebackedupregularly,eitherusingbackupagentsorbydoingbackupsbasedonfilecopying.

OperationalElement

Description

CodeNumber COH04

Name Ensurepermissionsofimportantfilesandutilitycommandshavenotbeenchangedfromdefault.

Description Variousfilesandutilitiesareinstalledwithparticularfilepermissionstoenablecertainfunctionalitywithoutrequiringunnecessaryprivilegelevelsfortheuseraccessingthem.

RiskorControl ChangingpermissionsfromdefaultontheseimportantfilescanhaveanaffectonthefunctionalityoftheESXhostandcouldpotentiallycausethesecommandstonotrunproperlyandassuchcauseadenialofservice.

RecommendationLevel

DMZ

Conditionorsteps

The/usr/sbin/esxcfg‐*commands,whichareallinstalledbydefaultwithpermissions555.

Thelogfilesdiscussedintheprevioussection,whichallhavepermissions600,exceptforthedirectory/var/log/vmware/webAccess,whichhaspermissions755,andthevirtualmachinelogfiles,whichhavepermissions644.

CertainsystemcommandsthathavetheSUIDbit.Thesecommandsarelistedhere:

http://pubs.vmware.com/vsp40u1/server_config/r_default_setuid_applications.html

Forallofthesefiles,theuserandgroupownershouldberoot.

ConsoleAccess

ParameterElement

Description

CodeNumber COA01

Name Preventtamperingatboottime

Description Agrubpasswordcanbeusedtopreventusersfrombootingintosingleusermodeorpassingoptionstothekernelduringboot.

Threat Bypassinginbootparameters,itmightbepossibletoinfluencethehostsothatitbehavesimproperly,perhapsinamannerthatishardtodetect.

RecommendationLevel

DMZ

Parametersetting DuringtheESXinstallation,theAdvancedoptionallowsyoutosetagrubpassword.Thiscanalsobesetbydirectlyediting/boot/grub.conf..SeetheChapter“InstallingVMwareESX”intheESXandvCenterServerInstallationGuideformoredetails.

Effectonfunctionality

Unlessthepasswordisentered,theserverbootsonlythekernelwiththedefaultoptions.

Positiveevidence Duringboot,itshouldnotbepossibletochangebootparameterswithoutenteringthecorrectpassword

Negativeevidence Thereisnopasswordconfiguredin/boot/grub.conf


CodeNumber COA02

Name RequireAuthenticationforSingleUserMode

Description Anyonewithphysicalaccesscanaccesstheserviceconsoleasrootifapasswordisnotsetforsingleusermodeaccess.

Threat Whenthisrecommendationisfollowed,thenifanattackergainsaccesstotheconsole,theycanonlyloginasanordinaryuserandwon’tnecessarilybeabletoescalateprivilegelevelwithoutadditionaleffort.


Parametersetting Addtheline

~~:S:wait:/sbin/sulogin

to/etc/inittab

Effectonfunctionality Iftherootpasswordislostthentherewillbenowaytoaccessthesystem.

Positiveevidence Checkforevidenceoftheline


to/etc/inittab

Ifitexiststhisisapositivetest.

Negativeevidence Checkforevidenceoftheline


to/etc/inittab

Ifitdoesnoexistthisisanegativetest.


CodeNumber COA03

Name EnsurerootaccessviaSSHisdisabled

Description Becausetherootuseroftheserviceconsolehasalmostunlimitedcapabilities,securingthisaccountisthemostimportantstepyoucantaketosecuretheESXhost.Bydefault,allinsecureprotocols,suchasFTP,Telnet,andHTTP,aredisabled.RemoteaccessviaSSHisenabled,butnotfortherootaccount.Youcancopyfilesremotelytoandfromtheserviceconsoleusinganscp(securecp)client,suchasWinSCP.

Threat EnablingremoterootaccessoverSSHoranyotherprotocolisnotrecommended,becauseitopensthesystemtonetwork‐basedattackshouldsomeoneobtaintherootpassword.


Parametersetting Theline“PermitRootLogin”inthe/etc/sshd_confshouldbesetto“no”

Effectonfunctionality TherootuserwillnotbeabletologinviaSSH.

Positiveevidence Iftheline“PermitRootLoginno”inthe/etc/sshd_confexistsanditdoesnotstartwithapoundsign(#),thisisapositivefinding.

Negativeevidence Iftheline“PermitRootLoginyes”inthe/etc/sshd_confexists,orisprefacedbyapoundsign(#),orthethe“PermitRootLogin”parameterdoesnotexistinthefile,thisisanegativefinding.


CodeNumber COA04

Name DisallowDirectrootLogin

Description YoucandisallowrootaccessevenontheconsoleoftheESXhost—thatis,whenyouloginusingascreenandkeyboardattachedtotheserveritself,ortoaremotesessionattachedtotheserver’sconsole.Thisapproachforcesanyonewhowantstoaccessthesystemtofirstloginusingaregularuseraccount,thenusesudoorsutoperformtasks.

Theneteffectisthatadministratorscancontinuetoaccessthesystem,buttheyneverhavetologinasroot.Instead,theyusesudotoperformparticulartasksorsutoperformarbitrarycommands.

Threat Whenthisrecommendationisfollowed,thenifanattackergainsaccesstotheconsole,theycanonlyloginasanordinaryuserandwon’tnecessarilybeabletoescalateprivilegelevelwithoutadditionaleffort.


Parametersetting Topreventdirectrootloginontheconsole,modifythefile/etc/securettytobeempty.Whileloggedinasroot,enterthefollowingcommand:

cat/dev/null>/etc/securetty

Youshouldfirstcreateanonprivilegedaccountonthehosttoenablelogins,otherwiseyoucouldfindyourselflockedoutofthehost.Thisnonprivilegedaccountshouldbealocalaccount—thatis,onethatdoesnotrequireremoteauthentication—sothatifthenetworkconnectiontothedirectoryserviceislost,accesstothehostisstillpossible.Youcanassurethisaccessbydefiningalocalpasswordforthisaccount,usingthepasswdcommand.

Effectonfunctionality Afteryoudothis,onlynonprivilegedaccountsareallowedtologinattheconsole.Rootloginattheconsolewillnolongerbepossible.

Positiveevidence /etc/securettyisempty.

Negativeevidence /etc/securettyisnotempty.


CodeNumber COA05

Name Limitaccesstothesucommand.

Description Becausesuissuchapowerfulcommand,youshouldlimitaccesstoit.Bydefault,onlyusersthataremembersofthewheelgroupintheserviceconsolehavepermissiontorunsu.Ifauserattemptstorunsu‐togainrootprivilegesandthatuserisnotamemberofthewheelgroup,thesu‐attemptfailsandtheeventislogged.

Threat


Parametersetting Besidescontrollingwhohasaccesstothesucommand,

throughthepluggableauthenticationmodule(PAM)infrastructure,youcanspecifywhattypeofauthenticationisrequiredtosuccessfullyexecutethecommand.Inthecaseofthesucommand,therelevantPAMconfigurationfileis/etc/pam.d/su.Toallowonlymembersofthewheelgrouptoexecutethesucommand,andthenonlyafterauthenticatingwithapassword,findthelinebeginningwithauthrequiredandremovetheleadingpoundsign(#)soitreads:

authrequired/lib/security/$ISA/pam_wheel.souse_uid

Effectonfunctionality Preventsusersthatarenotinthewheelgroupfromrunningthesucommand.

Positiveevidence authrequired/lib/security/$ISA/pam_wheel.souse_uiddoesnothaveleadingpoundsign(#).

Negativeevidence authrequired/lib/security/$ISA/pam_wheel.souse_uidhasleadingpoundsign(#).

Thesudoutilityshouldbeusedtocontrolwhatprivilegedcommandsuserscanrunwhileloggedintotheserviceconsole.Amongthecommandsyoushouldregulatearealloftheesxcfg‐*commandsaswellasthosethatconfigurenetworkingandotherhardwareontheESXhost.Youshoulddecidewhatsetofcommandsshouldbeavailabletomorejunioradministratorsandwhatcommandsyoushouldallowonlysenioradministratorstoexecute.Youcanalsousesudotorestrictaccesstothesucommand.Usethefollowingtipstohelpyouconfiguresudo:

‐ Configurelocalandremotesudologging(seeMaintainProperLogging“MaintainProperLogging”onpage12).

‐ Createaspecialgroup,suchasvi_admins,andallowonlymembersofthatgrouptousesudo.

‐ Usesudoaliasestodeterminetheauthorizationscheme,thenaddandremoveusersinthealiasdefinitionsinsteadofinthecommandsspecification.

‐ Becarefultopermitonlytheminimumnecessaryoperationstoeachuserandalias.Permitveryfewuserstorunthesucommand,becausesuopensashellthathasfullrootprivilegesbutisnotauditable.

‐ Ifyouhaveconfiguredauthenticationusingadirectoryservice,sudousesitbydefaultforitsownauthentication.Thisbehavioriscontrolledbythe/etc/pam.d/sudofile,onthelineforauth.Thedefaultsetting—service=system‐auth—tellssudotousewhateverauthenticationschemehasbeensetgloballyusingtheesxcfg‐authcommand.

‐ Requireuserstoentertheirownpasswordswhenperformingoperations.Thisisthedefaultsetting.Donotrequiretherootpassword,becausethis

presentsasecurityrisk,anddonotdisablepasswordchecking.Insudotheauthenticationpersistsforabriefperiodoftimebeforesudoasksforapasswordagain.

Forfurtherinformationandguidelinesforusingsudo,seehttp://www.gratisoft.us/sudo/.


CodeNumber COA06

Name Configureandusesudotocontroladministrativeaccess

Description Thesudoutilityshouldbeusedtocontrolwhatprivilegedcommandsuserscanrunwhileloggedintotheserviceconsole.

RiskorControl



Parameterstobeconfiguredareinthe/etc/sudoersfile.

Amongthecommandsyoushouldregulatearealloftheesxcfg‐*commandsaswellasthosethatconfigurenetworkingandotherhardwareontheESXhost.Youshoulddecidewhatsetofcommandsshouldbeavailabletomorejunioradministratorsandwhatcommandsyoushouldallowonlysenioradministratorstoexecute.Youcanalsousesudotorestrictaccesstothesucommand.Becauseeachsituationwillbedifferent,eachconfigurationwillbedifferent,sonospecificguidancecanbegivenhere.

Test Checktheconfigurationinthe/etc/sudoersfileandensurethatitmeetsyourpolicy.