Hopefully by now you’ve read Part 1. In there we discussed the new security features of many new VMware virtual appliances, including some that are being released with vSphere 5.5. In this post and the two following, we’ll start the discussion on how to enable your virtual appliances to be compliant with site-specific requirements. If you’re falling under DISA STIG requirements, the next few posts are for you! It’s time to get your geek on with Parts 2, 3 & 4!
Meeting Site-Specific Security Compliance Goals
In every setting, there will always be some level of customization that’s needed to meet site-specific security goals. These are things like
- Root password use
- Password complexity policies
- Login banner requirements
- Password expirations
- SSH settings
- Time settings
- Logging requirements
- Boot loader lockdown
- NFS/NIS settings
All of these settings may have unique values based on what regulations you fall under in your environment and are unique enough to not be easily covered out of the box in the VMware Hardened Virtual Appliance OS. This article will go into some detail on how to address these settings with the VMware Hardened Virtual Appliances called out in Part 1.
NOTE: Changing any of these settings is intended for advanced level admins
Most VMware Hardened Virtual Appliances either let you set the root password during initial setup or ship with it preset to ‘vmware’. Change the root password in either case: setting a new password is the only way to guarantee that it meets your complexity policy and that it is stored with the SHA-512 hash required for STIG or site-specific compliance.
NOTE: In some cases, such as VCSA and VCO, the root account can be modified in the VMware Appliance Management Infrastructure (VAMI) user interface. VCOPs also provides the ability to change the root password through its own admin interface. If deploying one of these appliances, consult the admin/user guide for the specific product on how to modify the root password.
To change the root password at the command line, use the command ‘passwd’ at the root shell of the appliance.
NOTE: the root user bypasses the pam_cracklib module password complexity check (found in /etc/pam.d/common-password). It is imperative to manually ensure that the root password meets the corporate password complexity requirements of your organization.
To check which hash algorithm protects the root password, view the root entry in /etc/shadow as root.
The password field is the second field of the shadow file. If it starts with “$6$”, the password is stored as a SHA-512 crypt hash, which is the standard for all hardened appliances. Any other prefix (“$5$” is SHA-256, “$1$” is MD5, and a value with no “$” prefix is legacy DES crypt) means the password predates the hardened defaults; run the ‘passwd’ command to change it and the new password will be hashed with SHA-512. A field beginning with “!” or “*” means the account is locked or has no password, so there is nothing to check.
NOTE: All hardened appliances enable “enforce_for_root” for the pw_history module (found in /etc/pam.d/common-password), so the last five passwords will be remembered by default. Old passwords are stored for each user in the /etc/security/opasswd file. To re-use the same password, delete the entry for the root user in the file. Re-using the same password is not recommended once the system is in production.
Super Important! Read the "VMware Hardened Virtual Appliance Operations Guide" for the new appliances when they become available, specifically the part about password expirations! You should review the password expiration settings on the virtual appliance at deployment time. The last thing you want is to have the password expire on you when you really need it!
It is highly recommended to check the expiry on all accounts to meet both security and operational requirements standards. This is where good organizational compliance polices come into play. A procedure that ensures administrators do not forget to change their passwords within the active period is very important to implement.
NOTE: If the root account expires, there will be no supported method in the appliance to re-instate the root password!
On the VCSA you can easily change password expiration from the Admin tab of the VAMI interface or by using the chage utility at the command line. My VMware colleague, William Lam, has written about this issue. Follow him on Twitter for more info. For the other VMware Hardened Virtual Appliances, see the instructions below.
To meet the STIG, the maximum password age should be 60 days for user accounts and may be up to 365 days for service accounts. All VMware Hardened Virtual Appliances create accounts with a 60-day maximum by default, except the VMware vCenter Server Appliance (VCSA), which uses 90 days. On most VMware Hardened Virtual Appliances, the root account is set to a 365-day maximum.
As root, run the following command to check the password expiry of all accounts:
# more /etc/shadow
The maximum password age, in days, is the fifth field of each shadow entry. An appliance whose root password is set to expire after 3 years, for example, shows 1095 in that field for root.
To modify the expiry of the root account run the following command as root:
# passwd -x 365 root
This sets the maximum age of the root password to 365 days. Use the same command for any other account, substituting the account name for ‘root’ and choosing the number of days that meets the expiry standard of your organization. Re-check /etc/shadow afterwards to confirm that the fifth field changed.
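The two checks described above (the hash prefix in field 2 and the maximum age in field 5) are easy to eyeball for one account but tedious across every account on an appliance. The following POSIX shell script is an added example, not part of the original post and not shipped with any VMware appliance: it parses a shadow-format file and reports, for every account, the hash algorithm, the maximum password age, and whether it breaks policy. The thresholds (60 days for users, 365 for root, the STIG values quoted above), the sample shadow entries with their fake hashes, and the fixed TODAY value used for reproducible output are all constructed for the example; on a real appliance you would point it at /etc/shadow as root and omit the TODAY argument.

```shell
#!/bin/sh
# Audit a shadow(5)-format file against the checks in this post:
#   field 2: password hash should be SHA-512 crypt ($6$...)
#   field 5: maximum password age should not exceed site policy
#   fields 3+5: flag passwords that have already expired
#
# Usage: audit_shadow FILE [USER_MAX] [ROOT_MAX] [TODAY]
#   USER_MAX  max password age (days) allowed for ordinary accounts, default 60
#   ROOT_MAX  max password age (days) allowed for root, default 365
#   TODAY     days since the epoch; defaults to the current date, but can be
#             fixed (as in the demo below) so output is reproducible
# Prints one line per account: "<user> <hash-alg> <maxdays> <verdict>"
audit_shadow() {
    file=$1
    user_max=${2:-60}
    root_max=${3:-365}
    today=$4
    [ -n "$today" ] || today=$(( $(date +%s) / 86400 ))

    # IFS=: makes each colon a field separator; empty fields stay empty.
    while IFS=: read -r user hash lastchg mindays maxdays _rest; do
        [ -n "$user" ] || continue                 # skip blank lines
        case "$hash" in
            ''|'!'*|'*'*) alg=locked ;;            # locked / no password
            '$6$'*)       alg=sha512 ;;            # hardened-appliance default
            '$5$'*)       alg=sha256 ;;
            '$1$'*)       alg=md5 ;;
            '$'*)         alg=other ;;             # some other crypt scheme
            *)            alg=descrypt ;;          # legacy 13-char DES hash
        esac

        if [ "$alg" = locked ]; then
            printf '%s %s %s LOCKED\n' "$user" "$alg" "${maxdays:--}"
            continue
        fi

        verdict=
        [ "$alg" = sha512 ] || verdict="${verdict}WEAK_HASH,"

        if [ "$user" = root ]; then limit=$root_max; else limit=$user_max; fi
        # An empty fifth field (or the conventional 99999) means "never expires".
        if [ -z "$maxdays" ] || [ "$maxdays" -ge 99999 ]; then
            verdict="${verdict}NO_EXPIRY,"
        else
            [ "$maxdays" -le "$limit" ] || verdict="${verdict}EXPIRY_EXCEEDS_POLICY,"
            # lastchg + maxdays is the day the password stops working.
            [ -z "$lastchg" ] || [ $(( $lastchg + $maxdays )) -ge "$today" ] \
                || verdict="${verdict}EXPIRED,"
        fi
        verdict=${verdict%,}
        printf '%s %s %s %s\n' "$user" "$alg" "${maxdays:--}" "${verdict:-OK}"
    done < "$file"
}

# Constructed sample shadow file for the demo. The hashes are placeholders,
# not real password hashes; the dates are days since the epoch.
sample_shadow() {
    cat <<'EOF'
root:$6$saltsalt$FAKEHASHroot0000000000000000000000000000000000:16000:0:1095:7:::
admin:$6$saltsalt$FAKEHASHadmin000000000000000000000000000000000:16400:0:60:7:::
svc_backup:$1$saltsalt$FAKEHASHmd5000000000000:16450:0:60:7:::
appuser:$6$saltsalt$FAKEHASHappuser0000000000000000000000000000:16000:0::7:::
ops:$6$saltsalt$FAKEHASHops00000000000000000000000000000000000:16480:0:60:7:::
daemon:*:15000:0:99999:7:::
nobody:!:15000:0:99999:7:::
EOF
}

# Demo on the constructed sample with TODAY fixed at day 16500.
# On a real appliance run:  audit_shadow /etc/shadow
tmp=$(mktemp)
sample_shadow > "$tmp"
audit_shadow "$tmp" 60 365 16500
rm -f "$tmp"
```

In the demo, root is reported as EXPIRY_EXCEEDS_POLICY (1095 days against a 365-day limit, the case the post describes), admin as EXPIRED, svc_backup as WEAK_HASH (MD5), and appuser as NO_EXPIRY. Accounts flagged WEAK_HASH or EXPIRED need a new password via ‘passwd’; EXPIRY_EXCEEDS_POLICY and NO_EXPIRY are fixed with ‘passwd -x’, and ‘chage -l <user>’ shows the same dates for a single account in human-readable form.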
Thanks for reading,