Configure vCenter Security Hardening Settings
For the security hardening of vCenter, two additional parameters must be configured manually in addition to the ones set by the automated script. For information on the automated script, see Automation Script for Setting STIG Parameters.
To configure these two additional vCenter Security Hardening settings:
SUMMARY STEPS
- Set the vpxd.hostPasswordLength parameter to 32.
- Disable the vCenter Server Datastore browser.
DETAILED STEPS
Step 1 |
Set the vpxd.hostPasswordLength parameter to 32. |
Step 2 |
Disable the vCenter Server Datastore browser. |
Automation Script for Setting STIG Parameters
The STIG automation script for setting the STIG parameters for the Controller VMs, ESXi hosts, and vCenter in an HX Cluster can be executed either from a Controller VM or from a server with the following specification:
- Ubuntu Version: 16.04.4 LTS (Xenial Xerus)
- Python Version: 2.7.12
- Packages required: pyvmomi
The script, the configuration file, and the log files are present on the Controller VM at the following locations:
- /usr/share/secureshell-config/configureStig.py
- /var/log/hyperflex/check_and_enable_stig.log
- /var/log/hyperflex/apply_stig.log
The script supports the following ESXi and vCenter versions:
- v 6.0
- v 6.5
- v 6.7
- v 7.0
For more information on the parameters, see https://hxsrc.cisco.com/bitbucket-eng-chn-sjc1.cisco.com/HXDP/cypress@master/-/blob/src/sysmgmt/stig/config/stig_parameters.ini (valid login credentials are required).
To run the STIG automation script, log in to the cluster or to any of the Controller VMs and run the command configureStig, or run the script /usr/share/secureshell-config/configureStig.py.
To set the STIG parameters manually for security hardening, see the following sections:
- For ESXi hosts, see Set STIG Parameters for ESXi Hosts.
- For Controller VMs, see Set STIG Parameters for Controller VMs.
- For vCenter, see Set STIG Parameters for vCenter.
- For the ESXi Welcome message, see Set ESXi Welcome Message.
Note |
1. When an HX cluster on which STIG is already enabled is expanded, the STIG settings are automatically applied to the newly added hosts and VMs. If STIG is not enabled on the cluster, the script must be run again or the settings must be applied manually.
2. Currently, resetting the STIG settings must be done manually. |
Set STIG Parameters for ESXi Hosts
This procedure provides the instructions for manually setting the STIG parameters for ESXi hosts.
Warning |
Setting this parameter causes the ESXi shell to be disabled after 900 seconds of idle time, which causes the HX upgrade to fail. |
To manually set the STIG parameters for ESXi hosts:
Steps for vCenter Version 6.0 Using vSphere Web Client:
This workflow is for use with HyperFlex Release 5.0(1c) and earlier.
- Browse to the host in the vSphere Web Client inventory.
- Click the Manage tab and click Settings.
- Under System, select Advanced System Settings.
- Select UserVars.ESXiShellTimeOut and click the Edit icon.
- Enter the idle timeout setting.
- Restart the SSH service for the timeout to take effect:
  - Select the host.
  - Click the Manage tab and click Settings.
  - Under System, select Security Profile.
  - In the Services section, click Edit.
  - Select SSH.
  - Click Restart.
  - Click OK.
- Click OK.
Steps for vCenter Version 6.5 and 6.7 Using vSphere Web Client:
This workflow is for use with HyperFlex Release 5.0(2a) and 5.5(x).
- Browse to the host in the vSphere Web Client inventory.
- Click Configure.
- Under System, select Advanced System Settings.
- Select UserVars.ESXiShellTimeOut and click the Edit icon.
- Enter the Value.
- Restart the SSH service for the timeout to take effect:
  - Select the host.
  - Click the Manage tab and click Settings.
  - Under System, select Security Profile.
  - In the Services section, click Edit.
  - Select SSH.
  - Click Restart.
  - Click OK.
Steps for vCenter Version 7.0:
This workflow is for use with HyperFlex Release 6.0(1a) and later.
Configure STIG: Configure STIG on a cluster by running the configureStig command on the HX shell or by invoking the REST API:
- CLI: configureStig
- REST API: https://<cluster-ip>/supportservice/v1/stig/apply
  Usage: curl -X 'PUT' 'https://<cluster-ip>/supportservice/v1/stig/apply' -H 'accept: application/json'
Verify STIG Settings: After STIG is enabled on a cluster, verify compliance using the check STIG script or the REST API:
- CLI: python3 /opt/hyperflex/storfs-stig/check_stig_all_nodes.py
- REST API: https://<cluster-ip>/supportservice/v1/stig/check
  Usage: curl -X 'PUT' 'https://<cluster-ip>/supportservice/v1/stig/check' -H 'accept: application/json'
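The verification step above reports whether each node meets the STIG targets this page sets (an ESXi shell idle timeout of 900 seconds, vpxd.hostPasswordLength of 32, and a disabled vCenter Server Datastore browser). The following is an added example of that kind of compliance check, written for this page; it is not the HyperFlex configureStig.py or check_stig_all_nodes.py code. It works on plain dictionaries of advanced settings so it runs offline; in practice those dictionaries would be filled from pyvmomi. The setting name config.vpxd.enableDebugBrowse for the datastore browser and the per-node result shape are assumptions of this example, and the host and vCenter settings at the bottom are constructed sample input.

```python
"""Offline compliance check over ESXi and vCenter advanced settings.

Added example, not the HyperFlex STIG scripts. The settings dictionaries are
constructed sample input standing in for what pyvmomi would return from a
host's or vCenter's advanced option manager.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List


@dataclass(frozen=True)
class Rule:
    key: str                           # advanced setting name as shown in the vSphere client
    expected: Any                      # STIG target value
    check: Callable[[Any, Any], bool]  # check(actual, expected) -> True when compliant
    description: str


def _equals(actual: Any, expected: Any) -> bool:
    return actual == expected


def _positive_at_most(actual: Any, expected: int) -> bool:
    # A value of 0 disables the ESXi shell idle timeout entirely, so only
    # 1..expected seconds counts as compliant; bool is excluded on purpose.
    return isinstance(actual, int) and not isinstance(actual, bool) and 1 <= actual <= expected


# ESXi target from the page: UserVars.ESXiShellTimeOut of 900 seconds.
ESXI_RULES: List[Rule] = [
    Rule("UserVars.ESXiShellTimeOut", 900, _positive_at_most,
         "idle ESXi shell timeout of at most 900 seconds"),
]

# vCenter targets from the page: password length 32, datastore browser disabled.
# The key name config.vpxd.enableDebugBrowse is an assumption of this example.
VCENTER_RULES: List[Rule] = [
    Rule("vpxd.hostPasswordLength", 32, _equals, "vCenter host password length of 32"),
    Rule("config.vpxd.enableDebugBrowse", False, _equals,
         "vCenter Server Datastore browser disabled"),
]


@dataclass(frozen=True)
class Finding:
    key: str
    expected: Any
    actual: Any          # None when the setting is absent from the inventory
    compliant: bool
    note: str


def check_settings(settings: Dict[str, Any], rules: List[Rule]) -> List[Finding]:
    """Evaluate every rule against one node's settings; a missing key is a failure."""
    findings: List[Finding] = []
    for rule in rules:
        if rule.key not in settings:
            findings.append(Finding(rule.key, rule.expected, None, False, "setting not present"))
            continue
        actual = settings[rule.key]
        findings.append(Finding(rule.key, rule.expected, actual,
                                rule.check(actual, rule.expected), rule.description))
    return findings


def is_compliant(findings: List[Finding]) -> bool:
    return all(f.compliant for f in findings)


def check_cluster(hosts: Dict[str, Dict[str, Any]], vcenter: Dict[str, Any]) -> Dict[str, bool]:
    """Per-node compliance map: one entry per ESXi host plus one for vCenter (assumed shape)."""
    result = {name: is_compliant(check_settings(s, ESXI_RULES)) for name, s in hosts.items()}
    result["vcenter"] = is_compliant(check_settings(vcenter, VCENTER_RULES))
    return result


# Constructed sample input: one hardened host, one host with the timeout
# disabled (0), one host where the setting was never reported, and a vCenter
# with the datastore browser still enabled.
SAMPLE_HOSTS: Dict[str, Dict[str, Any]] = {
    "esxi-1": {"UserVars.ESXiShellTimeOut": 900},
    "esxi-2": {"UserVars.ESXiShellTimeOut": 0},
    "esxi-3": {},
}
SAMPLE_VCENTER: Dict[str, Any] = {
    "vpxd.hostPasswordLength": 32,
    "config.vpxd.enableDebugBrowse": True,
}

if __name__ == "__main__":
    for node, ok in check_cluster(SAMPLE_HOSTS, SAMPLE_VCENTER).items():
        print(f"{node}: {'compliant' if ok else 'NON-COMPLIANT'}")
    for f in check_settings(SAMPLE_VCENTER, VCENTER_RULES):
        print(f"  {f.key}: expected {f.expected!r}, actual {f.actual!r} ({f.note})")
```

Treating a missing setting as a failure rather than skipping it matters for the expansion case in the Note above: a newly added host that the script never touched shows up as non-compliant instead of silently passing.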
Set STIG Parameters for Controller VMs
This procedure provides the instructions for setting the STIG parameters for Controller VMs:
Note |
It is recommended that you set this parameter for the VMs in the cluster one at a time. Each time after powering on the VM, wait for the cluster state to be healthy before proceeding to the next one. |
Procedure
Step 1 |
To set the STIG parameters for vCenter version 6.0 using vSphere Web Client: |
Step 2 |
To set the STIG parameters for vCenter version 6.5 using vSphere Web Client: |
Set STIG Parameters for vCenter
This procedure provides the instructions for setting the STIG parameters for vCenter:
Procedure
To set the STIG parameters for vCenter, see Configure vCenter Security Hardening Settings.
Set ESXi Welcome Message
To manually set the ESXi Welcome message:
Procedure
Step 1 |
Using the vSphere Client, select the ESXi host in the Inventory. |
Step 2 |
Click the Configuration tab. |
Step 3 |
Click Advanced Settings under Software. |
Step 4 |
Click Annotations. |
Step 5 |
Enter the desired text in the Annotations.WelcomeMessage field. |
Step 6 |
Click OK. Or, you can use the following procedure: |
Communications, Services, Bias-free Language, and Additional Information
- To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.
- To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.
- To submit a service request, visit Cisco Support.
- To discover and browse secure, validated enterprise-class apps, products, solutions and services, visit Cisco Marketplace.
- To obtain general networking, training, and certification titles, visit Cisco Press.
- To find warranty information for a specific product or product family, access Cisco Warranty Finder.
Documentation Feedback
To provide feedback about Cisco technical documentation, use the feedback form available in the right pane of every online document.
Cisco Bug Search Tool
Cisco Bug Search Tool (BST) is a web-based tool that acts as a gateway to the Cisco bug tracking system that maintains a comprehensive list of defects and vulnerabilities in Cisco products and software. BST provides you with detailed defect information about your products and software.
Bias-Free Language
The documentation set for this product strives to use bias-free language. For purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on standards documentation, or language that is used by a referenced third-party product.