CISCO How to Configure vCenter Security Hardening Settings

Product Information

The product is a vCenter security hardening tool that lets users configure additional settings for the vCenter. It provides an automation script for setting STIG (Security Technical Implementation Guide) parameters and also allows some settings to be configured manually.

Product Usage Instructions

Configure vCenter Security Hardening Settings

To configure the vCenter Security Hardening settings, follow these steps:

  1. Ensure that the automation script for setting the STIG parameters has been run. See the "Automation Script for Setting STIG Parameters" section of the manual for more information.
  2. Manually configure two additional vCenter Security Hardening settings by following the procedure below:

Procedure

  1. Step 1: [Insert Step 1 details here]
  2. Step 2: [Insert Step 2 details here]

Automation Script for Setting STIG Parameters

The product provides an automation script for setting the STIG parameters for the Controller VM, ESXi hosts, and the vCenter in the HX Cluster. The script can be run from the Controller VM or from a server with specific specifications. To run the STIG automation script, use the following command:

python stig_security_settings.py

Set the STIG Parameters for ESXi Hosts

The product allows users to set the STIG parameters for ESXi hosts manually. Note, however, that expanding an HX cluster does not automatically apply the STIG settings to the newly added hosts and VMs. To manually set the STIG for ESXi hosts, follow these steps:

Steps for vCenter Version 6.0 Using the vSphere Web Client

  1. Browse to the host in the vSphere Web Client inventory.
  2. Click the Manage tab and click Settings.
  3. Under System, select Advanced System Settings.
  4. Select UserVars.ESXiShellTimeOut and click the Edit icon.
  5. Enter the idle timeout setting.
  6. Restart the SSH service for the timeout to take effect.

Configure vCenter Security Hardening Settings

For vCenter hardening, two additional parameters must be set manually in addition to those set through the automation script. For information about the automation script, see Automation Script for Setting STIG Parameters, on page 2.
To configure these two additional vCenter Security Hardening settings:

Procedure

Step 1 Set the vpxd.hostPasswordLength parameter to 32.

  • The length of the vpxuser password is 32 characters.
  • The vpxuser password length must never be changed to less than the length of 32 characters.
  • From the vSphere Web Client, go to vCenter Inventory Lists >> vCenter Servers >> Select your vCenter Server >> Manage >> Settings >> Advanced Settings. Click Edit and edit the config.vpxd.hostPasswordLength setting to 32 or, if the value does not exist, create it by entering the values in the Key and Value fields. Then click Add.
  • If required, to change the password length policy, locate the vCenter Server configuration file "vpxd.cfg" on the system where vCenter Server is running and edit the vpxd.hostPasswordLength parameter.
  • Restart the vCenter Server.

Step 2 Disable the vCenter Server Datastore browser.

  • Stop the VirtualCenter Server service.
  • Locate the vpxd.cfg file on the system where vCenter Server is running.
  • Open the vpxd.cfg file using a text editor.
  • Locate the and tags and add the following entry within the tags, as shown below: false
  • Save the changes to the vpxd.cfg file.
  • Start the VirtualCenter Server service.
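
A check that can be run on the edited vpxd.cfg after saving it and before starting the service again, covering the Step 1 parameter. This is an added example, not part of the Cisco document or its script; it assumes the dotted name vpxd.hostPasswordLength is stored as nested XML elements under the file's root, and the sample file contents are constructed.

```python
# Added example: pre-start check of an edited vpxd.cfg. Sample files are
# constructed; the element layout is an assumption (see docstring).
import xml.etree.ElementTree as ET

REQUIRED_LENGTH = 32  # value the page gives for vpxd.hostPasswordLength

def check_host_password_length(cfg_text, required=REQUIRED_LENGTH):
    """Return (status, detail); status is 'ok', 'too_short', 'absent',
    'invalid' or 'malformed'. Assumes the dotted name vpxd.hostPasswordLength
    is stored as <vpxd><hostPasswordLength> under the file's root element."""
    try:
        root = ET.fromstring(cfg_text)
    except ET.ParseError as exc:
        # A hand edit that breaks the XML should be caught before restart.
        return "malformed", "not well-formed XML: %s" % exc
    node = root.find("vpxd/hostPasswordLength")
    if node is None:
        # Not in the file: it may only be set through Advanced Settings.
        return "absent", "hostPasswordLength not present in file"
    raw = (node.text or "").strip()
    if not raw.isdigit():
        return "invalid", "hostPasswordLength is not a number: %r" % raw
    if int(raw) < required:
        return "too_short", "hostPasswordLength=%s is below %d" % (raw, required)
    return "ok", "hostPasswordLength=%s" % raw

# Constructed vpxd.cfg fragments.
GOOD = "<config><vpxd><hostPasswordLength>32</hostPasswordLength></vpxd></config>"
SHORT = "<config><vpxd><hostPasswordLength> 16 </hostPasswordLength></vpxd></config>"
UNSET = "<config><vpxd></vpxd></config>"
BROKEN = "<config><vpxd><hostPasswordLength>32</vpxd></config>"

if __name__ == "__main__":
    for name, text in [("good", GOOD), ("short", SHORT),
                       ("unset", UNSET), ("broken", BROKEN)]:
        print(name, check_host_password_length(text))
```

An 'absent' result is not a failure by itself, because the page also allows the value to be set as config.vpxd.hostPasswordLength through Advanced Settings.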

Automation Script for Setting STIG Parameters

The STIG automation script, which sets the STIG for the Controller VMs, ESXi hosts, and the vCenter in the HX Cluster, can be run either from the Controller VM or from a server with the following specifications:

  • Ubuntu Version: 16.04.4 LTS (Xenial Xerus)
  • Python Version: 2.7.12
  • Packages required: pyvmomi

The script, the configuration file, and the log file are located on the controller VM at: /usr/share/springpath/storfs-misc/hx-scripts/. The file names are:

  • stig_security_settings.py
  • stig_config.ini

Note The first 2 files must be copied to the machine from which the script is run.

To run the STIG automation script, enter:
python stig_security_settings.py
The script sets the following STIG settings:

  • For ESXi hosts:
    • ESXiShellTimeOut:900
    • DcuiTimeOut:900
    • DVFilterBindIpAddress:
    • BlockGuestBPDU:1
    • PasswordQualityControl:similar=deny retry=3 min=disabled,disabled,disabled,disabled,15
    • SyslogDir:[]://scalhost issue:ud Syscratch/log This system is monitored under Federal and International Law. Controls implemented as per the DISA STIGs.
    • WelcomeMessage: This system is monitored under Federal and International Law. Controls implemented as per the DISA STIGs.
    • AccountLock Failure:3
    • AccountUnlockTime:900
  • For Controller VMs:
    • isolation.tools.hgfsServerSet.disable:true
    • RemoteDisplay.maxConnections:1
    • RemoteDisplay.vnc.enabled:false
    • isolation.device.connectable.disable:true
    • isolation.device.edit.disable:true
    • tools.guestlib.enableHostInfo:false
    • isolation.tools.copy.disable:true
    • isolation.tools.dnd.disable:true
    • isolation.tools.setGUIOptions.enable:false
    • isolation.tools.paste.disable:true
    • isolation.tools.ghi.autologon.disable:true
    • isolation.bios.bbs.disable:true
    • isolation.tools.getCreds.disable:true
    • isolation.tools.ghi.launchmenu.change:true
    • isolation.tools.memSchedFakeSampleStats.disable:true
    • isolation.tools.ghi.protocolhandler.info.disable:true
    • isolation.ghi.host.shellAction.disable:true
    • isolation.tools.dispTopoRequest.disable:true
    • isolation.tools.trashFolderState.disable:true
    • isolation.tools.ghi.trayicon.disable:true
    • isolation.tools.unity.disable:true
    • isolation.tools.unityInterlockOperation.disable:true
    • isolation.tools.unity.push.update.disable:true
    • isolation.tools.unity.taskbar.disable:true
    • isolation.tools.unityActive.disable:true
    • isolation.tools.unity.windowContents.disable:true
    • isolation.tools.vmxDnDVersionGet.disable:true
    • isolation.tools.guestDnDVersionSet.disable:true
    • isolation.tools.vixMessage.disable:true
    • isolation.tools.autoInstall.disable:true
    • tools.setinfo.sizeLimit:1048576
  • For vCenter:
    • config.nfc.useSSL:true
  • For the ESXi Welcome message, the script sets a default value.

To manually set the STIG for security hardening, see the following sections:

  • For ESXi hosts, see Set the STIG Parameters for ESXi Hosts, on page 3.
  • For Controller VMs, see Set the STIG Parameters for Controller VMs, on page 5.
  • For vCenter, see Set the STIG Parameters for vCenter, on page 5.
  • For the ESXi Welcome message, see Set ESXi Welcome Message, on page 6.

Note

  1. When an HX cluster is expanded, the STIG settings are not automatically applied to the newly added hosts and VMs. Either the script must be run again or the settings must be applied manually.
  2. Currently, if the user wants to reset the STIG, it must be done manually.
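
Because newly added hosts and VMs do not inherit the settings, a drift report against the values listed above shows which Controller VMs still need the script or the manual procedure. This is an added example, not Cisco's script; the VM names and sample inventory are constructed, and it assumes the caller has already fetched each VM's advanced settings (for example from pyvmomi's vm.config.extraConfig).

```python
# Added example (not Cisco's script): report Controller VM settings that
# differ from the values this page lists. Sample inventory is constructed.
from collections import namedtuple

# Subset of the "For Controller VMs" list on this page.
BASELINE = {
    "isolation.tools.hgfsServerSet.disable": "true",
    "RemoteDisplay.maxConnections": "1",
    "RemoteDisplay.vnc.enabled": "false",
    "isolation.device.connectable.disable": "true",
    "isolation.tools.copy.disable": "true",
    "isolation.tools.paste.disable": "true",
    "isolation.tools.dnd.disable": "true",
    "tools.setinfo.sizeLimit": "1048576",
}

def normalize(value):
    """Values are compared as trimmed, lower-cased strings."""
    return str(value).strip().lower()

def audit_extra_config(options, baseline=BASELINE):
    """Return {key: (expected, found)} for each baseline key that is missing
    (found is None) or set differently. `options` is an iterable of objects
    with .key and .value, the shape of pyvmomi's vm.config.extraConfig."""
    current = {opt.key: opt.value for opt in options}
    drift = {}
    for key, expected in baseline.items():
        found = current.get(key)
        if found is None or normalize(found) != normalize(expected):
            drift[key] = (expected, found)
    return drift

def audit_cluster(vms, baseline=BASELINE):
    """vms maps VM name -> extraConfig iterable; compliant VMs are omitted."""
    report = {name: audit_extra_config(opts, baseline) for name, opts in vms.items()}
    return {name: drift for name, drift in report.items() if drift}

# Constructed sample: one hardened VM, one added by a cluster expansion.
Opt = namedtuple("Opt", "key value")
SAMPLE_VMS = {
    "ctlvm-node1": [Opt(k, v) for k, v in BASELINE.items()],
    "ctlvm-node4-new": [Opt("RemoteDisplay.vnc.enabled", "TRUE"),
                        Opt("tools.setinfo.sizeLimit", " 1048576 ")],
}

if __name__ == "__main__":
    for vm, drift in sorted(audit_cluster(SAMPLE_VMS).items()):
        for key, (want, got) in sorted(drift.items()):
            print("%s: %s expected=%s found=%r" % (vm, key, want, got))
```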

Set the STIG Parameters for ESXi Hosts

This procedure provides instructions for manually setting the STIG parameters for ESXi hosts.

Warning It causes the ESXi shell to be disabled after 900 seconds, which causes the HX upgrade to fail.

To manually set the STIG for ESXi hosts:

Steps for vCenter Version 6.0 Using the vSphere Web Client

  1. Browse to the host in the vSphere Web Client inventory.
  2. Click the Manage tab and click Settings.
  3. Under System, select Advanced System Settings.
  4. Select UserVars.ESXiShellTimeOut and click the Edit icon.
  5. Enter the idle timeout setting.
  6. Restart the SSH service for the timeout to take effect.
    • Select the host.
    • Click the Manage tab and click Settings.
    • Under System, select Security Profile.
    • In the Services section, click Edit.
    • Select SSH.
    • Click Restart.
    • Click OK.
    • Click OK.

Steps for vCenter Version 6.5 Using the vSphere Web Client

  1. Browse to the host in the vSphere Web Client navigator.
  2. Click Configure.
  3. Under System, select Advanced System Settings.
  4. Select UserVars.ESXiShellTimeOut and click the Edit icon.
  5. Enter the Value.
  6. Restart the SSH service for the timeout to take effect.
    • Select the host.
    • Click the Manage tab and click Settings.
    • Under System, select Security Profile.
    • In the Services section, click Edit.
    • Select SSH.
    • Click Restart.
    • Click OK.

Set the STIG Parameters for Controller VMs

This procedure provides instructions for setting the STIG for the Controller VM.

Note It is recommended that you set this parameter for the VMs in the cluster one at a time. Each time a VM has been powered on, wait until the cluster state is healthy before moving on to the next one.

Procedure

Step 1

  • Log in to the vCenter Server system using the vSphere Client.
  • Select the virtual machine in the inventory.
  • Right-click the virtual machine > Power > Power off.
  • Select the virtual machine.
  • Right-click and go to Edit Settings.
  • Select Virtual Hardware >> expand the hard disk and change the mode to Independent-persistent.
  • Right-click the virtual machine > Power > Power on.

Step 2

  • Log in to the vCenter Server system using the vSphere Web Client.
  • Select the virtual machine in the inventory.
  • Right-click the virtual machine > Power > Power off.
  • Select the virtual machine.
  • Right-click and go to Edit Settings.
  • Select Virtual Hardware >> expand the hard disk and change the mode to Independent-persistent.
  • Right-click the virtual machine > Power > Power on.

Set the STIG Parameters for vCenter

This procedure provides instructions for setting the STIG for the vCenter:

Procedure

To set the STIG for the vCenter, see Configure vCenter Security Hardening Settings.

Set ESXi Welcome Message

To manually set the ESXi Welcome message:

Procedure

  • Step 1 Using the vSphere Client, select the ESXi host in the Inventory.
  • Step 2 Click the Configuration tab.
  • Step 3 Click Advanced Settings under Software.
  • Step 4 Click Annotations.
  • Step 5 Enter the required text in the Annotation.WelcomeMessage field.
  • Step 6 Click OK.

Or, you can use the following procedure:

    • Browse to the host in the vSphere Web Client navigator.
    • Click the Manage tab and click Settings.
    • Under System, select Advanced System Settings.
    • Select Annotations.WelcomeMessage and click the Edit icon.
    • Enter the required text.
    • Click OK.

Note

When an HX cluster is expanded, the STIG settings are not automatically applied to the newly added hosts and VMs. Either the script must be run again or the settings must be applied manually. Currently, if the user wants to reset the STIG, it must be done manually.

Communications, Services, Bias-Free Language, and Additional Information

  • To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.
  • To get the business impact you are looking for with the technologies that matter, visit Cisco Services.
  • To submit a service request, visit Cisco Support.
  • To discover and browse secure, validated enterprise-class apps, products, solutions and services, visit Cisco Marketplace.
  • To obtain general networking, training, and certification titles, visit Cisco Press.
  • To find warranty information for a specific product or product family, use Cisco Warranty Finder.

Documentation Feedback
To provide feedback about Cisco technical documentation, use the feedback form available in the right pane of every online document.

Cisco Bug Search Tool

Cisco Bug Search Tool (BST) is a web-based tool that acts as a gateway to the Cisco bug tracking system, which maintains a comprehensive list of defects and vulnerabilities in Cisco products and software. BST provides you with detailed defect information about your products and software.

Bias-Free Language
The documentation set for this product strives to use bias-free language. For purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on standards documentation, or language that is used by a referenced third-party product.
