The Art of Defense – Basic Nutanix Survival in Today’s Threat Landscape

Want to learn how to harden your defenses against external threats but not quite sure where to begin?

In this article, we will go over the following to help you stay proactive with securing your Nutanix environment.

Hardening Your CVM

  • Change Default Password
  • Learn about STIG, SCMA, and how to configure them
  • Advanced Intrusion Detection Environment (AIDE)
  • Cluster Lockdown

Change Default Password
The first thing to do when you get your system is to change the default password! Many systems get compromised because of a weak password or because the default was never changed. Assuming you’re not enabling Cluster Lockdown, perform the following steps:
1. SSH into the CVM
2. Change the nutanix user account password
nutanix@cvm$ passwd
3. Change the root account password
nutanix@cvm$ sudo passwd root

STIG, SCMA, and how to configure them
If you’re scratching your head about these terms, don’t worry. I didn’t know about them until I joined Nutanix. Let’s start with the Security Technical Implementation Guide (STIG).

Now, what is a STIG?
STIGs are “Powerful automation and self-healing security models help maintain continuous security in enterprise cloud environments with efficiency and ease. Nutanix has created custom STIGs that are based on the guidelines outlined by Defense Information Security Agency (DISA) to keep the enterprise cloud platform within compliance and reduce attack surfaces.” In the case of Linux, the STIGs are commands that find/fix proven vulnerabilities in the code.

Every Nutanix system ships with a series of STIGs already installed and kept updated, taken from the National Institute of Standards and Technology (NIST). Check out the official and customized list of our STIGs.

So now that we know what STIGs are, what is SCMA?
Security Configuration Management Automation (SCMA) checks over 800 security entities in the Nutanix STIGs that cover both storage and built-in virtualization. Nutanix leverages SaltStack and SCMA to self-heal any deviation from the security baseline configuration of the operating system and hypervisor so that they remain in compliance. If any component is found to be non-compliant, it is set back to the supported security settings without any intervention.

  • SCMA monitors the deployment periodically for any unknown or unauthorized changes to configurations, and can self-heal from any deviation to remain in compliance.
  • For example, automatically protecting the permissions on log files is just one of the many checks Nutanix performs to keep the system safe.

SaltStack Enterprise, built on Salt open source platform, provides system management software for the software-defined data center with the delivery of event-driven automation for natively integrated configuration management, infrastructure security and compliance, and any cloud or container control.

Hardening your CVMs
SSH into a CVM, and run the following:
nutanix@cvm$ ncli cluster get-hypervisor-security-config
….
Enable Aide : true
Enable Core : false
Enable High Strength P… : true
Enable Banner : false
Schedule : HOURLY

You can customize these categories to your preference, but I want to focus on three: AIDE, High Strength Password, and Schedule.

AIDE stands for Advanced Intrusion Detection Environment and is one of the most popular tools for monitoring changes to Linux-based operating systems. It is used to protect your system against malware and viruses and to detect unauthorized activity. It works by creating a database of the file system and then checking the live system against that database to verify file integrity and detect intrusions. AIDE helps you shorten investigation time during incident response by focusing attention on the files that have changed. Basic info about AIDE can be found here.
To enable AIDE, run this command in the CVM terminal.
nutanix@cvm$ ncli cluster edit-hypervisor-security-params enable-aide=true

To enable the high-strength password policies (minlen=15, difok=8, remember=24) for your CVM:
ncli cluster edit-hypervisor-security-params enable-high-strength-password=true

To change the default schedule on which SCMA runs (the schedule can be hourly, daily, weekly, or monthly):
ncli cluster edit-hypervisor-security-params schedule=hourly
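To keep these three settings from drifting, here is an added shell example (not part of the original article or of Nutanix's tooling) that parses a captured `ncli cluster get-hypervisor-security-config` output, compares it against the baseline described above (AIDE on, high-strength passwords on, SCMA hourly), and prints the `ncli` command that would correct each deviation. The sample output is constructed for the example, and the full key name "Enable High Strength Password" is assumed, since the page shows it truncated.

```shell
#!/bin/sh
# Added example: audit a captured "ncli cluster get-hypervisor-security-config"
# output against the article's baseline and print corrective ncli commands.
# The sample below is constructed; it is not output from a real cluster.
# It deliberately drifts on two settings: AIDE is off and SCMA runs daily.
SAMPLE_CONFIG='Enable Aide : false
Enable Core : false
Enable High Strength Password : true
Enable Banner : false
Schedule : DAILY'

# get_setting NAME CONFIG -> prints the value after "NAME : " (first match)
get_setting() {
    printf '%s\n' "$2" | awk -F' : ' -v key="$1" '$1 == key { print $2; exit }'
}

# audit_config CONFIG -> prints one corrective ncli command per deviation;
# returns 0 when fully compliant, 1 when at least one setting drifts.
audit_config() {
    config="$1"
    drift=0
    aide=$(get_setting "Enable Aide" "$config")
    hsp=$(get_setting "Enable High Strength Password" "$config")  # assumed key name
    sched=$(get_setting "Schedule" "$config")

    if [ "$aide" != "true" ]; then
        echo "ncli cluster edit-hypervisor-security-params enable-aide=true"
        drift=1
    fi
    if [ "$hsp" != "true" ]; then
        echo "ncli cluster edit-hypervisor-security-params enable-high-strength-password=true"
        drift=1
    fi
    if [ "$sched" != "HOURLY" ]; then
        echo "ncli cluster edit-hypervisor-security-params schedule=hourly"
        drift=1
    fi
    return $drift
}

# On a real CVM you would feed the live output instead of the constructed sample:
#   audit_config "$(ncli cluster get-hypervisor-security-config)"
audit_config "$SAMPLE_CONFIG" || echo "Cluster deviates from the baseline; run the commands above."
```

Wiring the function into a periodic job (a cron entry on an admin host, not on the CVM itself) gives you a drift report that complements SCMA's own self-healing.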


Cluster Lock Down
Lastly, we can enable Cluster Lock Down on your Nutanix system. This disables password-based SSH access to the CVMs, so password login attempts are denied.

  • Nutanix recommends that access, including SSH directly to the CVM and hypervisor, be restricted to as few entities as possible.
  • In high-security settings, Cluster Lockdown can be very appropriate and should be implemented.
  • Cluster Lockdown does not affect any cluster communication between its components. The cluster will function as normal.

You can enable this feature via Prism Settings, but follow this guide to generate keys needed for this operation.

If you’ve reached this far, then congrats! You have learned about some advanced features you can enable or customize to further strengthen your defensive stance against external threats.