
Nutanix Controller VM

Security Operations Guide


Contents

1. Introduction....................................................................................................3
Nutanix Security Model................................................................................................................................3
Pulse Support.............................................................................................................................................. 4

2. Security Configuration Management Automation......................................5


Hardening Controller VM............................................................................................................................. 5
Hardening AHV............................................................................................................................................ 7
Modifying Default Passwords...................................................................................................................... 9
Emergency Local Account Usage............................................................................................................... 9
Password Expiry........................................................................................................................................ 10
Hardening Cluster...................................................................................................................................... 10
Documenting the Log Fingerprint.............................................................................................................. 11
TCP Wrapper Integration...........................................................................................................................12
Log Forwarding.......................................................................................................................................... 12
Replacing a Certificate.............................................................................................................................. 13
Contact Sales Team.................................................................................................................................. 15
1. Introduction
The purpose of this guide is to address the site-specific technical requirements and the compliance
standards that should be adhered to but are not enabled by default.
The primary audience for this guide includes cloud or data center administrators and security officers who
are responsible for implementing compliance requirements.
The appliance method of deployment for the Nutanix Controller Virtual Machine (CVM) enables you to
conveniently deploy and configure the Nutanix enterprise platform. Authority to Operate (ATO) security
requirements need to be adhered to for approval to run in a production environment.
Nutanix has standardized the security profile of the CVM to a security compliance baseline that meets or
exceeds the following current high-governance requirements.
• Payment Card Industry – Data Security Standard (PCI-DSS)
• Health Insurance Portability and Accountability Act (HIPAA)
• US Federal Risk and Authorization Management Program (FedRAMP)
• Intelligence Community Directive Certification and Accreditation for US Intelligence Agencies (ICD 503)
• US Department of Defense Information Assurance Certification and Accreditation Process (DIACAP)
• Sarbanes Oxley (SOX) electronic records compliance
The most commonly used references in the United States that guide vendors in building products according to
a set of technical requirements are as follows.
• The National Institute of Standards and Technology Special Publications Security and Privacy Controls
for Federal Information Systems and Organizations (NIST 800.53)
• The US Department of Defense Information Systems Agency (DISA) Security Technical Implementation
Guides (STIG)
From AOS 4.1 onward, most of these technical requirements are incorporated to ease deployment in
high-governance production environments. The NTNX 4 CVM Security Technical Implementation Guide
(STIG) helps you meet security compliance guidelines.

Nutanix Security Model


Nutanix provides a transparent security model that enables you to protect against the most common
and known vulnerabilities at every layer of the CVM platform. To provide system- and application-level
security using a defense-in-depth model, each software layer is capable of reducing the attack surface,
which eliminates the dependency on a single mechanism to defend the product.
The Nutanix CVM is a critical component to control and manage all the input or output operations. The
CVM public interface for management such as Web console interface, nCLI, and SSH should not be on a
public community network.
Nutanix recommends that all enterprise and cloud management components, including the hypervisor
management layer, be restricted to an isolated management subnet. These components should
use VLAN separation to isolate the cloud management plane from the other management network
requirements external to the hypervisor, storage, or network layers.
For remote management purposes, a VPN connection using IPsec with both strong and ephemeral
cipher suites is recommended. Restricting and isolating the networks that are used to access the
management domain is a crucial aspect of the defense-in-depth approach, ensuring that the network design is
one of the many layers of the protection model.

Pulse Support
Pulse functionality provides cluster-related statistical information to Nutanix customer support. This
functionality is enabled by default. If you need to disable Pulse, see the Prism Web Console Guide for a
detailed procedure.
2. Security Configuration Management Automation
Security configuration management automation (SCMA) checks over 800 security entities in the Nutanix
Security Technical Implementation Guides (STIGs) that cover both storage and built-in virtualization.
Nutanix leverages SaltStack and SCMA to self-heal any deviation from the security baseline configuration
of the operating system and hypervisor so that they remain in compliance. If any component is found to be
non-compliant, it is set back to the supported security settings without any intervention.

Hardening Controller VM
You can use the Nutanix Command Line Interface (nCLI) to customize the various configuration
settings related to the CVM as described below.
• Run the following command to view the cluster-wide configuration of the SCMA policy.
nutanix@cvm$ ncli cluster get-cvm-security-config

The current cluster configuration is displayed.


Enable Aide : false
Enable Core : false
Enable High Strength P...: false
Enable Banner : false
Enable SNMPv3 Only : false
Schedule : DAILY

• Run the following command to schedule weekly execution of the Advanced Intrusion Detection
Environment (AIDE).
nutanix@cvm$ ncli cluster edit-cvm-security-params enable-aide=true

The following output is displayed.


Enable Aide : true
Enable Core : false
Enable High Strength P... : false
Enable Banner : false
Enable SNMPv3 Only : false
Schedule : DAILY

• Run the following command to enable the strong password policy.


nutanix@cvm$ ncli cluster edit-cvm-security-params enable-high-strength-password=true

The following output is displayed.


Enable Aide : true
Enable Core : false
Enable High Strength P... : true
Enable Banner : false
Enable SNMPv3 Only : false
Schedule : DAILY



• Run the following command to enable the US Department of Defense (DoD) consent banner.
nutanix@cvm$ ncli cluster edit-cvm-security-params enable-banner=true

The following output is displayed.


Enable Aide : true
Enable Core : false
Enable High Strength P... : true
Enable Banner : true
Enable SNMPv3 Only : false
Schedule : DAILY

• Run the following command to enable the settings to allow only SNMP version 3.
nutanix@cvm$ ncli cluster edit-cvm-security-params enable-snmpv3-only=true

The following output is displayed.


Enable Aide : true
Enable Core : false
Enable High Strength P... : true
Enable Banner : true
Enable SNMPv3 Only : true
Schedule : DAILY

• Run the following command to change the default schedule for running the SCMA. The schedule can be
hourly, daily, weekly, or monthly.
nutanix@cvm$ ncli cluster edit-cvm-security-params schedule=hourly

The following output is displayed.


Enable Aide : true
Enable Core : false
Enable High Strength P... : true
Enable Banner : true
Enable SNMPv3 Only : true
Schedule : HOURLY

• Run the following command to enable core dumps so that the CVM can generate stack traces for any
cluster issue.
nutanix@cvm$ ncli cluster edit-cvm-security-params enable-core=true

The following output is displayed.


Enable Aide : true
Enable Core : true
Enable High Strength P... : true
Enable Banner : true
Enable SNMPv3 Only : true
Schedule : HOURLY

Note: Nutanix recommends that Core should not be set to true unless instructed by the Nutanix support
team.

• When a high governance official needs to run the hardened configuration, the settings should be as
follows.
Enable Aide : true
Enable Core : false
Enable High Strength P... : true
Enable Banner : false
Enable SNMPv3 Only : true
Schedule : HOURLY

• When a federal official needs to run the hardened configuration, the settings should be as follows.
Enable Aide : true
Enable Core : false
Enable High Strength P... : true
Enable Banner : true
Enable SNMPv3 Only : true
Schedule : HOURLY

Note: A banner file can be modified to support non-DoD customer banners.

• Run the following command to back up the DoD banner file.
nutanix@cvm$ sudo cp -a /srv/salt/security/CVM/sshd/DODbanner \
/srv/salt/security/CVM/sshd/DODbannerbak

• Run the following command to modify the DoD banner file.


nutanix@cvm$ sudo vi /srv/salt/security/CVM/sshd/DODbanner

Note: Repeat all the above steps on every CVM in a cluster.

• Run the following command to set the banner for all nodes through nCLI.
nutanix@cvm$ ncli cluster edit-cvm-security-params enable-banner=true

Hardening AHV
You can use the Nutanix Command Line Interface (nCLI) to customize the various configuration
settings related to AHV as described below.
• Run the following command to get the cluster-wide configuration of the SCMA policy.
nutanix@cvm$ ncli cluster get-hypervisor-security-config

The following output is displayed.


Enable Aide : false
Enable Core : false
Enable High Strength P... : false
Enable Banner : false
Schedule : DAILY

• Run the following command to enable the Advanced Intrusion Detection Environment (AIDE) to run on a
weekly basis.
nutanix@cvm$ ncli cluster edit-hypervisor-security-params enable-aide=true

The following output is displayed.


Enable Aide : true
Enable Core : false
Enable High Strength P... : false
Enable Banner : false
Schedule : DAILY



• Run the following command to enable the high-strength password policies (minlen=15, difok=8,
remember=24).
nutanix@cvm$ ncli cluster edit-hypervisor-security-params \
enable-high-strength-password=true

The following output is displayed.


Enable Aide : true
Enable Core : false
Enable High Strength P... : true
Enable Banner : false
Schedule : DAILY

• Run the following command to enable the US Department of Defense (DoD) consent banner.
nutanix@cvm$ ncli cluster edit-hypervisor-security-params enable-banner=true

The following output is displayed.


Enable Aide : true
Enable Core : false
Enable High Strength P... : true
Enable Banner : true
Schedule : DAILY

• Run the following command to change the default schedule for running the SCMA. The schedule can be
hourly, daily, weekly, or monthly.
nutanix@cvm$ ncli cluster edit-hypervisor-security-params schedule=hourly

The following output is displayed.


Enable Aide : true
Enable Core : false
Enable High Strength P... : true
Enable Banner : true
Schedule : HOURLY

• Run the following command to enable core dumps so that AHV can generate stack traces for any
cluster issue.
nutanix@cvm$ ncli cluster edit-hypervisor-security-params enable-core=true

The following output is displayed.


Enable Aide : true
Enable Core : true
Enable High Strength P... : true
Enable Banner : true
Schedule : HOURLY

Note: Nutanix recommends that Core should not be set to true unless instructed by the Nutanix support
team.

• When a high governance official needs to run the hardened configuration, the settings should be as
follows.
Enable Aide : true
Enable Core : false
Enable High Strength P... : true
Enable Banner : false
Schedule : HOURLY

• When a federal official needs to run the hardened configuration, the settings should be as follows.
Enable Aide : true
Enable Core : false
Enable High Strength P... : true
Enable Banner : true
Schedule : HOURLY

Note: A banner file can be modified to support non-DoD customer banners.

• Run the following command to back up the DoD banner file.
nutanix@cvm$ sudo cp -a /srv/salt/security/KVM/sshd/DODbanner \
/srv/salt/security/KVM/sshd/DODbannerbak

• Run the following command to modify the DoD banner file.


nutanix@cvm$ sudo vi /srv/salt/security/KVM/sshd/DODbanner

Note: Repeat all the above steps on every AHV host in a cluster.

• Run the following command to set the banner for all nodes through nCLI.
nutanix@cvm$ ncli cluster edit-hypervisor-security-params enable-banner=true
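The two hardened profiles listed above (high governance and federal) apply to both the CVM and the AHV security-config listings. The following script is an added example, not Nutanix code: it parses the output of the ncli get-cvm-security-config or get-hypervisor-security-config commands (the "Name : value" format shown in this guide is assumed) and reports every parameter that deviates from the chosen profile.

```python
"""Compare ncli security-config output against the guide's hardened profiles.

Added example, not Nutanix code. It assumes the listing format shown in this
guide (one "Name : value" pair per line); the CVM listing has an
"Enable SNMPv3 Only" line that the hypervisor (AHV) listing lacks.
"""
import re

# Hardened profiles as stated in the guide. Only the banner setting differs;
# Core stays false unless Nutanix support asks for it.
PROFILES = {
    "high_governance": {
        "Enable Aide": "true",
        "Enable Core": "false",
        "Enable High Strength P...": "true",
        "Enable Banner": "false",
        "Enable SNMPv3 Only": "true",
        "Schedule": "HOURLY",
    },
    "federal": {
        "Enable Aide": "true",
        "Enable Core": "false",
        "Enable High Strength P...": "true",
        "Enable Banner": "true",
        "Enable SNMPv3 Only": "true",
        "Schedule": "HOURLY",
    },
}

# Both "Enable Aide : true" and "Enable High Strength P...: false" parse.
LINE_RE = re.compile(r"^\s*(?P<name>.+?)\s*:\s*(?P<value>\S+)\s*$")


def parse_security_config(text: str) -> dict:
    """Turn an ncli security-config listing into a {name: value} dict."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group("name")] = m.group("value")
    return settings


def find_deviations(text: str, profile: str, is_hypervisor: bool = False) -> list:
    """Return [(name, expected, actual)] for every parameter off the baseline.

    The hypervisor listing has no SNMPv3 line, so that key is skipped for AHV.
    A parameter missing from the listing is reported with actual == "absent".
    """
    expected = dict(PROFILES[profile])
    if is_hypervisor:
        expected.pop("Enable SNMPv3 Only")
    actual = parse_security_config(text)
    deviations = []
    for name, want in expected.items():
        got = actual.get(name, "absent")
        if got.lower() != want.lower():
            deviations.append((name, want, got))
    return deviations


# Constructed samples: the default CVM listing before hardening, and the
# listing after the federal profile has been applied.
DEFAULT_CVM_OUTPUT = """\
Enable Aide : false
Enable Core : false
Enable High Strength P...: false
Enable Banner : false
Enable SNMPv3 Only : false
Schedule : DAILY
"""
FEDERAL_CVM_OUTPUT = """\
Enable Aide : true
Enable Core : false
Enable High Strength P... : true
Enable Banner : true
Enable SNMPv3 Only : true
Schedule : HOURLY
"""

if __name__ == "__main__":
    for name, want, got in find_deviations(DEFAULT_CVM_OUTPUT, "federal"):
        print(f"{name}: expected {want}, found {got}")
```

Pipe the live command output into find_deviations() from each cluster to get a per-parameter drift list that can be recorded with the compliance evidence.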

Modifying Default Passwords


The Controller VM default password for both the nutanix and root user accounts is the same (nutanix/4u). You
must change the default Controller VM password for the nutanix and root user accounts, adhering to the
password complexity requirements. For more information on changing default passwords, see the Prism Web
Console Guide.

1. SSH to the Controller VM.

2. Change the nutanix user account password.


nutanix@cvm$ passwd

3. Change the root user account password.


nutanix@cvm$ sudo passwd root

Note:
• Ensure that you store the modified nutanix user password, since the local authentication (PAM)
module requires the previous password of the nutanix user to successfully start the password
reset process.
• For the root account, both console and direct SSH login are disabled.
• In a subsequent release, the nutanix user interactive emergency account will be converted
to a disabled service account. Hence, it is recommended to use the admin user as the
administrative emergency account.

Emergency Local Account Usage


The admin account is used as a local emergency account. This account ensures that both the Prism
Web Console and the Controller VM remain available when external services such as Active Directory are
unavailable.



Note: Local emergency account usage is not supported for any external access mechanism, specifically
external application authentication or external REST API authentication.

For all external authentication, the cluster must be configured to use an external IAM service such
as Active Directory. Service accounts should be created on the IAM, and those accounts should be
granted access to the cluster through the Prism web console user account management configuration for
authentication.

Password Expiry
The compliance standards for password expiration are as follows.
• User account passwords should be set to expire in 60 days.
• Service account passwords should be set to expire in 365 days.
• The CVM creates new user accounts with a 60-day password expiry by default.
• The nutanix and root accounts are set to 99999 days by default.
It is recommended to check the expiry of all the interactive accounts to meet both security and operational
requirements.
Run the following command on a CVM (not required if root is disabled) or AHV host to modify the expiry of
the root account.
nutanix@cvm$ for i in `svmips`; do echo cvm $i; ssh $i \
'sudo passwd -x 365 root'; sleep 5; done

Run the following command to modify the expiry of the nutanix account.
nutanix@cvm$ for i in `svmips`; do echo cvm $i; ssh $i \
'sudo passwd -x 365 nutanix'; sleep 5; done

You can use this command to modify any user, replacing the interactive account user name and the
number of days to meet the expiry standards of the organization.
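To verify the expiry standards above across all interactive and service accounts rather than adjusting them one at a time, the following added script (not Nutanix code) audits /etc/shadow-format text, which is read with sudo on each node. Which accounts are interactive and which are service accounts is the operator's choice; the sample below is constructed and puts nutanix and root under the 365-day value that the guide's passwd -x commands set for them.

```python
"""Audit /etc/shadow maximum password age against the guide's expiry standards.

Added example, not Nutanix code. The input is /etc/shadow-format text (read
with sudo on each CVM or AHV host, for example through the svmips loop in
this guide); which accounts count as interactive and which as service
accounts is supplied by the caller. Sample lines below are constructed.
"""
USER_MAX_DAYS = 60      # interactive user accounts (guide standard)
SERVICE_MAX_DAYS = 365  # service accounts (guide standard)
NEVER_EXPIRES = 99999   # the default applied to nutanix and root


def audit_shadow(shadow_text: str, interactive: set, service: set) -> list:
    """Return [(account, max_days, limit)] for every account over its limit.

    Field 5 of a shadow line is the maximum password age in days; an empty
    field means the password never expires and is treated as 99999.
    Accounts in neither set are ignored.
    """
    findings = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 5 or not fields[0]:
            continue
        name = fields[0]
        if name in interactive:
            limit = USER_MAX_DAYS
        elif name in service:
            limit = SERVICE_MAX_DAYS
        else:
            continue
        max_days = int(fields[4]) if fields[4].strip() else NEVER_EXPIRES
        if max_days > limit:
            findings.append((name, max_days, limit))
    return findings


# Constructed sample (hashes are placeholders): nutanix and root still at the
# 99999-day default, admin already at 60 days, one service account at 365 and
# one with no maximum at all.
SAMPLE_SHADOW = """\
root:$6$placeholder:19000:0:99999:7:::
nutanix:$6$placeholder:19000:0:99999:7:::
admin:$6$placeholder:19000:1:60:7:::
svc_backup:$6$placeholder:19000:0:365:7:::
svc_monitor:$6$placeholder:19000:0::7:::
"""

if __name__ == "__main__":
    # nutanix and root are checked against the 365-day value the guide's
    # "passwd -x 365" commands set for them; admin is interactive.
    service_accounts = {"root", "nutanix", "svc_backup", "svc_monitor"}
    for name, days, limit in audit_shadow(SAMPLE_SHADOW, {"admin"}, service_accounts):
        print(f"{name}: max age {days} days exceeds {limit}")
```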

Hardening Cluster
For remote connections, CVM and AHV hosts should be accessed through secure shell (SSH). According
to the compliance standards for non-repudiation, SSH key pairs need to be established to identify
non-repudiated logins, with the public key supplied in the Prism Web Console user interface.

1. Run the following command as a Security Manager on a Unix or Linux host to establish an SSH key pair.
$ ssh-keygen -t rsa -b 3072 (or 4096)

For each user, the key pair (id_rsa and id_rsa.pub) should be stored by the security manager.

2. To load the public key for CVM or AHV access, click the gear icon in the Prism Web Console and select
Cluster Lockdown.

3. In the Cluster Lockdown configuration menu, click + New Public Key.



Figure 1: New Public Key

4. Enter the name in the Name field.

5. Enter the contents of the id_rsa.pub file into the Key field.

6. Click Save to store the configuration.

7. Click Close to finish the configuration.


What to do next
Test the configuration by loading the SSH key pair to log in to a CVM or the AHV node.

Documenting the Log Fingerprint


For forensic analysis, non-repudiation is established by verifying the fingerprint of the public key against the
log file entry.

1. Log in to the CVM.

2. Run the following command to document the fingerprint for each public key assigned to an individual
admin.
nutanix@cvm$ ssh-keygen -lf /<location of>/id_rsa.pub

The fingerprint is then compared with the SSH daemon log entries (/home/log/secure on the CVM), which are
forwarded to the central log host.

Note: After the SSH public key has been added in Prism and connectivity has been verified, disable
password authentication for all CVMs and AHV hosts. From the gear icon drop-down list in the Prism main
menu, open the Cluster Lockdown configuration and clear the Enable Remote Login with Password check
box.
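The comparison described above can be automated. The following added example (not Nutanix code) reproduces the SHA256 fingerprint that ssh-keygen -lf prints for a public key and then attributes each "Accepted publickey" entry in sshd log lines of the /home/log/secure format to the admin whose documented key was used, flagging any key nobody documented. The keys, hostnames and addresses are constructed.

```python
"""Attribute sshd public-key logins to documented key fingerprints.

Added example, not Nutanix code. fingerprint_sha256() computes the same
SHA256 fingerprint that "ssh-keygen -lf key.pub" prints, and
attribute_logins() reads sshd "Accepted publickey" lines (the format found
in /home/log/secure on the CVM) and names the admin whose documented key was
used, flagging any fingerprint that is not on record. Keys, hostnames and
addresses below are constructed.
"""
import base64
import hashlib
import re
import struct


def fingerprint_sha256(pubkey_line: str) -> str:
    """SHA256 fingerprint of an OpenSSH public key line ("type base64 [comment]")."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    # OpenSSH prints unpadded base64 after the "SHA256:" prefix.
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


ACCEPTED_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2: "
    r"(?P<keytype>\S+) (?P<fp>SHA256:\S+)"
)


def attribute_logins(log_lines, documented: dict) -> list:
    """Return [(login_user, source_ip, owner)] for each public-key login.

    documented maps fingerprint -> admin name, as recorded with ssh-keygen -lf.
    owner is "UNDOCUMENTED KEY" when the fingerprint is not on record.
    """
    results = []
    for line in log_lines:
        m = ACCEPTED_RE.search(line)
        if m:
            owner = documented.get(m.group("fp"), "UNDOCUMENTED KEY")
            results.append((m.group("user"), m.group("ip"), owner))
    return results


def _constructed_ed25519_key(seed: int, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 public key line (not a real key).

    Only the OpenSSH wire format matters for fingerprinting: a length-prefixed
    type string followed by a length-prefixed 32-byte public point.
    """
    blob = struct.pack(">I", 11) + b"ssh-ed25519"
    blob += struct.pack(">I", 32) + bytes([seed] * 32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


ALICE_KEY = _constructed_ed25519_key(1, "alice@workstation")
BOB_KEY = _constructed_ed25519_key(2, "bob@workstation")
UNKNOWN_KEY = _constructed_ed25519_key(3, "nobody-documented")
DOCUMENTED = {fingerprint_sha256(ALICE_KEY): "alice",
              fingerprint_sha256(BOB_KEY): "bob"}

# Constructed sshd lines in secure-log format: a documented login, a login
# with a key no admin documented, and an unrelated failed-password line.
SAMPLE_LOG = [
    "Jan 12 10:15:03 cvm-1 sshd[2048]: Accepted publickey for nutanix from "
    f"192.168.5.20 port 51234 ssh2: ED25519 {fingerprint_sha256(ALICE_KEY)}",
    "Jan 12 10:17:44 cvm-1 sshd[2051]: Accepted publickey for nutanix from "
    f"10.9.8.7 port 51240 ssh2: ED25519 {fingerprint_sha256(UNKNOWN_KEY)}",
    "Jan 12 10:18:00 cvm-1 sshd[2052]: Failed password for invalid user test "
    "from 10.9.8.7 port 51244 ssh2",
]

if __name__ == "__main__":
    for user, ip, owner in attribute_logins(SAMPLE_LOG, DOCUMENTED):
        print(f"{user} from {ip}: {owner}")
```

Because every admin logs in as the shared nutanix user, the fingerprint, not the user name, is what ties a log entry to a person; an "UNDOCUMENTED KEY" result is the case to investigate.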



TCP Wrapper Integration
The Nutanix CVM uses the tcp_wrappers package so that TCP-wrapped (libwrap) daemons can control which
network subnets may access them. By default, SCMA manages the /etc/hosts.allow file from
/srv/salt/security/CVM/network/hosts.allow, which contains generic entries allowing access to
NFS, secure shell, and SNMP from any client.
sshd: ALL : ALLOW
rpcbind: ALL : ALLOW
snmpd: ALL : ALLOW
snmptrapd: ALL : ALLOW

Nutanix recommends that, for both production and high-governance compliance environments, this be
changed to include only the localhost entries and the management network subnets for the restricted
operations.
sshd: 127.0.0.1 : ALLOW
sshd: [::1] : ALLOW
sshd: 192.168.5. : ALLOW
sshd: 1.2.3. : ALLOW
sshd: 4.5.6. : ALLOW
rpcbind: 127.0.0.1 : ALLOW
rpcbind: [::1] : ALLOW
rpcbind: 192.168.5. : ALLOW
rpcbind: 1.2.3. : ALLOW
rpcbind: 4.5.6. : ALLOW
snmpd: 127.0.0.1 : ALLOW
snmpd: [::1] : ALLOW
snmpd: 192.168.5. : ALLOW
snmpd: 1.2.3. : ALLOW
snmpd: 4.5.6. : ALLOW
snmptrapd: 127.0.0.1 : ALLOW
snmptrapd: [::1] : ALLOW
snmptrapd: 192.168.5. : ALLOW
snmptrapd: 1.2.3. : ALLOW
snmptrapd: 4.5.6. : ALLOW

When you connect to the Nutanix services, you should either be in the restricted subnet or use VPN to
connect to the subnet after the changes are applied.

Note: Any changes made directly to the /etc/hosts.allow file are lost when the CVM is upgraded to a newer
version, so you need to perform the tcp_wrapper integration again after an upgrade. Whenever SCMA runs, any
direct modification to the /etc/hosts.allow file is overwritten.

After editing the /srv/salt/security/CVM/network/hosts.allow file, run the following command to apply it on all
the nodes.
nutanix@cvm$ for i in `svmips`; do echo cvm $i; ssh $i \
'sudo salt-call state.sls security/CVM/networkCVM'; sleep 5; done

Note: When network access is restricted with tcp_wrapper, the libwrapped services must still allow traffic from
the CVM to the hypervisor. In a scenario where multiple hypervisor clusters with multiple subnets route traffic so
that the CVM must reach all the hypervisor subnets, verify that all subnets are included for all the libwrapped
services.
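The following added example (not Nutanix code) checks a hosts.allow file before it is pushed out through SCMA: it evaluates the client patterns used in this guide (ALL, an exact address, a dotted subnet prefix such as 192.168.5., and a bracketed IPv6 literal) the way tcp_wrappers matches them, reports whether a given client is admitted to a daemon, and lists daemons that are still open to ALL. The sample entries are the guide's own generic and restricted sshd lines.

```python
"""Evaluate /etc/hosts.allow entries the way tcp_wrappers matches clients.

Added example, not Nutanix code. It implements only the client patterns
used in this guide: ALL, an exact IPv4 address, a dotted prefix such as
"192.168.5." (everything in 192.168.5.0/24), and a bracketed IPv6 literal
such as [::1]. Lines have the form "daemon_list : client_list [: option]";
the first line that matches both daemon and client decides, and a client
with no matching line is reported as not admitted by hosts.allow.
"""
import ipaddress
import re

# Split on ":" except inside [...] so that "[::1]" survives as one field.
FIELD_SPLIT = re.compile(r":(?![^\[]*\])")


def _client_matches(pattern: str, client: str) -> bool:
    """tcp_wrappers-style client match for the pattern forms in the guide."""
    if pattern == "ALL":
        return True
    if pattern.startswith("[") and pattern.endswith("]"):
        try:  # compare IPv6 literals in canonical form
            return ipaddress.ip_address(pattern[1:-1]) == ipaddress.ip_address(client)
        except ValueError:
            return False
    if pattern.endswith("."):
        return client.startswith(pattern)  # "1.2.3." matches 1.2.3.x only
    return pattern == client


def parse_hosts_allow(text: str) -> list:
    """Return [(daemons, clients, option)] per rule; option is "" or ALLOW/DENY."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in FIELD_SPLIT.split(line)]
        if len(fields) < 2:
            continue
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        option = fields[2].upper() if len(fields) > 2 else ""
        rules.append((daemons, clients, option))
    return rules


def admitted_by_hosts_allow(text: str, daemon: str, client: str) -> bool:
    """True if the first matching hosts.allow rule admits client to daemon."""
    for daemons, clients, option in parse_hosts_allow(text):
        if daemon not in daemons and "ALL" not in daemons:
            continue
        if any(_client_matches(p, client) for p in clients):
            return option != "DENY"  # an explicit DENY option refuses
    return False


def wide_open_daemons(text: str) -> list:
    """Daemons that any client may reach, i.e. rules with an ALL client pattern."""
    return sorted({d for daemons, clients, option in parse_hosts_allow(text)
                   if "ALL" in clients and option != "DENY" for d in daemons})


# Constructed samples taken from the two listings in this guide.
GENERIC_HOSTS_ALLOW = """\
sshd: ALL : ALLOW
rpcbind: ALL : ALLOW
snmpd: ALL : ALLOW
snmptrapd: ALL : ALLOW
"""
RESTRICTED_HOSTS_ALLOW = """\
sshd: 127.0.0.1 : ALLOW
sshd: [::1] : ALLOW
sshd: 192.168.5. : ALLOW
sshd: 1.2.3. : ALLOW
sshd: 4.5.6. : ALLOW
"""

if __name__ == "__main__":
    print("open to ALL:", wide_open_daemons(GENERIC_HOSTS_ALLOW))
    print("sshd from 203.0.113.7:",
          admitted_by_hosts_allow(RESTRICTED_HOSTS_ALLOW, "sshd", "203.0.113.7"))
```

Run wide_open_daemons() over the edited salt source file before the salt-call step; any daemon it lists still accepts connections from every subnet.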

Log Forwarding
The Nutanix CVM provides a method for log integrity by using a cluster-wide setting to forward all logs
to a central log host. Due to the appliance form factor of the CVM, system and audit logs do not support
local log retention periods, because a significant increase in log traffic could be used to orchestrate a
distributed denial of service (DDoS) attack.
Nutanix recommends deploying a central log host in the management enclave to adhere to any compliance
or internal policy requirement for log retention. In case of any system compromise, a central log host
serves as a defense mechanism to preserve log integrity.

Note: The audit daemon in the CVM uses the audisp plugin by default to ship all audit logs to the rsyslog daemon
(stored in /home/log/messages). Searching for audispd on the central log host returns the entire content of
the audit logs from the CVM. The audit daemon is configured with a rules engine that adheres to the auditing
requirements of the Operating System Security Requirements Guide (OS SRG) and is embedded as part of the
CVM STIG.

Use the nCLI to enable forwarding of system, audit, aide, and SCMA logs of all the CVM nodes in a cluster
at the required log level.
Run the following command to configure a central log host for all the nodes in a cluster.
nutanix@cvm$ ncli rsyslog-config edit-server name=nodeD \
ip-address=IP_address port=514 network-protocol=tcp relp-enabled=no

Run the following command to configure the log forwarding.
nutanix@cvm$ ncli rsyslog-config add-module module-name=syslog_module \
level=info server-name=nodeD

The following log levels are supported by rsyslog.


• debug
• info (recommended)
• notice
• warning
• error
• crit
• alert
• emerg

Note: Nutanix recommends that the central log host be tested thoroughly to ensure that all logs are
received from the CVM. The recommended log setting for troubleshooting requirements is error.

Replacing a Certificate
Nutanix simplifies the certificate replacement process to support the need for Certificate Authority (CA)
based chains of trust. Nutanix recommends that you replace the default self-signed certificate with a
CA-signed certificate.

1. Log in to Prism and click the gear icon.

2. Click SSL Certificate.

3. Select Replace Certificate to replace the certificate.

4. Do one of the following.


• Select Regenerate self signed certificate to generate a new self-signed certificate.
• Select Import key and certificate to import the custom key and certificate. RSA 2048 bit, Elliptic
Curve DSA 256 bit, and Elliptic Curve DSA 384 bit types of key and certificate are supported.
The following files are required and should be PEM encoded to import the key and certificate.
• The private key associated with the certificate.
• The signed public portion of the server certificate corresponding to the private key.
• The CA certificate or chain of the signing authority for the certificate.

Figure 2: Importing Certificate

a. Run the following OpenSSL command to generate an RSA 2048 private key and the Certificate
Signing Request (CSR).
openssl req -out server.csr -new -newkey rsa:2048 -nodes -sha256 -subj \
"/C=US/ST=CA/L=San Jose/O=Nutanix Inc./OU=Manageability/CN=*.nutanix.local" \
-keyout server.key

b. Run the following OpenSSL commands to generate an EC DSA 256 private key and the Certificate
Signing Request (CSR).
openssl ecparam -out dsakey.pem -name prime256v1 -genkey
openssl req -out dsacert.csr -new -key dsakey.pem -nodes -sha256 -subj \
"/C=US/ST=CA/L=San Jose/O=Nutanix Inc./OU=Manageability/CN=*.nutanix.local"



c. Run the following OpenSSL commands to generate an EC DSA 384 private key and the Certificate
Signing Request (CSR).
openssl ecparam -out dsakey.pem -name secp384r1 -genkey
openssl req -out dsacert.csr -new -key dsakey.pem -nodes -sha384 -subj \
"/C=US/ST=CA/L=San Jose/O=Nutanix Inc./OU=Manageability/CN=*.nutanix.local"

Note: To adhere to the high security standards of NIST SP 800-131A and the RFC 6460 requirements for
NSA Suite B, and to provide optimal encryption performance, the certificate import process validates that the
correct signature algorithm is used for a given key and certificate pair.

The following figure displays the supported configurations.

Figure 3: Supported Configurations

5. Run the following command to concatenate the list of CA certificates into a chain file.
cat signer.crt inter.crt root.crt > server.cert

Note: The chain should start with the signer's certificate and end with the root CA certificate.

Contact Sales Team


For more information on our defense-in-depth model and our Security Development Lifecycle (SecDL),
contact your Nutanix sales team.

