Enabling Commercial Grade Hardening

Last Updated: Nov 21, 2022

About this task

Commercial Grade hardening cannot be disabled after you enable it. To return to a system without Commercial Grade hardening, you must redeploy System Manager.

Before you begin

  • To reach the System Manager command-line interface, use one of the following methods:

    • Open vSphere Client (HTML5) and click the Console tab or the icon.

    • Use PuTTY.

  • Log in to System Manager with administrator privilege credentials.

  • Create the System Manager virtual machine snapshot.

    Note:

    Delete the snapshot after the System Manager operation is complete.

Procedure

  1. Log in to the System Manager command-line interface.
  2. Type setSecurityProfile --enable-commercial-grade, and press Enter.
  3. At the prompt, type the user password and press Enter.
  4. At the prompt, type one of the following and press Enter:
    • 1 to continue.

    • 2 to exit.

    You cannot access System Manager when the profile is enabled.

    System Manager checks for the System Manager CA certificate, takes a few minutes to complete the settings, and reboots to apply the changes.

  5. To verify the enabled security profile, type getSecurityprofile, and press Enter.

    If the security profile is successfully enabled, System Manager displays the status.

    For example:

    Profile Mode : commercial grade hardened mode enabled
    
    SELinux status:                 enabled
    SELinuxfs mount:                /sys/fs/selinux
    SELinux root directory:         /etc/selinux
    Loaded policy name:             targeted
    Current mode:                   permissive
    Mode from config file:          permissive
    Policy MLS status:              enabled
    Policy deny_unknown status:     allowed
    Memory protection checking:     actual (secure)
    Max kernel policy version:      33
    
    FIPS State : FIPS enabled.
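
One way to script the check in step 5, as an added example that is not part of the original page or of the product's own tooling. It parses the status text, fails unless the profile, FIPS and SELinux lines match the enabled state shown above, and reports an SELinux mode other than enforcing as a note, because permissive mode logs policy denials without blocking them. The function names are hypothetical, and the output format is assumed to match the example above.

```shell
# Added example. SAMPLE_STATUS is the example status output shown on this page.
SAMPLE_STATUS='Profile Mode : commercial grade hardened mode enabled

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

FIPS State : FIPS enabled.'

# status_field LABEL: read status text on stdin, print the value after "LABEL:".
status_field() {
    awk -v label="$1" '{
        pos = index($0, ":")
        if (pos == 0) next
        key = substr($0, 1, pos - 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key)
        if (key != label) next
        val = substr($0, pos + 1)
        gsub(/^[ \t]+|[ \t\r.]+$/, "", val)   # drop padding, CR, trailing period
        print val
        exit
    }'
}
# check_hardening TEXT: return 0 only if profile, FIPS and SELinux lines are as expected.
check_hardening() {
    rc=0
    profile=$(printf '%s\n' "$1" | status_field "Profile Mode")
    fips=$(printf '%s\n' "$1" | status_field "FIPS State")
    se_status=$(printf '%s\n' "$1" | status_field "SELinux status")
    se_mode=$(printf '%s\n' "$1" | status_field "Current mode")
    se_conf=$(printf '%s\n' "$1" | status_field "Mode from config file")
    [ "$profile" = "commercial grade hardened mode enabled" ] ||
        { echo "FAIL profile mode: ${profile:-missing}"; rc=1; }
    [ "$fips" = "FIPS enabled" ] || { echo "FAIL FIPS state: ${fips:-missing}"; rc=1; }
    [ "$se_status" = "enabled" ] || { echo "FAIL SELinux status: ${se_status:-missing}"; rc=1; }
    [ "$se_mode" = "$se_conf" ] || { echo "FAIL SELinux mode differs from config file"; rc=1; }
    # Permissive mode logs policy denials without blocking them: report, do not fail.
    [ "$se_mode" = "enforcing" ] || echo "NOTE SELinux current mode: ${se_mode:-missing}"
    return "$rc"
}

check_hardening "$SAMPLE_STATUS"
```

To check a live system, pass the text captured in step 5 to check_hardening in place of SAMPLE_STATUS.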