Enabling Military Grade hardening

Last Updated : Jun 07, 2024

About this task

After you enable Military Grade hardening, you cannot disable it on the running system. The only way to remove Military Grade hardening is to redeploy System Manager.

Before you begin

  • To reach the System Manager command-line interface, use one of the following methods:

    • Open vSphere Client (HTML5) and click the Console tab or the icon.

    • Use PuTTY.

  • Log in to System Manager with administrator privilege credentials.

  • Create the System Manager virtual machine snapshot.

    Note:

    Delete the snapshot after the System Manager operation is complete.

Procedure

  1. Log in to the System Manager command-line interface.
  2. Type setSecurityProfile --enable-military-grade, and press Enter.
  3. At the prompt, type the user password and press Enter.
  4. At the prompt, type one of the following and press Enter:
    • 1 to continue.

    • 2 to exit.

  5. At the Enable SELinux? prompt, type one of the following and press Enter:
    • 1 to enable.

    • 2 to disable.

  6. At the Enable Audit? prompt, type one of the following and press Enter:
    • 1 to enable.

    • 2 to disable.

  7. At the Enable AIDE Tool? prompt, type one of the following and press Enter:
    • 1 to enable.

    • 2 to disable.

  8. At the Enable Fapolicy? prompt, type one of the following and press Enter:
    • 1 to enable.

    • 2 to disable.

    You cannot access System Manager when the profile is enabled.

    System Manager takes a few minutes to complete the setting, and reboots for the changes to take effect.

    Note:
    • After a Security Hardening grade is enabled, you cannot enable a lower-level Security Hardening grade.

    • In Release 10.1, if System Manager was not rebooted since installation, then during the Military Grade hardening process, System Manager reboots twice for the changes to take effect.

  9. To verify the enabled security profile, type getSecurityprofile, and press Enter.

    If the security profile is successfully enabled, System Manager displays the status.

    For example:

    Profile Mode : military grade hardened mode enabled
    
    SELinux status:                 enabled
    SELinuxfs mount:                /sys/fs/selinux
    SELinux root directory:         /etc/selinux
    Loaded policy name:             targeted
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy MLS status:              enabled
    Policy deny_unknown status:     allowed
    Max kernel policy version:      28
    
    FIPS State : FIPS enabled.
    
    Audit logging Enabled..
    
    AIDE Tool Enabled..
    
    Fapolicy:
          status:                   enabled
          state:                    active
          mode from config file:    enforcing
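
The status check in step 9 can be scripted instead of read by eye. The following is an added example, not vendor code, that parses saved getSecurityprofile output and reports any component that does not show the enabled wording from the example above. The names check_profile and sample_output and the component keywords are assumptions of this example; the page does not show how a disabled component is reported, so any other wording is flagged as not confirmed.

```shell
#!/bin/sh
# Added example, not vendor code. Reads getSecurityprofile output on stdin and
# confirms that each component named in $1 (default: all six) shows the enabled
# wording from step 9. Any other wording is reported, not interpreted.
check_profile() {
    awk -v want="${1:-profile selinux fips audit aide fapolicy}" '
    { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }   # drop indentation and CR
    /^Profile Mode *: *military grade hardened mode enabled$/ { seen["profile"]++ }
    /^SELinux status: +enabled$/          { seen["selinux"]++ }
    /^Current mode: +enforcing$/          { seen["selinux"]++ }
    /^Mode from config file: +enforcing$/ { seen["selinux"]++ }
    /^FIPS State *: *FIPS enabled/        { seen["fips"]++ }
    /^Audit logging Enabled/              { seen["audit"]++ }
    /^AIDE Tool Enabled/                  { seen["aide"]++ }
    /^Fapolicy:$/                         { in_fap = 1; next }
    in_fap && /^status: +enabled$/                  { seen["fapolicy"]++ }
    in_fap && /^state: +active$/                    { seen["fapolicy"]++ }
    in_fap && /^mode from config file: +enforcing$/ { seen["fapolicy"]++ }
    END {
        need["profile"] = 1; need["selinux"] = 3; need["fips"] = 1   # lines required
        need["audit"] = 1; need["aide"] = 1; need["fapolicy"] = 3
        n = split(want, w, " "); bad = 0
        for (i = 1; i <= n; i++)
            if (!(w[i] in need) || seen[w[i]] != need[w[i]]) {
                print "NOT CONFIRMED: " w[i]; bad = 1
            }
        exit bad
    }'
}

# Constructed sample: the step 9 example output, abridged.
sample_output() {
    cat <<'EOF'
    Profile Mode : military grade hardened mode enabled
    SELinux status:                 enabled
    Loaded policy name:             targeted
    Current mode:                   enforcing
    Mode from config file:          enforcing
    FIPS State : FIPS enabled.
    Audit logging Enabled..
    AIDE Tool Enabled..
    Fapolicy:
          status:                   enabled
          state:                    active
          mode from config file:    enforcing
EOF
}

sample_output | check_profile && echo "hardening state confirmed"
```

On a live system, pipe the saved output of step 9 into check_profile and pass only the components you enabled at the prompts, for example check_profile "profile fips selinux audit".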