In VMware Aria Automation 8.18.x, administrators may need to restrict console access to TTY only or verify the current hardening status of the SSH service to meet security compliance requirements.
This process involves modifying the GRUB configuration and utilizing internal validation scripts.
Note:
Editing or modifying GRUB is not officially supported by Broadcom; it requires a special request from the customer that must be approved by Engineering.
Product: VMware Aria Automation
Version: 8.18.x
Operating System: Photon OS (Appliance-based)
By default, the appliance may allow broader console access modes. Hardening these settings ensures that access is limited to the physical or virtual Teletype (TTY) interface, reducing the attack surface.
Restricting Console to TTY:
To restrict the console to TTY, you must modify the bootloader configuration:
a. Log in to the VMware Aria Automation appliance as root via SSH.
b. Open the /etc/default/grub file in a text editor, locate the GRUB_CMDLINE_LINUX line, and append console=tty1 inside the quoted value of that line.
c. Save the file and exit the editor.
d. Update the GRUB configuration by running: grub2-mkconfig -o /boot/grub2/grub.cfg
e. Reboot the appliance for changes to take effect.
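The following is an added example, not a script shipped with the appliance or from the original article. It performs steps b and c in a repeatable way: it backs up the file, adds console=tty1 to the double-quoted GRUB_CMDLINE_LINUX value without duplicating it on a second run, and handles a missing or empty value. The demo at the bottom runs against a constructed sample file rather than the real /etc/default/grub; the grub2-mkconfig step is wrapped in a function that is only meaningful on the appliance itself.

```shell
#!/bin/sh
# Added example (not the appliance's own tooling): idempotently append
# console=tty1 to the GRUB_CMDLINE_LINUX value of an /etc/default/grub-style
# file, backing the file up first. Assumes the value is double-quoted.
set -eu

# Usage: add_tty_console_param /etc/default/grub
add_tty_console_param() {
  f="$1"
  line=$(grep '^GRUB_CMDLINE_LINUX=' "$f" || true)
  # Already hardened: leave the file untouched so repeated runs do not
  # duplicate the parameter.
  case "$line" in
    *"console=tty1 "*|*'console=tty1"'*) return 0 ;;
  esac
  # Back up before editing, as the article recommends for manual changes.
  cp "$f" "$f.bak"
  if [ -z "$line" ]; then
    # No GRUB_CMDLINE_LINUX line at all: add one.
    printf 'GRUB_CMDLINE_LINUX="console=tty1"\n' >> "$f"
  elif [ "$line" = 'GRUB_CMDLINE_LINUX=""' ]; then
    # Empty value: set it directly to avoid a leading space.
    sed -i 's/^GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="console=tty1"/' "$f"
  else
    # Insert the parameter just before the closing quote of the value.
    sed -i 's/^\(GRUB_CMDLINE_LINUX="[^"]*\)"/\1 console=tty1"/' "$f"
  fi
}

# Print the current GRUB_CMDLINE_LINUX value (without quotes) for inspection.
grub_cmdline() {
  sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$1"
}

# Step d of the article; only meaningful on the appliance itself, so the
# demo below does not call it. Reboot afterwards (step e) to apply.
regenerate_grub_cfg() {
  grub2-mkconfig -o /boot/grub2/grub.cfg
  echo "GRUB configuration regenerated; reboot the appliance to apply."
}

# Demo on a constructed sample file (not copied from a real appliance).
demo=$(mktemp)
cat > "$demo" <<'EOF'
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX="net.ifnames=0"
EOF
add_tty_console_param "$demo"
echo "GRUB_CMDLINE_LINUX is now: $(grub_cmdline "$demo")"
rm -f "$demo" "$demo.bak"
```

On the appliance you would call add_tty_console_param /etc/default/grub as root, inspect the result with grub_cmdline /etc/default/grub, then run regenerate_grub_cfg and reboot. The idempotence check matters because a second run of a naive sed append would leave two console= parameters on the kernel command line.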
Verifying SSH Hardening Status
Security audits or hardening requirements often necessitate the verification of the /etc/ssh/sshd_config file to ensure that weak cryptographic settings are disabled and only approved protocols are in use.
To verify the SSH security settings, follow these steps:
a. Log in to the Aria Automation appliance as root via the console or a currently active SSH session.
b. Navigate to the SSH configuration directory: cd /etc/ssh/
c. To verify the effective runtime configuration (which accounts for any included files or defaults), run:
sshd -T | grep -E "ciphers|macs|kexalgorithms"
d. Check the status of the SSH service to ensure no configuration errors are preventing the service from applying the latest security hardening:
systemctl status sshd
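The grep in step c only lists the algorithms; deciding whether any of them is weak is still left to the reader. The following added example (not a script from the appliance or the original article) reads sshd -T output and flags algorithms that compliance scanners commonly reject. The weak-algorithm lists are illustrative assumptions, not an authoritative policy, and the demo input is constructed rather than captured from a real appliance.

```shell
#!/bin/sh
# Added example (not the appliance's own validation script): audit the
# effective sshd cipher, MAC and key-exchange lists for algorithms commonly
# flagged as weak. On the appliance, feed it the live configuration with:
#   sshd -T | audit_ssh_algorithms
# The weak-algorithm lists below are illustrative, not an authoritative policy.
WEAK_CIPHERS='arcfour|arcfour128|arcfour256|3des-cbc|blowfish-cbc|cast128-cbc|aes128-cbc|aes192-cbc|aes256-cbc'
WEAK_MACS='hmac-md5|hmac-md5-96|hmac-sha1|hmac-sha1-96|umac-64@openssh.com|hmac-md5-etm@openssh.com|hmac-sha1-etm@openssh.com'
WEAK_KEX='diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1'

# Reads "keyword value" lines (sshd -T format) on stdin, prints one
# "WEAK <keyword> <algorithm>" line per finding, and returns 1 if anything
# weak was found, 0 otherwise.
audit_ssh_algorithms() {
  found=0
  while read -r key value; do
    case "$key" in
      ciphers)       pat="$WEAK_CIPHERS" ;;
      macs)          pat="$WEAK_MACS" ;;
      kexalgorithms) pat="$WEAK_KEX" ;;
      *)             continue ;;
    esac
    # The value is a comma-separated list; test each algorithm on its own.
    for alg in $(printf '%s' "$value" | tr ',' ' '); do
      if printf '%s\n' "$alg" | grep -Eq "^($pat)$"; then
        echo "WEAK $key $alg"
        found=1
      fi
    done
  done
  return "$found"
}

# Demo on constructed sample output (not captured from a real appliance).
sample='ciphers aes128-cbc,aes256-gcm@openssh.com
macs hmac-md5,hmac-sha2-256
kexalgorithms diffie-hellman-group1-sha1,curve25519-sha256'
if printf '%s\n' "$sample" | audit_ssh_algorithms; then
  echo "No weak algorithms found"
else
  echo "Weak algorithms present; tighten /etc/ssh/sshd_config and restart sshd"
fi
```

Because the function consumes sshd -T rather than the raw file, it sees the effective values after defaults and any Include directives are applied, which is the point of step c. After editing sshd_config, sshd -t (test mode) reports syntax errors before you restart the service, which complements the systemctl status check in step d.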
Note: Always create a backup of your configuration file before making any manual edits: cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
For more information on the maintenance and support lifecycle of this version, please refer to the Product Lifecycle page.