Nutanix Security Hardening AOS 7.5, Part 1: CVM, PCVM & AHV
A technical deep-dive into hardening your Nutanix infrastructure at the hypervisor and controller level. This is Part 1 of a 3-part series covering AOS 7.5 security features.
With regulations like NIS2 and DORA now in effect across the EU, hardening your hyperconverged infrastructure isn't optional, it's a compliance requirement. This series walks through every step using real CLI commands.
Prerequisites
- SSH access to Nutanix CVM or PCVM
- Prism Central pc.7.5 or later (for centralized security management)
- AOS 7.5 running on your cluster
- Administrative credentials for Prism Element/Central
- Basic familiarity with nCLI commands
Security Configuration Management Automation (SCMA)
Nutanix AOS 7.5 uses Security Configuration Management Automation (SCMA) to continuously monitor and self-heal security configurations. The platform conforms to RHEL 8 Security Technical Implementation Guides (STIGs) published by DISA.
SCMA automatically detects deviations from the security baseline and reverts them without manual intervention. This covers boot loader settings, file system permissions, SSH configurations, authentication policies, and logging.
Generating a STIG Compliance Report
Use the OpenSCAP tool to generate a compliance report for your CVMs:
ssh nutanix@cvm_ip_address
Create the output directory:
mkdir /tmp/stig_report
Generate the STIG compliance report:
sudo python3 -B /home/nutanix/config/security/stig_scripts/stig_scan_driver.py \
/home/nutanix/config/security/stig_scripts/U_RHEL_8_V1R11_STIG_SCAP_1-2_Benchmark.xml \
/tmp/stig_report/
The scan takes approximately 60-90 minutes depending on your environment size.
CVM Security Hardening
View the current CVM security configuration:
ncli cluster get-cvm-security-config
Expected output:
Enable Aide : false
Enable Core : false
Enable High Strength P...: false
Enable Banner : false
Schedule : DAILY
Enable Kernel Core : true
Enable Page Poison : false
Enable Slub Debug : false
SSH Security Level : DEFAULT
Enable Lock Status : false
IP Restriction State : NORMAL
Enable DoDin Additiona...: false
Enable Fapolicy : false
Enable Processor Mitig...: false
SSH whitelisted addres...:
Enable AIDE (Advanced Intrusion Detection Environment)
AIDE performs file and directory integrity checking to detect unauthorized modifications:
ncli cluster edit-cvm-security-params enable-aide=true
Enable High Strength Password Policy
Enforces stricter password requirements including minimum 15 characters, 8 character difference from old password, and dictionary checks:
ncli cluster edit-cvm-security-params enable-high-strength-password=true
Configure SSH Login Banner
First, backup and modify the DoD banner file:
sudo cp -a /srv/salt/security/CVM/sshd/DODbanner /srv/salt/security/CVM/sshd/DODbannerbak
sudo vi /srv/salt/security/CVM/sshd/DODbanner
Enable the banner:
ncli cluster edit-cvm-security-params enable-banner=true
Enable Memory Protection Features
Enable page poison to detect use-after-free vulnerabilities:
ncli cluster edit-cvm-security-params enable-page-poison=true
Enable SLUB debugging for memory corruption detection:
ncli cluster edit-cvm-security-params enable-slub-debug=true
PCVM Security Hardening
View the PCVM security configuration:
ssh nutanix@pcvm_ip_address
ncli cluster get-pcvm-security-config
Expected output:
Enable Aide : false
Enable Core : false
Enable High Strength P...: false
Enable Banner : false
Schedule : DAILY
Enable Kernel Core : false
Enable Page Poison : false
Enable Slub Debug : false
SSH Security Level : DEFAULT
Enable Lock Status : false
IP Restriction State : NORMAL
Enable DoDin Additiona...: false
Enable Fapolicy : false
Enable Processor Mitig...: false
SSH whitelisted addres...:
Enable PCVM Security Features
Enable AIDE on PCVM:
ncli cluster edit-pcvm-security-params enable-aide=true
Enable high strength password:
ncli cluster edit-pcvm-security-params enable-high-strength-password=true
Enable processor mitigations against CPU vulnerabilities:
ncli cluster edit-pcvm-security-params enable-processor-mitigations=true
Configure SSH Security Level
Available options are DEFAULT, LIMITED, or RESTRICTED:
ncli cluster edit-pcvm-security-params ssh-security-level=LIMITED
- DEFAULT: Full nutanix user privileges for password or key-based SSH
- LIMITED: Password-based sessions switch to lower-privileged admin user
- RESTRICTED: All sessions switch to lower-privileged admin user
Configure IP Restriction and SSH Whitelist
Add IP addresses to the SSH whitelist:
ncli cluster edit-pcvm-security-params add-to-ssh-whitelist=10.0.1.100
Enable IP restriction to limit SSH access to whitelisted IPs only:
ncli cluster edit-pcvm-security-params ip-restriction=restricted
AHV Security Hardening
Enable high strength password on AHV hosts:
ncli cluster edit-hypervisor-security-params enable-high-strength-password=true
Enable iTLB Multihit mitigation (CVE-2018-12207):
ncli cluster edit-hypervisor-security-params enable-itlb-multihit-mitigation=True
Enable Retbleed mitigation (CVE-2022-29900, CVE-2022-29901):
ncli cluster edit-hypervisor-security-params enable-retbleed-mitigation=True
Enable memory poison:
ncli cluster edit-hypervisor-security-params enable-memory-poison=True
Summary
This first part covered the foundation: SCMA and STIG compliance reporting, CVM hardening (AIDE, password policies, SSH banners, memory protection), PCVM hardening (SSH levels, IP restrictions), and AHV host hardening (CPU vulnerability mitigations). In Part 2, we cover cluster lockdown and data encryption.


