Nutanix Security Hardening AOS 7.5, Part 1: CVM, PCVM & AHV

A technical deep-dive into hardening your Nutanix infrastructure at the hypervisor and controller level. This is Part 1 of a 3-part series covering AOS 7.5 security features.

With regulations like NIS2 and DORA now in effect across the EU, hardening your hyperconverged infrastructure isn't optional, it's a compliance requirement. This series walks through every step using real CLI commands.

Prerequisites

  • SSH access to Nutanix CVM or PCVM
  • Prism Central pc.7.5 or later (for centralized security management)
  • AOS 7.5 running on your cluster
  • Administrative credentials for Prism Element/Central
  • Basic familiarity with nCLI commands

Security Configuration Management Automation (SCMA)

Nutanix AOS 7.5 uses Security Configuration Management Automation (SCMA) to continuously monitor and self-heal security configurations. The platform conforms to RHEL 8 Security Technical Implementation Guides (STIGs) published by DISA.

SCMA automatically detects deviations from the security baseline and reverts them without manual intervention. This covers boot loader settings, file system permissions, SSH configurations, authentication policies, and logging.

Generating a STIG Compliance Report

Use the OpenSCAP tool to generate a compliance report for your CVMs:

bash
ssh nutanix@cvm_ip_address

Create the output directory:

bash
mkdir /tmp/stig_report

Generate the STIG compliance report:

bash
sudo python3 -B /home/nutanix/config/security/stig_scripts/stig_scan_driver.py \
  /home/nutanix/config/security/stig_scripts/U_RHEL_8_V1R11_STIG_SCAP_1-2_Benchmark.xml \
  /tmp/stig_report/

The scan takes approximately 60-90 minutes depending on your environment size.

CVM Security Hardening

View the current CVM security configuration:

bash
ncli cluster get-cvm-security-config

Expected output:

output
Enable Aide              : false
Enable Core              : false
Enable High Strength P...: false
Enable Banner            : false
Schedule                 : DAILY
Enable Kernel Core       : true
Enable Page Poison       : false
Enable Slub Debug        : false
SSH Security Level       : DEFAULT
Enable Lock Status       : false
IP Restriction State     : NORMAL
Enable DoDin Additiona...: false
Enable Fapolicy          : false
Enable Processor Mitig...: false
SSH whitelisted addres...:

Enable AIDE (Advanced Intrusion Detection Environment)

AIDE performs file and directory integrity checking to detect unauthorized modifications:

bash
ncli cluster edit-cvm-security-params enable-aide=true

Enable High Strength Password Policy

Enforces stricter password requirements including minimum 15 characters, 8 character difference from old password, and dictionary checks:

bash
ncli cluster edit-cvm-security-params enable-high-strength-password=true

Configure SSH Login Banner

First, backup and modify the DoD banner file:

bash
sudo cp -a /srv/salt/security/CVM/sshd/DODbanner /srv/salt/security/CVM/sshd/DODbannerbak
sudo vi /srv/salt/security/CVM/sshd/DODbanner

Enable the banner:

bash
ncli cluster edit-cvm-security-params enable-banner=true

Enable Memory Protection Features

Enable page poison to detect use-after-free vulnerabilities:

bash
ncli cluster edit-cvm-security-params enable-page-poison=true

Enable SLUB debugging for memory corruption detection:

bash
ncli cluster edit-cvm-security-params enable-slub-debug=true

PCVM Security Hardening

View the PCVM security configuration:

bash
ssh nutanix@pcvm_ip_address
ncli cluster get-pcvm-security-config

Expected output:

output
Enable Aide              : false
Enable Core              : false
Enable High Strength P...: false
Enable Banner            : false
Schedule                 : DAILY
Enable Kernel Core       : false
Enable Page Poison       : false
Enable Slub Debug        : false
SSH Security Level       : DEFAULT
Enable Lock Status       : false
IP Restriction State     : NORMAL
Enable DoDin Additiona...: false
Enable Fapolicy          : false
Enable Processor Mitig...: false
SSH whitelisted addres...:

Enable PCVM Security Features

Enable AIDE on PCVM:

bash
ncli cluster edit-pcvm-security-params enable-aide=true

Enable high strength password:

bash
ncli cluster edit-pcvm-security-params enable-high-strength-password=true

Enable processor mitigations against CPU vulnerabilities:

bash
ncli cluster edit-pcvm-security-params enable-processor-mitigations=true

Configure SSH Security Level

Available options are DEFAULT, LIMITED, or RESTRICTED:

bash
ncli cluster edit-pcvm-security-params ssh-security-level=LIMITED
  • DEFAULT: Full nutanix user privileges for password or key-based SSH
  • LIMITED: Password-based sessions switch to lower-privileged admin user
  • RESTRICTED: All sessions switch to lower-privileged admin user

Configure IP Restriction and SSH Whitelist

Add IP addresses to the SSH whitelist:

bash
ncli cluster edit-pcvm-security-params add-to-ssh-whitelist=10.0.1.100

Enable IP restriction to limit SSH access to whitelisted IPs only:

bash
ncli cluster edit-pcvm-security-params ip-restriction=restricted

AHV Security Hardening

Enable high strength password on AHV hosts:

bash
ncli cluster edit-hypervisor-security-params enable-high-strength-password=true

Enable iTLB Multihit mitigation (CVE-2018-12207):

bash
ncli cluster edit-hypervisor-security-params enable-itlb-multihit-mitigation=True

Enable Retbleed mitigation (CVE-2022-29900, CVE-2022-29901):

bash
ncli cluster edit-hypervisor-security-params enable-retbleed-mitigation=True

Enable memory poison:

bash
ncli cluster edit-hypervisor-security-params enable-memory-poison=True

Summary

This first part covered the foundation: SCMA and STIG compliance reporting, CVM hardening (AIDE, password policies, SSH banners, memory protection), PCVM hardening (SSH levels, IP restrictions), and AHV host hardening (CPU vulnerability mitigations). In Part 2, we cover cluster lockdown and data encryption.