Академический Документы
Профессиональный Документы
Культура Документы
Scott Radvan
Tahlia Richardson
Thanks go to the following people for enabling the creation of this guide:
Paul Moore
Kurt Seifried
David Jorm
Legal Notice
Co pyright 20 12, 20 14 Red Hat, Inc.
This do cument is licensed by Red Hat under the Creative Co mmo ns Attributio n-ShareAlike 3.0
Unpo rted License. If yo u distribute this do cument, o r a mo dified versio n o f it, yo u must pro vide
attributio n to Red Hat, Inc. and pro vide a link to the o riginal. If the do cument is mo dified, all Red
Hat trademarks must be remo ved.
Red Hat, as the licenso r o f this do cument, waives the right to enfo rce, and agrees no t to assert,
Sectio n 4 d o f CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shado wman lo go , JBo ss, MetaMatrix, Fedo ra, the Infinity
Lo go , and RHCE are trademarks o f Red Hat, Inc., registered in the United States and o ther
co untries.
Linux is the registered trademark o f Linus To rvalds in the United States and o ther co untries.
Java is a registered trademark o f Oracle and/o r its affiliates.
XFS is a trademark o f Silico n Graphics Internatio nal Co rp. o r its subsidiaries in the United
States and/o r o ther co untries.
MySQL is a registered trademark o f MySQL AB in the United States, the Euro pean Unio n and
o ther co untries.
No de.js is an o fficial trademark o f Jo yent. Red Hat So ftware Co llectio ns is no t fo rmally
related to o r endo rsed by the o fficial Jo yent No de.js o pen so urce o r co mmercial pro ject.
The OpenStack Wo rd Mark and OpenStack Lo go are either registered trademarks/service
marks o r trademarks/service marks o f the OpenStack Fo undatio n, in the United States and o ther
co untries and are used with the OpenStack Fo undatio n's permissio n. We are no t affiliated with,
endo rsed o r spo nso red by the OpenStack Fo undatio n, o r the OpenStack co mmunity.
All o ther trademarks are the pro perty o f their respective o wners.
Abstract
This guide pro vides an o verview o f virtualizatio n security techno lo gies pro vided by Red Hat. It
also pro vides reco mmendatio ns fo r securing ho sts, guests, and shared infrastructure and
reso urces in virtualized enviro nments.
T able of Contents
. .hapt
C
. . . .er
. .1. .. Int
. . .roduct
. . . . . .ion
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2. . . . . . . . . .
1.1. Virtualiz ed and No n-Virtualiz ed Enviro nments
2
1.2. Why Virtualiz atio n Sec urity Matters
3
1.3. Leverag ing SELinux with s Virt
4
1.4. Further Res o urc es
4
. .hapt
C
. . . .er
. .2. .. Host
. . . . .Securit
. . . . . . y. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6. . . . . . . . . .
2 .1. Why Ho s t Sec urity Matters
6
2 .2. Ho s t Sec urity Rec o mmend ed Prac tic es fo r Red Hat Enterp ris e Linux
6
2 .2.1. Sp ec ial Co ns id eratio ns fo r Pub lic Clo ud O p erato rs
7
2 .3. Ho s t Sec urity Rec o mmend ed Prac tic es fo r Red Hat Enterp ris e Virtualiz atio n
7
2 .3.1. Red Hat Enterp ris e Virtualiz atio n Netwo rk Po rts
7
. .hapt
C
. . . .er
. .3.
. .G. uest
. . . . .Securit
. . . . . . y. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9. . . . . . . . . .
3 .1. Why G ues t Sec urity Matters
3 .2. G ues t Sec urity Rec o mmend ed Prac tic es
9
9
. .hapt
C
. . . .er
. .4. .. sVirt
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1. 0. . . . . . . . . .
4 .1. Intro d uc tio n
10
4 .2. SELinux and Mand ato ry Ac c es s Co ntro l (MAC)
10
4 .3. s Virt Co nfig uratio n
11
4 .4. s Virt Lab eling
12
4 .4.1. Typ es o f s Virt Lab els
12
4 .4.2. Dynamic Co nfig uratio n
12
4 .4.3. Dynamic Co nfig uratio n with Bas e Lab eling
13
4 .4.4. Static Co nfig uratio n with Dynamic Res o urc e Lab eling
13
4 .4.5. Static Co nfig uratio n witho ut Res o urc e Lab eling
13
. .hapt
C
. . . .er
. .5.
. .Net
. . . work
. . . . .Securit
. . . . . .y. in
. . .a. Virt
. . . ualiz
. . . . ed
. . . Environment
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1. 5. . . . . . . . . .
5 .1. Netwo rk Sec urity O verview
15
5 .2. Netwo rk Sec urity Rec o mmend ed Prac tic es
15
5 .2.1. Sec uring Co nnec tivity to Sp ic e
15
5 .2.2. Sec uring Co nnec tivity to Sto rag e
15
. .ppendix
A
. . . . . . . A.
. . Furt
. . . . her
. . . Informat
. . . . . . . .ion
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1. 6. . . . . . . . . .
A .1. SELinux and s Virt
A .2. Virtualiz atio n Sec urity
16
16
. .ppendix
A
. . . . . . . B.
. . .Revision
. . . . . . . .Hist
. . . ory
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1. 7. . . . . . . . . .
Chapter 1. Introduction
1.1. Virt ualiz ed and Non-Virt ualiz ed Environment s
A virtualized environment presents opportunities for both the discovery of new attack vectors and the
refinement of existing exploits that may not previously have presented value to an attacker. It is
therefore important to take steps to ensure the security of both the physical hosts and the guests
running on them when creating and maintaining virtual machines.
N o n - Virt u aliz ed En viro n men t
In a non-virtualized environment, hosts are separated from each other physically and each host has
a self-contained environment, consisting of services such as a web server, or a D NS server. These
services communicate directly to their own user space, host kernel and physical host, offering their
services directly to the network. The following image represents a non-virtualized environment:
This guide aims to assist you in mitigating your security risks by offering a number of virtualization
recommended practices for Red Hat Enterprise Linux and Red Hat Enterprise Virtualization that will
help you secure your virtualized infrastructure.
Red Hat Enterprise Virtualization User Guide: This guide describes how to use the User Portal of a
Red Hat Enterprise Virtualization environment, including the functionality provided by the Basic
and Extended tabs, how to create and work with virtual machines and templates, and how to
monitor resource usage.
Red Hat Enterprise Virtualization Technical Guide: This guide describes how to use the REST API,
the Python and Java software development kits, and command-line tools specific to Red Hat
Enterprise Virtualization. It also outlines the underlying technical concepts behind Red Hat
Enterprise Virtualization.
Red Hat Enterprise Virtualization Manager Release Notes: This guide contains information on the
Red Hat Enterprise Virtualization Manager specific to the current release.
Red Hat Enterprise Virtualization Technical Notes: This guide describes the changes that have
been made made between the current release and the previous release.
Note
All of the guides for these products are available at the Red Hat Customer Portal:
https://access.redhat.com/site/documentation/
2.2. Host Securit y Recommended Pract ices for Red Hat Ent erprise
Linux
With host security being such a critical part of a secure virtualization infrastructure, the following
recommended practices should serve as a starting point for securing a Red Hat Enterprise Linux host
system:
Run only the services necessary to support the use and management of your guest systems. If
you need to provide additional services, such as file or print services, you should consider
running those services on a Red Hat Enterprise Linux guest.
Limit direct access to the system to only those users who have a need to manage the system.
Consider disallowing shared root access and instead use tools such as sud o to grant privileged
access to administrators based on their administrative roles.
Ensure that SELinux is configured properly for your installation and is operating in enforcing
mode. Besides being a good security practice, the advanced virtualization security functionality
provided by sVirt relies on SELinux. Refer to Chapter 4, sVirt for more information on SELinux and
sVirt.
Ensure that auditing is enabled on the host system and that libvirt is configured to emit audit
records. When auditing is enabled, libvirt will generate audit records for changes to guest
configuration as well start/stop events which help you track the guest's state. In addition to the
standard audit log inspection tools, the libvirt audit events can also be viewed using the
specialized auvirt tool.
Ensure that any remote management of the system takes place only over secured network
channels. Tools such as SSH and network protocols such as TLS or SSL provide both
authentication and data encryption to help ensure that only approved administrators can
manage the system remotely.
Ensure that the firewall is configured properly for your installation and is activated at boot. Only
those network ports needed for the use and management of the system should be allowed.
Refrain from granting guests direct access to entire disks or block devices (for example,
/d ev/sd b); instead, use partitions (for example, /d ev/sd b1) or LVM volumes for guest storage.
Ensure that staff have adequate training and knowledge in virtual environments.
Warning
Attaching a USB device, Physical Function or physical device when SR-IOV is not available to
a virtual machine could provide access to the device which is sufficient enough to over-write
that device's firmware. This presents a potential security issue by which an attacker could
over-write the device's firmware with malicious code and cause problems when moving the
device between virtual machines or at host boot time. It is advised to use SR-IOV Virtual
Function device assignment where applicable.
Note
The objective of this guide is to explain the unique security-related challenges, vulnerabilities,
and solutions that are present in most virtualized environments, and the recommended method
of addressing them. However, there are a number of recommended practices to follow when
securing a Red Hat Enterprise Linux system that apply regardless of whether the system is a
standalone, virtualization host, or guest instance. These recommended practices include
procedures such as system updates, password security, encryption, and firewall
configuration. This information is discussed in more detail in the Red Hat Enterprise Linux
Security Guide which can be found at https://access.redhat.com/site/documentation/.
2.3. Host Securit y Recommended Pract ices for Red Hat Ent erprise
Virt ualiz at ion
2.3.1. Red Hat Ent erprise Virt ualiz at ion Net work Port s
Red Hat Enterprise Virtualization uses various network ports for management and other virtualization
features. These ports must be open for Red Hat Enterprise Linux to function as a host with Red Hat
Enterprise Virtualization. The list below covers ports and their usage by Red Hat Enterprise
Virtualization:
Incoming ICMP echo requests and outgoing ICMP echo replies must be allowed.
Port 22 (TCP) should be open for SSH access and the initial installation.
Port 161 (UD P) is required for SNMP (Simple Network Management Protocol).
Ports 5900 to 65535 (TCP) are used for guest console access.
Ports 80 or 443 (TCP), depending on the security settings on the Manager, are used by the vdsmreg service to communicate information about the host.
Port 16514 (TLS) or port 16509 (TCP) is used to support migration communication generated by
libvirt.
Ports 49152 to 49215 (TCP) are used for migrations. Migration may use any port in this range
depending on the number of concurrent migrations occurring.
Port 54321 (TCP) is used by default, by VDSM for management, storage and inter-host
communication. This port can be modified.
Warning
Take special care to filter SNMP on port 161 (UD P) at the border of your network unless it is
absolutely necessary to externally manage devices.
Chapter 4. sVirt
4 .1. Int roduct ion
Since virtual machines under KVM are implemented as Linux processes, KVM leverages the standard
Linux security model to provide isolation and resource controls. The Linux kernel includes SELinux
(Security-Enhanced Linux), a project developed by the US National Security Agency to add
mandatory access control (MAC), multi-level security (MLS) and multi-category security (MCS)
through a flexible and customizable security policy. SELinux provides strict resource isolation and
confinement for processes running on top of the Linux kernel, including virtual machine processes.
The sVirt project builds upon SELinux to further facilitate virtual machine isolation and controlled
sharing. For example, fine-grained permissions could be applied to group virtual machines together
to share resources.
From a security point of view, the hypervisor is a tempting target for attackers, as a compromised
hypervisor could lead to the compromise of all virtual machines running on the host system.
Integrating SELinux into virtualization technologies helps improve hypervisor security against
malicious virtual machines trying to gain access to the host system or other virtual machines.
Refer to the following image which represents isolated guests, limiting the ability for a compromised
hypervisor (or guest) to launch further attacks, or to extend to another instance:
Note
For more information on SELinux, refer to Red Hat Enterprise Linux Security-Enhanced Linux at
https://access.redhat.com/site/documentation/.
10
Chapt er 4 . sVirt
allowed operations after standard discretionary access controls (D AC) are checked. SELinux can
enforce a user-customizable security policy on running processes and their actions, including
attempts to access file system objects. Enabled by default in Red Hat Enterprise Linux, SELinux limits
the scope of potential damage that can result from the exploitation of vulnerabilities in applications
and system services, such as the hypervisor.
sVirt integrates with libvirt, a virtualization management abstraction layer, to provide a MAC
framework for virtual machines. This architecture allows all virtualization platforms supported by
libvirt and all MAC implementations supported by sVirt to interoperate.
D escrip t io n
staff_use_svirt
unprivuser_use_svirt
virt_sandbox_use_audit
virt_sandbox_use_netlink
virt_sandbox_use_sys_admin
virt_transition_userdomain
virt_use_comm
virt_use_execmem
virt_use_fusefs
virt_use_nfs
virt_use_rawip
virt_use_samba
virt_use_sanlock
virt_use_usb
virt_use_xserver
11
Note
For more information on SELinux Booleans, refer to Red Hat Enterprise Linux Security Enhanced
Linux at https://access.redhat.com/site/documentation/.
4 .4 . sVirt Labeling
Like other services under the protection of SELinux, sVirt uses process based mechanisms, labels
and restrictions to provide extra security and control over guest instances. Labels are applied
automatically to resources on the system based on the currently running virtual machines (dynamic),
but can also be manually specified by the administrator (static), to meet any specific requirements
that may exist.
SELin u x C o n t ext
system_u:system_r:svirt_t:MCS1
00:00:17 qemu-kvm
In this example, the q emu-kvm process has a base label of system_u: system_r: svi rt_t: s0 .
The libvirt system has generated a unique MCS label of c87,c520 for this process. The base label
and the MCS label are combined to form the complete security label for the process. Likewise, libvirt
12
Chapt er 4 . sVirt
takes the same MCS label and base label to form the image label. This image label is then
automatically applied to all host files that the VM is required to access, such as disk images, disk
devices, PCI devices, USB devices, and kernel/initrd files. Each process is isolated from other virtual
machines with different labels.
The following example shows the virtual machine's unique security label (with a corresponding MCS
label of c87,c520 in this case) as applied to the guest disk image file in
/var/l i b/l i bvi rt/i mag es:
# ls -lZ /var/lib/libvirt/images/*
system_u:object_r:svirt_image_t:s0:c87,c520
image1
The following example shows dynamic labeling in the XML configuration for the guest:
<seclabel type='dynamic' model='selinux' relabel='yes'>
<label>system_u:system_r:svirt_t:s0:c87,c520</label>
<imagelabel>system_u:object_r:svirt_image_t:s0:c87,c520</imagelabel>
</seclabel>
13
14
Note
For more information on networked storage, refer to the Storage Concepts chapter of the Red
Hat Enterprise Linux Virtualization Administration Guide at
https://access.redhat.com/site/documentation/.
15
16
Lau ra N o vich
R evisio n 0.4 - 28
Version for 6.7 GA release
Jiri H errman n
Mo n Ju l 14 2015
R evisio n 0.4 - 26
Fri Ap r 17 2015
Preparing document for 6.7 Beta publication.
Lau ra N o vich
R evisio n 0.4 - 25
Fri Ap r 17 2015
Preparing document for 6.7 Beta publication.
Lau ra N o vich
R evisio n 0.4 - 24
Fri Ap r 17 2015
Preparing document for 6.7 Beta publication.
Lau ra N o vich
R evisio n 0.4 - 23
Fri Ap r 17 2015
Preparing document for 6.7 Beta publication.
Lau ra N o vich
R evisio n 0.4 - 22
T h u Ap r 16 2015
Preparing document for 6.7 Beta publication.
Lau ra N o vich
R evisio n 0.4 - 21
Version for 6.6 GA release.
Sco t t R ad van
Fri O ct 10 2014
R evisio n 0.4 - 20
Fri O ct 10 2014
Sco t t R ad van
Add warning admonition regarding USB and PF security vulnerability (BZ #1150077).
R evisio n 0.4 - 19
Wed May 14 2014
Updated booleans list (BZ #1093284).
Applied D ocs QE feedback (BZ #1093286, BZ #1097058).
R evisio n 0.4 - 18
Version for 6.5 GA release.
T u es N o v 19 2013
R evisio n 0.4 - 17
Mo n Sep t 30 2013
T ah lia R ich ard so n
Removed the Hypervisor D eployment Guide from the doc suite list.
Publishing with the updated docs suite list and updated links (changed previously).
R evisio n 0.4 - 16
Version for 6.4 GA release.
Su n Feb 17 2013
Sco t t R ad van
R evisio n 0.4 - 15
Review for 6.4 release.
Sco t t R ad van
R evisio n 0.4 - 14
T u e Jan 22 2013
Add `Further Resources` to Introduction.
Sco t t R ad van
R evisio n 0.4 - 13
Sco t t R ad van
T u e Jan 22 2013
17
Su n O ct 28 2012
Sco t t R ad van
R evisio n 0.4 - 10
Review for 6.4 accuracy.
T u e O ct 16 2012
Sco t t R ad van
R evisio n 0.4 - 9
T h u Sep 27 2012
Correct links to new docs site.
Sco t t R ad van
R evisio n 0.4 - 08
Fri Ju l 20 2012
Ensuring that the document complies with word usage policy.
Lau ra B ailey
R evisio n 0.4 - 07
Publish for 6.3 GA release.
Sco t t R ad van
Su n Ju n 17 2012
R evisio n 0.4 - 06
Fri Ju n 15 2012
Remove draft watermark, prepare for 6.3 branch.
Sco t t R ad van
R evisio n 0.4 - 05
Fri Ju n 08 2012
Static labeling example output re-ordered.
Sco t t R ad van
R evisio n 0.4 - 04
Minor fixes from SME review.
Sco t t R ad van
Fri Ju n 08 2012
R evisio n 0.4 - 03
T u e Ju n 05 2012
Add fixes from QE review (BZ #828032).
Sco t t R ad van
R evisio n 0.4 - 02
Mo n Ju n 04 2012
Sco t t R ad van
Include Further Information chapter, add contributors and links.
R evisio n 0.4 - 01
Mo n Ju n 04 2012
Bump major, performed proof and minor edits.
Sco t t R ad van
R evisio n 0.2- 06
Wed May 30 2012
Sco t t R ad van
Initial work on 'Chapter 5 - Network Security in a Virtualized Environment'.
R evisio n 0.2- 05
T u e May 15 2012
Sco t t R ad van
Add note about root access in guests not being desirable, to Guest_Security.xml
R evisio n 0.2- 04
Mo n May 14 2012
Add warning about SNMP at network border.
Sco t t R ad van
R evisio n 0.2- 03
Sco t t R ad van
18
Mo n May 14 2012
Add `Guest Security' sections. Expand Network Ports to specify Echo Request (ping) and TCP/UD P.
Include additional passthrough mechanisms for public cloud recommendations. Expand Booleans
to specify mounted file systems.
R evisio n 0.2- 02
s/Overview/Introduction
T u e May 08 2012
Sco t t R ad van
R evisio n 0.2- 01
T u e May 08 2012
Sco t t R ad van
Bump major. Added SME content for `Host Security' chapter and performed edits/proof.
R evisio n 0.1- 15
T h u Mar 29 2012
Sco t t R ad van
Import `Red Hat Enterprise Virtualization Network Ports' section to Host_Security.xml.
R evisio n 0.1- 14
T h u Mar 29 2012
Sco t t R ad van
Rename titles for Best Practices sections. Re-wording of Best Practices.
R evisio n 0.1- 13
Wed Mar 28 2012
Build with new version of publishing toolchain.
Sco t t R ad van
R evisio n 0.1- 12
Mo n Mar 20 2012
Sco t t R ad van
Initial publish of new section: `1.2. Why Virtualization Security Matters' for SME review.
R evisio n 0.1- 11
Mo n Mar 20 2012
Sco t t R ad van
Move `Best Host Security Practices for Red Hat Enterprise Linux' to `Host Security' chapter.
R evisio n 0.1- 10
Mo n Mar 20 2012
Major SME-assisted restructure of TOC.
Sco t t R ad van
R evisio n 0.1- 09
Introduction wording.
Mo n Feb 14 2012
Sco t t R ad van
R evisio n 0.1- 08
Mo n Feb 13 2012
New version of publishing tool.
Sco t t R ad van
R evisio n 0.1- 07
T u e Feb 01 2012
Publish for SME review of sVirt chapter.
Sco t t R ad van
R evisio n 0.1- 06
T u e Jan 31 2012
Add draft watermark to denote development/internal status.
Sco t t R ad van
R evisio n 0.1- 05
Mo n Jan 30 2012
Sco t t R ad van
Additions to Introduction. Arrange sVirt labeling sections. Add admonition regarding system
hardening topics that this guide does not cover. Introduce dynamic labeling.
R evisio n 0.1- 04
Mo n Jan 30 2012
Sco t t R ad van
Minor wording updates to sVirt chapter. Restructure and improve flow of Chapter 1: Introduction.
R evisio n 0.1- 03
Fri Jan 20 2012
Sco t t R ad van
Further restructure sVirt chapter. Incorporate initial developer feedback/fixes.
R evisio n 0.1- 02
T u e Jan 17 2012
Sco t t R ad van
19
20
Sco t t R ad van