Appendix F. Securing Red Hat Virtualization

This information is specific to Red Hat Virtualization. It does not cover fundamental security practices related to any of the following:

  • Disabling unnecessary services
  • Authentication
  • Authorization
  • Accounting
  • Penetration testing and hardening of non-RHV services
  • Encryption of sensitive application data

Prerequisites

  • You should be proficient in your organization’s security standards and practices. If possible, consult with your organization’s Security Officer.
  • Consult the Red Hat Enterprise Linux Security hardening guide before deploying RHEL hosts.

F.1. Applying the DISA STIG profile in RHEL-based hosts and the standalone Manager

When installing RHV, you can use the UI installer to select the DISA STIG profile, which is the profile provided by RHEL 8.

Important

The DISA STIG profile is not supported for Red Hat Virtualization Host (RHVH).

Procedure

  1. In the Installation Summary screen, select Security Policy.
  2. In the Security Policy screen, set Apply security policy to On.
  3. Select DISA STIG for Red Hat Enterprise Linux 8.
  4. Click Select profile. This action adds a green checkmark next to the profile and adds packages to the list of Changes that were done or need to be done. Follow the onscreen instructions if they direct you to make any changes.
  5. Click Done.
  6. On the Installation Summary screen, verify that the status of Security Policy is Everything okay.
  7. Reboot the host.

F.1.1. Enabling DISA STIG in a self-hosted engine

You can enable DISA STIG in a self-hosted engine during deployment when using the command line.

Procedure

  1. Start the self-hosted engine deployment script. See Installing Red Hat Virtualization as a self-hosted engine using the command line.
  2. When the deployment script prompts Do you want to apply an OpenSCAP security profile?, enter Yes.
  3. When the deployment script prompts Please provide the security profile you would like to use?, enter stig.

F.2. Applying the PCI-DSS profile in RHV hosts and the standalone Manager

When installing RHVH, you can use the UI installer to select the PCI-DSS profile, which is the profile provided by RHEL 8.

Procedure

  1. In the Installation Summary screen, select Security Policy.
  2. In the Security Policy screen, set Apply security policy to On.
  3. Select PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8.
  4. Click Select profile. This action adds a green checkmark next to the profile and adds packages to the list of Changes that were done or need to be done. Follow the onscreen instructions if they direct you to make any changes.
  5. Click Done.
  6. In the Installation Summary screen, verify that the status of Security Policy is Everything okay.
  7. Reboot the host.

F.2.1. Enabling PCI-DSS in a self-hosted engine

You can enable PCI-DSS in a self-hosted engine during deployment when using the command line.

Procedure

  1. Start the self-hosted engine deployment script. See Installing Red Hat Virtualization as a self-hosted engine using the command line.
  2. When the deployment script prompts Do you want to apply an OpenSCAP security profile?, enter Yes.
  3. When the deployment script prompts Please provide the security profile you would like to use?, enter pci-dss.
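
To confirm after installation that a host still meets the profile selected in F.1 or F.2, you can re-evaluate it with the OpenSCAP scanner. The following script is an added example, not part of the Red Hat procedure: it assumes the openscap-scanner and scap-security-guide packages are installed and that the RHEL 8 data stream is at the path shown, and the sample scanner output in it is constructed.

```shell
#!/bin/sh
# Added example: re-check a host against the profile selected at install time.
# Assumed data stream path (from the scap-security-guide package on RHEL 8).
DS=/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

# Constructed sample of `oscap xccdf eval` output, used only to show the parser.
SAMPLE='Title   Disable SSH Root Login
Rule    xccdf_org.ssgproject.content_rule_sshd_disable_root_login
Result  fail

Title   Enable auditd Service
Rule    xccdf_org.ssgproject.content_rule_service_auditd_enabled
Result  pass'

# Map the short name entered at the deployment prompt to the XCCDF profile ID.
profile_id() {
  case "$1" in
    stig|pci-dss) printf 'xccdf_org.ssgproject.content_profile_%s\n' "$1" ;;
    *) echo "profile not covered here: $1" >&2; return 1 ;;
  esac
}

# Read scanner output on stdin and print the ID of every rule that failed.
failed_rules() {
  awk '$1 == "Rule" { rule = $2 }
       $1 == "Result" && $2 == "fail" { print rule }'
}

# Scan the local host. oscap exits 0 if all rules pass, 2 if any rule fails,
# and 1 on a scanner error; the same code is returned to the caller.
check_host() {
  id=$(profile_id "$1") || return 1
  command -v oscap >/dev/null 2>&1 || { echo "oscap not found" >&2; return 1; }
  out=$(oscap xccdf eval --profile "$id" "$DS")
  rc=$?
  if [ "$rc" -eq 2 ]; then
    printf '%s\n' "$out" | failed_rules
  fi
  return "$rc"
}

# Run a scan only when a profile name is given, for example: sh check.sh stig
if [ "$#" -gt 0 ]; then
  check_host "$1"
fi
```

Run the script as root so that the scanner can read every file the profile checks.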