Este contenido no está disponible en el idioma seleccionado.
Virtualization Security Guide
Securing your virtual environment
Abstract
Chapter 1. Introduction
1.1. Virtualized and Non-Virtualized Environments
In a non-virtualized environment, hosts are separated from each other physically and each host has a self-contained environment, consisting of services such as a web server, or a DNS server. These services communicate directly to their own user space, host kernel and physical host, offering their services directly to the network. The following image represents a non-virtualized environment:
Figure 1.1. Non-Virtualized Environment
In a virtualized environment, several operating systems can be housed (as "guests") within a single host kernel and physical host. The following image represents a virtualized environment:
Figure 1.2. Virtualized Environment
1.2. Why Virtualization Security Matters
- The host/hypervisor become prime targets; they are often a single point of failure for guests and data.
- Virtual machines can interfere with each other in undesirable ways. Assuming no access controls were in place to help prevent this, one malicious guest could bypass a vulnerable hypervisor and directly access other resources on the host system, such as the storage of other guests.
- Resources and services can become difficult to track and maintain; with rapid deployment of virtualized systems comes an increased need for management of resources, including sufficient patching, monitoring and maintenance.
- Technical staff may lack knowledge, have gaps in skill sets, and have minimal experience in virtual environments. This is often a gateway to vulnerabilities.
- Resources such as storage can be spread across, and dependent upon, several machines. This can lead to overly complex environments, and poorly-managed and maintained systems.
- Virtualization does not remove any of the traditional security risks present in your environment; the entire solution stack, not just the virtualization layer, must be secured.
1.3. Leveraging SELinux with sVirt
Chapter 2. Host Security
2.1. Why Host Security Matters
- Operating specifications
- Specifies which services are needed on your guest virtual machines
- Specifies the host physical servers as well as what support is required for these services
- Run only necessary services on host physical machines. The fewer processes and services running on the host physical machine, the higher the level of security and performance.
- Enable SELinux on the hypervisor. Read Section 2.1.2, “SELinux and Virtualization” for more information on using SELinux and virtualization.
- Use a firewall to restrict traffic to the host physical machine. You can setup a firewall with default-reject rules that will help secure the host physical machine from attacks. It is also important to limit network-facing services.
- Do not allow normal users to access the host operating system. If the host operating system is privileged, granting access to unprivileged accounts may compromise the level of security.
2.1.1. Security Concerns when Adding Block Devices to a Guest
- The host physical machine should not use filesystem labels to identify file systems in the
fstab
file, theinitrd
file or on the kernel command line. Doing so presents a security risk if guest virtual machines have write access to whole partitions or LVM volumes, because a guest virtual machine could potentially write a filesystem label belonging to the host physical machine, to its own block device storage. Upon reboot of the host physical machine, the host physical machine could then mistakenly use the guest virtual machine's disk as a system disk, which would compromise the host physical machine system.It is preferable to use the UUID of a device to identify it in thefstab
file, theinitrd
file or on the kernel command line. While using UUIDs is still not completely secure on certain file systems, a similar compromise with UUID is significantly less feasible. - Guest virtual machines should not be given write access to whole disks or block devices (for example,
/dev/sdb
). Guest virtual machines with access to whole block devices may be able to modify volume labels, which can be used to compromise the host physical machine system. Use partitions (for example,/dev/sdb1
) or LVM volumes to prevent this problem.If you are using raw access to partitions, for example/dev/sdb1
or raw disks such as/dev/sdb,
you should configure LVM to only scan disks that are safe, using theglobal_filter
setting.
Note
2.1.2. SELinux and Virtualization
Procedure 2.1. Creating and mounting a logical volume on a guest virtual machine with SELinux enabled
- Create a logical volume. This example creates a 5 gigabyte logical volume named NewVolumeName on the volume group named volumegroup. This example also assumes that there is enough disk space. You may have to create additional storage on a network device and give the guest access to it. This information is discussed in more detail in the Red Hat Enterprise Linux Virtualization Administration Guide.
# lvcreate -n
NewVolumeName
-L5G
volumegroup
- Format the
NewVolumeName
logical volume with a file system that supports extended attributes, such as ext3.# mke2fs -j
/dev/volumegroup/NewVolumeName
- Create a new directory for mounting the new logical volume. This directory can be anywhere on your file system. It is advised not to put it in important system directories (
/etc
,/var
,/sys
) or in home directories (/home
or/root
). This example uses a directory called/virtstorage
# mkdir
/virtstorage
- Mount the logical volume.
# mount
/dev/volumegroup/NewVolumeName
/virtstorage
- Set the SELinux type for the folder you just created.
# semanage fcontext -a -t virt_image_t "/virtstorage(/.*)?"
If the targeted policy is used (targeted is the default policy) the command appends a line to the/etc/selinux/targeted/contexts/files/file_contexts.local
file which makes the change persistent. The appended line may resemble this:/virtstorage(/.*)? system_u:object_r:virt_image_t:s0
- Run the command to change the type of the mount point (
/virtstorage
) and all files under it tovirt_image_t
(therestorecon
andsetfiles
commands read the files in/etc/selinux/targeted/contexts/files/
).# restorecon -R -v /virtstorage
Note
touch
command) on the file system.
# touch /virtstorage/newfile
# sudo ls -Z /virtstorage -rw-------. root root system_u:object_r:virt_image_t:s0 newfile
virt_image_t
.
2.1.3. SELinux
policycoreutils-python
package (yum install policycoreutils-python
) before running the command.
# semanage fcontext -a -t virt_image_t -f -b /dev/sda2 # restorecon /dev/sda2
The following table shows the SELinux Booleans which affect KVM when launched by libvirt.
SELinux Boolean | Description |
---|---|
virt_use_comm | Allow virt to use serial/parallel communication ports. |
virt_use_fusefs | Allow virt to read fuse files. |
virt_use_nfs | Allow virt to manage NFS files. |
virt_use_samba | Allow virt to manage CIFS files. |
virt_use_sanlock | Allow sanlock to manage virt lib files. |
virt_use_sysfs | Allow virt to manage device configuration (PCI). |
virt_use_xserver | Allow virtual machine to interact with the xserver. |
virt_use_usb | Allow virt to use USB devices. |
2.1.4. Virtualization Firewall Information
Note
- ICMP requests must be accepted. ICMP packets are used for network testing. You cannot ping guest virtual machines if the ICMP packets are blocked.
- Port 22 should be open for SSH access and the initial installation.
- Ports 80 or 443 (depending on the security settings on the RHEV Manager) are used by the vdsm-reg service to communicate information about the host physical machine.
- Ports 5634 to 6166 are used for guest virtual machine console access with the SPICE protocol.
- Ports 49152 to 49216 are used for migrations with KVM. Migration may use any port in this range depending on the number of concurrent migrations occurring.
- Enabling IP forwarding (
net.ipv4.ip_forward = 1
) is also required for shared bridges and the default bridge. Note that installing libvirt enables this variable so it will be enabled when the virtualization packages are installed unless it was manually disabled.
Note
2.2. Host Security Recommended Practices for Red Hat Enterprise Linux
- Run only the services necessary to support the use and management of your guest systems. If you need to provide additional services, such as file or print services, you should consider running those services on a Red Hat Enterprise Linux guest.
- Limit direct access to the system to only those users who have a need to manage the system. Consider disallowing shared root access and instead use tools such as
sudo
to grant privileged access to administrators based on their administrative roles. - Ensure that SELinux is configured properly for your installation and is operating in enforcing mode. Besides being a good security practice, the advanced virtualization security functionality provided by sVirt relies on SELinux. Refer to Chapter 4, sVirt for more information on SELinux and sVirt.
- Ensure that auditing is enabled on the host system and that libvirt is configured to emit audit records. When auditing is enabled, libvirt will generate audit records for changes to guest configuration as well start/stop events which help you track the guest's state. In addition to the standard audit log inspection tools, the libvirt audit events can also be viewed using the specialized auvirt tool.
- Ensure that any remote management of the system takes place only over secured network channels. Tools such as SSH and network protocols such as TLS or SSL provide both authentication and data encryption to help ensure that only approved administrators can manage the system remotely.
- Ensure that the firewall is configured properly for your installation and is activated at boot. Only those network ports needed for the use and management of the system should be allowed.
- Refrain from granting guests direct access to entire disks or block devices (for example,
/dev/sdb
); instead, use partitions (for example,/dev/sdb1
) or LVM volumes for guest storage. - Ensure that staff have adequate training and knowledge in virtual environments.
Warning
Note
2.2.1. Special Considerations for Public Cloud Operators
- Disallow any direct hardware access from the guest. PCI, USB, FireWire, Thunderbolt, eSATA and other device passthrough mechanisms not only make management difficult, but often rely on the underlying hardware to enforce separation between the guests.
- Isolate the cloud operator's private management network from the customer guest network, and customer networks from one another, so that:
- the guests cannot access the host systems over the network.
- one customer cannot access another customer's guest systems directly via the cloud provider's internal network.
Chapter 3. Guest Security
3.1. Why Guest Security Matters
3.2. Guest Security Recommended Practices
- With all management of the guest likely taking place remotely, ensure that the management of the system takes place only over secured network channels. Tools such as SSH and network protocols such as TLS or SSL provide both authentication and data encryption to ensure that only approved administrators can manage the system remotely.
- Some virtualization technologies use special guest agents or drivers to enable some virtualization specific features. Ensure that these agents and applications are secured using the standard Red Hat Enterprise Linux security features, such as SELinux.
- In virtualized environments there is a greater risk of sensitive data being accessed outside the protection boundaries of the guest system. Protect stored sensitive data using encryption tools such as dm-crypt and GnuPG; although special care needs to be taken to ensure the confidentiality of the encryption keys.
Chapter 4. sVirt
4.1. Introduction
Figure 4.1. Attack path isolated by SELinux
Note
4.2. SELinux and Mandatory Access Control (MAC)
4.3. sVirt Configuration
setsebool boolean_name {on|off}
for a temporary change, or setsebool -P boolean_name {on|off}
to make the change persistent across reboots.
getsebool -a|grep virt
.
SELinux Boolean | Description |
---|---|
staff_use_svirt | Allow staff user to create and transition to sVirt domains. |
unprivuser_use_svirt | Allow unprivileged user to create and transition to sVirt domains. |
virt_sandbox_use_audit | Allow sandbox containers to send audit messages. |
virt_sandbox_use_netlink | Allow sandbox containers to use netlink system calls. |
virt_sandbox_use_sys_admin | Allow sandbox containers to use sys_admin system calls, such as mount. |
virt_transition_userdomain | Allow virtual processes to run as user domains. |
virt_use_comm | Allow virt to use serial/parallel communication ports. |
virt_use_execmem | Allow confined virtual guests to use executable memory and executable stack. |
virt_use_fusefs | Allow virt to read FUSE mounted files. |
virt_use_nfs | Allow virt to manage NFS mounted files. |
virt_use_rawip | Allow virt to interact with rawip sockets. |
virt_use_samba | Allow virt to manage CIFS mounted files. |
virt_use_sanlock | Allow confined virtual guests to interact with the sanlock. |
virt_use_usb | Allow virt to use USB devices. |
virt_use_xserver | Allow virtual machine to interact with the X Window System. |
Note
4.4. sVirt Labeling
4.4.1. Types of sVirt Labels
Type | SELinux Context | Description/Effect |
---|---|---|
Virtual Machine Processes | system_u:system_r:svirt_t:MCS1 | MCS1 is a randomly selected field. Currently approximately 500,000 labels are supported. |
Virtual Machine Image | system_u:object_r:svirt_image_t:MCS1 | Only svirt_t processes with the same MCS1 fields are able to read/write these image files and devices. |
Virtual Machine Shared Read/Write Content | system_u:object_r:svirt_image_t:s0 | All svirt_t processes are allowed to write to the svirt_image_t:s0 files and devices. |
Virtual Machine Shared Shared Read Only content | system_u:object_r:svirt_content_t:s0 | All svirt_t processes are able to read files/devices with this label. |
Virtual Machine Image | system_u:object_r:virt_content_t:s0 | System default label used when an image exits. No svirt_t virtual processes are allowed to read files/devices with this label. |
4.4.2. Dynamic Configuration
# ps -eZ | grep qemu-kvm system_u:system_r:svirt_t:s0:c87,c520 27950 ? 00:00:17 qemu-kvm
qemu-kvm
process has a base label of system_u:system_r:svirt_t:s0
. The libvirt system has generated a unique MCS label of c87,c520
for this process. The base label and the MCS label are combined to form the complete security label for the process. Likewise, libvirt takes the same MCS label and base label to form the image label. This image label is then automatically applied to all host files that the VM is required to access, such as disk images, disk devices, PCI devices, USB devices, and kernel/initrd files. Each process is isolated from other virtual machines with different labels.
c87,c520
in this case) as applied to the guest disk image file in /var/lib/libvirt/images
:
# ls -lZ /var/lib/libvirt/images/* system_u:object_r:svirt_image_t:s0:c87,c520 image1
<seclabel type='dynamic' model='selinux' relabel='yes'> <label>system_u:system_r:svirt_t:s0:c87,c520</label> <imagelabel>system_u:object_r:svirt_image_t:s0:c87,c520</imagelabel> </seclabel>
4.4.3. Dynamic Configuration with Base Labeling
<baselabel>
option can be configured manually in the XML guest configuration, as shown in this example:
<seclabel type='dynamic' model='selinux' relabel='yes'> <baselabel>system_u:system_r:svirt_custom_t:s0</baselabel> <label>system_u:system_r:svirt_custom_t:s0:c87,c520</label> <imagelabel>system_u:object_r:svirt_image_t:s0:c87,c520</imagelabel> </seclabel>
4.4.4. Static Configuration with Dynamic Resource Labeling
<seclabel type='static' model='selinux' relabel='yes'> <label>system_u:system_r:svirt_custom_t:s0:c87,c520</label> </seclabel>
4.4.5. Static Configuration without Resource Labeling
<seclabel type='static' model='selinux' relabel='no'> <label>system_u:system_r:svirt_custom_t:s0:c87,c520</label> </seclabel>
Chapter 5. Network Security in a Virtualized Environment
5.1. Network Security Overview
5.2. Network Security Recommended Practices
- Ensure that remote management of the system takes place only over secured network channels. Tools such as SSH and network protocols such as TLS or SSL provide both authentication and data encryption to assist with secure and controlled access to systems.
- Ensure that guest applications transferring sensitive data do so over secured network channels. If protocols such as TLS or SSL are not available, consider using one like IPsec.
- Configure firewalls and ensure they are activated at boot. Only those network ports needed for the use and management of the system should be allowed. Test and review firewall rules regularly.
5.2.1. Securing Connectivity to Spice
5.2.2. Securing Connectivity to Storage
Note
Appendix A. Further Information
A.1. SELinux and sVirt
- Main SELinux website: http://www.nsa.gov/research/selinux/index.shtml.
- SELinux documentation: http://www.nsa.gov/research/selinux/docs.shtml.
- Main sVirt website: http://selinuxproject.org/page/SVirt.
- Dan Walsh's blog: http://danwalsh.livejournal.com/.
- The unofficial SELinux FAQ: http://www.crypt.gen.nz/selinux/faq.html.
A.2. Virtualization Security
- NIST (National Institute of Standards and Technology) full virtualization security guidelines: http://www.nist.gov/itl/csd/virtual-020111.cfm.
Appendix B. Revision History
Revision History | |||
---|---|---|---|
Revision 0.4-33 | Wed Mar 08 2017 | ||
| |||
Revision 0.4-31 | Mon Dec 20 2016 | ||
| |||
Revision 0.4-30 | Mon May 10 2016 | ||
| |||
Revision 0.4-23 | Tue Mar 01 2016 | ||
| |||
Revision 0.4-22 | Thu Oct 08 2015 | ||
| |||
Revision 0.4-21 | Fri Oct 10 2014 | ||
|