Chapter 2. Host Security

When deploying virtualization technologies on a Red Hat Enterprise Linux system, the host is responsible for managing and controlling access to the physical devices, storage, and network, as well as to all virtualized guests. If the host system is compromised, the guests and their data become vulnerable as well.
Therefore, securing the Red Hat Enterprise Linux host system is the first step towards ensuring a secure virtualization platform.

2.1. Securing the Host Physical Machine

The following tasks and tips can assist you with securing and ensuring reliability, as well as increasing the performance, of your Red Hat Enterprise Linux host.
  • Ensure that SELinux is configured properly for your installation and is operating in enforcing mode:
    # setenforce 1
    In addition to being a good security practice, the advanced virtualization security functionality provided by sVirt relies on SELinux. See Chapter 4, sVirt for more information on SELinux and sVirt.
  • Remove or disable any unnecessary services such as AutoFS, NFS, FTP, HTTP, NIS, telnetd, or sendmail.
  • Only add the minimum number of user accounts needed for platform management on the server and remove unnecessary user accounts. Limit direct access to the system to only those users who have a need to manage the system. Consider disallowing shared root access and instead use tools such as sudo to grant privileged access to administrators based on their administrative roles.
  • Avoid running any unessential applications on your host. Running applications on the host may impact virtual machine performance and can affect server stability. Any application that may crash the server will also cause all virtual machines on the server to fail. In addition, vulnerable applications can become vectors for an attack on the host.
  • Use a central location for virtual machine installations and images. Virtual machine images should be stored under /var/lib/libvirt/images/. If you are using a different directory for your virtual machine images make sure you add the directory to your SELinux policy and relabel it before starting the installation. Use of shareable, network storage in a central location is highly recommended.
  • Run only the services necessary to support the use and management of your guest systems. If you need to provide additional services, such as file or print services, consider running those services on a Red Hat Enterprise Linux guest.
  • Ensure that auditing is enabled on the host system and that libvirt is configured to generate audit records. When auditing is enabled, libvirt generates audit records for changes to guest configuration and start/stop events, which can help you track the guest's state. In addition, the libvirt audit events can also be viewed using the specialized auvirt utility. For more information, use the man auvirt command.
  • Ensure that any remote management of the system takes place only over secured network channels. Utilities such as SSH and network protocols such as TLS or SSL provide both authentication and data encryption to help ensure that only approved administrators can manage the system remotely.
  • Ensure that the firewall is configured properly for your installation and is activated at boot. Only network ports needed for the use and management of the system should be allowed.
  • Do not grant guests with direct access to entire disks or block devices (for example, /dev/sdb); instead, use partitions (for example, /dev/sdb1) or LVM volumes for guest storage.
  • Attaching a USB device, Physical Function or physical device when SR-IOV is not available to a virtual machine could provide access to the device which is sufficient to overwrite that device's firmware. This presents a potential security issue by which an attacker could overwrite the device's firmware with malicious code and cause problems when moving the device between virtual machines or at host boot time.
    It is advised to use SR-IOV Virtual Function device assignment where applicable.
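Several of the items above can be turned into a repeatable host audit. The script below is an added example, not part of the Red Hat guide or of libvirt: it checks the SELinux mode, the audit_level setting in libvirtd.conf, the label on the image directory, enabled services, and whole-disk assignment in a guest's XML. The systemd unit names it looks for, the assumed shipped default of audit_level = 1, and all sample inputs are constructed for illustration so that it runs offline; the comments name the live command or file that would replace each sample on a real host.

```shell
#!/usr/bin/env bash
# Added example (not Red Hat's code): audit a few host-hardening items from
# the list above. All inputs are constructed samples so it runs offline.

WORK=$(mktemp -d)

# SELinux must be in enforcing mode.  Live input: $(getenforce)
check_selinux() { [ "$1" = "Enforcing" ]; }

# libvirt audit records.  Live input: /etc/libvirt/libvirtd.conf
# audit_level 0 disables libvirt auditing; an absent or commented line keeps
# the shipped default, assumed here to be 1 (audit when auditd is running).
check_libvirt_audit() {
  level=$(sed -n 's/^[[:space:]]*audit_level[[:space:]]*=[[:space:]]*\([0-9]\).*/\1/p' "$1")
  [ "${level:-1}" -ge 1 ]
}

# Image directory must carry the virt_image_t label before installs start.
# Live input: $(ls -dZ /var/lib/libvirt/images) or matchpathcon output
check_image_label() { printf '%s\n' "$1" | grep -q ':virt_image_t:'; }

# None of the unnecessary services should be enabled (unit names assumed).
# Live input: systemctl list-unit-files --state=enabled --no-legend
check_services() {
  ! grep -Eq '^(autofs|nfs-server|vsftpd|httpd|ypserv|telnet|sendmail)' "$1"
}

# Guest storage should be a partition or LV, never a whole block device.
# Live input: virsh dumpxml <guest>
check_whole_disk() {
  ! grep -o "source dev='[^']*'" "$1" | grep -Eq "dev='/dev/(sd|vd|xvd)[a-z]+'$"
}

# Constructed samples: a passing and a failing input for each file-based check.
printf '# audit_level = 1\naudit_logging = 1\n' >"$WORK/libvirtd.good.conf"
printf 'audit_level = 0\n' >"$WORK/libvirtd.bad.conf"
printf 'sshd.service enabled\nlibvirtd.service enabled\n' >"$WORK/units.good"
printf 'sshd.service enabled\nvsftpd.service enabled\n' >"$WORK/units.bad"
printf "<disk type='block'><source dev='/dev/sdb1'/></disk>\n" >"$WORK/guest.good.xml"
printf "<disk type='block'><source dev='/dev/sdb'/></disk>\n" >"$WORK/guest.bad.xml"

# Print one line per check without aborting on the first failure.
report() { if "$@"; then echo "PASS $1"; else echo "FAIL $1"; fi; }
report check_selinux "Enforcing"
report check_libvirt_audit "$WORK/libvirtd.bad.conf"
report check_image_label "system_u:object_r:virt_image_t:s0 /var/lib/libvirt/images"
report check_services "$WORK/units.bad"
report check_whole_disk "$WORK/guest.bad.xml"
```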

Note

For more security tips and instructions for your host system, see the Red Hat Enterprise Linux Security Guide.
© 2024 Red Hat, Inc.