Chapter 13. Configuring Domain0 Security
When deploying Red Hat Virtualization on your corporate infrastructure, you must ensure that domain0 cannot be compromised. Domain0 is the privileged domain that handles system management. If domain0 is insecure, all other domains in the system are vulnerable. There are several ways to implement security that you should know about when integrating Red Hat Virtualization into your systems. Together with other people in your organization, you should create a 'deployment plan' that contains the operating specifications and services that will run on Red Hat Virtualization, and what is needed to support these services. Here are some security issues to consider when putting together a deployment plan:
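- Run only the minimum number of necessary services. Do not run too many jobs and services in domain0. The fewer services that are running, the higher the security.
- Enable SELinux to help secure domain0.
- Use a firewall to restrict traffic to domain0. You can set up a firewall with default-reject rules, which will help protect domain0 against attacks. It is also important to limit network-facing services.
- Do not allow normal users to access domain0. If you allow normal users to access domain0, this may leave domain0 vulnerable. Remember, domain0 is privileged, and granting access to unprivileged accounts may lower the level of security.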
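The four items above can be turned into repeatable checks. The following script is an added example, not part of the original guide or of Red Hat's tooling; the function names, the service allow list, the sample files and the UID threshold of 500 are assumptions made for illustration, and the firewall check assumes the rules sit directly in the INPUT chain.

```shell
#!/bin/sh
# Added example: offline audit of the four deployment-plan items for domain0.
# Each check reads a file (saved command output or a config file).

# 1. Services: print runlevel-3 services from `chkconfig --list` output
#    that are missing from the space-separated allow list.
unexpected_services() {  # $1 = listing, $2 = allow list
    awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        { for (i = 2; i <= NF; i++) if ($i == "3:on" && !($1 in ok)) print $1 }
    ' "$1"
}

# 2. SELinux: succeed only if the config sets SELINUX=enforcing.
selinux_enforcing() {  # $1 = copy of /etc/selinux/config
    grep -Eq '^SELINUX=enforcing[[:space:]]*$' "$1"
}

# 3. Firewall (iptables-save format): succeed if the filter INPUT chain has
#    policy DROP or ends in an unconditional DROP/REJECT rule.
#    Assumption: rules sit directly in INPUT, not in a user-defined chain.
input_default_reject() {  # $1 = iptables-save output
    awk '
        /^\*/ { filter = ($1 == "*filter") }
        filter && /^:INPUT DROP /  { policy = 1 }
        filter && /^-A INPUT /     { last = $0 }
        END { exit !(policy || last ~ /^-A INPUT -j (DROP|REJECT)( |$)/) }
    ' "$1"
}

# 4. Accounts: print users with UID >= uid_min and a login shell.
#    Assumption: uid_min=500; compare with UID_MIN in /etc/login.defs.
login_users() {  # $1 = passwd-format file
    awk -F: -v uid_min=500 '$3 >= uid_min && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Constructed sample inputs (not taken from a real host), written to dir $1.
make_samples() {
    printf '%s\n' 'cups 0:off 1:off 2:on 3:on 4:on 5:on 6:off' \
        'sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off' \
        'xend 0:off 1:off 2:on 3:on 4:on 5:on 6:off' > "$1/services"
    printf '%s\n' 'SELINUX=permissive' 'SELINUXTYPE=targeted' > "$1/selinux"
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -p tcp --dport 22 -j ACCEPT' \
        '-A INPUT -j REJECT --reject-with icmp-host-prohibited' 'COMMIT' > "$1/fw"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'nfsnobody:x:65534:65534::/var/lib/nfs:/sbin/nologin' \
        'alice:x:500:500::/home/alice:/bin/bash' > "$1/passwd"
}
```

To audit a real domain0, save the output of `chkconfig --list` and `iptables-save` to files and pass them, together with `/etc/selinux/config` and `/etc/passwd`, to the matching functions.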