Solved

Linux VM hardenings : any concern

Posted on 2014-10-20
Medium Priority
150 Views
Last Modified: 2014-11-03
If we perform the following 3 hardenings for our tenant/customer Linux VM,
will it affect any sysadmin operation (say if the password is forgotten, we can't recover
the VM, or we can't help apply patches for the tenant) and break any apps?

CIS 1.5.3 Set Boot Loader Password
No boot loader password set. Can we set a boot loader password, and are there any concerns?

CIS 1.5.4 Require Authentication for Single-User Mode
No single-user mode password set. Can we set password protection when booting to single-user mode, and are there any concerns?

CIS 1.5.5 Disable Interactive Boot
Interactive Boot is enabled. Any concern with disabling interactive boot?
0
Comment
Question by:sunhux
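As an added example (not part of the original thread), a read-only audit script that reports whether the three settings asked about are in place. It assumes a RHEL/CentOS 6 style layout, where CIS 1.5.3 is a `password --md5` line in GRUB legacy's `grub.conf` and 1.5.4/1.5.5 are the `SINGLE=` and `PROMPT=` keys in `/etc/sysconfig/init`; the config paths are parameters, and the sample files it writes are constructed for the demo.

```shell
#!/bin/sh
# Read-only audit of CIS 1.5.3 / 1.5.4 / 1.5.5 on a RHEL/CentOS 6 style layout:
# GRUB legacy /boot/grub/grub.conf and /etc/sysconfig/init (assumed paths; pass your own).
# Added example, not from the thread; the sample files below are constructed.

# 1.5.3: a "password --md5 <hash>" line makes GRUB ask before entries can be edited
check_bootloader_password() {
    grep -Eq '^[[:space:]]*password[[:space:]]+--md5[[:space:]]+[^[:space:]]+' "$1"
}

# 1.5.4: SINGLE=/sbin/sulogin makes runlevel 1 ask for the root password (default is sushell)
check_single_user_auth() {
    grep -Eq '^[[:space:]]*SINGLE=/sbin/sulogin[[:space:]]*$' "$1"
}

# 1.5.5: PROMPT=no removes the "Press I to enter interactive startup" option at boot
check_interactive_boot_disabled() {
    grep -Eq '^[[:space:]]*PROMPT=no[[:space:]]*$' "$1"
}

# audit_vm GRUB_CONF INIT_FILE: one line per item, returns the number of failing items (0-3)
audit_vm() {
    fails=0
    if check_bootloader_password "$1"; then echo "1.5.3 PASS: boot loader password set in $1"
    else echo "1.5.3 FAIL: no boot loader password in $1"; fails=$((fails + 1)); fi
    if check_single_user_auth "$2"; then echo "1.5.4 PASS: single-user mode requires root password"
    else echo "1.5.4 FAIL: SINGLE=/sbin/sulogin not set in $2"; fails=$((fails + 1)); fi
    if check_interactive_boot_disabled "$2"; then echo "1.5.5 PASS: interactive boot disabled"
    else echo "1.5.5 FAIL: PROMPT=no not set in $2 (interactive boot enabled)"; fails=$((fails + 1)); fi
    return "$fails"
}

# make_samples DIR: writes constructed default and hardened config pairs for the demo
make_samples() {
    printf 'default=0\ntimeout=5\ntitle CentOS 6 (constructed sample)\n\troot (hd0,0)\n' > "$1/grub-default.conf"
    # placeholder hash, not a real credential; real hashes come from grub-md5-crypt
    { echo 'password --md5 $1$CONSTRUCTED$placeholder.not.a.real.hash'; cat "$1/grub-default.conf"; } > "$1/grub-hardened.conf"
    printf 'BOOTUP=color\nPROMPT=yes\nSINGLE=/sbin/sushell\n' > "$1/init-default"
    printf 'BOOTUP=color\nPROMPT=no\nSINGLE=/sbin/sulogin\n' > "$1/init-hardened"
}

SAMPLES=$(mktemp -d)
make_samples "$SAMPLES"
audit_vm "$SAMPLES/grub-default.conf" "$SAMPLES/init-default" || echo "default layout: $? item(s) failing"
audit_vm "$SAMPLES/grub-hardened.conf" "$SAMPLES/init-hardened" && echo "hardened layout: all items pass"
```

On a real VM, call `audit_vm /boot/grub/grub.conf /etc/sysconfig/init` instead of the sample paths; GRUB2 hosts (RHEL 7 and later) keep the boot loader password elsewhere and need a different first check.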
12 Comments
 
LVL 62

Expert Comment

by:gheist
ID: 40392818
No, just that it is a pain to run to the office to enter boot passwords mid-Xmas holiday....
0
 

Author Comment

by:sunhux
ID: 40393605
But the tenant can't access our vCenter, so wouldn't that make any
difference if we set the password?

As far as I know, console access via vCenter is restricted to us,
the cloud provider, only.
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 1500 total points
ID: 40393649
Then it makes even less sense... You will get virtual machines that don't boot by themselves, and you need to enter a password on them. (Probably possible if you have 10 VMs, but when it gets to 100 you go crazy halfway...)
0

Author Comment

by:sunhux
ID: 40394431
So we (the cloud provider) have to advise the tenants not to set
passwords, else whenever the VM reboots, someone at our (the
cloud provider's) end needs to be around to enter the console
password(s) at vCenter, right?
0
 

Author Comment

by:sunhux
ID: 40394433
Among the 3, which ones would you recommend not setting a password
for, so as not to cause this inconvenience where, whenever a VM reboots,
it will not boot up by itself unless the password(s) is entered?
0
 

Author Comment

by:sunhux
ID: 40394707
More specifically, I need clarifications on:

a) Set Boot Loader Password:
    if this password is set, when the tenant reboots (shutdown -r)
    their VM each time, will it prompt for the bootloader
    password at the console?  If so, is there any way the tenant
    could still get their VM booted up if they have no access
    to vCenter's console?

b) Require Authentication for Single-User Mode:
    Does Linux allow ssh access while in single-user mode, and
    can this 'single-user mode password' be entered via an
    ssh session (without access to the console), assuming a certain
    'terminal' service is started up / running while in single-user
    mode?

c) Disable Interactive Boot:
    what's the general consensus on this? Disable or enable?
    Our corporate hardening guide does not mention this item.
    So if the tenant wishes to boot up step by step (i.e. pausing
    at each startup script), they can't do it?

Please add on any other operational impact if the above 3 items
are hardened.
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 1500 total points
ID: 40394708
It is meant to protect against physical access. With you entering passwords... there is almost no purpose. If your customer has a formal requirement for something, that should be applied to protecting your infrastructure, and by extension protecting theirs...
0
 

Author Comment

by:sunhux
ID: 40394751
For item (b), is there any possibility of getting the network services
& sshd started at runlevel 1 (i.e. single-user mode)?  Are any other
services needed to be able to ssh into the VM while
in single-user mode and to be able to enter the password
when prompted at runlevel 1?
0
 
LVL 62

Expert Comment

by:gheist
ID: 40395664
b) those services are started AFTER the password is entered...
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 1500 total points
ID: 40395666
PS: the loudest attacks of modern times, like Heartbleed, just dumped Apache's memory space and all raw host keys; protecting the boot loader was irrelevant.
0
 

Author Comment

by:sunhux
ID: 40396387
Can you reply directly / specifically to the earlier 3 questions:

I need clarifications on:

a) Set Boot Loader Password:
    if this password is set, when the tenant reboots (shutdown -r)
    their VM each time, will it prompt for the bootloader
    password at the console?  If so, is there any way the tenant
    could still get their VM booted up if they have no access
    to vCenter's console?

b) Require Authentication for Single-User Mode:
    Does Linux allow ssh access while in single-user mode, and
    can this 'single-user mode password' be entered via an
    ssh session (without access to the console), assuming a certain
    'terminal' service is started up / running while in single-user
    mode?

c) Disable Interactive Boot:
    what's the general consensus on this? Disable or enable?
    Our corporate hardening guide does not mention this item.
    So if the tenant wishes to boot up step by step (i.e. pausing
    at each startup script), they can't do it?

Please add on any other operational impact if the above 3 items
are hardened.
0
 
LVL 62

Accepted Solution

by:gheist
gheist earned 1500 total points
ID: 40396535
None of them is relevant to physically securing a virtual machine.
The outer virtualisation product has to be secured instead.

Assuming an attacker gets to the VM's management interfaces (more or less equivalent to getting to a physical machine), he can bypass the named protections:
a) by booting off his own live CD
b) by modifying inittab
c) once in single-user mode, one can start/stop any single service as they choose
0
