sunhux
asked on
RHEL BootLoader, Single-user mode password & Interactive Boot in a Cloud environment
We run a cloud service & our vCenter is not accessible to our tenants and their IT support, so I would say console access is not feasible unless the tenant/customer IT come to our DC.

If the following 3 hardenings are done on our tenant/customer RHEL Linux VMs, what's the impact on the tenant's sysadmin & IT operation?

a) CIS 1.5.3 Set Boot Loader Password:
If this password is set, when the tenant reboots (shutdown -r) their VM, will it prompt for the bootloader password at the console each time? If so, is there any way the tenant could still get their VM booted up if they have no access to vCenter's console?

b) CIS 1.5.4 Require Authentication for Single-User Mode:
Does Linux allow ssh access while in single-user mode, & can this 'single-user mode password' be entered via an ssh session (without access to the console), assuming a certain 'terminal' service is started up / running while in single-user mode?

c) CIS 1.5.5 Disable Interactive Boot:
What's the general consensus on this? Disable or enable? Our corporate hardening guide does not mention this item. So if the tenant wishes to boot up step by step (i.e. pausing at each startup script), they can't do it?

Feel free to add any other impacts that anyone can think of.

Lastly, how do people out there grant console access to their tenants in a cloud environment without security compromise (I mean without granting vCenter access)? I heard that we can customize vCenter in a modular way to grant limited access to vCenter to each tenant; is this so, & is there any link that describes this?
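The three items the question lists are the CIS RHEL 6 benchmark checks on legacy GRUB (`/boot/grub/grub.conf`) and `/etc/sysconfig/init`. The audit script below is an added example, not part of the original thread and not a CIS tool; it assumes the RHEL 6 file layout, and the sample configuration files it builds are constructed here (the `--md5` value is a placeholder, not real `grub-md5-crypt` output). It reports each item as PASS, FAIL or MISSING so a provider or a tenant can see what state a VM is in before a reboot that might reach the boot loader or `sulogin` prompt.

```shell
#!/bin/sh
# Added example (not from the original thread): audit the three CIS RHEL 6
# boot items from the question, using the files the benchmark itself audits.
# Each check takes an optional path so it can be run against constructed
# sample files; with no argument it reads the live system file.

# 1.5.3 Set Boot Loader Password: legacy GRUB config must carry a
# "password --md5 <hash>" (or --encrypted) line. 0 = set, 1 = not set,
# 2 = file not readable.
check_bootloader_password() {
    grubconf="${1:-/boot/grub/grub.conf}"
    [ -r "$grubconf" ] || return 2
    grep -Eq '^[[:space:]]*password[[:space:]]+--(md5|encrypted)[[:space:]]+[^[:space:]]' "$grubconf"
}

# 1.5.4 Require Authentication for Single-User Mode: /etc/sysconfig/init
# must set SINGLE=/sbin/sulogin so runlevel 1 asks for the root password
# (the stock value /sbin/sushell drops straight to a root shell).
check_single_user_auth() {
    initconf="${1:-/etc/sysconfig/init}"
    [ -r "$initconf" ] || return 2
    grep -Eq '^[[:space:]]*SINGLE=/sbin/sulogin[[:space:]]*$' "$initconf"
}

# 1.5.5 Disable Interactive Boot: PROMPT=no in the same file, so nobody at
# the console can step through (and skip) startup scripts.
check_interactive_boot_disabled() {
    initconf="${1:-/etc/sysconfig/init}"
    [ -r "$initconf" ] || return 2
    grep -Eq '^[[:space:]]*PROMPT=no[[:space:]]*$' "$initconf"
}

# Run one check, print a one-line verdict, pass its status through.
run_check() {
    label="$1"; shift
    "$@" && rc=0 || rc=$?
    case "$rc" in
        0) echo "PASS    $label" ;;
        2) echo "MISSING $label (config file not readable)" ;;
        *) echo "FAIL    $label" ;;
    esac
    return "$rc"
}

# Audit a grub.conf / sysconfig-init pair; returns the number of items
# that are not in the hardened state.
audit_boot_hardening() {
    failures=0
    run_check "1.5.3 boot loader password" check_bootloader_password "$1" || failures=$((failures + 1))
    run_check "1.5.4 single-user mode authentication" check_single_user_auth "$2" || failures=$((failures + 1))
    run_check "1.5.5 interactive boot disabled" check_interactive_boot_disabled "$2" || failures=$((failures + 1))
    return "$failures"
}

# Constructed sample configs (not copied from any real host) so the script
# demonstrates both outcomes offline. Prints the directory it created.
make_samples() {
    dir="${1:-${TMPDIR:-/tmp}/cis-boot-demo.$$}"
    mkdir -p "$dir/hardened" "$dir/default"
    # Hardened pair; the hash is a placeholder standing in for grub-md5-crypt output.
    cat > "$dir/hardened/grub.conf" <<'EOF'
default=0
timeout=5
password --md5 $1$PLACEHOLDER$notarealhashxxxxxxxxxxxx
title Red Hat Enterprise Linux (2.6.32)
        root (hd0,0)
        kernel /vmlinuz ro root=/dev/mapper/vg_root
EOF
    printf 'BOOTUP=color\nPROMPT=no\nSINGLE=/sbin/sulogin\n' > "$dir/hardened/init"
    # Default pair: stock RHEL 6 values, no boot loader password.
    printf 'default=0\ntimeout=5\ntitle Red Hat Enterprise Linux\n' > "$dir/default/grub.conf"
    printf 'BOOTUP=color\nPROMPT=yes\nSINGLE=/sbin/sushell\n' > "$dir/default/init"
    echo "$dir"
}

# Demo against the constructed samples; the exit status is kept at 0 so the
# script can be sourced or piped without aborting a caller.
demo_dir=$(make_samples)
for profile in hardened default; do
    echo "== constructed $profile profile =="
    audit_boot_hardening "$demo_dir/$profile/grub.conf" "$demo_dir/$profile/init" \
        || echo "   $? item(s) need remediation"
done
rm -rf "$demo_dir"
```

Run `audit_boot_hardening` with no arguments as root on a real RHEL 6 VM to audit the live files. Two facts about what these settings actually prompt for, relevant to the question above: the legacy GRUB `password` line only protects interactive editing of the menu at the console, so an ordinary `shutdown -r` that boots the default entry does not ask for it; and `SINGLE=/sbin/sulogin` makes runlevel 1 ask for the root password on the console, where runlevel 1 starts no network services such as `sshd`, so that prompt is not reachable over an SSH session.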
ASKER
> b. yes, this could be done via SSL certificates.
Can you elaborate on how this can be done? So with an SSL cert, when booting to errorlevel 1, the tenant who has no console access could still enter the password required for single-user authentication via an ssh session?
Actually it's the exchange of secure certificates, so you can log in to SSH by having the machine certificate on your workstation; this makes it more secure, because it's not relying on a password, e.g. keyboard authentication, which is usually required for SSH.
ASKER
So using this keyboard authentication, we can boot the Linux VM to single-user mode?

One last query:
> vCenter access could be available to tenants to access their
> VMs with correct permissions
Do you have any link that gives such example settings/configuration/cases?
ASKER
I'm on 5.0 Update 1
ASKER
So can I say that, in general, the cloud service providers out there customize their vCenter such that tenants have access to it?
ASKER
their VM, how do they boot it up unless they get us (the Cloud provider's sysadmin) to do the boot-up for them from vCenter? So how do the cloud providers out there address this?