Solved

Rhel BootLoader, Single-user mode password & Interactive Boot in a Cloud environment

Posted on 2014-10-22
10
384 Views
Last Modified: 2014-11-10
We run cloud service & our vCenter is not accessible to our tenants
and their IT support; so I would say console access is not feasible
unless the tenant/customer IT come to our DC.

If the following 3 hardenings are done our tenant/customer RHEL
Linux VM,  what's the impact to the tenant's sysadmin & IT operation?


a) CIS 1.5.3 Set Boot Loader Password :
    if this password is set, when tenant reboot (shutdown -r)
    their VM each time, will it prompt for the bootloader
    password at console?  If so, is there any way the tenant,
    could still get their VM booted up if they have no access
    to vCenter's console?

b) CIS 1.5.4 Require Authentication for Single-User Mode :
    Does Linux allow ssh access while in single-user mode &
    can this 'single-user mode password' be entered via an
    ssh session (without access to console), assuming certain
    'terminal' service is started up / running while in single
    user mode

c) CIS 1.5.5 Disable Interactive Boot :
    what's the general consensus on this? Disable or enable?
    Our corporate hardening guide does not mention this item.
    So if the tenant wishes to boot up step by step (ie pausing
    at each startup script), they can't do it?

Feel free to add any other impacts that anyone can think of

Lastly, how do people out there grant console access to their
tenants in Cloud environment without security compromise
(I mean without granting vCenter access) : I heard that we can
customize vCenter in a modular way to grant limited access of
vCenter to  each tenants, is this so & any link that describes this?
0
Comment
Question by:sunhux
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
10 Comments
 

Author Comment

by:sunhux
ID: 40396392
I'm also concerned that without console access, when a tenant shut down
their VM, how do they boot it up unless they get us (the Cloud provider's
sysadmin) to do the boot up for them from vCenter.  So how does the
cloud providers out there address this?
0
 
LVL 120

Accepted Solution

by:
Andrew Hancock (VMware vExpert / EE MVE^2) earned 460 total points
ID: 40396519
a. they will need to enter a password at the console.

b. yes, this could be done via SSL certificates.

c. How would they do this? they would need console access.

vCenter Access could be available to access their VMs with correct permissions.
0
 

Author Comment

by:sunhux
ID: 40396799
> b. yes, this could be done via SSL certificates.
Can elaborate how this can be done?  So with SSL cert,
when booting to errorlevel 1, the tenant who has no
console access could still enter the password required
for single-user authentication via an ssh session?
0
ScreenConnect 6.0 Free Trial

Explore all the enhancements in one game-changing release, ScreenConnect 6.0, based on partner feedback. New features include a redesigned UI, app configurations and chat acknowledgement to improve customer engagement!

 
LVL 120
ID: 40396967
Actually it's the exchange of secure certificates, so you can login to SSH by having the machine certificate on your workstation, this make's it securer, because it's not relying on a password, e.g. jeyboard authentication, which is usually required for SSH.
0
 

Author Comment

by:sunhux
ID: 40397390
So using this jeyboard authentication, we can boot the Linux
VM to single-user mode?

One last query:
> vCenter access cud be avail to tenants to access their
> VMs with correct permissions
Do you have any link that give such example settings/configuration/cases?
0
 
LVL 120

Assisted Solution

by:Andrew Hancock (VMware vExpert / EE MVE^2)
Andrew Hancock (VMware vExpert / EE MVE^2) earned 460 total points
ID: 40397771
Single User Mode has be defined as a Boot Parameter, they will need to have Console Access, not SSH.

Which vCenter version are you using?
0
 

Author Comment

by:sunhux
ID: 40401047
I'm on 5.0 Update 1
0
 

Author Comment

by:sunhux
ID: 40401048
So can I say in general, the cloud service providers out there customize
their vCenter such that tenants have access to it?
0
 
LVL 120

Assisted Solution

by:Andrew Hancock (VMware vExpert / EE MVE^2)
Andrew Hancock (VMware vExpert / EE MVE^2) earned 460 total points
ID: 40401190
Most only give access via SSH, and do not give real console access.

Do you only have vCenter?
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 40 total points
ID: 40427163
vcenter is way too expensive and too clumsy to provision service to paying customers.
recently rackspace and amazon rebooted all virtual machines. do you think e.g. dropbox admins booted them entering passwords with fingers bleeding in the afternoon?
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
New Relic 3 55
Powercli List Provision space of all datastores in a cluster 24 85
VMware: Best way to move disks to new datastore? 5 48
VAAI  technology 2 63
In this article we will learn how to backup a VMware farm using Nakivo Backup & Replication. In this tutorial we will install the software on a Windows 2012 R2 Server.
This article outlines why you need to choose a backup solution that protects your entire environment – including your VMware ESXi and Microsoft Hyper-V virtualization hosts – not just your virtual machines.
This video shows you how easy it is to boot from ISO images for virtual machines with the ISO images stored on a local datastore on the ESXi host.
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question