Appendix E. Securing Red Hat Virtualization
This topic includes limited information about how to secure Red Hat Virtualization. This information will increase over time.
This information is specific to Red Hat Virtualization; it does not cover fundamental security practices related to:
- Disabling unnecessary services
- Penetration testing and hardening of non-RHV services
- Encryption of sensitive application data
- You should be proficient in your organization’s security standards and practices. If possible, consult with your organization’s Security Officer.
- Consult the Red Hat Enterprise Linux Security Guide before deploying RHEL-based hypervisors.
E.1. DISA STIG for Red Hat Linux 7
The Defense Information Systems Agency (DISA) distributes Security Technical Implementation Guides (STIGs) for various platforms and operating systems.
While installing Red Hat Virtualization Host (RHVH), the DISA STIG for Red Hat Linux 7 profile is one of the security policies available. Enabling this profile as your security policy during installation removes the need to regenerate SSH keys, SSL certificates, or otherwise re-configure the host later in the deployment process.
The DISA STIG security policy is the only security policy that Red Hat officially tests and certifies.
DISA STIGs are "configuration standards for DOD IA and IA-enabled devices/systems. Since 1998, DISA has played a critical role in enhancing the security posture of DoD’s security systems by providing the Security Technical Implementation Guides (STIGs). The STIGs contain technical guidance to 'lock down' information systems/software that might otherwise be vulnerable to a malicious computer attack."
These STIGs are based on requirements put forth by the National Institute of Standards and Technology (NIST) Special Publication 800-53, a catalog of security controls for all U.S. federal information systems except those related to national security.
To determine where the various profiles overlap, Red Hat refers to the Cloud Security Alliance’s Cloud Controls Matrix (CCM). The CCM specifies a comprehensive set of cloud-specific security controls, and maps each one to the requirements of leading standards, best practices, and regulations.
To help you verify your security policy, Red Hat provides OpenSCAP tools and Security Content Automation Protocol (SCAP) profiles for various Red Hat platforms, including RHEL and RHV.
Red Hat’s OpenSCAP project provides open source tools for administrators and auditors to assess, measure, and enforce SCAP baselines. NIST awarded SCAP 1.2 certification to OpenSCAP in 2014.
NIST maintains the SCAP standard. SCAP-compliant profiles provide detailed low-level guidance on setting the security configuration of operating systems and applications.
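As an added example (not part of the Red Hat documentation), the following Python sketch shows one way to triage the XCCDF results file that an OpenSCAP scan writes when you verify a host against a profile. The sample document, profile ID, and rule IDs are constructed placeholders, and the function name is hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}  # XCCDF 1.2 namespace
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed sample in the shape of an XCCDF results file, as written by
# `oscap xccdf eval --profile <PROFILE_ID> --results results.xml <DATASTREAM>`.
# The profile and rule IDs are placeholders, not IDs from Red Hat's content.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
 <TestResult id="xccdf_com.example_testresult_constructed">
  <profile idref="xccdf_com.example_profile_constructed"/>
  <rule-result idref="xccdf_com.example_rule_a" severity="medium"><result>pass</result></rule-result>
  <rule-result idref="xccdf_com.example_rule_b" severity="medium"><result>fail</result></rule-result>
  <rule-result idref="xccdf_com.example_rule_c" severity="high"><result>fail</result></rule-result>
  <rule-result idref="xccdf_com.example_rule_d" severity="low"><result>notselected</result></rule-result>
  <rule-result idref="xccdf_com.example_rule_e" severity="low"><result>notapplicable</result></rule-result>
 </TestResult>
</Benchmark>"""


def summarize(xml_text):
    """Count rule outcomes and list rules needing attention, worst severity first."""
    root = ET.fromstring(xml_text)
    # TestResult may be the root (bare results file) or nested in a wrapper.
    tr = root if root.tag == "{%s}TestResult" % NS["x"] else root.find(".//x:TestResult", NS)
    if tr is None:
        raise ValueError("no XCCDF 1.2 TestResult element found")
    profile = tr.find("x:profile", NS)
    counts, attention = Counter(), []
    for rr in tr.findall("x:rule-result", NS):
        outcome = (rr.findtext("x:result", default="", namespaces=NS) or "").strip() or "unknown"
        counts[outcome] += 1
        # fail = non-compliant; error/unknown = the check itself did not complete.
        if outcome in ("fail", "error", "unknown"):
            attention.append((rr.get("severity", "unknown"), rr.get("idref")))
    attention.sort(key=lambda item: (SEVERITY_ORDER.get(item[0], 3), item[1]))
    return {
        "profile": profile.get("idref") if profile is not None else None,
        "counts": dict(counts),
        "needs_attention": attention,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE)
    print(report["profile"], report["counts"])
    for severity, rule_id in report["needs_attention"]:
        print(f"{severity:8} {rule_id}")
```

Rules reported as notselected or notapplicable are counted but not flagged, because the profile did not evaluate them on this host.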
Red Hat publishes SCAP baselines for various products and platforms to two locations:
- The NIST National Checklist Program (NCP), the U.S. government repository of publicly available security checklists (or benchmarks).
- The Department of Defense (DoD) Cyber Exchange
E.2. Applying the DISA STIG for Red Hat Linux 7 Profile
This topic shows you how to enable the DISA STIG for Red Hat Linux 7 security profile while installing the Red Hat Virtualization (RHV) Manager ("the Manager"), the RHV Host (RHVH), and the Red Hat Enterprise Linux host (RHEL-H).
Enable DISA STIG for Red Hat Linux 7 for RHVH
The following procedure applies to installing Red Hat Virtualization Host (RHVH) for two different purposes:
- Using RHVH as the host for the Manager virtual machine when you deploy RHV as a Self-Hosted Engine.
- Using RHVH as an ordinary host in an RHV cluster.
If you use the Anaconda installer to install RHVH:
- On the Installation Summary screen, select Security Policy.
- On the Security Policy screen that opens, toggle the Apply security policy setting to On.
- Scroll down the list of profiles and select DISA STIG for Red Hat Linux 7.
- Click the Select profile button. This action adds a green checkmark next to the profile and adds packages to the list of Changes that were done or need to be done.
  Note: These packages are already part of the RHVH image. RHVH ships as a single system image. Installation of packages required by any other selected security profiles which are not part of the RHV-H image may not be possible. Please see the RHV-H package manifest for a list of included packages.
- Click Done.
- On the Installation Summary screen, verify that the status of Security Policy is Everything okay.
- Later, when you log into RHVH, the command line displays the following information.
If you deploy RHV as a Self-Hosted Engine using the command line, during the series of prompts after you enter ovirt-hosted-engine-setup, the command line will ask "Do you want to apply a default OpenSCAP security profile?" Enter Yes and follow the instructions to select the DISA STIG for Red Hat Linux 7 profile.