Appendix G. Securing Red Hat Virtualization
This information is specific to Red Hat Virtualization. It does not cover fundamental security practices related to any of the following:
- Disabling unnecessary services
- Penetration testing and hardening of non-RHV services
- Encryption of sensitive application data
- You should be proficient in your organization’s security standards and practices. If possible, consult with your organization’s Security Officer.
- Consult the Red Hat Enterprise Linux Security hardening before deploying RHEL hosts.
G.1. DISA STIG for Red Hat Virtualization 4.4
The Defense Information Systems Agency (DISA) distributes Security Technical Implementation Guides (STIGs) for various platforms and operating systems.
When installing Red Hat Virtualization Host (RHVH), the [DRAFT] DISA STIG for Red Hat Virtualization Host (RHVH) profile is one of the security policies available. Enabling this profile as your security policy during installation removes the need to regenerate SSH keys, SSL certificates, or otherwise re-configure the host later in the deployment process.
When installing a RHEL host, you can use the DISA STIG for Red Hat Enterprise Linux 8 profile. For information on applying a security policy, see Configuring a security policy in Performing a standard RHEL installation.
The DISA STIG security policy is the only security policy that Red Hat officially tests and certifies.
DISA STIGs are "configuration standards for DOD IA and IA-enabled devices/systems. Since 1998, DISA has played a critical role in enhancing the security posture of DoD’s security systems by providing the Security Technical Implementation Guides (STIGs). The STIGs contain technical guidance to 'lock down' information systems/software that might otherwise be vulnerable to a malicious computer attack."
These STIGs are based on requirements put forth by the National Institute of Standards and Technology (NIST) Special Publication 800-53, a catalog of security controls for all U.S. federal information systems except those related to national security.
To determine which various profiles overlap, Red Hat refers to the Cloud Security Alliance’s Cloud Controls Matrix (CCM). This CCM specifies a comprehensive set of cloud-specific security controls, and maps each one to the requirements of leading standards, best practices, and regulations.
To help you verify your security policy, Red Hat provides OpenSCAP tools and Security Content Automation Protocol (SCAP) profiles for various Red Hat platforms, including RHEL and RHV.
Red Hat’s OpenSCAP project provides open source tools for administrators and auditors to assess, measure, and enforce of SCAP baselines. NIST awarded SCAP 1.2 certification to OpenSCAP in 2014.
NIST maintains the SCAP standard. SCAP-compliant profiles provide detailed low-level guidance on setting the security configuration of operating systems and applications.
Red Hat publishes SCAP baselines for various products and platforms to two locations:
- The NIST National Checklist Program (NCP), the U.S. government repository of publicly available security checklists (or benchmarks).
- The Department of Defense (DoD) Cyber Exchange
G.2. Applying the DISA STIG profile in Red Hat Virtualization Host
You can apply the DISA STIG profile on hosts, either Red Hat Virtualization Host (RHVH) or Red Hat Enterprise Linux hosts, either to serve as the host for the Manager virtual machine when you deploy the Manager as a self-hosted engine, or to serve as an ordinary host in a Red Hat Virtualization cluster.
Some security hardening, such as disabling SSH for the root user, renders the host unusable for use as a host for Red Hat Virtualization.
When installing RHVH, you can select the DISA STIG profile with the GUI installer.
- On the Installation Summary screen, select Security Policy.
- On the Security Policy screen that opens, toggle the Apply security policy setting to On.
- Select [DRAFT] DISA STIG for Red Hat Virtualization Host (RHVH).
Click the Changes that were done or need to be done. Follow the onscreen instructions if they direct you to make any changes.button. This action adds a green checkmark next to the profile and adds packages to the list ofNote
These packages are already part of the RHVH image. RHVH ships as a single system image. Installation of packages required by any other selected security profiles which are not part of the RHVH image might not be possible. See the RHVH package manifest for a list of included packages.
- Click Done.
- On the Installation Summary screen, verify that the status of Security Policy is Everything okay.
- Reboot the host.
When you log into RHVH, the command line displays the following information.