Appendix E. Securing Red Hat Virtualization

This information is specific to Red Hat Virtualization. It does not cover fundamental security practices related to any of the following:

  • Disabling unnecessary services
  • Authentication
  • Authorization
  • Accounting
  • Penetration testing and hardening of non-RHV services
  • Encryption of sensitive application data

Prerequisites

  • You should be proficient in your organization’s security standards and practices. If possible, consult with your organization’s Security Officer.
  • Consult the Red Hat Enterprise Linux Security hardening guide before deploying RHEL hosts.

E.1. Applying the DISA STIG profile in RHEL-based hosts and the standalone Manager

When installing RHV, you can use the UI installer to select the DISA STIG profile, which is the profile provided by RHEL 8.

Important

The DISA STIG profile is not supported for Red Hat Virtualization Host (RHVH).

Procedure

  1. In the Installation Summary screen, select Security Policy.
  2. In the Security Policy screen, set Apply security policy to On.
  3. Select DISA STIG for Red Hat Enterprise Linux 8.
  4. Click Select profile. This action adds a green checkmark next to the profile and adds packages to the list of Changes that were done or need to be done. Follow the onscreen instructions if they direct you to make any changes.
  5. Click Done.
  6. On the Installation Summary screen, verify that the status of Security Policy is Everything okay.
  7. Reboot the host.

E.1.1. Enabling DISA STIG in a self-hosted engine

You can enable DISA STIG in a self-hosted engine during deployment when using the command line.

Procedure

  1. Start the self-hosted engine deployment script. See Installing Red Hat Virtualization as a self-hosted engine using the command line.
  2. When the deployment script prompts Do you want to apply an OpenSCAP security profile?, enter Yes.
  3. When the deployment script prompts Please provide the security profile you would like to use?, enter stig.

E.2. Applying the PCI-DSS profile in RHV hosts and the standalone Manager

When installing RHVH, you can use the UI installer to select the PCI-DSS profile, which is the profile provided by RHEL 8.

Procedure

  1. In the Installation Summary screen, select Security Policy.
  2. In the Security Policy screen, set Apply security policy to On.
  3. Select PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8.
  4. Click Select profile. This action adds a green checkmark next to the profile and adds packages to the list of Changes that were done or need to be done. Follow the onscreen instructions if they direct you to make any changes.
  5. Click Done.
  6. In the Installation Summary screen, verify that the status of Security Policy is Everything okay.
  7. Reboot the host.

E.2.1. Enabling PCI-DSS in a self-hosted engine

You can enable PCI-DSS in a self-hosted engine during deployment when using the command line.

Procedure

  1. Start the self-hosted engine deployment script. See Installing Red Hat Virtualization as a self-hosted engine using the command line.
  2. When the deployment script prompts Do you want to apply an OpenSCAP security profile?, enter Yes.
  3. When the deployment script prompts Please provide the security profile you would like to use?, enter pci-dss.
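
To check after the reboot which rules of the stig or pci-dss profile a system still fails, you can scan it with OpenSCAP and summarize the output. The script below is an added example, not part of the Red Hat procedure; it assumes the openscap-scanner and scap-security-guide packages are installed and provide the RHEL 8 data stream at the path shown, and its sample scan output is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the Red Hat guide): list the rules that still fail
# on a system installed with the stig or pci-dss profile.
# Assumption: scap-security-guide provides the RHEL 8 data stream at this path.
DS=/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

# Map the short profile name to its XCCDF profile ID.
profile_id() {
  case "$1" in
    stig|pci-dss) printf 'xccdf_org.ssgproject.content_profile_%s\n' "$1" ;;
    *) echo "unsupported profile: $1" >&2; return 2 ;;
  esac
}

# Read "oscap xccdf eval" text output on stdin; print a summary line, then
# the ID of every rule whose result is fail, error or unknown.
summarize() {
  awk '
    $1 == "Rule"   { rule = $2 }
    $1 == "Result" {
      n[$2]++
      if ($2 == "fail" || $2 == "error" || $2 == "unknown") bad = bad rule "\n"
    }
    END {
      printf "pass=%d fail=%d error=%d unknown=%d\n", n["pass"], n["fail"], n["error"], n["unknown"]
      printf "%s", bad
    }'
}

# Scan the local system (run as root) and summarize the result.
scan() {
  local id
  id=$(profile_id "$1") || return 2
  oscap xccdf eval --profile "$id" "$DS" | summarize
}

# Constructed sample of oscap text output, used when no scan is requested.
sample_output() {
  printf 'Title\tInstall AIDE\nRule\txccdf_org.ssgproject.content_rule_package_aide_installed\nResult\tpass\n\n'
  printf 'Title\tDisable SSH Root Login\nRule\txccdf_org.ssgproject.content_rule_sshd_disable_root_login\nResult\tfail\n\n'
  printf 'Title\tSet Boot Loader Password\nRule\txccdf_org.ssgproject.content_rule_grub2_password\nResult\tnotapplicable\n'
}

if [ "${1:-}" = "--scan" ]; then scan "${2:-}"; else sample_output | summarize; fi
```

Run it as root with --scan stig or --scan pci-dss; without arguments it summarizes the constructed sample.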