第 13 章 设​​​​​​​置​​​​​​​ Domain0 的​​​​​​​安​​​​​​​全​​​​​​​性​​​​​​​

When deploying Red Hat Virtualization on your corporate infrastructure, you must ensure that domain0 cannot be compromised. Domain0 is the privileged domain that handles system management. If domain0 is insecure, all other domains in the system are vulnerable. There are several ways to implement security you should know about when integrating Red Hat Virtualization into your systems. Together with other people in your organization,you should create a 'deployment plan' that contains the operating specifications and services that will run on Red Hat Virtualization, and what is needed to support these services. Here are some security issues to consider when putting together a deployment plan:
  • 只​​​​​​​运​​​​​​​行​​​​​​​最​​​​​​​小​​​​​​​数​​​​​​​目​​​​​​​的​​​​​​​必​​​​​​​需​​​​​​​的​​​​​​​服​​​​​​​务​​​​​​​。​​​​​​​不​​​​​​​要​​​​​​​在​​​​​​​ domain0 里​​​​​​​运​​​​​​​行​​​​​​​太​​​​​​​多​​​​​​​的​​​​​​​任​​​​​​​务​​​​​​​和​​​​​​​服​​​​​​​务​​​​​​​。​​​​​​​运​​​​​​​行​​​​​​​的​​​​​​​服​​​​​​​务​​​​​​​越​​​​​​​少​​​​​​​,安​​​​​​​全​​​​​​​性​​​​​​​越​​​​​​​高​​​​​​​。​​​​​​​
  • 启​​​​​​​用​​​​​​​ SeLINUX 帮​​​​​​​助​​​​​​​提​​​​​​​高​​​​​​​ domain0 的​​​​​​​安​​​​​​​全​​​​​​​性​​​​​​​。​​​​​​​
  • 使​​​​​​​用​​​​​​​防​​​​​​​火​​​​​​​墙​​​​​​​来​​​​​​​限​​​​​​​制​​​​​​​到​​​​​​​ domain0 的​​​​​​​通​​​​​​​信​​​​​​​量​​​​​​​。​​​​​​​你​​​​​​​可​​​​​​​以​​​​​​​设​​​​​​​置​​​​​​​采​​​​​​​用​​​​​​​ default-reject 规​​​​​​​则​​​​​​​的​​​​​​​防​​​​​​​火​​​​​​​墙​​​​​​​,这​​​​​​​将​​​​​​​有​​​​​​​助​​​​​​​于​​​​​​​避​​​​​​​免​​​​​​​对​​​​​​​ domain0 的​​​​​​​攻​​​​​​​击​​​​​​​。​​​​​​​限​​​​​​​制​​​​​​​网​​​​​​​络​​​​​​​ facing 服​​​​​​​务​​​​​​​也​​​​​​​是​​​​​​​很​​​​​​​重​​​​​​​要​​​​​​​的​​​​​​​。​​​​​​​
  • 不​​​​​​​要​​​​​​​允​​​​​​​许​​​​​​​普​​​​​​​通​​​​​​​用​​​​​​​户​​​​​​​访​​​​​​​问​​​​​​​ domain0。​​​​​​​如​​​​​​​果​​​​​​​你​​​​​​​允​​​​​​​许​​​​​​​普​​​​​​​通​​​​​​​用​​​​​​​户​​​​​​​访​​​​​​​问​​​​​​​ domain0,这​​​​​​​可​​​​​​​能​​​​​​​会​​​​​​​导​​​​​​​致​​​​​​​ domain0 易​​​​​​​受​​​​​​​攻​​​​​​​击​​​​​​​。​​​​​​​记​​​​​​​住​​​​​​​,domain0 是​​​​​​​专​​​​​​​用​​​​​​​的​​​​​​​,允​​​​​​​许​​​​​​​非​​​​​​​专​​​​​​​用​​​​​​​帐​​​​​​​号​​​​​​​的​​​​​​​访​​​​​​​问​​​​​​​可​​​​​​​能​​​​​​​会​​​​​​​降​​​​​​​低​​​​​​​安​​​​​​​全​​​​​​​级​​​​​​​别​​​​​​​。​​​​​​​

为了尽快向用户提供最新的信息,本文档可能会包括由机器自动从英文原文翻译的内容。如需更多信息,请参阅此说明。