CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE
Upcoming SlideShare
Loading in...5
×
 

Like this? Share it with your network

Share

CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE

on

  • 1,382 views

 

Statistics

Views

Total Views
1,382
Views on SlideShare
1,381
Embed Views
1

Actions

Likes
1
Downloads
23
Comments
0

1 Embed 1

https://twitter.com 1

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE Document Transcript

  • 1. CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE FOR ANY IDEAS OR RECLAMATIONS MAIL TO: KERMAKOV@PTSECURITY.RU
  • 2. CONTENTS 1. GENERAL SYSTEM SETTINGS................................................................................................................................................................................................................................ 3 1.1 Services started with Citrix XenServer .............................................................................................................................................................................................................. 3 1.2 Time synchronization configuration................................................................................................................................................................................................................... 4 1.3 Usage of SSHv2 ............................................................................................................................................................................................................................................................ 4 1.4 Usage of AES cryptoalgorithm for SSH ............................................................................................................................................................................................................... 4 1.5 Restrict root login via SSH ...................................................................................................................................................................................................................................... 5 1.6 Limit access to su command................................................................................................................................................................................................................................... 5 1.7 Forbid login to single user mode without password .................................................................................................................................................................................... 6 1.8 extlinux loader password ........................................................................................................................................................................................................................................ 6 1.9 Activate password storing in /etc/shadow file .............................................................................................................................................................................................. 6 1.10 Ensure that there are no users with empty passwords ............................................................................................................................................................................... 7 1.11 Ensure that passwd and shadow and files and system group files do not include «+»................................................................................................................... 7 1.12 Install Citrix XenServer server certificates ....................................................................................................................................................................................................... 7 1.13 Update vulnerable packages .................................................................................................................................................................................................................................. 8 1.14 Store password history ............................................................................................................................................................................................................................................ 9 1.15 Configure unsuccessful login attempts logging and limit additional attempts .................................................................................................................................. 9 1.16 Password policy configuration ........................................................................................................................................................................................................................... 10 2. SYSTEM NETWORK CONFIGURATION ........................................................................................................................................................................................................... 11 2.1 Separate network interfaces by task ............................................................................................................................................................................................................... 11 2.2 Restrict unencrypted connections to XAPI .................................................................................................................................................................................................... 12 2.3 Use encrypted connections in data transferring network ....................................................................................................................................................................... 13 2.4 Configure umask creation for VHD files ......................................................................................................................................................................................................... 13 2.5 Remote NFS storage configuration ................................................................................................................................................................................................................... 14 2.6 Disable promiscuous mode for network cards on virtual machines ................................................................................................................................................... 15 2.7 OS kernel network settings configuration ..................................................................................................................................................................................................... 15 2.8 Firewall configuration ........................................................................................................................................................................................................................................... 15 3. XENSERVER HYPERVISOR SETTINGS ............................................................................................................................................................................................................. 17 3.1 Disable debug mode for xenstored ................................................................................................................................................................................................................... 17 3.2 Configure shared secret for «pool» mode ...................................................................................................................................................................................................... 17 3.3 Disable debug mode for xapi demon ............................................................................................................................................................................................................... 17 3.4 Configure xenstored demon logging ................................................................................................................................................................................................................ 18 3.5 Disable vncterm automatic logon into dom0 as a root ............................................................................................................................................................................. 18 3.6 Disable xsconsole autorun as a root on tty1 ................................................................................................................................................................................................. 18 3.7 Configure PAM in XAPI module ......................................................................................................................................................................................................................... 19 3.8 Disable testing mode in xsconcole .................................................................................................................................................................................................................... 20 3.9 Disable default web page ...................................................................................................................................................................................................................................... 20 4. VIRTUAL MACHINE SETTINGS .......................................................................................................................................................................................................................... 20 4.1 Limit log file size ...................................................................................................................................................................................................................................................... 20 4.2 Disable unused virtual devices........................................................................................................................................................................................................................... 21 4.3 Disable service console redirection.................................................................................................................................................................................................................. 21 CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE Page 2 of 21
  • 3. 1. GENERAL SYSTEM SETTINGS This chapter covers general system settings. The introduced protection methods are the same as used for usual servers based on OS Linux. 1.1 Services started with Citrix XenServer We recommend you to limit services started with the system by default. How to fix: Do the following for all unused services: chkconfig <servicename> off where <servicename> is a service name. The results for a separately installed XenServer 5.6 server may be as follows: chkconfig --list | grep 3:on attach-static-vdis crond fcauthd fe iptables lwsmd management-interface mpp network ntpd perfmon portmap rawdevices set-memory-target snapwatchd squeezed sshd syslog unplug-vcpus v6d vhostmd xapi xapi-domains xe-linux-distribution xen-domain-uuid xenservices CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE Page 3 of 21
  • 4. 1.2 Time synchronization configuration Time synchronization is necessary for correct cooperation of XenServer hosts individually or in pool mode. You can use your own NTP server or default time servers. How to fix: Add the following strings into /etc/ntp.conf file (address rhel.pool.ntp.org is an example): server 0.rhel.pool.ntp.org server 1.rhel.pool.ntp.org server 2.rhel.pool.ntp.org Start NTP server: /etc/init.d/ntpd start chkconfig ntpd on 1.3 Usage of SSHv2 You can use SSH to access Service Console. In this case, disable insecure authentication methods and some other settings from the list below: How to fix: Configure the following settings in /etc/ssh/sshd_config file: Protocol 2 IgnoreRhosts yes RhostsRSAAuthentication no HostbasedAuthentication no PermitEmptyPasswords no Reboot sshd for the modifications to take effect: /etc/init.d/sshd restart 1.4 Usage of AES cryptoalgorithm for SSH We recommend to use AES cryptoalgorithm for SSH traffic. It is more secure than previously used, and opposite to Blowfish and other cryptoalgorithms (supported by OpenSSL library), the great number of client devices support it. How to fix: Set Ciphers option in /etc/ssh/sshd_config configuration file: Ciphers aes256-cbc,aes128-cbc CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE Page 4 of 21
  • 5. Reboot sshd for the modifications to take effect: /etc/init.d/sshd restart 1.5 Restrict root login via SSH We recommend you to restrict root login via SSH for secure purposes. This measure helps to prevent root password brute force attacks, and also make it easier to investigate incidents in case several users are aware of the password. How to fix: Set the following option in /etc/ssh/sshd_config configuration file: PermitRootLogin no Reboot sshd for the modifications to take effect: /etc/init.d/sshd restart 1.6 Limit access to su command su command allows users to execute the shell with the privileges of a specified user, mostly root. We recommend you to grant access to the command only for Citrix XenServer server administrators: include the administrators into wheel group and then enable access limitations that means that only wheel members are able to execute su command. Note. Depending on the company’s security policy, su can be forbidden in the system. In this case, you can execute privileged operations via sudo, and wheel group should not include users. How to fix: Do the following for every user (admin is an example): usermod -G wheel admin Then, enable access to su command for wheel members only. Ensure that /etc/pam.d/su file includes the following string (not in comments): auth required pam_wheel.so use_uid If su is forbidden, ensure that wheel do not include users via contents of files from /etc/passwd folder (primary group) and /etc/group folder (secondary groups). CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE Page 5 of 21
  • 6. 1.7 Forbid login to single user mode without password Citrix XenServer is based on RedHat Linux, therefore it also supports single user mode. You can activate it via loader settings. Default settings allow all users to access console with root privileges. This allows attackers with access to Citrix XenServer local console get root privileges and execute arbitrary commands on the vulnerable server. Therefore, we recommend you to configure password authentication to change to single user mode. How to fix: Add the following entry into /etc/inittab file: ~~:S:wait:/sbin/sulogin Or edit an existed string with “S” in the second field. 1.8 extlinux loader password OS Citrix XenServer loader allows you to configure a great number of OS kernel settings, including a command used to change to single user mode. By default, OS load options are not protected by password that allows attackers with physical access to Xen server local console to set unauthorized OS loading options. To prevent the situation, we recommend you to set password for loader management. Ensure that only super user has access to the service console loader configuration file for reading/writing. How to fix: Execute the following command in Service Console as a root: echo <пароль_загрузчика> | sha1sum chown root:root /boot/extlinux.conf chmod 600 /boot/extlinux.conf Then, add the 40 hash characters into /boot/extlinux.conf file (global sections of loader settings): menu master passwd <password_sha1_hash> 1.9 Activate password storing in /etc/shadow file OS Citrix XenServer does not store password hashes in a separate file (/etc/shadow) according to pam_unix.so module default settings. Therefore, if an account exists in the system, an attacker can access it. We recommend you to reconfigure the system to prevent this situation. How to fix: Edit /etc/pam.d/system-auth file as follows: password sufficient nullok md5 shadow pam_unix.so try_first_pass use_authtok CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE Page 6 of 21
  • 7. Execute the following command: pwconv Reboot the operating system. 1.10 Ensure that there are no users with empty passwords An attacker can use user accounts without passwords to login. Ensure that all user accounts have passwords or blocked via «!!». Here is an example (/etc/shadow): vncterm_base:!!:15278:0:99999:7::: How to fix: Set passwords for all accounts. Use passwd command, or block unused accounts via usermod –L <username> command. 1.11 Ensure that passwd and shadow and files and system group files do not include «+» «+» characters in used in accounts and passwords system configuration files as to insert NIS values. We recommend you to delete such entries to protect the system security. Here is an example of such entry from /etc/shadow file: username:+:15278:0:99999:7::: How to fix: Delete these settings from service files. 1.12 Install Citrix XenServer server certificates We recommend you to install custom .pem SSL certificates to prevent certificate spoofing. How to fix: Do the following to install CA certificate: Link a key media to the system. Execute the following command: xe pool-certificate-install filename=</path/to/ca-cert.pem> where </path/to/ca-cert.pem> is a certificate file path on the external media. Do the following to add a server certificate: Mount the key media. Execute the following commands: CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE Page 7 of 21
  • 8. service xapi stop pkill stunnel cp /etc/xensource/xapi-ssl.pem /etc/xensource/orig-xapi-ssl.pem cp /path/to/new/cert.pem /etc/xensource/xapi-ssl.pem service xapi start Do the following to enable SSL certificate checks: touch /var/xapi/verify_certificates 1.13 Update vulnerable packages It is known that OS Citrix XenServer is based on RedHat Linux 5. Citrix policy states that patch updates are usually issued twice a year. The system package often includes rather old versions. In spite of Citrix notifications that these packages do not include vulnerabilities, we recommend you to check your system for vulnerable packages on your own with third-party software. Here we use MaxPatrol 8 (Positive Technologies). How to fix: Note that you use this method at your own risk, and there is no guarantee that the system would normally operate as you install updates. We hardly recommend you to create a backup copy before updating. You can use this method only in case you can solve problems with xapi and other system components on your own. Detect vulnerable packages by any means, i.e.,with a security scanner or check versions with yum secure plagin. Here is an example hop to detect vulnerable packages and what measures to take. Let us suppose, that you’ve detected that the following packages are vulnerable: <package_1> <package_2> <package_3> Then, you should activate yum repository to update the packages.Edit strings enabled= in /etc/yum.repos.d/CentOS-Base.repo file: [base] name=CentOS-$releasever - Base mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os #baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/ gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5 exclude=kernel-xen*, *xen* enabled=1 #released updates [updates] name=CentOS-$releasever - Updates mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE Page 8 of 21
  • 9. #baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/ gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5 exclude=kernel-xen*, *xen* enabled=1 While updating, you have to disable Citrix repository in /etc/yum.repos.d/Citrix.repo file: enabled=0 Then, update vulnerable packages via yum tool: yum update <package_1> <package_2> <package_3> 1.14 Store password history You should store several password hashes to prevent passwords to be used again in a short period of time. The recommended value is 10. Note. In case administrator (root) changes a user password, the hash is not stored in password history file. How to fix: Do the following commands: touch /etc/security/opasswd chmod 600 /etc/security/opasswd chown root:root /etc/security/opasswd Then, add the following string into /etc/pam.d/system-auth file password 1.15 required pam_unix.so remember=10 Configure unsuccessful login attempts logging and limit additional attempts We recommend you to use additional logging for unsuccessful login attempts. You should also block an account for a certain period in case of an authentication error. To configure the system use PAM module configuration settings. How to fix: Edit /etc/pam.d/system-auth file. We recommend to enable pam_tally module to make it harder for attackers to conduct brute force attacks. With the settings shown below, it blocks users for 300 seconds if there are three unsuccessful login attempts: auth required pam_env.so CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE Page 9 of 21
  • 10. auth required even_deny_root_account auth sufficient auth required pam_tally.so deny=3 unlock_time=300 pam_unix.so try_first_pass nullok pam_deny.so account required pam_unix.so account required pam_tally.so password required pam_cracklib.so try_first_pass retry=3 password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow password required pam_unix.so remember=10 password required pam_deny.so session session session crond quiet session 1.16 optional pam_keyinit.so revoke required pam_limits.so [success=1 default=ignore] pam_succeed_if.so service in use_uid required pam_unix.so Password policy configuration Users should use passwords of at least 9 characters. We recommend you to limit maximum password age (90 days) to decrease the negative effect in case the system is compromised. We also recommend you to notify users 14 days earlier the day the password is expired. If a user does not change its password in 7 days, you should block the account. How to fix: Execute the following command for every user in the system except administrator: chage -m 7 <имя_пользователя> Edit the following strings in /etc/login.defs file to configure the password policy: PASS_MAX_DAYS=90 PASS_MIN_DAYS=7 PASS_WARN_AGE=14 PASS_MIN_LEN=9 CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE Page 10 of 21
  • 11. 2. SYSTEM NETWORK CONFIGURATION The shown below settings are an abstract example. You should remember your own network architecture and server hardware to use these recommendations. Separate network interfaces by task C3 NI VM 2 NI C- VM VM Xe nS er ve r SM AP I XA PI We recommend you to protect networks for management, data transferring and virtual machines to provide maximum security. In that way, you can prevent system compromising in case an attacker manages to crack one of the networks. Pic. 1 shows this solution. Ci tr ix -1 Management Network NI C 2.1 Storage Network External Network Pic. 1. Logic scheme that shows how to separate hypervisor networks How to fix: It there are several network interfaces, separate them physically and logically. It you unable to separate the networks, we recommend you to separate them on IP level or in any way. Managing interface configuration: Show UUID PIF according to eth0 (NIC0) device and its network UUID: xe pif-list device=eth0 params=uuid,network-uuid CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE Page 11 of 21
  • 12. Modify the network name: xe network-param-set uuid=<network uuid> name-label="Management NW" Data transferring interface configuration: Show UUID PIF according to eth1 (NIC1) device and its network UUID: xe pif-list device=eth1 params=uuid,network-uuid Configure network IP address: # xe pif-reconfigure-ip uuid=<pif uuid>> mode=static IP=<ip> gateway=<gateway> netmask=<netmask> DNS=<DNS> Modify the network name: xe network-param-set uuid=<network uuid> name-label="Storage NW" Virtual machine nterface configuration Show UUID PIF according to eth2 (NIC2) device and its network UUID: xe pif-list device=eth2 params=uuid,network-uuid Configure a guest network in case there is no IP address: xe pif-reconfigure-ip uuid=<uuid> mode=none Modify the network name: xe network-param-set uuid=<network uuid> name-label= "Guest NW 0" Do the operations for eth3, eth4 and so on. 2.2 Restrict unencrypted connections to XAPI By default, XAPI stack listen ports 80 (unencrypted channel) and 443 (SSL tunnel) for connection. If unencrypted data are used, an attacker can compromise administrator’s operations. We recommend you to disable access by port 80 for all clients except XenCenter working station. How to fix: Execute the following command: /etc/init.d/iptables save Edit /etc/sysconfig/iptables file: -A RH-Firewall-1-INPUT –s <xen_center_ip> -p tcp -m state --state NEW m tcp --dport 80 -j ACCEPT CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE Page 12 of 21
  • 13. Execute the following command: /etc/init.d/iptables restart 2.3 Use encrypted connections in data transferring network If you move virtual machines, data is transferring between servers (for example, in XenMotion mode) in plain text. It means that data is transferred unencrypted. In spite the fact that networks are separated, you should protect this traffic. We recommend you to use encryption on IP level, such as VPN. There is no example because of a great variety of possible solutions. Configure encryption for iSCSI password transferring: OpenISCSI software is used to connect to remote iSCSI storage for iSCSI traffic. This software supports CHAP protocol to send passwords. We recommend you to use CHAP authentication for OpenlSCSI connections. How to fix: Set the following setting for the variable in /etc/iscsi/iscsid.conf file. # To enable CHAP authentication set node.session.auth.authmethod # to CHAP. The default is None. node.session.auth.authmethod = CHAP 2.4 Configure umask creation for VHD files By default, Citrix XenServer creates virtual machine files with read privileges for “other”. Therefore, every user has rights to get virtual machine data. We recommend you to limit privileges for these file types. How to fix: You should modify server scripts to modify umask settings. Edit /opt/xensource/sm/FileSR.py file: def create(self, sr_uuid, vdi_uuid, size): os.umask(077) if util.ioretry(lambda: util.pathexists(self.path)): Then, you can need to compile file pyc and pyo. Create /opt/xensource/sm/compile.py file with the following content: #!/usr/bin/python import py_compile py_compile.compile('/opt/xensource/sm/FileSR.py') Then, execute the following commands: CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE Page 13 of 21
  • 14. python /opt/xensource/sm/compile.py python –O /opt/xensource/sm/compile.py and reboot the hypervisor with the following command: shutdown –r now 2.5 Remote NFS storage configuration Every remote NFS storage is a folder with a file in VHD format. VHD is not encrypted, therefore we recommend you strictly limit the list of users that are allowed to mount the folder. How to fix: We recommend you to modify system settings to operate with remote NFS storage. Below we show how to configure NFS storage on Linux remote server. Ensure that single IP address is locked in /etc/exports file: /<vm_share_dir> <xenserver_ip>(rw,root_squash,anonuid=<xen_user_UID>,anongid=<xen_user _GID>,sync) Discover the folder owner: chown <xen_user>:<xen_user_group> <vm_share_dir> Configure mountd, statd, lockd and rquotad demons to operate with static ports (ports 4002-4006 are used as an example) in /etc/sysconfig/nfs file: MOUNTD_PORT=”4002” STATD_PORT=”4003” LOCKD_TCPPORT=”4004” LOCKD_UDPPORT=”4004” RQUOTAD_PORT=”4005” STATD_OUTGOING_PORT=”4006” Add the following strings into INPUT table for /etc/sysconfig/iptables network filter: Iptables Iptables Iptables Iptables Iptables Iptables –A –A –A –A –A –A INPUT INPUT INPUT INPUT INPUT INPUT –s –s –s –s –s –s <xenserver-ip> <xenserver-ip> <xenserver-ip> <xenserver-ip> <xenserver-ip> <xenserver-ip> CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE -p -p -p -p -p -p tcp udp tcp udp tcp udp –dport –dport –dport –dport –dport –dport 111 –j ACCEPT 111 –j ACCEPT 4002:4006 –j ACCEPT 4002:4006 –j ACCEPT 2049 –j ACCEPT 2049 –j ACCEPT Page 14 of 21
  • 15. 2.6 Disable promiscuous mode for network cards on virtual machines If promiscuous mode is enabled for simulated network interface, a virtual machine is able to intercept traffic from other guest systems, and also use other specific features including a possibility to send malformed or malicious requests accidentally or deliberately Therefore, we do not recommend you to enable this mode. How to fix: Execute the following commands in Service Console to disable VIF or promiscuous mode: xe pif-param-set uuid=<PIF UUID> other-config:promiscuous="off" or: xe pif-param-set uuid=<PIF UUID> other-config:promiscuous="false" 2.7 OS kernel network settings configuration The following OS kernel settings are necessary to harden Citrix XenServer network attack tolerance: net.ipv4.tcp_max_syn_backlog = 4096 net.ipv4.tcp_syncookies = 1 net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.rp_filter = 1 net.ipv4.conf.default.accept_source_route = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 net.ipv4.icmp_echo_ignore_broadcasts = 1 How to fix: Add the settings into /etc/sysctl.conf file, reboot the system and execute the following command: sysctl -p 2.8 Firewall configuration Default Citrix XenServer installation includes Netfilter firewall and iptables command line utility used to manage it. We recommend you to configure this software to provide secure network communication. How to fix: Use the following settings for managing network: service iptables start iptables -F iptables -X iptables -P INPUT ACCEPT iptables -P FORWARD ACCEPT iptables -P OUTPUT ACCEPT CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE Page 15 of 21
  • 16. iptables iptables iptables iptables iptables iptables iptables iptables iptables -A -A -A -A -A -A -A -A -A INPUT -i xenbr0 -p tcp --dport 443 -m state --state NEW -j ACCEPT INPUT -i xenbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT INPUT -i xenbr0 -j DROP OUTPUT -o xenbr0 -p tcp --dport 443 -m state --state NEW -j ACCEPT OUTPUT -o xenbr0 -p tcp --dport 7279 -m state --state NEW -j ACCEPT OUTPUT -o xenbr0 -p tcp --dport 27000 -m state --state NEW -j ACCEPT OUTPUT -o xenbr0 -p udp --dport 123 -m state --state NEW -j ACCEPT OUTPUT -o xenbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT OUTPUT -o xenbr0 -j DROP Input chain for data transferring network: iptables -A INPUT -i xenbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A INPUT -i xenbr1 -j DROP Add the following permissions to configure NFS remote connections (as an example): iptables iptables iptables iptables iptables iptables iptables iptables -A -A -A -A -A -A -A -A OUTPUT OUTPUT OUTPUT OUTPUT OUTPUT OUTPUT OUTPUT OUTPUT -o -o -o -o -o -o -o -o xenbr1 xenbr1 xenbr1 xenbr1 xenbr1 xenbr1 xenbr1 xenbr1 -p -p -p -p -p -p -m -j udp --dport 111 -m state --state NEW -j ACCEPT tcp --dport 111 -m state --state NEW -j ACCEPT udp --dport 2049 -m state --state NEW -j ACCEPT tcp --dport 2049 -m state --state NEW -j ACCEP udp --dport 4002:4006 -m state --state NEW -j ACCEPT tcp --dport 4002:4006 -m state --state NEW -j ACCEPT state --state RELATED,ESTABLISHED -j ACCEPT DROP Add your own rules to connect to alternative remote storages. Finalize the configuration: service iptables save chkconfig iptables on CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE Page 16 of 21
  • 17. 3. XENSERVER HYPERVISOR SETTINGS This chapter is about specific configuration and critical file options for internal XAPI demon and its environment. These changes can influence virtual infrastructures, therefore we recommend you to make them on testing systems first on all. 3.1 Disable debug mode for xenstored This is necessary to restrict debug mode for guest systems. How to fix: Delete entries like “allow-debug=true” from /etc/xensource/xenstored.conf file. 3.2 Configure shared secret for «pool» mode This is actual for pool-master systems. It is necessary to harden spoofing of the certificate used for data transferring inside the system. We recommend you to create a certificate based on random-number generator with enough entropy. How to fix: Do the following to create the token: service xapi stop rm /etc/xensource/ptoken (ent=$(cat /proc/sys/kernel/random/entropy_avail); while [[ $ent -lt 2000 ]]; do sleep 15; ent=$(cat /proc/sys/kernel/random/entropy_avail); done) && service xapi start 3.3 Disable debug mode for xapi demon By default, Global Catalog Debug mode is enabled. This setting is insecure, we recommend you to disable this mode to prevent system compromising. How to fix: Replace the following value in /etc/xensource/xapi.conf file: gc-debug = true with false. CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE Page 17 of 21
  • 18. 3.4 Configure xenstored demon logging We recommend you to configure xenstored demon logging for further analysis in case the system is compromised. How to fix: Edit /etc/xensource/xenstored.conf file: # Logs #log = error;general;file:/var/log/xenstored.log log = warn;general;file:/var/log/xenstored.log #log = info;general;file:/var/log/xenstored.log #log = debug;io;file:/var/log/xenstored-io.log 3.5 Disable vncterm automatic logon into dom0 as a root In case there is an XAPI request that is created to connect to hypervisor testing console, automatic logon is done as a root regardless of XAPI user, that triggered the request if local authorization is used without RBAC subsystem using Active Directory (in versions Free, Advanced). We recommend you to disable such login to protect the system. The best solution is to replace automatic logon with default login prompt (redirection to SSH). How to fix: Edit /usr/lib/xen/bin/dom0term.sh file, where <admin_user> is your administrative account (not root) : #! /bin/bash read -s -p "Press <Enter> to login " ignore сlear exec /bin/login –p 3.6 Disable xsconsole autorun as a root on tty1 By default, Xsconsole console started with root privileges is available on the system physical console. We recommend you to modify autoload script to prevent SH code injection and/or session interception via text mode. How to fix: Edit /opt/xensource/libexec/run-boot-xsconsole file. Modify the terminal call string as follows: Initial string: exec /sbin/mingetty --noissue --autologin root -loginprog=/usr/bin/xsconsole $TTY CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE Page 18 of 21
  • 19. Modified string: exec /sbin/mingetty --noissue --autologin nobody -loginprog=/usr/bin/xsconsole $TTY 3.7 Configure PAM in XAPI module By default, every OS Citrix XenServer user (in versions Free, Advanced) is able to connect to XAPI with pool-admin privileges. This is a product feature. It means that every user can execute operations in the system using Xen API, therefore we recommend you to limit users with access to XAPI in PAM module. How to fix: As a root, create /etc/xapi_allow file and add root as a first string to the file. Enumerate all users with access to XAPI with line feed separator. Edit /etc/pam.d/xapi file as follows: #%PAM-1.0 auth required auth required file=/etc/xapi_allow auth sufficient auth required pam_env.so pam_listfile.so item=user sense=allow pam_unix.so try_first_pass nullok pam_deny.so account required pam_unix.so password password nullok md5 password required sufficient pam_cracklib.so try_first_pass retry=3 pam_unix.so try_first_pass use_authtok required pam_deny.so session session session crond quiet session optional pam_keyinit.so revoke required pam_limits.so [success=1 default=ignore] pam_succeed_if.so service in use_uid required pam_unix.so If the changes are made, only users from the xapi_allow list are able to access xapi: root admin user Also, limit access to this file: chmod 600 /etc/xapi_allow CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE Page 19 of 21
  • 20. 3.8 Disable testing mode in xsconcole If you add a file testing.txt to /usr/lib/xsconsole/ folder, Xsconsole starts in testing mode. If host=, password= variables are defined in file testing.txt, xsconsole program authenticates on a remote server. Besides, if xsconsole is used on tty1 local console, an attacker can access the local console with root privileges. How to fix: Ensure that /usr/lib/xsconsole/testing.txt file is not existed. If it exists, delete it. 3.9 Disable default web page By default, a web server is active in the system. It allows users to upload XenCenter files and reports current system version. We recommend you to delete the whole page or correct its content to prevent the system compromising. How to fix: Modify web server index file Citrix-index.html in /opt/xensource/www folder. Replace the following fragment: <html> <title>XenServer 5.6.0</title> <head> </head> <body> <p/>Citrix Systems, Inc. XenServer 5.6.0 <p/><a href="XenCenter.iso">XenCenter CD image</a> <p/><a href="XenCenter.msi">XenCenter installer</a> </body> </html> with <html> </html> 4. VIRTUAL MACHINE SETTINGS 4.1 Limit log file size We recommend you to limit the maximum size of log files for virtual machines to prevent system drive overflow. CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE Page 20 of 21
  • 21. 4.2 Disable unused virtual devices We recommend you to disable connections between any virtual devices and virtual machines to prevent the capture of virtual machine credentials. 4.3 Disable service console redirection We recommend you to restrict the usage of text system consoles in *nix operating systems. You should disable XenAPI VM built-in console service and use native OS services. CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE Page 21 of 21