SlideShare a Scribd company logo

Top Secret KVM Deployment Lessons Learned

F
Frank Caviggia

This document discusses security controls for a Red Hat Enterprise Linux virtualization environment hosting Top Secret VMs. It describes the hardware and software system configuration, including the use of KVM virtualization, Identity Management, and Satellite for patching. It also covers security concepts like SELinux and cgroups used to isolate VMs and limit resources. Hardening scripts are used to configure systems according to standards and continuous monitoring is enabled through SCAP and Satellite.

1 of 34
Download to read offline
Defense in Depth 2014 | Frank Caviggia1 Top Secret KVM, Lessons Learned from an ICD 503 Deployment Frank Caviggia July 30, 2014 Defense in Depth 2014
Defense in Depth 2014 | Frank Caviggia2 Overview System Configuration - Hardware - Software Security Controls - Security Concepts - Government Standards - Hardening Scripts (STIG FIX, SSG) - DISA STIG Kickstart DVD SELinux Concepts - What is SELinux? - DAC and MAC - Polyinstantiation and Multitenancy KVM Security Features - sVirt – SELinux Labels on VMs - Multiple Firewall Levels - cgroups – Control Groups (Limiters) More Information
Defense in Depth 2014 | Frank Caviggia3 System Configuration
Defense in Depth 2014 | Frank Caviggia4 “Commodity Hardware” Rack Servers - Dell R200s (IdM) - Dell R710s (RHN) Blade Server - HP C7000 with ProCurve 6120 Switch - 4x HP BL460C G7 Servers - HP D2200sb Storage Blade System Configuration: Hardware
Defense in Depth 2014 | Frank Caviggia5 Red Hat Software - Red Hat Enterprise Linux 6.5 Server x86_64 - Authentication (IdM) [389-DS(LDAP)/Kerberos] - Red Hat supported version of FreeIPA - Kernel Virtual Machine (KVM) - Red Hat Enterprise Virtualization (RHEV) 3.3 - RHEV-M (Management Console for KVM Hypervisors) - Red Hat Network (RHN) Satellite 5.6 System Configuration: Software
Defense in Depth 2014 | Frank Caviggia6 Kernel Cryptographic API "2.0" #1901 Certified, Level 1 Disk Volume Cryptographic API "2.0" #1933 Certified, Level 1 libgcrypt "2.0" #1757 Certified, Level 1 OpenSSH Client "2.0" #1791 Certified, Level 1 OpenSSH Server "2.0" #1792 Certified, Level 1 OpenSSL "2.0" #1758 Certified, Level 1 Openswan "2.0" #1859 Certified, Level 1 NSS (Freebl) 3.12.9.1 #1710 Certified, Level 1 NSS 3.12.9.1 #1837 Certified, Level 1 Red Hat Enterprise Linux 6 EAL4+ OSPP, including Labeled Security, Advanced Audit, Advanced Management, and Virtualization Extended Modules Dell HP IBM SGI (report, target) Red Hat Enterprise Linux 6: - RHEL is Common Criteria Evaluated (Certified EAL 4+) - FIPS 140-2 (Level 1 – Certified, Level 2 – In Evaluation) - Linux Unified Key Setup (LUKS) Encryption (Data at Rest) – 8 Keys - SSH uses AES256 (Counter mode) Encryption (Data in Motion) - Web portals (Apache HTTPD) will require PKI authentication to view login page System Configuration: RHEL, RHEV, KVM
Defense in Depth 2014 | Frank Caviggia7 KVM SPECvirt 2010 Results – KVM vs VMware Kernel Virtual Machine (KVM): - Type 1 Hypervisor (Bare-Metal) – runs as Kernel Module - Utilizes native virtualization in Intel (VT-i,VT-d) and AMD hardware - RHEL/KVM is Common Criteria Evaluated (Certified EAL 4+) - Inherits Security (SELinux, Auditing) and Performance - VM Limits (Leading Performance – SPECvirt) - 160 CPUs - 4TB RAM* * As of RHEL 6.5/ RHEV 3.4 and newer System Configuration: RHEL, RHEV, KVM (continued)
Defense in Depth 2014 | Frank Caviggia8 Red Hat Enterprise Virtualization Manager (RHEV-M): - Web-based portal access to Virtual Machines (VMs) - Role Based Access Control (RBAC) to VMs - SPICE protocol (plug-ins for IE or Firefox) or Standalone Client - Support for up to 4 independent monitors per VM - Akin to vCenter in VMware System Configuration: RHEL, RHEV, KVM (continued)
Defense in Depth 2014 | Frank Caviggia9 Red Hat Enterprise Linux Lifecycle: - 10 years of support (up to 13 years with just security fixes) - Common Vulnerabilities and Exposures (CVE) are fixed through Red Hat Security Advisory (RHSA) process: - Ensures IAVAs are patched - Ensures system stability and support (backporting) - There are no licenses, only subscriptions (stable budgeting) - Upgrades are included with subscription Support Lifecycle of Red Hat Enterprise Linux 6 System Configuration: RHEL, RHEV, KVM (continued)
Defense in Depth 2014 | Frank Caviggia10 RHN Satellite: SCAP Compliance Reporting Red Hat Network Satellite 5.6 - IAVA patching and validation (patch management) - File provisioning to connected hosts (configuration management) - SCAP compliance scans (continuous monitoring) more on this later… System Configuration: RHN Satellite
Defense in Depth 2014 | Frank Caviggia11 Security Controls
Defense in Depth 2014 | Frank Caviggia12 Security is like an onion – the more layers you peel the more you cry… Goal: Create a secure virtualization environment using a standard set of packaged scripts, configurations, and policies to be deployed across systems. Controls are implemented through the following mechanisms: - Hardening Scripts, Kickstart Installation - Discretionary Access Controls (DAC) - SELinux Policies - Mandatory Access Controls (MAC) - Network Controls (TCP_WRAPPERS, iptables, ebtables) - Process and Memory Controls (cgroups) - Administrative Controls (physical, policies, etc.) - Continuous Monitoring (SCAP, RHN Satellite) Security Overview
Defense in Depth 2014 | Frank Caviggia13 There are multiple government standards and regulations – some of which overlap: Cross Domain Controls NSA SNAC DISA STIGS Common Criteria EAL 4+ System Security Controls CAPP 1 RBACPP 2 LSPP 3 1 Controlled Access Protection Profile (CAPP) 2 Role-Based Access Control Protection Profile (RBACPP) 3 Labeled Security Protection Profile (LSPP) NIST 800-53 (USGCB) FIPS 140-2 Security Overview: Government Regulation…
Defense in Depth 2014 | Frank Caviggia14 Hardening will be applied by shell scripts, configurations, and policies based upon several government standards and open-source projects to standardize configuration: Apply Security Best Practices to Base Operating System 1 SCAP Security Guide - https://fedorahosted.org/scap-security-guide/ 2 USGB Content -http://usgcb.nist.gov/usgcb/rhel/download_rhel5.html 3 Aqueduct Project - https://fedorahosted.org/aqueduct/ SCAP Security Guide1 - RHEL 6 SCAP, Security Configuration NIST 800-53 - United States Government Configuration Baseline (USGCB)2 DISA Unix STIGs - Aqueduct Project3 - Tresys’ Certifiable Linux Integration Platform (CLIP)4 NSA Security Configuration Guide5 - USB blocking, configurations, and other lockdowns (Gnome) 4 Tresys CLIP Project - http://oss.tresys.com/projects/clip 5 NSA SNAC Guide - http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml#linux2 Hardening Scripts
Defense in Depth 2014 | Frank Caviggia15 The hardening shell script serves several purposes in hardening the system: - Distributes ‘baseline’ system configurations and policies for authentication, auditing, accounts, and services - Modular code in folders and separate scripts allows for adaptation to meet changing system and security needs of customer code - Verifies application of hardening with logging, hardening can be re-applied in case of modification of baseline, fits in with continuous monitoring apply.sh gen1000.sh gen2000.sh … gen9999.sh gen1000.sh gen2000.sh … gen9999.sh gen1000.sh gen2000.sh … gen9999.sh gen1000.sh gen2000.sh … gen9999.sh CAT I CAT II CAT III CAT IV nist1000.sh nist2000.sh … nist9999.sh NIST 800-53 NSA SNAC nsa1000.sh nsa2000.sh … nsa9999.shHardening Script Function (apply.sh) Hardening Script: Implementation
Defense in Depth 2014 | Frank Caviggia16 Hardening scripts were packaged in RPM for the following reasons: - Integrity verification - Integrated version control and configuration management - Distribute scripts via RHN Satellite Server Check out the open source project here: https://github.com/redhatgov/stig-fix-el6/ # rpm –V stig-fix-1.0.el6 Verify the integrity of an RPM Hardening Script: Packaging
Defense in Depth 2014 | Frank Caviggia17 SCAP is implemented on Red Hat Enterprise Linux by OpenSCAP (oscap) and the SCAP Security Guide (SSG) developed with collaboration with the NSA, NIST, and DISA. RHN Satellite can run SCAP Scans against a defined security baseline to check for configuration compliance on a schedule. This helps to maintain continuous monitoring: # oscap xccdf eval --profile stig-rhel6-server-upstream --results results.xml --report report.html --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictonary.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml OpenSCAP XCCDF System Compliance Check # wget http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml # wget http://www.redhat.com/security/data/metrics/com.redhat.rhsa-all.xccdf.xml # oscap xccdf eval --results results.xml --report report.html com.redhat.rhsa-all.xccdf.xml OpenSCAP XCCDF Patch (CVE) Compliance Check - XCCDF (eXtensible Configuration Checklist Description Format) - Creates checklist for security configuration on a target system - OVAL (Open Vulnerability and Assessment Language) - Standardized security information content - CPE (Common Platform Enumeration) Dictionary - Names and Metadata for security Evaluation - CCE (Common Configuration Enumeration) - Identifies mappings between SCAP security checks and STIG/NIST 800-53 settings SCAP Terms & Definitions Security Configuration Automation Protocol (SCAP)
Defense in Depth 2014 | Frank Caviggia18 The hardening script RPM was combined with a customized Kickstart to produce a standardized installation DVD to help meet security requirements right from installation. Screenshots of DISA STIG Kickstart DVD Security Configuration: DISA STIG Kickstart DVD More Information: https://people.redhat.com/fcaviggi/stig-fix/
Defense in Depth 2014 | Frank Caviggia19 SELinux Concepts
Defense in Depth 2014 | Frank Caviggia20
Defense in Depth 2014 | Frank Caviggia21 SELinux Policy ExampleWatertight Compartments in Ship Design1 1 Picture Source: Wikipedia – Bulkhead (Partition) Security-Enhanced Linux (SELinux) was a research project sponsored by the NSA to provide Mandatory Access Controls (MAC) to the Linux kernel SELinux mainlined into the Linux kernel in August 2003 (2.6.0-test3), it was first enabled for general use in Red Hat Enterprise Linux 4 Kernel enforcement based on “security context” provided by policies rather than standard permissions. Think of it like a chroot jail on steroids or “watertight” compartments in ship design SELinux: Overview
Defense in Depth 2014 | Frank Caviggia22 Traditional Unix Permissions - User, Group, Others (ugo) - Read, Write, Execute (rwx) Access Control Lists (ACLs) - POSIX1 compliant ACLs standard in Linux filesystems (ext3, ext4, XFS, etc.) - Extends DAC controls to specific user(s) and group(s) 1 Portable Operating System Interface EXchange Discretionary Access Controls (DAC) Concepts: Discretionary Access Control (DAC)
Defense in Depth 2014 | Frank Caviggia23 SELinux has 3 defined policy modes - Targeted (Default), Strict, and MLS. Security Context implemented through extended attributes (xattr) in filesystem and enforced by the Linux Kernel according to SELinux Policy Unix concept of “everything is a file” (devices, processes, files, directories, etc.) Thus, everything is labeled with a Security Context SELinux policy defines the “watertight” compartments – the SELinux policy control how users, services, files, and binaries interact Policy is generally developed with software vendor when possible. Otherwise, developing policy can be achieved through testing and evaluation giving “least privilege” to allow completion of a job function Security Context in SELinux Concepts: Mandatory Access Control (MAC)
Defense in Depth 2014 | Frank Caviggia24 Type Enforcement (TE) used by Targeted policy (Default) in SELinux - The Linux Kernel enforces transactions between processes and objects via domain transitions - Further control can be specified using different policy SELinux Domain Transitions Compromised Apache process cannot access /etc/shadow Concepts: Type Enforcement (TE)
Defense in Depth 2014 | Frank Caviggia25 1 IBM Developer Works Article “Improve Security with Polyinstantiation” 2 https://securityblog.redhat.com/2014/04/09/new-red-hat-enterprise-linux-7-security-feature-privatetmp/ Polyinstantiation1 is the process used on MLS systems to ensure data being processed by users at separate security levels do so in isolated spaces to use to prevent unauthorized access to data. Data written to these directories will be stored in an independent directory at the security level that they were written, particularly important for shared temporary directories (/tmp, /var/tmp, /dev/shm/) User will not see the redirection to a secure folder, SELinux handles the transition transparently. See the “Private Tmp” feature in RHEL 72 Multitenancy extends the concept of polyinstantiation with cgroups and Linux Containers (LXC) to ensure that applications are securely separated from each other through Type Enforcement (TE) and MCS (the c0.c1023 attributes of the security level) Multitenancy in OpenShift Concepts: Polyinstantiation and Multitenancy
Defense in Depth 2014 | Frank Caviggia26 Kernel Virtual Machine Security
Defense in Depth 2014 | Frank Caviggia27 Each VM has their own “container” via SELinux Type Enforcement (TE) and Multi-Category Security (MCS) which uses random compartments to keep the VMs separate… KVM Security: sVirt (SELinux for KVM)
Defense in Depth 2014 | Frank Caviggia28 Compromised VM uses hypervisor exploit to compromise other VMs VS. Compromised VM containment with KVM and sVirt (SELinux Labels) KVM Security: sVirt (SELinux for KVM) (continued)
Defense in Depth 2014 | Frank Caviggia29 KVM Security: Multiple Firewall Levels
Defense in Depth 2014 | Frank Caviggia30 The ebtables firewall that enables basic ethernet frame filtering on a Linux network bridge, logging, MAC (network address) NAT, and brouting. The firewalls (iptables and ebtables) will be used to complement each other. What can ebtables do? # ebtables –A FORWARD –i vnet+ –-among-src ! 54:52:00:5b:1a:cd=192.168.0.100 –j DROP Prevent IP-MAC Address Spoofing from VMs # ebtables –A OUTPUT –i vnet+ –p IPv6 –j DROP Drop All Outbound IPv6 Packets • Ethernet protocol filtering • MAC address filtering • Simple IP header filtering • ARP header filtering • 802.1Q VLAN filtering • In/Out interface filtering (logical and physical device). • MAC address NAT • Logging • Frame counters • Ability to add, delete and insert rules; flush chains; zero counters • Brouter facility • Ability to atomically load a complete table, containing the rules you made, into the kernel • Support for user defined chains • Support for marking frames and matching marked frames KVM Security: Multiple Firewall Levels (continued)
Defense in Depth 2014 | Frank Caviggia31 cgroups (control groups) is a Linux kernel feature to limit, account and isolate resource usage (CPU, memory, disk I/O, etc.) of process groups. • Resource limiting: groups can be set to not exceed a set memory limit — this also includes file system cache. • Prioritization: some groups may get a larger share of CPU or disk I/O throughput. • Accounting: to measure how much resources certain systems use (e.g. billing purposes) • Control: freezing groups or checkpointing and restarting. Dynamic Changes in Workload and Priority (e.g. Number Crunching Overnight, Web Servers during Work Hours) KVM Security: Control Groups
Defense in Depth 2014 | Frank Caviggia32 KVM Security: Secured Development Litterbox!
Defense in Depth 2014 | Frank Caviggia33 Questions?
Defense in Depth 2014 | Frank Caviggia34 More Information DISA STIG Kickstart DVD: http://people.redhat.com/fcaviggi/stig-fix/ Hardening Scripts: https://github.com/RedHatGov/stig-fix-el6 SCAP Security Guide: https://fedorahosted.org/scap-security-guide/ VDSM Hooks for RHEVM: http://www.ovirt.org/VDSM-Hooks_Catalogue Classification Banner: https://github.com/RedHatGov/classification-banner

Recommended

Kubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes ClusterKubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes Clustersmalltown
 
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context ConstraintsAlessandro Arrichiello
 
K8s security best practices
K8s security best practicesK8s security best practices
K8s security best practicesSharon Vendrov
 
K8s security best practices
K8s security best practicesK8s security best practices
K8s security best practicesSharon Vendrov
 
Cloud Platform Symantec Meetup Nov 2014
Cloud Platform Symantec Meetup Nov 2014Cloud Platform Symantec Meetup Nov 2014
Cloud Platform Symantec Meetup Nov 2014Miguel Zuniga
 
LlinuxKit security, Security Scanning and Notary
LlinuxKit security, Security Scanning and NotaryLlinuxKit security, Security Scanning and Notary
LlinuxKit security, Security Scanning and NotaryDocker, Inc.
 
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Michael Man
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container SecurityPhil Estes
 

Recommended

Kubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes ClusterKubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes Clustersmalltown
 
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context ConstraintsAlessandro Arrichiello
 
K8s security best practices
K8s security best practicesK8s security best practices
K8s security best practicesSharon Vendrov
 
K8s security best practices
K8s security best practicesK8s security best practices
K8s security best practicesSharon Vendrov
 
Cloud Platform Symantec Meetup Nov 2014
Cloud Platform Symantec Meetup Nov 2014Cloud Platform Symantec Meetup Nov 2014
Cloud Platform Symantec Meetup Nov 2014Miguel Zuniga
 
LlinuxKit security, Security Scanning and Notary
LlinuxKit security, Security Scanning and NotaryLlinuxKit security, Security Scanning and Notary
LlinuxKit security, Security Scanning and NotaryDocker, Inc.
 
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Michael Man
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container SecurityPhil Estes
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformAll Things Open
 
Integrating Linux Systems with Active Directory Using Open Source Tools
Integrating Linux Systems with Active Directory Using Open Source ToolsIntegrating Linux Systems with Active Directory Using Open Source Tools
Integrating Linux Systems with Active Directory Using Open Source ToolsAll Things Open
 
Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxDocker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxMichael Boelen
 
Kubernetes laravel and kubernetes
Kubernetes laravel and kubernetesKubernetes laravel and kubernetes
Kubernetes laravel and kubernetesWilliam Stewart
 
Security on a Container Platform
Security on a Container PlatformSecurity on a Container Platform
Security on a Container PlatformAll Things Open
 
Moby and Kubernetes entitlements
Moby and Kubernetes entitlements Moby and Kubernetes entitlements
Moby and Kubernetes entitlements Docker, Inc.
 
LinuxKit Update at the Moby Summit
LinuxKit Update at the Moby SummitLinuxKit Update at the Moby Summit
LinuxKit Update at the Moby SummitDocker, Inc.
 
Open Stack compute-service-nova
Open Stack compute-service-novaOpen Stack compute-service-nova
Open Stack compute-service-novaGHANSHYAM MANN
 
Managing Stateful Applications in Kubernetes
Managing Stateful Applications in KubernetesManaging Stateful Applications in Kubernetes
Managing Stateful Applications in KubernetesAll Things Open
 
Containers, Clusters and Kubernetes - Brendan Burns - Defrag 2014
Containers, Clusters and Kubernetes - Brendan Burns - Defrag 2014Containers, Clusters and Kubernetes - Brendan Burns - Defrag 2014
Containers, Clusters and Kubernetes - Brendan Burns - Defrag 2014brendandburns
 
How abusing the Docker API led to remote code execution same origin bypass an...
How abusing the Docker API led to remote code execution same origin bypass an...How abusing the Docker API led to remote code execution same origin bypass an...
How abusing the Docker API led to remote code execution same origin bypass an...Aqua Security
 
Troubleshooting Tips from a Docker Support Engineer
Troubleshooting Tips from a Docker Support EngineerTroubleshooting Tips from a Docker Support Engineer
Troubleshooting Tips from a Docker Support EngineerJeff Anderson
 
Effective Data Pipelines with Docker & Jenkins - Brian Donaldson
Effective Data Pipelines with Docker & Jenkins - Brian DonaldsonEffective Data Pipelines with Docker & Jenkins - Brian Donaldson
Effective Data Pipelines with Docker & Jenkins - Brian DonaldsonDocker, Inc.
 
Deeper Dive in Docker Overlay Networks
Deeper Dive in Docker Overlay NetworksDeeper Dive in Docker Overlay Networks
Deeper Dive in Docker Overlay NetworksDocker, Inc.
 
Security model for a remote company
Security model for a remote companySecurity model for a remote company
Security model for a remote companyPierre Mavro
 
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...Docker, Inc.
 
Enabling Production Grade Containerized Applications through Policy Based Inf...
Enabling Production Grade Containerized Applications through Policy Based Inf...Enabling Production Grade Containerized Applications through Policy Based Inf...
Enabling Production Grade Containerized Applications through Policy Based Inf...Docker, Inc.
 
Security best practices for kubernetes deployment
Security best practices for kubernetes deploymentSecurity best practices for kubernetes deployment
Security best practices for kubernetes deploymentMichael Cherny
 
Enabling ceph-mgr to control Ceph services via Kubernetes
Enabling ceph-mgr to control Ceph services via KubernetesEnabling ceph-mgr to control Ceph services via Kubernetes
Enabling ceph-mgr to control Ceph services via Kubernetesmountpoint.io
 
CI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesCI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesSysdig
 
2008-09-09 IBM Interaction Conference, Red Hat Update for System z
2008-09-09 IBM Interaction Conference, Red Hat Update for System z2008-09-09 IBM Interaction Conference, Red Hat Update for System z
2008-09-09 IBM Interaction Conference, Red Hat Update for System zShawn Wells
 
2008-07-30 IBM Teach the Teacher (IBM T3), Red Hat Update for System z
2008-07-30 IBM Teach the Teacher (IBM T3), Red Hat Update for System z2008-07-30 IBM Teach the Teacher (IBM T3), Red Hat Update for System z
2008-07-30 IBM Teach the Teacher (IBM T3), Red Hat Update for System zShawn Wells
 

More Related Content

What's hot

Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformAll Things Open
 
Integrating Linux Systems with Active Directory Using Open Source Tools
Integrating Linux Systems with Active Directory Using Open Source ToolsIntegrating Linux Systems with Active Directory Using Open Source Tools
Integrating Linux Systems with Active Directory Using Open Source ToolsAll Things Open
 
Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxDocker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxMichael Boelen
 
Kubernetes laravel and kubernetes
Kubernetes laravel and kubernetesKubernetes laravel and kubernetes
Kubernetes laravel and kubernetesWilliam Stewart
 
Security on a Container Platform
Security on a Container PlatformSecurity on a Container Platform
Security on a Container PlatformAll Things Open
 
Moby and Kubernetes entitlements
Moby and Kubernetes entitlements Moby and Kubernetes entitlements
Moby and Kubernetes entitlements Docker, Inc.
 
LinuxKit Update at the Moby Summit
LinuxKit Update at the Moby SummitLinuxKit Update at the Moby Summit
LinuxKit Update at the Moby SummitDocker, Inc.
 
Open Stack compute-service-nova
Open Stack compute-service-novaOpen Stack compute-service-nova
Open Stack compute-service-novaGHANSHYAM MANN
 
Managing Stateful Applications in Kubernetes
Managing Stateful Applications in KubernetesManaging Stateful Applications in Kubernetes
Managing Stateful Applications in KubernetesAll Things Open
 
Containers, Clusters and Kubernetes - Brendan Burns - Defrag 2014
Containers, Clusters and Kubernetes - Brendan Burns - Defrag 2014Containers, Clusters and Kubernetes - Brendan Burns - Defrag 2014
Containers, Clusters and Kubernetes - Brendan Burns - Defrag 2014brendandburns
 
How abusing the Docker API led to remote code execution same origin bypass an...
How abusing the Docker API led to remote code execution same origin bypass an...How abusing the Docker API led to remote code execution same origin bypass an...
How abusing the Docker API led to remote code execution same origin bypass an...Aqua Security
 
Troubleshooting Tips from a Docker Support Engineer
Troubleshooting Tips from a Docker Support EngineerTroubleshooting Tips from a Docker Support Engineer
Troubleshooting Tips from a Docker Support EngineerJeff Anderson
 
Effective Data Pipelines with Docker & Jenkins - Brian Donaldson
Effective Data Pipelines with Docker & Jenkins - Brian DonaldsonEffective Data Pipelines with Docker & Jenkins - Brian Donaldson
Effective Data Pipelines with Docker & Jenkins - Brian DonaldsonDocker, Inc.
 
Deeper Dive in Docker Overlay Networks
Deeper Dive in Docker Overlay NetworksDeeper Dive in Docker Overlay Networks
Deeper Dive in Docker Overlay NetworksDocker, Inc.
 
Security model for a remote company
Security model for a remote companySecurity model for a remote company
Security model for a remote companyPierre Mavro
 
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...Docker, Inc.
 
Enabling Production Grade Containerized Applications through Policy Based Inf...
Enabling Production Grade Containerized Applications through Policy Based Inf...Enabling Production Grade Containerized Applications through Policy Based Inf...
Enabling Production Grade Containerized Applications through Policy Based Inf...Docker, Inc.
 
Security best practices for kubernetes deployment
Security best practices for kubernetes deploymentSecurity best practices for kubernetes deployment
Security best practices for kubernetes deploymentMichael Cherny
 
Enabling ceph-mgr to control Ceph services via Kubernetes
Enabling ceph-mgr to control Ceph services via KubernetesEnabling ceph-mgr to control Ceph services via Kubernetes
Enabling ceph-mgr to control Ceph services via Kubernetesmountpoint.io
 
CI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesCI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesSysdig
 

What's hot (20)

Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
 
Integrating Linux Systems with Active Directory Using Open Source Tools
Integrating Linux Systems with Active Directory Using Open Source ToolsIntegrating Linux Systems with Active Directory Using Open Source Tools
Integrating Linux Systems with Active Directory Using Open Source Tools
 
Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxDocker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on Linux
 
Kubernetes laravel and kubernetes
Kubernetes laravel and kubernetesKubernetes laravel and kubernetes
Kubernetes laravel and kubernetes
 
Security on a Container Platform
Security on a Container PlatformSecurity on a Container Platform
Security on a Container Platform
 
Moby and Kubernetes entitlements
Moby and Kubernetes entitlements Moby and Kubernetes entitlements
Moby and Kubernetes entitlements
 
LinuxKit Update at the Moby Summit
LinuxKit Update at the Moby SummitLinuxKit Update at the Moby Summit
LinuxKit Update at the Moby Summit
 
Open Stack compute-service-nova
Open Stack compute-service-novaOpen Stack compute-service-nova
Open Stack compute-service-nova
 
Managing Stateful Applications in Kubernetes
Managing Stateful Applications in KubernetesManaging Stateful Applications in Kubernetes
Managing Stateful Applications in Kubernetes
 
Containers, Clusters and Kubernetes - Brendan Burns - Defrag 2014
Containers, Clusters and Kubernetes - Brendan Burns - Defrag 2014Containers, Clusters and Kubernetes - Brendan Burns - Defrag 2014
Containers, Clusters and Kubernetes - Brendan Burns - Defrag 2014
 
How abusing the Docker API led to remote code execution same origin bypass an...
How abusing the Docker API led to remote code execution same origin bypass an...How abusing the Docker API led to remote code execution same origin bypass an...
How abusing the Docker API led to remote code execution same origin bypass an...
 
Troubleshooting Tips from a Docker Support Engineer
Troubleshooting Tips from a Docker Support EngineerTroubleshooting Tips from a Docker Support Engineer
Troubleshooting Tips from a Docker Support Engineer
 
Effective Data Pipelines with Docker & Jenkins - Brian Donaldson
Effective Data Pipelines with Docker & Jenkins - Brian DonaldsonEffective Data Pipelines with Docker & Jenkins - Brian Donaldson
Effective Data Pipelines with Docker & Jenkins - Brian Donaldson
 
Deeper Dive in Docker Overlay Networks
Deeper Dive in Docker Overlay NetworksDeeper Dive in Docker Overlay Networks
Deeper Dive in Docker Overlay Networks
 
Security model for a remote company
Security model for a remote companySecurity model for a remote company
Security model for a remote company
 
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
 
Enabling Production Grade Containerized Applications through Policy Based Inf...
Enabling Production Grade Containerized Applications through Policy Based Inf...Enabling Production Grade Containerized Applications through Policy Based Inf...
Enabling Production Grade Containerized Applications through Policy Based Inf...
 
Security best practices for kubernetes deployment
Security best practices for kubernetes deploymentSecurity best practices for kubernetes deployment
Security best practices for kubernetes deployment
 
Enabling ceph-mgr to control Ceph services via Kubernetes
Enabling ceph-mgr to control Ceph services via KubernetesEnabling ceph-mgr to control Ceph services via Kubernetes
Enabling ceph-mgr to control Ceph services via Kubernetes
 
CI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesCI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in Kubernetes
 

Similar to Top Secret KVM Deployment Lessons Learned

2008-09-09 IBM Interaction Conference, Red Hat Update for System z
2008-09-09 IBM Interaction Conference, Red Hat Update for System z2008-09-09 IBM Interaction Conference, Red Hat Update for System z
2008-09-09 IBM Interaction Conference, Red Hat Update for System zShawn Wells
 
2008-07-30 IBM Teach the Teacher (IBM T3), Red Hat Update for System z
2008-07-30 IBM Teach the Teacher (IBM T3), Red Hat Update for System z2008-07-30 IBM Teach the Teacher (IBM T3), Red Hat Update for System z
2008-07-30 IBM Teach the Teacher (IBM T3), Red Hat Update for System zShawn Wells
 
2008-01-22 Red Hat (Security) Roadmap Presentation
2008-01-22 Red Hat (Security) Roadmap Presentation2008-01-22 Red Hat (Security) Roadmap Presentation
2008-01-22 Red Hat (Security) Roadmap PresentationShawn Wells
 
SCAP for openSUSE
SCAP for openSUSESCAP for openSUSE
SCAP for openSUSEKazuki Omo
 
OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)Jooho Lee
 
Hardening Linux, introducing Securix GNU/Linux
Hardening Linux, introducing Securix GNU/LinuxHardening Linux, introducing Securix GNU/Linux
Hardening Linux, introducing Securix GNU/LinuxMartin Holovský
 
2010-01-28 NSA Open Source User Group Meeting, Current & Future Linux on Syst...
2010-01-28 NSA Open Source User Group Meeting, Current & Future Linux on Syst...2010-01-28 NSA Open Source User Group Meeting, Current & Future Linux on Syst...
2010-01-28 NSA Open Source User Group Meeting, Current & Future Linux on Syst...Shawn Wells
 
Check Point CCSA NGX R71 Course Overview
Check Point CCSA NGX R71 Course OverviewCheck Point CCSA NGX R71 Course Overview
Check Point CCSA NGX R71 Course Overviewdaisuke_tanabe
 
HNazarianRes_Current_19Feb2015
HNazarianRes_Current_19Feb2015HNazarianRes_Current_19Feb2015
HNazarianRes_Current_19Feb2015Harry Nazarian
 
2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy
2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy
2015-06-25 Red Hat Summit 2015 - Security Compliance Made EasyShawn Wells
 
2016 -11-18 OpenSCAP Workshop Coursebook
2016 -11-18 OpenSCAP Workshop Coursebook2016 -11-18 OpenSCAP Workshop Coursebook
2016 -11-18 OpenSCAP Workshop CoursebookShawn Wells
 
Hardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix LinuxHardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix LinuxSecurity Session
 
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...DevOpsDays Riga
 
2011-11-03 Intelligence Community Cloud Users Group
2011-11-03 Intelligence Community Cloud Users Group2011-11-03 Intelligence Community Cloud Users Group
2011-11-03 Intelligence Community Cloud Users GroupShawn Wells
 
Kirankumar_Satuluri_540633_Linux_and_Unix_Administrator
Kirankumar_Satuluri_540633_Linux_and_Unix_AdministratorKirankumar_Satuluri_540633_Linux_and_Unix_Administrator
Kirankumar_Satuluri_540633_Linux_and_Unix_Administratorskiankumar
 
Jörg Schad - Hybrid Cloud (Kubernetes, Spark, HDFS, …)-as-a-Service - Codemot...
Jörg Schad - Hybrid Cloud (Kubernetes, Spark, HDFS, …)-as-a-Service - Codemot...Jörg Schad - Hybrid Cloud (Kubernetes, Spark, HDFS, …)-as-a-Service - Codemot...
Jörg Schad - Hybrid Cloud (Kubernetes, Spark, HDFS, …)-as-a-Service - Codemot...Codemotion
 
Jörg Schad - Hybrid Cloud (Kubernetes, Spark, HDFS, …)-as-a-Service - Codemot...
Jörg Schad - Hybrid Cloud (Kubernetes, Spark, HDFS, …)-as-a-Service - Codemot...Jörg Schad - Hybrid Cloud (Kubernetes, Spark, HDFS, …)-as-a-Service - Codemot...
Jörg Schad - Hybrid Cloud (Kubernetes, Spark, HDFS, …)-as-a-Service - Codemot...Codemotion
 
Automated Out-of-Band management with Ansible and Redfish
Automated Out-of-Band management with Ansible and RedfishAutomated Out-of-Band management with Ansible and Redfish
Automated Out-of-Band management with Ansible and RedfishJose De La Rosa
 

Similar to Top Secret KVM Deployment Lessons Learned (20)

2008-09-09 IBM Interaction Conference, Red Hat Update for System z
2008-09-09 IBM Interaction Conference, Red Hat Update for System z2008-09-09 IBM Interaction Conference, Red Hat Update for System z
2008-09-09 IBM Interaction Conference, Red Hat Update for System z
 
2008-07-30 IBM Teach the Teacher (IBM T3), Red Hat Update for System z
2008-07-30 IBM Teach the Teacher (IBM T3), Red Hat Update for System z2008-07-30 IBM Teach the Teacher (IBM T3), Red Hat Update for System z
2008-07-30 IBM Teach the Teacher (IBM T3), Red Hat Update for System z
 
Resume
ResumeResume
Resume
 
2008-01-22 Red Hat (Security) Roadmap Presentation
2008-01-22 Red Hat (Security) Roadmap Presentation2008-01-22 Red Hat (Security) Roadmap Presentation
2008-01-22 Red Hat (Security) Roadmap Presentation
 
SCAP for openSUSE
SCAP for openSUSESCAP for openSUSE
SCAP for openSUSE
 
OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)
 
Hardening Linux, introducing Securix GNU/Linux
Hardening Linux, introducing Securix GNU/LinuxHardening Linux, introducing Securix GNU/Linux
Hardening Linux, introducing Securix GNU/Linux
 
2010-01-28 NSA Open Source User Group Meeting, Current & Future Linux on Syst...
2010-01-28 NSA Open Source User Group Meeting, Current & Future Linux on Syst...2010-01-28 NSA Open Source User Group Meeting, Current & Future Linux on Syst...
2010-01-28 NSA Open Source User Group Meeting, Current & Future Linux on Syst...
 
Check Point CCSA NGX R71 Course Overview
Check Point CCSA NGX R71 Course OverviewCheck Point CCSA NGX R71 Course Overview
Check Point CCSA NGX R71 Course Overview
 
Apache Cloudstack QA Strategy
Apache Cloudstack QA StrategyApache Cloudstack QA Strategy
Apache Cloudstack QA Strategy
 
HNazarianRes_Current_19Feb2015
HNazarianRes_Current_19Feb2015HNazarianRes_Current_19Feb2015
HNazarianRes_Current_19Feb2015
 
2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy
2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy
2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy
 
2016 -11-18 OpenSCAP Workshop Coursebook
2016 -11-18 OpenSCAP Workshop Coursebook2016 -11-18 OpenSCAP Workshop Coursebook
2016 -11-18 OpenSCAP Workshop Coursebook
 
Hardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix LinuxHardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix Linux
 
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...
 
2011-11-03 Intelligence Community Cloud Users Group
2011-11-03 Intelligence Community Cloud Users Group2011-11-03 Intelligence Community Cloud Users Group
2011-11-03 Intelligence Community Cloud Users Group
 
Kirankumar_Satuluri_540633_Linux_and_Unix_Administrator
Kirankumar_Satuluri_540633_Linux_and_Unix_AdministratorKirankumar_Satuluri_540633_Linux_and_Unix_Administrator
Kirankumar_Satuluri_540633_Linux_and_Unix_Administrator
 
Jörg Schad - Hybrid Cloud (Kubernetes, Spark, HDFS, …)-as-a-Service - Codemot...
Jörg Schad - Hybrid Cloud (Kubernetes, Spark, HDFS, …)-as-a-Service - Codemot...Jörg Schad - Hybrid Cloud (Kubernetes, Spark, HDFS, …)-as-a-Service - Codemot...
Jörg Schad - Hybrid Cloud (Kubernetes, Spark, HDFS, …)-as-a-Service - Codemot...
 
Jörg Schad - Hybrid Cloud (Kubernetes, Spark, HDFS, …)-as-a-Service - Codemot...
Jörg Schad - Hybrid Cloud (Kubernetes, Spark, HDFS, …)-as-a-Service - Codemot...Jörg Schad - Hybrid Cloud (Kubernetes, Spark, HDFS, …)-as-a-Service - Codemot...
Jörg Schad - Hybrid Cloud (Kubernetes, Spark, HDFS, …)-as-a-Service - Codemot...
 
Automated Out-of-Band management with Ansible and Redfish
Automated Out-of-Band management with Ansible and RedfishAutomated Out-of-Band management with Ansible and Redfish
Automated Out-of-Band management with Ansible and Redfish
 

Top Secret KVM Deployment Lessons Learned

  • 1. Defense in Depth 2014 | Frank Caviggia1 Top Secret KVM, Lessons Learned from an ICD 503 Deployment Frank Caviggia July 30, 2014 Defense in Depth 2014
  • 2. Defense in Depth 2014 | Frank Caviggia2 Overview System Configuration - Hardware - Software Security Controls - Security Concepts - Government Standards - Hardening Scripts (STIG FIX, SSG) - DISA STIG Kickstart DVD SELinux Concepts - What is SELinux? - DAC and MAC - Polyinstantiation and Multitenancy KVM Security Features - sVirt – SELinux Labels on VMs - Multiple Firewall Levels - cgroups – Control Groups (Limiters) More Information
  • 3. Defense in Depth 2014 | Frank Caviggia3 System Configuration
  • 4. Defense in Depth 2014 | Frank Caviggia4 “Commodity Hardware” Rack Servers - Dell R200s (IdM) - Dell R710s (RHN) Blade Server - HP C7000 with ProCurve 6120 Switch - 4x HP BL460C G7 Servers - HP D2200sb Storage Blade System Configuration: Hardware
  • 5. Defense in Depth 2014 | Frank Caviggia5 Red Hat Software - Red Hat Enterprise Linux 6.5 Server x86_64 - Authentication (IdM) [389-DS(LDAP)/Kerberos] - Red Hat supported version of FreeIPA - Kernel Virtual Machine (KVM) - Red Hat Enterprise Virtualization (RHEV) 3.3 - RHEV-M (Management Console for KVM Hypervisors) - Red Hat Network (RHN) Satellite 5.6 System Configuration: Software
  • 6. Defense in Depth 2014 | Frank Caviggia6 Kernel Cryptographic API "2.0" #1901 Certified, Level 1 Disk Volume Cryptographic API "2.0" #1933 Certified, Level 1 libgcrypt "2.0" #1757 Certified, Level 1 OpenSSH Client "2.0" #1791 Certified, Level 1 OpenSSH Server "2.0" #1792 Certified, Level 1 OpenSSL "2.0" #1758 Certified, Level 1 Openswan "2.0" #1859 Certified, Level 1 NSS (Freebl) 3.12.9.1 #1710 Certified, Level 1 NSS 3.12.9.1 #1837 Certified, Level 1 Red Hat Enterprise Linux 6 EAL4+ OSPP, including Labeled Security, Advanced Audit, Advanced Management, and Virtualization Extended Modules Dell HP IBM SGI (report, target) Red Hat Enterprise Linux 6: - RHEL is Common Criteria Evaluated (Certified EAL 4+) - FIPS 140-2 (Level 1 – Certified, Level 2 – In Evaluation) - Linux Unified Key Setup (LUKS) Encryption (Data at Rest) – 8 Keys - SSH uses AES256 (Counter mode) Encryption (Data in Motion) - Web portals (Apache HTTPD) will require PKI authentication to view login page System Configuration: RHEL, RHEV, KVM
  • 7. Defense in Depth 2014 | Frank Caviggia7 KVM SPECvirt 2010 Results – KVM vs VMware Kernel Virtual Machine (KVM): - Type 1 Hypervisor (Bare-Metal) – runs as Kernel Module - Utilizes native virtualization in Intel (VT-i,VT-d) and AMD hardware - RHEL/KVM is Common Criteria Evaluated (Certified EAL 4+) - Inherits Security (SELinux, Auditing) and Performance - VM Limits (Leading Performance – SPECvirt) - 160 CPUs - 4TB RAM* * As of RHEL 6.5/ RHEV 3.4 and newer System Configuration: RHEL, RHEV, KVM (continued)
  • 8. Defense in Depth 2014 | Frank Caviggia8 Red Hat Enterprise Virtualization Manager (RHEV-M): - Web-based portal access to Virtual Machines (VMs) - Role Based Access Control (RBAC) to VMs - SPICE protocol (plug-ins for IE or Firefox) or Standalone Client - Support for up to 4 independent monitors per VM - Akin to vCenter in VMware System Configuration: RHEL, RHEV, KVM (continued)
  • 9. Defense in Depth 2014 | Frank Caviggia9 Red Hat Enterprise Linux Lifecycle: - 10 years of support (up to 13 years with just security fixes) - Common Vulnerabilities and Exposures (CVE) are fixed through Red Hat Security Advisory (RHSA) process: - Ensures IAVAs are patched - Ensures system stability and support (backporting) - There are no licenses, only subscriptions (stable budgeting) - Upgrades are included with subscription Support Lifecycle of Red Hat Enterprise Linux 6 System Configuration: RHEL, RHEV, KVM (continued)
  • 10. Defense in Depth 2014 | Frank Caviggia10 RHN Satellite: SCAP Compliance Reporting Red Hat Network Satellite 5.6 - IAVA patching and validation (patch management) - File provisioning to connected hosts (configuration management) - SCAP compliance scans (continuous monitoring) more on this later… System Configuration: RHN Satellite
  • 11. Defense in Depth 2014 | Frank Caviggia11 Security Controls
  • 12. Defense in Depth 2014 | Frank Caviggia12 Security is like an onion – the more layers you peel the more you cry… Goal: Create a secure virtualization environment using a standard set of packaged scripts, configurations, and policies to be deployed across systems. Controls are implemented through the following mechanisms: - Hardening Scripts, Kickstart Installation - Discretionary Access Controls (DAC) - SELinux Policies - Mandatory Access Controls (MAC) - Network Controls (TCP_WRAPPERS, iptables, ebtables) - Process and Memory Controls (cgroups) - Administrative Controls (physical, policies, etc.) - Continuous Monitoring (SCAP, RHN Satellite) Security Overview
  • 13. Defense in Depth 2014 | Frank Caviggia13 There are multiple government standards and regulations – some of which overlap: Cross Domain Controls NSA SNAC DISA STIGS Common Criteria EAL 4+ System Security Controls CAPP 1 RBACPP 2 LSPP 3 1 Controlled Access Protection Profile (CAPP) 2 Role-Based Access Control Protection Profile (RBACPP) 3 Labeled Security Protection Profile (LSPP) NIST 800-53 (USGCB) FIPS 140-2 Security Overview: Government Regulation…
  • 14. Defense in Depth 2014 | Frank Caviggia14 Hardening will be applied by shell scripts, configurations, and policies based upon several government standards and open-source projects to standardize configuration: Apply Security Best Practices to Base Operating System 1 SCAP Security Guide - https://fedorahosted.org/scap-security-guide/ 2 USGB Content -http://usgcb.nist.gov/usgcb/rhel/download_rhel5.html 3 Aqueduct Project - https://fedorahosted.org/aqueduct/ SCAP Security Guide1 - RHEL 6 SCAP, Security Configuration NIST 800-53 - United States Government Configuration Baseline (USGCB)2 DISA Unix STIGs - Aqueduct Project3 - Tresys’ Certifiable Linux Integration Platform (CLIP)4 NSA Security Configuration Guide5 - USB blocking, configurations, and other lockdowns (Gnome) 4 Tresys CLIP Project - http://oss.tresys.com/projects/clip 5 NSA SNAC Guide - http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml#linux2 Hardening Scripts
  • 15. Defense in Depth 2014 | Frank Caviggia15 The hardening shell script serves several purposes in hardening the system: - Distributes ‘baseline’ system configurations and policies for authentication, auditing, accounts, and services - Modular code in folders and separate scripts allows for adaptation to meet changing system and security needs of customer code - Verifies application of hardening with logging, hardening can be re-applied in case of modification of baseline, fits in with continuous monitoring apply.sh gen1000.sh gen2000.sh … gen9999.sh gen1000.sh gen2000.sh … gen9999.sh gen1000.sh gen2000.sh … gen9999.sh gen1000.sh gen2000.sh … gen9999.sh CAT I CAT II CAT III CAT IV nist1000.sh nist2000.sh … nist9999.sh NIST 800-53 NSA SNAC nsa1000.sh nsa2000.sh … nsa9999.shHardening Script Function (apply.sh) Hardening Script: Implementation
  • 16. Defense in Depth 2014 | Frank Caviggia16 Hardening scripts were packaged in RPM for the following reasons: - Integrity verification - Integrated version control and configuration management - Distribute scripts via RHN Satellite Server Check out the open source project here: https://github.com/redhatgov/stig-fix-el6/ # rpm –V stig-fix-1.0.el6 Verify the integrity of an RPM Hardening Script: Packaging
  • 17. Defense in Depth 2014 | Frank Caviggia17 SCAP is implemented on Red Hat Enterprise Linux by OpenSCAP (oscap) and the SCAP Security Guide (SSG) developed with collaboration with the NSA, NIST, and DISA. RHN Satellite can run SCAP Scans against a defined security baseline to check for configuration compliance on a schedule. This helps to maintain continuous monitoring: # oscap xccdf eval --profile stig-rhel6-server-upstream --results results.xml --report report.html --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictonary.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml OpenSCAP XCCDF System Compliance Check # wget http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml # wget http://www.redhat.com/security/data/metrics/com.redhat.rhsa-all.xccdf.xml # oscap xccdf eval --results results.xml --report report.html com.redhat.rhsa-all.xccdf.xml OpenSCAP XCCDF Patch (CVE) Compliance Check - XCCDF (eXtensible Configuration Checklist Description Format) - Creates checklist for security configuration on a target system - OVAL (Open Vulnerability and Assessment Language) - Standardized security information content - CPE (Common Platform Enumeration) Dictionary - Names and Metadata for security Evaluation - CCE (Common Configuration Enumeration) - Identifies mappings between SCAP security checks and STIG/NIST 800-53 settings SCAP Terms & Definitions Security Configuration Automation Protocol (SCAP)
  • 18. Defense in Depth 2014 | Frank Caviggia18 The hardening script RPM was combined with a customized Kickstart to produce a standardized installation DVD to help meet security requirements right from installation. Screenshots of DISA STIG Kickstart DVD Security Configuration: DISA STIG Kickstart DVD More Information: https://people.redhat.com/fcaviggi/stig-fix/
  • 19. Defense in Depth 2014 | Frank Caviggia19 SELinux Concepts
  • 20. Defense in Depth 2014 | Frank Caviggia20
  • 21. Defense in Depth 2014 | Frank Caviggia21 SELinux Policy ExampleWatertight Compartments in Ship Design1 1 Picture Source: Wikipedia – Bulkhead (Partition) Security-Enhanced Linux (SELinux) was a research project sponsored by the NSA to provide Mandatory Access Controls (MAC) to the Linux kernel SELinux mainlined into the Linux kernel in August 2003 (2.6.0-test3), it was first enabled for general use in Red Hat Enterprise Linux 4 Kernel enforcement based on “security context” provided by policies rather than standard permissions. Think of it like a chroot jail on steroids or “watertight” compartments in ship design SELinux: Overview
  • 22. Defense in Depth 2014 | Frank Caviggia22 Traditional Unix Permissions - User, Group, Others (ugo) - Read, Write, Execute (rwx) Access Control Lists (ACLs) - POSIX1 compliant ACLs standard in Linux filesystems (ext3, ext4, XFS, etc.) - Extends DAC controls to specific user(s) and group(s) 1 Portable Operating System Interface EXchange Discretionary Access Controls (DAC) Concepts: Discretionary Access Control (DAC)
  • 23. Defense in Depth 2014 | Frank Caviggia23 SELinux has 3 defined policy modes - Targeted (Default), Strict, and MLS. Security Context implemented through extended attributes (xattr) in filesystem and enforced by the Linux Kernel according to SELinux Policy Unix concept of “everything is a file” (devices, processes, files, directories, etc.) Thus, everything is labeled with a Security Context SELinux policy defines the “watertight” compartments – the SELinux policy control how users, services, files, and binaries interact Policy is generally developed with software vendor when possible. Otherwise, developing policy can be achieved through testing and evaluation giving “least privilege” to allow completion of a job function Security Context in SELinux Concepts: Mandatory Access Control (MAC)
  • 24. Defense in Depth 2014 | Frank Caviggia24 Type Enforcement (TE) used by Targeted policy (Default) in SELinux - The Linux Kernel enforces transactions between processes and objects via domain transitions - Further control can be specified using different policy SELinux Domain Transitions Compromised Apache process cannot access /etc/shadow Concepts: Type Enforcement (TE)
  • 25. Defense in Depth 2014 | Frank Caviggia25 1 IBM Developer Works Article “Improve Security with Polyinstantiation” 2 https://securityblog.redhat.com/2014/04/09/new-red-hat-enterprise-linux-7-security-feature-privatetmp/ Polyinstantiation1 is the process used on MLS systems to ensure data being processed by users at separate security levels do so in isolated spaces to use to prevent unauthorized access to data. Data written to these directories will be stored in an independent directory at the security level that they were written, particularly important for shared temporary directories (/tmp, /var/tmp, /dev/shm/) User will not see the redirection to a secure folder, SELinux handles the transition transparently. See the “Private Tmp” feature in RHEL 72 Multitenancy extends the concept of polyinstantiation with cgroups and Linux Containers (LXC) to ensure that applications are securely separated from each other through Type Enforcement (TE) and MCS (the c0.c1023 attributes of the security level) Multitenancy in OpenShift Concepts: Polyinstantiation and Multitenancy
  • 26. Defense in Depth 2014 | Frank Caviggia26 Kernel Virtual Machine Security
  • 27. Defense in Depth 2014 | Frank Caviggia27 Each VM has their own “container” via SELinux Type Enforcement (TE) and Multi-Category Security (MCS) which uses random compartments to keep the VMs separate… KVM Security: sVirt (SELinux for KVM)
  • 28. Defense in Depth 2014 | Frank Caviggia28 Compromised VM uses hypervisor exploit to compromise other VMs VS. Compromised VM containment with KVM and sVirt (SELinux Labels) KVM Security: sVirt (SELinux for KVM) (continued)
  • 29. Defense in Depth 2014 | Frank Caviggia29 KVM Security: Multiple Firewall Levels
  • 30. Defense in Depth 2014 | Frank Caviggia30 The ebtables firewall that enables basic ethernet frame filtering on a Linux network bridge, logging, MAC (network address) NAT, and brouting. The firewalls (iptables and ebtables) will be used to complement each other. What can ebtables do? # ebtables –A FORWARD –i vnet+ –-among-src ! 54:52:00:5b:1a:cd=192.168.0.100 –j DROP Prevent IP-MAC Address Spoofing from VMs # ebtables –A OUTPUT –i vnet+ –p IPv6 –j DROP Drop All Outbound IPv6 Packets • Ethernet protocol filtering • MAC address filtering • Simple IP header filtering • ARP header filtering • 802.1Q VLAN filtering • In/Out interface filtering (logical and physical device). • MAC address NAT • Logging • Frame counters • Ability to add, delete and insert rules; flush chains; zero counters • Brouter facility • Ability to atomically load a complete table, containing the rules you made, into the kernel • Support for user defined chains • Support for marking frames and matching marked frames KVM Security: Multiple Firewall Levels (continued)
  • 31. Defense in Depth 2014 | Frank Caviggia31 cgroups (control groups) is a Linux kernel feature to limit, account and isolate resource usage (CPU, memory, disk I/O, etc.) of process groups. • Resource limiting: groups can be set to not exceed a set memory limit — this also includes file system cache. • Prioritization: some groups may get a larger share of CPU or disk I/O throughput. • Accounting: to measure how much resources certain systems use (e.g. billing purposes) • Control: freezing groups or checkpointing and restarting. Dynamic Changes in Workload and Priority (e.g. Number Crunching Overnight, Web Servers during Work Hours) KVM Security: Control Groups
  • 32. Defense in Depth 2014 | Frank Caviggia32 KVM Security: Secured Development Litterbox!
  • 33. Defense in Depth 2014 | Frank Caviggia33 Questions?
  • 34. Defense in Depth 2014 | Frank Caviggia34 More Information DISA STIG Kickstart DVD: http://people.redhat.com/fcaviggi/stig-fix/ Hardening Scripts: https://github.com/RedHatGov/stig-fix-el6 SCAP Security Guide: https://fedorahosted.org/scap-security-guide/ VDSM Hooks for RHEVM: http://www.ovirt.org/VDSM-Hooks_Catalogue Classification Banner: https://github.com/RedHatGov/classification-banner