This document provides guidelines for hardening the security of Citrix XenServer virtualization platforms. It outlines configuration settings for general system security like restricting root access, enabling encryption, and updating packages. It also includes recommendations for network, hypervisor, and virtual machine settings such as separating interfaces by task, restricting unencrypted connections, disabling promiscuous mode, and more. Implementing the settings in this guide helps reduce the attack surface and prevent unauthorized access to XenServer systems and VMs.
CONTENTS
1. GENERAL SYSTEM SETTINGS ... 3
1.1 Services started with Citrix XenServer ... 3
1.2 Time synchronization configuration ... 4
1.3 Usage of SSHv2 ... 4
1.4 Usage of AES cryptoalgorithm for SSH ... 4
1.5 Restrict root login via SSH ... 5
1.6 Limit access to su command ... 5
1.7 Forbid login to single user mode without password ... 6
1.8 extlinux loader password ... 6
1.9 Activate password storing in /etc/shadow file ... 6
1.10 Ensure that there are no users with empty passwords ... 7
1.11 Ensure that passwd, shadow and system group files do not include «+» ... 7
1.12 Install Citrix XenServer server certificates ... 7
1.13 Update vulnerable packages ... 8
1.14 Store password history ... 9
1.15 Configure unsuccessful login attempts logging and limit additional attempts ... 9
1.16 Password policy configuration ... 10
2. SYSTEM NETWORK CONFIGURATION ... 11
2.1 Separate network interfaces by task ... 11
2.2 Restrict unencrypted connections to XAPI ... 12
2.3 Use encrypted connections in data transferring network ... 13
2.4 Configure umask creation for VHD files ... 13
2.5 Remote NFS storage configuration ... 14
2.6 Disable promiscuous mode for network cards on virtual machines ... 15
2.7 OS kernel network settings configuration ... 15
2.8 Firewall configuration ... 15
3. XENSERVER HYPERVISOR SETTINGS ... 17
3.1 Disable debug mode for xenstored ... 17
3.2 Configure shared secret for «pool» mode ... 17
3.3 Disable debug mode for xapi daemon ... 17
3.4 Configure xenstored daemon logging ... 18
3.5 Disable vncterm automatic logon into dom0 as root ... 18
3.6 Disable xsconsole autorun as root on tty1 ... 18
3.7 Configure PAM in XAPI module ... 19
3.8 Disable testing mode in xsconsole ... 20
3.9 Disable default web page ... 20
4. VIRTUAL MACHINE SETTINGS ... 20
4.1 Limit log file size ... 20
4.2 Disable unused virtual devices ... 21
4.3 Disable service console redirection ... 21
CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE
Page 2 of 21
1.
GENERAL SYSTEM SETTINGS
This chapter covers general system settings. The protection methods described here are the same as
those used for ordinary Linux servers.
1.1
Services started with Citrix XenServer
We recommend limiting the services that are started with the system by default.
How to fix:
Run the following for every unused service:
chkconfig <servicename> off
where <servicename> is the name of the service.
On a standalone XenServer 5.6 installation, the list of services enabled in runlevel 3 may look as follows:
chkconfig --list | grep 3:on
attach-static-vdis
crond
fcauthd
fe
iptables
lwsmd
management-interface
mpp
network
ntpd
perfmon
portmap
rawdevices
set-memory-target
snapwatchd
squeezed
sshd
syslog
unplug-vcpus
v6d
vhostmd
xapi
xapi-domains
xe-linux-distribution
xen-domain-uuid
xenservices
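As an added example (not part of the hardening guide), the following script turns the listing above into an allowlist and reports any runlevel-3 service that is not on it, so the extra services can be reviewed and disabled with chkconfig. The chkconfig output it runs on is a constructed sample, not a capture from a host.

```shell
#!/bin/sh
# Added example, not from the hardening guide: flag services that are enabled in
# runlevel 3 but are not on an allowlist, so they can be reviewed and turned off
# with "chkconfig <servicename> off".

# Allowlist taken from the XenServer 5.6 runlevel-3 listing in section 1.1.
# Assumption: anything not in this list needs a justification or should be off.
ALLOWED_SERVICES="attach-static-vdis crond fcauthd fe iptables lwsmd
management-interface mpp network ntpd perfmon portmap rawdevices
set-memory-target snapwatchd squeezed sshd syslog unplug-vcpus v6d vhostmd
xapi xapi-domains xe-linux-distribution xen-domain-uuid xenservices"

# unexpected_services: read "chkconfig --list" output on stdin and print the
# names of services that are on in runlevel 3 but not in ALLOWED_SERVICES.
# xinetd-managed services ("name: on") have no "3:on" field and are not covered.
unexpected_services() {
    allowed=" $(printf '%s' "$ALLOWED_SERVICES" | tr '\n' ' ') "
    grep '3:on' | awk '{ print $1 }' | while read -r svc; do
        case "$allowed" in
            *" $svc "*) ;;              # on the allowlist: nothing to report
            *) printf '%s\n' "$svc" ;;  # not on the allowlist: report it
        esac
    done
}

# Constructed sample of "chkconfig --list" output (not a capture from a real
# host): telnet and cups are the two services that should be flagged.
SAMPLE_CHKCONFIG='crond          0:off 1:off 2:on  3:on  4:on  5:on  6:off
telnet         0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd           0:off 1:off 2:on  3:on  4:on  5:on  6:off
cups           0:off 1:off 2:off 3:on  4:on  5:on  6:off
xapi           0:off 1:off 2:on  3:on  4:on  5:on  6:off
bluetooth      0:off 1:off 2:off 3:off 4:off 5:off 6:off'

# Demo run on the sample; on a live host use: chkconfig --list | unexpected_services
printf '%s\n' "$SAMPLE_CHKCONFIG" | unexpected_services
```

The allowlist is deliberately the guide's own listing; on a host with extra roles (for example a separately installed monitoring agent) add the justified services to ALLOWED_SERVICES rather than silencing the check.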
1.2
Time synchronization configuration
Time synchronization is necessary for XenServer hosts to operate correctly, both standalone and in pool
mode. You can use your own NTP server or the default time servers.
How to fix:
Add the following lines to the /etc/ntp.conf file (the rhel.pool.ntp.org addresses are an example):
server 0.rhel.pool.ntp.org
server 1.rhel.pool.ntp.org
server 2.rhel.pool.ntp.org
Start the NTP daemon and enable it at boot:
/etc/init.d/ntpd start
chkconfig ntpd on
1.3
Usage of SSHv2
You can use SSH to access the Service Console. If you do, disable the insecure authentication methods and
apply the other settings listed below:
How to fix:
Set the following options in the /etc/ssh/sshd_config file:
Protocol 2
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
Restart sshd for the changes to take effect:
/etc/init.d/sshd restart
1.4
Usage of AES cryptoalgorithm for SSH
We recommend using the AES algorithm for SSH traffic. It is more secure than the algorithms used
previously and, unlike Blowfish and the other algorithms supported by the OpenSSL library, it is supported
by the great majority of client devices.
How to fix:
Set the Ciphers option in the /etc/ssh/sshd_config configuration file:
Ciphers aes256-cbc,aes128-cbc
Restart sshd for the changes to take effect:
/etc/init.d/sshd restart
1.5
Restrict root login via SSH
We recommend disallowing direct root login via SSH. This measure helps prevent brute-force attacks on the
root password and also makes incident investigation easier when several users know that password, since
every administrator first has to log in under their own account.
How to fix:
Set the following option in the /etc/ssh/sshd_config configuration file:
PermitRootLogin no
Restart sshd for the changes to take effect:
/etc/init.d/sshd restart
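Sections 1.3, 1.4 and 1.5 together specify seven sshd_config directives. The following script, an added example that is not part of the guide, checks a configuration file against all of them and reports each directive that is missing or set to another value; it honours sshd's rule that the first uncommented occurrence of a directive wins. The sshd_config fragment it runs on is constructed for the demo, not taken from a host.

```shell
#!/bin/sh
# Added example, not from the hardening guide: audit an sshd_config against the
# directives from sections 1.3, 1.4 and 1.5 and print each one that is missing
# or set to a different value. The function's return code is the finding count.

# Expected "Directive value" pairs, exactly as the guide specifies them.
EXPECTED='Protocol 2
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
Ciphers aes256-cbc,aes128-cbc'

# effective_value FILE DIRECTIVE: print the value of the first uncommented
# occurrence of DIRECTIVE. sshd takes the first match, so later duplicates and
# commented-out defaults must be ignored; directive names are case-insensitive.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                               # comment line
        NF >= 2 && tolower($1) == key { print $2; exit }  # first hit wins
    ' "$1"
}

# check_sshd_config FILE: report deviations from EXPECTED; return their number.
check_sshd_config() {
    findings=0
    while read -r directive want; do
        got=$(effective_value "$1" "$directive")
        if [ -z "$got" ]; then
            echo "MISSING $directive (want: $want)"
            findings=$((findings + 1))
        elif [ "$got" != "$want" ]; then
            echo "WRONG   $directive = $got (want: $want)"
            findings=$((findings + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    return "$findings"
}

# Constructed sshd_config fragment for the demo (not taken from a real host).
# Expected findings: Protocol is "2,1", RhostsRSAAuthentication and
# PermitEmptyPasswords are absent, so the check reports three problems.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
# OpenSSH server configuration (constructed sample)
Protocol 2,1
#PermitRootLogin yes
PermitRootLogin no
IgnoreRhosts yes
HostbasedAuthentication no
Ciphers aes256-cbc,aes128-cbc
EOF

# Demo run; on a live host: check_sshd_config /etc/ssh/sshd_config
check_sshd_config "$SAMPLE_CONFIG" || echo "findings: $?"
```

Two points for use on current systems: a "Protocol 2,1" line is a common way the SSHv1 requirement is silently violated, which is why the check compares the whole value rather than just looking for a "2"; and the guide's cipher list is CBC-only, which matched 2010-era clients, while current OpenSSH releases no longer enable CBC ciphers by default, so on a modern host the Ciphers entry in EXPECTED would be replaced by the CTR or GCM variants.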
1.6
Limit access to su command
The su command lets a user run a shell with the privileges of another user, usually root. We
recommend granting access to the command only to Citrix XenServer administrators: add the
administrators to the wheel group and then enable the access restriction so that only wheel
members are able to execute su.
Note. Depending on the company's security policy, su may be forbidden altogether. In that case, run
privileged operations via sudo, and the wheel group should contain no users.
How to fix:
Run the following for every administrator (admin is an example; -a keeps the user's existing
supplementary groups):
usermod -a -G wheel admin
Then enable access to su for wheel members only. Ensure that the /etc/pam.d/su file
contains the following line (not commented out):
auth required pam_wheel.so use_uid
If su is forbidden, ensure that wheel has no members by checking both the /etc/passwd file
(primary group) and the /etc/group file (secondary groups).
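The last step is easy to get wrong because wheel membership can come from two places. The following script, an added example that is not part of the guide, collects wheel members from both the group member list and primary GIDs, and separately checks whether /etc/pam.d/su actually enforces pam_wheel. The passwd, group and PAM files it reads are constructed samples, not copies from a host.

```shell
#!/bin/sh
# Added example, not from the hardening guide: list every account that ends up in
# the wheel group, via the member list in /etc/group or via a primary GID in
# /etc/passwd, and check that /etc/pam.d/su actually enforces pam_wheel.

# wheel_members PASSWD_FILE GROUP_FILE: print wheel members, one per line, sorted.
wheel_members() {
    {
        # Explicit members: fourth field of the wheel line in the group file.
        awk -F: '$1 == "wheel" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$2"
        # Implicit members: accounts whose primary GID is wheel's GID.
        gid=$(awk -F: '$1 == "wheel" { print $3 }' "$2")
        [ -n "$gid" ] && awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$1"
    } | sort -u
}

# su_requires_wheel PAM_SU_FILE: succeed only if an uncommented auth line loads
# pam_wheel.so, i.e. the restriction from section 1.6 is active.
su_requires_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"
}

# Constructed sample files (not from a real host). ops is in wheel only through
# its primary GID, admin only through the group member list.
SAMPLE_PASSWD=$(mktemp); SAMPLE_GROUP=$(mktemp); SAMPLE_PAM_SU=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_GROUP" "$SAMPLE_PAM_SU"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:500:500::/home/admin:/bin/bash
ops:x:501:10::/home/ops:/bin/bash
vncterm_base:x:502:502::/nonexistent:/sbin/nologin
EOF
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
wheel:x:10:root,admin
users:x:100:
EOF
cat > "$SAMPLE_PAM_SU" <<'EOF'
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            include         system-auth
EOF

# Demo run; on a live host pass /etc/passwd, /etc/group and /etc/pam.d/su.
echo "wheel members:"; wheel_members "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
if su_requires_wheel "$SAMPLE_PAM_SU"; then echo "su is restricted to wheel"
else echo "WARNING: pam_wheel is not enforced in $SAMPLE_PAM_SU"; fi
```

The sample PAM file reproduces the usual shipped state, where the pam_wheel line is present but commented out, so the check reports that su is not yet restricted; if su is forbidden by policy, the expected result of wheel_members is an empty list.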
1.7
Forbid login to single user mode without password
Citrix XenServer is based on Red Hat Linux and therefore also supports single user mode, which can be
selected via the loader settings. With the default settings, anyone can enter this mode and get a console
with root privileges, so an attacker with access to the Citrix XenServer local console can obtain root
privileges and execute arbitrary commands on the server. Therefore, we recommend requiring
password authentication when switching to single user mode.
How to fix:
Add the following entry to the /etc/inittab file:
~~:S:wait:/sbin/sulogin
or edit the existing line that has "S" in the second field.
1.8
extlinux loader password
The Citrix XenServer OS loader lets you configure a large number of OS kernel settings, including the
option used to switch to single user mode. By default, the OS load options are not protected by a
password, which allows an attacker with physical access to the Xen server local console to set
unauthorized OS loading options. To prevent this, we recommend setting a password for loader
management. Also ensure that only the superuser can read and write the Service Console loader
configuration file.
How to fix:
Execute the following commands in the Service Console as root (the -n keeps the trailing newline out of
the hash):
echo -n <loader_password> | sha1sum
chown root:root /boot/extlinux.conf
chmod 600 /boot/extlinux.conf
Then add the 40 hash characters to the /boot/extlinux.conf file (global section of the loader settings):
menu master passwd <password_sha1_hash>
1.9
Activate password storing in /etc/shadow file
With the default pam_unix.so settings, Citrix XenServer does not keep password hashes in the separate, root-only /etc/shadow file. Hashes left in the world-readable /etc/passwd can be read by any local account and cracked offline, so every account on the system becomes a target. We recommend reconfiguring the system to prevent this.
How to fix:
Edit /etc/pam.d/system-auth so that the pam_unix password line reads:
password    sufficient    pam_unix.so try_first_pass use_authtok nullok md5 shadow
(nullok permits empty passwords; drop it if you enforce section 1.10.)
Execute the following command:
pwconv
Reboot the operating system.
1.10 Ensure that there are no users with empty passwords
An attacker can log in to any account that has no password. Ensure that every account either has a password or is locked with "!!" in the password field, as in this /etc/shadow example:
vncterm_base:!!:15278:0:99999:7:::
How to fix:
Set passwords for all accounts with the passwd command, or lock unused accounts with:
usermod -L <username>
1.11
Ensure that the passwd, shadow and group files do not include "+" entries
"+" entries in the account and password configuration files are NIS compatibility entries that pull in accounts from NIS. We recommend deleting such entries. Here is an example of such an entry in /etc/shadow:
username:+:15278:0:99999:7:::
How to fix:
Delete these entries from the files.
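The following script is an added example and is not part of the original guide: an awk-based audit that flags the three conditions from sections 1.9 to 1.11 (password hashes left in passwd, empty password fields, and NIS "+" entries) in passwd- and shadow-format files. It runs against constructed sample files so it can be tried offline; on a host, point the functions at /etc/passwd and /etc/shadow as root.

```shell
#!/bin/sh
# Added audit helper; not part of the XenServer hardening guide. Flags the
# three conditions from sections 1.9-1.11 in passwd-/shadow-format files:
#   hash-in-passwd : passwd password field is neither "x" nor empty, i.e. the
#                    hash was never moved to /etc/shadow (pwconv not run)
#   empty-password : empty password field, so the account logs in without one
#   nis-entry      : "+"/"-" NIS compatibility entries
# Locked accounts ("!!", "*") are not reported. Findings print as "<kind> <user>".

audit_passwd_file() {   # $1 = file in /etc/passwd format
    awk -F: '
        /^[+-]/      { print "nis-entry " $1; next }
        $2 == ""     { print "empty-password " $1; next }
        $2 != "x"    { print "hash-in-passwd " $1 }
    ' "$1"
}

audit_shadow_file() {   # $1 = file in /etc/shadow format
    awk -F: '
        /^[+-]/ || $2 ~ /^[+]/ { print "nis-entry " $1; next }
        $2 == ""               { print "empty-password " $1 }
    ' "$1"
}

count_findings() {      # $1 = passwd|shadow, $2 = file; prints number of findings
    case "$1" in
        passwd) audit_passwd_file "$2" ;;
        shadow) audit_shadow_file "$2" ;;
    esac | wc -l | tr -d ' '
}

# Constructed sample files (not taken from any real system).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:500:500::/home/admin:/bin/bash
legacy:$1$abcdefgh$deadbeefdeadbeefdeadbe:501:501::/home/legacy:/bin/bash
+::0:0:::
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$1$saltsalt$hashhashhashhashhashhas:15278:0:99999:7:::
vncterm_base:!!:15278:0:99999:7:::
guest::15278:0:99999:7:::
username:+:15278:0:99999:7:::
EOF

audit_passwd_file "$SAMPLE_DIR/passwd"   # legacy (hash-in-passwd), + (nis-entry)
audit_shadow_file "$SAMPLE_DIR/shadow"   # guest (empty-password), username (nis-entry)
# On a real host (as root): audit_passwd_file /etc/passwd; audit_shadow_file /etc/shadow
```

Any hash-in-passwd finding means pwconv (section 1.9) has not been run; empty-password findings are fixed with passwd or usermod -L (1.10); nis-entry lines are deleted by hand (1.11).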
1.12
Install Citrix XenServer server certificates
We recommend installing your own SSL certificates (.pem) on the server so that clients can detect certificate spoofing.
How to fix:
Do the following to install a CA certificate:
Attach the media holding the certificate to the system.
Execute the following command:
xe pool-certificate-install filename=</path/to/ca-cert.pem>
where </path/to/ca-cert.pem> is the path of the certificate file on the external media.
Do the following to replace the server certificate:
Mount the media holding the new certificate and key.
Execute the following commands:
service xapi stop
pkill stunnel
cp /etc/xensource/xapi-ssl.pem /etc/xensource/orig-xapi-ssl.pem
cp /path/to/new/cert.pem /etc/xensource/xapi-ssl.pem
service xapi start
Check that the new certificate is the one served on port 443 (for example with openssl s_client -connect <host>:443 from a workstation) before deleting the backup. Then enable SSL certificate verification in xapi:
touch /var/xapi/verify_certificates
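The following is an added example, not code from the guide: a pre-flight check for the replacement step above. It assumes (as the copy commands imply, though the page does not state it) that xapi-ssl.pem carries the private key followed by the certificate in a single PEM file, and uses openssl to verify that the key and certificate belong together and that the certificate is not about to expire, before xapi is stopped and the file swapped. The key pair it checks is a throwaway self-signed one generated inline as constructed input.

```shell
#!/bin/sh
# Added example (not from the guide): sanity-check a candidate xapi-ssl.pem
# before copying it over /etc/xensource/xapi-ssl.pem.
# Assumption (not stated on the page): the file holds the private key followed
# by the server certificate, in one PEM file.

# pem_key_matches_cert <pem>: succeeds if the RSA key and certificate in the
# file share the same modulus, i.e. the certificate was issued for that key.
pem_key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# pem_cert_valid_days <pem> <days>: succeeds if the certificate is still valid
# <days> days from now (so it is not about to expire right after installation).
pem_cert_valid_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Constructed sample: a self-signed pair assembled the way the replacement step
# expects (key first, then certificate), plus a deliberately broken file where
# an unrelated key is pasted together with the first certificate.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=xenserver.example" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
cat "$WORK/key.pem" "$WORK/cert.pem" > "$WORK/xapi-ssl.pem"
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=other" \
    -keyout "$WORK/key2.pem" -out "$WORK/cert2.pem" 2>/dev/null
cat "$WORK/key2.pem" "$WORK/cert.pem" > "$WORK/mismatch.pem"

if pem_key_matches_cert "$WORK/xapi-ssl.pem" && pem_cert_valid_days "$WORK/xapi-ssl.pem" 30; then
    echo "xapi-ssl.pem: key and certificate match, valid for at least 30 more days"
fi
if ! pem_key_matches_cert "$WORK/mismatch.pem"; then
    echo "mismatch.pem: key does not belong to certificate, do not install"
fi
```

Run the two checks against /path/to/new/cert.pem before the service xapi stop step; a mismatched key or an expired certificate would leave xapi unable to serve TLS, which on a remote host means losing XenCenter access.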
1.13
Update vulnerable packages
Citrix XenServer is based on Red Hat Enterprise Linux 5 (CentOS packages). Citrix usually issues patch updates about twice a year, so the system often carries rather old package versions. Although Citrix states that these packages contain no vulnerabilities, we recommend checking the system for vulnerable packages yourself with third-party software. Here we use MaxPatrol 8 (Positive Technologies).
How to fix:
Note that you use this method at your own risk: there is no guarantee that the system will operate normally after you install updates. We strongly recommend creating a backup before updating. Use this method only if you can resolve problems with xapi and other system components on your own.
Detect vulnerable packages by any means, e.g. with a security scanner, or check versions with the yum security plugin (yum-security). Here is an example of how to detect vulnerable packages and what measures to take. Suppose you have found that the following packages are vulnerable:
<package_1>
<package_2>
<package_3>
Then enable the yum repositories needed to update the packages. Set enabled=1 in /etc/yum.repos.d/CentOS-Base.repo:
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
exclude=kernel-xen*, *xen*
enabled=1
#released updates
[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
exclude=kernel-xen*, *xen*
enabled=1
While updating, disable the Citrix repository in /etc/yum.repos.d/Citrix.repo:
enabled=0
Then update the vulnerable packages with yum:
yum update <package_1> <package_2> <package_3>
Keep the exclude=kernel-xen*, *xen* lines in the CentOS repository definitions: replacing the Xen kernel or the xen packages with CentOS builds would break the hypervisor. When done, set enabled=0 on the CentOS repositories again (and re-enable the Citrix one) so that routine yum runs do not pull in untested packages.
1.14
Store password history
Store several previous password hashes so that a password cannot be reused within a short period. The recommended value is 10.
Note. When the administrator (root) changes a user's password, the hash is not written to the password history file.
How to fix:
Execute the following commands:
touch /etc/security/opasswd
chmod 600 /etc/security/opasswd
chown root:root /etc/security/opasswd
Then add remember=10 to the existing pam_unix password line in /etc/pam.d/system-auth, so that it reads:
password    sufficient    pam_unix.so try_first_pass use_authtok nullok md5 shadow remember=10
(A separate "password required pam_unix.so remember=10" line placed after the sufficient line is never reached when the password change succeeds, because sufficient returns immediately.)
1.15
Configure unsuccessful login attempts logging and limit additional attempts
We recommend additional logging of unsuccessful login attempts, and locking the account for a period of time after repeated authentication failures. Configure this through the PAM module settings.
How to fix:
Edit /etc/pam.d/system-auth. We recommend enabling the pam_tally module to make brute-force attacks harder. With the settings shown below it locks the account for 300 seconds after three unsuccessful login attempts (even_deny_root_account applies the lockout to root as well, so a remote attacker can lock root out of the console for 300 seconds; weigh that against your recovery procedures). The remember=10 option from section 1.14 sits on the sufficient pam_unix line, where it is actually reached:
auth        required      pam_env.so
auth        required      pam_tally.so deny=3 unlock_time=300 even_deny_root_account
auth        sufficient    pam_unix.so try_first_pass nullok
auth        required      pam_deny.so

account     required      pam_unix.so
account     required      pam_tally.so

password    required      pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so try_first_pass use_authtok nullok md5 shadow remember=10
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
Failed attempts are counted in /var/log/faillog; the pam_tally command shows and resets the counters (for example pam_tally --user <username> --reset).
1.16
Password policy configuration
Users should use passwords of at least 9 characters. We recommend limiting the maximum password age to 90 days to reduce the impact of a compromised password, warning users 14 days before expiry, and locking an account whose password is not changed within 7 days after expiry.
How to fix:
Execute the following command for every user in the system except the administrator (a minimum age of 7 days matches PASS_MIN_DAYS below and stops users cycling straight back to an old password):
chage -m 7 <username>
The maximum age, warning period and inactivity limit for accounts that already exist must also be set with chage (its -M, -W and -I options), because login.defs only affects accounts created afterwards.
Edit the following lines in /etc/login.defs to set the policy for new accounts (login.defs separates name and value with whitespace, not "="):
PASS_MAX_DAYS   90
PASS_MIN_DAYS   7
PASS_WARN_AGE   14
PASS_MIN_LEN    9
Note that PASS_MIN_LEN is not enforced when passwd goes through PAM, as it does here; enforce the length with the minlen option on the pam_cracklib line of /etc/pam.d/system-auth instead.
2. SYSTEM NETWORK CONFIGURATION
The settings shown below are an abstract example. Adapt them to your own network architecture and server hardware.
2.1
Separate network interfaces by task
We recommend separating the management, storage (data transfer) and virtual machine networks to provide maximum isolation. That way, an attacker who compromises one of the networks cannot reach the others directly. Pic. 1 shows this solution.
[Pic. 1. Logical scheme of separated hypervisor networks: the XenServer host has NIC0 on the Management Network (XAPI), NIC1 on the Storage Network (SM API) and NIC2 on the External Network carrying virtual machine traffic.]
How to fix:
If there are several network interfaces, separate the networks physically and logically. If you cannot separate them physically, at least separate them at the IP level (separate subnets or VLANs).
Management interface configuration:
Show the PIF UUID for the eth0 (NIC0) device and its network UUID:
xe pif-list device=eth0 params=uuid,network-uuid
Modify the network name:
xe network-param-set uuid=<network uuid> name-label="Management NW"
Storage (data transfer) interface configuration:
Show the PIF UUID for the eth1 (NIC1) device and its network UUID:
xe pif-list device=eth1 params=uuid,network-uuid
Configure the network IP address:
xe pif-reconfigure-ip uuid=<pif uuid> mode=static IP=<ip> gateway=<gateway> netmask=<netmask> DNS=<DNS>
Modify the network name:
xe network-param-set uuid=<network uuid> name-label="Storage NW"
Virtual machine interface configuration:
Show the PIF UUID for the eth2 (NIC2) device and its network UUID:
xe pif-list device=eth2 params=uuid,network-uuid
Configure the guest network without an IP address in dom0, so that the control domain is not reachable from the guest network:
xe pif-reconfigure-ip uuid=<pif uuid> mode=none
Modify the network name:
xe network-param-set uuid=<network uuid> name-label="Guest NW 0"
Repeat for eth3, eth4 and so on.
2.2
Restrict unencrypted connections to XAPI
By default, the XAPI stack listens for connections on port 80 (unencrypted) and port 443 (SSL). If the unencrypted channel is used, an attacker can eavesdrop on or tamper with the administrator's operations. We recommend disallowing port 80 for all clients except the XenCenter workstation, and dropping the rule entirely if no client needs unencrypted access, since XenCenter can connect over port 443.
How to fix:
Execute the following command to write the running rules to the configuration file:
/etc/init.d/iptables save
Edit /etc/sysconfig/iptables and replace the default rule that accepts port 80 from any source with a source-restricted one:
-A RH-Firewall-1-INPUT -s <xen_center_ip> -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
Execute the following command:
/etc/init.d/iptables restart
2.3
Use encrypted connections in data transferring network
When you migrate virtual machines (for example with XenMotion), memory and disk data are transferred between servers in plain text. Even though the networks are separated, you should protect this traffic. We recommend encryption at the IP level, such as a VPN or IPsec between the hosts. No example is given because of the great variety of possible solutions.
Configure authentication for iSCSI connections:
Open-iSCSI is used to connect to remote iSCSI storage. It supports CHAP, a challenge-response scheme in which the shared secret is never sent in clear. We recommend CHAP authentication for Open-iSCSI connections; note that CHAP authenticates the initiator but does not encrypt the iSCSI data itself.
How to fix:
Set the following variable in /etc/iscsi/iscsid.conf (the CHAP user name and secret go in node.session.auth.username and node.session.auth.password; for storage repositories created with xe sr-create, supply them as device-config:chapuser and device-config:chappassword):
# To enable CHAP authentication set node.session.auth.authmethod
# to CHAP. The default is None.
node.session.auth.authmethod = CHAP
2.4
Configure the umask for VHD file creation
By default, Citrix XenServer creates virtual machine disk files with read permission for "other", so every local user on the host can read virtual machine data. We recommend restricting permissions on these files.
How to fix:
Modify the storage manager script so that it sets a restrictive umask before creating files. Edit /opt/xensource/sm/FileSR.py and add the os.umask call at the start of the create method (the file is Python 2, so 077 is an octal literal):
def create(self, sr_uuid, vdi_uuid, size):
    os.umask(077)
    if util.ioretry(lambda: util.pathexists(self.path)):
This affects only newly created files; tighten existing VHD files with chmod, and remember that product updates may overwrite FileSR.py.
Then you may need to recompile the .pyc and .pyo files. Create /opt/xensource/sm/compile.py with the following content:
#!/usr/bin/python
import py_compile
py_compile.compile('/opt/xensource/sm/FileSR.py')
Then execute the following commands:
python /opt/xensource/sm/compile.py
python -O /opt/xensource/sm/compile.py
and reboot the hypervisor:
shutdown -r now
2.5
Remote NFS storage configuration
Every remote NFS storage repository is a directory holding files in VHD format. VHD is not encrypted, so we recommend strictly limiting which hosts are allowed to mount the directory.
How to fix:
We recommend the following settings on the NFS server; below we show how to configure NFS storage on a remote Linux server. Ensure that the export in /etc/exports is restricted to the single IP address of the XenServer host (a whole subnet or "*" would let any machine on the network mount the VM disks):
/<vm_share_dir> <xenserver_ip>(rw,root_squash,anonuid=<xen_user_UID>,anongid=<xen_user_GID>,sync)
Set the directory owner to the user that root is squashed to:
chown <xen_user>:<xen_user_group> <vm_share_dir>
Configure the mountd, statd, lockd and rquotad daemons to use static ports (ports 4002-4006 are used as an example) in /etc/sysconfig/nfs, so that the firewall can pin them down:
MOUNTD_PORT="4002"
STATD_PORT="4003"
LOCKD_TCPPORT="4004"
LOCKD_UDPPORT="4004"
RQUOTAD_PORT="4005"
STATD_OUTGOING_PORT="4006"
Add the following rules to the INPUT chain of the /etc/sysconfig/iptables firewall configuration, so that only the XenServer host can reach the portmapper, the NFS daemons and nfsd:
iptables -A INPUT -s <xenserver-ip> -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -s <xenserver-ip> -p udp --dport 111 -j ACCEPT
iptables -A INPUT -s <xenserver-ip> -p tcp --dport 4002:4006 -j ACCEPT
iptables -A INPUT -s <xenserver-ip> -p udp --dport 4002:4006 -j ACCEPT
iptables -A INPUT -s <xenserver-ip> -p tcp --dport 2049 -j ACCEPT
iptables -A INPUT -s <xenserver-ip> -p udp --dport 2049 -j ACCEPT
Verify the active exports and their client restriction with exportfs -v on the NFS server.
2.6
Disable promiscuous mode for virtual machine network interfaces
If promiscuous mode is enabled on a virtual interface, the virtual machine can capture traffic belonging to other guests, and can also use that position to send malformed or malicious frames, accidentally or deliberately. We therefore recommend not enabling this mode.
How to fix:
Execute the following command in the Service Console to disable promiscuous mode on a physical interface (PIF):
xe pif-param-set uuid=<PIF UUID> other-config:promiscuous="off"
or:
xe pif-param-set uuid=<PIF UUID> other-config:promiscuous="false"
The same other-config:promiscuous key can be set on a VM's virtual interface with xe vif-param-set uuid=<VIF UUID>; the setting is applied the next time the interface is plugged. Audit current values with xe pif-list params=uuid,other-config and xe vif-list params=uuid,other-config.
2.7
OS kernel network settings configuration
The following kernel settings harden Citrix XenServer against network attacks (SYN floods, via a larger backlog and SYN cookies; address spoofing, via reverse-path filtering; and source-routing, ICMP-redirect and broadcast-ping tricks):
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
How to fix:
Add the settings to /etc/sysctl.conf and apply them with the following command (they are then also loaded at every boot):
sysctl -p
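The following is an added example (not part of the original guide): a compliance check that compares the settings a host reports against the list above. It reads the current values from a file in sysctl -a format, so it can be run offline against a captured dump; the dump used here is constructed sample data with deliberate deviations. It needs only sh and awk.

```shell
#!/bin/sh
# Added example (not from the guide): report every key from the section 2.7
# list whose current value differs from the expected one or is absent.
# Current values come from a file in `sysctl -a` format; the sample dump
# below is constructed and does not describe any real host.

EXPECTED='
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
'

# check_sysctl <dump-file>: prints "key expected actual" per deviation
# (actual is MISSING when the key is not in the dump); no output if compliant.
check_sysctl() {
    printf '%s\n' "$EXPECTED" | awk -F' *= *' -v dump="$1" '
        BEGIN {
            # load the current values from the dump into cur[key]
            while ((getline line < dump) > 0) {
                split(line, kv, / *= */)
                cur[kv[1]] = kv[2]
            }
        }
        NF == 2 {
            actual = ($1 in cur) ? cur[$1] : "MISSING"
            if (actual != $2) print $1, $2, actual
        }'
}

# count_deviations <dump-file>: number of non-compliant keys
count_deviations() {
    check_sysctl "$1" | wc -l | tr -d ' '
}

# Constructed sample dump: backlog too small, ICMP redirects accepted on "all",
# icmp_echo_ignore_broadcasts absent; everything else compliant.
SAMPLE_DUMP=$(mktemp)
cat > "$SAMPLE_DUMP" <<'EOF'
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
EOF

check_sysctl "$SAMPLE_DUMP"
# On a live host: sysctl -a > /tmp/sysctl.dump && check_sysctl /tmp/sysctl.dump
```

Run the check after sysctl -p and again after a reboot: a key that is compliant before the reboot but not after points to a setting that was applied by hand but never written to /etc/sysctl.conf.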
2.8
Firewall configuration
The default Citrix XenServer installation includes the Netfilter firewall and the iptables command line utility to manage it. We recommend configuring it to restrict network communication to what the host actually needs.
How to fix:
Use the following settings for the management network (xenbr0). The ruleset flushes the existing rules, then allows inbound XAPI (443) only, and outbound only XAPI (443), the Citrix license server ports (7279, 27000), NTP (123) and replies to established connections. Run it from the local console, since a mistake here cuts off remote management; if you also rely on SSH, DNS or a syslog server on this network, add rules for them before the final DROP:
service iptables start
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i xenbr0 -p tcp --dport 443 -m state --state NEW -j ACCEPT
iptables -A INPUT -i xenbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i xenbr0 -j DROP
iptables -A OUTPUT -o xenbr0 -p tcp --dport 443 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o xenbr0 -p tcp --dport 7279 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o xenbr0 -p tcp --dport 27000 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o xenbr0 -p udp --dport 123 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o xenbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o xenbr0 -j DROP
Input chain for the storage (data transfer) network, xenbr1:
iptables -A INPUT -i xenbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i xenbr1 -j DROP
Add the following output rules to allow NFS connections from the host (as an example; the 4002:4006 range matches the static daemon ports configured on the NFS server in section 2.5):
iptables -A OUTPUT -o xenbr1 -p udp --dport 111 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o xenbr1 -p tcp --dport 111 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o xenbr1 -p udp --dport 2049 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o xenbr1 -p tcp --dport 2049 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o xenbr1 -p udp --dport 4002:4006 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o xenbr1 -p tcp --dport 4002:4006 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o xenbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o xenbr1 -j DROP
Note that with this INPUT chain, lock-manager callbacks from the NFS server (statd/lockd) are dropped as new connections; if you need NFS locking, add INPUT rules from the NFS server's address for the same ports.
Add your own rules for connections to other kinds of remote storage.
Finalize the configuration:
service iptables save
chkconfig iptables on
3.
XENSERVER HYPERVISOR SETTINGS
This chapter covers specific configuration options and critical files of the internal XAPI daemon and its environment. These changes can affect the virtual infrastructure, so we recommend making them on a test system first.
3.1
Disable debug mode for xenstored
This keeps the xenstored debug interface from being usable by guest systems.
How to fix:
Delete entries like “allow-debug=true” from /etc/xensource/xenstored.conf file.
3.2
Configure the shared secret for «pool» mode
This applies to the pool master. The pool secret (/etc/xensource/ptoken) authenticates XAPI communication inside the pool, so it must be generated from a random number generator with enough entropy to make it infeasible to guess. XAPI creates a new secret when it starts and the file is absent.
How to fix:
Do the following to regenerate the token, waiting until the kernel entropy pool holds at least 2000 bits before XAPI starts:
service xapi stop
rm /etc/xensource/ptoken
(ent=$(cat /proc/sys/kernel/random/entropy_avail); while [[ $ent -lt 2000 ]]; do sleep 15; ent=$(cat /proc/sys/kernel/random/entropy_avail); done) && service xapi start
Pool members hold a copy of the secret, and regenerating it on the master invalidates theirs; do this before members join the pool, or re-join them afterwards.
3.3
Disable debug mode for the xapi daemon
By default, the gc (garbage-collector) debug mode of the XAPI daemon is enabled. Debug output leaks internal state and adds load, so we recommend disabling it.
How to fix:
In /etc/xensource/xapi.conf replace:
gc-debug = true
with:
gc-debug = false
and restart xapi (service xapi restart) for the change to take effect.
3.4
Configure xenstored daemon logging
We recommend enabling xenstored logging so that its activity can be analysed if the system is compromised.
How to fix:
Edit /etc/xensource/xenstored.conf (the warn level keeps the log small; raise it to info or debug only while investigating):
# Logs
#log = error;general;file:/var/log/xenstored.log
log = warn;general;file:/var/log/xenstored.log
#log = info;general;file:/var/log/xenstored.log
#log = debug;io;file:/var/log/xenstored-io.log
3.5
Disable vncterm automatic logon to dom0 as root
When an XAPI request opens the dom0 text console (the host's console in XenCenter), vncterm logs in as root automatically, regardless of which XAPI user triggered the request, whenever local authentication is used without the Active Directory RBAC subsystem (Free and Advanced editions). We recommend disabling this automatic logon. The best solution is to replace it with the normal login prompt, so that an administrator logs in with a named (non-root) account.
How to fix:
Edit /usr/lib/xen/bin/dom0term.sh so that it reads:
#! /bin/bash
read -s -p "Press <Enter> to login
" ignore
clear
exec /bin/login -p
3.6
Disable xsconsole autorun as root on tty1
By default, xsconsole runs with root privileges on the physical system console (tty1). We recommend modifying the autostart script so that a shell escape or a hijacked text session on the console does not yield root.
How to fix:
Edit /opt/xensource/libexec/run-boot-xsconsole and modify the mingetty call as follows:
Initial line:
exec /sbin/mingetty --noissue --autologin root --loginprog=/usr/bin/xsconsole $TTY
Modified line:
exec /sbin/mingetty --noissue --autologin nobody --loginprog=/usr/bin/xsconsole $TTY
After the change, verify on the console that xsconsole no longer offers root-level actions without authentication.
3.7
Configure PAM in XAPI module
By default, every OS user on Citrix XenServer (Free and Advanced editions) can connect to XAPI with pool-admin privileges. This is a product feature: any local user can perform operations through the Xen API. We therefore recommend restricting which users can authenticate to XAPI in its PAM configuration.
How to fix:
As root, create /etc/xapi_allow with root on the first line, followed by every user allowed to access XAPI, one per line.
Edit /etc/pam.d/xapi as follows (onerr=fail makes pam_listfile deny access rather than allow it if the list file is missing or unreadable):
#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_listfile.so item=user sense=allow file=/etc/xapi_allow onerr=fail
auth        sufficient    pam_unix.so try_first_pass nullok
auth        required      pam_deny.so

account     required      pam_unix.so

password    required      pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so try_first_pass use_authtok nullok md5
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
After the change only the users listed in /etc/xapi_allow can access XAPI, for example:
root
admin
user
Also restrict access to the list file:
chmod 600 /etc/xapi_allow
Check from a workstation that a user who is not in the list is rejected (for example with the xe CLI and the -s, -u and -pw options).
3.8
Disable testing mode in xsconsole
If a file named testing.txt is present in /usr/lib/xsconsole/, xsconsole starts in testing mode. If host= and password= variables are defined in testing.txt, xsconsole authenticates to that remote server with the stored credentials. Moreover, when xsconsole runs on the local console tty1, an attacker at the console can obtain root privileges through this mode.
How to fix:
Ensure that /usr/lib/xsconsole/testing.txt does not exist; if it does, delete it.
3.9
Disable default web page
By default, a web server is active on the host. It serves the XenCenter installer for download and reports the system version, which helps an attacker fingerprint the host. We recommend removing the page or stripping its content.
How to fix:
Edit the web server index file Citrix-index.html in /opt/xensource/www and replace the following fragment:
<html>
<title>XenServer 5.6.0</title>
<head>
</head>
<body>
<p/>Citrix Systems, Inc. XenServer 5.6.0
<p/><a href="XenCenter.iso">XenCenter CD image</a>
<p/><a href="XenCenter.msi">XenCenter installer</a>
</body>
</html>
with
<html>
</html>
4.
VIRTUAL MACHINE SETTINGS
4.1
Limit log file size
We recommend you to limit the maximum size of log files for virtual machines to prevent system drive
overflow.
4.2
Disable unused virtual devices
We recommend detaching virtual devices that a virtual machine does not use, so that they cannot be used to capture the virtual machine's data or credentials.
4.3
Disable service console redirection
We recommend restricting the use of the text consoles of *nix guest operating systems: disable the built-in XenAPI VM console service and use the guest OS's own remote access services instead.