Wednesday, April 4, 2012

VM Security Hardening Guide

Settings in the .vmx file can be edited with the vSphere Client, with a vSphere API-based tool such as PowerCLI, or with a plain text editor.
  • Unprivileged user actions
  1. Prevent virtual disk shrinking: repeated disk shrinking can cause a denial of service.
isolation.tools.diskWiper.disable=TRUE
isolation.tools.diskShrink.disable=TRUE

  2. Prevent other users from spying on the administrator's remote console: otherwise the administrator could lose the remote console connection, or a non-admin user could watch the administrator's actions on it.

RemoteDisplay.maxConnections=1

  3. Disable copy/paste to the remote console. Otherwise non-privileged users and processes in the VM can access the clipboard of the VM console, and sensitive data could be exposed.

isolation.tools.copy.disable=TRUE
isolation.tools.paste.disable=TRUE
isolation.tools.dnd.disable=TRUE
isolation.tools.setGUIOptions.enable=FALSE

  • Virtual Devices
  1. Ensure that unauthorized devices are not connected, to reduce the potential attack surface.
floppyX.present = "FALSE"
serialX.present = "FALSE"
parallelX.present = "FALSE"
usb.present = "FALSE"
ideX:Y.present = "FALSE" (CD-ROM)

  2. Prevent unauthorized removal, connection and modification of devices.
isolation.device.connectable.disable=TRUE
isolation.device.edit.disable=TRUE

  3. Disable VM-to-VM communication through VMCI; this is the default.
vmci0.unrestricted=FALSE

  • VM information flow
  1. Limit the VM log file size and the number of files kept, or disable guest logging altogether.
log.rotateSize=1000000
log.keepOld=10
isolation.tools.log.disable=TRUE

  2. Limit the size of informational messages sent from the VM to the .vmx file (the default is 1 MB, which is enough for most cases).
tools.setinfo.sizeLimit=1048576

  3. Avoid using independent non-persistent disks (.mode = "independent-nonpersistent"): without remote logging, a reboot or shutdown discards the changes made to the disk, so the record of what happened on it is lost.

  4. Disable remote operations within the guest. If enabled, the VIX API can manipulate the guest OS inside the VM, which is a potential threat.
guest.command.enable=FALSE

  5. Do not send host performance information to the guest, unless the VM needs it for performance monitoring.
tools.guestlib.enableHostInfo=FALSE
     
  • VMsafe: a security architecture for virtualized environments and an API-sharing program that lets partners develop security products.
VMsafe CPU/Memory API: inspects memory accesses and CPU state.
VMsafe network packet inspection API (VMsafe-Net, with a data-path agent and a control-path agent): inspects network packets between the virtual network adapter and the vSwitch.
VMsafe Virtual Disk Development Kit (VDDK): inspects access to virtual disks. The VDDK API is built into vSphere and cannot be disabled.

VMsafe CPU/Memory requires a security virtual appliance attached to a vSwitch named vmsafe, with a port group named vmsafe-appliances.

The protected VM's .vmx file is also configured for the VMsafe API.

If a VM is not running a VMsafe product, the port group vmsafe-appliances should not be present.
If a VM is not supposed to be protected by VMsafe, no VMsafe-related configuration should be present.

VMsafe-Net also uses a virtual appliance, on a vSwitch named dvfilter with a port group named dvfilter-appliances.

A protected VM is configured in its .vmx with ethernet0.filter1.name=dv-filter1, where dv-filter1 is the data-path kernel module that protects the VM and ethernet0 is the vNIC being protected; each vNIC supports 16 filters.

If a VM is not running VMsafe-Net, or is not supposed to, the port group dvfilter-appliances and the filter configuration should not be present.

  • General VM protection
  1. Secure VMs the same way as physical machines.
  2. Disable unnecessary functions inside the VM.
  3. Use templates to deploy new VMs whenever possible.
  4. Use resource pools to prevent one VM from taking over resources.
  5. Minimize use of the VM console, which has an impact on the service console.
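As an added example (not from the original post and not VMware's own tooling), the following Python script reads a .vmx file and audits it against the settings listed above. The key names are the ones from this checklist; the sample .vmx text is constructed, absent keys are reported so that each setting ends up explicit, and IDE hard disks are flagged alongside IDE CD-ROMs because the present flag alone does not distinguish them.

```python
import re
# Expected values from the checklist above; .vmx keys are compared case-insensitively.
# Absent keys are reported too, so that every setting ends up set explicitly.
EXPECTED = {k: "TRUE" for k in (
    "isolation.tools.diskwiper.disable", "isolation.tools.diskshrink.disable",
    "isolation.tools.copy.disable", "isolation.tools.paste.disable",
    "isolation.tools.dnd.disable", "isolation.device.connectable.disable",
    "isolation.device.edit.disable")}
EXPECTED.update({"isolation.tools.setguioptions.enable": "FALSE",
                 "vmci0.unrestricted": "FALSE", "guest.command.enable": "FALSE",
                 "tools.guestlib.enablehostinfo": "FALSE",
                 "remotedisplay.maxconnections": "1"})
DEVICE_RE = re.compile(r"^(floppy\d+|serial\d+|parallel\d+|usb|ide\d+:\d+)\.present$")
FILTER_RE = re.compile(r"^ethernet\d+\.filter\d+\.name$")  # VMsafe-Net dvfilter slots
LINE_RE = re.compile(r'^\s*([^#=\s]+)\s*=\s*"?([^"]*)"?\s*$')

def parse_vmx(text):
    """Parse key = "value" lines into a dict with lower-cased keys."""
    matches = (LINE_RE.match(line) for line in text.splitlines())
    return {m.group(1).lower(): m.group(2).strip() for m in matches if m}

def audit_vmx(text):
    """Return a list of finding strings; an empty list means every check passed."""
    cfg = parse_vmx(text)
    findings = [f"{k}: expected {v}, found {cfg.get(k)}"
                for k, v in EXPECTED.items() if (cfg.get(k) or "").upper() != v]
    for key, val in cfg.items():
        if DEVICE_RE.match(key) and val.upper() == "TRUE":
            findings.append(f"{key}: device present, confirm it is required")
        if key.endswith(".mode") and val == "independent-nonpersistent":
            findings.append(f"{key}: nonpersistent disk loses on-disk traces at power-off")
        if FILTER_RE.match(key):
            findings.append(f"{key}: VMsafe-Net filter '{val}' set, confirm VM should be protected")
    if cfg.get("isolation.tools.log.disable", "").upper() != "TRUE" and (
            "log.rotatesize" not in cfg or "log.keepold" not in cfg):
        findings.append("log.rotateSize/log.keepOld: guest log growth is not bounded")
    if int(cfg.get("tools.setinfo.sizelimit", "1048576")) > 1048576:
        findings.append("tools.setInfo.sizeLimit: raised above the 1 MB default")
    return findings

# Constructed sample .vmx fragment (not from a real VM), deliberately incomplete.
SAMPLE_VMX = '''isolation.tools.diskWiper.disable = "TRUE"
isolation.tools.diskShrink.disable = "TRUE"
RemoteDisplay.maxConnections = "1"
floppy0.present = "TRUE"
scsi0:1.mode = "independent-nonpersistent"
ethernet0.filter1.name = "dv-filter1"
log.rotateSize = "1000000"
'''
```

Running audit_vmx(SAMPLE_VMX) lists every missing isolation setting plus the floppy, non-persistent disk, dvfilter and log-rotation findings; point it at the text of a real .vmx to get the same report for a production VM.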

