2. CONTENTS
1.
GENERAL SYSTEM SETTINGS................................................................................................................................................................................................................................ 3
1.1
Services started with Citrix XenServer .............................................................................................................................................................................................................. 3
1.2
Time synchronization configuration................................................................................................................................................................................................................... 4
1.3
Usage of SSHv2 ............................................................................................................................................................................................................................................................ 4
1.4
Usage of AES cryptoalgorithm for SSH ............................................................................................................................................................................................................... 4
1.5
Restrict root login via SSH ...................................................................................................................................................................................................................................... 5
1.6
Limit access to su command................................................................................................................................................................................................................................... 5
1.7
Forbid login to single user mode without password .................................................................................................................................................................................... 6
1.8
extlinux loader password ........................................................................................................................................................................................................................................ 6
1.9
Activate password storing in /etc/shadow file .............................................................................................................................................................................................. 6
1.10 Ensure that there are no users with empty passwords ............................................................................................................................................................................... 7
1.11 Ensure that passwd and shadow and files and system group files do not include «+»................................................................................................................... 7
1.12 Install Citrix XenServer server certificates ....................................................................................................................................................................................................... 7
1.13 Update vulnerable packages .................................................................................................................................................................................................................................. 8
1.14 Store password history ............................................................................................................................................................................................................................................ 9
1.15 Configure unsuccessful login attempts logging and limit additional attempts .................................................................................................................................. 9
1.16 Password policy configuration ........................................................................................................................................................................................................................... 10
2.
SYSTEM NETWORK CONFIGURATION ........................................................................................................................................................................................................... 11
2.1
Separate network interfaces by task ............................................................................................................................................................................................................... 11
2.2
Restrict unencrypted connections to XAPI .................................................................................................................................................................................................... 12
2.3
Use encrypted connections in data transferring network ....................................................................................................................................................................... 13
2.4
Configure umask creation for VHD files ......................................................................................................................................................................................................... 13
2.5
Remote NFS storage configuration ................................................................................................................................................................................................................... 14
2.6
Disable promiscuous mode for network cards on virtual machines ................................................................................................................................................... 15
2.7
OS kernel network settings configuration ..................................................................................................................................................................................................... 15
2.8
Firewall configuration ........................................................................................................................................................................................................................................... 15
3.
XENSERVER HYPERVISOR SETTINGS ............................................................................................................................................................................................................. 17
3.1
Disable debug mode for xenstored ................................................................................................................................................................................................................... 17
3.2
Configure shared secret for «pool» mode ...................................................................................................................................................................................................... 17
3.3
Disable debug mode for xapi demon ............................................................................................................................................................................................................... 17
3.4
Configure xenstored demon logging ................................................................................................................................................................................................................ 18
3.5
Disable vncterm automatic logon into dom0 as a root ............................................................................................................................................................................. 18
3.6
Disable xsconsole autorun as a root on tty1 ................................................................................................................................................................................................. 18
3.7
Configure PAM in XAPI module ......................................................................................................................................................................................................................... 19
3.8
Disable testing mode in xsconcole .................................................................................................................................................................................................................... 20
3.9
Disable default web page ...................................................................................................................................................................................................................................... 20
4.
VIRTUAL MACHINE SETTINGS .......................................................................................................................................................................................................................... 20
4.1
Limit log file size ...................................................................................................................................................................................................................................................... 20
4.2
Disable unused virtual devices........................................................................................................................................................................................................................... 21
4.3
Disable service console redirection.................................................................................................................................................................................................................. 21
CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE
Page 2 of 21
3. 1.
GENERAL SYSTEM SETTINGS
This chapter covers general system settings. The introduced protection methods are the same as used
for usual servers based on OS Linux.
1.1
Services started with Citrix XenServer
We recommend you to limit services started with the system by default.
How to fix:
Do the following for all unused services:
chkconfig <servicename> off
where <servicename> is a service name.
The results for a separately installed XenServer 5.6 server may be as follows:
chkconfig --list | grep 3:on
attach-static-vdis
crond
fcauthd
fe
iptables
lwsmd
management-interface
mpp
network
ntpd
perfmon
portmap
rawdevices
set-memory-target
snapwatchd
squeezed
sshd
syslog
unplug-vcpus
v6d
vhostmd
xapi
xapi-domains
xe-linux-distribution
xen-domain-uuid
xenservices
CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE
Page 3 of 21
4. 1.2
Time synchronization configuration
Time synchronization is necessary for correct cooperation of XenServer hosts individually or in pool
mode. You can use your own NTP server or default time servers.
How to fix:
Add the following strings into /etc/ntp.conf file (address rhel.pool.ntp.org is an example):
server 0.rhel.pool.ntp.org
server 1.rhel.pool.ntp.org
server 2.rhel.pool.ntp.org
Start NTP server:
/etc/init.d/ntpd start
chkconfig ntpd on
1.3
Usage of SSHv2
You can use SSH to access Service Console. In this case, disable insecure authentication methods and
some other settings from the list below:
How to fix:
Configure the following settings in /etc/ssh/sshd_config file:
Protocol 2
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
Reboot sshd for the modifications to take effect:
/etc/init.d/sshd restart
1.4
Usage of AES cryptoalgorithm for SSH
We recommend to use AES cryptoalgorithm for SSH traffic. It is more secure than previously used, and
opposite to Blowfish and other cryptoalgorithms (supported by OpenSSL library), the great number of
client devices support it.
How to fix:
Set Ciphers option in /etc/ssh/sshd_config configuration file:
Ciphers aes256-cbc,aes128-cbc
CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE
Page 4 of 21
5. Reboot sshd for the modifications to take effect:
/etc/init.d/sshd restart
1.5
Restrict root login via SSH
We recommend you to restrict root login via SSH for secure purposes. This measure helps to prevent
root password brute force attacks, and also make it easier to investigate incidents in case several users
are aware of the password.
How to fix:
Set the following option in /etc/ssh/sshd_config configuration file:
PermitRootLogin no
Reboot sshd for the modifications to take effect:
/etc/init.d/sshd restart
1.6
Limit access to su command
su command allows users to execute the shell with the privileges of a specified user, mostly root. We
recommend you to grant access to the command only for Citrix XenServer server administrators: include
the administrators into wheel group and then enable access limitations that means that only wheel
members are able to execute su command.
Note. Depending on the company’s security policy, su can be forbidden in the system. In this case, you
can execute privileged operations via sudo, and wheel group should not include users.
How to fix:
Do the following for every user (admin is an example):
usermod -G wheel admin
Then, enable access to su command for wheel members only. Ensure that /etc/pam.d/su file
includes the following string (not in comments):
auth required pam_wheel.so use_uid
If su is forbidden, ensure that wheel do not include users via contents of files from /etc/passwd
folder (primary group) and /etc/group folder (secondary groups).
CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE
Page 5 of 21
6. 1.7
Forbid login to single user mode without password
Citrix XenServer is based on RedHat Linux, therefore it also supports single user mode. You can activate
it via loader settings. Default settings allow all users to access console with root privileges. This allows
attackers with access to Citrix XenServer local console get root privileges and execute arbitrary
commands on the vulnerable server. Therefore, we recommend you to configure password
authentication to change to single user mode.
How to fix:
Add the following entry into /etc/inittab file:
~~:S:wait:/sbin/sulogin
Or edit an existed string with “S” in the second field.
1.8
extlinux loader password
OS Citrix XenServer loader allows you to configure a great number of OS kernel settings, including a
command used to change to single user mode. By default, OS load options are not protected by
password that allows attackers with physical access to Xen server local console to set unauthorized OS
loading options. To prevent the situation, we recommend you to set password for loader management.
Ensure that only super user has access to the service console loader configuration file for
reading/writing.
How to fix:
Execute the following command in Service Console as a root:
echo <пароль_загрузчика> | sha1sum
chown root:root /boot/extlinux.conf
chmod 600 /boot/extlinux.conf
Then, add the 40 hash characters into /boot/extlinux.conf file (global sections of loader settings):
menu master passwd <password_sha1_hash>
1.9
Activate password storing in /etc/shadow file
OS Citrix XenServer does not store password hashes in a separate file (/etc/shadow) according to
pam_unix.so module default settings. Therefore, if an account exists in the system, an attacker can
access it. We recommend you to reconfigure the system to prevent this situation.
How to fix:
Edit /etc/pam.d/system-auth file as follows:
password
sufficient
nullok md5 shadow
pam_unix.so try_first_pass use_authtok
CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE
Page 6 of 21
7. Execute the following command:
pwconv
Reboot the operating system.
1.10 Ensure that there are no users with empty passwords
An attacker can use user accounts without passwords to login. Ensure that all user accounts have
passwords or blocked via «!!». Here is an example (/etc/shadow):
vncterm_base:!!:15278:0:99999:7:::
How to fix:
Set passwords for all accounts. Use passwd command, or block unused accounts via usermod –L
<username> command.
1.11
Ensure that passwd and shadow and files and system group files do not include
«+»
«+» characters in used in accounts and passwords system configuration files as to insert NIS values. We
recommend you to delete such entries to protect the system security. Here is an example of such entry
from /etc/shadow file:
username:+:15278:0:99999:7:::
How to fix:
Delete these settings from service files.
1.12
Install Citrix XenServer server certificates
We recommend you to install custom .pem SSL certificates to prevent certificate spoofing.
How to fix:
Do the following to install CA certificate:
Link a key media to the system.
Execute the following command:
xe pool-certificate-install filename=</path/to/ca-cert.pem>
where </path/to/ca-cert.pem> is a certificate file path on the external media.
Do the following to add a server certificate:
Mount the key media.
Execute the following commands:
CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE
Page 7 of 21
8. service xapi stop
pkill stunnel
cp /etc/xensource/xapi-ssl.pem /etc/xensource/orig-xapi-ssl.pem
cp /path/to/new/cert.pem /etc/xensource/xapi-ssl.pem
service xapi start
Do the following to enable SSL certificate checks:
touch /var/xapi/verify_certificates
1.13
Update vulnerable packages
It is known that OS Citrix XenServer is based on RedHat Linux 5. Citrix policy states that patch updates
are usually issued twice a year. The system package often includes rather old versions. In spite of Citrix
notifications that these packages do not include vulnerabilities, we recommend you to check your
system for vulnerable packages on your own with third-party software. Here we use MaxPatrol 8
(Positive Technologies).
How to fix:
Note that you use this method at your own risk, and there is no guarantee that the system would
normally operate as you install updates. We hardly recommend you to create a backup copy before
updating. You can use this method only in case you can solve problems with xapi and other system
components on your own.
Detect vulnerable packages by any means, i.e.,with a security scanner or check versions with yum secure
plagin. Here is an example hop to detect vulnerable packages and what measures to take. Let us
suppose, that you’ve detected that the following packages are vulnerable:
<package_1>
<package_2>
<package_3>
Then, you should activate yum repository to update the packages.Edit strings enabled= in
/etc/yum.repos.d/CentOS-Base.repo file:
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
exclude=kernel-xen*, *xen*
enabled=1
#released updates
[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE
Page 8 of 21
9. #baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
exclude=kernel-xen*, *xen*
enabled=1
While updating, you have to disable Citrix repository in /etc/yum.repos.d/Citrix.repo file:
enabled=0
Then, update vulnerable packages via yum tool:
yum update <package_1> <package_2> <package_3>
1.14
Store password history
You should store several password hashes to prevent passwords to be used again in a short period of
time. The recommended value is 10.
Note. In case administrator (root) changes a user password, the hash is not stored in password history
file.
How to fix:
Do the following commands:
touch /etc/security/opasswd
chmod 600 /etc/security/opasswd
chown root:root /etc/security/opasswd
Then, add the following string into /etc/pam.d/system-auth file
password
1.15
required
pam_unix.so
remember=10
Configure unsuccessful login attempts logging and limit additional attempts
We recommend you to use additional logging for unsuccessful login attempts. You should also block an
account for a certain period in case of an authentication error. To configure the system use PAM module
configuration settings.
How to fix:
Edit /etc/pam.d/system-auth file. We recommend to enable pam_tally module to make it harder
for attackers to conduct brute force attacks. With the settings shown below, it blocks users for 300
seconds if there are three unsuccessful login attempts:
auth
required
pam_env.so
CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE
Page 9 of 21
10. auth
required
even_deny_root_account
auth
sufficient
auth
required
pam_tally.so deny=3 unlock_time=300
pam_unix.so try_first_pass nullok
pam_deny.so
account
required
pam_unix.so
account
required
pam_tally.so
password
required
pam_cracklib.so try_first_pass retry=3
password
sufficient
pam_unix.so try_first_pass use_authtok
nullok md5 shadow
password
required pam_unix.so
remember=10
password
required
pam_deny.so
session
session
session
crond quiet
session
1.16
optional
pam_keyinit.so revoke
required
pam_limits.so
[success=1 default=ignore] pam_succeed_if.so service in
use_uid
required
pam_unix.so
Password policy configuration
Users should use passwords of at least 9 characters. We recommend you to limit maximum password
age (90 days) to decrease the negative effect in case the system is compromised. We also recommend
you to notify users 14 days earlier the day the password is expired. If a user does not change its
password in 7 days, you should block the account.
How to fix:
Execute the following command for every user in the system except administrator:
chage -m 7 <имя_пользователя>
Edit the following strings in /etc/login.defs file to configure the password policy:
PASS_MAX_DAYS=90
PASS_MIN_DAYS=7
PASS_WARN_AGE=14
PASS_MIN_LEN=9
CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE
Page 10 of 21
11. 2.
SYSTEM NETWORK CONFIGURATION
The shown below settings are an abstract example. You should remember your own network
architecture and server hardware to use these recommendations.
Separate network interfaces by task
C3
NI
VM
2
NI
C-
VM
VM
Xe
nS
er
ve
r
SM
AP
I
XA
PI
We recommend you to protect networks for management, data transferring and virtual machines to
provide maximum security. In that way, you can prevent system compromising in case an attacker
manages to crack one of the networks. Pic. 1 shows this solution.
Ci
tr
ix
-1
Management
Network
NI
C
2.1
Storage Network
External Network
Pic. 1. Logic scheme that shows how to separate hypervisor networks
How to fix:
It there are several network interfaces, separate them physically and logically. It you unable to separate
the networks, we recommend you to separate them on IP level or in any way.
Managing interface configuration:
Show UUID PIF according to eth0 (NIC0) device and its network UUID:
xe pif-list device=eth0 params=uuid,network-uuid
CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE
Page 11 of 21
12. Modify the network name:
xe network-param-set uuid=<network uuid> name-label="Management NW"
Data transferring interface configuration:
Show UUID PIF according to eth1 (NIC1) device and its network UUID:
xe pif-list device=eth1 params=uuid,network-uuid
Configure network IP address:
# xe pif-reconfigure-ip uuid=<pif uuid>> mode=static IP=<ip>
gateway=<gateway> netmask=<netmask> DNS=<DNS>
Modify the network name:
xe network-param-set uuid=<network uuid> name-label="Storage NW"
Virtual machine nterface configuration
Show UUID PIF according to eth2 (NIC2) device and its network UUID:
xe pif-list device=eth2 params=uuid,network-uuid
Configure a guest network in case there is no IP address:
xe pif-reconfigure-ip uuid=<uuid> mode=none
Modify the network name:
xe network-param-set uuid=<network uuid> name-label= "Guest NW 0"
Do the operations for eth3, eth4 and so on.
2.2
Restrict unencrypted connections to XAPI
By default, XAPI stack listen ports 80 (unencrypted channel) and 443 (SSL tunnel) for connection. If
unencrypted data are used, an attacker can compromise administrator’s operations. We recommend
you to disable access by port 80 for all clients except XenCenter working station.
How to fix:
Execute the following command:
/etc/init.d/iptables save
Edit /etc/sysconfig/iptables file:
-A RH-Firewall-1-INPUT –s <xen_center_ip> -p tcp -m state --state NEW m tcp --dport 80 -j ACCEPT
CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE
Page 12 of 21
13. Execute the following command:
/etc/init.d/iptables restart
2.3
Use encrypted connections in data transferring network
If you move virtual machines, data is transferring between servers (for example, in XenMotion mode) in
plain text. It means that data is transferred unencrypted. In spite the fact that networks are separated,
you should protect this traffic. We recommend you to use encryption on IP level, such as VPN. There is
no example because of a great variety of possible solutions.
Configure encryption for iSCSI password transferring:
OpenISCSI software is used to connect to remote iSCSI storage for iSCSI traffic. This software supports
CHAP protocol to send passwords. We recommend you to use CHAP authentication for OpenlSCSI
connections.
How to fix:
Set the following setting for the variable in /etc/iscsi/iscsid.conf file.
# To enable CHAP authentication set node.session.auth.authmethod
# to CHAP. The default is None.
node.session.auth.authmethod = CHAP
2.4
Configure umask creation for VHD files
By default, Citrix XenServer creates virtual machine files with read privileges for “other”. Therefore,
every user has rights to get virtual machine data. We recommend you to limit privileges for these file
types.
How to fix:
You should modify server scripts to modify umask settings.
Edit /opt/xensource/sm/FileSR.py file:
def create(self, sr_uuid, vdi_uuid, size):
os.umask(077)
if util.ioretry(lambda: util.pathexists(self.path)):
Then, you can need to compile file pyc and pyo. Create /opt/xensource/sm/compile.py file with the
following content:
#!/usr/bin/python
import py_compile
py_compile.compile('/opt/xensource/sm/FileSR.py')
Then, execute the following commands:
CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE
Page 13 of 21
14. python /opt/xensource/sm/compile.py
python –O /opt/xensource/sm/compile.py
and reboot the hypervisor with the following command:
shutdown –r now
2.5
Remote NFS storage configuration
Every remote NFS storage is a folder with a file in VHD format. VHD is not encrypted, therefore we
recommend you strictly limit the list of users that are allowed to mount the folder.
How to fix:
We recommend you to modify system settings to operate with remote NFS storage. Below we show
how to configure NFS storage on Linux remote server. Ensure that single IP address is locked in
/etc/exports file:
/<vm_share_dir>
<xenserver_ip>(rw,root_squash,anonuid=<xen_user_UID>,anongid=<xen_user
_GID>,sync)
Discover the folder owner:
chown <xen_user>:<xen_user_group> <vm_share_dir>
Configure mountd, statd, lockd and rquotad demons to operate with static ports (ports 4002-4006 are
used as an example) in /etc/sysconfig/nfs file:
MOUNTD_PORT=”4002”
STATD_PORT=”4003”
LOCKD_TCPPORT=”4004”
LOCKD_UDPPORT=”4004”
RQUOTAD_PORT=”4005”
STATD_OUTGOING_PORT=”4006”
Add the following strings into INPUT table for /etc/sysconfig/iptables network filter:
Iptables
Iptables
Iptables
Iptables
Iptables
Iptables
–A
–A
–A
–A
–A
–A
INPUT
INPUT
INPUT
INPUT
INPUT
INPUT
–s
–s
–s
–s
–s
–s
<xenserver-ip>
<xenserver-ip>
<xenserver-ip>
<xenserver-ip>
<xenserver-ip>
<xenserver-ip>
CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE
-p
-p
-p
-p
-p
-p
tcp
udp
tcp
udp
tcp
udp
–dport
–dport
–dport
–dport
–dport
–dport
111 –j ACCEPT
111 –j ACCEPT
4002:4006 –j ACCEPT
4002:4006 –j ACCEPT
2049 –j ACCEPT
2049 –j ACCEPT
Page 14 of 21
15. 2.6
Disable promiscuous mode for network cards on virtual machines
If promiscuous mode is enabled for simulated network interface, a virtual machine is able to intercept
traffic from other guest systems, and also use other specific features including a possibility to send
malformed or malicious requests accidentally or deliberately Therefore, we do not recommend you to
enable this mode.
How to fix:
Execute the following commands in Service Console to disable VIF or promiscuous mode:
xe pif-param-set uuid=<PIF UUID> other-config:promiscuous="off"
or:
xe pif-param-set uuid=<PIF UUID> other-config:promiscuous="false"
2.7
OS kernel network settings configuration
The following OS kernel settings are necessary to harden Citrix XenServer network attack tolerance:
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
How to fix:
Add the settings into /etc/sysctl.conf file, reboot the system and execute the following command:
sysctl -p
2.8
Firewall configuration
Default Citrix XenServer installation includes Netfilter firewall and iptables command line utility used to
manage it. We recommend you to configure this software to provide secure network communication.
How to fix:
Use the following settings for managing network:
service iptables start
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE
Page 15 of 21
16. iptables
iptables
iptables
iptables
iptables
iptables
iptables
iptables
iptables
-A
-A
-A
-A
-A
-A
-A
-A
-A
INPUT -i xenbr0 -p tcp --dport 443 -m state --state NEW -j ACCEPT
INPUT -i xenbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
INPUT -i xenbr0 -j DROP
OUTPUT -o xenbr0 -p tcp --dport 443 -m state --state NEW -j ACCEPT
OUTPUT -o xenbr0 -p tcp --dport 7279 -m state --state NEW -j ACCEPT
OUTPUT -o xenbr0 -p tcp --dport 27000 -m state --state NEW -j ACCEPT
OUTPUT -o xenbr0 -p udp --dport 123 -m state --state NEW -j ACCEPT
OUTPUT -o xenbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
OUTPUT -o xenbr0 -j DROP
Input chain for data transferring network:
iptables -A INPUT -i xenbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i xenbr1 -j DROP
Add the following permissions to configure NFS remote connections (as an example):
iptables
iptables
iptables
iptables
iptables
iptables
iptables
iptables
-A
-A
-A
-A
-A
-A
-A
-A
OUTPUT
OUTPUT
OUTPUT
OUTPUT
OUTPUT
OUTPUT
OUTPUT
OUTPUT
-o
-o
-o
-o
-o
-o
-o
-o
xenbr1
xenbr1
xenbr1
xenbr1
xenbr1
xenbr1
xenbr1
xenbr1
-p
-p
-p
-p
-p
-p
-m
-j
udp --dport 111 -m state --state NEW -j ACCEPT
tcp --dport 111 -m state --state NEW -j ACCEPT
udp --dport 2049 -m state --state NEW -j ACCEPT
tcp --dport 2049 -m state --state NEW -j ACCEP
udp --dport 4002:4006 -m state --state NEW -j ACCEPT
tcp --dport 4002:4006 -m state --state NEW -j ACCEPT
state --state RELATED,ESTABLISHED -j ACCEPT
DROP
Add your own rules to connect to alternative remote storages.
Finalize the configuration:
service iptables save
chkconfig iptables on
CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE
Page 16 of 21
17. 3.
XENSERVER HYPERVISOR SETTINGS
This chapter is about specific configuration and critical file options for internal XAPI demon and its
environment. These changes can influence virtual infrastructures, therefore we recommend you to
make them on testing systems first on all.
3.1
Disable debug mode for xenstored
This is necessary to restrict debug mode for guest systems.
How to fix:
Delete entries like “allow-debug=true” from /etc/xensource/xenstored.conf file.
3.2
Configure shared secret for «pool» mode
This is actual for pool-master systems. It is necessary to harden spoofing of the certificate used for data
transferring inside the system. We recommend you to create a certificate based on random-number
generator with enough entropy.
How to fix:
Do the following to create the token:
service xapi stop
rm /etc/xensource/ptoken
(ent=$(cat /proc/sys/kernel/random/entropy_avail); while [[ $ent -lt
2000 ]]; do
sleep 15; ent=$(cat /proc/sys/kernel/random/entropy_avail); done) &&
service xapi start
3.3
Disable debug mode for xapi demon
By default, Global Catalog Debug mode is enabled. This setting is insecure, we recommend you to
disable this mode to prevent system compromising.
How to fix:
Replace the following value in /etc/xensource/xapi.conf file:
gc-debug = true
with false.
CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE
Page 17 of 21
18. 3.4
Configure xenstored demon logging
We recommend you to configure xenstored demon logging for further analysis in case the system is
compromised.
How to fix:
Edit /etc/xensource/xenstored.conf file:
# Logs
#log = error;general;file:/var/log/xenstored.log
log = warn;general;file:/var/log/xenstored.log
#log = info;general;file:/var/log/xenstored.log
#log = debug;io;file:/var/log/xenstored-io.log
3.5
Disable vncterm automatic logon into dom0 as a root
In case there is an XAPI request that is created to connect to hypervisor testing console, automatic logon
is done as a root regardless of XAPI user, that triggered the request if local authorization is used without
RBAC subsystem using Active Directory (in versions Free, Advanced). We recommend you to disable
such login to protect the system. The best solution is to replace automatic logon with default login
prompt (redirection to SSH).
How to fix:
Edit /usr/lib/xen/bin/dom0term.sh file, where <admin_user> is your administrative account (not root) :
#! /bin/bash
read -s -p "Press <Enter> to login
" ignore
сlear
exec /bin/login –p
3.6
Disable xsconsole autorun as a root on tty1
By default, Xsconsole console started with root privileges is available on the system physical console.
We recommend you to modify autoload script to prevent SH code injection and/or session interception
via text mode.
How to fix:
Edit /opt/xensource/libexec/run-boot-xsconsole file. Modify the terminal call string as follows:
Initial string:
exec /sbin/mingetty --noissue --autologin root -loginprog=/usr/bin/xsconsole $TTY
CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE
Page 18 of 21
19. Modified string:
exec /sbin/mingetty --noissue --autologin nobody -loginprog=/usr/bin/xsconsole $TTY
3.7
Configure PAM in XAPI module
By default, every OS Citrix XenServer user (in versions Free, Advanced) is able to connect to XAPI with
pool-admin privileges. This is a product feature. It means that every user can execute operations in the
system using Xen API, therefore we recommend you to limit users with access to XAPI in PAM module.
How to fix:
As a root, create /etc/xapi_allow file and add root as a first string to the file. Enumerate all users with
access to XAPI with line feed separator.
Edit /etc/pam.d/xapi file as follows:
#%PAM-1.0
auth
required
auth
required
file=/etc/xapi_allow
auth
sufficient
auth
required
pam_env.so
pam_listfile.so item=user sense=allow
pam_unix.so try_first_pass nullok
pam_deny.so
account
required
pam_unix.so
password
password
nullok md5
password
required
sufficient
pam_cracklib.so try_first_pass retry=3
pam_unix.so try_first_pass use_authtok
required
pam_deny.so
session
session
session
crond quiet
session
optional
pam_keyinit.so revoke
required
pam_limits.so
[success=1 default=ignore] pam_succeed_if.so service in
use_uid
required
pam_unix.so
If the changes are made, only users from the xapi_allow list are able to access xapi:
root
admin
user
Also, limit access to this file:
chmod 600 /etc/xapi_allow
CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE
Page 19 of 21
20. 3.8
Disable testing mode in xsconcole
If you add a file testing.txt to /usr/lib/xsconsole/ folder, Xsconsole starts in testing mode. If host=,
password= variables are defined in file testing.txt, xsconsole program authenticates on a remote server.
Besides, if xsconsole is used on tty1 local console, an attacker can access the local console with root
privileges.
How to fix:
Ensure that /usr/lib/xsconsole/testing.txt file is not existed.
If it exists, delete it.
3.9
Disable default web page
By default, a web server is active in the system. It allows users to upload XenCenter files and reports
current system version. We recommend you to delete the whole page or correct its content to prevent
the system compromising.
How to fix:
Modify web server index file Citrix-index.html in /opt/xensource/www folder. Replace
the following fragment:
<html>
<title>XenServer 5.6.0</title>
<head>
</head>
<body>
<p/>Citrix Systems, Inc. XenServer 5.6.0
<p/><a href="XenCenter.iso">XenCenter CD image</a>
<p/><a href="XenCenter.msi">XenCenter installer</a>
</body>
</html>
with
<html>
</html>
4.
VIRTUAL MACHINE SETTINGS
4.1
Limit log file size
We recommend you to limit the maximum size of log files for virtual machines to prevent system drive
overflow.
CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE
Page 20 of 21
21. 4.2
Disable unused virtual devices
We recommend you to disable connections between any virtual devices and virtual machines to prevent
the capture of virtual machine credentials.
4.3
Disable service console redirection
We recommend you to restrict the usage of text system consoles in *nix operating systems. You should
disable XenAPI VM built-in console service and use native OS services.
CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE
Page 21 of 21