XenServer Disable Root

DustinB3403

Here is a PDF guide on hardening XS 6.5

Looking through it to disable the root account entirely.

thwr

@DustinB3403 said in XenServer Disable Root:

As for disabling root.... Hrm there is probably a way to do it, since you can login to the local console with another user name, assuming you have it configured.

Disabling SSH access for root is easy (PermitRootLogin no), password could be set to something random, just make sure your normal user is a sudoer. Erm, is sudo available on XenServer?

DustinB3403

Sudo is available.

thwr

@DustinB3403 said in XenServer Disable Root:

Sudo is available.

Ok, so the rest is easy. Just allow your user to be a sudo'er (add them to the sudo grouip on most systems or check your sudoers config file)

stacksofplates

It's general SCAP standards. We are using Open SCAP since it covers a little more. Here's just the general profile.

http://static.open-scap.org/ssg-guides/ssg-rhel6-guide-common.html

stacksofplates

@thwr said in XenServer Disable Root:

@DustinB3403 said in XenServer Disable Root:

Sudo is available.

Ok, so the rest is easy. Just allow your user to be a sudo'er (add them to the sudo grouip on most systems or check your sudoers config file)

Well with XenCenter it's not that simple. Any user created is added as a Pool Admin and has control over the VMs.

If you connect as a new user with XenCenter you now have root access through the console.

travisdh1

I'm linking to an old, old document here. It should still work the same way for XenServer 6.5, I'm not sure about XenServer 7. Is the XenServer 7 management OS still based on CentOS 6.5?

Anyway, CentOS 5.1 docs. Looks like the Red Hat Documentation is the same.

I'd shy away from disabling it via PAM. If you are forcing people to use sudo (even if they do something like 'sudo -i'), everything they do gets logged. Which is why you always want to login to your normal user account and then su or sudo in order to do system level work.

thwr

@stacksofplates said in XenServer Disable Root:

@thwr said in XenServer Disable Root:

@DustinB3403 said in XenServer Disable Root:

Sudo is available.

Ok, so the rest is easy. Just allow your user to be a sudo'er (add them to the sudo grouip on most systems or check your sudoers config file)

Well with XenCenter it's not that simple. Any user created is added as a Pool Admin and has control over the VMs.

If you connect as a new user with XenCenter you now have root access through the console.

Sorry, only played once with XenServer many years ago. That's just a common Linux / BSD / *NIX approach and basically the same thing that Ubuntu does.

stacksofplates

I might end up switching to KVM if I can't get it to work. It will give me support through Red Hat and I can use our normal profile to kickstart with and just add the hypervisor role.

KVM is nice because I just add a user to the libvirt group and they can control the VMs but still have regular system permissions.

travisdh1

I also want to know what SCAP is? Disabling the ability to make changes to a system isn't really a good idea in general.

stacksofplates

@travisdh1 said in XenServer Disable Root:

I'm linking to an old, old document here. It should still work the same way for XenServer 6.5, I'm not sure about XenServer 7. Is the XenServer 7 management OS still based on CentOS 6.5?

Anyway, CentOS 5.1 docs. Looks like the Red Hat Documentation is the same.

I'd shy away from disabling it via PAM. If you are forcing people to use sudo (even if they do something like 'sudo -i'), everything they do gets logged. Which is why you always want to login to your normal user account and then su or sudo in order to do system level work.

Ya we have to use sudo.

I didn't think it logged correctly if you did a sudo su or sudo -i.

travisdh1

@stacksofplates said in XenServer Disable Root:

@travisdh1 said in XenServer Disable Root:

I'm linking to an old, old document here. It should still work the same way for XenServer 6.5, I'm not sure about XenServer 7. Is the XenServer 7 management OS still based on CentOS 6.5?

Anyway, CentOS 5.1 docs. Looks like the Red Hat Documentation is the same.

I'd shy away from disabling it via PAM. If you are forcing people to use sudo (even if they do something like 'sudo -i'), everything they do gets logged. Which is why you always want to login to your normal user account and then su or sudo in order to do system level work.

Ya we have to use sudo.

I didn't think it logged correctly if you did a sudo su or sudo -i.

It should, if it doesn't I'd say something is broken.

stacksofplates

@travisdh1 said in XenServer Disable Root:

I also want to know what SCAP is? Disabling the ability to make changes to a system isn't really a good idea in general.

It's not disabling root, it's disabling remote root access. The problem is I would have remote root access through XenCenter.

thwr

@stacksofplates said in XenServer Disable Root:

I might end up switching to KVM if I can't get it to work. It will give me support through Red Hat and I can use our normal profile to kickstart with and just add the hypervisor role.

KVM is nice because I just add a user to the libvirt group and they can control the VMs but still have regular system permissions.

Keep in mind that there are not many backup options available with KVM. Even @KOOLER had to ask, and I bet he knows what he's doing: https://community.spiceworks.com/topic/1577463-kvm-vm-backup

DustinB3403

The SCAP guide here says you only need to disable root SSH access, not ROOT on the local console.

I think you'd be fine.

http://static.open-scap.org/ssg-guides/ssg-rhel6-guide-common.html > Ctrl+f "disable root"

DustinB3403

Which the hardening guide I've posted shows how to disable SSH root access.

stacksofplates

@DustinB3403 said in XenServer Disable Root:

The SCAP guide here says you only need to disable root SSH access, not ROOT on the local console.

I think you'd be fine.

http://static.open-scap.org/ssg-guides/ssg-rhel6-guide-common.html > Ctrl+f "disable root"

You still have remote root access through XenCenter. I know how to turn off remote root through SSH.

If I do a useradd and give that user no extra permissions, I can log in as that user in XenCenter and they now have root access. Plus, root can still log in through XenCenter.

stacksofplates

@thwr said in XenServer Disable Root:

@stacksofplates said in XenServer Disable Root:

I might end up switching to KVM if I can't get it to work. It will give me support through Red Hat and I can use our normal profile to kickstart with and just add the hypervisor role.

KVM is nice because I just add a user to the libvirt group and they can control the VMs but still have regular system permissions.

Keep in mind that there are not many backup options available with KVM. Even @KOOLER had to ask, and I bet he knows what he's doing: https://community.spiceworks.com/topic/1577463-kvm-vm-backup

Ya, we do both agent based and I have a couple KVM machines running. I use the qemu-guest-agent to allow filesystem freezing. I take a snapshot, then unfreeze the fs. Export the snapshot to a file on a remote system, then delete the snapshot. Takes like 20 seconds per VM. So we are covered with that.

DustinB3403

So your concern shouldn't be "How do I disable root" but it should be; How do I ensure no one else has XenCenter installed and access to my servers?

stacksofplates

@DustinB3403 said in XenServer Disable Root:

So your concern shouldn't be "How do I disable root" but it should be; How do I ensure no one else has XenCenter installed and access to my servers?

No it should still be how do I disable remote root access. That's the issue that needs to be resolved.