VMware recently released the Hardened Virtual Appliance Operations Guide. This whitepaper was written to assist with the additional components that an administrator may choose to implement on the hardened virtual appliances. You see, VMware created a hardened virtual appliance “by embedding the technical requirements of the STIG in the design”. What the heck am I talking about, you might say? Well, the Defense Information Systems Agency (DISA) is an entity for the Department of Defense (DoD), and the Security Technical Implementation Guides (STIGs) are standards for DoD IA and IA-enabled systems. In my experience, DoD is the only one that uses the STIGs, but I am sure that there are other companies or civilian agencies out there using the document as guidance. Either way, it is a way to make the system stronger or, like we say, harden it. There are many ways of making the system stronger, for instance the Hardening Guidelines that VMware releases as well.
Now that you understand that all of these items are in place, you may ask yourself why you would even bother. Well, in some parts, you won’t have to because, as the whitepaper mentions, there are currently (as of Jan 2014) 9 products that utilize the hardened virtual appliance. So in this case, you don’t have to worry so much about building out your own; VMware did it for you. But let’s go back to the original question… why do you care? Because you want to minimize any avenue that an attacker might have into your system. You want to reduce the attack surface. In terms that my mom can understand… you want to check all the windows… check all the doors… make sure they are locked, and turn on the house alarm before you go to bed. You want to reduce any avenue that someone may have of getting into your house. Possibly you don’t have an alarm system, so your house can’t be as hardened, but there are additional steps that you can take to get closer to 100%. This whitepaper helps with those additional steps, which include:
- root password
- password expiry
- dodscript.sh script
- secure shell, administrative accounts, and console access
- time sourcing and synchronization
- log forwarding – syslog-ng and auditd
- boot loader (grub) password
- NFS and NIS
Your next step: go back to the vendors that release virtual appliances and ask them if they have hardened them. If they have no idea what you are talking about, mention that VMware has done it and that they should too. The fact is, all of the experience shows that people don’t manage security for themselves well, so if it can be BUILT IN like we always say… why not!!