XenServer Disable Root
-
@DustinB3403 said in XenServer Disable Root:
The SCAP guide here says you only need to disable root SSH access, not ROOT on the local console.
I think you'd be fine.
http://static.open-scap.org/ssg-guides/ssg-rhel6-guide-common.html > Ctrl+f "disable root"
You still have remote root access through XenCenter. I know how to turn off remote root through SSH.
If I do a useradd and give that user no extra permissions, I can log in as that user in XenCenter and they now have root access. Plus, root can still log in through XenCenter.
-
@thwr said in XenServer Disable Root:
@stacksofplates said in XenServer Disable Root:
I might end up switching to KVM if I can't get it to work. It will give me support through Red Hat and I can use our normal profile to kickstart with and just add the hypervisor role.
KVM is nice because I just add a user to the libvirt group and they can control the VMs but still have regular system permissions.
Keep in mind that there are not many backup options available with KVM. Even @KOOLER had to ask, and I bet he knows what he's doing: https://community.spiceworks.com/topic/1577463-kvm-vm-backup
Ya, we do both agent based and I have a couple KVM machines running. I use the qemu-guest-agent to allow filesystem freezing. I take a snapshot, then unfreeze the fs. Export the snapshot to a file on a remote system, then delete the snapshot. Takes like 20 seconds per VM. So we are covered with that.
-
So your concern shouldn't be "How do I disable root" but it should be; How do I ensure no one else has XenCenter installed and access to my servers?
-
@DustinB3403 said in XenServer Disable Root:
So your concern shouldn't be "How do I disable root" but it should be; How do I ensure no one else has XenCenter installed and access to my servers?
No it should still be how do I disable remote root access. That's the issue that needs to be resolved.
-
To which,
What I would do is remove the XC installable from XenServer's webconsole, and configure everything on Xen Orchestra.
Then do a sweep of your network ensuring no one has XenCenter that isn't supposed to.
-
@stacksofplates said in XenServer Disable Root:
@DustinB3403 said in XenServer Disable Root:
So your concern shouldn't be "How do I disable root" but it should be; How do I ensure no one else has XenCenter installed and access to my servers?
No it should still be how do I disable remote root access. That's the issue that needs to be resolved.
But that issue has already been solved.
Remote root access is disabled via the information I've already provided.You're contriving a separate issue into this one.
Remove XenCenter installable from the XS systems, and uninstall it from everyones' computers.
Problem solved.
-
@DustinB3403 said in XenServer Disable Root:
To which,
What I would do is remove the XC installable from XenServer's webconsole, and configure everything on Xen Orchestra.
Then do a sweep of your network ensuring no one has XenCenter that isn't supposed to.
So first off, I can't do a sweep of our network. We have like 800 people working here and I don't control the network. Second, to meet SCAP we need to disable all remote root access. If I can't do that, then it doesn't work.
-
@DustinB3403 said in XenServer Disable Root:
@stacksofplates said in XenServer Disable Root:
@DustinB3403 said in XenServer Disable Root:
So your concern shouldn't be "How do I disable root" but it should be; How do I ensure no one else has XenCenter installed and access to my servers?
No it should still be how do I disable remote root access. That's the issue that needs to be resolved.
But that issue has already been solved.
Remote root access is disabled via the information I've already provided.You're contriving a separate issue into this one.
Remove XenCenter installable from the XS systems, and uninstall it from everyones' computers.
Problem solved.
No it's not. If I open XenCenter and type root for a username it works. That's remote root access. SSH isn't the only remote access available.
-
@stacksofplates said in XenServer Disable Root:
@DustinB3403 said in XenServer Disable Root:
To which,
What I would do is remove the XC installable from XenServer's webconsole, and configure everything on Xen Orchestra.
Then do a sweep of your network ensuring no one has XenCenter that isn't supposed to.
So first off, I can't do a sweep of our network. We have like 800 people working here and I don't control the network. Second, to meet SCAP we need to disable all remote root access. If I can't do that, then it doesn't work.
But you are disabling remote root access.
Because someone has XenCenter installed gives them console access. It's not considered remote. The solution to this is sweep the network, and remove XC from the network.
And disable SSH root access as already described.
-
@stacksofplates said in XenServer Disable Root:
@DustinB3403 said in XenServer Disable Root:
@stacksofplates said in XenServer Disable Root:
@DustinB3403 said in XenServer Disable Root:
So your concern shouldn't be "How do I disable root" but it should be; How do I ensure no one else has XenCenter installed and access to my servers?
No it should still be how do I disable remote root access. That's the issue that needs to be resolved.
But that issue has already been solved.
Remote root access is disabled via the information I've already provided.You're contriving a separate issue into this one.
Remove XenCenter installable from the XS systems, and uninstall it from everyones' computers.
Problem solved.
No it's not. If I open XenCenter and type root for a username it works. That's remote root access. SSH isn't the only remote access available.
XenCenter is the LOCAL CONSOLE, it's not "remote" in any way. Literally a pts (tty serial port.)
-
Why is the management interface even on the standard network instead of on a VLAN or dedicated management network?
-
@travisdh1 said in XenServer Disable Root:
Why is the management interface even on the standard network instead of on a VLAN or dedicated management network?
Well it's on our server VLAN, but as I don't control the network I can't see what has access to what. Plus even if that's considered local console access, users created on the system have root access through that console. So if I log in as jhooks through XenCenter, I'm given the root console. So I can't hand off any access to anyone else to just control the VMs.
-
@stacksofplates said in XenServer Disable Root:
@travisdh1 said in XenServer Disable Root:
Why is the management interface even on the standard network instead of on a VLAN or dedicated management network?
Well it's on our server VLAN, but as I don't control the network I can't see what has access to what. Plus even if that's considered local console access, users created on the system have root access through that console. So if I log in as jhooks through XenCenter, I'm given the root console. So I can't hand off any access to anyone else to just control the VMs.
So someone else HAS to be responsible for that portion. Inform the boss of the requirements, and that it's beyond your assigned duties. Not your problem.
-
As far as you've described this topic, the issue is easily resolved.
Also in XenCenter you can configure the username used to sign into the systems. So you could very easily configure a user(admin) to login as jhooks on xenserver-one.
But this is again the Local Console, and not remote in any way. Other than physically as you aren't sitting at the server with a keyboard and monitor.
-
@DustinB3403 said in XenServer Disable Root:
Also in XenCenter you can configure the username used to sign into the systems.
Yes and when you do that they have root access.
-
@travisdh1 said in XenServer Disable Root:
@stacksofplates said in XenServer Disable Root:
@travisdh1 said in XenServer Disable Root:
Why is the management interface even on the standard network instead of on a VLAN or dedicated management network?
Well it's on our server VLAN, but as I don't control the network I can't see what has access to what. Plus even if that's considered local console access, users created on the system have root access through that console. So if I log in as jhooks through XenCenter, I'm given the root console. So I can't hand off any access to anyone else to just control the VMs.
So someone else HAS to be responsible for that portion. Inform the boss of the requirements, and that it's beyond your assigned duties. Not your problem.
I'm responsible for our systems meeting our security requirements. If I can't stop things like that from happening, I'll have to use something else.
-
@stacksofplates said in XenServer Disable Root:
@travisdh1 said in XenServer Disable Root:
@stacksofplates said in XenServer Disable Root:
@travisdh1 said in XenServer Disable Root:
Why is the management interface even on the standard network instead of on a VLAN or dedicated management network?
Well it's on our server VLAN, but as I don't control the network I can't see what has access to what. Plus even if that's considered local console access, users created on the system have root access through that console. So if I log in as jhooks through XenCenter, I'm given the root console. So I can't hand off any access to anyone else to just control the VMs.
So someone else HAS to be responsible for that portion. Inform the boss of the requirements, and that it's beyond your assigned duties. Not your problem.
I'm responsible for our systems meeting our security requirements. If I can't stop things like that from happening, I'll have to use something else. We have
So you can't do you're job. You need to communicate this to management, and get that network information. You literally CAN NOT do even basic security without that very basic information!
-
@travisdh1 said in XenServer Disable Root:
@stacksofplates said in XenServer Disable Root:
@travisdh1 said in XenServer Disable Root:
@stacksofplates said in XenServer Disable Root:
@travisdh1 said in XenServer Disable Root:
Why is the management interface even on the standard network instead of on a VLAN or dedicated management network?
Well it's on our server VLAN, but as I don't control the network I can't see what has access to what. Plus even if that's considered local console access, users created on the system have root access through that console. So if I log in as jhooks through XenCenter, I'm given the root console. So I can't hand off any access to anyone else to just control the VMs.
So someone else HAS to be responsible for that portion. Inform the boss of the requirements, and that it's beyond your assigned duties. Not your problem.
I'm responsible for our systems meeting our security requirements. If I can't stop things like that from happening, I'll have to use something else. We have
So you can't do you're job. You need to communicate this to management, and get that network information. You literally CAN NOT do even basic security without that very basic information!
Sorry I meant I if I can't stop other people running VMs from having root access on this system I'll need to use something else. That's kind of crazy that if I connect to a host with XenCenter as a non privileged user, I still get the root console. I don't understand that.
-
@stacksofplates said in XenServer Disable Root:
@travisdh1 said in XenServer Disable Root:
@stacksofplates said in XenServer Disable Root:
@travisdh1 said in XenServer Disable Root:
@stacksofplates said in XenServer Disable Root:
@travisdh1 said in XenServer Disable Root:
Why is the management interface even on the standard network instead of on a VLAN or dedicated management network?
Well it's on our server VLAN, but as I don't control the network I can't see what has access to what. Plus even if that's considered local console access, users created on the system have root access through that console. So if I log in as jhooks through XenCenter, I'm given the root console. So I can't hand off any access to anyone else to just control the VMs.
So someone else HAS to be responsible for that portion. Inform the boss of the requirements, and that it's beyond your assigned duties. Not your problem.
I'm responsible for our systems meeting our security requirements. If I can't stop things like that from happening, I'll have to use something else. We have
So you can't do you're job. You need to communicate this to management, and get that network information. You literally CAN NOT do even basic security without that very basic information!
Sorry I meant I if I can't stop other people running VMs from having root access on this system I'll need to use something else. That's kind of crazy that if I connect to a host with XenCenter as a non privileged user, I still get the root console. I don't understand that.
I know what you mean. I'm sorry, I don't know how to state this another way so you could maybe understand. This is why you need to know how the network is configured. It's right in the configuration documentation for XenServer. The management interface goes on a private network, period, end of story.
-
@travisdh1 said in XenServer Disable Root:
@stacksofplates said in XenServer Disable Root:
@travisdh1 said in XenServer Disable Root:
@stacksofplates said in XenServer Disable Root:
@travisdh1 said in XenServer Disable Root:
@stacksofplates said in XenServer Disable Root:
@travisdh1 said in XenServer Disable Root:
Why is the management interface even on the standard network instead of on a VLAN or dedicated management network?
Well it's on our server VLAN, but as I don't control the network I can't see what has access to what. Plus even if that's considered local console access, users created on the system have root access through that console. So if I log in as jhooks through XenCenter, I'm given the root console. So I can't hand off any access to anyone else to just control the VMs.
So someone else HAS to be responsible for that portion. Inform the boss of the requirements, and that it's beyond your assigned duties. Not your problem.
I'm responsible for our systems meeting our security requirements. If I can't stop things like that from happening, I'll have to use something else. We have
So you can't do you're job. You need to communicate this to management, and get that network information. You literally CAN NOT do even basic security without that very basic information!
Sorry I meant I if I can't stop other people running VMs from having root access on this system I'll need to use something else. That's kind of crazy that if I connect to a host with XenCenter as a non privileged user, I still get the root console. I don't understand that.
I know what you mean. I'm sorry, I don't know how to state this another way so you could maybe understand. This is why you need to know how the network is configured. It's right in the configuration documentation for XenServer. The management interface goes on a private network, period, end of story.
Ah I see what you were saying. I guess what I was saying was we have people who we don't want to have root access to be able to control and change some VMs. So even on a management VLAN, if we give them a non-sudo account and they use that account in XenCenter they now have root access no matter what.
I guess you could say only give it to people you trust, but that kind of undermines the whole point of role based permissions.