CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE

CITRIX
XENSERVER FREE/ADVANCED 5.6
HARDENING GUIDE

FOR ANY IDEAS OR RECLAMATIONS
MAIL TO: KERMAKOV@PTSECURITY.RU

CONTENTS
1.

GENERAL SYSTEM SETTINGS................................................................................................................................................................................................................................ 3

1.1

Services started with Citrix XenServer .............................................................................................................................................................................................................. 3

1.2

Time synchronization configuration................................................................................................................................................................................................................... 4

1.3

Usage of SSHv2 ............................................................................................................................................................................................................................................................ 4

1.4

Usage of AES cryptoalgorithm for SSH ............................................................................................................................................................................................................... 4

1.5

Restrict root login via SSH ...................................................................................................................................................................................................................................... 5

1.6

Limit access to su command................................................................................................................................................................................................................................... 5

1.7

Forbid login to single user mode without password .................................................................................................................................................................................... 6

1.8

extlinux loader password ........................................................................................................................................................................................................................................ 6

1.9

Activate password storing in /etc/shadow file .............................................................................................................................................................................................. 6

1.10 Ensure that there are no users with empty passwords ............................................................................................................................................................................... 7
1.11 Ensure that passwd and shadow and files and system group files do not include «+»................................................................................................................... 7
1.12 Install Citrix XenServer server certificates ....................................................................................................................................................................................................... 7
1.13 Update vulnerable packages .................................................................................................................................................................................................................................. 8
1.14 Store password history ............................................................................................................................................................................................................................................ 9
1.15 Configure unsuccessful login attempts logging and limit additional attempts .................................................................................................................................. 9
1.16 Password policy configuration ........................................................................................................................................................................................................................... 10
2.

SYSTEM NETWORK CONFIGURATION ........................................................................................................................................................................................................... 11

2.1

Separate network interfaces by task ............................................................................................................................................................................................................... 11

2.2

Restrict unencrypted connections to XAPI .................................................................................................................................................................................................... 12

2.3

Use encrypted connections in data transferring network ....................................................................................................................................................................... 13

2.4

Configure umask creation for VHD files ......................................................................................................................................................................................................... 13

2.5

Remote NFS storage configuration ................................................................................................................................................................................................................... 14

2.6

Disable promiscuous mode for network cards on virtual machines ................................................................................................................................................... 15

2.7

OS kernel network settings configuration ..................................................................................................................................................................................................... 15

2.8

Firewall configuration ........................................................................................................................................................................................................................................... 15

3.

XENSERVER HYPERVISOR SETTINGS ............................................................................................................................................................................................................. 17

3.1

Disable debug mode for xenstored ................................................................................................................................................................................................................... 17

3.2

Configure shared secret for «pool» mode ...................................................................................................................................................................................................... 17

3.3

Disable debug mode for xapi demon ............................................................................................................................................................................................................... 17

3.4

Configure xenstored demon logging ................................................................................................................................................................................................................ 18

3.5

Disable vncterm automatic logon into dom0 as a root ............................................................................................................................................................................. 18

3.6

Disable xsconsole autorun as a root on tty1 ................................................................................................................................................................................................. 18

3.7

Configure PAM in XAPI module ......................................................................................................................................................................................................................... 19

3.8

Disable testing mode in xsconcole .................................................................................................................................................................................................................... 20

3.9

Disable default web page ...................................................................................................................................................................................................................................... 20

4.

VIRTUAL MACHINE SETTINGS .......................................................................................................................................................................................................................... 20

4.1

Limit log file size ...................................................................................................................................................................................................................................................... 20

4.2

Disable unused virtual devices........................................................................................................................................................................................................................... 21

4.3

Disable service console redirection.................................................................................................................................................................................................................. 21

CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE

Page 2 of 21

1.

GENERAL SYSTEM SETTINGS
This chapter covers general system settings. The introduced protection methods are the same as used
for usual servers based on OS Linux.

1.1

Services started with Citrix XenServer

We recommend you to limit services started with the system by default.
How to fix:
Do the following for all unused services:
chkconfig <servicename> off
where <servicename> is a service name.
The results for a separately installed XenServer 5.6 server may be as follows:
chkconfig --list | grep 3:on
attach-static-vdis
crond
fcauthd
fe
iptables
lwsmd
management-interface
mpp
network
ntpd
perfmon
portmap
rawdevices
set-memory-target
snapwatchd
squeezed
sshd
syslog
unplug-vcpus
v6d
vhostmd
xapi
xapi-domains
xe-linux-distribution
xen-domain-uuid
xenservices

Page 3 of 21

1.2

Time synchronization configuration

Time synchronization is necessary for correct cooperation of XenServer hosts individually or in pool
mode. You can use your own NTP server or default time servers.
How to fix:
Add the following strings into /etc/ntp.conf file (address rhel.pool.ntp.org is an example):
server 0.rhel.pool.ntp.org
Start NTP server:
/etc/init.d/ntpd start
chkconfig ntpd on

1.3

Usage of SSHv2

You can use SSH to access Service Console. In this case, disable insecure authentication methods and
some other settings from the list below:
How to fix:
Configure the following settings in /etc/ssh/sshd_config file:
Protocol 2
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
Reboot sshd for the modifications to take effect:
/etc/init.d/sshd restart

1.4

Usage of AES cryptoalgorithm for SSH

We recommend to use AES cryptoalgorithm for SSH traffic. It is more secure than previously used, and
opposite to Blowfish and other cryptoalgorithms (supported by OpenSSL library), the great number of
client devices support it.
How to fix:
Set Ciphers option in /etc/ssh/sshd_config configuration file:
Ciphers aes256-cbc,aes128-cbc

Page 4 of 21


1.5

Restrict root login via SSH

We recommend you to restrict root login via SSH for secure purposes. This measure helps to prevent
root password brute force attacks, and also make it easier to investigate incidents in case several users
are aware of the password.
How to fix:
Set the following option in /etc/ssh/sshd_config configuration file:
PermitRootLogin no

1.6

Limit access to su command

su command allows users to execute the shell with the privileges of a specified user, mostly root. We
recommend you to grant access to the command only for Citrix XenServer server administrators: include
the administrators into wheel group and then enable access limitations that means that only wheel
members are able to execute su command.
Note. Depending on the company’s security policy, su can be forbidden in the system. In this case, you
can execute privileged operations via sudo, and wheel group should not include users.
How to fix:
Do the following for every user (admin is an example):
usermod -G wheel admin
Then, enable access to su command for wheel members only. Ensure that /etc/pam.d/su file
includes the following string (not in comments):
auth required pam_wheel.so use_uid
If su is forbidden, ensure that wheel do not include users via contents of files from /etc/passwd
folder (primary group) and /etc/group folder (secondary groups).


Page 5 of 21

1.7

Forbid login to single user mode without password

Citrix XenServer is based on RedHat Linux, therefore it also supports single user mode. You can activate
it via loader settings. Default settings allow all users to access console with root privileges. This allows
attackers with access to Citrix XenServer local console get root privileges and execute arbitrary
commands on the vulnerable server. Therefore, we recommend you to configure password
authentication to change to single user mode.
How to fix:
Add the following entry into /etc/inittab file:
~~:S:wait:/sbin/sulogin
Or edit an existed string with “S” in the second field.

1.8

extlinux loader password

OS Citrix XenServer loader allows you to configure a great number of OS kernel settings, including a
command used to change to single user mode. By default, OS load options are not protected by
password that allows attackers with physical access to Xen server local console to set unauthorized OS
loading options. To prevent the situation, we recommend you to set password for loader management.
Ensure that only super user has access to the service console loader configuration file for
reading/writing.
How to fix:
Execute the following command in Service Console as a root:
echo <пароль_загрузчика> | sha1sum
chown root:root /boot/extlinux.conf
chmod 600 /boot/extlinux.conf
Then, add the 40 hash characters into /boot/extlinux.conf file (global sections of loader settings):
menu master passwd <password_sha1_hash>

1.9

Activate password storing in /etc/shadow file

OS Citrix XenServer does not store password hashes in a separate file (/etc/shadow) according to
pam_unix.so module default settings. Therefore, if an account exists in the system, an attacker can
access it. We recommend you to reconfigure the system to prevent this situation.
How to fix:
Edit /etc/pam.d/system-auth file as follows:
password
sufficient
nullok md5 shadow

pam_unix.so try_first_pass use_authtok


Page 6 of 21

Execute the following command:
pwconv

Reboot the operating system.

1.10 Ensure that there are no users with empty passwords

An attacker can use user accounts without passwords to login. Ensure that all user accounts have
passwords or blocked via «!!». Here is an example (/etc/shadow):
vncterm_base:!!:15278:0:99999:7:::
How to fix:
Set passwords for all accounts. Use passwd command, or block unused accounts via usermod –L
<username> command.

1.11

Ensure that passwd and shadow and files and system group files do not include
«+»

«+» characters in used in accounts and passwords system configuration files as to insert NIS values. We
recommend you to delete such entries to protect the system security. Here is an example of such entry
from /etc/shadow file:
username:+:15278:0:99999:7:::
How to fix:

Delete these settings from service files.

1.12

Install Citrix XenServer server certificates

We recommend you to install custom .pem SSL certificates to prevent certificate spoofing.
How to fix:
Do the following to install CA certificate:
Link a key media to the system.
xe pool-certificate-install filename=</path/to/ca-cert.pem>
where </path/to/ca-cert.pem> is a certificate file path on the external media.
Do the following to add a server certificate:
Mount the key media.
Execute the following commands:


Page 7 of 21

service xapi stop
pkill stunnel
cp /etc/xensource/xapi-ssl.pem /etc/xensource/orig-xapi-ssl.pem
cp /path/to/new/cert.pem /etc/xensource/xapi-ssl.pem
service xapi start
Do the following to enable SSL certificate checks:
touch /var/xapi/verify_certificates

1.13

Update vulnerable packages

It is known that OS Citrix XenServer is based on RedHat Linux 5. Citrix policy states that patch updates
are usually issued twice a year. The system package often includes rather old versions. In spite of Citrix
notifications that these packages do not include vulnerabilities, we recommend you to check your
system for vulnerable packages on your own with third-party software. Here we use MaxPatrol 8
(Positive Technologies).
How to fix:
Note that you use this method at your own risk, and there is no guarantee that the system would
normally operate as you install updates. We hardly recommend you to create a backup copy before
updating. You can use this method only in case you can solve problems with xapi and other system
components on your own.
Detect vulnerable packages by any means, i.e.,with a security scanner or check versions with yum secure
plagin. Here is an example hop to detect vulnerable packages and what measures to take. Let us
suppose, that you’ve detected that the following packages are vulnerable:
<package_1>
<package_2>
<package_3>

Then, you should activate yum repository to update the packages.Edit strings enabled= in
/etc/yum.repos.d/CentOS-Base.repo file:
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
exclude=kernel-xen*, *xen*
enabled=1
#released updates
[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates

Page 8 of 21

#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
exclude=kernel-xen*, *xen*
enabled=1
While updating, you have to disable Citrix repository in /etc/yum.repos.d/Citrix.repo file:
enabled=0
Then, update vulnerable packages via yum tool:
yum update <package_1> <package_2> <package_3>

1.14

Store password history

You should store several password hashes to prevent passwords to be used again in a short period of
time. The recommended value is 10.
Note. In case administrator (root) changes a user password, the hash is not stored in password history
file.
How to fix:
Do the following commands:
touch /etc/security/opasswd
chmod 600 /etc/security/opasswd
chown root:root /etc/security/opasswd
Then, add the following string into /etc/pam.d/system-auth file
password

1.15

required

pam_unix.so

remember=10

Configure unsuccessful login attempts logging and limit additional attempts

We recommend you to use additional logging for unsuccessful login attempts. You should also block an
account for a certain period in case of an authentication error. To configure the system use PAM module
configuration settings.
How to fix:
Edit /etc/pam.d/system-auth file. We recommend to enable pam_tally module to make it harder
for attackers to conduct brute force attacks. With the settings shown below, it blocks users for 300
seconds if there are three unsuccessful login attempts:
auth

required

pam_env.so


Page 9 of 21

auth
required
even_deny_root_account
auth
sufficient
auth
required

pam_tally.so deny=3 unlock_time=300
pam_unix.so try_first_pass nullok
pam_deny.so

account
required
pam_unix.so
account
required
pam_tally.so
password
required
pam_cracklib.so try_first_pass retry=3
password
sufficient
nullok md5 shadow
password
required pam_unix.so
remember=10
password
required
pam_deny.so
session
session
session
crond quiet
session

1.16

optional
pam_keyinit.so revoke
required
pam_limits.so
[success=1 default=ignore] pam_succeed_if.so service in
use_uid
required
pam_unix.so

Password policy configuration

Users should use passwords of at least 9 characters. We recommend you to limit maximum password
age (90 days) to decrease the negative effect in case the system is compromised. We also recommend
you to notify users 14 days earlier the day the password is expired. If a user does not change its
password in 7 days, you should block the account.
How to fix:
Execute the following command for every user in the system except administrator:
chage -m 7 <имя_пользователя>
Edit the following strings in /etc/login.defs file to configure the password policy:
PASS_MAX_DAYS=90
PASS_MIN_DAYS=7
PASS_WARN_AGE=14
PASS_MIN_LEN=9


Page 10 of 21

2.

SYSTEM NETWORK CONFIGURATION
The shown below settings are an abstract example. You should remember your own network
architecture and server hardware to use these recommendations.

Separate network interfaces by task

C3
NI

VM

2
NI
C-

VM

VM

Xe

nS
er
ve
r

SM
AP
I

XA
PI

We recommend you to protect networks for management, data transferring and virtual machines to
provide maximum security. In that way, you can prevent system compromising in case an attacker
manages to crack one of the networks. Pic. 1 shows this solution.

Ci
tr
ix

-1

Management
Network

NI
C

2.1

Storage Network

External Network

Pic. 1. Logic scheme that shows how to separate hypervisor networks

How to fix:
It there are several network interfaces, separate them physically and logically. It you unable to separate
the networks, we recommend you to separate them on IP level or in any way.
Managing interface configuration:
Show UUID PIF according to eth0 (NIC0) device and its network UUID:
xe pif-list device=eth0 params=uuid,network-uuid


Page 11 of 21

Modify the network name:
xe network-param-set uuid=<network uuid> name-label="Management NW"
Data transferring interface configuration:
Configure network IP address:
# xe pif-reconfigure-ip uuid=<pif uuid>> mode=static IP=<ip>
gateway=<gateway> netmask=<netmask> DNS=<DNS>
xe network-param-set uuid=<network uuid> name-label="Storage NW"
Virtual machine nterface configuration
Configure a guest network in case there is no IP address:
xe pif-reconfigure-ip uuid=<uuid> mode=none
xe network-param-set uuid=<network uuid> name-label= "Guest NW 0"
Do the operations for eth3, eth4 and so on.

2.2

Restrict unencrypted connections to XAPI

By default, XAPI stack listen ports 80 (unencrypted channel) and 443 (SSL tunnel) for connection. If
unencrypted data are used, an attacker can compromise administrator’s operations. We recommend
you to disable access by port 80 for all clients except XenCenter working station.
How to fix:
/etc/init.d/iptables save
Edit /etc/sysconfig/iptables file:
-A RH-Firewall-1-INPUT –s <xen_center_ip> -p tcp -m state --state NEW m tcp --dport 80 -j ACCEPT


Page 12 of 21

/etc/init.d/iptables restart

2.3

Use encrypted connections in data transferring network

If you move virtual machines, data is transferring between servers (for example, in XenMotion mode) in
plain text. It means that data is transferred unencrypted. In spite the fact that networks are separated,
you should protect this traffic. We recommend you to use encryption on IP level, such as VPN. There is
no example because of a great variety of possible solutions.
Configure encryption for iSCSI password transferring:
OpenISCSI software is used to connect to remote iSCSI storage for iSCSI traffic. This software supports
CHAP protocol to send passwords. We recommend you to use CHAP authentication for OpenlSCSI
connections.
How to fix:
Set the following setting for the variable in /etc/iscsi/iscsid.conf file.
# To enable CHAP authentication set node.session.auth.authmethod
# to CHAP. The default is None.
node.session.auth.authmethod = CHAP

2.4

Configure umask creation for VHD files

By default, Citrix XenServer creates virtual machine files with read privileges for “other”. Therefore,
every user has rights to get virtual machine data. We recommend you to limit privileges for these file
types.
How to fix:
You should modify server scripts to modify umask settings.
Edit /opt/xensource/sm/FileSR.py file:
def create(self, sr_uuid, vdi_uuid, size):
os.umask(077)
if util.ioretry(lambda: util.pathexists(self.path)):
Then, you can need to compile file pyc and pyo. Create /opt/xensource/sm/compile.py file with the
following content:
#!/usr/bin/python
import py_compile
py_compile.compile('/opt/xensource/sm/FileSR.py')
Then, execute the following commands:


Page 13 of 21

python /opt/xensource/sm/compile.py
python –O /opt/xensource/sm/compile.py
and reboot the hypervisor with the following command:
shutdown –r now

2.5

Remote NFS storage configuration

Every remote NFS storage is a folder with a file in VHD format. VHD is not encrypted, therefore we
recommend you strictly limit the list of users that are allowed to mount the folder.
How to fix:
We recommend you to modify system settings to operate with remote NFS storage. Below we show
how to configure NFS storage on Linux remote server. Ensure that single IP address is locked in
/etc/exports file:
/<vm_share_dir>
<xenserver_ip>(rw,root_squash,anonuid=<xen_user_UID>,anongid=<xen_user
_GID>,sync)
Discover the folder owner:
chown <xen_user>:<xen_user_group> <vm_share_dir>
Configure mountd, statd, lockd and rquotad demons to operate with static ports (ports 4002-4006 are
used as an example) in /etc/sysconfig/nfs file:
MOUNTD_PORT=”4002”
STATD_PORT=”4003”
LOCKD_TCPPORT=”4004”
LOCKD_UDPPORT=”4004”
RQUOTAD_PORT=”4005”
STATD_OUTGOING_PORT=”4006”
Add the following strings into INPUT table for /etc/sysconfig/iptables network filter:
Iptables
Iptables
Iptables
Iptables
Iptables
Iptables

–A
–A
–A
–A
–A
–A

INPUT
INPUT
INPUT
INPUT
INPUT
INPUT

–s
–s
–s
–s
–s
–s

<xenserver-ip>
<xenserver-ip>
<xenserver-ip>
<xenserver-ip>
<xenserver-ip>
<xenserver-ip>


-p
-p
-p
-p
-p
-p

tcp
udp
tcp
udp
tcp
udp

–dport
–dport
–dport
–dport
–dport
–dport

111 –j ACCEPT
111 –j ACCEPT
4002:4006 –j ACCEPT
4002:4006 –j ACCEPT
2049 –j ACCEPT
2049 –j ACCEPT

Page 14 of 21

2.6

Disable promiscuous mode for network cards on virtual machines

If promiscuous mode is enabled for simulated network interface, a virtual machine is able to intercept
traffic from other guest systems, and also use other specific features including a possibility to send
malformed or malicious requests accidentally or deliberately Therefore, we do not recommend you to
enable this mode.
How to fix:
Execute the following commands in Service Console to disable VIF or promiscuous mode:
xe pif-param-set uuid=<PIF UUID> other-config:promiscuous="off"
or:
xe pif-param-set uuid=<PIF UUID> other-config:promiscuous="false"

2.7

OS kernel network settings configuration

The following OS kernel settings are necessary to harden Citrix XenServer network attack tolerance:
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
How to fix:
Add the settings into /etc/sysctl.conf file, reboot the system and execute the following command:
sysctl -p

2.8

Firewall configuration

Default Citrix XenServer installation includes Netfilter firewall and iptables command line utility used to
manage it. We recommend you to configure this software to provide secure network communication.
How to fix:
Use the following settings for managing network:
service iptables start
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT


Page 15 of 21

iptables
iptables
iptables
iptables
iptables
iptables
iptables
iptables
iptables

-A
-A
-A
-A
-A
-A
-A
-A
-A

INPUT -i xenbr0 -p tcp --dport 443 -m state --state NEW -j ACCEPT
INPUT -i xenbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
INPUT -i xenbr0 -j DROP
OUTPUT -o xenbr0 -p tcp --dport 443 -m state --state NEW -j ACCEPT
OUTPUT -o xenbr0 -p udp --dport 123 -m state --state NEW -j ACCEPT
OUTPUT -o xenbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
OUTPUT -o xenbr0 -j DROP

Input chain for data transferring network:
iptables -A INPUT -i xenbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i xenbr1 -j DROP

Add the following permissions to configure NFS remote connections (as an example):
iptables
iptables
iptables
iptables
iptables
iptables
iptables
iptables

-A
-A
-A
-A
-A
-A
-A
-A

OUTPUT
OUTPUT
OUTPUT
OUTPUT
OUTPUT
OUTPUT
OUTPUT
OUTPUT

-o
-o
-o
-o
-o
-o
-o
-o

xenbr1
xenbr1
xenbr1
xenbr1
xenbr1
xenbr1
xenbr1
xenbr1

-p
-p
-p
-p
-p
-p
-m
-j

udp --dport 111 -m state --state NEW -j ACCEPT
tcp --dport 111 -m state --state NEW -j ACCEPT
udp --dport 2049 -m state --state NEW -j ACCEPT
tcp --dport 2049 -m state --state NEW -j ACCEP
udp --dport 4002:4006 -m state --state NEW -j ACCEPT
tcp --dport 4002:4006 -m state --state NEW -j ACCEPT
state --state RELATED,ESTABLISHED -j ACCEPT
DROP

Add your own rules to connect to alternative remote storages.
Finalize the configuration:
service iptables save
chkconfig iptables on


Page 16 of 21

3.

XENSERVER HYPERVISOR SETTINGS
This chapter is about specific configuration and critical file options for internal XAPI demon and its
environment. These changes can influence virtual infrastructures, therefore we recommend you to
make them on testing systems first on all.

3.1

Disable debug mode for xenstored

This is necessary to restrict debug mode for guest systems.
How to fix:
Delete entries like “allow-debug=true” from /etc/xensource/xenstored.conf file.

3.2

Configure shared secret for «pool» mode

This is actual for pool-master systems. It is necessary to harden spoofing of the certificate used for data
transferring inside the system. We recommend you to create a certificate based on random-number
generator with enough entropy.
How to fix:
Do the following to create the token:
service xapi stop
rm /etc/xensource/ptoken
(ent=$(cat /proc/sys/kernel/random/entropy_avail); while [[ $ent -lt
2000 ]]; do
sleep 15; ent=$(cat /proc/sys/kernel/random/entropy_avail); done) &&
service xapi start

3.3

Disable debug mode for xapi demon

By default, Global Catalog Debug mode is enabled. This setting is insecure, we recommend you to
disable this mode to prevent system compromising.
How to fix:
Replace the following value in /etc/xensource/xapi.conf file:
gc-debug = true
with false.


Page 17 of 21

3.4

Configure xenstored demon logging

We recommend you to configure xenstored demon logging for further analysis in case the system is
compromised.

How to fix:
Edit /etc/xensource/xenstored.conf file:
# Logs
#log = error;general;file:/var/log/xenstored.log
log = warn;general;file:/var/log/xenstored.log
#log = info;general;file:/var/log/xenstored.log
#log = debug;io;file:/var/log/xenstored-io.log

3.5

Disable vncterm automatic logon into dom0 as a root

In case there is an XAPI request that is created to connect to hypervisor testing console, automatic logon
is done as a root regardless of XAPI user, that triggered the request if local authorization is used without
RBAC subsystem using Active Directory (in versions Free, Advanced). We recommend you to disable
such login to protect the system. The best solution is to replace automatic logon with default login
prompt (redirection to SSH).
How to fix:
Edit /usr/lib/xen/bin/dom0term.sh file, where <admin_user> is your administrative account (not root) :
#! /bin/bash
read -s -p "Press <Enter> to login
" ignore
сlear
exec /bin/login –p

3.6

Disable xsconsole autorun as a root on tty1

By default, Xsconsole console started with root privileges is available on the system physical console.
We recommend you to modify autoload script to prevent SH code injection and/or session interception
via text mode.
How to fix:
Edit /opt/xensource/libexec/run-boot-xsconsole file. Modify the terminal call string as follows:
Initial string:
exec /sbin/mingetty --noissue --autologin root -loginprog=/usr/bin/xsconsole $TTY


Page 18 of 21

Modified string:
exec /sbin/mingetty --noissue --autologin nobody -loginprog=/usr/bin/xsconsole $TTY

3.7

Configure PAM in XAPI module

By default, every OS Citrix XenServer user (in versions Free, Advanced) is able to connect to XAPI with
pool-admin privileges. This is a product feature. It means that every user can execute operations in the
system using Xen API, therefore we recommend you to limit users with access to XAPI in PAM module.
How to fix:
As a root, create /etc/xapi_allow file and add root as a first string to the file. Enumerate all users with
access to XAPI with line feed separator.
Edit /etc/pam.d/xapi file as follows:
#%PAM-1.0
auth
required
auth
required
file=/etc/xapi_allow
auth
sufficient
auth
required

pam_env.so
pam_listfile.so item=user sense=allow
pam_unix.so try_first_pass nullok
pam_deny.so

account

required

pam_unix.so

password
password
nullok md5
password

required
sufficient

pam_cracklib.so try_first_pass retry=3

required

pam_deny.so

session
session
session
crond quiet
session

optional
pam_keyinit.so revoke
required
pam_limits.so
[success=1 default=ignore] pam_succeed_if.so service in
use_uid
required
pam_unix.so

If the changes are made, only users from the xapi_allow list are able to access xapi:
root
admin
user
Also, limit access to this file:
chmod 600 /etc/xapi_allow


Page 19 of 21

3.8

Disable testing mode in xsconcole

If you add a file testing.txt to /usr/lib/xsconsole/ folder, Xsconsole starts in testing mode. If host=,
password= variables are defined in file testing.txt, xsconsole program authenticates on a remote server.
Besides, if xsconsole is used on tty1 local console, an attacker can access the local console with root
privileges.
How to fix:
Ensure that /usr/lib/xsconsole/testing.txt file is not existed.
If it exists, delete it.

3.9

Disable default web page

By default, a web server is active in the system. It allows users to upload XenCenter files and reports
current system version. We recommend you to delete the whole page or correct its content to prevent
the system compromising.
How to fix:
Modify web server index file Citrix-index.html in /opt/xensource/www folder. Replace
the following fragment:
<html>
<title>XenServer 5.6.0</title>
<head>
</head>
<body>
<p/>Citrix Systems, Inc. XenServer 5.6.0
<p/><a href="XenCenter.iso">XenCenter CD image</a>
<p/><a href="XenCenter.msi">XenCenter installer</a>
</body>
</html>
with
<html>
</html>

4.

VIRTUAL MACHINE SETTINGS

4.1

Limit log file size

We recommend you to limit the maximum size of log files for virtual machines to prevent system drive
overflow.


Page 20 of 21

4.2

Disable unused virtual devices

We recommend you to disable connections between any virtual devices and virtual machines to prevent
the capture of virtual machine credentials.
4.3

Disable service console redirection

We recommend you to restrict the usage of text system consoles in *nix operating systems. You should
disable XenAPI VM built-in console service and use native OS services.


Page 21 of 21

CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (18)

Semelhante a CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE

Semelhante a CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE (20)

Mais de Lorscheider Santiago

Mais de Lorscheider Santiago (14)

Último

Último (20)

CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDE