Security hardening of Proxmox

E

egli

New Member
Mar 3, 2021
4
0
1
34
Dear all,

I am planning to use Proxmox in an enterprise environment. We are very much concerned about the security of the virtualization plattform and that is why I am trying to take a deeper dive into the possibilities to harden a Proxmox installation.

There is a very extensive security analysis of KVM/QEMU from the Federal Office for Information Security in Germany (BSI):
https://www.bsi.bund.de/SharedDocs/...erheitsanalyse_KVM/Sicherheitsanalyse_KVM.pdf
(Sorry that this is only available in German)

There are basically the following hardening recommendations:
  • Disable KSM can be easily done since 4.x
  • Enabling a Mandatory Access Control (for Debian AppArmor) and confine each VM with a separate AppArmor profile. In the setup they investigated, this is done by the sVirt security driver of libvirt
  • An appropriate network environment: Remove IP of the guest network, disable package forwarding (net.ipv4.ip_forward) and enable the reverse path filter (net.ipv4.conf.all.rp_filter). This should be possible from the CLI.
Are there any plans to incorporate the missing features into Proxmox? Or is there already today a way to confine VMs with AppArmor under Proxmox?

Peter

PS: Are there any hardening tipps for Proxmox available somewhere? Would that be something for the wiki?
 
You can generally look for Debian hardening because that is what is running underneath.
The LXC chapter of the PVE administration guide has a couple of words about AppArmor.
 
writing a generic AppArmor profile that covers all the bases is quite hard. if you want to harden your specific environment, you can build up your own profile tailored to your local environment (e.g., storages/paths which the qemu process needs to access). it will be a moving target though, so you likely need to invest some time and resources to build up a proper test environment.
 
  • Like
Reactions: Stoiko Ivanov
Thanks for the reply. I am aware that I need to harden the underlying Debian. My main concern is the break-out of a hostile VM. I want to use one VM to look at "suspicious" email attachments etc.
I thought always that the sVirt driver provides for libvirt that it creates automatically tailored AppArmor profiles based on the VM settings. Something like this is missing in Proxmox, right?

So what measures can be taken in Proxmox to reduce the possibility for the break-out of a VM?
 
egli said:
My main concern is the break-out of a hostile VM
Click to expand...
this is actually rather uncommon (most malware will avoid executing if a VM is detected, to prevent analysis or debugging by malware researchers)

disabling network on that VM (when running malicious code) and keeping clean snapshots is recommended for this kind of activity
 
if you want to further contain the VM process, you can take a look at the generated command line with
Code: 
qm showcmd VMID --pretty
, and then run that command as non-root user belonging to the 'kvm' group. if that works, you can contain it using a custom apparmor profile. not that there is no guarantee that any of the management features still work (such as hotplugging hardware, writing out new files as part of snapshotting, backups), and any action that triggers a (re)start of the VM via PVE will start it as root again. still, for manual investigation of suspicious things it might be an option. most important for guest to host exploits is to keep your Qemu and kernel packages current, as well as CPU microcode updates installed.
 
fabian said:
if you want to further contain the VM process, you can take a look at the generated command line with
Code: 
qm showcmd VMID --pretty
, and then run that command as non-root user belonging to the 'kvm' group.
Click to expand...
I'm not trying to hijack this thread, but official Proxmox support for running VMs as non-root users (by default) sounds great and feels more secure. Any change that such a feature would appear on the roadmap some time?
 
it's been an idea for quite some time, but the effort to enable it for all the possible combinations of storage/.. is massive...
 
avw said:
I'm not trying to hijack this thread, but official Proxmox support for running VMs as non-root users (by default) sounds great and feels more secure. Any change that such a feature would appear on the roadmap some time?
Click to expand...
No I appreciate that there are also other users which care about getting Proxmox even more secure. So maybe one of the German speaking developers should dig thru the BSI paper and try to see how Proxmox further improve the security. I know that this is a time consuming process and the paper is rather long. However, I am absolutely sure that this would be worth the effort.
 
The paper contains a log of general hints and yes, we try day by day to get Proxmox VE as secure as possible.
 
  • Like
Reactions: hmohr
How secure is proxmox right now? Some malware or hacker still go if he know it's guest. I think is important to know how secure it is for enterprise and for secure wanting people who host servers.

What are alternative to proxmox that is more secure?
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom