Hello Proxmox Community & Team,
I am working through making a hardened baseline for my team's Proxmox deployment, loosely following CIS Lvl1/2 and DISA STIG requirements for Linux operating systems. I have made good progress, and have built out a hardened PVE cluster successfully that has functioning replication, migration, etc. Just have a few questions that have come out of this process:
- The SSL private keys are kept in plaintext in the configuration database, as well as on the cluster filesystem. They are protected by being owned by root - so in my mind largely a non-issue, however for approval purposes I will need to either explain this as not security relevant or find a means of either encrypting the private keys (which creates the problem of just having another set of keys somewhere to decrypt). The idea was thrown around regarding the possibility of encrypting the configuration database on the filesystem - is this a possibility in a future release?
- Has FIPS mode encryption been attempted with a PVE installation? I don't need FIPS-accreditation, rather just the usage of FIPS-type ciphers would greatly aid my team with obtaining approvals for PVE. For now, leaving the Debian OS set to its default cryptography configuration.
- Setting the default user shell timeout to 900 seconds in /etc/bash.bashrc should be OK?
- How to disable TLSv1.2 for the pveproxy 8006 interface? I created a file in /etc/defaults/ for pveproxy and set the following line, but TLSv1.2 is still on (need it to be turned off and run in TLSv1.3 only mode):
Code:
CIPHERS="HIGH:!TLSv1:!TLSv1_2:!SSLv3:!aNULL:!MD5"
- Any known problems with setting maximum SSHD sessions to 3 (project req), and setting the client alive interval and client alive count max to 600 as per CIS guidelines? I presume it would limit the cluster to have only 3 migrations in flight between hosts at a time? So far, it is behaving normally.
Thanks for any input.
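A small probe for verifying the TLS 1.3-only goal on the pveproxy port from the outside, added here as an example and not part of the original post or of Proxmox's own tooling. It pins a handshake to one protocol version at a time and reports what the proxy accepts; the hostname is a constructed placeholder, and certificate verification is disabled only because the check is about protocol negotiation, not identity.

```python
import socket
import ssl

# Constructed placeholder target (not from the original post); point it at a real node.
PVE_HOST = "pve.example.internal"
PVE_PORT = 8006

# Each probe pins minimum_version == maximum_version so the server must
# either complete the handshake at exactly this version or reject it.
PROTOCOLS = {
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def handshake_accepted(host, port, version, timeout=5.0):
    """Return True if the server completes a handshake at exactly `version`,
    False if it refuses that version. Connection-level errors (refused,
    timeout) are deliberately not swallowed: they are not a TLS verdict."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    ctx.check_hostname = False          # pveproxy ships a self-signed cert by default
    ctx.verify_mode = ssl.CERT_NONE     # we only care about protocol negotiation
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLError:
        return False


def probe(host=PVE_HOST, port=PVE_PORT):
    """Probe every version in PROTOCOLS; returns {name: accepted}."""
    return {name: handshake_accepted(host, port, ver) for name, ver in PROTOCOLS.items()}


def assess(results):
    """Map probe results onto the hardening goal: TLS 1.3 only."""
    if not results.get("TLSv1.3"):
        return "FAIL: TLSv1.3 not accepted; disabling TLSv1.2 would lock out clients"
    legacy = sorted(p for p, ok in results.items() if ok and p != "TLSv1.3")
    if legacy:
        return "FAIL: still accepting " + ", ".join(legacy)
    return "PASS: TLSv1.3 only"


if __name__ == "__main__":
    found = probe()
    for proto, ok in found.items():
        print(f"{proto}: {'accepted' if ok else 'refused'}")
    print(assess(found))
```

Run it before and after changing /etc/default/pveproxy and restarting pveproxy; a PASS confirms the proxy refuses TLSv1.2 while still serving TLSv1.3.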