CIS releases virtual machine security guide
The Center for Internet Security (CIS) has published a nice little guideline on hardening virtual machines. The guide covers security issues for both guests and hosts and applies to any virtualization product, not just VMware.
CIS has created a number of guidelines for hardening popular operating systems, routers and server applications such as Apache, IIS, and Oracle. These are called “benchmarks” and are developed with input from private industry and government players. The guidelines are not as in-depth as those from NIST, but are very readable and cover the minimum requirements for hardening systems. CIS has also created some automated assessment tools for many products to evaluate how well the guidelines have been applied.
This new virtualization security guide is just 30 pages but manages to broadly cover the issues:
- Types of virtual machines (e.g. paravirtualization vs hardware-based VMs)
- Types of threats (escaping a guest, host compromise, denial of service, etc.)
- Best practices for hardening guests and host OSs
- Best practices for managing VMs, including remote management
The guide is not specific to one virtualization product, so obviously there is no accompanying automated assessment tool. Hopefully in the future CIS will publish a guide specifically for market leader VMware ESX.