1 | <?xml version="1.0" encoding="UTF-8"?>
|
---|
2 | <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
---|
3 | "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
---|
4 | <chapter id="Security">
|
---|
5 | <title>Security guide</title>
|
---|
6 |
|
---|
7 | <sect1>
|
---|
8 | <title>Overview</title>
|
---|
9 | <para>
|
---|
10 | </para>
|
---|
11 |
|
---|
12 | <sect2>
|
---|
13 | <title>General Security Principles</title>
|
---|
14 |
|
---|
15 | <para>The following principles are fundamental to using any application
|
---|
16 | securely.
|
---|
17 | <glosslist>
|
---|
18 | <glossentry>
|
---|
19 | <glossterm>Keep Software Up To Date</glossterm>
|
---|
20 | <glossdef>
|
---|
21 | <para>
|
---|
22 | One of the principles of good security practise is to keep all
|
---|
23 | software versions and patches up to date. Activate the VirtualBox
|
---|
24 | update notification to get notified when a new VirtualBox release
|
---|
25 | is available. When updating VirtualBox, do not forget to update
|
---|
26 | the Guest Additions. Keep the host operating system as well as the
|
---|
27 | guest operating system up to date.
|
---|
28 | </para>
|
---|
29 | </glossdef>
|
---|
30 | </glossentry>
|
---|
31 |
|
---|
32 | <glossentry>
|
---|
33 | <glossterm>Restrict Network Access to Critical Services</glossterm>
|
---|
34 | <glossdef>
|
---|
35 | <para>
|
---|
36 | Use proper means, for instance a firewall, to protect your computer
|
---|
37 | and your guest(s) from accesses from the outside. Choosing the proper
|
---|
38 | networking mode for VMs helps to separate host networking from the
|
---|
39 | guest and vice versa.
|
---|
40 | </para>
|
---|
41 | </glossdef>
|
---|
42 | </glossentry>
|
---|
43 |
|
---|
44 | <glossentry>
|
---|
45 | <glossterm>Follow the Principle of Least Privilege</glossterm>
|
---|
46 | <glossdef>
|
---|
47 | <para>
|
---|
48 | The principle of least privilege states that users should be given the
|
---|
49 | least amount of privilege necessary to perform their jobs. Always execute VirtualBox
|
---|
50 | as a regular user. We strongly discourage anyone from executing
|
---|
51 | VirtualBox with system privileges.
|
---|
52 | </para>
|
---|
53 | <para>
|
---|
54 | Choose restrictive permissions when creating configuration files,
|
---|
55 | for instance when creating /etc/default/virtualbox, see
|
---|
56 | <xref linkend="linux_install_opts"/>. Mode 0600 would be preferred.
|
---|
57 | </para>
|
---|
58 | </glossdef>
|
---|
59 | </glossentry>
|
---|
60 |
|
---|
61 | <glossentry>
|
---|
62 | <glossterm>Monitor System Activity</glossterm>
|
---|
63 | <glossdef>
|
---|
64 | <para>
|
---|
65 | System security builds on three pillars: good security protocols, proper
|
---|
66 | system configuration and system monitoring. Auditing and reviewing audit
|
---|
67 | records address the third requirement. Each component within a system
|
---|
68 | has some degree of monitoring capability. Follow audit advice in this
|
---|
69 | document and regularly monitor audit records.
|
---|
70 | </para>
|
---|
71 | </glossdef>
|
---|
72 | </glossentry>
|
---|
73 |
|
---|
74 | <glossentry>
|
---|
75 | <glossterm>Keep Up To Date on Latest Security Information</glossterm>
|
---|
76 | <glossdef>
|
---|
77 | <para>
|
---|
78 | Oracle continually improves its software and documentation. Check this
|
---|
79 | note note yearly for revisions.
|
---|
80 | </para>
|
---|
81 | </glossdef>
|
---|
82 | </glossentry>
|
---|
83 |
|
---|
84 | </glosslist>
|
---|
85 | </para>
|
---|
86 | </sect2>
|
---|
87 | </sect1>
|
---|
88 |
|
---|
89 | <sect1>
|
---|
90 | <title>Secure Installation and Configuration</title>
|
---|
91 | </sect1>
|
---|
92 |
|
---|
93 | <sect2>
|
---|
94 | <title>Installation Overview</title>
|
---|
95 | <para>
|
---|
96 | The VirtualBox base package should be downloaded only from a trusted source,
|
---|
97 | for instance the official website
|
---|
98 | <ulink url="http://www.virtualbox.org">http://www.virtualbox.org</ulink>.
|
---|
99 | The integrity of the package should be verified with the provided SHA256
|
---|
100 | checksum which can be found on the official website.
|
---|
101 | </para>
|
---|
102 | <para>
|
---|
103 | General VirtualBox installation instructions for the supported hosts
|
---|
104 | can be found in <xref linkend="installation"/>.
|
---|
105 | </para>
|
---|
106 | <para>
|
---|
107 | On Windows hosts, the installer allows for disabling USB support, support
|
---|
108 | for bridged networking, support for host-only networking and the Python
|
---|
109 | language bindings, see <xref linkend="installation_windows"/>.
|
---|
110 | All these features are enabled by default but disabling some
|
---|
111 | of them could be appropriate if the corresponding functionality is not
|
---|
112 | required by any virtual machine. The Python language bindings are only
|
---|
113 | required if the VirtualBox API is to be used by external Python
|
---|
114 | applications. In particular USB support and support
|
---|
115 | for the two networking modes require the installation of Windows kernel
|
---|
116 | drivers on the host. Therefore disabling those selected features can
|
---|
117 | not only be used to restrict the user to certain functionality but
|
---|
118 | also to minimize the surface provided to a potential attacker. </para>
|
---|
119 | <para>
|
---|
120 | The general case is to install the complete VirtualBox package. The
|
---|
121 | installation must be done with system privileges. All VirtualBox binaries
|
---|
122 | should be executed as a regular user and never as a privileged user.
|
---|
123 | </para>
|
---|
124 | <para>
|
---|
125 | The Oracle VM VirtualBox extension pack provides additional features
|
---|
126 | and must be downloaded and installed separately, see
|
---|
127 | <xref linkend="intro-installing"/>. As for the base package, the SHA256
|
---|
128 | checksum of the extension pack should be verified. As the installation
|
---|
129 | requires system privileges, VirtualBox will ask for the system
|
---|
130 | password during the installation of the extension pack.
|
---|
131 | </para>
|
---|
132 | </sect2>
|
---|
133 |
|
---|
134 | <sect2>
|
---|
135 | <title>Post Installation Configuration</title>
|
---|
136 | <para>
|
---|
137 | Normally there is no post installation configuration of VirtualBox components
|
---|
138 | required. However, on Solaris and Linux hosts it is necessary to configure
|
---|
139 | the proper permissions for users executing VMs and who should be able to
|
---|
140 | access certain host resources. For instance, Linux users must be member of
|
---|
141 | the <emphasis>vboxusers</emphasis> group to be able to pass USB devices to a
|
---|
142 | guest. If a serial host interface should be accessed from a VM, the proper
|
---|
143 | permissions must be granted to the user to be able to access that device.
|
---|
144 | The same applies to other resources like raw partitions, DVD/CD drives
|
---|
145 | and sound devices.
|
---|
146 | </para>
|
---|
147 | </sect2>
|
---|
148 |
|
---|
149 | <sect1>
|
---|
150 | <title>Security Features</title>
|
---|
151 | <para>This section outlines the specific security mechanisms offered
|
---|
152 | by VirtualBox.</para>
|
---|
153 |
|
---|
154 | <sect2>
|
---|
155 | <title>The Security Model</title>
|
---|
156 | <para>
|
---|
157 | One property of virtual machine monitors (VMMs) like VirtualBox is to encapsulate
|
---|
158 | a guest by executing it in a protected environment, a virtual machine,
|
---|
159 | running as a user process on the host operating system. The guest cannot
|
---|
160 | communicate directly with the hardware or other computers but only through
|
---|
161 | the VMM. The VMM provides emulated physical resources and devices to the
|
---|
162 | guest which are accessed by the guest operating system to perform the required
|
---|
163 | tasks. The VM settings control the resources provided to the guest, for example
|
---|
164 | the amount of guest memory or the number of guest processors, (see
|
---|
165 | <xref linkend="generalsettings"/>) and the enabled features for that guest
|
---|
166 | (for example remote control, certain screen settings and others).
|
---|
167 | </para>
|
---|
168 | </sect2>
|
---|
169 |
|
---|
170 | <sect2>
|
---|
171 | <title>Secure Configuration of Virtual Machines</title>
|
---|
172 | <para>
|
---|
173 | Several aspects of a virtual machine configuration are subject to security
|
---|
174 | considerations.</para>
|
---|
175 |
|
---|
176 | <sect3>
|
---|
177 | <title>Networking</title>
|
---|
178 | <para>
|
---|
179 | The default networking mode for VMs is NAT which means that
|
---|
180 | the VM acts like a computer behind a router, see
|
---|
181 | <xref linkend="network_nat"/>. The guest is part of a private
|
---|
182 | subnet belonging to this VM and the guest IP is not visible
|
---|
183 | from the outside. This networking mode works without
|
---|
184 | any additional setup and is sufficient for many purposes.
|
---|
185 | </para>
|
---|
186 | <para>
|
---|
187 | If bridged networking is used, the VM acts like a computer inside
|
---|
188 | the same network as the host, see <xref linkend="network_bridged"/>.
|
---|
189 | In this case, the guest has the same network access as the host and
|
---|
190 | a firewall might be necessary to protect other computers on the
|
---|
191 | subnet from a potential malicious guest as well as to protect the
|
---|
192 | guest from a direct access from other computers. In some cases it is
|
---|
193 | worth considering using a forwarding rule for a specific port in NAT
|
---|
194 | mode instead of using bridged networking.
|
---|
195 | </para>
|
---|
196 | <para>
|
---|
197 | Some setups do not require a VM to be connected to the public network
|
---|
198 | at all. Internal networking (see <xref linkend="network_internal"/>)
|
---|
199 | or host-only networking (see <xref linkend="network_hostonly"/>)
|
---|
200 | are often sufficient to connect VMs among each other or to connect
|
---|
201 | VMs only with the host but not with the public network.
|
---|
202 | </para>
|
---|
203 | </sect3>
|
---|
204 |
|
---|
205 | <sect3>
|
---|
206 | <title>VRDP remote desktop authentication</title>
|
---|
207 | <para>When using the VirtualBox extension pack provided by Oracle
|
---|
208 | for VRDP remote desktop support, you can optionally use various
|
---|
209 | methods to configure RDP authentication. The "null" method is
|
---|
210 | very insecure and should be avoided in a public network.
|
---|
211 | See <xref linkend="vbox-auth" /> for details.</para>
|
---|
212 | </sect3>
|
---|
213 |
|
---|
214 | <sect3 id="security_clipboard">
|
---|
215 | <title>Clipboard</title>
|
---|
216 | <para>
|
---|
217 | The shared clipboard allows users to share data between the host and
|
---|
218 | the guest. Enabling the clipboard in "Bidirectional" mode allows
|
---|
219 | the guest to read and write the host clipboard. The "Host to guest"
|
---|
220 | mode and the "Guest to host" mode limit the access to one
|
---|
221 | direction. If the guest is able to access the host clipboard it
|
---|
222 | can also potentially access sensitive data from the host which is
|
---|
223 | shared over the clipboard.
|
---|
224 | </para>
|
---|
225 | <para>
|
---|
226 | If the guest is able to read from and/or write to the host clipboard
|
---|
227 | then a remote user connecting to the guest over the network will also
|
---|
228 | gain this ability, which may not be desirable. As a consequence, the
|
---|
229 | shared clipboard is disabled for new machines.
|
---|
230 | </para>
|
---|
231 | </sect3>
|
---|
232 |
|
---|
233 | <sect3>
|
---|
234 | <title>Shared folders</title>
|
---|
235 | <para>If any host folder is shared with the guest then a remote
|
---|
236 | user connected to the guest over the network can access
|
---|
237 | these files too as the folder sharing mechanism cannot be
|
---|
238 | selectively disabled for remote users.
|
---|
239 | </para>
|
---|
240 | </sect3>
|
---|
241 |
|
---|
242 | <sect3>
|
---|
243 | <title>3D graphics acceleration</title>
|
---|
244 | <para>Enabling 3D graphics via the Guest Additions exposes the host
|
---|
245 | to additional security risks; see <xref
|
---|
246 | linkend="guestadd-3d" />.</para>
|
---|
247 | </sect3>
|
---|
248 |
|
---|
249 | <sect3>
|
---|
250 | <title>CD/DVD passthrough</title>
|
---|
251 | <para>Enabling CD/DVD passthrough allows the guest to perform advanced
|
---|
252 | operations on the CD/DVD drive, see <xref linkend="storage-cds"/>.
|
---|
253 | This could induce a security risk as a guest could overwrite data
|
---|
254 | on a CD/DVD medium.
|
---|
255 | </para>
|
---|
256 | </sect3>
|
---|
257 |
|
---|
258 | <sect3>
|
---|
259 | <title>USB passthrough</title>
|
---|
260 | <para>
|
---|
261 | Passing USB devices to the guest provides the guest full access
|
---|
262 | to these devices, see <xref linkend="settings-usb"/>. For instance,
|
---|
263 | in addition to reading and writing the content of the partitions
|
---|
264 | of an external USB disk the guest will be also able to read and
|
---|
265 | write the partition table and hardware data of that disk.
|
---|
266 | </para>
|
---|
267 | </sect3>
|
---|
268 |
|
---|
269 | </sect2>
|
---|
270 |
|
---|
271 | <sect2>
|
---|
272 | <title>Configuring and Using Authentication</title>
|
---|
273 |
|
---|
274 | <para>The following components of VirtualBox can use passwords for
|
---|
275 | authentication:<itemizedlist>
|
---|
276 |
|
---|
277 | <listitem>
|
---|
278 | <para>When using remote iSCSI storage and the storage server
|
---|
279 | requires authentication, an initiator secret can optionally be supplied
|
---|
280 | with the <computeroutput>VBoxManage storageattach</computeroutput>
|
---|
281 | command. As long as no settings password is provided (command line
|
---|
282 | option <screen>--settingspwfile</screen>, this secret is
|
---|
283 | stored <emphasis role="bold">unencrypted</emphasis> in the machine
|
---|
284 | configuration and is therefore potentially readable on the host.
|
---|
285 | See <xref
|
---|
286 | linkend="storage-iscsi" /> and <xref
|
---|
287 | linkend="vboxmanage-storageattach" />.</para>
|
---|
288 | </listitem>
|
---|
289 |
|
---|
290 | <listitem>
|
---|
291 | <para>When using the VirtualBox web service to control a VirtualBox
|
---|
292 | host remotely, connections to the web service are authenticated in
|
---|
293 | various ways. This is described in detail in the VirtualBox Software
|
---|
294 | Development Kit (SDK) reference; please see <xref
|
---|
295 | linkend="VirtualBoxAPI" />.</para>
|
---|
296 | </listitem>
|
---|
297 | </itemizedlist></para>
|
---|
298 | </sect2>
|
---|
299 |
|
---|
300 | <!--
|
---|
301 | <sect2>
|
---|
302 | <title>Configuring and Using Access Control</title>
|
---|
303 | </sect2>
|
---|
304 |
|
---|
305 | <sect2>
|
---|
306 | <title>Configuring and Using Security Audit</title>
|
---|
307 | </sect2>
|
---|
308 |
|
---|
309 | <sect2>
|
---|
310 | <title>Congiguring and Using Other Security Features</title>
|
---|
311 | </sect2>
|
---|
312 | -->
|
---|
313 |
|
---|
314 | <sect2>
|
---|
315 | <title>Potentially insecure operations</title>
|
---|
316 |
|
---|
317 | <para>The following features of VirtualBox can present security
|
---|
318 | problems:<itemizedlist>
|
---|
319 | <listitem>
|
---|
320 | <para>Enabling 3D graphics via the Guest Additions exposes the host
|
---|
321 | to additional security risks; see <xref
|
---|
322 | linkend="guestadd-3d" />.</para>
|
---|
323 | </listitem>
|
---|
324 |
|
---|
325 | <listitem>
|
---|
326 | <para>When teleporting a machine, the data stream through which the
|
---|
327 | machine's memory contents are transferred from one host to another
|
---|
328 | is not encrypted. A third party with access to the network through
|
---|
329 | which the data is transferred could therefore intercept that
|
---|
330 | data. An SSH tunnel could be used to secure the connection between
|
---|
331 | the two hosts. But when considering teleporting a VM over an untrusted
|
---|
332 | network the first question to answer is how both VMs can securely
|
---|
333 | access the same virtual disk image(s) with a reasonable performance. </para>
|
---|
334 | </listitem>
|
---|
335 |
|
---|
336 | <listitem>
|
---|
337 | <para>When using the VirtualBox web service to control a VirtualBox
|
---|
338 | host remotely, connections to the web service (through which the API
|
---|
339 | calls are transferred via SOAP XML) are not encrypted, but use plain
|
---|
340 | HTTP by default. This is a potential security risk! For details about
|
---|
341 | the web service, please see <xref linkend="VirtualBoxAPI" />.</para>
|
---|
342 | <para>The web services are not started by default. Please refer to
|
---|
343 | <xref linkend="vboxwebsrv-daemon"/> to find out how to start this
|
---|
344 | service and how to enable SSL/TLS support. It has to be started as
|
---|
345 | a regular user and only the VMs of that user can be controlled. By
|
---|
346 | default, the service binds to localhost preventing any remote connection.</para>
|
---|
347 | </listitem>
|
---|
348 |
|
---|
349 | <listitem>
|
---|
350 | <para>Traffic sent over a UDP Tunnel network attachment is not
|
---|
351 | encrypted. You can either encrypt it on the host network level (with
|
---|
352 | IPsec), or use encrypted protocols in the guest network (such as
|
---|
353 | SSH). The security properties are similar to bridged Ethernet.</para>
|
---|
354 | </listitem>
|
---|
355 | </itemizedlist></para>
|
---|
356 | </sect2>
|
---|
357 |
|
---|
358 | <sect2>
|
---|
359 | <title>Encryption</title>
|
---|
360 |
|
---|
361 | <para>The following components of VirtualBox use encryption to protect
|
---|
362 | sensitive data:<itemizedlist>
|
---|
363 | <listitem>
|
---|
364 | <para>When using the VirtualBox extension pack provided by Oracle
|
---|
365 | for VRDP remote desktop support, RDP data can optionally be
|
---|
366 | encrypted. See <xref linkend="vrde-crypt" /> for details. Only
|
---|
367 | the Enhanced RDP Security method (RDP5.2) with TLS protocol
|
---|
368 | provides a secure connection. Standard RDP Security (RDP4 and
|
---|
369 | RDP5.1) is vulnerable to a man-in-the-middle attack.</para>
|
---|
370 | </listitem>
|
---|
371 | </itemizedlist></para>
|
---|
372 | </sect2>
|
---|
373 | </sect1>
|
---|
374 |
|
---|
375 | <!--
|
---|
376 | <sect1>
|
---|
377 | <title>Security Considerations for Developers</title>
|
---|
378 | </sect1>
|
---|
379 | -->
|
---|
380 |
|
---|
381 | </chapter>
|
---|