[Linux-cluster] Rhel BootLoader, Single-user mode password & Interactive Boot in a Cloud environment

Digimer lists at alteeve.ca
Wed Oct 22 10:46:22 UTC 2014


On 22/10/14 04:44 AM, Sunhux G wrote:
> We run cloud service & our vCenter is not accessible to our tenants
> and their IT support; so I would say console access is not feasible
> unless the tenant/customer IT come to our DC.
>
> If the following 3 hardenings are done on our tenant/customer RHEL
> Linux VM, what's the impact on the tenant's sysadmin & IT operation?
>
>
> a) CIS 1.5.3 Set Boot Loader Password:
>      if this password is set, when tenants reboot (shutdown -r)
>      their VM each time, will it prompt for the bootloader
>      password at the console?  If so, is there any way the tenant
>      could still get their VM booted up if they have no access
>      to vCenter's console?
>
> b) CIS 1.5.4 Require Authentication for Single-User Mode:
>      Does Linux allow ssh access while in single-user mode &
>      can this 'single-user mode password' be entered via an
>      ssh session (without access to the console), assuming a certain
>      'terminal' service is started up / running while in single-user
>      mode?
>
> c) CIS 1.5.5 Disable Interactive Boot:
>      what's the general consensus on this? Disable or enable?
>      Our corporate hardening guide does not mention this item.
>      So if the tenant wishes to boot up step by step (i.e. pausing
>      at each startup script), they can't do it?
>
> Feel free to add any other impacts that anyone can think of.
>
> Lastly, how do people out there grant console access to their
> tenants in a Cloud environment without security compromise
> (I mean without granting vCenter access)? I heard that we can
> customize vCenter to grant limited access of vCenter to
> tenants, is this so?
>
>
> Sun

Hi Sun,

   Did you mean to post this to the vmware mailing list?

-- 
Digimer
Papers and Projects: https://alteeve.ca/w/
What if the cure for cancer is trapped in the mind of a person without 
access to education?
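As an added example (not part of this thread), the three CIS items Sun lists can be audited from copies of the relevant files. It assumes the CIS RHEL 6 benchmark's file paths and keys (/boot/grub/grub.conf for 1.5.3, /etc/sysconfig/init for 1.5.4 and 1.5.5) and uses constructed sample files so it runs stand-alone.

```shell
#!/bin/sh
# Added audit helper, not from the thread. File paths and keys are those of
# the CIS RHEL 6 benchmark (assumed); paths are arguments so the checks can
# run against copies pulled from a tenant VM rather than the live host.

# 1.5.3 Set Boot Loader Password: GRUB legacy needs a hashed 'password' line.
cis_1_5_3_bootloader_password() {
    grep -Eq '^password[[:space:]]+--(md5|encrypted)[[:space:]]+[^[:space:]]+' "$1"
}

# 1.5.4 Require Authentication for Single-User Mode: SINGLE must be sulogin,
# not the RHEL 6 default sushell, which gives a root shell with no password.
cis_1_5_4_single_user_auth() {
    grep -Eq '^SINGLE=/sbin/sulogin[[:space:]]*$' "$1"
}

# 1.5.5 Disable Interactive Boot: PROMPT=no (the RHEL 6 default is yes).
cis_1_5_5_no_interactive_boot() {
    grep -Eq '^PROMPT=no[[:space:]]*$' "$1"
}

# Runs all three checks, prints PASS/FAIL lines, returns the failure count.
audit_boot_hardening() {
    grub="$1"; init="$2"; failed=0
    if cis_1_5_3_bootloader_password "$grub"; then echo "PASS 1.5.3"
    else echo "FAIL 1.5.3 no boot loader password in $grub"; failed=$((failed+1)); fi
    if cis_1_5_4_single_user_auth "$init"; then echo "PASS 1.5.4"
    else echo "FAIL 1.5.4 SINGLE is not /sbin/sulogin in $init"; failed=$((failed+1)); fi
    if cis_1_5_5_no_interactive_boot "$init"; then echo "PASS 1.5.5"
    else echo "FAIL 1.5.5 PROMPT is not no in $init"; failed=$((failed+1)); fi
    return "$failed"
}

# Constructed sample VM (not copied from any real host): grub.conf carries a
# placeholder password hash, /etc/sysconfig/init still has RHEL 6 defaults.
write_samples() {
    cat > "$1/grub.conf" <<'EOF'
default=0
timeout=5
password --encrypted $6$placeholder$NOTAREALHASH
title Red Hat Enterprise Linux
        kernel /vmlinuz ro root=/dev/mapper/vg-root
EOF
    printf 'PROMPT=yes\nSINGLE=/sbin/sushell\n' > "$1/init"
}

sample=$(mktemp -d); write_samples "$sample"; rc=0
audit_boot_hardening "$sample/grub.conf" "$sample/init" || rc=$?
echo "$rc of 3 checks failed"; rm -rf "$sample"
```

With GRUB legacy the password only gates editing entries (or booting an entry marked lock) at the menu, so an ordinary shutdown -r still boots unattended. Single-user mode brings up no network, so the sulogin prompt from 1.5.4 can only be answered on the console, which is exactly the access a vCenter-less tenant lacks.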
