Is there a STIG for KVM? Investigating STIG Compliance as it Relates to Virtualization

For organizations operating within regulated environments, it is important that their systems be robustly protected against potential attacks. Many times, this is done through the use of Security Technical Implementation Guides (STIGs) applied to their system. Until recently, it has been unclear what, if any, STIGs are available for Linux-based virtualized systems.

What is a STIG?

STIGs are created by the Defense Information Security Agency (DISA) and published on a quarterly basis. Each STIG provides the documentation and guidance to bring a specific OS or tool into compliance with NIST 800-53, which is the general NIST standard for cyber compliance. The overall focus of each STIG is to provide a framework to enhance the security posture of a system via specific configuration settings, system hardening measures, and access control policies. Each approved OS has a corresponding STIG that is required to be applied. 

What is KVM?

KVM (Kernel-based Virtual Machine) is a type 1 hypervisor and a modern virtualization solution for Linux based (including RHEL) hosts. It provides the facilities for managing and isolating virtual machines (VMs). In many environments, there is a clear need for virtualization either to improve hardware isolation or be able to run multiple segmented workloads on the same hardware. There has not been explicit guidance from DISA on how to protect a Linux-based KVM host, which created a gap where organizations that are interested in using KVM for virtualization have not known if they have the authority to securely use it. 

Securing KVM Systems

Click to read the whitepaper!

So, the question remains. Is there a unique STIG required for KVM-based virtualization? The answer is no. To date, DISA has not published security guidance specifically for hypervisors. Therefore, designing a secure system that includes virtualization requires an approach that ensures the hypervisor is secured and meets the intent of DISAs existing guidance. Here’s our suggestion: 

  1. Ensure the host for your hypervisor has a relevant STIG that can be applied. This is the case for Linux distributions include both RHEL and Ubuntu. 

  2. Identify any guidance provided by other entities to secure the hypervisor (Hint: The NSA supplies hypervisor guidance stemming from NIST 800-125) 

  3. Assess the threat model for your system and apply any additional measures necessary to secure the hypervisor to the extent necessary for your use case. 

 As mentioned above, the NSA supplies hypervisor security guidance stemming from NIST 800-125: Guide to Security for Full Virtualization Technologies. As a hypervisor and virtualization specific document, it specifically excludes all protections related to securing the host including: “hypervisor host user account management, hypervisor host authentication and access control, routine administration of Host OS (e.g., keeping patches current)” which is why the need for STIGs remains. Using these guidelines together – that is, the host STIG and hypervisor-specific security guidance – is the key to thoroughly securing the system. 

The goal of hypervisor-specific protections is to ensure that the hypervisor can provide its many necessary functions (VM process/memory isolation, device access control, VM management) without being compromised by an attack. Some of the potential threats called out by NIST that need to be managed include VM escapes, network isolation failures, and denials of service. All of these can be mitigated with the appropriate protections like hard partitioning of cores to avoid side-channels from shared CPUs and relying on the IOMMU to ensure devices cannot be improperly accessed between VMs. 

Titanium for KVM

Click to view the webinar!

Because we know all too well how time-consuming it is to secure hypervisors – we decided to create  a solution that helps engineering teams secure KVM easily and efficiently. Titanium for KVM extends Titanium Technology Protection capabilities to provide safety and security for this critical component in the system stack.  

Titanium Technology Protection is a comprehensive technology protection solution for Linux-based mission-critical systems in Aerospace and Defense, that counters cyber and technology protection threats with capabilities including secure boot, data-at-rest protections, mandatory access controls, kernel hardening, and security for KVM-based virtualization. 

 

Contact Us

Reach out about making your system secure-by-design, including your KVM Hypervisor!

Matthew Fahrenkrug