Comment on XCP-NG vs PROXMOX security hardening?
marauding_gibberish142@lemmy.dbzer0.com 1 week agoThank you for the wonderful comment. I am talking about the operating system (Debian vs CentOS if I remember correctly) when I mention Hardening.
I haven’t seen a concrete example of anyone applying CIS policies on the XCP-NG base, neither have I seen any mentions of securing the XCP-NG base by companies using them in production. I understand that having a walled-off dom0 is great and I like that about Xen, but not seeing dialogue on base OS level security is making me a bit uncomfortable about XCP-NG. Not sure if it is immutable, if it is then that would relieve some of my worries.
Personally, I think Proxmox is somewhat unsecure too. I believe something like following relevant STIG recommendations, kernel self-protection, hardened malloc and other things (there’s a huge list but I’ll be brief) should be essential. Ideally I would’ve preferred that the Proxmox project took some of the measures that the Kicksecure project does in hardening debian but I don’t see any mention of something like that. If I end up wanting to run Proxmox, I’ll install Debian, distro-morph it to Kicksecure and then follow the instructions for Proxmox (not sure how I’ll keep from using the Proxmox custom kernel but we’ll see).
moonpiedumplings@programming.dev 1 week ago
Proxmox is unique from other projects, in it’s much more hacky, and much of the stack is custom rather than standards. Like for example: For networking, they maintain a fork of the Linux’s older networking stack, called
ifupdown2, whereas similar projects, like openstack, or Incus, use either the standard Linux kernel networking, or a project calledopenvswitch.I think Proxmox is definitely secure enough, but I don’t know if I would really trust it for higher value usecases due to some of their stack being custom, rather than standard and mantained by the wider community.
If you’re interested in deploying a hypervisor on top of an existing operating system, I recommend looking into Incus or Openstack. They have packages/deployments than can be done on Debian or Red Hat distros, and I would argue that they are designed in a more secure manner (since they include multi tenancy) than Proxmox. In addition to that, they also use standard tooling for networking, like both can use Linux Bridge (in-kernel networking) for networking operations.
I would trust Openstack the most when it comes to security, because it is designed to be used as a public cloud, like having your own AWS, and it is deployed with components publicly accessible in the real world.
marauding_gibberish142@lemmy.dbzer0.com 1 week ago
I had looked into openstack a while back but left it thinking it was too complex. I was looking at Apache’s Cloudstack then.
I see now that a contributor has got Debian in the official list of supported distributions. Which means my distro-morphing idea should work in theory with OpenStack. This is a great idea, thanks. I will look at OpenStack more seriously now. Does look like it will need some effort though
moonpiedumplings@programming.dev 1 week ago
I don’t recommend doing a manual install though, as it’s extremely complex compared to automated deployment solutions like kolla-ansible, openstack-ansible, or openstack-helm/genestack. They make the install much more simpler and less time consuming, while still being intensely configurable.
marauding_gibberish142@lemmy.dbzer0.com 1 week ago
I see. But does the installation cover hardening steps like hardened_malloc, permission hardener, kernel self-protection etc?