Description of problem:
Transport Layer Security (SSL/TLS) is not being used to protect sensitive data communications (e.g. UserID/password, SQL, etc.) between the application and end-clients.

Impact
The primary benefit of TLS is the protection of web application data from unauthorized disclosure. It should be noted that TLS only provides protection to data during transmission. Therefore, appropriate security controls must be added to protect data while at rest within the application or within data stores.

[root]# cat /etc/libvirt/libvirtd.conf|gre
#listen_tls = 0
#tls_port = "16514"
#auth_tls = "none"
#tls_no_sanity_certificate = 1
#tls_no_verify_certificate = 1
#tls_allowed_dn_list = ["DN1", "DN2"]
#tls_priority="NORMAL"

Remediation Recommendations
1. Enable TLS for all login pages and all subsequent authenticated pages. Failure to utilize TLS for authenticated pages after the login enables an attacker to view the unencrypted session ID and compromise the user's authenticated session.
2. Ensure SSLv2, SSLv3, TLSv1.0 and TLSv1.1 are completely disabled and only allow TLSv1.2 and above with approved cipher suites. Unapproved cipher suites (e.g. ciphers below 128-bit, 3DES, RC4, MD5, DHE, ADH, NULL and EXPORT ciphers) should be disabled in TLS. Refer to Data Protection TSR, section 3.5.1, for more details.
3. When cookies are used on TLS pages, all cookies should be set to secure. This signals the browser to expect sensitive information, which should never be sent over non-SSL channels.

Version-Release number of selected component (if applicable):
4.1.3

How reproducible:
It is reproducible

Steps to Reproduce:
# cat /etc/libvirt/libvirtd.conf|grep tls

Expected results:
TLS should be listening, and that will be reflected in the config file.

Additional info:
The output looks like it is from an unconfigured host. Please clarify whether the host has been added to a RHV environment.
Hi Michal, Yes, the host has been added to the RHV environment, per customer. Customer states that his security team's concern is that libvirt daemon is not using encryption. Thanks, Christine
Well, not sure what the customer is doing, but the output is clearly from an unconfigured host. That host is apparently not added into a RHV system yet. Please provide further clarification.
ping
any news?
Hi Tomas, Customer has uploaded the sosreport (case log #24). What exactly do you need to see? Christine
Hi Michal, I was just looking at the case for Christine. What leads you to believe that the host is unconfigured? Is it the entries from libvirtd.conf? Regards, Frank
Yes. How does it look then?
(In reply to Michal Skrivanek from comment #8)
> Yes. How does it look then?

Could you be specific and let me know what you're looking for? Thanks!
I have just reviewed the libvirtd.conf from the attached sos report and TLS is enabled there (e.g. all the options mentioned in comment 1 are commented out, meaning it falls back to the default libvirt configuration, which has TLS enabled). It contains, for example, this:

# This is enabled by default, uncomment this to disable it
#listen_tls = 0

So, not sure, what are you missing?
Christine?