Guide to the Secure Configuration of Virtuozzo Hybrid Infrastructure

with profile VHI Security Hardening
This guide is intended for system administrators and provides a comprehensive set of instructions recommended for hardening a Virtuozzo Hybrid Infrastructure cluster.

The SCAP Security Guide Project
https://www.open-scap.org/security-policies/scap-security-guide

This guide presents a catalog of security-relevant configuration settings for Virtuozzo Hybrid Infrastructure. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is is available in the scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.

Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile Title	VHI Security Hardening
Profile ID	xccdf_org.ssgproject.content_profile_vhi_security_hardening

CPE Platforms

cpe:/o:virtuozzohci:vz:9

Revision History

Current version: 0.1.73

draft (as of 2025-11-11)

VHI Security Hardening
1. Password Policy
2. Service Security

Checklist

Group Guide to the Secure Configuration of Virtuozzo Hybrid Infrastructure Group contains 3 groups and 2 rules

Group VHI Security Hardening Group contains 2 groups and 2 rules

[ref]

Group Password Policy Group contains 1 rule

[ref]

Rule Limit Password Reuse [ref]
Enforce a policy preventing users from reusing their last five passwords. This ensures that compromised credentials cannot be reused and applies only to local system accounts. To configure remembered password history, run the following script that will add or modify the pam_pwhistory.so and pam_unix.so lines to include the remember option: CP=$(authselect current \| awk "NR == 1 {print $3}" \| grep custom/) [[ -n $CP ]] && PTF=/etc/authselect/$CP/system-auth \|\| PTF=/etc/authselect/system-auth [[ -n $(grep -E "^\spassword\s+(sufficient\s+pam_unix\|requi(red\|site)\s+pam_pwhistory).so\s+ ([^#]+\s+)remember=\S+\s.$" "$PTF") ]] \ && sed -ri 's/^\s(password\s+(requisite\|sufficient)\s+(pam_pwquality\.so\|pam_unix\.so)\s+)(.)(remember=\S+\s)(.)$/\1\4 remember=5 \6/' "$PTF" \ \|\| sed -ri 's/^\s(password\s+(requisite\|sufficient)\s+(pam_pwquality\.so\|pam_unix\.so)\s+)(.)$/\1\4 remember=5/' "$PTF" authselect apply-changes
Rationale:	Enforcing a password history policy that prevents the reuse of previous passwords is a critical component of credential security. It mitigates risks associated with predictable or repeated passwords and helps enforce good password hygiene among local system users.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_r02_pam_settings_check
Identifiers and References	References: 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(e), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.5, SRG-OS-000077-GPOS-00045

Group Service Security Group contains 1 rule

[ref]

Rule Ensure Telnet is not installed [ref]

Replace Telnet with SSH where possible for encrypted and secure remote communications. The SSH package provides an encrypted session and stronger security communication.

Rationale:

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities are often overlooked and therefore may remain insecure. They increase the risk to the platform by providing additional attack vectors.
The telnet service provides an unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to login using this service, the privileged user password could be compromised.
Removing the telnet package decreases the risk of the telnet service's accidental (or intentional) activation.

Severity:

high

Rule ID: xccdf_org.ssgproject.content_rule_r27_telnet_ins_chk

Identifiers and References

References: 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, Req-2.2.2, SRG-OS-000095-GPOS-00049

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	disable


# CAUTION: This remediation script will remove telnet
#	   from the system, and may remove any packages
#	   that depend on telnet. Execute this
#	   remediation AFTER testing on a non-production
#	   system!

if rpm -q --quiet "telnet" ; then

    dnf remove -y "telnet"

fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	disable

- name: Ensure telnet is removed
  package:
    name: telnet
    state: absent
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - PCI-DSS-Req-2.2.2
  - disable_strategy
  - high_severity
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - r27_telnet_ins_chk

Remediation Puppet snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	disable

include remove_telnet

class remove_telnet {
  package { 'telnet':
    ensure => 'purged',
  }
}

Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.