Virtual Machines and Security
Christopher Rodriguez
22SC-CSC300-1: Operating Systems and Architecture
Dr. Jonathan Vanover
2022-06-19

#### Virtual Machines and Security

The assignment was to create a virtual network with three virtual machines (one running Windows 10, one running Ubuntu, and one running Kali Linux). It was suggested that we use VirtualBox for this task; however, I instead used libvirt and its companion tools, as they are a more up-to-date set of virtualization tools on my chosen platform (GNU Guix).

#### Setting Up the Network

The first step was enabling support for virtualization on GNU Guix. This largely consisted of adding the correct packages and services to my system-wide configuration, which is included in appendix A. The most important parts of this configuration are the inclusion of the libvirt package in the packages field and the inclusion of libvirt-service-type in the services field. Also important was adding my user account to the kvm group, because we are using the “Kernel-Based Virtual Machine” module of the Linux kernel (and, since the configuration makes the libvirt socket group-owned by libvirt, to the libvirt group as well, so that VMs can be managed without root).

Once this was complete, I was able to reboot and use libvirt as intended. This began with opening virt-manager, as seen in figure 1. The installation process for each OS was very similar and straightforward; the most important differences were the network settings. The process went something like this:

1. Begin creating a new virtual machine, as in figure 2.

2. Specify a boot image to act as the installer, as in figure 3. I had pre-downloaded all three installation ISOs, which made this step easy.

3. Choose how much memory and how many CPU cores to allocate to this virtual machine while it is running, as in figure 4. It is important to remember that you should not allocate more than you actually have, and if you are also doing things like writing a paper, keep some resources for the host OS as well.

4. Create a virtual drive to act as storage for this VM, as in figure 5. Here is where I ran into an issue with my host OS: because GNU Guix keeps most system directories on a read-only filesystem, the default location for storage is inside root’s /.local folder. Obviously, this is undesirable for myriad reasons, but also my normal user cannot see that directory, so instead I chose “Select or create custom storage” and manually made a qcow2 disk in the globally accessible /var/lib/libvirt/images/pool directory. (If privacy is a goal, the current user’s home directory is just as usable for this.)

5. With the basics out of the way, we can move on to the interesting bit: configuring the virtual networks. On the confirmation screen, make sure to select “Configure Before Installation”. A window looking similar to figure 6 will appear. We are interested in configuring the NIC, so change to the NIC panel as in figure 7.

   I had some networks pre-created (using Edit > Connection Details > Virtual Networks), and chose to let all of the machines initially use a NAT connection so that they could update themselves post-install (and so I could install neofetch for a more pleasant OS-identification experience). This network is shown in figure 9. I also made sure to have a “Host-Only” network set up at this step, as in figure 8, for ease of use later.

6. Install the OS as normal. There are no special VM-centric concerns here. Also ensure all needed updates are applied and any user-needed packages (neofetch) are installed.

7. Finally, go into each VM and configure the NIC to use the appropriate network. The assignment had Windows 10 and Ubuntu on “Host-Only” networks and Kali Linux on a NAT network. The final settings for each VM are shown in figures 13 to 15.
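The split in step 7 (Windows 10 and Ubuntu on a host-only network, Kali on NAT) can be verified from libvirt's XML instead of by clicking through each VM: a network definition with no <forward> element is host-only and never reaches beyond the host, while forward mode='nat' does. The following is an added example, not code from the report; the network and domain XML are constructed samples standing in for `virsh net-dumpxml` and `virsh dumpxml` output, and the VM names are assumed.

```python
"""Audit which kind of libvirt network each VM is attached to."""
import xml.etree.ElementTree as ET

# Constructed stand-ins for `virsh net-dumpxml <name>` output: libvirt's
# NAT "default" network and a host-only network with no <forward> element.
NETWORKS_XML = {
    "default": """<network><name>default</name><forward mode='nat'/>
        <ip address='192.168.122.1' netmask='255.255.255.0'/></network>""",
    "hostonly": """<network><name>hostonly</name>
        <ip address='192.168.100.1' netmask='255.255.255.0'/></network>""",
}

# Constructed stand-ins for the <devices> part of `virsh dumpxml <vm>`.
NIC = ("<domain><devices><interface type='network'>"
       "<source network='%s'/></interface></devices></domain>")
DOMAINS_XML = {"win10": NIC % "hostonly",
               "ubuntu": NIC % "hostonly",
               "kali": NIC % "default"}

# What the assignment requires for each VM (VM names are assumed).
EXPECTED = {"win10": "host-only", "ubuntu": "host-only", "kali": "nat"}


def classify_network(net_xml: str) -> str:
    """Return 'host-only' when the network has no <forward> element,
    otherwise its forward mode ('nat', 'route', 'bridge', ...).
    libvirt treats a bare <forward/> as NAT, hence that default."""
    fwd = ET.fromstring(net_xml).find("forward")
    return "host-only" if fwd is None else fwd.get("mode", "nat")


def audit(domains: dict, networks: dict, expected: dict) -> dict:
    """Map each VM to (kinds of network its NICs use, matches expected?).

    A VM with no NIC or with more than one is reported as a mismatch,
    because the assignment wants exactly one NIC on one kind of network.
    """
    kinds = {name: classify_network(xml) for name, xml in networks.items()}
    report = {}
    for vm, dom_xml in domains.items():
        root = ET.fromstring(dom_xml)
        attached = [src.get("network") for src in root.iter("source")
                    if src.get("network") is not None]
        actual = [kinds.get(name, "unknown") for name in attached]
        report[vm] = (actual, actual == [expected.get(vm)])
    return report


if __name__ == "__main__":
    for vm, (actual, ok) in audit(DOMAINS_XML, NETWORKS_XML, EXPECTED).items():
        print(f"{vm:7} {actual} {'OK' if ok else 'MISMATCH'}")
```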

#### Results

I was able to ping all three VMs, regardless of which virtual network they were on. This output is shown in figure 16. I am confident this fulfills the needs of this assignment.

#### Appendix A: My System Configuration, with Virtualization Enabled

;;; jory.scm
;;;
;;; This is the system-config file for Jory, my Purism Librem 14 Laptop
;;;
;;; Author: Christopher Rodriguez
;;; Created: 2022-04-10
;;; Last Released: 2022-06-09
;;; Contact: yewscion@gmail.com
;;;

(use-modules (gnu)
             (srfi srfi-1)
             (ice-9 textual-ports)
             (guix modules))

(use-service-modules admin avahi base databases desktop docker games mail mcron
                     networking ssh virtualization web xorg)

(use-package-modules admin certs databases emacs games package-management ssh
                     tls version-control xdisorg)

;; SSH public key authorised for the "ming" and "git" accounts below.
;; The key material itself is omitted here.
(define %ming-pubkey
  (plain-file "ming_id.pub"
              "<ssh public key omitted>"))

(define updatedb-job
  ;; Run 'updatedb' at 3AM every day.  Here we write the
  ;; job's action as a Scheme procedure.
  #~(job '(next-hour '(3))
         (lambda ()
           (execl (string-append #$findutils "/bin/updatedb")
                  "updatedb"
                  "--prunepaths=/tmp /var/tmp /gnu/store"))))

(define %my-keyboard-layout
  (keyboard-layout "us,apl" #:options
                   '("ctrl:swapcaps_hyper" "compose:rctrl"
                     "grp:toggle")))

(define %my-desktop-services
  (modify-services %desktop-services
    ;; The page's copy of this form lost the lines around
    ;; (handle-power-key 'ignore).  That field belongs to
    ;; elogind-configuration, so the elogind-service-type wrapper is
    ;; restored here on that assumption.
    (elogind-service-type config =>
                          (elogind-configuration
                           (inherit config)
                           (handle-power-key 'ignore)))))

(define %my-services
  (modify-services
      (append
       (list
        (service gnome-desktop-service-type)
        (service openssh-service-type
                 (openssh-configuration
                  (authorized-keys
                   `(("ming" ,%ming-pubkey)
                     ("git" ,%ming-pubkey)))))
        (service postgresql-service-type
                 (postgresql-configuration
                  (postgresql postgresql-10)))
        (service gmnisrv-service-type)
        (service wesnothd-service-type)
        (service docker-service-type)
        (service qemu-binfmt-service-type
                 (qemu-binfmt-configuration
                  (platforms (lookup-qemu-platforms "arm"
                                                    "aarch64"
                                                    "risc-v"))))
        (simple-service 'my-cron-jobs
                        mcron-service-type
                        (list updatedb-job))
        (set-xorg-configuration
         (xorg-configuration
          (keyboard-layout %my-keyboard-layout)))
        ;; libvirt: the daemon socket is group-owned by "libvirt", so
        ;; only members of that group (see the "ming" account below)
        ;; can manage VMs; virtlog collects guest console logs.
        (service libvirt-service-type
                 (libvirt-configuration
                  (unix-sock-group "libvirt")
                  (tls-port "16555")))
        (service virtlog-service-type))
       %my-desktop-services)
    (guix-service-type
     config =>
     (guix-configuration
      (inherit config)
      (authorized-keys
       (append (list (local-file "/etc/cdr255/frostpine.pub"))
               %default-authorized-guix-keys))))))

(define %my-packages
  (list "nss-certs"
        "xorg-server-xwayland"
        "emacs"
        "openssh"
        "openssl"
        "rxvt-unicode"
        "git"
        "libvirt"
        "openjdk"
        "stumpwm"
        "ncurses"
        "guile"))

(operating-system
  (locale "en_US.utf8")
  (timezone "America/New_York")
  (keyboard-layout %my-keyboard-layout)
  (host-name "jory")
  (users (cons* (user-account
                 (name "ming")
                 (comment "Christopher Rodriguez")
                 (group "users")
                 (home-directory "/home/ming")
                 ;; "libvirt" and "kvm" are what let this user manage
                 ;; VMs and open /dev/kvm without root.
                 (supplementary-groups
                  '("wheel" "netdev" "audio" "video" "docker" "libvirt" "kvm")))
                (user-account
                 (name "git")
                 (group "git")
                 (home-directory "/home/git")
                 (comment "For Use With Git")
                 (system? #t))
                %base-user-accounts))
  (groups (cons* (user-group
                  (name "git")
                  (system? #t))
                 %base-groups))
  (packages
   (append
    (map (compose list specification->package+output)
         %my-packages)
    %base-packages))
  (services
   %my-services)
  ;; The page's copy omits the start of this form, including the
  ;; required `bootloader` field; only these two fields survived.
  (bootloader
   (bootloader-configuration
    (targets (list "/dev/nvme0n1"))
    (keyboard-layout keyboard-layout)))
  (swap-devices
   (list (swap-space
          (target
           (uuid "0fd9015c-34ca-4d05-843b-584fa94796d3")))))
  (file-systems
   (cons* (file-system
           (mount-point "/")
           (device
            ;; The page's copy ends here; the rest of the
            ;; file-systems form is cut off.