Hardening macpine instances (via QEMU use and configuration)

QEMU Resources

• General QEMU Security Information
• !! note: tiny codegen emulation is not developed for security. Guests emulated using tcg must be considered trusted.
• Reporting QEMU Security Issues

Linux Resources

• grsecurity (non-free)
• SELinux and AppArmor

General tips

• Limit exposed interfaces, virtual devices, and ports
• Run services on unprivileged ports (> 1024) as dedicated users with localhost proxying if needed
• Configure ssh-agent authentication to the guest machine with certificate-based credentials, and then disable password authentication (PermitRootLogin prohibit-password and/or PasswordAuthentication no in /etc/ssh/sshd_config)
• qemu port forwarding binds 0.0.0.0, meaning any source IP may send traffic to the guest. Enabling a firewall on the host can prevent unwanted ingress traffic to the guest.