oVirt Virtualization Shift Left Security
oVirt Security

Keywords: oVirt, Virtualization, Shift Left Security, KVM, libvirt, VM Hardening, Template, Network Isolation, Compliance, OpenSCAP, CIS Benchmark, Audit, Production
| Security Layer | Traditional | Shift Left | Tool | Frequency |
|---|---|---|---|---|
| VM Template | After deploy | Before the template is built | CIS Benchmark | Every template |
| Image Scan | Not done | Before deploy | OpenSCAP, Trivy | Every build |
| Network | After deploy | At design time | VLAN, Firewall | Every change |
| Secrets | Hardcoded | Vault from the start | HashiCorp Vault | Every provision |
| Compliance | Yearly audit | Continuous scan | OpenSCAP, Lynis | Weekly |
| Logging | After an incident | From day one | rsyslog, auditd | Real-time |
VM Hardening
=== oVirt VM Hardening Script ===
#!/bin/bash
# VM Hardening Script — CIS Benchmark Based
# Run once inside the template VM before sealing it; every VM cloned from the
# template then starts from this baseline instead of being hardened after deploy.
set -euo pipefail

# 1. Update all packages
dnf update -y

# 2. Disable unnecessary services (skip units that are not installed)
for svc in cups avahi-daemon postfix bluetooth; do
    systemctl disable --now "$svc" 2>/dev/null || echo "$svc not installed, skipping"
done

# 3. SSH Hardening
# '#\?' makes each substitution work whether the directive is still commented
# out (the RHEL default) or already set to some other value.
sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
sed -i 's/^#\?MaxAuthTries.*/MaxAuthTries 3/' /etc/ssh/sshd_config
sed -i 's/^#\?ClientAliveInterval.*/ClientAliveInterval 300/' /etc/ssh/sshd_config
sed -i 's/^#\?ClientAliveCountMax.*/ClientAliveCountMax 2/' /etc/ssh/sshd_config
# Create the group before restricting logins to it, or the template locks
# everyone out; add admin accounts to sshusers when the VM is provisioned.
getent group sshusers >/dev/null || groupadd sshusers
grep -q '^AllowGroups' /etc/ssh/sshd_config || echo "AllowGroups sshusers" >> /etc/ssh/sshd_config
sshd -t   # validate the config; a typo here must not take sshd down
systemctl restart sshd

# 4. Firewall — Allow only needed ports
# The default zone is persistent; the --permanent rules land in that zone.
firewall-cmd --set-default-zone=drop
firewall-cmd --permanent --add-service=ssh
firewall-cmd --permanent --add-port=443/tcp
firewall-cmd --reload

# 5. SELinux Enforcing
sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
# setenforce only works if SELinux was not disabled at boot; otherwise the
# config change above takes effect after a reboot (with a relabel).
setenforce 1 || echo "SELinux disabled at boot; reboot required"

# 6. Audit Rules ('>' instead of '>>' keeps the script re-runnable)
cat > /etc/audit/rules.d/hardening.rules << 'EOF'
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k sudo_changes
-w /var/log/ -p wa -k log_changes
# Log execve for logged-in users only; without the auid filters every daemon
# fork shows up and the log becomes unusable.
-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=unset -k command_exec
EOF
augenrules --load

# 7. Sysctl Hardening (set both 'all' and 'default' so new interfaces inherit)
cat > /etc/sysctl.d/99-hardening.conf << 'EOF'
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
kernel.randomize_va_space = 2
fs.suid_dumpable = 0
EOF
sysctl --system
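The audit rules above tag every hit with a key (identity, sudo_changes, log_changes, command_exec), but auditd writes one event as several raw records that share a serial number. The following is an added example, not code from the page or from the audit project, showing how a daily review job correlates the SYSCALL record with its PATH records and turns watched-key hits into findings. The log lines are constructed samples in the raw audit.log format, and the severity mapping and the "auid unset" escalation are this example's assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records in auditd's raw /var/log/audit/audit.log format
# (not captured from a real host). Serial 4567 is a write to /etc/shadow,
# 4570 a copy over /etc/sudoers with no login session, 4575 an ordinary
# command tagged with the high-volume command_exec key.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:4567): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=1200 pid=1300 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="identity"
type=CWD msg=audit(1700000000.101:4567): cwd="/root"
type=PATH msg=audit(1700000000.101:4567): item=0 name="/etc/" inode=131 dev=fd:00 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1700000000.101:4567): item=1 name="/etc/shadow" inode=262 dev=fd:00 mode=0100000 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.202:4570): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=1200 pid=1400 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="cp" exe="/usr/bin/cp" key="sudo_changes"
type=PATH msg=audit(1700000000.202:4570): item=0 name="/etc/sudoers" inode=300 dev=fd:00 mode=0100440 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.303:4575): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1300 pid=1500 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key="command_exec"
type=EXECVE msg=audit(1700000000.303:4575): argc=2 a0="ls" a1="-la"
"""

TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_ID_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
AUID_UNSET = "4294967295"  # auditd's value for "no login session"

# Alerting severity per key set by the -w rules in the hardening script.
# command_exec is deliberately absent: it is kept for forensics, not alerted on.
KEY_SEVERITY = {"identity": "high", "sudo_changes": "critical", "log_changes": "medium"}


def parse_record(line):
    """Split one raw audit record into a dict of field=value pairs."""
    fields = {k: v.strip('"') for k, v in TOKEN_RE.findall(line)}
    m = EVENT_ID_RE.search(line)
    if m:
        fields["_ts"], fields["_serial"] = m.group(1), int(m.group(2))
    return fields


def correlate(log_text):
    """Group records by event serial: one SYSCALL record plus its PATH records."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in log_text.splitlines():
        rec = parse_record(line)
        serial = rec.get("_serial")
        if serial is None:
            continue
        if rec.get("type") == "SYSCALL":
            events[serial]["syscall"] = rec
        elif rec.get("type") == "PATH" and rec.get("nametype") != "PARENT":
            events[serial]["paths"].append(rec.get("name", ""))
    return events


def triage(log_text):
    """Return one finding per watched-key event, most severe first."""
    order = {"critical": 0, "high": 1, "medium": 2}
    findings = []
    for serial, ev in correlate(log_text).items():
        sc = ev["syscall"]
        if sc is None or sc.get("key") not in KEY_SEVERITY:
            continue
        severity = KEY_SEVERITY[sc["key"]]
        notes = []
        if sc.get("auid") == AUID_UNSET:
            # A write to identity or sudo files outside any login session is
            # either provisioning tooling or persistence; escalate either way.
            severity = "critical"
            notes.append("no login session (auid unset)")
        if sc.get("success") != "yes":
            notes.append("attempt failed")
        findings.append({
            "serial": serial, "severity": severity, "key": sc["key"],
            "auid": sc.get("auid"), "exe": sc.get("exe"),
            "paths": ev["paths"], "notes": notes,
        })
    return sorted(findings, key=lambda f: (order[f["severity"]], f["serial"]))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:8}] {f['key']:12} auid={f['auid']} exe={f['exe']} "
              f"paths={','.join(f['paths'])} {' '.join(f['notes'])}")
```

On a real VM the same function runs over the output of `ausearch -k identity -k sudo_changes -k log_changes --raw`; the point of correlating by serial is that the file name lives in the PATH record while the actor (auid, exe) lives in the SYSCALL record, and an alert needs both.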
from dataclasses import dataclass


@dataclass
class HardeningItem:
    category: str
    item: str
    command: str
    cis_ref: str
    risk: str


items = [
    HardeningItem("SSH", "Disable Root Login", "PermitRootLogin no", "5.2.10", "Critical"),
    HardeningItem("SSH", "Key Only Auth", "PasswordAuthentication no", "5.2.4", "Critical"),
    HardeningItem("Firewall", "Default Drop", "firewall-cmd --set-default-zone=drop", "3.4.1", "High"),
    HardeningItem("SELinux", "Enforcing Mode", "setenforce 1", "1.6.1", "Critical"),
    HardeningItem("Audit", "File Monitoring", "auditd rules for /etc/", "4.1.3", "High"),
    HardeningItem("Network", "Disable ICMP Redirect", "sysctl net.ipv4", "3.3.2", "Medium"),
    HardeningItem("Services", "Disable Unused", "systemctl disable cups", "2.2.x", "Medium"),
    HardeningItem("Packages", "Remove Unnecessary", "dnf remove telnet", "2.3.x", "Medium"),
]

print("=== VM Hardening Checklist ===")
for i in items:
    print(f" [{i.risk}] [{i.category}] {i.item}")
    print(f" Command: {i.command} | CIS: {i.cis_ref}")
Compliance Scanning
=== OpenSCAP Compliance Scanning ===
# Install OpenSCAP and the SCAP Security Guide content
dnf install -y openscap-scanner scap-security-guide
# List available profiles in the RHEL 9 datastream
oscap info /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
# Run CIS Benchmark scan
# Exit code 0 = every selected rule passed, 2 = at least one rule failed,
# 1 = the scan itself errored. A CI job must treat 2 as "non-compliant",
# not as a broken scanner.
oscap xccdf eval \
    --profile xccdf_org.ssgproject.content_profile_cis \
    --results /tmp/scan-results.xml \
    --report /tmp/scan-report.html \
    /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
# Remediate automatically
# Run this in the template build, never on a live production VM: the fixes
# change sshd, firewalld, mount options and kernel parameters, and some of
# them only take effect after a reboot.
oscap xccdf eval \
    --profile xccdf_org.ssgproject.content_profile_cis \
    --remediate \
    --results /tmp/remediate-results.xml \
    /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
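Shift left only works if the scan result actually blocks a bad template build. The following is an added example, not code from the page or from the OpenSCAP/SSG projects: it parses the XCCDF results document written by `--results` with the standard library, counts outcomes, and decides whether the build may proceed. The XML is a constructed, trimmed sample in the shape oscap produces (rule ids are SSG-style names used for illustration), and the 95% compliance floor and the "block on any high-severity failure" policy are this example's assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed XCCDF result document, trimmed to the elements used here.
# Not the output of a real scan.
SAMPLE_RESULTS = """\
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_RHEL-9">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_cis">
    <profile idref="xccdf_org.ssgproject.content_profile_cis"/>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" severity="high"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_selinux_state" severity="high"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_service_firewalld_enabled" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_telnet_removed" severity="high"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events" severity="medium"><result>notselected</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_partition_for_tmp" severity="low"><result>notapplicable</result></rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">60.000000</score>
  </TestResult>
</Benchmark>
"""


def _local(tag):
    """Strip the namespace so the same code reads XCCDF 1.1 and 1.2 documents."""
    return tag.rsplit("}", 1)[-1]


def summarize(xml_text):
    """Count rule results and list the rules that did not pass, with severity."""
    root = ET.fromstring(xml_text)
    counts = {}
    failed = []
    for rr in root.iter():
        if _local(rr.tag) != "rule-result":
            continue
        result = next(((c.text or "").strip() for c in rr if _local(c.tag) == "result"), "unknown")
        counts[result] = counts.get(result, 0) + 1
        # 'error' and 'unknown' mean the check could not run; treat them as
        # failures rather than silently improving the score.
        if result in ("fail", "error", "unknown"):
            failed.append({"rule": rr.get("idref"), "severity": rr.get("severity", "unknown"), "result": result})
    # notselected / notapplicable / notchecked are excluded from the denominator.
    evaluated = counts.get("pass", 0) + counts.get("fail", 0)
    compliance = 100.0 * counts.get("pass", 0) / evaluated if evaluated else 0.0
    return {"counts": counts, "failed": failed, "compliance_pct": round(compliance, 1)}


def gate(summary, min_compliance=95.0, block_severities=("high",)):
    """Decide whether the template build may proceed. Returns (ok, reasons)."""
    reasons = []
    if summary["compliance_pct"] < min_compliance:
        reasons.append(f"compliance {summary['compliance_pct']}% below {min_compliance}%")
    for f in summary["failed"]:
        if f["severity"] in block_severities:
            reasons.append(f"{f['severity']} rule {f['result']}: {f['rule']}")
    return (not reasons, reasons)


if __name__ == "__main__":
    # For a real run: summary = summarize(open("/tmp/scan-results.xml").read())
    summary = summarize(SAMPLE_RESULTS)
    ok, reasons = gate(summary)
    print(f"compliance: {summary['compliance_pct']}%  counts: {summary['counts']}")
    for r in reasons:
        print(f"  BLOCK: {r}")
    raise SystemExit(0 if ok else 1)
```

The pipeline step then becomes "run oscap, then run this over /tmp/scan-results.xml and fail the job on a non-zero exit", which is what separates a scan that is merely reported from one that actually prevents a weak template from being published.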
Ansible Compliance Playbook
- name: Check VM Compliance
  hosts: all
  tasks:
    - name: Check SELinux status
      command: getenforce
      register: selinux_status
      changed_when: false
      failed_when: selinux_status.stdout != "Enforcing"

    # With check_mode, lineinfile only reports whether it *would* change the
    # file, so a "changed" result means the setting is missing or wrong.
    - name: Check SSH root login
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PermitRootLogin'
        line: 'PermitRootLogin no'
      check_mode: yes
      register: ssh_root
      failed_when: ssh_root.changed

    - name: Check firewall active
      service:
        name: firewalld
        state: started
      check_mode: yes
      register: fw_status
      failed_when: fw_status.changed
Lynis Security Audit
lynis audit system --quick --no-colors > /tmp/lynis-report.txt
grep "Hardening index" /tmp/lynis-report.txt
from dataclasses import dataclass


@dataclass
class ScanResult:
    category: str
    passed: int
    failed: int
    score: str
    tool: str


# Sample results for a hardened template. Lynis reports only a hardening
# index, so its pass/fail counts stay at zero and are not printed.
results = [
    ScanResult("CIS Level 1", 142, 8, "94.7%", "OpenSCAP"),
    ScanResult("CIS Level 2", 185, 15, "92.5%", "OpenSCAP"),
    ScanResult("STIG", 230, 12, "95.0%", "OpenSCAP"),
    ScanResult("Lynis Hardening", 0, 0, "82/100", "Lynis"),
    ScanResult("CVE Scan", 45, 2, "95.7%", "Trivy"),
    ScanResult("Network Isolation", 12, 0, "100%", "Custom"),
]

print("\n=== Compliance Scan Results ===")
for r in results:
    total = r.passed + r.failed
    print(f" [{r.category}] Score: {r.score} | Tool: {r.tool}")
    if total > 0:
        print(f" Passed: {r.passed} | Failed: {r.failed} | Total: {total}")
Network and Operations
# === oVirt Network Security ===
# VLAN Isolation in oVirt
# 1. Create one Logical Network per zone (Network > Networks > New, with the
#    VLAN tag set and "VM network" enabled):
#    - Management VLAN 10
#    - Production VLAN 20
#    - Database VLAN 30
#    - DMZ VLAN 40
#    - Backup VLAN 50
#
# 2. Attach each Logical Network to the clusters that need it
#    (Compute > Clusters > <cluster> > Logical Networks > Manage Networks,
#    or the equivalent call through the REST API). A network that is not
#    attached to a cluster cannot be selected for any VM in it.
#
# 3. VM Network Assignment (one vNIC per attached network)
#    - Web Server → DMZ VLAN 40 + Production VLAN 20
#    - App Server → Production VLAN 20 + Database VLAN 30
#    - DB Server  → Database VLAN 30 + Backup VLAN 50
#
# A VM with vNICs in two zones is itself a bridge between them: a compromised
# web server has a leg directly on the Production segment. Keep every VM to
# two adjacent tiers at most, never DMZ + Database, leave the drop default
# zone from the hardening script in place and open only the service port on
# the interface that needs it, and enforce tier-to-tier rules on the firewall
# that routes between the VLANs.
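The "Network Isolation" row in the results table above is a custom check, and the zone design just described is exactly what such a check should encode. The following is an added example, not oVirt's code or the page's, that represents the VLAN-to-zone mapping and the VM vNIC inventory as data and flags three design violations: a VM bridging non-adjacent tiers, a workload VM on the management VLAN, and a vNIC on a network with no zone. The network names, the allowed-adjacency set and the inventory are constructed assumptions; in practice the inventory would be pulled from the oVirt REST API (each VM's nics and the vNIC profiles they reference) rather than typed inline.

```python
from itertools import combinations

# Logical network name -> security zone (constructed; matches the VLAN plan above).
NETWORK_ZONE = {
    "mgmt-vlan10": "Management",
    "prod-vlan20": "Production",
    "db-vlan30": "Database",
    "dmz-vlan40": "DMZ",
    "backup-vlan50": "Backup",
}

# Zone pairs a single VM may straddle (unordered). Anything else, e.g. DMZ plus
# Database, lets one compromised VM bypass the tier boundary entirely.
ALLOWED_ADJACENCY = {
    frozenset({"DMZ", "Production"}),
    frozenset({"Production", "Database"}),
    frozenset({"Database", "Backup"}),
}

# Zones reserved for infrastructure (hosts, Engine); no workload VM belongs there.
INFRA_ONLY_ZONES = {"Management"}

# Constructed VM inventory: VM name -> logical networks its vNICs are attached to.
VM_NETWORKS = {
    "web01": ["dmz-vlan40", "prod-vlan20"],
    "app01": ["prod-vlan20", "db-vlan30"],
    "db01": ["db-vlan30", "backup-vlan50"],
    "jump01": ["dmz-vlan40", "db-vlan30"],          # bridges DMZ straight into the DB tier
    "app02": ["prod-vlan20", "mgmt-vlan10"],        # workload VM on the management VLAN
    "legacy01": ["prod-vlan20", "vlan99-unknown"],  # network nobody assigned to a zone
}


def check_isolation(vm_networks, network_zone=NETWORK_ZONE,
                    allowed=ALLOWED_ADJACENCY, infra_only=INFRA_ONLY_ZONES):
    """Return (vm, problem) tuples; an empty list means the design holds."""
    findings = []
    for vm, nets in vm_networks.items():
        zones = set()
        for net in nets:
            zone = network_zone.get(net)
            if zone is None:
                # An unzoned network is an unreviewed path; fail closed.
                findings.append((vm, f"network {net} has no zone; assign one or detach it"))
                continue
            zones.add(zone)
        for zone in sorted(zones & infra_only):
            findings.append((vm, f"workload VM attached to {zone} zone"))
        for a, b in combinations(sorted(zones), 2):
            if frozenset({a, b}) not in allowed:
                findings.append((vm, f"bridges {a} and {b}, which are not adjacent tiers"))
        if len(zones) > 2:
            findings.append((vm, f"spans {len(zones)} zones; the limit is 2"))
    return findings


if __name__ == "__main__":
    problems = check_isolation(VM_NETWORKS)
    for vm, problem in problems:
        print(f"[FAIL] {vm}: {problem}")
    print(f"{len(VM_NETWORKS) - len({vm for vm, _ in problems})} of {len(VM_NETWORKS)} VMs compliant")
```

Run as part of the weekly scan, the check turns the "VLAN: separate zones" tip into something measurable: the inventory changes every time someone adds a vNIC in the Administration Portal, and that is exactly when a bridge between tiers tends to appear.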
from dataclasses import dataclass


@dataclass
class SecurityOps:
    task: str
    frequency: str
    tool: str
    owner: str
    automation: str


ops = [
    SecurityOps("OpenSCAP Scan", "Weekly", "OpenSCAP + Ansible", "Security Team", "Cron + Report"),
    SecurityOps("CVE Patch", "Monthly + Critical ASAP", "dnf update + Ansible", "Ops Team", "Ansible Playbook"),
    SecurityOps("Template Refresh", "Monthly", "oVirt API + Script", "Ops Team", "CI/CD Pipeline"),
    SecurityOps("Audit Log Review", "Daily", "auditd + SIEM", "Security Team", "Automated Alert"),
    SecurityOps("Network Review", "Quarterly", "Firewall Rules Check", "Network Team", "Ansible Audit"),
    SecurityOps("Access Review", "Quarterly", "oVirt RBAC Audit", "Manager", "Report Script"),
    SecurityOps("Backup Verify", "Weekly", "Restore Test", "Ops Team", "Automated Test"),
    SecurityOps("DR Test", "Bi-annually", "Full Failover Test", "All Teams", "Runbook"),
]

print("Security Operations:")
for o in ops:
    print(f" [{o.task}] {o.frequency}")
    print(f" Tool: {o.tool} | Owner: {o.owner}")
    print(f" Automation: {o.automation}")

maturity = {
    "Level 1 (Basic)": "Manual hardening, No scanning, Ad-hoc patches",
    "Level 2 (Managed)": "Hardened templates, Monthly scans, Scheduled patches",
    "Level 3 (Defined)": "Automated scanning, CI/CD templates, SIEM logging",
    "Level 4 (Measured)": "Continuous compliance, Metrics dashboard, Auto-remediate",
    "Level 5 (Optimized)": "Zero Trust, Full automation, Predictive security",
}

print("\n\nSecurity Maturity Model:")
for k, v in maturity.items():
    print(f" [{k}]: {v}")
Tips
- Template: build a hardened template and create every new VM from it
- Scan: run an OpenSCAP scan every week and fix findings immediately
- VLAN: separate network zones with VLANs; never mix zones on one segment
- Audit: enable auditd on every VM and ship the logs to the SIEM
- Automate: drive every security task with Ansible
What is oVirt
oVirt is an open-source virtualization platform built on KVM and libvirt: a web UI, the Engine and the VDSM host agent, live migration, HA, storage domains on NFS or iSCSI, VLANs and bonding. It is a free alternative to VMware.