
oVirt Virtualization Shift Left Security

2026-01-20 · อ. บอม, SiamCafe.net · 8,084 words

oVirt Security

Tags: oVirt, Virtualization, Shift Left Security, KVM, libvirt, VM Hardening, Template, Network Isolation, Compliance, OpenSCAP, CIS Benchmark, Audit, Production

| Security Layer | Traditional       | Shift Left               | Tool            | Frequency       |
|----------------|-------------------|--------------------------|-----------------|-----------------|
| VM Template    | After deploy      | Before creating template | CIS Benchmark   | Every template  |
| Image Scan     | Not done          | Before deploy            | OpenSCAP, Trivy | Every build     |
| Network        | After deploy      | At design time           | VLAN, firewall  | Every change    |
| Secrets        | Hard-coded        | Vault from the start     | HashiCorp Vault | Every provision |
| Compliance     | Yearly audit      | Continuous scan          | OpenSCAP, Lynis | Weekly          |
| Logging        | After an incident | From day one             | rsyslog, auditd | Real-time       |

VM Hardening

# === oVirt VM Hardening Script ===

```bash
#!/bin/bash
# VM Hardening Script, CIS Benchmark based.
# Run inside the template VM (RHEL 9 family) before sealing it, never on a live production VM.
set -euo pipefail

# 1. Update all packages
dnf update -y

# 2. Disable unnecessary services (skip units that are not installed so the script does not abort)
for unit in cups avahi-daemon postfix bluetooth; do
    if systemctl list-unit-files "${unit}.service" --no-legend | grep -q "${unit}"; then
        systemctl disable --now "${unit}"
    fi
done

# 3. SSH hardening
# RHEL 9 sshd_config begins with "Include /etc/ssh/sshd_config.d/*.conf" and sshd keeps the
# FIRST value it sees for each keyword, so a drop-in that sorts first wins over both the main
# file and 50-redhat.conf. Editing sshd_config with sed only works on systems without the Include.
mkdir -p /etc/ssh/sshd_config.d
cat > /etc/ssh/sshd_config.d/00-hardening.conf << 'EOF'
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
AllowGroups sshusers
EOF
# AllowGroups locks out everyone not in the group: create it and add admins (usermod -aG sshusers <user>)
getent group sshusers >/dev/null || groupadd sshusers
sshd -t                     # validate the config first; a typo here means losing remote access
systemctl restart sshd

# 4. Firewall: allow only needed ports.
# Add the rules to the permanent config first, then switch the default zone, so SSH is never closed.
firewall-cmd --permanent --zone=drop --add-service=ssh
firewall-cmd --permanent --zone=drop --add-port=443/tcp
firewall-cmd --set-default-zone=drop
firewall-cmd --reload

# 5. SELinux enforcing (config file for the next boot, setenforce for the running system)
sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
setenforce 1

# 6. Audit rules (written with > rather than >> so re-running the script does not duplicate rules)
cat > /etc/audit/rules.d/hardening.rules << 'EOF'
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k sudo_changes
-w /etc/sudoers.d/ -p wa -k sudo_changes
-w /var/log/ -p wa -k log_changes
# execve logging is high volume; keep it only if the SIEM can absorb it, and log both ABIs
-a always,exit -F arch=b64 -S execve -k command_exec
-a always,exit -F arch=b32 -S execve -k command_exec
EOF
augenrules --load

# 7. Sysctl hardening (set both "all" and "default" so existing and future interfaces match)
cat > /etc/sysctl.d/99-hardening.conf << 'EOF'
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
kernel.randomize_va_space = 2
fs.suid_dumpable = 0
EOF
sysctl --system

# 8. Next step, done from the oVirt Admin Portal / API: create the template with "Seal" enabled so
# every clone gets a fresh machine-id and fresh SSH host keys instead of copies of this VM's.
```

```python
from dataclasses import dataclass

@dataclass
class HardeningItem:
    category: str
    item: str
    command: str   # the setting or command that implements the control
    cis_ref: str   # CIS Benchmark section the item is mapped to
    risk: str

items = [
    HardeningItem("SSH", "Disable Root Login", "PermitRootLogin no", "5.2.10", "Critical"),
    HardeningItem("SSH", "Key Only Auth", "PasswordAuthentication no", "5.2.4", "Critical"),
    HardeningItem("Firewall", "Default Drop", "firewall-cmd --set-default-zone=drop", "3.4.1", "High"),
    HardeningItem("SELinux", "Enforcing Mode", "setenforce 1", "1.6.1", "Critical"),
    HardeningItem("Audit", "File Monitoring", "auditd -w rules for /etc/passwd, /etc/shadow, /etc/sudoers", "4.1.3", "High"),
    HardeningItem("Network", "Disable ICMP Redirect", "sysctl net.ipv4.conf.all.accept_redirects=0", "3.3.2", "Medium"),
    HardeningItem("Services", "Disable Unused", "systemctl disable --now cups avahi-daemon", "2.2.x", "Medium"),
    HardeningItem("Packages", "Remove Unnecessary", "dnf remove telnet", "2.3.x", "Medium"),
]

print("=== VM Hardening Checklist ===")
for i in items:
    print(f"  [{i.risk}] [{i.category}] {i.item}")
    print(f"    Command: {i.command} | CIS: {i.cis_ref}")
```
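The audit watches in the hardening script only pay off if something reads the records back: auditd writes several lines per event (SYSCALL, CWD, PATH) that share one serial number, and the interesting fields are split across them. The following is an added example, not code from the original page, that correlates those records into one alert per event for the `identity` and `sudo_changes` keys. The log lines are constructed by hand in audit.log format with some fields trimmed; the timestamps, serials and inode numbers are made up.

```python
"""Correlate auditd records for the watches set in the hardening script
(keys "identity" and "sudo_changes") into one alert per event.
Added example; the log lines below are constructed, not captured."""
import re
from collections import defaultdict

# Constructed sample: two watched events (the second one denied) and one execve event we ignore.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1737350000.101:5001): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=2100 pid=2188 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="identity"
type=CWD msg=audit(1737350000.101:5001): cwd="/root"
type=PATH msg=audit(1737350000.101:5001): item=0 name="/etc/" inode=131073 dev=fd:00 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1737350000.101:5001): item=1 name="/etc/shadow" inode=131210 dev=fd:00 mode=0100000 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1737350005.222:5002): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=3000 pid=3011 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=5 comm="tee" exe="/usr/bin/tee" key="sudo_changes"
type=CWD msg=audit(1737350005.222:5002): cwd="/home/dev"
type=PATH msg=audit(1737350005.222:5002): item=0 name="/etc/sudoers" inode=131300 dev=fd:00 mode=0100440 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1737350009.333:5003): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2100 pid=2190 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key="command_exec"
type=EXECVE msg=audit(1737350009.333:5003): argc=2 a0="ls" a1="-la"
type=PATH msg=audit(1737350009.333:5003): item=0 name="/usr/bin/ls" inode=5000 dev=fd:00 mode=0100755 ouid=0 ogid=0 nametype=NORMAL
"""

# Keys from the hardening rules and the base severity of a change under each one
WATCH_KEYS = {"identity": "medium", "sudo_changes": "high"}
RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit.log line into (type, timestamp, serial, {field: value}); None if not a record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
    return m.group("type"), float(m.group("ts")), int(m.group("serial")), fields


def group_events(lines):
    """All records that share an audit serial belong to one event."""
    events = defaultdict(lambda: {"syscall": None, "paths": [], "ts": None})
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, ts, serial, fields = rec
        ev = events[serial]
        ev["ts"] = ts
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "PATH" and fields.get("nametype") != "PARENT":
            ev["paths"].append(fields.get("name"))   # the file touched, not its parent directory
    return events


def alerts_for(lines):
    """One alert per event whose SYSCALL record carries a watched key, in serial order."""
    out = []
    for serial, ev in sorted(group_events(lines).items()):
        sc = ev["syscall"]
        if not sc or sc.get("key") not in WATCH_KEYS:
            continue
        denied = sc.get("success") == "no"
        out.append({
            "serial": serial,
            "key": sc["key"],
            # a denied write to shadow/sudoers is someone probing for privilege, so it always rates high
            "severity": "high" if denied else WATCH_KEYS[sc["key"]],
            "denied": denied,
            "auid": sc.get("auid"), "uid": sc.get("uid"),   # auid = the login user, even under sudo
            "comm": sc.get("comm"), "exe": sc.get("exe"),
            "files": ev["paths"],
        })
    return out


if __name__ == "__main__":
    for a in alerts_for(SAMPLE_AUDIT_LOG.splitlines()):
        flag = "DENIED " if a["denied"] else ""
        print(f"[{a['severity']}] {flag}{a['key']}: auid={a['auid']} uid={a['uid']} {a['comm']} -> {a['files']}")
```

The `auid` field is the one to key alerts on: it survives `sudo` and `su`, so the alert names the person who logged in rather than the root account they became. In production this logic runs on the SIEM side over forwarded records (or via `ausearch -k identity --format csv` on the host); the point is that the rules written at template time already define the alert keys.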

Compliance Scanning

# === OpenSCAP Compliance Scanning ===

```bash
# Install OpenSCAP and the SCAP Security Guide content
dnf install -y openscap-scanner scap-security-guide

# List available profiles (cis, cis_server_l1, stig, ...)
oscap info /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml

# Run the CIS Benchmark scan.
# Exit code: 0 = every rule passed, 1 = scanner error, 2 = at least one rule failed,
# so a CI job can fail the template build on exit code 2.
oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis \
  --results /tmp/scan-results.xml \
  --report /tmp/scan-report.html \
  /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml

# Remediate automatically. Do this on the template build VM, not on production:
# remediation rewrites configs and restarts services, and some fixes (firewall, SSH,
# partition and bootloader rules) can cut off access or need a reboot. Re-scan afterwards.
oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis \
  --remediate \
  /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
```

Ansible compliance playbook (every task only checks, so it is safe to run against production VMs to find drift from the template):

```yaml
- name: Check VM Compliance
  hosts: all
  become: true
  tasks:
    - name: Check SELinux status
      command: getenforce
      register: selinux_status
      changed_when: false
      failed_when: selinux_status.stdout != "Enforcing"

    - name: Check SSH root login in sshd_config (file check)
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PermitRootLogin'
        line: 'PermitRootLogin no'
      check_mode: yes
      register: ssh_root
      failed_when: ssh_root.changed

    # Drop-ins under sshd_config.d can override the main file, so also check
    # the effective configuration sshd actually runs with
    - name: Check effective sshd settings
      command: sshd -T
      register: sshd_effective
      changed_when: false
      failed_when: >-
        'permitrootlogin no' not in sshd_effective.stdout or
        'passwordauthentication no' not in sshd_effective.stdout

    - name: Check firewall active and enabled
      service:
        name: firewalld
        state: started
        enabled: yes
      check_mode: yes
      register: fw_status
      failed_when: fw_status.changed
```

Lynis security audit:

```bash
lynis audit system --quick --no-colors > /tmp/lynis-report.txt
grep "Hardening index" /tmp/lynis-report.txt
```

```python
from dataclasses import dataclass

@dataclass
class ScanResult:
    category: str
    passed: int
    failed: int
    score: str
    tool: str

results = [
    ScanResult("CIS Level 1", 142, 8, "94.7%", "OpenSCAP"),
    ScanResult("CIS Level 2", 185, 15, "92.5%", "OpenSCAP"),
    ScanResult("STIG", 230, 12, "95.0%", "OpenSCAP"),
    ScanResult("Lynis Hardening", 0, 0, "82/100", "Lynis"),   # Lynis reports an index, not pass/fail counts
    ScanResult("CVE Scan", 45, 2, "95.7%", "Trivy"),
    ScanResult("Network Isolation", 12, 0, "100%", "Custom"),
]

print("\n=== Compliance Scan Results ===")
for r in results:
    total = r.passed + r.failed if r.passed > 0 else 0
    print(f"  [{r.category}] Score: {r.score} | Tool: {r.tool}")
    if total > 0:
        print(f"    Passed: {r.passed} | Failed: {r.failed} | Total: {total}")
```
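The table above carries the pass/fail counts as literals. In a pipeline they should come from the `--results` file that `oscap xccdf eval` writes, which is XCCDF 1.2: one `rule-result` element per rule with an `idref`, a `severity` attribute and a `result` child. The following is an added example, not code from the original page or from OpenSCAP, that reads such a file, computes the score over the rules that actually applied (`notapplicable` and `notselected` are excluded), and lists the failures worth fixing first. The XML is a hand-constructed fragment in the shape of that output; the rule ids are placeholders.

```python
"""Compute a compliance score from an OpenSCAP XCCDF results file rather than
hard-coding the counts. Added example; the XML below is constructed by hand."""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample: a minimal TestResult with five rule-result elements
SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_RHEL-9">
  <TestResult id="xccdf_org.open-scap_testresult_cis">
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_selinux_state" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_telnet_removed" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_password" severity="high">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies" severity="medium">
      <result>fail</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}


def parse_results(xml_text):
    """Return [(rule_id, severity, result)] for every rule-result in the TestResult."""
    root = ET.fromstring(xml_text)
    out = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", XCCDF_NS):
        res = rr.find("x:result", XCCDF_NS)
        result = res.text.strip() if res is not None and res.text else "unknown"
        out.append((rr.get("idref"), rr.get("severity", "unknown"), result))
    return out


def score(rule_results):
    """Pass rate over applicable rules only; notapplicable/notselected neither help nor hurt."""
    counts = Counter(r for _, _, r in rule_results)
    applicable = counts["pass"] + counts["fail"]
    pct = 100.0 * counts["pass"] / applicable if applicable else 0.0
    return {"pass": counts["pass"], "fail": counts["fail"], "score": round(pct, 1)}


def failed_rules(rule_results, min_severity="medium"):
    """Failed rules at or above min_severity, highest severity first, then by id."""
    limit = SEVERITY_ORDER[min_severity]
    failed = [(rid, sev) for rid, sev, res in rule_results
              if res == "fail" and SEVERITY_ORDER.get(sev, 4) <= limit]
    return sorted(failed, key=lambda t: (SEVERITY_ORDER.get(t[1], 4), t[0]))


if __name__ == "__main__":
    rr = parse_results(SAMPLE_RESULTS)
    print(score(rr))
    for rid, sev in failed_rules(rr, "medium"):
        print(f"  [{sev}] {rid}")
```

Wire this into the weekly job as the gate: fail the build when any `high` rule fails, and track the score over time so a template refresh that lowers it is caught before it is promoted.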

Network and Operations

# === oVirt Network Security ===

VLAN isolation in oVirt

1. Create one logical network per zone, each with its VLAN tag set (Network > Networks > New):
   - Management  VLAN 10
   - Production  VLAN 20
   - Database    VLAN 30
   - DMZ         VLAN 40
   - Backup      VLAN 50

2. Assign the networks to clusters and hosts (Compute > Clusters > Logical Networks > Manage Networks, or the REST API). engine-config sets engine-wide options and is not the tool for attaching networks to a cluster.

3. VM network assignment through vNIC profiles:
   - Web server → DMZ VLAN 40 + Production VLAN 20
   - App server → Production VLAN 20 + Database VLAN 30
   - DB server  → Database VLAN 30 + Backup VLAN 50

   Caveat: a VM with vNICs in two zones is itself a path between those zones that bypasses the firewall. Keep ip_forward off in those guests, apply a network filter on the vNIC profile, and never give a management vNIC to a VM that also sits in the DMZ. A compromised dual-homed VM can still pivot, so the zoning plan is only as good as the audit that catches unplanned pairs.
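The "Network Isolation" row in the scan results above is listed as a custom check. One way to implement it is to pull every VM's vNICs, resolve each to its logical network and VLAN, and compare the resulting zone set against the pairs the design allows. The following is an added example, not code from the original page or from oVirt: the network and VM data is constructed by hand in the shape a script would build from the oVirt REST API (vm → nics → vnic_profile → network), and the VM names, network names and allowed-pair policy are assumptions.

```python
"""Audit oVirt vNIC assignments against the VLAN zoning plan.
Added example; NETWORKS and VMS below are constructed, not fetched from an engine."""

# Zoning plan from the design above: VLAN id -> zone name
ZONES = {10: "management", 20: "production", 30: "database", 40: "dmz", 50: "backup"}

# Zone pairs a single VM may be attached to at once (from the VM assignment list).
# Any other combination is a bridge between zones that bypasses the firewall.
ALLOWED_PAIRS = {
    frozenset({"dmz", "production"}),
    frozenset({"production", "database"}),
    frozenset({"database", "backup"}),
}

# Constructed sample: logical network name -> VLAN tag (None = untagged network)
NETWORKS = {
    "ovirtmgmt": 10, "prod": 20, "db": 30, "dmz": 40, "backup": 50, "lab-flat": None,
}

# Constructed sample: VM name -> logical networks its vNICs attach to
VMS = {
    "web01": ["dmz", "prod"],
    "app01": ["prod", "db"],
    "db01": ["db", "backup"],
    "jump01": ["ovirtmgmt", "dmz"],       # management vNIC on a DMZ-facing VM
    "test01": ["lab-flat"],               # untagged network: no isolation at all
    "bk01": ["backup", "dmz", "prod"],    # three zones on one VM
}


def zones_of(vm_networks, networks=NETWORKS):
    """Map a VM's networks to zone names; untagged networks map to 'untagged'."""
    zones = set()
    for net in vm_networks:
        vlan = networks.get(net)
        zones.add("untagged" if vlan is None else ZONES.get(vlan, "unknown-vlan"))
    return zones


def audit(vms=VMS, networks=NETWORKS, allowed=ALLOWED_PAIRS):
    """Return a list of (vm, reason) findings, ordered by VM name."""
    findings = []
    for vm, nets in sorted(vms.items()):
        zones = zones_of(nets, networks)
        if "untagged" in zones:
            findings.append((vm, "vNIC on an untagged network"))
        if "management" in zones and len(zones) > 1:
            findings.append((vm, "management vNIC on a VM that also sits in another zone"))
        tagged = zones - {"untagged"}
        # two zones are fine only if the design lists the pair; three or more never are
        if len(tagged) > 2 or (len(tagged) == 2 and frozenset(tagged) not in allowed):
            findings.append((vm, f"bridges zones {sorted(tagged)}"))
    return findings


if __name__ == "__main__":
    for vm, reason in audit():
        print(f"  [FAIL] {vm}: {reason}")
```

Run it from the same cron job as the OpenSCAP scan and count a VM with any finding as a failed check; the allowed-pair set is the one place the zoning policy lives, so a new tier means editing it there and nowhere else.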

```python
from dataclasses import dataclass

@dataclass
class SecurityOps:
    task: str
    frequency: str
    tool: str
    owner: str
    automation: str

ops = [
    SecurityOps("OpenSCAP Scan", "Weekly", "OpenSCAP + Ansible", "Security Team", "Cron + Report"),
    SecurityOps("CVE Patch", "Monthly + Critical ASAP", "dnf update + Ansible", "Ops Team", "Ansible Playbook"),
    SecurityOps("Template Refresh", "Monthly", "oVirt API + Script", "Ops Team", "CI/CD Pipeline"),
    SecurityOps("Audit Log Review", "Daily", "auditd + SIEM", "Security Team", "Automated Alert"),
    SecurityOps("Network Review", "Quarterly", "Firewall Rules Check", "Network Team", "Ansible Audit"),
    SecurityOps("Access Review", "Quarterly", "oVirt RBAC Audit", "Manager", "Report Script"),
    SecurityOps("Backup Verify", "Weekly", "Restore Test", "Ops Team", "Automated Test"),
    SecurityOps("DR Test", "Bi-annually", "Full Failover Test", "All Teams", "Runbook"),
]

print("Security Operations:")
for o in ops:
    print(f"  [{o.task}] {o.frequency}")
    print(f"    Tool: {o.tool} | Owner: {o.owner}")
    print(f"    Automation: {o.automation}")

maturity = {
    "Level 1 (Basic)": "Manual hardening, No scanning, Ad-hoc patches",
    "Level 2 (Managed)": "Hardened templates, Monthly scans, Scheduled patches",
    "Level 3 (Defined)": "Automated scanning, CI/CD templates, SIEM logging",
    "Level 4 (Measured)": "Continuous compliance, Metrics dashboard, Auto-remediate",
    "Level 5 (Optimized)": "Zero Trust, Full automation, Predictive security",
}

print("\n\nSecurity Maturity Model:")
for k, v in maturity.items():
    print(f"  [{k}]: {v}")
```

Tips

What is oVirt?

oVirt is open-source virtualization built on KVM and libvirt: a web UI and Engine, VDSM on the hosts, live migration, HA, storage domains on NFS or iSCSI, VLANs and bonding. It is a free alternative to VMware.

What is Shift Left Security?

Security from the first step instead of after deployment: hardened templates, image scanning, network isolation, secrets management, compliance checks and audit logging.

How do you harden a VM template?

Disable unneeded services, SSH key-only authentication, SELinux enforcing, firewall default drop, audit rules, syslog forwarding, CIS Benchmark settings, a sealed template and up-to-date packages.

How do you check compliance?

OpenSCAP for CIS and STIG, Ansible for configuration drift, the Lynis hardening index, Trivy for CVEs, network checks (firewall and VLAN), automated reports and remediation ordered by priority.

Summary

oVirt shift-left security: KVM with hardened templates, OpenSCAP CIS Benchmark scans, VLAN isolation, auditd, Ansible compliance scans and production operations.
