Hello team,
Due to the security policy at our customer's company there is a need to implement some
changes on the machines in their oVirt cluster (Standalone Engine + 2 KVM Hosts).
1. The home drives of user sanlock (/var/run/sanlock) and gluster (/run/gluster) have
permissions of 775. We would like to have them at least 755 if not stricter. Is that
possible?
2. The NFS mount of the storage has 'nodev' and 'nosuid' disabled. Is it safe to use those options
for the NFS storage domain?
3. Usually bridged routing is not allowed on managed servers. The security scan asks us to set
the following four parameters to 0:
Network Parameter "net.ipv4.conf.all.send_redirects" = 1 (expected: 0)
Network Parameter "net.ipv4.conf.all.secure_redirects" = 1 (expected: 0)
Network Parameter "net.ipv6.conf.all.accept_redirects" = 1 (expected: 0)
Network Parameter "net.ipv4.conf.all.accept_redirects" = 1 (expected: 0)
Would changing them interfere with ovirtmgmt network?
Those are valid for all three machines in the cluster.
On the engine though there is httpd installed now and we have some findings there too:
1. There are modules installed that are on a blacklist. Can they be removed? The modules
are:
mod_dav_lock
mod_userdir
mod_include
mod_dav_fs
mod_autoindex
mod_dav
mod_info
2. HTTP traces should be blocked, so we would set "TraceEnable" to off in the virtual host
config. If HTTP traces are needed we would have to limit the verbs that are allowed.
3. Apache version information should be turned off to not inform potential attackers of
which web server is running. Is that a problem for oVirt?
4. TLSv1.0 and TLSv1.1 are enabled but should be turned off.
5. HSTS should be turned on but is not yet.
6. Can we use the X-Frame-Options header to append X-Frame-Options DENY (or SAMEORIGIN or at
least ALLOW-FROM)?
7. Can we implement the X-Content-Type-Options HTTP header with "nosniff"?
8. Can we implement the X-XSS-Protection header with "1; mode=block"?
I know, this is quite a bit. But maybe you know the answers.
BR
Aleksandr
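As an added example, not part of Aleksandr's mail and not oVirt's own code, here is a small POSIX shell audit for two of the findings above: the four ICMP redirect sysctls, and the httpd items (TraceEnable, the version banner, TLSv1.0/1.1, HSTS and the three X- headers). It assumes only standard `sysctl`, `awk` and `grep` on the machines. The sysctl snapshot and the two vhost fragments are constructed samples, and the drop-in file name and the httpd config path mentioned in the comments are suggestions, not paths taken from oVirt.

```shell
#!/bin/sh
# Audit helpers for two findings above: the ICMP redirect sysctls and the httpd
# hardening items. Example code, not oVirt's; config fragments are constructed.

# ---- 1. ICMP redirect sysctls the scan expects to be 0 ----------------------
# These only change how the host sends/accepts ICMP redirects; layer-2 bridging
# does not depend on them.
REDIRECT_SYSCTLS="net.ipv4.conf.all.send_redirects net.ipv4.conf.all.secure_redirects
net.ipv6.conf.all.accept_redirects net.ipv4.conf.all.accept_redirects"

# check_sysctl FILE: FILE holds "key = value" lines as printed by 'sysctl -a'.
# Prints each listed parameter that is missing or not 0; returns 1 if any.
check_sysctl() {
    _file=$1; _bad=0
    for _key in $REDIRECT_SYSCTLS; do
        _val=$(awk -v k="$_key" '$1 == k { print $3 }' "$_file")
        if [ "$_val" != "0" ]; then
            echo "$_key = ${_val:-<missing>} (expected: 0)"; _bad=1
        fi
    done
    return $_bad
}

# render_sysctl_dropin: content for a persistent drop-in such as
# /etc/sysctl.d/99-no-redirects.conf (file name is a suggestion, not an oVirt path).
render_sysctl_dropin() {
    for _key in $REDIRECT_SYSCTLS; do echo "$_key = 0"; done
}

# write_sysctl_snapshot FILE: constructed 'sysctl -a' excerpt matching the scan.
write_sysctl_snapshot() {
    cat > "$1" <<'EOF'
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.ip_forward = 0
net.ipv6.conf.all.accept_redirects = 1
EOF
}

# ---- 2. httpd hardening directives -------------------------------------------
# _require FILE REGEX LABEL: fail (naming the item) unless a directive line matches.
_require() {
    grep -Eiq "^[[:space:]]*$2" "$1" && return 0
    echo "missing: $3"; return 1
}

# check_httpd FILE: checks an httpd config for the directives the scan asks for.
# Prints each missing or weak item; returns 1 if any.
check_httpd() {
    _file=$1; _bad=0
    _require "$_file" 'TraceEnable[[:space:]]+off' 'TraceEnable Off' || _bad=1
    _require "$_file" 'ServerTokens[[:space:]]+Prod' 'ServerTokens Prod' || _bad=1
    _require "$_file" 'ServerSignature[[:space:]]+off' 'ServerSignature Off' || _bad=1
    _require "$_file" 'Header[[:space:]]+always[[:space:]]+set[[:space:]]+Strict-Transport-Security' 'HSTS header' || _bad=1
    _require "$_file" 'Header[[:space:]]+always[[:space:]]+set[[:space:]]+X-Frame-Options' 'X-Frame-Options header' || _bad=1
    _require "$_file" 'Header[[:space:]]+always[[:space:]]+set[[:space:]]+X-Content-Type-Options[[:space:]]+"nosniff"' 'X-Content-Type-Options nosniff' || _bad=1
    _require "$_file" 'Header[[:space:]]+always[[:space:]]+set[[:space:]]+X-XSS-Protection[[:space:]]+"1; mode=block"' 'X-XSS-Protection header' || _bad=1
    # SSLProtocol must not leave TLSv1/TLSv1.1 enabled: either an explicit
    # TLSv1.2+ list, or "all" combined with both "-TLSv1" and "-TLSv1.1".
    awk 'BEGIN { ok = 1 }
         tolower($1) == "sslprotocol" {
             found = 1; all = m1 = m11 = 0
             for (i = 2; i <= NF; i++) {
                 t = tolower($i)
                 if (t == "all") all = 1
                 else if (t == "-tlsv1") m1 = 1
                 else if (t == "-tlsv1.1") m11 = 1
                 else if (t ~ /^[+]?tlsv1([.]1)?$/) ok = 0
             }
             if (all && !(m1 && m11)) ok = 0
         }
         END { exit ((found && ok) ? 0 : 1) }' "$_file" \
        || { echo "weak: SSLProtocol allows TLSv1/TLSv1.1 or is unset"; _bad=1; }
    return $_bad
}

# write_weak_httpd / write_hardened_httpd FILE: constructed vhost fragments,
# before and after the changes the scan asks for.
write_weak_httpd() {
    cat > "$1" <<'EOF'
<VirtualHost *:443>
    SSLProtocol all -SSLv3
    TraceEnable on
</VirtualHost>
EOF
}
write_hardened_httpd() {
    cat > "$1" <<'EOF'
ServerTokens Prod
ServerSignature Off
TraceEnable Off
<VirtualHost *:443>
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-XSS-Protection "1; mode=block"
</VirtualHost>
EOF
}
# Live use: sysctl -a > /tmp/s.txt && check_sysctl /tmp/s.txt
#           check_httpd /etc/httpd/conf.d/ssl.conf   (path is an assumption)
```

On each of the three machines, feed `check_sysctl` the output of `sysctl -a`; the drop-in from `render_sysctl_dropin` keeps the values across reboots and `sysctl --system` reloads it. `check_httpd` takes the engine's SSL vhost file (the exact path differs per installation) and reports every directive the scan would still flag, so the weak fragment fails on all eight items and the hardened one passes.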