On Tue, Mar 9, 2021, 14:21 Ales Musil <amusil(a)redhat.com> wrote:
On Tue, Mar 9, 2021 at 12:24 PM <scroodj(a)gmail.com> wrote:
> Hello team,
>
> Due to the security policy in our customer's company there is a need to
> implement some changes into machines in their oVirt cluster (Standalone
> Engine + 2 KVM Host).
>
> 1. The home drives of user sanlock (/var/run/sanlock) and gluster
> (/run/gluster) have permission of 775.
> We would like to have them at least 755 if not stricter. Is that possible?
Sanlock uses 0775 for a good reason. Sanlock is started as root, and it needs
permissions to create the pid file before dropping privileges. It may be
possible to solve this with a better selinux policy, but nobody has contributed
this.
Can you explain what the actual issue with this configuration is?
> 2. NFS mount of storage has 'nodev' and 'nosuid' disabled. Is it
> safe to use those options for an NFS Storage domain?
We never tried; you can try to add these options on the engine side: Domains >
Manage > Mount options
Nir
> 3. Usually bridged routing is not allowed on managed servers. Security
> scan asks us to set the following four parameters to 0
> Network Parameter "net.ipv4.conf.all.send_redirects" = 1 (expected: 0)
> Network Parameter "net.ipv4.conf.all.secure_redirects" = 1 (expected: 0)
> Network Parameter "net.ipv6.conf.all.accept_redirects" = 1 (expected: 0)
> Network Parameter "net.ipv4.conf.all.accept_redirects" = 1 (expected: 0)
> Would changing them interfere with ovirtmgmt network?
>
Hi,
I cannot answer the storage questions, but there is one thing to be aware
of about 3.
Depending on oVirt version under 4.4, we are using ipv6 accept_redirects to configure and detect
oVirt 4.4 and newer is not using this directly. Anyway if you don't plan
to use an ipv6 autoconf it should be fine.
Best regards,
Ales
>
> Those are valid for all three machines in the cluster.
> On the engine though there is httpd installed now and we have some
> findings there too:
>
> 1. There are modules installed that are on a blacklist. Can they be
> removed? The modules are:
> mod_dav_lock
> mod_userdir
> mod_include
> mod_dav_fs
> mod_autoindex
> mod_dav
> mod_info
> 2. HTTP traces should be blocked so we would set “TraceEnable” to
> off in virtual host config. If HTTP traces are needed we would have to
> limit the verbs that are allowed.
> 3. Apache version information should be turned off to not inform
> potential attackers of which web server is running. Is that a problem for
> oVirt?
> 4. TLSv1.0 and TLSv1.1 are enabled but should be turned off.
> 5. HSTS should be turned on but is not yet.
> 6. Can we use X-Frame-Options header to append X-Frame-Options DENY
> (or SAMEORIGIN or at least ALLOW-FROM)?
> 7. Can we implement the X-Content-Type-Options HTTP header with
> “nosniff”?
> 8. Can we implement the X-XSS-Protection header with “1; mode=block”?
>
> I know, this is quite a bit. But maybe you know the answers.
>
> BR
> Aleksandr
> _______________________________________________
> Users mailing list -- users(a)ovirt.org
> To unsubscribe send an email to users-leave(a)ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
> List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/RKQH3IGOXAM...
>
--
Ales Musil
Software Engineer - RHV Network
Red Hat EMEA <https://www.redhat.com>
amusil(a)redhat.com IM: amusil
<https://red.ht/sig>
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/FO2XSKLVWEJ...
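An added example, not from this thread and not oVirt project code, that turns the scan findings discussed above (nodev/nosuid on the NFS storage domain mount, the four ICMP redirect sysctls, and the httpd version/header findings) into offline checks. Each function takes one line, or one header block, of the kind `cat /proc/mounts`, `sysctl` or `curl -I` prints, and returns 0 when the expectation is met, 1 when it is not, and 2 when the input is not relevant to that check. The sample inputs are constructed; the hostname, export path and mount point in them are made up, and the `X-Frame-Options` value of `SAMEORIGIN` is this example's assumption, not something the thread settles.

```shell
#!/bin/sh
# Added example, not part of the thread or of oVirt: offline checks for the
# scan findings. Each check returns 0 = hardened, 1 = weak, 2 = not applicable.

# NFS storage domain: the mount options must include nodev and nosuid.
# Input: one line in /proc/mounts format (device mountpoint fstype opts ...).
check_nfs_mount_line() {
    opts=$(printf '%s\n' "$1" | awk '$3 ~ /^nfs/ { print $4 }')
    [ -n "$opts" ] || return 2            # not an NFS mount line
    case ",$opts," in *,nodev,*) ;; *) return 1 ;; esac
    case ",$opts," in *,nosuid,*) return 0 ;; *) return 1 ;; esac
}

# Finding 3: each of the four redirect sysctls must be 0.
# Input: one "key = value" line as printed by sysctl(8).
check_sysctl_line() {
    key=${1%% = *}
    val=${1##* = }
    case "$key" in
        net.ipv4.conf.all.send_redirects|net.ipv4.conf.all.secure_redirects|\
        net.ipv4.conf.all.accept_redirects|net.ipv6.conf.all.accept_redirects)
            [ "$val" = "0" ] ;;
        *) return 2 ;;
    esac
}

# Findings 3-8 on httpd: no version in the Server header, hardening headers set.
# Input: the response header block as printed by curl -I (CRLF tolerated).
check_http_headers() {
    hdrs=$(printf '%s\n' "$1" | tr -d '\r')
    missing=""
    for h in Strict-Transport-Security X-Frame-Options X-Content-Type-Options X-XSS-Protection; do
        printf '%s\n' "$hdrs" | grep -qi "^$h:" || missing="$missing $h"
    done
    # ServerTokens Prod yields "Server: Apache"; any digit means a version leak.
    if printf '%s\n' "$hdrs" | grep -i '^Server:' | grep -q '[0-9]'; then
        missing="$missing Server-version"
    fi
    [ -z "$missing" ] && return 0
    printf 'weak:%s\n' "$missing" >&2
    return 1
}

# Constructed sample inputs (not captured from a real cluster; names made up).
SAMPLE_MOUNT_WEAK='nfs.example:/exports/sd1 /rhev/data-center/mnt/nfs.example:_exports_sd1 nfs4 rw,relatime,vers=4.2,soft,timeo=600 0 0'
SAMPLE_MOUNT_OK='nfs.example:/exports/sd1 /rhev/data-center/mnt/nfs.example:_exports_sd1 nfs4 rw,nosuid,nodev,relatime,vers=4.2,soft,timeo=600 0 0'
SAMPLE_SYSCTL_WEAK='net.ipv4.conf.all.send_redirects = 1'
SAMPLE_SYSCTL_OK='net.ipv6.conf.all.accept_redirects = 0'
SAMPLE_HDRS_WEAK='HTTP/1.1 200 OK
Server: Apache/2.4.37 (centos)
Content-Type: text/html'
SAMPLE_HDRS_OK='HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: text/html'

# One PASS/FAIL line per sample so the script is informative when run directly.
report() {
    name=$1; shift
    if "$@" 2>/dev/null; then echo "PASS $name"; else echo "FAIL $name"; fi
}
report nfs-weak    check_nfs_mount_line "$SAMPLE_MOUNT_WEAK"
report nfs-ok      check_nfs_mount_line "$SAMPLE_MOUNT_OK"
report sysctl-weak check_sysctl_line    "$SAMPLE_SYSCTL_WEAK"
report sysctl-ok   check_sysctl_line    "$SAMPLE_SYSCTL_OK"
report httpd-weak  check_http_headers   "$SAMPLE_HDRS_WEAK"
report httpd-ok    check_http_headers   "$SAMPLE_HDRS_OK"
```

On a live host, feed the functions `grep ' nfs' /proc/mounts`, `sysctl net.ipv4.conf.all.send_redirects` (and the other three keys) and `curl -skI https://<engine>/ovirt-engine/` instead of the samples. `TraceEnable` is not visible in response headers; check it with `curl -sk -X TRACE -o /dev/null -w '%{http_code}\n' https://<engine>/`, which returns 405 once tracing is off.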
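A second added example, again not oVirt project code, showing the remediation side of the same findings as drop-in files: a `sysctl.d` fragment for the four redirect parameters and a separate `httpd` `conf.d` fragment for findings 2 to 8, plus a function that comments out the `LoadModule` lines for the blacklisted modules from finding 1. Every function takes a root directory so the output can be generated into a scratch tree and reviewed before being installed under `/`. The file names, the `conf.modules.d` layout, the choice of a separate `zz-hardening.conf` over editing engine-generated httpd files, and `SAMEORIGIN` for `X-Frame-Options` are this example's assumptions; the caveat about `ipv6 accept_redirects` on releases below 4.4 is Ales's point from the thread, carried into the comment.

```shell
#!/bin/sh
# Added example, not part of oVirt: generate hardening drop-ins for the scan
# findings. $1 is a root directory ("/" on a real host, a scratch directory
# when reviewing first). All paths and file names are assumptions.

# Finding 3: the four ICMP redirect sysctls, as a drop-in so package updates
# to /etc/sysctl.conf do not revert them.
write_sysctl_dropin() {
    dir="$1/etc/sysctl.d"
    mkdir -p "$dir"
    cat > "$dir/90-no-icmp-redirects.conf" <<'EOF'
# Scan finding: all four were 1; hardening expects 0.
# Caveat from the thread: oVirt releases below 4.4 use ipv6 accept_redirects
# for network configuration/detection, so only set the ipv6 value to 0 on
# 4.4+ or where IPv6 autoconf is not in use.
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
EOF
    printf '%s\n' "$dir/90-no-icmp-redirects.conf"
}

# Findings 2-8 on the engine's httpd. A separate conf.d file is used instead
# of editing engine-generated files, which engine-setup may rewrite.
write_httpd_dropin() {
    dir="$1/etc/httpd/conf.d"
    mkdir -p "$dir"
    cat > "$dir/zz-hardening.conf" <<'EOF'
# 2. TRACE off (curl -X TRACE returns 405 afterwards)
TraceEnable off
# 3. no version in the Server header or on error pages
ServerTokens Prod
ServerSignature Off
<IfModule mod_ssl.c>
# 4. TLS 1.0/1.1 off; the subtractive form works on OpenSSL builds without TLS 1.3.
#    A <VirtualHost> that sets its own SSLProtocol overrides this global default.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</IfModule>
<IfModule mod_headers.c>
# 5-8. "always" also covers error responses. Browsers ignore HSTS received over
#    plain HTTP, so sending it globally is harmless.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
</IfModule>
EOF
    printf '%s\n' "$dir/zz-hardening.conf"
}

# Finding 1: comment out the LoadModule lines for the blacklisted modules.
# Assumes the EL-style layout where they live in /etc/httpd/conf.modules.d/.
disable_blacklisted_modules() {
    dir="$1/etc/httpd/conf.modules.d"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        sed -E 's/^(LoadModule (dav|dav_fs|dav_lock|userdir|include|autoindex|info)_module )/#\1/' \
            "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Applying on a real host, after reviewing the generated files:
#   write_sysctl_dropin / && sysctl --system
#   write_httpd_dropin / && disable_blacklisted_modules / \
#       && apachectl configtest && systemctl reload httpd
```

Run `apachectl configtest` before reloading: if an existing engine vhost already sets `SSLProtocol`, that setting wins over the global one here, and if any engine configuration still references a module that was just disabled, configtest is where it shows up.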