On Tue, Mar 9, 2021 at 12:24 PM <scroodj@gmail.com> wrote:
Hello team,

Due to the security policy in our customer's company there is a need to implement some changes on the machines in their oVirt cluster (Standalone Engine + 2 KVM Hosts).

1. The home directories of the users sanlock (/var/run/sanlock) and gluster (/run/gluster) have permissions of 775. We would like to have them at least 755 if not stricter. Is that possible?
2. The NFS mount of the storage has 'nodev' and 'nosuid' disabled. Is it safe to use those options for an NFS storage domain?
3. Usually bridged routing is not allowed on managed servers. The security scan asks us to set the following four parameters to 0:
Network Parameter "net.ipv4.conf.all.send_redirects" = 1 (expected: 0)
Network Parameter "net.ipv4.conf.all.secure_redirects" = 1 (expected: 0)
Network Parameter "net.ipv6.conf.all.accept_redirects" = 1 (expected: 0)
Network Parameter "net.ipv4.conf.all.accept_redirects" = 1 (expected: 0)
Would changing them interfere with the ovirtmgmt network?

Hi,

I cannot answer the storage questions, but there is one thing to be aware of regarding 3.
Depending on the oVirt version, under 4.4 we are using ipv6 accept_redirects to configure and detect
oVirt 4.4 and newer is not using this directly. Anyway, if you don't plan to use IPv6 autoconf it should be fine.

Best regards,
Ales
 

Those are valid for all three machines in the cluster.
On the engine though there is httpd installed now and we have some findings there too:

1. There are modules installed that are on a blacklist. Can they be removed? The modules are:
mod_dav_lock
mod_userdir
mod_include
mod_dav_fs
mod_autoindex
mod_dav
mod_info
2. HTTP TRACE should be blocked, so we would set "TraceEnable" to off in the virtual host config. If HTTP TRACE is needed we would have to limit the verbs that are allowed.
3. Apache version information should be turned off so as not to inform potential attackers of which web server is running. Is that a problem for oVirt?
4. TLSv1.0 and TLSv1.1 are enabled but should be turned off.
5. HSTS should be turned on but is not yet.
6. Can we use the X-Frame-Options header to append X-Frame-Options DENY (or SAMEORIGIN or at least ALLOW-FROM)?
7. Can we implement the X-Content-Type-Options HTTP header with "nosniff"?
8. Can we implement the X-XSS-Protection header with "1; mode=block"?

I know, this is quite a bit. But maybe you know the answers.

BR
Aleksandr
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/RKQH3IGOXAMBK3Q2X32CTHAYUBVGL4E2/


--
Ales Musil
Software Engineer - RHV Network
Red Hat EMEA
amusil@redhat.com    IM: amusil
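As an added example (not code from this thread or from oVirt), a small audit of an httpd configuration fragment against items 1 to 8 of the engine list above: the directive parser, the check logic and the two sample fragments are constructed here, and it assumes the modules appear as LoadModule lines and the headers as Header set directives in the file being checked.

```python
import re
# Module names the question above lists as blacklisted.
BLACKLISTED = {"mod_dav_lock", "mod_userdir", "mod_include", "mod_dav_fs",
               "mod_autoindex", "mod_dav", "mod_info"}

def _directives(config):
    """Yield (directive, args) for each non-comment, non-section line."""
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith("<"):
            parts = line.split(None, 1)
            yield parts[0].lower(), (parts[1] if len(parts) > 1 else "")

def _legacy_tls_enabled(tokens):
    # No SSLProtocol means the Apache default "all -SSLv3", which still keeps TLSv1.0/1.1.
    toks = ["all"] if tokens is None else [t.lower() for t in tokens]
    return any(("all" in toks or v in toks or "+" + v in toks) and "-" + v not in toks
               for v in ("tlsv1", "tlsv1.1"))

def audit_apache(config):
    modules, headers, trace, ssl = set(), {}, "on", None  # TraceEnable defaults to on
    for d, args in _directives(config):
        if d == "loadmodule":                 # "LoadModule dav_module modules/mod_dav.so"
            modules.update(re.findall(r"(mod_\w+)\.so", args))
        elif d == "traceenable":
            trace = args.strip().lower()
        elif d == "sslprotocol":
            ssl = args.split()
        elif d == "header":                   # 'Header always set X-XSS-Protection "1; mode=block"'
            for name, value in re.findall(r'^(?:always\s+)?set\s+(\S+)\s+"?([^"]*?)"?\s*$', args):
                headers[name.lower()] = value.upper()
    xfo = headers.get("x-frame-options", "")
    return {
        "blacklisted_modules": sorted(modules & BLACKLISTED),
        "trace_enabled": trace != "off",
        "legacy_tls_enabled": _legacy_tls_enabled(ssl),
        "hsts_missing": "strict-transport-security" not in headers,
        "xfo_weak": not (xfo in ("DENY", "SAMEORIGIN") or xfo.startswith("ALLOW-FROM")),
        "nosniff_missing": headers.get("x-content-type-options") != "NOSNIFF",
        "xss_protection_missing": not headers.get("x-xss-protection", "").startswith("1"),
    }
# Constructed samples: the pre-hardening state from the question, and one with every item addressed.
WEAK_CONFIG = "LoadModule dav_module modules/mod_dav.so\nLoadModule info_module modules/mod_info.so\nSSLProtocol all -SSLv3\n"
HARDENED_CONFIG = """TraceEnable off
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff
Header always set X-XSS-Protection "1; mode=block"
"""
```

Every finding that is still true after running the hardened fragment is a gap worth raising with the scan team; the check for item 3 (ServerTokens) is deliberately left out because the scanner verifies it from the response, not the file.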