The Center for Internet Security^® (CIS^®) has officially published guidance for hardening Red Hat OpenShift Virtualization.

The official publication of the new CIS Benchmark^® for Red Hat OpenShift Virtualization is an important development for organizations running traditional virtual machines (VMs) alongside modern containers. OpenShift Virtualization is a feature of Red Hat OpenShift that allows existing VM-based workloads to run directly on the platform. This globally recognized, consensus-driven benchmark provides recommendations for creating a security-focused configuration for those environments.

Who is CIS and what is a CIS Benchmark?

CIS is a community-driven nonprofit organization, which aims to "make the connected world a safer place" for businesses, governments, and people by developing and promoting best practice solutions.

The CIS Benchmarks are one of those core solutions. They are a set of globally recognized best practices to help secure configuring operating systems (OSs), servers, and other technology. Developed and maintained by a global community of IT professionals, the CIS Benchmarks provide prescriptive instructions for creating a security-focused configuration baseline. The new CIS Benchmark for OpenShift Virtualization was developed based on the OpenShift Virtualization Hardening Guide.

Key security optimizations

The CIS Benchmark provides detailed recommendations to strengthen your security posture by focusing on 4 key areas of optimization, including:

• Harden the platform from the ground up: This includes guidance on restricting GPU and USB pass-through to approved devices and disabling non-essential feature gates.
• Control workloads at every layer: The CIS Benchmark provides fine-grained controls, such as restricting exec and virtual network computing (VNC) access to approved administrators and disabling features like guest-memory overcommit.
• Segment and protect network traffic: This area focuses on using networking controls like Virtual Local Area Networks (VLANs) to isolate tenant or application traffic and applying Media Access Control (MAC) spoof filtering.
• Safeguard data integrity in storage: This extends security policies into the storage plane, with recommendations to restrict data volume cloning across namespaces and disable unnecessary shareable disks.

How to implement

Here is the good news: implementing this benchmark is less about complex reconfiguration and more about simple verification. Because OpenShift Virtualization is engineered to have maximum security controls in place out-of-the-box, you likely have the majority of these protections in place already. The benchmark simply acts as prescriptive guidance to help you audit your environment. To get started, just cross-reference your current setup against the OpenShift Virtualization Hardening Guide to ensure those standard safety settings haven’t been altered.

Get the CIS Benchmark

By implementing the CIS Benchmark for OpenShift Virtualization, your organization can enforce consistent security capabilities across workloads on your hybrid cloud platform, protecting both your containerized and virtualized applications.

To see the full list of recommendations and download the CIS Benchmark, visit the official CIS Benchmarks page.