Methods and systems for securely managing virtualization platform
Abstract
Virtualization platforms and management clients therefor are communicatively coupled to one another via a control layer logically disposed therebetween. The control layer is configured to proxy virtualization management commands from the management clients to the virtualization platforms, but only after successful authentication of users (which may include automated agents and processes) issuing those commands and privileges of those users as defined by access control information accessible to the control layer. The control layer may be instantiated as an application running on a physical appliance logically interposed between the virtualization platforms and management clients, or a software package running on dedicated hardware logically interposed between the virtualization platforms and management clients, or as an application encapsulated in a virtual machine running on a compatible virtualization platform logically interposed between the virtualization platforms and management client.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A method for performing an assessment and a remediation of a virtualization platform by a security appliance, the security appliance proxying all management commands transmitted from management clients to the virtualization platform, the method comprising:
determining a configuration of the virtualization platform, the configuration including one or more options stored within one or more configuration files of the virtualization platform; performing the assessment of the virtualization platform by comparing the configuration of the virtualization platform with a benchmark configuration that is stored in a repository of the security appliance; based on the assessment of the virtualization platform, determining whether the configuration of the virtualization platform is compliant or non-compliant; and upon determining that the configuration of the virtualization platform is non-compliant, initiating a process that performs remediation measures on the virtualization platform, the remediation measures including modifying the one or more options stored within the one or more configuration files of the virtualization platform.
2 . The method of claim 1 , wherein the virtualization platform includes a hypervisor, a management interface, or both the hypervisor and the management interface.
3 . The method of claim 1 , further comprising presenting results of the assessment, results of the remediation, or results of both the assessment and the remediation to an individual.
4 . The method of claim 1 , wherein the benchmark configuration is stored in a machine readable configuration dialect based on an extensible markup language (XML).
5 . The method of claim 1 , wherein the assessment and remediation of the virtualization platform is performed in part by a combination of programmatic scripts executing directly on the virtualization platform and through network programmatic interfaces.
6 . The method of claim 1 , wherein the configuration file of the virtualization platform configures an operation of a secure shell (SSH) daemon of an operating system of the virtualization platform.
7 . The method of claim 1 , wherein modifying the one or more options stored within the one or more configuration files of the virtualization platform comprises replacing at least one of the one or more options stored within the one or more configuration files with at least one updated option as described by the benchmark configuration.
8 . A system containing a security appliance that is configured to perform an assessment and a remediation of a virtualization platform, the security appliance proxying all management commands transmitted from management clients to the virtualization platform, the system comprising:
a processor; a storage device communicatively coupled to the processor; and a set of instructions on the storage device that, when executed by the processor, cause the security appliance to:
determine a configuration of the virtualization platform, the configuration including one or more options stored within one or more configuration files of the virtualization platform;
perform the assessment of the virtualization platform by comparing the configuration of the virtualization platform with a benchmark configuration that is stored in the storage device;
based on the assessment of the virtualization platform, determine whether the configuration of the virtualization platform is compliant or non-compliant; and
upon determining that the configuration of the virtualization platform is non-compliant, initiate a process that performs remediation measures on the virtualization platform, the remediation measures including modifying the one or more options stored within the one or more configuration files of the virtualization platform.
9 . The system of claim 8 , wherein the virtualization platform includes a hypervisor, a management interface, or both the hypervisor and the management interface.
10 . The system of claim 8 , further comprising instructions on the storage device that, when executed by the processor, cause the security appliance to present results of the assessment, results of the remediation, or results of both the assessment and the remediation to an individual.
11 . The system of claim 8 , wherein the benchmark configuration is stored in a machine readable configuration dialect based on an extensible markup language (XML).
12 . The system of claim 8 , wherein the assessment and remediation of the virtualization platform is performed in part by a combination of programmatic scripts executing directly on the virtualization platform and through network programmatic interfaces.
13 . The system of claim 8 , wherein the configuration file of the virtualization platform configures an operation of a secure shell (SSH) daemon of an operating system of the virtualization platform.
14 . The system of claim 8 , wherein modifying the one or more options stored within the one or more configuration files of the virtualization platform comprises replacing at least one of the one or more options stored within the one or more configuration files with at least one updated option as described by the benchmark configuration.
15 . A non-transitory machine-readable storage medium for a security appliance that is configured to perform an assessment and a remediation of a virtualization platform, the security appliance proxying all management commands transmitted from management clients to the virtualization platform, the non-transitory machine-readable storage medium comprising software instructions that, when executed by a processor, cause the processor to:
determine a configuration of the virtualization platform, the configuration including one or more options stored within one or more configuration files of the virtualization platform; perform an assessment of the virtualization platform by comparing the configuration of the virtualization platform with a benchmark configuration that is stored in a repository of the security appliance; based on the assessment of the virtualization platform, determine whether the configuration of the virtualization platform is compliant or non-compliant; and upon determining that the configuration of the virtualization platform is non-compliant, initiate a process that performs remediation measures on the virtualization platform, the remediation measures including modifying the one or more options stored within the one or more configuration files of the virtualization platform.
16 . The non-transitory machine-readable storage medium of claim 15 , wherein the virtualization platform includes a hypervisor, a management interface, or both the hypervisor and the management interface.
17 . The non-transitory machine-readable storage medium of claim 15 , further comprising software instructions that, when executed by the processor, cause the processor to present results of the assessment, results of the remediation, or results of both the assessment and the remediation to an individual.
18 . The non-transitory machine-readable storage medium of claim 15 , wherein the assessment and remediation of the virtualization platform is performed in part by a combination of programmatic scripts executing directly on the virtualization platform and through network programmatic interfaces.
19 . The non-transitory machine-readable storage medium of claim 15 , wherein the configuration file of the virtualization platform configures an operation of a secure shell (SSH) daemon of an operating system of the virtualization platform.
20 . The non-transitory machine-readable storage medium of claim 15 , wherein modifying the one or more options stored within the one or more configuration files of the virtualization platform comprises replacing at least one of the one or more options stored within the one or more configuration files with at least one updated option as described by the benchmark configuration.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.