This checklist covers key security practices for open-source virtualization environments based on Linux (Proxmox VE, KVM, libvirt, QEMU).

• Root login to Proxmox Web UI is disabled (sudo accounts are used).
• Two-factor authentication (TOTP or U2F) is enabled for Web UI access.
• LDAP/AD integration is used for centralized identity management (if applicable).
• SSH access is limited to key-based authentication; Fail2ban is active.

• Proxmox is running the latest stable version.
• QEMU / libvirt are regularly updated.
• Only official package repositories are used.

• SELinux or AppArmor is enabled (if supported).
• Secure Boot is enabled (if available).
• cgroups, namespaces, and seccomp are configured for VM isolation.
• Passthrough devices (USB, PCI) are disabled unless explicitly required.

• VMs are network-isolated via VLANs or bridged firewall rules.
• UEFI + Secure Boot is used where possible.
• VirtIO drivers are up to date.
• Shared disks and sockets are restricted or disabled.

• Proxmox Firewall is enabled at datacenter, node, and VM levels.
• Management interfaces are only accessible via VPN or trusted internal IPs.
• Virtual networks are segmented by function (e.g. public, internal, backups).
• Deprecated or insecure protocols (Telnet, SNMPv1) are blocked.

• Regular backups are configured using vzdump, Borg, or other tools.
• At least one backup is stored offline or on immutable storage.
• Logs are sent to a centralized logging system (e.g. syslog, ELK).
• Email or Telegram alerts are enabled for critical events.

• Backup restore tests were performed recently.
• Monitoring with Prometheus/Grafana or Zabbix is set up.
• Log audits are performed regularly (auditd, journalctl, fail2ban logs).

Tip: In Proxmox clusters, use a dedicated node for backups and monitoring. Minimum of 3 nodes is recommended for quorum.