- Keep kernel, QEMU, libvirt, and firmware fully patched.
- Minimize host packages and disable unnecessary services.
- Restrict host shell access to virtualization administrators.
- Use sVirt/SELinux/AppArmor confinement for guests.
- Segregate tenant/workload networks with VLANs/bridges and ACLs.
- Avoid sharing host filesystem paths broadly with guests.
- Expose libvirt sockets only on trusted networks.
- Use TLS/SASL for remote management.
- Audit VM create/attach/snapshot operations.
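
The libvirt-side items above (guest confinement, remote listeners, TLS/SASL, auditing) can be spot-checked from the daemon configuration. The following Python checker is an added example, not part of the original checklist: it flags explicitly weak values of a few `libvirtd.conf` and `qemu.conf` keys. The rule set and both sample configurations are constructed for illustration.

```python
import re

# Rules chosen for this example: (file, key, weak value, finding).
# Only explicitly weak settings are flagged; unset keys are not judged.
RULES = [
    ("libvirtd.conf", "listen_tcp", "1", "plaintext TCP listener enabled"),
    ("libvirtd.conf", "auth_tcp", "none", "TCP listener accepts unauthenticated clients"),
    ("libvirtd.conf", "tls_no_verify_certificate", "1", "client certificates not verified"),
    ("libvirtd.conf", "audit_level", "0", "libvirt auditing disabled"),
    ("qemu.conf", "security_driver", "none", "sVirt confinement disabled"),
    ("qemu.conf", "security_default_confined", "0", "guests start unconfined by default"),
]

def parse(text):
    """Parse 'key = value' lines; commented-out lines never match."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$', line)
        if m:
            conf[m.group(1)] = m.group(2).strip('"')
    return conf

def audit(files):
    """files maps file name -> contents; returns (file, key, finding) tuples."""
    parsed = {name: parse(text) for name, text in files.items()}
    return [(f, k, msg) for f, k, weak, msg in RULES
            if parsed.get(f, {}).get(k) == weak]

# Constructed sample configurations (not taken from a real host).
WEAK = {
    "libvirtd.conf": 'listen_tls = 0\nlisten_tcp = 1\nauth_tcp = "none"\n'
                     '#audit_level = 2\naudit_level = 0\n',
    "qemu.conf": 'security_driver = "none"\n',
}
HARDENED = {
    "libvirtd.conf": 'listen_tls = 1\nlisten_tcp = 0\nauth_tls = "sasl"\n'
                     'audit_level = 2\n',
    "qemu.conf": 'security_driver = "selinux"\nsecurity_default_confined = 1\n',
}

if __name__ == "__main__":
    for name, files in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(files) or "no findings")
```

On a real host, pass the contents of `/etc/libvirt/libvirtd.conf` and `/etc/libvirt/qemu.conf` to `audit()`; a clean result only means none of these specific weak values are set.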