[Openstack-operators] Managing security incidents: how to find the guilty VM ?

Andy Hill hillad at gmail.com
Thu Aug 6 15:25:29 UTC 2015


Archival and consumption of notifications emitted from Nova / Neutron is
one approach.

On Thu, Jul 23, 2015 at 8:54 AM, Alvise Dorigo <alvise.dorigo at pd.infn.it>
wrote:

> Dear all
>
> Let's suppose that a user of an OpenStack based Cloud does something
> wrong/illegal on the internet, or a VM gets compromised and from that
> machine something wrong/illegal is done.
>
>
> In this case the local security contact persons could be notified after a
> while (days, weeks, even some months, when probably that VM doesn't exist
> anymore) that a "malicious operation affecting some IP addresses/ports" was
> performed on date X from a machine with IP Y.
>
> The local security contact persons have then to find who created that VM,
> at least to prevent that.
>
> If the VM doesn't have a floating IP, the Y IP address that is exposed on
> the internet (and therefore the one that will be communicated to the
> security people) is the one of the OpenStack router.
>
> Given the private IP of the machine we are able to find the UUID of the VM
> (even if this was already deleted) and then the id of the relevant user who
> created it.
> But the problem is how to find this private IP address.
>
>
> How can this issue be managed?
>
> thanks.
>
>     Alvise
>
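As an added example (not Andy's or the project's code) of the approach in the reply: index archived Nova instance notifications so that, given a private IP and a time, the instance, user and project can be recovered even after the VM has been deleted and its address reused. It assumes the legacy unversioned notification field names (`event_type`, `timestamp`, `payload.instance_id`, `payload.fixed_ips`), uses constructed sample messages, and takes the private IP as already known from some other source (for example the router's NAT records), which the thread itself leaves as the open problem.

```python
from datetime import datetime, timezone

# Constructed sample messages shaped like legacy (unversioned) Nova notifications.
NOTIFICATIONS = [
    {"event_type": "compute.instance.create.end",
     "timestamp": "2015-06-01 09:00:00.000000",
     "payload": {"instance_id": "vm-aaaa", "user_id": "user-1",
                 "tenant_id": "proj-a", "fixed_ips": [{"address": "10.0.0.5"}]}},
    {"event_type": "compute.instance.delete.end",
     "timestamp": "2015-06-10 12:00:00.000000",
     "payload": {"instance_id": "vm-aaaa", "user_id": "user-1",
                 "tenant_id": "proj-a", "fixed_ips": []}},
    # The same private IP is handed to another tenant's VM after the first
    # one is deleted, so the lookup must be time-aware.
    {"event_type": "compute.instance.create.end",
     "timestamp": "2015-06-11 08:00:00.000000",
     "payload": {"instance_id": "vm-bbbb", "user_id": "user-2",
                 "tenant_id": "proj-b", "fixed_ips": [{"address": "10.0.0.5"}]}},
]

def parse_ts(s):
    """Nova timestamps are naive UTC strings; make them tz-aware."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)

def build_lease_index(notifications):
    """Return {private_ip: [lease, ...]}, each lease recording which instance,
    user and project held the address and for which window (end None = alive)."""
    index = {}
    for n in sorted(notifications, key=lambda n: n["timestamp"]):
        p, when = n["payload"], parse_ts(n["timestamp"])
        if n["event_type"] == "compute.instance.create.end":
            for ip in (f["address"] for f in p.get("fixed_ips", [])):
                index.setdefault(ip, []).append({
                    "start": when, "end": None, "instance_id": p["instance_id"],
                    "user_id": p["user_id"], "tenant_id": p["tenant_id"]})
        elif n["event_type"] == "compute.instance.delete.end":
            # Network info may be gone at delete time, so close the open lease by instance_id.
            for leases in index.values():
                for lease in leases:
                    if lease["instance_id"] == p["instance_id"] and lease["end"] is None:
                        lease["end"] = when
    return index

def who_had_ip(index, ip, at):
    """Lease covering private IP `ip` at tz-aware datetime `at`, or None."""
    for lease in index.get(ip, []):
        if lease["start"] <= at and (lease["end"] is None or at < lease["end"]):
            return lease
    return None
```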

