[Openstack-operators] Managing security incidents: how to find the guilty VM ?
hillad at gmail.com
Thu Aug 6 15:25:29 UTC 2015
Archival and consumption of notifications emitted from Nova / Neutron is
On Thu, Jul 23, 2015 at 8:54 AM, Alvise Dorigo <alvise.dorigo at pd.infn.it>
> Dear all
> Let's suppose that a user of an OpenStack-based cloud does something
> wrong/illegal on the internet, or a VM gets compromised and from that
> machine something wrong/illegal is done.
> In this case the local security contact persons could be notified after a
> while (days, weeks, even some months, when probably that VM doesn't exist
> anymore) that a "malicious operation" affecting some IP addresses/ports
> was performed on date X from a machine with IP Y.
> The local security contact persons then have to find who created that VM,
> at least to prevent that.
> If the VM doesn't have a floating IP, the Y IP address that is exposed on
> the internet (and therefore the one that will be communicated to the
> security people) is the one of the OpenStack router.
> Given the private IP of the machine we are able to find the UUID of the VM
> (even if this was already deleted) and then the id of the relevant user who
> created it.
> But the problem is how to find this private IP address.
> How can this issue be managed?
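As an added illustration of the notification-archive approach the reply points at (example code, not from this thread or from OpenStack itself): replay an archive of Nova/Neutron notifications to find which instance held a given private address at the incident time and who created it, which still works after the VM and its port are gone. The events are constructed samples; the event_type names are the ones OpenStack emits, but the payload keys used here are assumptions.

```python
from datetime import datetime

# Constructed sample of archived Nova/Neutron notifications (event_type names are the ones
# OpenStack emits; the payload keys used here are assumptions made for this example).
ARCHIVE = [
    {"event_type": "compute.instance.create.end", "timestamp": "2015-07-01 10:00:00",
     "payload": {"instance_id": "vm-aaaa", "user_id": "alice", "tenant_id": "proj-1"}},
    {"event_type": "port.create.end", "timestamp": "2015-07-01 10:00:05",
     "payload": {"port": {"id": "port-1", "device_id": "vm-aaaa",
                          "fixed_ips": [{"ip_address": "10.0.0.5"}]}}},
    {"event_type": "port.delete.end", "timestamp": "2015-07-10 09:00:00",
     "payload": {"port_id": "port-1"}},            # vm-aaaa torn down
    # two days later the same private address is handed to another tenant's VM
    {"event_type": "compute.instance.create.end", "timestamp": "2015-07-12 08:00:00",
     "payload": {"instance_id": "vm-bbbb", "user_id": "bob", "tenant_id": "proj-2"}},
    {"event_type": "port.create.end", "timestamp": "2015-07-12 08:00:03",
     "payload": {"port": {"id": "port-2", "device_id": "vm-bbbb",
                          "fixed_ips": [{"ip_address": "10.0.0.5"}]}}},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def ip_leases(archive):
    """Replay port events into (ip, instance_id, start, end) tuples; end is None for live ports."""
    live, leases = {}, []
    for ev in sorted(archive, key=lambda e: _ts(e["timestamp"])):
        p, when = ev["payload"], _ts(ev["timestamp"])
        if ev["event_type"] == "port.create.end":
            for fip in p["port"]["fixed_ips"]:
                live[(p["port"]["id"], fip["ip_address"])] = (p["port"]["device_id"], when)
        elif ev["event_type"] == "port.delete.end":
            for key in [k for k in live if k[0] == p["port_id"]]:
                device, start = live.pop(key)
                leases.append((key[1], device, start, when))
    leases.extend((ip, dev, start, None) for (_, ip), (dev, start) in live.items())
    return leases

def attribute(archive, ip, at_str):
    """Abuse-report lookup: private IP + incident time -> (instance_id, user_id, tenant_id),
    or None when no port held that address at that moment (e.g. between two tenants)."""
    at = _ts(at_str)
    for lease_ip, inst, start, end in ip_leases(archive):
        if lease_ip == ip and start <= at and (end is None or at < end):
            for ev in archive:   # creator survives in the archive even after the VM is deleted
                if ev["event_type"] == "compute.instance.create.end" and ev["payload"]["instance_id"] == inst:
                    return inst, ev["payload"]["user_id"], ev["payload"]["tenant_id"]
            return inst, None, None
    return None
```

This answers the private-IP-to-VM-to-user step; mapping the router's shared external address Y back to a private IP needs NAT/connection logs from the router, which the archive of Nova/Neutron events alone does not give you.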