[Openstack-operators] Managing security incidents: how to find the guilty VM ?

Andy Hill hillad at gmail.com
Thu Aug 6 15:25:29 UTC 2015

Archival and consumption of notifications emitted from Nova / Neutron is
one approach.

On Thu, Jul 23, 2015 at 8:54 AM, Alvise Dorigo <alvise.dorigo at pd.infn.it> wrote:

> Dear all
> Let's suppose that a user of an OpenStack based Cloud does something
> wrong/illegal on the internet, or a VM gets compromised and from that
> machine something wrong/illegal is done.
> In this case the local security contact persons could be notified after a
> while (days, weeks, even some months, when probably that VM doesn't exist
> anymore) that a "malicious operation affecting some IP addresses-ports"
> was performed on date X from a machine with IP Y.
> The local security contact persons have then to find who created that VM,
> at least to prevent that.
> If the VM doesn't have a floating IP, the Y IP address that is exposed on
> the internet (and therefore the one that will be communicated to the
> security people) is the one of the OpenStack router.
> Given the private IP of the machine we are able to find the UUID of the VM
> (even if this was already deleted) and then the id of the relevant user who
> created it.
> But the problem is how to find this private IP address.
> How can this issue be managed?
> thanks.
>     Alvise
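Added example, not part of the original thread or of any OpenStack project code: one way to consume an archive of Nova notifications so that a private IP and a timestamp resolve to the instance UUID and user, even after the VM was deleted. It assumes the private IP is already known, that the archive holds one JSON notification per line, and that the field names and timestamp format match the constructed sample below.

```python
import json
from datetime import datetime

# Constructed sample archive. Event and field names are assumed to follow the
# legacy Nova notification layout; adjust them to what your archive stores.
ARCHIVE = """\
{"event_type": "compute.instance.create.end", "timestamp": "2015-07-01 09:00:00", "payload": {"instance_id": "vm-aaaa", "user_id": "user-1", "tenant_id": "proj-1", "fixed_ips": [{"address": "10.0.0.5"}]}}
{"event_type": "compute.instance.delete.end", "timestamp": "2015-07-10 12:00:00", "payload": {"instance_id": "vm-aaaa", "user_id": "user-1", "tenant_id": "proj-1", "fixed_ips": []}}
{"event_type": "compute.instance.create.end", "timestamp": "2015-07-12 08:00:00", "payload": {"instance_id": "vm-bbbb", "user_id": "user-2", "tenant_id": "proj-2", "fixed_ips": [{"address": "10.0.0.5"}]}}
"""

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def build_leases(lines):
    """Turn create/delete notifications into per-IP ownership intervals."""
    leases, open_by_instance = [], {}
    events = [json.loads(line) for line in lines if line.strip()]
    for ev in sorted(events, key=lambda e: parse_ts(e["timestamp"])):
        payload, when = ev["payload"], parse_ts(ev["timestamp"])
        if ev["event_type"] == "compute.instance.create.end":
            for ip in payload.get("fixed_ips", []):
                lease = {"ip": ip["address"], "instance": payload["instance_id"],
                         "user": payload["user_id"], "project": payload["tenant_id"],
                         "start": when, "end": None}
                leases.append(lease)
                open_by_instance.setdefault(payload["instance_id"], []).append(lease)
        elif ev["event_type"] == "compute.instance.delete.end":
            # The delete event may no longer list the IPs, so close the
            # intervals by instance id rather than by address.
            for lease in open_by_instance.pop(payload["instance_id"], []):
                lease["end"] = when
    return leases

def who_had(leases, ip, when):
    """Return the leases that held `ip` at `when` (private IPs get reused)."""
    t = parse_ts(when)
    return [l for l in leases if l["ip"] == ip
            and l["start"] <= t and (l["end"] is None or t < l["end"])]

LEASES = build_leases(ARCHIVE.splitlines())

if __name__ == "__main__":
    for lease in who_had(LEASES, "10.0.0.5", "2015-07-05 03:00:00"):
        print(lease["instance"], lease["user"], lease["project"])
```

Because fixed IPs are reused across tenants, the lookup must always be keyed on both the address and the time of the reported activity.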