[Openstack-operators] Managing security incidents: how to find the guilty VM ?
Alvise Dorigo
alvise.dorigo at pd.infn.it
Thu Jul 23 13:54:15 UTC 2015
Dear all
Let's suppose that a user of an OpenStack based Cloud does something
wrong/illegal on the internet, or a VM gets compromised and from that
machine something wrong/illegal is done.
In this case the local security contact persons could be notified after
a while (days, weeks, even some months, when probably that VM doesn't
exist anymore) that a "malicious operation affecting some IP
addresses/ports" was performed on date X from a machine with IP Y.
The local security contact persons have then to find who created that
VM, at least to prevent that.
If the VM doesn't have a floating IP, the Y IP address that is exposed
on the internet (and therefore the one that will be communicated to the
security people) is the one of the OpenStack router.
Given the private IP of the machine we are able to find the UUID of the
VM (even if this was already deleted) and then the id of the relevant
user who created it.
But the problem is how to find this private IP address.
How can this issue be managed?
thanks.
Alvise
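The missing step in the question is the NAT hop: the abuse report names the router's public address at time X, and the operator has to map that back to the private fixed IP that was behind it, and only then to the instance and its owner. The script below is an added example, not code from the original post or from any OpenStack project. It assumes two constructed data sources: router-side NAT connection-tracking log lines (the line format, addresses and timestamps are invented for illustration) and a fixed-IP assignment table with allocation windows of the kind an operator would extract from the Nova database (instance UUIDs and user names are placeholders). It correlates a report (public IP, destination, port, time) with the NAT log to get candidate private IPs, then resolves each private IP to the instance that held it at that moment. Because fixed IPs are reused after an instance is deleted, the lookup is time-bounded rather than a plain IP match.

```python
"""
Correlate an abuse report (public IP, destination, time) back to a private
VM address and its owner.  Added example: not code from the original post
or from any OpenStack project; the NAT log format and the assignment table
are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Constructed NAT log lines in the shape a router-node connection-tracking
# logger might emit: timestamp, private source, destination, public SNAT address.
NAT_LOG = """\
2015-07-20T10:00:01Z src=10.0.0.12 dst=203.0.113.9:22 snat=198.51.100.4
2015-07-20T10:02:15Z src=10.0.0.17 dst=203.0.113.9:22 snat=198.51.100.4
2015-07-20T10:02:40Z src=10.0.0.12 dst=192.0.2.50:443 snat=198.51.100.4
"""

LINE_RE = re.compile(r"(\S+) src=(\S+) dst=(\S+):(\d+) snat=(\S+)")


@dataclass(frozen=True)
class NatEvent:
    ts: datetime
    src: str
    dst: str
    dport: int
    snat: str


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_nat_log(text):
    """Parse the constructed NAT log; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(NatEvent(_parse_ts(m.group(1)), m.group(2),
                               m.group(3), int(m.group(4)), m.group(5)))
    return events


# Constructed assignment table (what an operator would extract from the Nova
# database): fixed IP, instance UUID, owner, allocation window.  UUIDs and
# user names are placeholders.  Note 10.0.0.12 is reused by a later instance.
ASSIGNMENTS = [
    {"ip": "10.0.0.12", "instance": "uuid-placeholder-1", "user": "user-a",
     "from": "2015-07-19T08:00:00Z", "to": "2015-07-21T00:00:00Z"},
    {"ip": "10.0.0.12", "instance": "uuid-placeholder-3", "user": "user-c",
     "from": "2015-07-21T00:00:00Z", "to": None},   # still allocated
    {"ip": "10.0.0.17", "instance": "uuid-placeholder-2", "user": "user-b",
     "from": "2015-07-18T00:00:00Z", "to": "2015-07-22T00:00:00Z"},
]


def private_ips_for_report(events, public_ip, dst_ip, dst_port, when,
                           window=timedelta(minutes=5)):
    """Private sources that used public_ip to reach dst within +/- window of when."""
    hits = set()
    for e in events:
        if (e.snat == public_ip and e.dst == dst_ip and e.dport == dst_port
                and abs(e.ts - when) <= window):
            hits.add(e.src)
    return sorted(hits)


def owners_for_private_ip(assignments, private_ip, when):
    """(instance, user) pairs that held private_ip at time when.
    The timestamp is essential because private IPs are recycled."""
    result = []
    for a in assignments:
        if a["ip"] != private_ip:
            continue
        start = _parse_ts(a["from"])
        end = _parse_ts(a["to"]) if a["to"] else None
        if start <= when and (end is None or when < end):
            result.append((a["instance"], a["user"]))
    return result


def investigate(nat_log, assignments, public_ip, dst_ip, dst_port, when,
                window=timedelta(minutes=5)):
    """Map an abuse report to {private_ip: [(instance, user), ...]}."""
    events = parse_nat_log(nat_log)
    return {ip: owners_for_private_ip(assignments, ip, when)
            for ip in private_ips_for_report(events, public_ip, dst_ip,
                                             dst_port, when, window)}


if __name__ == "__main__":
    report_time = _parse_ts("2015-07-20T10:01:00Z")
    print(investigate(NAT_LOG, ASSIGNMENTS, "198.51.100.4", "203.0.113.9", 22, report_time))
```

The time window deserves attention: a report that only gives a date, as in the question, may match several private addresses behind the same router, so the output is a list of candidates rather than one answer, and the assignment table must include deleted instances to be useful months later.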