[openstack-dev] [OSSG] hardening openstack

Bryan D. Payne bdpayne at acm.org
Fri Nov 2 04:55:17 UTC 2012


Some of the log handling may end up being deployment specific.
Nevertheless, this is a very good idea.

One thing that the OpenStack projects can do to help with logging
would be to cleanup the log messages in all of the projects such that
they provide useful information to someone that was aggregating all of
the logs as you describe.  Last time I checked, there was lots of work
to be done there.

-bryan


On Thu, Nov 1, 2012 at 4:55 PM, Bhandaru, Malini K
<malini.k.bhandaru at intel.com> wrote:
> From out of http://www.nsa.gov/ia/_files/factsheets/rhel5-pamphlet-i731.pdf
> Review system and application logs on a routine basis.
> Dend logs to a dedicated log server. This prevents intruders from easily avoiding detection by modifying the local logs.
>
> Down the road this is something we should consider. Might not want to have to go over the network for every log item, but do so in some digest mode. Alternately, create a VM for logging on the host nodes, a nova-log-vm, a quantum-log-vm .. and log to that for the respective openstack service. Needs more thought.
>
> Regards
> Malini
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



More information about the OpenStack-dev mailing list