[Openstack-operators] Fwd: Managing security incidents: how to find the guilty VM ?

Antonio Messina antonio.s.messina at gmail.com
Mon Jul 27 09:50:03 UTC 2015


On Thu, Jul 23, 2015 at 3:54 PM, Alvise Dorigo <alvise.dorigo at pd.infn.it> wrote:
> If the VM doesn't have a floating IP, the Y IP address that is exposed on
> the internet (and therefore the one that will be communicated to the
> security people) is the one of the OpenStack router.
>
> Given the private IP of the machine we are able to find the UUID of the VM
> (even if this was already deleted) and then the id of the relevant user who
> created it.
> But the problem is how to find this private IP address.

Interesting: how do you do it? In Kilo, apparently, the ports are
deleted from the DB as well; do you have some sort of trigger? And how is
the mapping between port and instance id done?

For your question, I guess the only solution is to periodically save
the output of "conntrack -L" on the network node, to be run *within*
the router namespace.

A possible solution (that I haven't tested yet) is to use ulogd:
https://home.regit.org/2014/02/logging-connection-tracking-event-with-ulogd/

.a.

-- 
antonio.s.messina at gmail.com
antonio.messina at uzh.ch                     +41 (0)44 635 42 22
S3IT: Service and Support for Science IT   http://www.s3it.uzh.ch/
University of Zurich
Winterthurerstrasse 190
CH-8057 Zurich Switzerland
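An added example (mine, not Antonio's nor OpenStack's code) of the lookup an operator would run over the saved `conntrack -L` snapshots discussed above: given the router's public address and the source port named in an abuse report, the reply tuple of each flow is matched back to the VM's private IP. It assumes the snapshots were taken with `ip netns exec qrouter-<ROUTER_UUID> conntrack -L`; the conntrack lines below are constructed, and the third one shows why the reply tuple, not the VM's own source port, must be the key (SNAT remapped it to 1024).

```python
"""Map an externally observed (SNAT) address back to the VM's private IP
using periodic 'conntrack -L' snapshots from the Neutron router namespace.

Added example, not from the original mail. Assumed capture command:
    ip netns exec qrouter-<ROUTER_UUID> conntrack -L > conntrack-$(date -u +%FT%TZ).txt
Sample lines below are constructed (nf_conntrack text format), not real traffic."""
import re

SNAPSHOT = """\
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=198.51.100.20 sport=45612 dport=22 src=198.51.100.20 dst=203.0.113.10 sport=22 dport=45612 [ASSURED] mark=0 use=1
udp      17 29 src=10.0.0.7 dst=198.51.100.53 sport=53111 dport=53 [UNREPLIED] src=198.51.100.53 dst=203.0.113.10 sport=53 dport=53111 mark=0 use=1
tcp      6 118 TIME_WAIT src=10.0.0.9 dst=198.51.100.20 sport=45612 dport=22 src=198.51.100.20 dst=203.0.113.10 sport=22 dport=1024 [ASSURED] mark=0 use=1
icmp     1 29 src=10.0.0.5 dst=198.51.100.20 type=8 code=0 id=1 src=198.51.100.20 dst=203.0.113.10 type=0 code=0 id=1 mark=0 use=1
"""

KV = re.compile(r'\b(src|dst|sport|dport)=(\S+)')

def parse_conntrack(text):
    """Yield (proto, original_tuple, reply_tuple) for each flow line.
    The original tuple is what the VM sent (private src=); the reply tuple's
    dst=/dport= is the SNAT address:port the outside world actually sees."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        orig, reply = {}, {}
        cur = orig
        for key, val in KV.findall(line):
            if key == 'src' and 'src' in cur:   # second src= starts the reply tuple
                cur = reply
            cur[key] = val
        if 'src' in orig and 'src' in reply:
            yield fields[0], orig, reply

def find_private_ip(text, public_ip, public_port, remote_ip, remote_port):
    """Return [(proto, private_ip)] for flows whose reply tuple matches the
    reported public_ip:public_port <-> remote_ip:remote_port pair.
    A list, since the same flow can show up in several snapshots."""
    hits = []
    for proto, orig, reply in parse_conntrack(text):
        if (reply.get('dst') == public_ip and reply.get('dport') == str(public_port)
                and reply.get('src') == remote_ip and reply.get('sport') == str(remote_port)):
            hits.append((proto, orig['src']))
    return hits

if __name__ == '__main__':
    # Abuse report: "203.0.113.10:1024 connected to 198.51.100.20:22"
    print(find_private_ip(SNAPSHOT, '203.0.113.10', 1024, '198.51.100.20', 22))
```

Snapshots only cover flows alive at capture time, so short connections between two runs are missed; that gap is what the ulogd event-logging approach closes.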
