[Openstack-operators] Managing security incidents: how to find the guilty VM ?

Antonio Messina antonio.s.messina at gmail.com
Fri Jul 31 15:48:19 UTC 2015


I've tested briefly ulogd, and it basically works.

The only issue is that the "ulogd" daemon needs to run in the
qrouter-<uuid> namespace, therefore neutron should start the ulogd daemon
in a router namespace whenever one is created (and delete it whenever the
router is deleted).

Alternative solutions:

a) in case neutron supports "triggers" (but I don't think so), e.g.
shell commands that are executed whenever a namespace is created,
startup of ulogd could be executed by the trigger
b) update rootwrap IpFilter to use a wrapper around ip instead of
"ip". The wrapper should know what to do: run ulogd if "ip netns add"
is called, kill it if "ip netns delete" is called
c) [UGLY]: run a cron every so many seconds to ensure every qrouter-<uuid>
namespace has an instance of ulogd running in it.

Other suggestions?

.a.


On Mon, Jul 27, 2015 at 11:50 AM, Antonio Messina
<antonio.s.messina at gmail.com> wrote:
> On Thu, Jul 23, 2015 at 3:54 PM, Alvise Dorigo <alvise.dorigo at pd.infn.it> wrote:
>> If the VM doesn't have a floating IP, the Y IP address that is exposed on
>> the internet (and therefore the one that will be communicated to the
>> security people) is the one of the OpenStack router.
>>
>> Given the private IP of the machine we are able to find the UUID of the VM
>> (even if this was already deleted) and then the id of the relevant user who
>> created it.
>> But the problem is how to find this private IP address.
>
> Interesting: how do you do it? In Kilo, apparently, the ports are
> deleted also from the DB, do you have some sort of trigger? And how is
> the mapping between port and instance id done?
>
> For your question, I guess the only solution is to periodically save
> the output of "conntrack -L" on the network node, to be run *within*
> the router namespace.
>
> A possible solution (that I haven't tested yet), is to use ulogd
> https://home.regit.org/2014/02/logging-connection-tracking-event-with-ulogd/
>
> .a.
>
> --
> antonio.s.messina at gmail.com
> antonio.messina at uzh.ch                     +41 (0)44 635 42 22
> S3IT: Service and Support for Science IT   http://www.s3it.uzh.ch/
> University of Zurich
> Winterthurerstrasse 190
> CH-8057 Zurich Switzerland



-- 
antonio.s.messina at gmail.com
antonio.messina at uzh.ch                     +41 (0)44 635 42 22
S3IT: Service and Support for Science IT   http://www.s3it.uzh.ch/
University of Zurich
Winterthurerstrasse 190
CH-8057 Zurich Switzerland
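The quoted message suggests periodically saving "conntrack -L" from inside the router namespace; the following is an added example (not code from the thread) showing how such a saved snapshot can be searched afterwards to map the router's SNAT address and port named in an abuse report back to the private VM address. The snapshot text and all addresses are constructed, and the parser assumes the usual "conntrack -L" line layout (original tuple followed by reply tuple).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# One `conntrack -L` entry per line: proto, proto number, timeout, optional TCP state,
# then the original-direction tuple followed by the reply-direction tuple.
LINE_RE = re.compile(r"^(?P<proto>\w+)\s+\d+\s+\d+\s+(?:(?P<state>[A-Z_]+)\s+)?(?P<rest>.*)$")
TUPLE_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)(?:\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+))?")

# Constructed snapshot (hypothetical addresses), as saved from `ip netns exec qrouter-<uuid> conntrack -L`.
# Second line: SNAT rewrote the VM's source port 51000 to 1025, which is the port a remote site reports.
SNAPSHOT = """\
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=198.51.100.20 sport=45678 dport=80 src=198.51.100.20 dst=203.0.113.10 sport=80 dport=45678 [ASSURED] mark=0 use=1
tcp      6 117 TIME_WAIT src=10.0.0.7 dst=198.51.100.20 sport=51000 dport=443 src=198.51.100.20 dst=203.0.113.10 sport=443 dport=1025 [ASSURED] mark=0 use=1
udp      17 29 src=10.0.0.7 dst=198.51.100.53 sport=40000 dport=53 src=198.51.100.53 dst=203.0.113.10 sport=53 dport=40000 mark=0 use=1
icmp     1 29 src=10.0.0.9 dst=198.51.100.1 type=8 code=0 id=1234 src=198.51.100.1 dst=203.0.113.10 type=0 code=0 id=1234 mark=0 use=1
"""

@dataclass(frozen=True)
class Flow:
    proto: str
    state: Optional[str]
    vm_ip: str               # original src: the private VM address before SNAT
    remote_ip: str           # original dst: the outside host
    nat_ip: str              # reply dst: the router's external address
    nat_port: Optional[int]  # reply dport: the SNAT'd source port as seen by the remote host

def parse_conntrack(text: str) -> List[Flow]:
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        tuples = [t.groupdict() for t in TUPLE_RE.finditer(m["rest"])]
        if len(tuples) != 2:  # expect exactly original + reply; skip anything else
            continue
        orig, reply = tuples
        flows.append(Flow(m["proto"], m["state"], orig["src"], orig["dst"], reply["dst"],
                          int(reply["dport"]) if reply["dport"] else None))
    return flows

def find_vm(flows: List[Flow], nat_ip: str, nat_port: Optional[int] = None,
            remote_ip: Optional[str] = None) -> Set[str]:
    """Private addresses whose SNAT'd identity matches what the abuse report names."""
    return {f.vm_ip for f in flows
            if f.nat_ip == nat_ip
            and (nat_port is None or f.nat_port == nat_port)
            and (remote_ip is None or f.remote_ip == remote_ip)}
```

Snapshots only cover flows alive at capture time, so the capture interval bounds how short a connection can be and still be attributed; the ulogd approach discussed above records every flow event instead.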
