Archival and consumption of notifications emitted from Nova / Neutron is one approach.
On Thu, Jul 23, 2015 at 8:54 AM, Alvise Dorigo <alvise.dor...@pd.infn.it> wrote:

> Dear all
>
> Let's suppose that a user of an OpenStack based Cloud does something
> wrong/illegal on the internet, or a VM gets compromised and from that
> machine something wrong/illegal is done.
>
> In this case the local security contact persons could be notified after a
> while (days, weeks, even some months, when probably that VM doesn't exist
> anymore) that a "malicious operations" affecting some IP addresses-ports"
> was performed on date X from a machine with IP Y.
>
> The local security contact persons have then to find who created that VM,
> at least to prevent that .
>
> If the VM doesn't have a floating IP, the Y IP address that is exposed on
> the internet (and therefore the one that will be communicated to the
> security people) is the one of the OpenStack router.
>
> Given the private IP of the machine we are able to find the UUID of the VM
> (even if this was already deleted) and then the id of the relevant user who
> created it.
> But the problem is how to find this private IP address.
>
> How can this issue be managed?
>
> thanks.
>
> Alvise
>
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
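One way to use archived notifications for this kind of lookup, as an added example that is not part of the original thread: it replays Neutron `port.create.end` / `port.update.end` / `port.delete.end` and Nova `compute.instance.create.end` events to report which instance and user held a fixed IP at a given time, even after the VM was deleted. The sample archive, IDs, timestamp format and helper names are constructed assumptions, and the private IP is taken as already known; the example does not derive it from the router's address.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S.%f"  # assumed timestamp format of the archived events

def _port(pid, dev, net, ip):  # hypothetical helper: builds a constructed port payload
    return {"port": {"id": pid, "device_id": dev, "network_id": net,
                     "fixed_ips": [{"ip_address": ip}]}}

# Constructed sample archive (not real data): the same private IP is reused by two VMs.
ARCHIVE = [
    {"event_type": "port.create.end", "timestamp": "2015-07-01 10:00:01.000000",
     "payload": _port("port-1", "vm-1", "net-a", "10.0.0.5")},
    {"event_type": "compute.instance.create.end", "timestamp": "2015-07-01 10:00:05.000000",
     "payload": {"instance_id": "vm-1", "user_id": "user-a", "tenant_id": "proj-a"}},
    {"event_type": "port.delete.end", "timestamp": "2015-07-10 09:00:00.000000",
     "payload": {"port_id": "port-1"}},
    {"event_type": "port.create.end", "timestamp": "2015-07-12 08:30:01.000000",
     "payload": _port("port-2", "vm-2", "net-a", "10.0.0.5")},
    {"event_type": "compute.instance.create.end", "timestamp": "2015-07-12 08:30:05.000000",
     "payload": {"instance_id": "vm-2", "user_id": "user-b", "tenant_id": "proj-b"}},
]

def build_index(events):
    """Return (leases, owners): (port, start, end) intervals and instance -> (user, project)."""
    open_ports, leases, owners = {}, [], {}
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        ts, kind, body = datetime.strptime(ev["timestamp"], FMT), ev["event_type"], ev["payload"]
        if kind == "compute.instance.create.end":
            owners[body["instance_id"]] = (body["user_id"], body["tenant_id"])
        elif kind in ("port.create.end", "port.update.end"):
            port = body["port"]
            if port["id"] in open_ports:  # update: close the previous port state first
                leases.append(open_ports.pop(port["id"]) + (ts,))
            open_ports[port["id"]] = (port, ts)
        elif kind == "port.delete.end" and body["port_id"] in open_ports:
            leases.append(open_ports.pop(body["port_id"]) + (ts,))
    leases += [state + (None,) for state in open_ports.values()]  # ports that still exist
    return leases, owners

def who_had(index, ip, when):
    """List every instance that held fixed IP `ip` at time `when` (a FMT string)."""
    leases, owners = index
    t, hits = datetime.strptime(when, FMT), []
    for port, start, end in leases:
        held = any(f["ip_address"] == ip for f in port["fixed_ips"])
        if held and start <= t and (end is None or t < end):
            user, project = owners.get(port["device_id"], (None, None))
            hits.append({"instance": port["device_id"], "network": port["network_id"],
                         "user": user, "project": project})
    return hits  # a list, because private ranges can overlap across tenant networks
```
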