Auditing and Logging Considerations to Ensure Compliance and Protect Virtual Server Environments Part II – Anton Chuvakin Dr. Anton Chuvakin, GCIA, GCIH, GCFA Chief Logging Evangelist, LogLogic

Chief Logging Evangelist for LogLogic involved with projecting LogLogic's product vision and strategy to the outside world conducting logging research influencing company vision and roadmap GCIA, GCIH, GCFA Author of the book 'Security Warrior' from O'Reilly and a contributor to 'Know Your Enemy II', 'Handbook of Information Security Management', 'Hackers Challenge 3' and 'PCI Compliance'

Chief Logging Evangelist for LogLogic

involved with projecting LogLogic's product vision and strategy to the outside world

conducting logging research

influencing company vision and roadmap

GCIA, GCIH, GCFA

Author of the book 'Security Warrior' from O'Reilly and a contributor to 'Know Your Enemy II', 'Handbook of Information Security Management', 'Hackers Challenge 3' and 'PCI Compliance'

LM and Virtualization Roadmap What changed when virtualization came? What stayed the same? What is the impact? New logs? New data in old logs? New challenges to logging and log analysis? New advantages to log management? New possibilities to use logs for solving problems?

What changed when virtualization came?

What stayed the same?

What is the impact?

New logs? New data in old logs?

New challenges to logging and log analysis?

New advantages to log management?

New possibilities to use logs for solving problems?

Virtual Logs: What Stays The Same? The rest of IT infrastructure stays the same Routers, switches, firewalls, etc A virtual server is still a server ! OS + applications are still there Systems are still being provisioned, modified, reconfigured – and used (of course!) Intra-VM networking resembles the “real thing”

The rest of IT infrastructure stays the same

Routers, switches, firewalls, etc

A virtual server is still a server !

OS + applications are still there

Systems are still being provisioned, modified, reconfigured – and used (of course!)

Intra-VM networking resembles the “real thing”

Virtual Logs: What Changed? VM host server – a new “IT player” Stricter availability monitoring Due to server aggregation Stricter host OS security monitoring Own VM – own “the world” New management tools (… and their logs!) Passive hosts + needs for live monitoring IR/IH/forensics across many images Rogue VMs And – OMG! –rogue VMs in the cloud

VM host server – a new “IT player”

Stricter availability monitoring

Due to server aggregation

Stricter host OS security monitoring

Own VM – own “the world”

New management tools (… and their logs!)

Passive hosts + needs for live monitoring

IR/IH/forensics across many images

Rogue VMs

And – OMG! –rogue VMs in the cloud

Good, bad … ugly anywhere? Good Ability to provision images with logging enabled Ability to use current logging tools (!) Bad New logs to collect and analyze A need to monitor VM host logs very closely Ugly Rogue VMs Poof! Here goes your evidence… 

Good

Ability to provision images with logging enabled

Ability to use current logging tools (!)

Bad

New logs to collect and analyze

A need to monitor VM host logs very closely

Ugly

Rogue VMs

Poof! Here goes your evidence… 

How Logs Help With Virtualization Risks Security Tracking access to VM hosts system (and guest images!) Looking for security-relevant failures Operations Monitoring for failures and errors as well as VM health Compliance Addressing PCI DSS and other logging requirements: collection, retention, review, etc

Security

Tracking access to VM hosts system (and guest images!)

Looking for security-relevant failures

Operations

Monitoring for failures and errors as well as VM health

Compliance

Addressing PCI DSS and other logging requirements: collection, retention, review, etc

Details: Hypervisor Platform Logging VMkernel: /var/log/vmkernel VMkernel warnings: /var/log/vmkwarning VMkernel summary: /var/log/vmksummary.html ESX Server host agent log: /var/log/vmware/hostd.log Web access: /var/log/vmware/webAccess Service console: /var/log/messages Authentication log: /var/log/secure Individual virtual machine logs: <path to virtual machine on ESX Server>/vmware.log vmware-specific logs: storageMonitor sudolog vmkproxy

VMkernel:

/var/log/vmkernel

VMkernel warnings:

/var/log/vmkwarning

VMkernel summary:

/var/log/vmksummary.html

ESX Server host agent log:

/var/log/vmware/hostd.log

Web access:

/var/log/vmware/webAccess

Service console:

/var/log/messages

Authentication log:

/var/log/secure

Individual virtual machine logs:

<path to virtual machine on ESX Server>/vmware.log

vmware-specific logs:

storageMonitor

sudolog

vmkproxy

Case Study: Logging for PCI in Virtual Environment Solving PCI Requirement 10 in VM environment Same : Log collection, retention, analysis, protection Different : New systems: VM platform itself New logs: various VM logs, guess access logs New analysis: VMotion tracking?

Solving PCI Requirement 10 in VM environment

Same :

Log collection, retention, analysis, protection

Different :

New systems: VM platform itself

New logs: various VM logs, guess access logs

New analysis: VMotion tracking?

Conclusions “ Virtualization changes everything ?” Not exactly! New and old stuff both exist New logs, new information in logs – but still networks, servers, applications Learn VM platform logs - just like you learned Unix/Linux, Windows, etc logs, but keeping virtualization concepts in mind

“ Virtualization changes everything ?” Not exactly! New and old stuff both exist

New logs, new information in logs – but still networks, servers, applications

Learn VM platform logs - just like you learned Unix/Linux, Windows, etc logs, but keeping virtualization concepts in mind

Thanks for Attending! Dr Anton Chuvakin, GCIA, GCIH, GCFA Chief Logging Evangelist LogLogic, Inc Coauthor of “Security Warrior” (O’Reilly, 2004) and “PCI Compliance” (Syngress, 2007) See http://www.info-secure.org for my papers, books, reviews and other security resources related to logs. Book on logs is coming soon! Also see http:// chuvakin.blogspot.com

Dr Anton Chuvakin, GCIA, GCIH, GCFA

Chief Logging Evangelist

LogLogic, Inc

Coauthor of “Security Warrior” (O’Reilly, 2004) and “PCI Compliance” (Syngress, 2007)

See http://www.info-secure.org for my papers, books, reviews and other security resources related to logs. Book on logs is coming soon! Also see http:// chuvakin.blogspot.com