
Early Look: Logging and Virtualization


    • 1. Auditing and Logging Considerations to Ensure Compliance and Protect Virtual Server Environments, Part II. Dr. Anton Chuvakin, GCIA, GCIH, GCFA, Chief Logging Evangelist, LogLogic
    • 2.
      • Chief Logging Evangelist for LogLogic
        • involved with projecting LogLogic's product vision and strategy to the outside world
        • conducting logging research
        • influencing company vision and roadmap
      • GCIA, GCIH, GCFA
      • Author of the book 'Security Warrior' from O'Reilly and a contributor to 'Know Your Enemy II', 'Handbook of Information Security Management', 'Hackers Challenge 3' and 'PCI Compliance'
    • 3. LM and Virtualization Roadmap
      • What changed when virtualization came?
      • What stayed the same?
      • What is the impact?
      • New logs? New data in old logs?
      • New challenges to logging and log analysis?
      • New advantages to log management?
      • New possibilities to use logs for solving problems?
    • 4. Virtual Logs: What Stays The Same?
      • The rest of IT infrastructure stays the same
        • Routers, switches, firewalls, etc
      • A virtual server is still a server !
        • OS + applications are still there
      • Systems are still being provisioned, modified, reconfigured – and used (of course!)
      • Intra-VM networking resembles the “real thing”
    • 5. Virtual Logs: What Changed?
      • VM host server – a new “IT player”
        • Stricter availability monitoring
          • Due to server aggregation: one host outage takes down many servers at once
        • Stricter host OS security monitoring
          • Own the VM host – own “the world” (every guest running on it)
        • New management tools (… and their logs!)
      • Passive (powered-off) images + the need for live monitoring
        • IR/IH/forensics now span many images, not one box
      • Rogue VMs
        • And – OMG! – rogue VMs in the cloud
    • 6. Good, bad … ugly anywhere?
      • Good
        • Ability to provision images with logging enabled
        • Ability to use current logging tools (!)
      • Bad
        • New logs to collect and analyze
        • A need to monitor VM host logs very closely
      • Ugly
        • Rogue VMs
          • Poof! Here goes your evidence…
    • 7. How Logs Help With Virtualization Risks
      • Security
        • Tracking access to VM hosts system (and guest images!)
        • Looking for security-relevant failures
      • Operations
        • Monitoring for failures and errors as well as VM health
      • Compliance
        • Addressing PCI DSS and other logging requirements: collection, retention, review, etc
    • 8. Details: Hypervisor Platform Logging
      • VMkernel: /var/log/vmkernel
      • VMkernel warnings: /var/log/vmkwarning
      • VMkernel summary: /var/log/vmksummary.html
      • ESX Server host agent (hostd) log: /var/log/vmware/hostd.log
      • Web access: /var/log/vmware/webAccess
      • Service console: /var/log/messages
      • Authentication log: /var/log/secure
      • Individual virtual machine logs: <path to virtual machine on ESX Server>/vmware.log
      • Other VMware-specific logs: storageMonitor, sudolog, vmkproxy
    • 9. Case Study: Logging for PCI in a Virtual Environment
      • Solving PCI DSS Requirement 10 in a VM environment
      • Same :
        • Log collection, retention, analysis, protection
      • Different :
        • New systems: the VM platform itself
        • New logs: various VM platform logs, guest access logs
        • New analysis: VMotion tracking? (which host a guest ran on, and when)
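
The log sources on slide 8 and the Requirement 10 use cases on slide 9 (tracking access to the VM host, guests being powered off, VMotion tracking) come together in the following added Python example. It is not code from the presentation or from LogLogic. The sshd lines follow the standard syslog format of the service console's /var/log/secure; the hostd-style lines, the host names, the IP addresses, the VM name and the allow-listed admin address are all constructed for illustration and do not reproduce a verbatim VMware log format.

```python
"""Added example (not from the presentation): triage of VM-host logs.

Reads a handful of service-console log lines, flags security-relevant
events (brute force against the host, logins from outside the admin
allow-list or right after failures, guests being powered off) and keeps
a VM-to-host map updated from migration events (slide 9's "VMotion
tracking").
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample input. The sshd lines use the standard syslog/sshd
# format seen in /var/log/secure on an ESX service console; the "hostd"
# lines are an ASSUMED simplified format for illustration only, not a
# verbatim VMware hostd.log format. Hosts, IPs and VM names are made up.
SAMPLE_LOG = """\
Mar 10 12:00:01 esx01 sshd[2311]: Failed password for root from 10.0.0.5 port 51234 ssh2
Mar 10 12:00:03 esx01 sshd[2311]: Failed password for root from 10.0.0.5 port 51235 ssh2
Mar 10 12:00:05 esx01 sshd[2311]: Failed password for root from 10.0.0.5 port 51236 ssh2
Mar 10 12:00:07 esx01 sshd[2319]: Accepted password for root from 10.0.0.5 port 51240 ssh2
Mar 10 12:01:10 esx01 hostd: User root powered off VM cardholder-db01
Mar 10 12:02:15 esx01 hostd: VM cardholder-db01 migrated from esx01 to esx02
Mar 10 12:03:00 esx01 sshd[2400]: Accepted publickey for admin from 10.0.0.20 port 40000 ssh2
"""

# Generic BSD-syslog line: "Mon DD HH:MM:SS host prog[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SSH_OK_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
POWER_OFF_RE = re.compile(r"User (?P<user>\S+) powered off VM (?P<vm>\S+)")
MIGRATE_RE = re.compile(r"VM (?P<vm>\S+) migrated from (?P<src>\S+) to (?P<dst>\S+)")

FAIL_THRESHOLD = 3              # failures from one source before alerting
ADMIN_SOURCES = {"10.0.0.20"}   # assumption: the only sanctioned jump host


def parse_syslog(line: str) -> Optional[Dict[str, str]]:
    """Split one syslog line into timestamp, host, program and message."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text: str) -> Dict[str, object]:
    """Run the detection rules over a log text; return alerts and state."""
    alerts: List[str] = []
    failures: Counter = Counter()        # (user, source) -> failed logins
    vm_host: Dict[str, str] = {}         # VM name -> host it currently runs on
    for raw in log_text.splitlines():
        rec = parse_syslog(raw)
        if rec is None:
            alerts.append(f"Unparsed line (keep for review): {raw}")
            continue
        host, prog, msg = rec["host"], rec["prog"], rec["msg"]
        if prog == "sshd":
            if (m := SSH_FAIL_RE.search(msg)):
                key = (m["user"], m["src"])
                failures[key] += 1
                if failures[key] == FAIL_THRESHOLD:   # alert once per source
                    alerts.append(f"Possible brute force: {FAIL_THRESHOLD} failed logins "
                                  f"for {m['user']} from {m['src']} on {host}")
            elif (m := SSH_OK_RE.search(msg)):
                prior = failures[(m["user"], m["src"])]
                trusted = m["src"] in ADMIN_SOURCES
                if prior or not trusted:
                    why = "not an admin source" if not trusted else "admin source"
                    alerts.append(f"Suspicious login: {m['user']} from {m['src']} on {host} "
                                  f"({prior} prior failures, {why})")
        elif prog == "hostd":
            if (m := POWER_OFF_RE.search(msg)):
                # A powered-off guest cannot be monitored live; its vmware.log
                # and disk image are the only evidence left, so flag it.
                alerts.append(f"Guest {m['vm']} powered off by {m['user']} on {host}: "
                              f"preserve its vmware.log and image")
            elif (m := MIGRATE_RE.search(msg)):
                vm_host[m["vm"]] = m["dst"]   # VMotion tracking
    return {"alerts": alerts, "failed_logins": dict(failures), "vm_host": vm_host}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for alert in result["alerts"]:
        print("ALERT:", alert)
    print("VM locations:", result["vm_host"])
```

On the constructed input this raises three alerts (the brute-force threshold, the root login from the same source that just failed three times, and the cardholder VM being powered off) and records that cardholder-db01 now runs on esx02; the key-based admin login from the allow-listed address is silent. A real deployment would feed it the collected /var/log/secure and hostd.log streams from every host rather than an inline string, and would keep the per-guest vmware.log under the same retention rules as the host logs.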
    • 10. Conclusions
      • “Virtualization changes everything?” Not exactly! New and old stuff both exist
      • New logs, new information in logs – but still networks, servers, applications
      • Learn VM platform logs - just like you learned Unix/Linux, Windows, etc logs, but keeping virtualization concepts in mind
    • 11. Thanks for Attending!
      • Dr Anton Chuvakin, GCIA, GCIH, GCFA
      • Chief Logging Evangelist
      • LogLogic, Inc
      • Coauthor of “Security Warrior” (O’Reilly, 2004) and “PCI Compliance” (Syngress, 2007)
      • See http://www.info-secure.org for my papers, books, reviews and other security resources related to logs. Book on logs is coming soon! Also see http://chuvakin.blogspot.com
