Early Look: Logging and Virtualization

Slide 1: Auditing and Logging Considerations to Ensure Compliance and Protect Virtual Server Environments, Part II
  Dr. Anton Chuvakin, GCIA, GCIH, GCFA
  Chief Logging Evangelist, LogLogic

Slide 2: About the Speaker
  - Chief Logging Evangelist for LogLogic
    - Involved with projecting LogLogic's product vision and strategy to the outside world
    - Conducting logging research
    - Influencing company vision and roadmap
  - GCIA, GCIH, GCFA
  - Author of the book "Security Warrior" from O'Reilly and a contributor to "Know Your Enemy II", "Handbook of Information Security Management", "Hackers Challenge 3" and "PCI Compliance"

Slide 3: LM and Virtualization Roadmap
  - What changed when virtualization came?
  - What stayed the same?
  - What is the impact?
  - New logs? New data in old logs?
  - New challenges to logging and log analysis?
  - New advantages to log management?
  - New possibilities to use logs for solving problems?

Slide 4: Virtual Logs: What Stays The Same?
  - The rest of the IT infrastructure stays the same
    - Routers, switches, firewalls, etc.
  - A virtual server is still a server!
    - OS + applications are still there
  - Systems are still being provisioned, modified, reconfigured – and used (of course!)
  - Intra-VM networking resembles the "real thing"

Slide 5: Virtual Logs: What Changed?
  - VM host server – a new "IT player"
    - Stricter availability monitoring
      - Due to server aggregation
    - Stricter host OS security monitoring
      - Own the VM host – own "the world"
    - New management tools (… and their logs!)
  - Passive hosts + needs for live monitoring
    - IR/IH/forensics across many images
  - Rogue VMs
    - And – OMG! – rogue VMs in the cloud

Slide 6: Good, bad … ugly anywhere?
  - Good
    - Ability to provision images with logging enabled
    - Ability to use current logging tools (!)
  - Bad
    - New logs to collect and analyze
    - A need to monitor VM host logs very closely
  - Ugly
    - Rogue VMs
      - Poof! Here goes your evidence…

Slide 7: How Logs Help With Virtualization Risks
  - Security
    - Tracking access to the VM host system (and guest images!)
    - Looking for security-relevant failures
  - Operations
    - Monitoring for failures and errors as well as VM health
  - Compliance
    - Addressing PCI DSS and other logging requirements: collection, retention, review, etc.

Slide 8: Details: Hypervisor Platform Logging
  - VMkernel: /var/log/vmkernel
  - VMkernel warnings: /var/log/vmkwarning
  - VMkernel summary: /var/log/vmksummary.html
  - ESX Server host agent log: /var/log/vmware/hostd.log
  - Web access: /var/log/vmware/webAccess
  - Service console: /var/log/messages
  - Authentication log: /var/log/secure
  - Individual virtual machine logs: <path to virtual machine on ESX Server>/vmware.log
  - VMware-specific logs:
    - storageMonitor
    - sudolog
    - vmkproxy
Slide 9: Case Study: Logging for PCI in a Virtual Environment
  - Solving PCI Requirement 10 in a VM environment
  - Same:
    - Log collection, retention, analysis, protection
  - Different:
    - New systems: the VM platform itself
    - New logs: various VM logs, guest access logs
    - New analysis: VMotion tracking?
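Slides 7 and 9 call for tracking access to the VM host and reviewing its logs for security-relevant failures as part of PCI Requirement 10. The following added example (not from the original deck) does that review over the service console authentication log from slide 8 (/var/log/secure): it parses standard Linux sshd and sudo syslog lines, summarises who reached the host and what they ran as root, and flags repeated login failures. The hostname, users, addresses and threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the syslog format that sshd and sudo write to
# /var/log/secure on the ESX service console. Host, users and IPs are made up.
SAMPLE_SECURE_LOG = """\
Feb 12 10:01:22 esxhost sshd[2211]: Failed password for root from 10.0.0.5 port 51234 ssh2
Feb 12 10:01:25 esxhost sshd[2211]: Failed password for root from 10.0.0.5 port 51234 ssh2
Feb 12 10:01:29 esxhost sshd[2211]: Failed password for root from 10.0.0.5 port 51234 ssh2
Feb 12 10:01:40 esxhost sshd[2214]: Accepted password for admin from 10.0.0.7 port 51240 ssh2
Feb 12 10:02:01 esxhost sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/vmware-cmd -l
Feb 12 10:05:11 esxhost sshd[2220]: Accepted publickey for backup from 10.0.0.9 port 40110 ssh2
"""

# sshd: "Accepted|Failed <method> for [invalid user] <user> from <ip> port ..."
SSH_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) (\w+) for (?:invalid user )?(\S+) from (\S+) port")
# sudo: "<user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.*)$")


def review_host_access(lines, fail_threshold=3):
    """Summarise host access events; alert on repeated failures per user/source."""
    failed = Counter()      # (user, source ip) -> failed attempts
    accepted = []           # (user, source ip, auth method)
    sudo = []               # (invoking user, target user, command)
    for line in lines:
        m = SSH_RE.search(line)
        if m:
            outcome, method, user, src = m.groups()
            if outcome == "Failed":
                failed[(user, src)] += 1
            else:
                accepted.append((user, src, method))
            continue
        m = SUDO_RE.search(line)
        if m:
            sudo.append(m.groups())
    alerts = [f"{n} failed logins as {u} from {s}"
              for (u, s), n in failed.items() if n >= fail_threshold]
    return {"failed": failed, "accepted": accepted, "sudo": sudo, "alerts": alerts}


if __name__ == "__main__":
    report = review_host_access(SAMPLE_SECURE_LOG.splitlines())
    for alert in report["alerts"]:
        print("ALERT:", alert)
    for user, src, method in report["accepted"]:
        print(f"login: {user} from {src} ({method})")
    for who, target, cmd in report["sudo"]:
        print(f"sudo: {who} ran as {target}: {cmd}")
```

The same routine can be pointed at the sudolog listed on slide 8, since it uses the same sudo line format; retention and protection of the collected logs are left to the log management platform.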
Slide 10: Conclusions
  - "Virtualization changes everything?" Not exactly! New and old stuff both exist
  - New logs, new information in logs – but still networks, servers, applications
  - Learn VM platform logs – just like you learned Unix/Linux, Windows, etc. logs, but keeping virtualization concepts in mind

Slide 11: Thanks for Attending!
  - Dr. Anton Chuvakin, GCIA, GCIH, GCFA
  - Chief Logging Evangelist
  - LogLogic, Inc.
  - Coauthor of "Security Warrior" (O'Reilly, 2004) and "PCI Compliance" (Syngress, 2007)
  - See http://www.info-secure.org for my papers, books, reviews and other security resources related to logs. Book on logs is coming soon! Also see http://chuvakin.blogspot.com