    • What's new in log management due to virtualization?
        – Where do logs hide in a virtualized environment?
        – Differences between virtual and physical
            • New logs: hypervisor logging
            • Systems that come and go
            • Passive systems
            • Automated pre-configured logging
        – Similarities between virtual and physical
            • Same servers, just running in a VM
    • How do logs help with virtualization challenges (security, manageability, etc.)?
    • 10 Risks of Virtualization
        – Rogue Guests
        – Network Segmentation
        – Roles
        – Infrastructure Integration
        – Internal Skills
        – Misconfigured Hosts
        – Misconfigured Guests
        – Remote Access
        – Single Point of Failure, Additional Point of Failure
        – CPU (Blue Pill)
    • Hypervisor platform log locations
        – VMkernel: /var/log/vmkernel
        – VMkernel warnings: /var/log/vmkwarning
        – VMkernel summary: /var/log/vmksummary.html (lynx vmksummary.html to view in console)
        – ESX Server host agent log: /var/log/vmware/hostd.log
        – Web access: /var/log/vmware/webAccess
        – Service console: /var/log/messages
        – Authentication log: /var/log/secure
        – Individual virtual machine logs: <path to virtual machine on ESX Server>/vmware.log
        – vmware-specific logs: storageMonitor, sudolog, vmkproxy
    • Case study: Logging for PCI compliance in a virtualized environment
        – What do you need to do to manage logs in a virtualized environment?
        – Configuring ESX for optimum logging for security, problem isolation and compliance

    Early Look: Logging and Virtualization

    From anton_chuvakin, 1 month ago


    Slideshow Transcript

    1. Slide 1: Auditing and Logging Considerations to Ensure Compliance and Protect Virtual Server Environments, Part II – Anton Chuvakin
        Dr. Anton Chuvakin, GCIA, GCIH, GCFA
        Chief Logging Evangelist, LogLogic
    2. Slide 2:
        • Chief Logging Evangelist for LogLogic
            – involved with projecting LogLogic's product vision and strategy to the outside world
            – conducting logging research
            – influencing company vision and roadmap
        • GCIA, GCIH, GCFA
        • Author of the book 'Security Warrior' from O'Reilly and a contributor to 'Know Your Enemy II', 'Handbook of Information Security Management', 'Hackers Challenge 3' and 'PCI Compliance'
    3. Slide 3: LM and Virtualization Roadmap
        What changed when virtualization came? What stayed the same? What is the impact?
        • New logs? New data in old logs?
        • New challenges to logging and log analysis?
        • New advantages to log management?
        • New possibilities to use logs for solving problems?
    4. Slide 4: Virtual Logs: What Stays The Same?
        • The rest of IT infrastructure stays the same
            – Routers, switches, firewalls, etc.
        • A virtual server is still a server!
            – OS + applications are still there
        • Systems are still being provisioned, modified, reconfigured
            – and used (of course!)
        • Intra-VM networking resembles the “real thing”
    5. Slide 5: Virtual Logs: What Changed?
        • VM host server – a new “IT player”
            – Stricter availability monitoring
                • Due to server aggregation
            – Stricter host OS security monitoring
                • Own VM – own “the world”
            – New management tools (… and their logs!)
        • Passive hosts + needs for live monitoring
            – IR/IH/forensics across many images
        • Rogue VMs
            – And – OMG! – rogue VMs in the cloud
    6. Slide 6: Good, bad … ugly anywhere?
        • Good
            – Ability to provision images with logging enabled
            – Ability to use current logging tools (!)
        • Bad
            – New logs to collect and analyze
            – A need to monitor VM host logs very closely
        • Ugly
            – Rogue VMs
                • Poof! Here goes your evidence…
    7. Slide 7: How Logs Help With Virtualization Risks
        1. Security
            • Tracking access to VM host systems (and guest images!)
            • Looking for security-relevant failures
        2. Operations
            • Monitoring for failures and errors as well as VM health
        3. Compliance
            • Addressing PCI DSS and other logging requirements: collection, retention, review, etc.
    8. Slide 8: Details: Hypervisor Platform Logging
        • VMkernel: /var/log/vmkernel
        • VMkernel warnings: /var/log/vmkwarning
        • VMkernel summary: /var/log/vmksummary.html
        • ESX Server host agent log: /var/log/vmware/hostd.log
        • Web access: /var/log/vmware/webAccess
        • Service console: /var/log/messages
        • Authentication log: /var/log/secure
        • Individual virtual machine logs: <path to virtual machine on ESX Server>/vmware.log
        • vmware-specific logs: storageMonitor, sudolog, vmkproxy
    9. Slide 9: Case Study: Logging for PCI in Virtual Environment
        Solving PCI Requirement 10 in VM environment
        • Same:
            – Log collection, retention, analysis, protection
        • Different:
            – New systems: VM platform itself
            – New logs: various VM logs, guest access logs
            – New analysis: VMotion tracking?
    10. Slide 10: Conclusions
        • “Virtualization changes everything?” Not exactly! New and old stuff both exist
        • New logs, new information in logs – but still networks, servers, applications
        • Learn VM platform logs – just like you learned Unix/Linux, Windows, etc. logs, but keeping virtualization concepts in mind
    11. Slide 11: Thanks for Attending!
        Dr Anton Chuvakin, GCIA, GCIH, GCFA
        Chief Logging Evangelist, LogLogic, Inc
        Coauthor of “Security Warrior” (O’Reilly, 2004) and “PCI Compliance” (Syngress, 2007)
        See http://www.info-secure.org for my papers, books, reviews and other security resources related to logs. Book on logs is coming soon! Also see http://chuvakin.blogspot.com
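
The service-console paths on slide 8 can be turned into a collection-coverage check before a log management tool is pointed at the host. The shell functions below are an added example, not part of the original slides; the `ROOT` prefix (so the same check runs on a live host or a mounted image), the 60-minute staleness default and the function names are assumptions.

```shell
#!/bin/sh
# Added example: coverage check for the ESX service-console logs on slide 8.
# Per-VM vmware.log files and the storageMonitor/sudolog/vmkproxy logs are
# left out because the slides give no fixed path for them.
ESX_LOGS="/var/log/vmkernel
/var/log/vmkwarning
/var/log/vmksummary.html
/var/log/vmware/hostd.log
/var/log/vmware/webAccess
/var/log/messages
/var/log/secure"

# classify_log PATH MAX_AGE_MIN -> prints OK | MISSING | EMPTY | STALE
# PATH may be a single log file or a directory of logs.
classify_log() {
    f=$1; max_age=$2
    [ -e "$f" ] || { echo MISSING; return; }
    # Any non-empty regular file at or below the path?
    [ -n "$(find "$f" -type f -size +0c 2>/dev/null)" ] || { echo EMPTY; return; }
    # Any of them written within the last max_age minutes? (-mmin: GNU/BSD find)
    [ -n "$(find "$f" -type f -size +0c -mmin -"$max_age" 2>/dev/null)" ] \
        || { echo STALE; return; }
    echo OK
}

# audit_esx_logs ROOT [MAX_AGE_MIN]
# Prints one "STATUS path" line per log; the return status is the number of
# logs that are not OK, so 0 means every listed source is present and active.
audit_esx_logs() {
    root=${1%/}; max_age=${2:-60}; bad=0
    for p in $ESX_LOGS; do
        status=$(classify_log "$root$p" "$max_age")
        echo "$status $p"
        [ "$status" = OK ] || bad=$((bad + 1))
    done
    return "$bad"
}
```

Run it as `audit_esx_logs / 60` on the host, or pass the mount point of an offline image; a STALE or MISSING line for `/var/log/secure` or `hostd.log` is a gap in the access tracking that slide 7 and the PCI case study depend on.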