Customer looking to detect unauthorized creation of Xen VM



ElliottRScott
12-May-2015, 23:02
Hi,

Essentials: SLES 11 SP3 x86_64 running Xen Hypervisor and SLE 11 SP3 HAE

I have a customer who is looking to audit certain activity. He wants to know when someone tries to create a Xen guest. I'm assuming that there is activity either in the syslog or somewhere else, and I'm looking for a little guidance to expedite my search. Do you have any suggestions that might help me? Thanks!

Elliott

smflood
14-May-2015, 15:26
On 12/05/2015 23:04, ElliottRScott wrote:

> Essentials: SLES 11 SP3 x86_64 running Xen Hypervisor and SLE 11 SP3
> HAE
>
> I have a customer who is looking to audit certain activity. He wants to
> know when someone tries to create a Xen guest. I'm assuming that there
> is activity either in the syslog or somewhere else, and I'm looking for
> a little guidance to expedite my search. Do you have any suggestions
> that might help me? Thanks!

Perhaps enable Xen debug logging then monitor the log files for create
events using syslog-ng?

HTH.
--
Simon
SUSE Knowledge Partner

------------------------------------------------------------------------
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below. Thanks.
------------------------------------------------------------------------

ElliottRScott
14-May-2015, 16:09
Thanks for the suggestion, Simon. I'm concerned that turning on debug mode might create too much traffic/overhead and hamper performance. I'm guessing that I might also have to do something about log file rotation, etc. Any thoughts on that?

Elliott

malcolmlewis
14-May-2015, 16:47
On Tue 12 May 2015 10:04:01 PM CDT, ElliottRScott wrote:

> Hi,
>
> Essentials: SLES 11 SP3 x86_64 running Xen Hypervisor and SLE 11 SP3
> HAE
>
> I have a customer who is looking to audit certain activity. He wants to
> know when someone tries to create a Xen guest. I'm assuming that there
> is activity either in the syslog or somewhere else, and I'm looking for
> a little guidance to expedite my search. Do you have any suggestions
> that might help me? Thanks!
>
> Elliott

Hi
How do you wish to audit: in real time, email on creation, etc.?

The xm tool, e.g. xm list, shows all the VMs; AFAIK libvirt and the virsh
command also monitor Xen VMs.

You could also audit user command history and filter that to see who
uses the create command.

--
Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
SUSE Linux Enterprise Desktop 12 GNOME 3.10.1 Kernel 3.12.39-47-default

jmozdzen
19-May-2015, 16:37
Hi Elliott,


# grep XendDomainInfo.create /var/log/xen/xend.log

will list any DomU creation - so if you want to monitor in real time, go ahead and watch that file via your favorite management tool (even if it is just some script that follows the file, filters out those lines and sends emails upon detection ;) ).

Regards,
Jens
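
Simon's and Jens's suggestions above amount to the same pipeline: read /var/log/xen/xend.log, pick out the XendDomainInfo.create lines, and alert on each one (Malcolm's "real time, email on creation" question). Here is that pipeline as a runnable script. It is an added example, not code posted by anyone in the thread. It assumes the xend DEBUG log line shape shown in the comments, assumes that managed-domain starts (xm new / xm start, libvirt) also reach xend as create_from_dict or createDormant calls, and assumes logger(1) and mail(1) are available on Dom0; the sample log lines in sample_xend_log are constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Print one line per DomU creation recorded in an xend.log:
#   <date> <time> <xend call> <guest name>
# Usage: xen_create_events [file]   ("-" = stdin; default /var/log/xen/xend.log)
xen_create_events() {
    # Assumed line shape (xend DEBUG level), e.g.:
    #   [2015-05-19 16:30:01 4321] DEBUG (XendDomainInfo:102) XendDomainInfo.create(['vm', ['name', 'sles11-web'], ...])
    # create_from_dict and createDormant are matched as well, on the assumption
    # that managed domains (xm new / xm start, libvirt) reach xend through them
    # instead of create(). The grep from the post matches all three anyway.
    awk '
        /^\[[0-9-]+ [0-9:]+ [0-9]+\] DEBUG \(XendDomainInfo:[0-9]+\) XendDomainInfo\.(create|create_from_dict|createDormant)\(/ {
            ts = substr($0, 2, 19)                         # "YYYY-MM-DD HH:MM:SS"
            match($0, /XendDomainInfo\.[A-Za-z_]+\(/)
            call = substr($0, RSTART + 15, RLENGTH - 16)   # text between "." and "("
            name = "?"
            # create()/createDormant() log an sxp list with a name element,
            # create_from_dict() logs a dict with name_label (\047 is a single quote)
            if (match($0, /\[\047name\047, \047[^\047]*\047\]/))
                name = substr($0, RSTART + 10, RLENGTH - 12)
            else if (match($0, /\047name_label\047: \047[^\047]*\047/))
                name = substr($0, RSTART + 15, RLENGTH - 16)
            print ts, call, name
            fflush()                                       # no block buffering when fed by tail -F
        }' "${1:-/var/log/xen/xend.log}"
}

# Constructed sample (not from a real host): a plain create, a managed-domain
# start, a dormant definition, and two unrelated xend lines that must be ignored.
sample_xend_log() {
    cat <<'EOF'
[2015-05-19 16:30:01 4321] DEBUG (XendDomainInfo:102) XendDomainInfo.create(['vm', ['name', 'sles11-web'], ['memory', 1024]])
[2015-05-19 16:30:02 4321] DEBUG (XendDomainInfo:1799) XendDomainInfo.constructDomain
[2015-05-19 16:42:10 4321] DEBUG (XendDomainInfo:113) XendDomainInfo.create_from_dict({'name_label': 'db01', 'memory_dynamic_max': 2048})
[2015-05-19 17:05:55 4321] INFO (XendDomain:1179) Domain sles11-web (3) unpaused.
[2015-05-19 17:10:00 4321] DEBUG (XendDomainInfo:97) XendDomainInfo.createDormant({'name_label': 'staging'})
EOF
}

# Live version of the "script following the file" idea: follow xend.log, and for
# every new creation event write a syslog record (which syslog-ng can forward
# off-box) and send a mail. logger(1) and mail(1) are assumed to exist on Dom0.
watch_xend_log() {
    log=${1:-/var/log/xen/xend.log}
    rcpt=${2:-root}
    tail -n 0 -F "$log" | xen_create_events - | while read -r ev; do
        logger -t xen-audit -p auth.notice "DomU creation: $ev"
        printf '%s\n' "$ev" | mail -s "Xen DomU creation on $(hostname)" "$rcpt"
    done
}

# Offline check against the constructed sample:
#   sample_xend_log | xen_create_events -
# On a Dom0:  watch_xend_log /var/log/xen/xend.log ops@example.com   (address is a placeholder)
```

Two caveats when deploying this. First, the grep in the post has an unescaped `.` and its prefix matches `createDormant` and `create_from_dict` as well as `create(`; decide with the customer which of those count as "creating a guest", and note that all three are DEBUG-level messages, so they only appear if xend logs at DEBUG, which is the overhead trade-off Elliott raises. Second, the detection sees only what xend writes to a local file that root on Dom0 can truncate, so treat the `logger` line as the important output and let syslog-ng forward it to a host the hypervisor admins do not control.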