
Thread: Customer looking to detect unauthorized creation of Xen VM

  1. Customer looking to detect unauthorized creation of Xen VM

    Hi,

    Essentials: SLES 11 SP3 x86_64 running Xen Hypervisor and SLE 11 SP3 HAE

    I have a customer who is looking to audit certain activity. He wants to know when someone tries to create a Xen guest. I'm assuming that there is activity either in the syslog or somewhere else, and I'm looking for a little guidance to expedite my search. Do you have any suggestions that might help me? Thanks!

    Elliott

  2. Re: Customer looking to detect unauthorized creation of Xen VM

    On 12/05/2015 23:04, ElliottRScott wrote:

    > Essentials: SLES 11 SP3 x86_64 running Xen Hypervisor and SLE 11 SP3
    > HAE
    >
    > I have a customer who is looking to audit certain activity. He wants to
    > know when someone tries to create a Xen guest. I'm assuming that there
    > is activity either in the syslog or somewhere else, and I'm looking for
    > a little guidance to expedite my search. Do you have any suggestions
    > that might help me? Thanks!


    Perhaps enable Xen debug logging then monitor the log files for create
    events using syslog-ng?

    HTH.
    --
    Simon
    SUSE Knowledge Partner

    ------------------------------------------------------------------------
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below. Thanks.
    ------------------------------------------------------------------------

  3. Re: Customer looking to detect unauthorized creation of Xen

    Thanks for the suggestion, Simon. I'm concerned that turning on debug mode might create too much traffic/overhead and hamper performance. I'm guessing that I might also have to do something about log file rotation, etc. Any thoughts on that?

    Elliott

  4. Re: Customer looking to detect unauthorized creation of Xen VM

    On Tue 12 May 2015 10:04:01 PM CDT, ElliottRScott wrote:


    > Hi,
    >
    > Essentials: SLES 11 SP3 x86_64 running Xen Hypervisor and SLE 11 SP3
    > HAE
    >
    > I have a customer who is looking to audit certain activity. He wants to
    > know when someone tries to create a Xen guest. I'm assuming that there
    > is activity either in the syslog or somewhere else, and I'm looking for
    > a little guidance to expedite my search. Do you have any suggestions
    > that might help me? Thanks!
    >
    > Elliott


    Hi
    How do you wish to audit: real time, email on creation, etc.?

    The xm tool, e.g. xm list, shows all the VMs; AFAIK, libvirt and the virsh
    command also monitor Xen VMs.

    You could also audit user command history and filter that to see who
    uses the create command.

    --
    Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
    SUSE Linux Enterprise Desktop 12 GNOME 3.10.1 Kernel 3.12.39-47-default


  5. Re: Customer looking to detect unauthorized creation of Xen

    Hi Elliott,

    Code:
    # grep XendDomainInfo.create /var/log/xen/xend.log
    will list any DomU creation - so if you want to monitor in real time, go ahead and watch that file via your favorite management tool (be it some script following the file, filtering out those lines and sending emails upon detection).

    Regards,
    Jens
    From the times when today's "old school" was "new school"
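
The script suggested in the last reply (follow the file, filter the create lines, send mail), as an added example that is not part of the original thread. It assumes the xend.log line layout of the constructed sample line, an MTA listening on localhost and a placeholder recipient; it also reopens the file after log rotation, which the thread raises as a concern.

```python
import os, re, smtplib, time
from email.message import EmailMessage

LOG_PATH = "/var/log/xen/xend.log"  # path from the post above
ALERT_TO = "root@localhost"         # assumption: placeholder recipient, MTA on localhost
CREATE_RE = re.compile(r"^\[(?P<when>[\d-]+ [\d:]+)[^\]]*\].*XendDomainInfo\.create(?P<rest>.*)")
# Constructed sample line in the assumed "[date time pid] LEVEL (module:line) text" layout.
SAMPLE_CREATE = ("[2015-05-12 22:04:01 4321] DEBUG (XendDomainInfo:103) "
                 "XendDomainInfo.create(['vm', ['name', 'testvm'], ['memory', 512]])")

def parse_create(line):
    """Return {'when', 'name'} for a XendDomainInfo.create line, else None."""
    m = CREATE_RE.search(line)
    if not m:
        return None
    n = re.search(r"\['name', '(?P<name>[^']+)'\]", m.group("rest"))
    return {"when": m.group("when"), "name": n.group("name") if n else "unknown"}

def rotated(path, f):
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False  # mid-rotation: new file not there yet, keep the old handle
    # Replaced (new inode) or truncated (shorter than our read position).
    return st.st_ino != os.fstat(f.fileno()).st_ino or st.st_size < f.tell()

def follow(path, poll=1.0):
    """Yield complete lines appended to path, reopening it after log rotation."""
    f, buf = open(path, "rb"), b""
    f.seek(0, os.SEEK_END)
    while True:
        buf += f.readline()
        if buf.endswith(b"\n"):
            yield buf.decode("utf-8", "replace")
            buf = b""
        elif rotated(path, f):
            f.close()
            f, buf = open(path, "rb"), b""
        else:
            time.sleep(poll)

if __name__ == "__main__":
    for line in follow(LOG_PATH):
        event = parse_create(line)
        if event:
            msg = EmailMessage()
            msg["Subject"] = "Xen DomU created: %(name)s at %(when)s" % event
            msg["From"] = msg["To"] = ALERT_TO
            msg.set_content(line)
            with smtplib.SMTP("localhost") as smtp:
                smtp.send_message(msg)
```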

