openstack
/
security-doc
Code Issues Proposed changes

Grammatical errors in CH.45 - Forensics and Incident Response. 

Made multiple corrections in passage to remediate grammatical errors.
Fix itemizedlists, remove extraneous markup.
Remove one useage of etc
Wrap overlong paragraphs.

Co-Authored-By: Andreas Jaeger <jaegerandi@gmail.com>
Closes-Bug: #1342968
Change-Id: I4f9d92b8db3068004ec4e72ecbdae88f2884ddd0
This commit is contained in:
Shellee Arnold 2014-08-24 21:16:23 -07:00 committed by Andreas Jaeger
parent 8bc596ab99
commit 55fffd4b50
1 changed files with 134 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

167
security-guide/section_forensics-and-incident-response.xml
View File

@ -6,49 +6,150 @@
xml:id="forensics-and-incident-response">
<?dbhtml stop-chunking?>
<title>Forensics and incident response</title>
<para>A lot of activity goes on within a cloud environment. It is a mix of hardware, operating systems, virtual machine managers, the OpenStack services, cloud-user activity such as creating instances and attaching storage, the network underlying the whole, and finally end-users using the applications running on the various instances.</para>
<para>The generation and collection of logs is an important component of securely monitoring an OpenStack infrastructure. Logs provide visibility into the day-to-day actions of administrators, tenants, and guests, in addition to the activity in the compute, networking, and storage and other components that comprise your OpenStack deployment.</para>
<para>The basics of logging: configuration, setting log level, location of the log files, and how to use and customize logs, as well as how to do centralized collections of logs is well covered in the <link xlink:href="http://docs.openstack.org/ops/"><citetitle>OpenStack Operations Guide</citetitle></link>.</para>
<para>Logs are not only valuable for proactive security and continuous compliance activities, but they are also a valuable information source for investigating and responding to incidents.</para>
<para>For instance, analyzing the access logs of Identity Service or its replacement authentication system would alert us to failed logins, frequency, origin IP, whether the events are restricted to select accounts and other pertinent information. Log analysis supports detection.</para>
<para>Actions may be taken to mitigate potential malicious activity such as blacklisting an IP address, recommending the strengthening of user passwords, or de-activating a user account if it is deemed dormant.</para>
<para>
A lot of activity goes on within a cloud environment. It is a
mix of hardware, operating systems, virtual machine managers,
the OpenStack services, cloud-user activity such as creating
instances and attaching storage, the network underlying the
whole, and finally end-users using the applications running on
the various instances.
</para>
<para>
The generation and collection of logs is an important component
of securely monitoring an OpenStack infrastructure. Logs provide
visibility into the day-to-day actions of administrators,
tenants, and guests, in addition to the activity in the compute,
networking, and storage and other components that comprise your
OpenStack deployment.
</para>
<para>
The basics of logging: configuration, setting log level,
location of the log files, and how to use and customize logs, as
well as how to do centralized collections of logs is well
covered in the <link
xlink:href="http://docs.openstack.org/ops/"><citetitle>OpenStack
Operations Guide</citetitle></link>.
</para>
<para>
Logs are not only valuable for proactive security and continuous
compliance activities, but they are also a valuable information
source for investigating and responding to incidents.
</para>
<para>
For instance, analyzing the access logs of Identity Service or
its replacement authentication system would alert us to failed
logins, frequency, origin IP, whether the events are restricted
to select accounts and other pertinent information. Log analysis
supports detection.
</para>
<para>
Actions may be taken to mitigate potential malicious activity
such as blacklisting an IP address, recommending the
strengthening of user passwords, or de-activating a user account
if it is deemed dormant.
</para>
<section xml:id="forensics-and-incident-response-idp60511">
<title>Monitoring use cases</title>
<para>Monitoring events is more pro-active and provides real-time detection and response. There are several tools to aid in monitoring.</para>
<para>In the case of an OpenStack cloud instance, we need to monitor the hardware, the OpenStack services, and the cloud resource usage. The last stems from wanting to be elastic, to scale to the dynamic needs of the users.</para>
<para>Here are a few important use cases to consider when implementing log aggregation, analysis and monitoring. These use cases can be implemented and monitored through various commercial and open source tools, homegrown scripts, etc. These tools and scripts can generate events that can then be sent to the administrators through email or integrated dashboard. It is important to consider additional use cases that may apply to your specific network and what you may consider anomalous behavior.</para>
<itemizedlist><listitem>
<para>Detecting the absence of log generation is an event of high value. Such an event would indicate a service failure or even an intruder who has temporarily switched off logging or modified the log level to hide their tracks.</para>
<para>
Event monitoring is a more pro-active approach to securing an
environment, providing real-time detection and response. Several
tools exist which can aid in monitoring.
</para>
<para>
In the case of an OpenStack cloud instance, we need to monitor
the hardware, the OpenStack services, and the cloud resource
usage. The latter stems from wanting to be elastic, to scale to
the dynamic needs of the users.
</para>
<para>
Here are a few important use cases to consider when implementing
log aggregation, analysis and monitoring. These use cases can be
implemented and monitored through various applications, tools or
scripts. There are open source and commercial solutions and some
operators develop their own in-house solutions. These tools and
scripts can generate events that can be sent to administrators
through email or viewed in the integrated dashboard. It is
important to consider additional use cases that may apply to
your specific network and what you may consider anomalous
behavior.
</para>
<itemizedlist>
<listitem>
<para>
Detecting the absence of log generation is an event of high
value. Such an event would indicate a service failure or
even an intruder who has temporarily switched off logging or
modified the log level to hide their tracks.
</para>
</listitem>
</itemizedlist>
<itemizedlist><listitem>
<para>Application events such as start and/or stop that were unscheduled would also be events to monitor and examine for possible security implications.</para>
<listitem>
<para>
Application events such as start or stop events that were
unscheduled would also be events to monitor and examine for
possible security implications.
</para>
</listitem>
</itemizedlist>
<itemizedlist><listitem>
<para>OS events on the OpenStack service machines such as user logins, restarts also provide valuable insight into use/misuse</para>
<listitem>
<para>
Operating system events on the OpenStack service machines
such as user logins or restarts also provide valuable
insight into proper and improper usage of systems.
</para>
</listitem>
</itemizedlist>
<itemizedlist><listitem>
<para>Being able to detect the load on the OpenStack servers also enables responding by way of introducing additional servers for load balancing to ensure high availability.</para>
<listitem>
<para>
Being able to detect the load on the OpenStack servers also
enables responding by way of introducing additional servers
for load balancing to ensure high availability.
</para>
</listitem>
</itemizedlist>
<itemizedlist><listitem>
<para>Other events that are actionable are networking bridges going down, ip tables being flushed on compute nodes and consequential loss of access to instances resulting in unhappy customers.</para>
<listitem>
<para>
Other events that are actionable are networking bridges
going down, ip tables being flushed on compute nodes and
consequential loss of access to instances resulting in
unhappy customers.
</para>
</listitem>
</itemizedlist>
<itemizedlist><listitem>
<para>To reduce security risks from orphan instances on a user/tenant/domain deletion in the Identity service there is discussion to generate notifications in the system and have OpenStack components respond to these events as appropriate such as terminating instances, disconnecting attached volumes, reclaiming CPU and storage resources etc.</para>
<listitem>
<para>
To reduce security risks from orphan instances on a
user, tenant, or domain deletion in the Identity service there is
discussion to generate notifications in the system and have
OpenStack components respond to these events as appropriate
such as terminating instances, disconnecting attached
volumes, reclaiming CPU and storage resources and so on.
</para>
</listitem>
</itemizedlist>
<para>A cloud will host many virtual instances, and monitoring these instances goes beyond hardware monitoring and log files which may just contain CRUD events.</para>
<para>Security monitoring controls such as intrusion detection software, antivirus software, and spyware detection and removal utilities can generate logs that show when and how an attack or intrusion took place. Deploying these tools on the cloud machines provides value and protection. Cloud users, those running instances on the cloud may also want to run such tools on their instances.</para>
</itemizedlist>
<para>
A cloud will host many virtual instances, and monitoring these
instances goes beyond hardware monitoring and log files which
may just contain CRUD events.
</para>
<para>
Security monitoring controls such as intrusion detection
software, antivirus software, and spyware detection and removal
utilities can generate logs that show when and how an attack or
intrusion took place. Deploying these tools on the cloud
machines provides value and protection. Cloud users, those
running instances on the cloud, may also want to run such tools
on their instances.
</para>
</section>
<section xml:id="forensics-and-incident-response-idp60512">
<title>References</title>
<para><link xlink:href="http://www.mirantis.com/blog/openstack-monitoring/">http://www.mirantis.com/blog/openstack-monitoring/</link></para>
<para><link xlink:href="http://blog.sflow.com/2012/01/host-sflow-distributed-agent.html">http://blog.sflow.com/2012/01/host-sflow-distributed-agent.html</link></para>
<para><link xlink:href="http://blog.sflow.com/2009/09/lan-and-wan.html">http://blog.sflow.com/2009/09/lan-and-wan.html</link></para>
<para><link xlink:href="http://blog.sflow.com/2013/01/rapidly-detecting-large-flows-sflow-vs.html">http://blog.sflow.com/2013/01/rapidly-detecting-large-flows-sflow-vs.html</link></para>
<para>
<link xlink:href="http://www.mirantis.com/blog/openstack-monitoring/">http://www.mirantis.com/blog/openstack-monitoring/</link>
</para>
<para>
<link xlink:href="http://blog.sflow.com/2012/01/host-sflow-distributed-agent.html">http://blog.sflow.com/2012/01/host-sflow-distributed-agent.html</link>
</para>
<para>
<link xlink:href="http://blog.sflow.com/2009/09/lan-and-wan.html">http://blog.sflow.com/2009/09/lan-and-wan.html</link>
</para>
<para>
<link xlink:href="http://blog.sflow.com/2013/01/rapidly-detecting-large-flows-sflow-vs.html">http://blog.sflow.com/2013/01/rapidly-detecting-large-flows-sflow-vs.html</link>
</para>
</section>
</section>