Customer looking to detect unauthorized creation of Xen VM

Hi,

Essentials: SLES 11 SP3 x86_64 running Xen Hypervisor and SLE 11 SP3 HAE

I have a customer who is looking to audit certain activity. He wants to know when someone tries to create a Xen guest. I’m assuming that there is activity either in the syslog or somewhere else, and I’m looking for a little guidance to expedite my search. Do you have any suggestions that might help me? Thanks!

Elliott

On 12/05/2015 23:04, ElliottRScott wrote:

> Essentials: SLES 11 SP3 x86_64 running Xen Hypervisor and SLE 11 SP3
> HAE
>
> I have a customer who is looking to audit certain activity. He wants to
> know when someone tries to create a Xen guest. I’m assuming that there
> is activity either in the syslog or somewhere else, and I’m looking for
> a little guidance to expedite my search. Do you have any suggestions
> that might help me? Thanks!

Perhaps enable Xen debug logging then monitor the log files for create
events using syslog-ng?

HTH.

Simon
SUSE Knowledge Partner


Thanks for the suggestion, Simon. I’m concerned that turning on debug mode might create too much traffic/overhead and hamper performance. I’m guessing that I might also have to do something about log file rotation, etc. Any thoughts on that?

Elliott

Hi
How do you wish to audit real time, email on creation etc?

The xm tool, e.g. xm list, shows all the VMs; AFAIK, libvirt and the virsh
command also monitor Xen VMs.

You could also audit user command history and filter that to see who
uses the create command.


Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
SUSE Linux Enterprise Desktop 12 GNOME 3.10.1 Kernel 3.12.39-47-default

Hi Elliott,

# grep XendDomainInfo.create /var/log/xen/xend.log

will list any DomU creation - so if you want to monitor in real time, go ahead and watch that file via your favorite management tool (even if that is just a script that follows the file, filters out those lines and sends an email upon detection).

Regards,
Jens
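The filter Jens describes, as an added example that is not from any poster in this thread: it pulls the timestamp and guest name out of each XendDomainInfo.create line so the result can be fed to a mail hook or syslog-ng. The xend.log line layout ("[date time pid] LEVEL (module:line) message" with the SXP config carrying ['name', '...']) is assumed from memory, and the sample log lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the thread. Assumes xend.log lines look like:
#   [YYYY-MM-DD HH:MM:SS pid] LEVEL (module:line) XendDomainInfo.create(['vm', ['name', 'guest'], ...])
# Constructed sample log (not a real capture): two creations, two unrelated lines.
SAMPLE_LOG=$(cat <<'EOF'
[2015-05-12 23:04:01 4242] DEBUG (XendDomainInfo:102) XendDomainInfo.create(['vm', ['name', 'sles11-web'], ['memory', 1024]])
[2015-05-12 23:04:02 4242] DEBUG (XendDomainInfo:2105) XendDomainInfo.initDomain: xen_os_type: 'linux'
[2015-05-12 23:10:45 4242] INFO (XendDomainInfo:1906) Domain has shutdown: name=sles11-web id=5 reason=poweroff.
[2015-05-13 08:15:30 4242] DEBUG (XendDomainInfo:102) XendDomainInfo.create(['vm', ['name', 'db01'], ['memory', 2048]])
EOF
)

# Read xend.log lines on stdin; print "YYYY-MM-DD HH:MM:SS guestname" for
# every DomU creation. Lines that do not carry a 'name' entry are dropped
# by sed -n, so a truncated create line cannot produce a bogus alert.
xen_create_events() {
    grep 'XendDomainInfo\.create(' |
    sed -n "s/^\[\([0-9-]* [0-9:]*\) [0-9]*\] .*\['name', '\([^']*\)'\].*/\1 \2/p"
}

# Count creation events on stdin (handy for a periodic cron check).
count_create_events() {
    xen_create_events | wc -l | tr -d ' '
}

# Follow the live log (default path from the thread) and emit events as they
# appear; pipe this into mail(1) or a syslog-ng program() source.
# Assumes GNU tail (-F survives log rotation). Not run here, only defined.
watch_xend_log() {
    tail -F "${1:-/var/log/xen/xend.log}" | xen_create_events
}

# Stand-alone demo on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | xen_create_events
```

Expected output of the demo is one line per creation: `2015-05-12 23:04:01 sles11-web` and `2015-05-13 08:15:30 db01`.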