[openstack-dev] [neutron] Security group logging
Hi team,

Have a nice day.

Since Security Group Logging was merged in Queens cycle, we've just found a critical bug which has been addressed in [1] and [2]. These patches are already in good shape now (got +2 from core reviewers). So, could you please help to review and bless these patches to be merged in Rocky stable branch? After that, we can backport to Queens stable branch.

[1] https://review.openstack.org/#/c/587681/
[2] https://review.openstack.org/#/c/587770/

Thank you in advance,
Best regards,
An

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Neutron] Security Group logging
>On Wed, 2014-04-09 at 00:02 +0100, Salvatore Orlando wrote:
>> Auditing has been discussed for the firewall extension.
>> However, it is reasonable to expect some form of auditing for security
>> group rules as well.
>>
>> To the best of my knowledge there has never been an explicit decision
>> to not support logging.
>> However, my guess here is that we might be better off with an auditing
>> service plugin integrating with security group and firewall agents
>> rather than baking the logging feature in the security group
>> extension.
>> Please note that I'm just thinking aloud here.
>
>+1. A notification event should be sent across the typical notifier
>mechanisms when a security group rule is changed or applied.

Throwing my hat in the ring for this as well. Preferably the message should include the UUID of the Group being changed, and also the UUID of the Instance if it's being applied.

>Best,
>-jay
Re: [openstack-dev] [Neutron] Security Group logging
On Wed, 2014-04-09 at 00:02 +0100, Salvatore Orlando wrote:
> Auditing has been discussed for the firewall extension.
> However, it is reasonable to expect some form of auditing for security
> group rules as well.
>
> To the best of my knowledge there has never been an explicit decision
> to not support logging.
> However, my guess here is that we might be better off with an auditing
> service plugin integrating with security group and firewall agents
> rather than baking the logging feature in the security group
> extension.
> Please note that I'm just thinking aloud here.

+1. A notification event should be sent across the typical notifier mechanisms when a security group rule is changed or applied.

Best,
-jay
Re: [openstack-dev] [Neutron] Security Group logging
Auditing has been discussed for the firewall extension. However, it is reasonable to expect some form of auditing for security group rules as well.

To the best of my knowledge there has never been an explicit decision to not support logging. However, my guess here is that we might be better off with an auditing service plugin integrating with security group and firewall agents rather than baking the logging feature in the security group extension. Please note that I'm just thinking aloud here.

Regards,
Salvatore

On 8 April 2014 23:17, CARVER, PAUL wrote:
> Are there any blueprints or discussion around logging the actions of
> iptables rules that are generated from security groups?
>
> Typically a firewall produces copious logs. As far as I can tell, Neutron
> security groups permit or deny traffic but don't provide any record at all
> of what happened. Obviously iptables itself supports logging, but I haven't
> seen anything in
> https://github.com/openstack/neutron/blob/master/neutron/agent/linux/iptables_firewall.py
> that looks like it adds logging rules.
>
> I'd be curious to know if this is just a case of no one having added it
> yet, or if there was any explicit decision to NOT support logging (either
> as a provider enforced standard, or as a tenant configurable per-rule
> setting.)
[openstack-dev] [Neutron] Security Group logging
Are there any blueprints or discussion around logging the actions of iptables rules that are generated from security groups?

Typically a firewall produces copious logs. As far as I can tell, Neutron security groups permit or deny traffic but don't provide any record at all of what happened. Obviously iptables itself supports logging, but I haven't seen anything in https://github.com/openstack/neutron/blob/master/neutron/agent/linux/iptables_firewall.py that looks like it adds logging rules.

I'd be curious to know if this is just a case of no one having added it yet, or if there was any explicit decision to NOT support logging (either as a provider enforced standard, or as a tenant configurable per-rule setting.)