This project aims at monitoring runtime health of virtual machines deployed on any cloud platform such as openstack, opennebula, etc. It is loosely based on the CloudMonatt architecture for openstack infrastructure. The term loosely is used because it does not provide a customized API for services provided by openstack, i.e., it is not strictly bound to the openstack infrastructure. The following figure shows the high level design of the CloudMonatt architecture (source: Monitoring and attestation of virtual machine security health, Tianwei Zhang, Ruby B. Lee)
This application is uses a client-server model to monitor the virtual machines. It contains two major components:
- Attestation agent: A multi-threaded application that runs on each virtual machine. It collects relevant system attributes and sends them to the attestation server.
- Attestation server: A web server which receives runtime system information sent by the attestation agent, saves them in a database and provides access to them via a web API.
________________________
| |
| Cloud infrastructure |
| ____________________ | HTTP traffic ______________________ _________________
| | |-|----------------| | | |
| | Virtual Machine | | | Attestation server |--------| Web interface |
| |____________________|-|----------------|______________________| |_________________|
| | Socket traffic
|________________________|
Requires:
node v18.16.0 (LTS)- See
package.jsonfor all dependencies. - PostgreSQL Database
-
On Linux (Debian), install using
sudo apt install postgresql-XWhere
Xis the major version number like:postgresql-14,postgresql-15Start the database, configure user credentials to access the database as follows:
# Create the database sudo -u postgres createdb -e cec-term-project-group-8 # Change the password for 'postgres' user # Connect to the database, 'postgres' user is allowed without authentication sudo -u postgres psql # Change the password by entering '\password' \password # Connect to the database, enter the password on prompt psql -U postgres cec-term-project-group-8 # Set the configured '<username>:<password>' and the database name in the '.env' file. DATABASE_URL="postgres://postgres:p4ssw0rd@localhost/cec-term-project-group-8"
-
Setup process:
- Clone the
attestation-serverdirectory on a machine that will act as the attestation server. - Install required dependencies:
$ npm install - Set the following environment variables:
DATABASE_URLPORT
- Start server:
$ node app.js - The server should now be running on
PORTport (default=3000).
Requires:
python v3.10+python-socketio v5.8.0requests v2.29.0
Setup process:
- Install and enable auditd for system auditing (requires
sudoprivileges):
$ apt install auditd audispd-plugins
$ systemctl enable auditd - Clone the
attestation_agentdirectory on a virtual machine. - Install required packages:
$ pip install -r attestation_agent/requirements.txt - Configure parameters in
attestation_agent/config.py:ATTESTATION_HOST: IPv4 address of the attestation server.ATTESTATION_PORT: Port on which attestation server API is available.
- Other parameters can also be changed based on system configuration.
- Run the agent:
$ python -m attestation_agent
Requires:
node v18.16.0 (LTS)- See
package.jsonfor all dependencies.
Setup process:
- Clone the
frontenddirectory on some machine (can be same as the attestation server) and navigate inside it. - Install required dependencies:
$ npm install- If this does not work due to mismatched versions, use:
$ npm install --legacy-peer-deps
- If this does not work due to mismatched versions, use:
- Start server:
$ npm start - The frontend should now be running on port
8080.
Note:
- This has been tested on Ubuntu Server 22.04 instances, independent from the openstack infrastructure. Running this on openstack requires some additional configurations which are specific to managing instances on the infrastructure itself.
- The attestation agent runs completely in user mode. On Ubuntu server, reading
log files does not require
sudoprivileges. However, running this on other servers such as CentOS, Fedora, etc., may require modifying read permissions for the log files specified inattestation_agent/config.py.
