Recovering data from a compromised VM: Difference between revisions

From Alliance Doc
Jump to navigation Jump to search
m (Add CC-Cloud flag)
No edit summary
 
(7 intermediate revisions by 3 users not shown)
Line 1: Line 1:
{{Draft}}
<languages/>
<languages/>
<translate>
<translate>
Line 7: Line 5:


<!--T:1-->
<!--T:1-->
On the [[CC-Cloud|cloud]], you are responsible to recover from a compromised VM.
You are responsible for recovering data out of a VM that has been compromised.


<!--T:2-->
<!--T:2-->
This document is not a complete guide, but will set out some things you need to do when your VM is compromised.
The information in this page is not complete, but sets out what you need to do in this situation.


==What happens when we detect a compromised VM?== <!--T:3-->
==What happens when we detect a compromised VM?== <!--T:3-->
* the compromise is confirmed by looking at network traffic logs and other sources
# Our support team confirms this by investigating network traffic logs and other sources.
* the VM is shutdown and administratively locked
# The VM is shut down and locked at the sysadmin level.
* you will be notified when a ticket is created via OTRS
# You are notified by email.


==Why do I need to rebuild?== <!--T:3-->
==Why do you need to rebuild?== <!--T:4-->
* you cannot start an administratively locked VM
* You cannot start an administratively locked VM.
* unfortunately a compromised VM is no longer trustworthy
* The contents of the VM are no longer trustworthy, but it is relatively safe to extract the data.
* you are required to build new VM
* You have to build a new VM.
* you will need to recover your software, settings, and data


==What steps should I take to recover?== <!--T:3-->
==What steps should you take?== <!--T:5-->
* contact the support team and outline your recovery plan
# Send an email to [mailto:cloud@tech.alliancecan.ca cloud@tech.alliancecan.ca] outlining your recovery plan; if access to the filesystem is required, the cloud support team will unlock the volume.
* if access to the filesystem is required the Cloud support team will unlock the volume
# Log in to the OpenStack admin console.
* login to the OpenStack admin console
# Launch a new instance that will be used for data rescue operations.
* create a new volume and launch a new instance with the new volume
# Under <i>Volumes</i>, select <i>Manage Attachments</i> from the dropdown list at the far right for the volume that was compromised and click on the <i>Detach Volume</i> button.
* under "Volumes" chose "Manage Attachments" near the old volume and chose "Detach Volume"
# Under <i>Volumes</i>, select <i>Manage Attachments</i> for the volume that was compromised and select <i>Attach To Instance</i> (select the recovery instance you just launched).
* under "Volumes" chose "Manage Attachments" near the old volume and chose "Attach To Instance"
# ssh in to your recovery instance: you will now see your old, compromised volume available as the “vdb” disk.
* boot into the new volume
# Mounting the appropriate filesystem out of a partition or an LVM logical volume depends on how the base OS image was created. Because instructions vary greatly, contact someone with experience to continue.
* mount the old volume from /dev/vdb to /mnt
* recover files as necessary


[[Category:CC-Cloud]]
<!--T:7-->
[[Category:Cloud]]
</translate>
</translate>

Latest revision as of 16:50, 30 May 2023

Other languages:

Parent page: Cloud

You are responsible for recovering data out of a VM that has been compromised.

The information in this page is not complete, but sets out what you need to do in this situation.

What happens when we detect a compromised VM?

  1. Our support team confirms this by investigating network traffic logs and other sources.
  2. The VM is shut down and locked at the sysadmin level.
  3. You are notified by email.

Why do you need to rebuild?

  • You cannot start an administratively locked VM.
  • The contents of the VM are no longer trustworthy, but it is relatively safe to extract the data.
  • You have to build a new VM.

What steps should you take?

  1. Send an email to cloud@tech.alliancecan.ca outlining your recovery plan; if access to the filesystem is required, the cloud support team will unlock the volume.
  2. Log in to the OpenStack admin console.
  3. Launch a new instance that will be used for data rescue operations.
  4. Under Volumes, select Manage Attachments from the dropdown list at the far right for the volume that was compromised and click on the Detach Volume button.
  5. Under Volumes, select Manage Attachments for the volume that was compromised and select Attach To Instance (select the recovery instance you just launched).
  6. ssh in to your recovery instance: you will now see your old, compromised volume available as the “vdb” disk.
  7. Mounting the appropriate filesystem out of a partition or an LVM logical volume depends on how the base OS image was created. Because instructions vary greatly, contact someone with experience to continue.