Recovering data from a compromised VM: Difference between revisions

From Alliance Doc
Jump to navigation Jump to search
No edit summary
No edit summary
 
(One intermediate revision by the same user not shown)
Line 14: Line 14:
# The VM is shut down and locked at the sysadmin level.
# The VM is shut down and locked at the sysadmin level.
# You are notified by email.
# You are notified by email.


==Why do you need to rebuild?== <!--T:4-->
==Why do you need to rebuild?== <!--T:4-->
Line 20: Line 19:
* The contents of the VM are no longer trustworthy, but it is relatively safe to extract the data.
* The contents of the VM are no longer trustworthy, but it is relatively safe to extract the data.
* You have to build a new VM.
* You have to build a new VM.


==What steps should you take?== <!--T:5-->
==What steps should you take?== <!--T:5-->
# Contact the cloud support team and outline your recovery plan; if access to the filesystem is required, the cloud support team will unlock the volume.
# Send an email to [mailto:cloud@tech.alliancecan.ca cloud@tech.alliancecan.ca] outlining your recovery plan; if access to the filesystem is required, the cloud support team will unlock the volume.
# Log in to the OpenStack admin console.
# Log in to the OpenStack admin console.
# Launch a new instance that will be used for data rescue operations.
# Launch a new instance that will be used for data rescue operations.
# Under <i>Volumes</i>, select <i>Manage Attachments</i> from the dropdown list at the far right for the volume that was compromised and click on the <i>Detach Volume</i> button.
# Under <i>Volumes</i>, select <i>Manage Attachments</i> from the dropdown list at the far right for the volume that was compromised and click on the <i>Detach Volume</i> button.
# Under <i>Volumes</i>, select <i>Manage Attachments</i> for the volume that was compromised and select <i>Attach To Instance</i> (select the recovery instance you just launched).
# Under <i>Volumes</i>, select <i>Manage Attachments</i> for the volume that was compromised and select <i>Attach To Instance</i> (select the recovery instance you just launched).
# ssh into your recovery instance, you will now see your old, compromised volume available as the “vdb” disk
# ssh in to your recovery instance: you will now see your old, compromised volume available as the “vdb” disk.
# Mounting the appropriate filesystem out of a partition or a LVM logical volume depends on how the base OS image was created; instructions vary greatly, so contact someone with experience to continue.
# Mounting the appropriate filesystem out of a partition or an LVM logical volume depends on how the base OS image was created. Because instructions vary greatly, contact someone with experience to continue.


<!--T:7-->
<!--T:7-->
[[Category:Cloud]]
[[Category:Cloud]]
</translate>
</translate>

Latest revision as of 16:50, 30 May 2023

Other languages:

Parent page: Cloud

You are responsible for recovering data out of a VM that has been compromised.

The information in this page is not complete, but sets out what you need to do in this situation.

What happens when we detect a compromised VM?

  1. Our support team confirms this by investigating network traffic logs and other sources.
  2. The VM is shut down and locked at the sysadmin level.
  3. You are notified by email.

Why do you need to rebuild?

  • You cannot start an administratively locked VM.
  • The contents of the VM are no longer trustworthy, but it is relatively safe to extract the data.
  • You have to build a new VM.

What steps should you take?

  1. Send an email to cloud@tech.alliancecan.ca outlining your recovery plan; if access to the filesystem is required, the cloud support team will unlock the volume.
  2. Log in to the OpenStack admin console.
  3. Launch a new instance that will be used for data rescue operations.
  4. Under Volumes, select Manage Attachments from the dropdown list at the far right for the volume that was compromised and click on the Detach Volume button.
  5. Under Volumes, select Manage Attachments for the volume that was compromised and select Attach To Instance (select the recovery instance you just launched).
  6. ssh in to your recovery instance: you will now see your old, compromised volume available as the “vdb” disk.
  7. Mounting the appropriate filesystem out of a partition or an LVM logical volume depends on how the base OS image was created. Because instructions vary greatly, contact someone with experience to continue.