Recovering data from a compromised VM: Difference between revisions
Jump to navigation
Jump to search
(Marked this version for translation) |
m (Shuber moved page Recovering from a compromised VM to Recovering data from a compromised VM without leaving a redirect: Part of translatable page "Recovering from a compromised VM") |
(No difference)
|
Revision as of 19:30, 1 May 2023
Parent page: Cloud
On the cloud, you are responsible to recover from a compromised VM.
This document is not a complete guide, but will set out some things you need to do when your VM is compromised.
What happens when we detect a compromised VM?
- the compromise is confirmed by looking at network traffic logs and other sources
- the VM is shutdown and administratively locked
- you will be notified when a ticket is created via OTRS
Why do I need to rebuild?
- you cannot start an administratively locked VM
- unfortunately a compromised VM is no longer trustworthy
- you are required to build new VM
- you will need to recover your software, settings, and data
What steps should I take to recover?
- contact the support team and outline your recovery plan
- if access to the filesystem is required the Cloud support team will unlock the volume
- login to the OpenStack admin console
- create a new volume and launch a new instance with the new volume
- under "Volumes" chose "Manage Attachments" near the old volume and chose "Detach Volume"
- under "Volumes" chose "Manage Attachments" near the old volume and chose "Attach To Instance"
- boot into the new volume
- mount the old volume from /dev/vdb to /mnt
- recover files as necessary