Recovering data from a compromised VM: Difference between revisions

From Alliance Doc
Jump to navigation Jump to search
m (Shuber moved page Recovering from a compromised VM to Recovering data from a compromised VM without leaving a redirect: Part of translatable page "Recovering from a compromised VM")
No edit summary
Line 11: Line 11:


==What happens when we detect a compromised VM?== <!--T:3-->
==What happens when we detect a compromised VM?== <!--T:3-->
* the compromise is confirmed by looking at network traffic logs and other sources
* the compromise is confirmed by looking at network traffic logs and other sources,
* the VM is shutdown and administratively locked
* the VM is shut down and administratively locked,
* you will be notified when a ticket is created via OTRS
* you will be notified when a ticket is created via OTRS.


==Why do I need to rebuild?== <!--T:4-->
==Why do you need to rebuild?== <!--T:4-->
* you cannot start an administratively locked VM
* you cannot start an administratively locked VM,
* unfortunately a compromised VM is no longer trustworthy
* unfortunately, a compromised VM is no longer trustworthy,
* you are required to build new VM
* you are required to build a new VM,
* you will need to recover your software, settings, and data
* you will need to recover your software, settings, and data.


==What steps should I take to recover?== <!--T:5-->
==What steps should you take to recover?== <!--T:5-->
* contact the support team and outline your recovery plan
* contact the support team and outline your recovery plan,
* if access to the filesystem is required the Cloud support team will unlock the volume
* if access to the filesystem is required, the Cloud support team will unlock the volume
* login to the OpenStack admin console
* log in to the OpenStack admin console,
* create a new volume and launch a new instance with the new volume
* create a new volume and launch a new instance with the new volume,
* under "Volumes" chose "Manage Attachments" near the old volume and chose "Detach Volume"
* under <i>Volumes</i> select <i>Manage Attachments</i> near the old volume and select <i>Detach Volume</i>,
* under "Volumes" chose "Manage Attachments" near the old volume and chose "Attach To Instance"
* under <i>Volumes</i> select <i>Manage Attachments</i> near the old volume and select <i>Attach To Instance</i>,
* boot into the new volume
* boot in to the new volume,
* mount the old volume from /dev/vdb to /mnt
* mount the old volume from <code>/dev/vdb</code> to <code>/mnt</code>,
* recover files as necessary
* recover files as necessary.


<!--T:7-->
<!--T:7-->
[[Category:Cloud]]
[[Category:Cloud]]
</translate>
</translate>

Revision as of 20:52, 24 May 2023

Other languages:

Parent page: Cloud

On the cloud, you are responsible to recover from a compromised VM.

This document is not a complete guide, but will set out some things you need to do when your VM is compromised.

What happens when we detect a compromised VM?

  • the compromise is confirmed by looking at network traffic logs and other sources,
  • the VM is shut down and administratively locked,
  • you will be notified when a ticket is created via OTRS.

Why do you need to rebuild?

  • you cannot start an administratively locked VM,
  • unfortunately, a compromised VM is no longer trustworthy,
  • you are required to build a new VM,
  • you will need to recover your software, settings, and data.

What steps should you take to recover?

  • contact the support team and outline your recovery plan,
  • if access to the filesystem is required, the Cloud support team will unlock the volume
  • log in to the OpenStack admin console,
  • create a new volume and launch a new instance with the new volume,
  • under Volumes select Manage Attachments near the old volume and select Detach Volume,
  • under Volumes select Manage Attachments near the old volume and select Attach To Instance,
  • boot in to the new volume,
  • mount the old volume from /dev/vdb to /mnt,
  • recover files as necessary.