Recovering data from a compromised VM

From Alliance Doc
Revision as of 20:52, 24 May 2023 by Diane27 (talk | contribs)

On the cloud, you are responsible for recovering from a compromised VM.

This document is not a complete guide, but it sets out some of the things you need to do when your VM is compromised.

What happens when we detect a compromised VM?

  • the compromise is confirmed by looking at network traffic logs and other sources,
  • the VM is shut down and administratively locked,
  • you will be notified when a ticket is created via OTRS.

Why do you need to rebuild?

  • you cannot start an administratively locked VM,
  • unfortunately, a compromised VM is no longer trustworthy,
  • you are required to build a new VM,
  • you will need to recover your software, settings, and data.

What steps should you take to recover?

  • contact the support team and outline your recovery plan,
  • if access to the filesystem is required, the Cloud support team will unlock the volume,
  • log in to the OpenStack admin console,
  • create a new volume and launch a new instance with the new volume,
  • under Volumes, select Manage Attachments next to the old volume and select Detach Volume,
  • under Volumes, select Manage Attachments next to the old volume again and select Attach To Instance to attach it to the new instance,
  • boot into the new volume,
  • mount the old volume (which appears as /dev/vdb) at /mnt,
  • recover files as necessary.
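The last two steps, as an added example that is not part of this wiki page: the old volume is mounted read-only with noexec/nosuid/nodev so nothing on the untrusted disk can run on the rebuilt VM, and only data paths are copied across. The device /dev/vdb and mount point /mnt come from the steps above; the destination /srv/recovered and the list of paths held back for manual review are assumptions.

```shell
#!/bin/sh
# Added example, not the Alliance wiki's own script. Assumes the old volume is /dev/vdb
# and is mounted at /mnt as in the recovery steps; DEST and the deny list are illustrative.
set -eu

OLD_DEV="${OLD_DEV:-/dev/vdb}"
MNT="${MNT:-/mnt}"
DEST="${DEST:-/srv/recovered}"

# Options for an untrusted filesystem: ro keeps the evidence intact, while
# noexec/nosuid/nodev prevent anything on it from executing or escalating here.
mount_opts() { printf '%s' 'ro,noexec,nosuid,nodev'; }

# Paths (relative to the old root) that hold startup, scheduling or login configuration
# rather than user data. Review these by hand instead of copying them to the new VM.
is_restorable() {
  case "$1" in
    etc/cron*|var/spool/cron*|etc/systemd/*|etc/init.d/*|etc/rc.local) return 1 ;;
    */.ssh/authorized_keys|*/.ssh/config|root/.ssh*) return 1 ;;
    */.bashrc|*/.profile|*/.bash_profile|etc/profile*|etc/ld.so.preload) return 1 ;;
    usr/*|bin/*|sbin/*|lib/*|lib64/*|boot/*|proc/*|sys/*|dev/*|tmp/*) return 1 ;;
    *) return 0 ;;
  esac
}

# Copy one relative path from the mounted old root if it passes the deny list.
recover_path() {
  rel="$1"
  if is_restorable "$rel"; then
    mkdir -p "$DEST/$(dirname "$rel")"
    cp -Rp "$MNT/$rel" "$DEST/$rel"
    echo "recovered: $rel"
  else
    echo "skipped (review manually): $rel" >&2
  fi
}

# Mount the old volume, recover the requested paths, then unmount it again.
recover_from_old_volume() {
  mount -o "$(mount_opts)" "$OLD_DEV" "$MNT"
  for rel in "$@"; do recover_path "$rel"; done
  umount "$MNT"
}

# Runs only when given paths, e.g.: sh recover.sh home/alice/projects var/www/html
if [ "$#" -gt 0 ]; then
  recover_from_old_volume "$@"
fi
```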