[H-GEN] Fixes for excalibur's backup

Robert Brockway robert at timetraveller.org
Mon Jul 13 22:14:04 EDT 2009


On Tue, 14 Jul 2009, Russell Stuart wrote:

> Is there anyway to get to the VM if it has been compromised and we are
> locked out?  (I have never used linode, so I don't know.) It is not like

We can get to the console even if we close regular network access to the 
box.  I'll show the other admins how to do that.

> we can toddle down into UQ's basement and get copy of the drive and do
> forensics on it.  If we don't, the only way to look at the log files is
> from the backups.  What you loose in that case is all history (apache,
> sudo, etc).  If you are trying to prevent a similar exploit in the
> future that information can be pretty useful.  Particularly so because

Yep that would be the price we'd pay.

I've done a lot of forensics following up on breakins and I'd say the logs 
were really useful to find the cause in maybe 50% of cases.  Having said 
that the vast majority of breakins I've looked at occured because the 
system was behind in security updates rather than alternative causes like 
a config error or a vulnerable custom web app.

So yes I'd like to have the logs in case of a breakin but perhaps the 
price is too high.

> Look in /etc/rdiff-image/rdiff-image.conf to see what is currently
> excluded.

Great thanks.

Cheers,

Rob

-- 
I tried to change the world but they had a no-return policy
Projected IPv4 exhaustion: http://www.potaroo.net/tools/ipv4/index.html



More information about the General mailing list