System Recovery


The company loses money every minute that the system is unavailable. This may be lost income or it may be lost productivity. However, restoring services may be of little value if the data on the system have been compromised or if the hacker still has access. Restoration of services involves bringing both the specific service and the system that supports it online. The restoration of the system may enable other services, which will also need to be verified as uncompromised.

  • Availability: There may be cases where loss of service (user or application downtime) is more important than restoring data. These cases could include systems that control automated environments, factory floors, or where income is based on having the service available, such as service providers or network providers.

    Often in these cases, restoring services is more important than securing the system. If you restore services prior to determining the cause, you may find yourself involved in combat with an attacking hacker. This can turn into a long and painful battle.

    If you are planning to restore services or data prior to determining the cause, it is best to make a complete "image" backup, including the entire disks and not just the files on the disk, so that the cause can be determined at a later time.

  • Integrity: Restoring the integrity of a system requires the verification of all parts of the system. Intruders will often compromise the integrity of a system by planting malicious software, such as back doors and Trojan horses. The integrity of the processes is vital to the accuracy of the results.

  • Confidentiality: The installation of information-gathering software is common in attacks. These programs primarily assist in gathering information that will be used to gain more access or privileges. However, they are also used to gather information from the victim organization. One such tool, a network sniffer, is able to gather information from systems that have not been compromised by monitoring all the information that travels over the network.

    The information system must be sufficiently secured prior to restoring services to ensure that restarting the services will not allow more information to be compromised.
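The "image" backup recommended under Availability, as an added example that is not from the book: the whole disk is copied block for block and a SHA-256 hash is recorded so the copy can later be shown to be unchanged. The device name, the file names and the `.sha256` sidecar convention are assumptions, and the source is assumed not to be written to while it is read (rescue media or a read-only mount).

```shell
#!/bin/sh
# Added example: image a whole disk and record a hash for later analysis.
# SRC is normally a raw device such as /dev/sda (assumed name).

# sha256_of FILE: print the SHA-256 digest of FILE
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# image_disk SRC DEST: block-for-block copy plus a DEST.sha256 sidecar.
# Fails unless the finished image hashes the same as the source.
image_disk() {
    src=$1; dest=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    if [ -e "$dest" ]; then
        echo "$dest exists, refusing to overwrite" >&2; return 3
    fi
    src_hash=$(sha256_of "$src")
    dd if="$src" of="$dest" bs=1M 2>/dev/null || return 4
    img_hash=$(sha256_of "$dest")
    if [ "$src_hash" != "$img_hash" ]; then
        echo "image does not match source" >&2; return 5
    fi
    printf '%s  %s\n' "$img_hash" "$(basename "$dest")" > "$dest.sha256"
    chmod 444 "$dest" "$dest.sha256"   # guard against accidental edits
}

# verify_image DEST: re-check the image against its recorded hash.
verify_image() {
    recorded=$(awk '{print $1}' "$1.sha256") || return 2
    [ "$recorded" = "$(sha256_of "$1")" ]
}

# Usage: script image SRC DEST | script verify DEST
case "${1:-}" in
    image)  image_disk "$2" "$3" ;;
    verify) verify_image "$2" ;;
esac
```

Write the image to separate media, not to the disk being imaged, and run `verify` before any later analysis.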
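One way to carry out the verification described under Integrity, as an added example that is not from the book: every file under a restored tree is hashed and compared with a known-good manifest, and anything modified, missing or added is reported. The manifest format (plain `sha256sum` output with paths relative to the tree root) and the function names are assumptions; the baseline and the tools themselves are assumed to come from trusted media, not from the system being checked.

```shell
#!/bin/sh
# Added example: compare a restored tree against a known-good hash manifest.
# Manifest lines are "HASH  PATH" as written by sha256sum (assumed format).

# make_manifest ROOT: print a sorted manifest of every regular file under ROOT
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k2 )
}

# compare_manifest BASELINE ROOT: print MODIFIED/ADDED/MISSING lines and
# return 0 only when the tree matches the baseline exactly.
compare_manifest() {
    current=$(mktemp) || return 2
    make_manifest "$2" > "$current"
    awk '
        { path = substr($0, 67) }            # text after 64 hex chars + 2 spaces
        NR == FNR { base[path] = $1; next }  # first file: the baseline
        {
            if (!(path in base))        print "ADDED    " path
            else if (base[path] != $1)  print "MODIFIED " path
            seen[path] = 1
        }
        END { for (p in base) if (!(p in seen)) print "MISSING  " p }
    ' "$1" "$current" | sort > "$current.report"
    cat "$current.report"
    if [ -s "$current.report" ]; then rc=1; else rc=0; fi
    rm -f "$current" "$current.report"
    return $rc
}

# Usage: script baseline ROOT > manifest | script check manifest ROOT
case "${1:-}" in
    baseline) make_manifest "$2" ;;
    check)    compare_manifest "$2" "$3" ;;
esac
```

An ADDED entry in a system directory deserves the same attention as a MODIFIED one, since planted back doors are new files as often as replaced ones.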

HP-UX

Ignite-UX's make_recovery command creates a system recovery tape. This tape can be used to boot and recover a system which has become unbootable due to corruption of the root disk or volume group. A system can be booted and installed from the tape without user intervention for configuration, customization, software selection, hostname, or IP address.

The system recovery tape consists of a boot image, followed by an archive of system files that comprises a minimum core OS. The minimum core OS consists of /stand, /sbin, /dev, /etc, and subsets of /usr, /opt, and /var that are required during the install process. The devices or volume groups that correspond to the file systems/directories /, /dev, /etc, /sbin, /stand, and /usr are considered core devices or volume groups. These devices or volume groups are re-created during the recovery process. All non-OS data on them is removed during the recovery process and is restored only if it was specifically appended to the recovery tape. If /opt or /var are mounted elsewhere, they are not reinstalled during the recovery process and are fully preserved.

The make_recovery command provides a mechanism for you to specify your own non-system files in the archive by using the /var/adm/makrec.append file. These specifications are limited to files or directories that belong to file systems in the core devices or volume groups. To specify including all files from core volume groups, use the -A option.

The make_recovery command also provides a mechanism for you to exclude selected files from the archive via the -p and -r options. For backing up and recovering non-core file systems which are not on the core device or volume groups, you would use normal backup utilities.

Linux

Reinstallations of Linux systems are performed in the same manner as original installations. However, Red Hat provides a tool, kickstart, which allows you to build a single file containing the answers to all the questions that would normally be asked during a typical Red Hat Linux installation. This provides administrators with an automated installation method to create a system with a specific configuration.

Kickstart installations can be performed using a local CD-ROM, a local hard drive, or via NFS, FTP, or HTTP. Normally, a kickstart file (ks.cfg) is copied to the boot disk or made available on the network. To begin a kickstart installation, you must boot the system from a Red Hat Linux boot diskette or the CD-ROM and enter a special boot command at the boot prompt. If the kickstart file is located on a boot diskette that was created from the boot.img or bootnet.img image file, the correct boot command is:

 boot: linux ks=floppy 

Kickstart installations can also be run interactively so that the default values will populate the input fields, but the administrator has the option to override them.



Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
EAN: 2147483647
Year: 2002
Pages: 210
