
I had a thought and would be interested in seeing if it passes the sniff test with the smarter folks here.

I have a web-facing server. I'll call it WEB1. I believe I have taken the standard precautions and as of yet it hasn't been co-opted, as far as I know. For the sake of my question, assume I have done well. In spite of my best efforts, it is still possible some evil-doer could find an "in".

The WEB1 server is a VM. It is running on a dedicated Linux box that I'll call HOST1. It has no Internet visibility. From HOST1 I can look at WEB1's VM file. Is there a "smart" way to tell if the OS of WEB1 has been modified by looking at it from HOST1?

If it has been altered, I can get back up almost instantly by restarting WEB1 from a snapshot.

Any comments or criticisms would be welcomed. Mike

  • Not really. The host sees the storage space for the VM. While it could monitor the changes in that storage, the changes occur at block level. Decoding those block level changes to filesystem level changes is one big issue. Then one has to determine which changes are part of normal operation and which changes are not normal, to make rules for change interpretation. – Tero Kilkanen Oct 22 '16 at 15:18
  • Good points. I did a bit of poking on my system and if I avoided nested paging I can see a pretty clear pattern of usage. I do map the small database onto another drive so I only looked at the WEB1 OS. If I were to partition the Linux box carefully I can treat most of the disk as read-only. Any writes to the OS areas are a no-no. More thought on my part. – MonkeyFarmer Oct 23 '16 at 00:48

1 Answer


You are not mentioning what hypervisor is used.

If it's KVM - then you can:

  1. Periodically snapshot your VM.
  2. Mount the snapshot on the host with qemu-nbd (see: mount qcow2 snapshots).
  3. Run some file integrity check (like OSSEC, for example).
  4. If changes to system files are detected (here you would have to carefully define what can and what can't change), then destroy the VM and spin up a new one.
Dmitry Zayats
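The four steps above, as an added shell example that is not part of the answer: a baseline manifest is taken from a known-good snapshot, a later snapshot is exposed read-only through qemu-nbd, and only directories that should never change on WEB1 are compared. The NBD device /dev/nbd0, the guest root being partition 1, and the list of static directories are assumptions.

```shell
#!/bin/sh
# Added example (not from the answer): host-side integrity check of a KVM guest,
# following the snapshot -> qemu-nbd mount -> compare steps above.
# Assumed names: NBD device /dev/nbd0, guest root on partition 1, and a
# manifest taken once from a known-good snapshot. Paths must not contain spaces.

# Hash every regular file under the listed guest directories.
# usage: baseline_tree MOUNT MANIFEST DIR...   (DIRs relative to MOUNT)
baseline_tree() {
    bt_mount=$1; bt_manifest=$2; shift 2
    ( cd "$bt_mount" && find "$@" -type f -print0 | sort -z | xargs -0 -r sha256sum ) > "$bt_manifest"
}

# Compare the same directories against the manifest. Prints one line per
# difference ("changed P", "missing P", "new P"); returns 1 if any, 0 if clean.
# usage: check_tree MOUNT MANIFEST DIR...
check_tree() {
    ct_mount=$1; ct_manifest=$2; shift 2
    [ -s "$ct_manifest" ] || { echo "check_tree: empty or missing baseline" >&2; return 2; }
    ct_current=$(mktemp)
    baseline_tree "$ct_mount" "$ct_current" "$@"
    ct_report=$(awk 'NR == FNR { base[$2] = $1; next }      # first file: baseline
        !($2 in base)   { print "new " $2; next }
        base[$2] != $1  { print "changed " $2 }
                        { delete base[$2] }
        END { for (p in base) print "missing " p }' "$ct_manifest" "$ct_current")
    rm -f "$ct_current"
    [ -z "$ct_report" ] && return 0
    printf '%s\n' "$ct_report"
    return 1
}

# Full host-side cycle (needs root; not run automatically). $1 is a qcow2 file
# the guest is no longer writing to, e.g. the backing file left behind by an
# external disk-only snapshot; $2 is the manifest from the last known-good run.
inspect_guest() {
    ig_mnt=$(mktemp -d); ig_status=0
    modprobe nbd max_part=8
    qemu-nbd --read-only --connect=/dev/nbd0 "$1"
    mount -o ro,noexec,nosuid,nodev /dev/nbd0p1 "$ig_mnt"
    # Only directories expected to be static: logs, spool and the DB live elsewhere.
    check_tree "$ig_mnt" "$2" etc boot usr/bin usr/sbin usr/lib || ig_status=$?
    umount "$ig_mnt"; qemu-nbd --disconnect /dev/nbd0; rmdir "$ig_mnt"
    return $ig_status   # 1 => differences printed: restore WEB1 from the snapshot
}
```

Keep the manifest on HOST1, not inside the guest, so an intruder on WEB1 cannot rewrite the baseline they are being compared against.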