Rolling back a zone to a known state
By John Clingan on Aug 29, 2006
As mentioned earlier, BART is a tool that is used to help detect filesystem modifications, whether they be intentional, unintentional or malicious. So far, the script is working out well with one exception. I'm still mucking with my system so much that wwwaayyyy too many files are changing. On my "core" zones, I'll be reviewing the results before creating a new control file. The remaining zones will be removed as they are temporary.
So what does one do if a zone is compromised? Step #1 is to shut down the zone. No need to be nice as there is no "People for the Ethical Treatment of Zones" (PETZ). Halt the zone (zoneadm -z zone_name halt). The next step is post-mortem analysis. This is where the BART audit comes in. Execute bart and create a report. That will help to understand how the system was compromised if, and only if, the filesystem was modified. What now? Fixing the problem in a compromised zone and re-booting sure sounds like trouble. The natural thing to do is to restore from tape. Which tape? If BART is run regularly, you'll restore from the last backup prior to the security breach, which BART will hopefully help you find. But tape backup is sssoooo last quarter century. Besides, I don't have a tape drive for my system on the 'Net. I'm on the cheap. The closest thing I have to tape is a read-only DVD drive. Sigh.
To solve this problem, I've mounted my zones on ZFS filesystems as follows:
# zfs create mypool/myzone
# zfs set mountpoint=/zones/myzone mypool/myzone
# zonecfg -z myzone
[ set zonepath=/zones/myzone ]
After creating and configuring the zone, run BART. Next, create a snapshot of the zone:
# zfs snapshot mypool/myzone@`date '+%m_%d_%y__%H:%M:%S'`
In fact, put the above in a cron job and run it at regular intervals. The cron job should also remove old snapshots (greater than N days old) or else zfs filesystem management gets a bit unwieldy - not to mention ever-shrinking disk space. By creating nightly, weekly or monthly snapshots, a compromised system can be restored to a healthy state by running:
# zfs rollback mypool/myzone@08_30_06.....
Before actually booting the zone, fix the security hole (duh). Create a new BART control file. You're set.
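Here is the cron job described above written out as one script (an added example, not code from the original post): it takes a snapshot of the zone's dataset, prunes snapshots older than KEEP_DAYS, and rolls the halted zone back to a chosen snapshot. It assumes the dataset is mypool/myzone, that the zone is named myzone, that automatic snapshots carry an auto- prefix so a hand-taken "known good" snapshot is never pruned, and that `zfs list -p` (parsable creation time in epoch seconds) is available; the stamp format is changed from the post's to a sortable YYYYMMDD-HHMMSS form.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: dataset
# mypool/myzone, zone myzone, `zfs list -p` available, snapshots taken by
# this script are prefixed "auto-". Usage: zone-snap.sh snapshot|prune|rollback NAME
set -u

DATASET=${DATASET:-mypool/myzone}
ZONE=${ZONE:-myzone}
KEEP_DAYS=${KEEP_DAYS:-30}
PREFIX=auto-
TAB=$(printf '\t')

# Take one snapshot with a lexically sortable timestamp (chronological == sorted order).
take_snapshot() {
    zfs snapshot "${DATASET}@${PREFIX}$(date '+%Y%m%d-%H%M%S')"
}

# select_expired reads "name<TAB>creation_epoch" lines on stdin, the format of
#   zfs list -H -p -t snapshot -o name,creation -r DATASET
# and prints the names of this script's own snapshots of $1 created before
# epoch $2. Other datasets' snapshots and unprefixed ones are skipped.
select_expired() {
    dataset=$1
    cutoff=$2
    while IFS="$TAB" read -r name created; do
        case $name in
            "${dataset}@${PREFIX}"*) ;;
            *) continue ;;
        esac
        if [ "$created" -lt "$cutoff" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Destroy every automatic snapshot older than KEEP_DAYS.
prune_snapshots() {
    cutoff=$(( $(date +%s) - KEEP_DAYS * 86400 ))
    zfs list -H -p -t snapshot -o name,creation -r "$DATASET" \
        | select_expired "$DATASET" "$cutoff" \
        | while read -r snap; do
            zfs destroy "$snap"
        done
}

# Halt the zone, then roll its dataset back to the given snapshot name.
# -r is required when the target is not the most recent snapshot: ZFS refuses
# to roll back past newer snapshots unless told to destroy them. Run BART
# against the halted zone before this step, since the rollback discards
# the evidence of what the intruder changed.
rollback_zone() {
    snap="${DATASET}@$1"
    zfs list -H -o name "$snap" >/dev/null 2>&1 || { echo "no such snapshot: $snap" >&2; return 1; }
    zoneadm -z "$ZONE" halt
    zfs rollback -r "$snap"
    echo "rolled back to $snap; fix the hole and rebuild the BART control file before booting"
}

case ${1:-} in
    snapshot) take_snapshot ;;
    prune)    prune_snapshots ;;
    rollback) rollback_zone "${2:?snapshot name required}" ;;
esac
```

A crontab line such as `0 2 * * * /usr/local/sbin/zone-snap.sh snapshot && /usr/local/sbin/zone-snap.sh prune` gives the nightly snapshot-and-prune cycle; take a manually named snapshot (no auto- prefix) right after creating the BART control file so the known-clean baseline outlives the retention window.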