
I had a thought and would be interested in seeing if it passes the sniff test by smarter folks here.

I have a web-facing server. I'll call it WEB1. I believe I have taken the standard precautions and as of yet it hasn't been co-opted, as far as I know. For the sake of my question assume I have done well. In spite of my best efforts it is still possible some evil-doer could find an "in".

The WEB1 server is a VM. It is running on a dedicated Linux box, I'll call it HOST1. It has no Internet visibility. From HOST1 I can look at WEB1's vm file. Is there a "smart" way to tell if the OS of WEB1 has been modified by looking at it from HOST1?

If it has been altered, I can get back up almost instantly by restarting WEB1 from a snapshot.

Any comments or criticisms would be welcomed. Mike

1 Answer


You don't mention which hypervisor is used.

If it's KVM - then you can:

  1. Periodically snapshot your VM.
  2. Mount the snapshot on the host with qemu-nbd (qcow2 snapshots can be mounted this way).
  3. Run some file integrity check (like OSSEC, for example).
  4. If changes to system files are detected (here you would have to carefully define what can and what can't change) - then destroy VM and spin a new one.
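The procedure above, written out as a host-side script. This is an added example, not code from the answer or from any project: it assumes a libvirt/KVM guest named WEB1 whose frozen base image (left behind by `virsh snapshot-create-as WEB1 --disk-only --atomic --no-metadata`, which turns the original file into the read-only backing file) sits at `/var/lib/libvirt/images/web1.qcow2`, that the guest root is an ext4 filesystem on partition 1, and that `qemu-nbd`, `partprobe` and the `nbd` kernel module are available on HOST1. Every path, device and partition number is an assumption to adjust. Instead of OSSEC it uses a plain sha256 manifest of the guest's system directories, compared against a baseline taken from the known-good snapshot.

```shell
#!/bin/sh
# Added example (not from the original answer): check a KVM guest's disk image from the
# host for changes to system files. All paths, the device node and the partition number
# below are assumptions for a hypothetical setup named WEB1/HOST1.
set -eu

IMAGE="${IMAGE:-/var/lib/libvirt/images/web1.qcow2}"   # frozen base image (assumed)
NBD_DEV="${NBD_DEV:-/dev/nbd0}"                         # nbd device to attach it to (assumed)
ROOT_PART="${ROOT_PART:-1}"                             # guest root partition number (assumed)
MNT="${MNT:-/mnt/web1-ro}"                              # read-only mount point on HOST1
BASELINE="${BASELINE:-/var/lib/web1-baseline.sha256}"   # manifest from the clean snapshot

# Attach the image read-only as a network block device and mount the guest root.
# "noload" keeps ext4 from replaying the journal, so the image is never written to.
mount_guest_ro() {
    modprobe nbd max_part=8
    qemu-nbd --read-only --connect="$NBD_DEV" "$IMAGE"
    partprobe "$NBD_DEV"
    mkdir -p "$MNT"
    mount -o ro,noload "${NBD_DEV}p${ROOT_PART}" "$MNT"
}

unmount_guest() {
    umount "$MNT" 2>/dev/null || true
    qemu-nbd --disconnect "$NBD_DEV"
}

# build_manifest ROOT OUTFILE DIR... : sha256 of every regular file under the given
# directories (relative to ROOT), sorted so two manifests can be diffed line by line.
build_manifest() {
    root="$1"; out="$2"; shift 2
    ( cd "$root" && find "$@" -type f 2>/dev/null | sort | xargs -r sha256sum ) > "$out"
}

# compare_manifest BASELINE CURRENT : returns 0 if identical; otherwise prints the
# changed, added and removed entries, leaves CURRENT.diff behind, and returns 1.
compare_manifest() {
    baseline="$1"; current="$2"
    if diff -u "$baseline" "$current" > "${current}.diff" 2>&1; then
        rm -f "${current}.diff"
        return 0
    fi
    grep -E '^[+-][^+-]' "${current}.diff"   # skip the ---/+++ header lines
    return 1
}

# Full run: mount, hash the directories that should only change on deliberate updates,
# record a baseline on first use, otherwise compare and report.
run_check() {
    mount_guest_ro
    trap unmount_guest EXIT
    current="$(mktemp)"
    build_manifest "$MNT" "$current" bin sbin etc lib lib64 usr
    if [ ! -f "$BASELINE" ]; then
        cp "$current" "$BASELINE"
        echo "baseline recorded at $BASELINE (take this from a known-good snapshot only)"
        return 0
    fi
    if compare_manifest "$BASELINE" "$current"; then
        echo "WEB1 system files match the baseline"
    else
        echo "WEB1 system files differ from the baseline; see ${current}.diff" >&2
        return 1
    fi
}

# Only act when invoked explicitly, e.g. from cron:  sh web1-check.sh check
if [ "${1:-}" = "check" ]; then
    run_check
fi
```

Two caveats worth keeping in mind with this approach. The baseline must be built from the snapshot you trust, not from whatever the guest looks like today, and legitimate package updates will show up as differences until you refresh it, which is the "carefully define what can and what can't change" part of step 4. And the check only sees what is on disk: an attacker living purely in memory, or one who tampers with a file outside the hashed directories, will not trip it, so it complements rather than replaces logging and monitoring inside WEB1.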