Copyright© 2014 AlienVault. All rights reserved.
AlienVault Unified Security Management™ Solution
Complete. Simple. Affordable
SYSTEM BACKUP AND RESTORE
(AlienVault USM 4.8+)
AlienVault™, AlienVault Unified Security Management™, AlienVault USM™, AlienVault Open Threat Exchange™, AlienVault OTX™, Open Threat Exchange™, AlienVault OTX Reputation Monitor™, AlienVault OTX Reputation Monitor Alert™, AlienVault OSSIM™ and
DC-00146 Edition 01 Copyright© 2015 AlienVault. All rights reserved. Page 3 of 11
CONTENTS
1. INTRODUCTION ... 4
2. SCOPE ... 4
3. HOW TO BACKUP AN ALIENVAULT APPLIANCE ... 4
3.1. Payload Backup ... 6
3.2. Environment Backup ... 6
3.3. “Raw Data” Backup ... 7
3.4. Saving Generated Backup Files ... 7
4. HOW TO RESTORE AN ALIENVAULT APPLIANCE BACKUP ... 7
4.1. Copy the backup files into the appliance ... 8
4.2. Stop appliance services ... 9
4.3. Payload Restore ... 9
4.4. MongoDB Dump Recovery ... 9
4.5. Environment Restore ... 10
4.6. “Raw Data” Restore ... 10
1. INTRODUCTION
This document describes how to perform a full backup of an AlienVault USM appliance (4.8+) so that the system can be recovered, or replaced by another system, by following the restore process.
The appliance to be recovered MUST have the same software version used during the backup process.
2. SCOPE
This procedure will save all the information from your system required for recovery purposes:
• Payload: events, alarms, assets, users, reports, tickets, historic data...
• Environment: processes configuration, plugins, keys...
• Raw Data: Logger data and Netflows
All the steps described in the following sections must be done, in the order here defined, to perform the full backup and restore of the system.
Do not use this procedure to try to clone/duplicate data or configuration across your deployment.
3. HOW TO BACKUP AN ALIENVAULT APPLIANCE
The backup procedure requires the users to have full access to the appliance console (local or remote access). To get remote access:
• Open a console terminal and type the following command:
ssh root@IP_address
The AlienVault Setup main menu should be displayed after the user authentication.
• On the computer keyboard, press the arrow keys to move to option 3: “Jailbreak System”. Then, press Enter to accept the selection (<OK>).
• Execute the following command:
screen
The instructions below will generate the following backup files:
• Payload
− alienvault-dbs.sql.gz
− alienvault-mongo.tgz
• Environment
− alienvault-environment.tgz
• Raw Data
− alienvault-data.tgz
Please keep these files in a secure location. They are needed in order to recover your appliance.
3.1. PAYLOAD BACKUP
The entire “payload” data managed by AlienVault appliances is stored in two databases:
• MySQL: events, alarms, assets info, users and permissions, reports, tickets...
• Mongo DB: IDM historic data
So saving a dump of these databases provides the “payload” backup.
3.1.1. MYSQL DATABASE DUMP
1. Execute the following command:
mysqldump -p`grep ^pass /etc/ossim/ossim_setup.conf | sed 's/pass=//'` --no-autocommit --single-transaction --all-databases | gzip > alienvault-dbs.sql.gz
2. The alienvault-dbs.sql.gz backup file should be created.
3.1.2. MONGO DATABASE DUMP
1. Execute this command to dump your database:
mongodump --host localhost
2. A directory called dump should be generated.
3. Compress the dump file. Type the following command:
tar cvzf alienvault-mongo.tgz dump
4. The alienvault-mongo.tgz file should be successfully created.
3.2. ENVIRONMENT BACKUP
This section describes how to save the environment configuration files related to the appliance platform, processes, plugins, keys...
1. Execute the following command:
if [[ ! -f /etc/alienvault-center/alienvault-center-uuid ]]; then dmidecode -s system-uuid | awk '{print tolower($0)}' > /etc/alienvault-center/alienvault-center-uuid; fi
2. Backup the appliance configuration:
tar cvzf alienvault-environment.tgz /etc/ossim/ /etc/alienvault/ /etc/alienvault-center/ /etc/ansible/ /root/.ssh/ /home/avapi/ /home/avforw/ /home/avserver/ /var/ossec/ /etc/snort/ /etc/suricata/ /etc/nagios3/ /etc/openvpn/ /var/cache/openvas/ /var/lib/openvas/ /etc/logrotate.d/ /etc/rsyslog.d/ /etc/apache2/ /usr/share/alienvault-center/ /etc/nfsen/ /etc/mysql/ /var/ossim/keys/ /var/ossim/ssl/ /etc/hosts /etc/resolv.conf
3. The alienvault-environment.tgz file should be created.
3.3. “RAW DATA” BACKUP
1. Create a compressed file containing the Logger and Netflows data:
tar cvzf alienvault-data.tgz /var/ossim/logs /var/nfsen /var/cache/nfdump
2. The alienvault-data.tgz file should be created.
3.4. SAVING GENERATED BACKUP FILES
Do not forget to copy the generated backup files to a secure location. You can use any SCP application; for example, WinSCP (for Windows) or the scp command (for Linux):
• alienvault-dbs.sql.gz
• alienvault-mongo.tgz
• alienvault-environment.tgz
• alienvault-data.tgz
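Before copying the files off the appliance it is worth checking that each archive is intact and recording checksums, so the copies can be verified at restore time. The script below is an added example, not part of the AlienVault document; it assumes gzip, tar and sha256sum are available on the appliance.

```shell
#!/bin/sh
# Added example (not from the AlienVault document): sanity-check the four
# backup files and print a SHA-256 manifest for the ones that pass.
# Assumes gzip, tar and sha256sum are installed on the appliance.

# 0 if the gzip stream is intact and the SQL dump ends with the marker that
# mysqldump writes only after a complete run ("-- Dump completed on ...").
check_sql_dump() {
    gzip -t "$1" 2>/dev/null || return 1
    zcat "$1" | tail -n 2 | grep -q '^-- Dump completed' || return 1
}

# 0 if the archive lists without error and is not empty.
check_tgz() {
    tar tzf "$1" >/dev/null 2>&1 || return 1
    [ "$(tar tzf "$1" | wc -l)" -gt 0 ]
}

# Check the backup set in directory $1 (default: current directory).
# Prints "sha256 filename" for good files, reports bad ones on stderr and
# returns non-zero if any file is missing or corrupt.
verify_backup_set() {
    dir=${1:-.}; rc=0
    for f in alienvault-dbs.sql.gz alienvault-mongo.tgz \
             alienvault-environment.tgz alienvault-data.tgz; do
        p="$dir/$f"
        if [ ! -f "$p" ]; then echo "MISSING $p" >&2; rc=1; continue; fi
        case "$f" in
            *.sql.gz) check=check_sql_dump ;;
            *)        check=check_tgz ;;
        esac
        if "$check" "$p"; then sha256sum "$p"; else echo "CORRUPT $p" >&2; rc=1; fi
    done
    return $rc
}
# On the appliance:            verify_backup_set /root > backup.sha256
# On the host holding copies:  sha256sum -c backup.sha256
```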
4. HOW TO RESTORE AN ALIENVAULT APPLIANCE BACKUP
The appliance to be recovered MUST have the same software version used during the backup process.
The restore procedure requires the users to have full access to the appliance console (local or remote access). To get remote access:
• Open a console terminal and type the following command:
ssh root@IP_address
IP_address refers to the default IP of your appliance.
The AlienVault Setup main menu should be displayed after the user authentication.
• On the computer keyboard, press the arrow keys to move to option 3: “Jailbreak System”. Then, press Enter to accept the selection (<OK>).
• Execute the following command:
screen
4.1. COPY THE BACKUP FILES INTO THE APPLIANCE
The following files, previously saved, must be copied into your target appliance in order to restore the backup. You can use any SCP application; for example, WinSCP (for Windows) or the scp command (for Linux):
• alienvault-dbs.sql.gz
• alienvault-mongo.tgz
• alienvault-environment.tgz
• alienvault-data.tgz
4.2. STOP APPLIANCE SERVICES
1. Stop the following services in the appliance:
/etc/init.d/monit stop
/etc/init.d/ossim-server stop
/etc/init.d/ossim-agent stop
/etc/init.d/ossim-framework stop
/etc/init.d/alienvault-idm stop
/etc/init.d/alienvault-center stop
/etc/init.d/alienvault-api stop
2. Create a backup of the AlienVault configuration file:
cp /etc/ossim/ossim_setup.conf /root/ossim_setup.conf_last
4.3. PAYLOAD RESTORE
4.3.1. MYSQL DUMP RECOVERY
Enter the following command to restore the dump file:
zcat alienvault-dbs.sql.gz | ossim-db
4.4. MONGODB DUMP RECOVERY
1. Extract the tar file:
tar xvzf alienvault-mongo.tgz
2. Restore the MongoDB backup:
4.5. ENVIRONMENT RESTORE
1. Remove current configuration:
rm -rf /etc/ossim/ /etc/alienvault/ /etc/alienvault-center/ /etc/ansible/ /root/.ssh/ /home/avapi/ /home/avforw/ /home/avserver/ /var/ossec/ /etc/snort/ /etc/suricata/ /etc/nagios3/ /etc/openvpn/ /var/cache/openvas/ /var/lib/openvas/ /etc/logrotate.d/ /etc/rsyslog.d/ /etc/apache2/ /usr/share/alienvault-center/ /etc/nfsen/ /etc/mysql/ /var/ossim/keys/ /var/ossim/ssl/ /etc/hosts /etc/resolv.conf
2. Restore configuration from your backup. Extract the tar file into the “/” directory:
tar xvzf alienvault-environment.tgz -C /
3. Copy the AlienVault configuration file saved in step 4.2 back under /etc/ossim:
cp /root/ossim_setup.conf_last /etc/ossim/
4. Enter the following commands to update the file ownership and permissions:
tar tvzf alienvault-environment.tgz | tr -s ' ' > /root/file_list
ulimit -s 65536
cd /
for i in `cat /root/file_list | cut -f2 -d" " | sort -u`; do user=`echo $i | cut -f1 -d"/"`; group=`echo $i | cut -f2 -d"/"`; chown $user:$group `grep $i root/file_list | cut -f6 -d" " | xargs`; done
ulimit -s 8192
cd /
4.6. “RAW DATA” RESTORE
1. Extract the tar file to the “/” directory:
tar xvzf alienvault-data.tgz -C /
2. Enter the following commands to update the file ownership and permissions:
ulimit -s 65536
cd /
for i in `cat /root/file_list | cut -f2 -d" " | sort -u`; do user=`echo $i | cut -f1 -d"/"`; group=`echo $i | cut -f2 -d"/"`; chown $user:$group `grep $i root/file_list | cut -f6 -d" " | xargs`; done
ulimit -s 8192
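The chown loop used in sections 4.5 and 4.6 greps the listing with an unanchored pattern, splits paths on spaces, and needs the ulimit change because it hands every path of a user/group pair to a single chown call. The script below is an added example, not part of the AlienVault document: it reads the same "tar tvzf" listing line by line (from alienvault-environment.tgz or alienvault-data.tgz), reports owners that do not exist on the target appliance, and can preview the changes before applying them. It assumes the GNU tar listing format and a chown that supports -h.

```shell
#!/bin/sh
# Added example (not from the AlienVault document): restore file ownership
# from a "tar tvzf" listing, line by line, without grep/xargs or ulimit.
# Listing lines look like (GNU tar):
#   -rw-r----- root/ossim 1234 2015-03-01 10:00 etc/ossim/ossim_setup.conf
#   lrwxrwxrwx root/root     0 2015-03-01 10:00 etc/alternatives/x -> /usr/bin/y
# Assumes GNU tar listing format and a chown that supports -h.

# Print "owner group path" per entry. The path is field 6 onward (so spaces
# survive) and the " -> target" suffix of a symlink entry is dropped.
ownership_from_listing() {
    awk '{
        split($2, og, "/")
        path = $6
        for (i = 7; i <= NF; i++) path = path " " $i
        if (substr($1, 1, 1) == "l") sub(/ -> .*$/, "", path)
        printf "%s %s %s\n", og[1], og[2], path
    }' "$1"
}

# Apply the ownership recorded in listing $1 below root directory $2
# (default /). Owners unknown on this appliance are reported rather than
# silently skipped. With DRY_RUN=1 the chown commands are printed, not run.
apply_ownership() {
    listing=$1; root=${2:-/}; failed=0
    while IFS=' ' read -r owner group path; do
        [ -n "$path" ] || continue
        target="${root%/}/$path"
        if ! id -u "$owner" >/dev/null 2>&1; then
            echo "unknown owner $owner for $target" >&2; failed=$((failed + 1)); continue
        fi
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf 'chown -h %s:%s "%s"\n' "$owner" "$group" "$target"
        else
            chown -h "$owner:$group" "$target" || failed=$((failed + 1))
        fi
    done <<EOF
$(ownership_from_listing "$listing")
EOF
    [ "$failed" -eq 0 ]
}
# On the appliance: tar tvzf alienvault-environment.tgz > /root/file_list
#                   DRY_RUN=1 apply_ownership /root/file_list /   # preview
#                   apply_ownership /root/file_list /             # apply
```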
4.7. START APPLIANCE SERVICES
1. Type the following command in the console:
ossim-reconfig -c -v -d