Backup
Transcript
Tips for securing and maintaining Linux systems
SUSE Expert Days 2016
Paweł Mirończuk, Senior Consultant
[email protected]

Prevention
(and that would be all - thank you all for coming)

Threats
• Local
  • Physical access to the server
  • Access to the server console
  • Privilege "elevation" by users
• Remote
  • Exploiting software vulnerabilities
• Software bugs
• Missing updates
• No backups
• Inconsistent configuration across the environment

Detecting local threats
• Controlling physical access
• Checking for unauthorized changes to the system
  • chkrootkit - http://chkrootkit.org/
  • rkhunter - https://rootkit.nl/
  • fileschanged - http://fileschanged.sourceforge.net/
  • appArmor - a colleague already talked about it
• SIEM
  • NetIQ Sentinel - https://www.netiq.com/products/sentinel/
  • OSSIM - https://www.alienvault.com/products/ossim

Detecting network threats
• nmap (port scanner)
• snort (NIDS/NIPS)
• suricata (NIDS/NIPS)
• OpenVAS
• Nessus (paid*)

Demo
OpenVAS, Nessus

Update
UPDATE, ROLLBACK

Backup
• Filesystem (btrfs)
• tar zcvf /mnt/backup.tgz /
• rsync -Pauv / /mnt/backup_dir/
• rsnapshot
• duplicity
• bacula

Compared products: Bacula; Veritas; Legato Networker; CA ARCserve; Arkeia Network Backup
Backup Levels: Full, Differential, Incremental, Consolidation; Full, Differential, Incremental; Full, Differential, Incremental, Consolidation; Full, Synthetic Full, Differential, Incremental, Infinite Block-Level Incremental; Full, Differential, Incremental
Data Format: Custom, fully open; Custom; Custom; Custom, Microsoft Tape Format (MTF); Custom, open-source restore
Autochangers: Fully supported; optional; Fully supported; Fully supported
Deduplication: File-Level Either-side Global Variable Block Length Deduplication, Target-side Either-side
Backup to Tape: Yes; Yes; Yes; Yes; Yes
Backup to Disk: Yes; Yes; optional; Yes; Yes
Backup to DVD: Yes
SQL Catalog: Yes; Can handle 1 billion objects; Yes
OpenSource: Yes; No
Commercial Support: Yes; No; No; No
GUI: Yes - bat; Yes
Virus Scanning: No; Yes
Tripwire like functions: Yes
Backup span multiple volumes: Yes; Yes
Backup Reports: Yes (Via breport); Yes; Yes; Yes
Backup Alerts (notify): Yes; Yes; Yes; Yes
Incremental handles deleted files: Yes; Yes; Yes
Encryption Datastream: Yes (TLS); Yes; Yes
PostgreSQL-Support: Yes
VMWare vStorage Support: Yes; Yes; Yes; No; Yes; Yes
http://wiki.bacula.org/doku.php?id=comparisons

Demo
bacula
http://www.bacula.pl/

Inconsistent configuration
• "The only right ones"
  • Ansible - http://www.ansible.com/
  • Puppet - http://puppetlabs.com/
  • CFEngine (used in SUSE Manager 2.1) - http://cfengine.com/
  • Chef (used in SUSE OpenStack Cloud 6) - http://www.chef.io/
• "These are cool too, but I won't be talking about them"
  • Spacewalk (used in SUSE Manager since "forever")
  • Salt (used in SUSE Manager 3)

Demo
Chef

Bonus
• https://letsencrypt.org - free, yet trusted TLS certificates
• https://mmazur.eu.org/darmowy-certyfikat-tls-od-letsencrypt/# - a description of how to use them

Open source systems knowledge contest: www.suse.pl/konkurs
Visit the SUSE Green Room and win a green chameleon!

Unpublished Work of SUSE LLC. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary and trade secret information of SUSE LLC. Access to this work is restricted to SUSE employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of SUSE. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product.
It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. SUSE makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for SUSE products remains at the sole discretion of SUSE. Further, SUSE reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All SUSE marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.