Document: Unix and Linux Backups for System Administrators (pptx)


Unix and Linux Backups – SANS GIAC LevelOne © 2000, 2001

Slide 1: Unix and Linux Backups for System Administrators
By Robert Blader

Hello, my name is Robert Blader. I’m here to present a tutorial on how to make use of the backup utilities that UNIX provides and apply them to the development of a backup plan. For the past 10 years, I have worked as a system administrator at the Naval Surface Warfare Center in Dahlgren, Virginia. The mission of the site I managed was to develop fire-control software for deployment on board submarines. As such, data availability, security, and configuration management were of paramount importance.

Before I start, I’d like to tell a story. Perhaps some of you can identify with it. You’re tasked with managing a system. If it’s new, start with hardware - connect cables, attach peripherals, etc. Next, you install and configure the operating system, the latest security patches, and security software (Tripwire, TCP Wrappers, COPS, etc). Next, you create user accounts, groups, and directories. Finally, you add your applications, compilers, tools, etc. You’re running along fine for six months until one morning users notice they cannot access files. The day in question, there is some deadline that must be met and that data is essential. You confirm what you are being told - you cannot access directories that should be there, and attempts to mount the filesystem are futile.

Your choices are (A) panic; (B) panic while trying to locate a backup that you fear is old and was not done with a timely recovery in mind; or (C) break out your contingency plan that has your backup/recovery plan documented step by step. If this is your first crisis, then you probably will handle it using some combination of A and B. Hopefully, after going through this tutorial, choice C will be a viable option.

Slide 2: Course Objectives
  • Use three Unix/Linux backup commands: tar, dump, and dd (or cpio)
  • Operate the tape device via the mt command
  • Develop a backup strategy that meets your needs as well as your users’

At the completion of this tutorial, the student will know how to (1) use tar, dump, and dd to archive data; (2) use the mt command to control the tape media and the tape device; and (3) apply the UNIX archiving tool set to formulate a backup plan. (Editor’s note: information on the UNIX command cpio is also included as an appendix to this course. – JEK)

No one can argue against the value of a backup in a time of crisis. Whether the crisis is the result of a hardware failure such as a disk crash, a security breach, or a user accidentally deleting files, the ability to recover from the event in a timely manner is what will separate an excellent system administrator from a mediocre one. Obtaining funding – and the respect and confidence of users – is a lot easier when you can provide them with restored data rather than with excuses.

Devising a backup scheme that achieves this in a UNIX environment may seem a daunting task. However, it does not need to be. This tutorial will explain the concepts you need to be able to meet this challenge and succeed. A list of the requirements that a backup plan should meet will be discussed. A little bit of time spent creating a backup plan now will make dealing with lost data much less stressful later.

Slide 3: Tutorial Outline
  • Unix/Linux Backup Commands
  • Tape operation
  • Backup strategies
  • Conclusion

We will start by presenting the three backup utilities that UNIX provides us. They are tar, dump, and dd. Each command will be presented with usage, examples, and a description of the situation that each is best suited for.
We will also touch on some personal "war stories" and useful examples. This way, we will see how the utilities come together to form a comprehensive backup scheme. Since magnetic tape is by far the most common medium, we will show how the mt command comes into play to manage the tape device and manipulate the tape. Next, we will present some considerations to take into account when creating a backup plan, and wrap up with some closing notes.

Slide 4: Unix/Linux Backup Commands
  • tar
  • dump
  • dd
  • cpio (in Appendix)

The archival commands we will discuss here are tar, dump, and dd. As we will see, each is suited for different types of backups. Combined, they form a versatile toolkit for performing backups. Some information on syntax: the dash preceding the option flags for tar and dump is optional. Dashes, however, are not used with dd.

Slide 5: tar Usage
  • Create tar file
        tar cvf <archive> <file>
  • Extract tar file
        tar xvf <archive> <file>
  • List contents of tar archive
        tar tvf <archive> <file>
  • Copy current directory to another
        tar cpf - . | ( cd newdir; tar xvpf - )
    – Where
      • <archive> is a file or tape device
      • <file> is the file or directory to archive

The three primary functions of tar are (1) to create an archive; (2) to extract files from the archive; and (3) to generate a table of contents for a tar file. It is simple to use, ideal for backing up only a particular directory tree or a list of files. Note how in the fourth bullet, we use a dash instead of specifying an “archive”. A dash can be used in lieu of a device or file name to indicate that the data will either be read from standard input or written to standard output depending on which side of the pipe it is used.

Slide 6: tar - the <File> Parameter
  • Warning: -p to get all ACL and permission information
  • Absolute vs. Relative path
    – Affects whether files will be placed in current working directory or in absolute path when restoring
  • If restoring file from tar created using absolute pathname, could wind up overwriting a file if one exists by that name

tar, when used with the -p flag, will preserve access information. If you administer a heterogeneous environment, it may be important to try to extract your tar files on the same platform as they were created on. This is because some operating systems (such as Solaris) support Access Control Lists; others (such as Linux) do not. If maintaining ACL controls is important for you at your site, note that the information will be lost.

Another thing to keep in mind when creating a tar archive is the use of absolute vs. relative path names. Tar files are restored to locations based on how they were put on the tape. If they were created using absolute path names, they will be restored to the same location. Otherwise they are restored relative to the current working directory.

To illustrate the significance, here is a true story: At the site I used to work at, we routinely got deliveries of software from our contractors. Unfortunately, one company was lax in their documentation, especially when it came to installation notes. The normal course of action with a new delivery was to unload it to a “test” area, where the code would be tested prior to being put into production. The current version remains in use until the code is tested. One day, I was given an update to install. I extracted the tar file that was delivered. Since it was backed up using absolute path names, the current version wound up being overwritten. I had to restore the original version, move it to a temporary location, extract the new files, move them to a test directory, and move the old version back to where it belonged.

Moral of the story: know what you are extracting, make sure you know where the files are going, and know if the files already exist on disk.
Otherwise, a 15 minute task could take you all afternoon.

Slide 7: Absolute vs Relative Examples
  • Backup /etc to etc_archive.tar
    Absolute path (would overwrite /etc when extracted):
        tar -cvf etc_archive.tar /etc
    Relative path (use “.” to indicate current directory):
        cd /etc
        tar cvf /etc_archive.tar .

Here are examples of how an archive is created with tar using both absolute and relative path names. In the absolute path example, the contents of /etc would be overwritten when restored. Use of the “.” indicates that the archive uses relative path names. Restoring files created in this manner will place them in the current directory. Typically, you would want to first create an empty directory from which to stage the tar extraction. By the way, Linux (Red Hat) tar, by default, strips any leading slashes; this can be overridden with the -P flag. However, this does not apply to all vendors’ implementations of tar.

Slide 8: Use Caution When Extracting Tar Files
  • If backed up with absolute path:
    – Take care that files by that name don’t already exist
  • If backed up with relative path
    – Will restore to current directory. Be certain you cd to the directory you want the files to reside in

Whether using relative or absolute pathnames, caution should be used. If absolute pathnames are used, make sure you do not accidentally overwrite files on disk. The next slide shows a snippet of code that can be used as a shell script to check that the files that are on a tape will not overwrite any files without you knowing it. Alternatively, if relative paths are used and the files go to the directory you are in, you need to make sure that is where you want them to wind up. A common mistake is to untar the file while still sitting in a directory full of files, like /usr for example, and then having to “relocate” the files that do not belong there.

Slide 9: Ensure Don’t Overwrite Files With tar
  • The following code could help find files that could get overwritten:

        tar -tvf /dev/nrst0 > tar_listing.out
        # Which field holds the file name depends on your tar's -tv output format.
        for FILE in `cat tar_listing.out | cut -f6 -d" "`
        do
            if [ -f "$FILE" ]; then
                echo "$FILE exists"
                mv "$FILE" "$FILE.orig"
            fi
        done

Here is one way to ensure that you don’t overwrite files. First, we use tar with the -t option to extract a file listing and save it off to a temporary file called tar_listing.out. Then, we read the contents of the tar listing, extract the filename with the cut command, and test to see if a file by that name exists. If so, print a warning and save it off with a .orig extension. This way we can be proactive when we restore files and not just cross our fingers and hope for the best. As a rule of thumb, it is recommended that you use relative path names, extract to a temporary directory, and then copy files to where you want them to permanently reside. This way, you avoid overwriting a file by accident.

Slide 10: Other Tar Options
  • Tar a list of files with -I (include)
    – Want all *.c files from the /development directory tree or file system:
        find /development -name "*.c" > filelist.out
        tar -I filelist.out -cvf c_files_archive.tar
  • Likewise, exclude files with -X

This example shows how you can use the find command in conjunction with tar (with the -I flag) to create an include list. Here we are archiving C source files. The find command says “search the /development directory tree for files matching the pattern *.c. Save the results to a file called filelist.out”. The tar command says “archive all the files in filelist.out and call the archive c_files_archive.tar”.

[...]
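
The extraction cautions above (absolute members restore to their original location, relative members land under the directory you extract into) can be checked before anything is written. The sh functions below are an added example, not part of the original tutorial; the names classify_members and tar_preflight are hypothetical, and the check goes slightly beyond the slides by also flagging ".." path components and by working from the names-only listing (tar -tf) so no column parsing is needed.

```shell
#!/bin/sh
# Added example (not from the tutorial): pre-flight check for a tar archive.
# classify_members DESTDIR reads member names, one per line, on stdin and
# prints one finding per risky member:
#   TRAVERSAL  name has a ".." component and can escape DESTDIR
#   ABSOLUTE   name starts with "/" and restores to its original location
#   EXISTS     a regular file is already present where the member would land
# Returns 1 if anything was reported, 0 if the listing is clean.
# Limitation: member names containing newlines are not handled.
classify_members() {
    dest=$1
    findings=0
    while IFS= read -r name; do
        # Wrap in slashes so "..", "a/..", "../a" and "a/../b" all match.
        case "/$name/" in
            */../*) echo "TRAVERSAL $name"; findings=1; continue ;;
        esac
        case $name in
            /*) echo "ABSOLUTE $name"; findings=1; target=$name ;;
            *)  target=$dest/$name ;;
        esac
        if [ -f "$target" ]; then
            echo "EXISTS $target"; findings=1
        fi
    done
    return "$findings"
}

# tar_preflight ARCHIVE DESTDIR
# ARCHIVE may be a file or a tape device; DESTDIR is where you intend to cd
# before extracting. The exit status is that of classify_members.
tar_preflight() {
    tar -tf "$1" | classify_members "$2"
}
```

Run tar_preflight against the staging directory first; a clean result (exit status 0, no output) means no member is absolute, none climbs out with "..", and nothing in the staging directory would be replaced.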

[Slide 21, excerpt]
... of=output_device

If your system should ever be infected by a virus, Trojan horse, etc., first perform a backup of the filesystem using dd. This will preserve filesystem information, along with “deleted” disk blocks which forensics experts may be able to recover. Ideally, you will have a ready spare to rebuild onto from your backups and can set the...

... we just did. Fourth, do a second restore command with the t flag that reads the level 2 and lists a table of contents and saves the output in level2.toc.

Slide 28: Tutorial Outline
  • Unix/Linux Backup commands
  • Tape operation
  • Backup strategies
  • Conclusion

Now that we have discussed the backup commands and how to manipulate the tape device, the next...

[Slide 24, excerpt]
... Reusable and economical
  • However, disks and CDROM are other technologies that might be considered

Tapes, by far, are the backup media of choice. They offer high capacity, take little space, are available in various sizes and formats, and are cost efficient. However, they are not the only option available. Disks are getting cheaper and bigger...

[Slide 22, excerpt]
... modify format of a dump file
    – Copy archives between tapes

This slide compares and contrasts the backup commands tar, dump, and dd. tar is best for backing up a single directory or selected files. You can also use it to copy the contents of one directory to another, with the exception of /dev. dump and its counterpart restore are best suited for...

[Slide 32, excerpt]
... backup for forensics and to assess damage
  • Running tripwire is of little use if you have no way to restore corrupted files
  • A hacker could corrupt your tripwire database if left on-line. Should backup the database to off-line media

From a security perspective, two issues that backups should address are forensics and file integrity. Forensics...

[Slide 33, excerpt]
... system files you cannot account for: /bin/login, /bin/ps, /bin/ls, etc.
  • First, pull network connection (if there is one)
  • Check for compromise on other remotely connected systems, especially those with trust relationships

Suppose that some time after setting up a system, you see that Tripwire reports that a system file has been modified and...

... restored. Without backups, there is no way to get the system (or user’s software) back to a known baseline. A copy of the latest baseline of your system should be stored offsite in the event of a fire, flood, etc.

Safety Net
  • Protect users from themselves
  • Protect system administrators from themselves
  • Cost of time and resources to backup is trivial when compared to cost of data

... between SGI and other UNIX variants. Other conversions include changing upper to lowercase data, ASCII to EBCDIC, and others. Refer to the man pages for a complete list.

dd Examples
  • Image copy of a file system
        dd if=/dev/hd0a of=/dev/nrst0
  • Tape to tape copy
        dd if=/dev/nrst0 of=/dev/nrst1
  • Copy from a platform with different byte order
        dd if=/dev/nrst0 conv=swab | tar xf -

... from an SGI to a Linux system. Since these two platforms have a different byte order, a conversion needs to take place. The byte-order conversion is made to an archive residing on a tape and piped to a tar command. This is probably not something you need to do often but is shown to illustrate how powerful dd can be.

dd Examples - Forensics
  • Files AND filesystem metadata are saved for forensics study...

[Slide 35, excerpt]
... baseline state of the system

Configuration management is the control of change to a system’s configuration. It is possible for a change, a patch, or an upgrade to either not fix a problem, or create yet another, unexpected one. In some cases, the modification may be difficult to undo and backups are required to restore the system to some known...

Date posted: 17/01/2014, 08:20
