Sys Maintenance: Malware Analytics Backup and Recovery

Document created by RSA Information Design and Development on Jun 26, 2017. Last modified by RSA Information Design and Development on Jul 27, 2017.

Administrators can back up and restore configuration and database files for Malware Analytics, so that if information is lost or deleted, it can be restored.

Back Up Files

For a full backup of configuration files:

  1. Stop the RSA Malware service with the following command:
    stop rsaMalwareDevice
  2. Create a tar file of the required files:
    tar -C / -cjphvf RSAMalwareFromSlashNew.tar.bz2 /var/lib/netwitness/rsamalware --exclude='root.war' /etc/init/rsaMalwareDevice.conf

Note: For a daily or a partial backup, you can create a tar file of only the files in the subdirectory /var/lib/netwitness/rsamalware/spectrum.

To back up database files:

  1. Back up database files in one of the following ways:
  • On a co-located host, the database uses H2. Its files live under the directory /var/lib/netwitness/rsamalware mentioned above, so backing up that directory backs up the database as well.
  • On a standalone Malware Analysis box, Postgres is used. Back up the database directory /var/lib/pgsql/9.1/data on a daily basis.

To back up Puppet and RabbitMQ files:

  1. Create a tar.bz2 file of the Puppet and RabbitMQ files:
    tar -C / --atime-preserve --recursion -cvpjf /root/puppet-rabbit-backup.tar.bz2 --exclude=/var/lib/puppet/bucket --exclude=/var/lib/puppet/reports --exclude=/var/lib/puppet/lib --exclude=/var/lib/rabbitmq/mnesia /var/lib/puppet /etc/puppet /var/lib/rabbitmq
  2. If you are backing up a system that is still being used, start the RSA Malware service with the following command:
    start rsaMalwareDevice

Restore Files

When you are restoring files that have been backed up, put the files in a consistent place. In this document, we are using the /tmp/ folder as the location for the tar files to be extracted. You can use a different folder if needed.

To restore the configuration and database files:

  1. Using SSH, log on to the host you intend to restore from a saved backup.
  2. Stop the RSA Malware service with the following command:

    stop rsaMalwareDevice

  3. Change to the / directory.

    cd /

  4. Copy the tar file RSAMalwareFromSlashNew.tar.bz2, using a utility like Secure Copy (SCP), to the host in the /tmp/ folder.
  5. Extract the tar file by using the following command:

    tar -C / -xjpvf /tmp/RSAMalwareFromSlashNew.tar.bz2

  6. Delete the tar file.
    rm /tmp/RSAMalwareFromSlashNew.tar.bz2

To restore Puppet and RabbitMQ files:

  1. Change to the / directory.
    cd /
  2. Copy the tar file puppet-rabbit-backup.tar.bz2, using a utility like Secure Copy (SCP), to the host in the /tmp/ directory.
  3. Extract the tar file by using the following command:
    tar -C / -xvjf /tmp/puppet-rabbit-backup.tar.bz2
  4. Delete the tar file.
    rm /tmp/puppet-rabbit-backup.tar.bz2
  5. Start the Malware Analysis service with the following command:
    start rsaMalwareDevice
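
The following shell script is an added example that is not part of the RSA documentation; it wraps the backup steps above and the restore steps above in small functions and adds the check a practitioner wants between the two: a SHA-256 sidecar written at backup time and verified before anything is extracted over the live configuration tree, so a truncated or tampered archive is refused. The paths, archive names and the stop/start rsaMalwareDevice commands are taken from the page; the helper names (make_backup, verify_backup, restore_backup, malware_config_backup, malware_config_restore) and the TAR_COMPRESS variable are this example's own assumptions. The two wrappers at the end require the RSA host and are not exercised by the generic helpers.

```shell
#!/bin/sh
# Added example (not RSA's own code): backup/restore helpers with integrity checking.
set -eu

# j = bzip2, matching the .tar.bz2 archives on the page; set to z for gzip
# on hosts without bzip2. Assumed variable, not an RSA setting.
TAR_COMPRESS="${TAR_COMPRESS:-j}"

# SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_backup ROOT ARCHIVE [tar options] PATH...
# Archives the paths (relative to ROOT) and writes ARCHIVE.sha256 beside it
# so the restore side can prove the archive is the one that was taken.
make_backup() {
    root="$1"; archive="$2"; shift 2
    tar -C "$root" "-c${TAR_COMPRESS}pf" "$archive" "$@"
    sha256_of "$archive" > "$archive.sha256"
}

# verify_backup ARCHIVE
# Succeeds only if ARCHIVE still matches its sidecar checksum.
verify_backup() {
    archive="$1"
    expected=$(cat "$archive.sha256" 2>/dev/null || true)
    actual=$(sha256_of "$archive")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# restore_backup ROOT ARCHIVE
# Refuses to extract (exit status 1) when the checksum does not match.
restore_backup() {
    root="$1"; archive="$2"
    verify_backup "$archive" || {
        echo "checksum mismatch, not extracting: $archive" >&2
        return 1
    }
    tar -C "$root" "-x${TAR_COMPRESS}pf" "$archive"
}

# Full configuration backup as described on the page: stop the service,
# archive the rsamalware tree (minus root.war) and the upstart job, restart.
# Runs only on an RSA Malware Analytics host.
malware_config_backup() {
    stop rsaMalwareDevice
    make_backup / /root/RSAMalwareFromSlashNew.tar.bz2 --exclude='root.war' \
        var/lib/netwitness/rsamalware etc/init/rsaMalwareDevice.conf
    start rsaMalwareDevice
}

# Restore from an archive copied to /tmp, as on the page, but only after the
# checksum check passes; the archive is removed once extracted.
malware_config_restore() {
    stop rsaMalwareDevice
    restore_backup / /tmp/RSAMalwareFromSlashNew.tar.bz2
    rm -f /tmp/RSAMalwareFromSlashNew.tar.bz2 /tmp/RSAMalwareFromSlashNew.tar.bz2.sha256
    start rsaMalwareDevice
}
```

Copy the .sha256 sidecar to the target host together with the archive (the page's SCP step), otherwise restore_backup refuses to extract. The sidecar only detects accidental corruption or casual tampering; anyone who can replace the archive can replace the sidecar too, so keep both on a host that the Malware Analytics box cannot write to.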