diff --git a/docs/usage.rst b/docs/usage.rst index fb566ab3b..fc19c6ac4 100644 --- a/docs/usage.rst +++ b/docs/usage.rst @@ -714,7 +714,7 @@ Example +++++++ Suppose an attacker remotely deleted all backups, but your repository was in append-only -mode. A transaction look in this situation might look like this: :: +mode. A transaction log in this situation might look like this: :: transaction 1, UTC time 2016-03-31T15:53:27.383532 transaction 5, UTC time 2016-03-31T15:53:52.588922 @@ -728,6 +728,11 @@ that transactions 11 and later are compromised. Note that the transaction ID is name of the *last* file in the transaction. For example, transaction 11 spans files 6 to 11. +In a real attack you'll likely want to keep the compromised repository +intact to analyze what the attacker tried to achieve. It's also a good idea to make this +copy just in case something goes wrong during the recovery. Since recovery is done by +deleting some files, a hard link copy (``cp -al``) is sufficient. + The first step to reset the repository to transaction 5, the last uncompromised transaction, is to remove the ``hints.N`` and ``index.N`` files in the repository (these two files are always expendable). In this example N is 13. @@ -737,9 +742,7 @@ with file 6:: rm data/**/{6..13} -That's all to it. In a real attack you'll likely want to keep the compromised repository -intact to analyze what the attacker tried to achieve. It's also a good idea to make this -copy just in case something goes wrong during the recovery. +That's all to it. Drawbacks +++++++++ 
@@ -754,7 +757,8 @@ Further considerations ++++++++++++++++++++++ Append-only mode is not respected by tools other than Borg. ``rm`` still works on the -repository. Make sure that backup jobs only get to access the repository with ``borg serve``. +repository. Make sure that backup client machines only get to access the repository via +``borg serve``. Ensure that no remote access is possible if the repository is temporarily set to normal mode for e.g. regular pruning.
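Review bot: in the paragraph added by the `@@ -728,6 +728,11 @@` hunk, "make this copy" no longer has an antecedent, since the paragraph now comes before any copy is mentioned; suggest "keep a copy of the compromised repository intact" in the first sentence and "make that copy before starting the recovery" in the second. The claim that a hard-link copy (``cp -al``) is sufficient should also be tied explicitly to its condition: it holds because the steps that follow only unlink files, and a hard link taken after the ``rm`` commands cannot bring back unlinked segments, so the text should say the copy is made before any file is removed.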
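Review bot: in the `@@ -737,9 +742,7 @@` hunk the sentence "That's all to it." survives the move on its own; it is ungrammatical and should read "That's all there is to it." With the explanatory paragraph moved up, this one-line sentence is now the only text after ``rm data/**/{6..13}``, so consider folding it into the preceding sentence or dropping it.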
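Review bot: the rewording in the `@@ -754,7 +757,8 @@` hunk ("backup client machines only get to access the repository via ``borg serve``") states the requirement but not how it is enforced; suggest a cross-reference to the documentation section that describes restricting client access to ``borg serve``, since a reader of this paragraph has no pointer to it. In the unchanged context line, "for e.g. regular pruning" reads awkwardly; "e.g. for regular pruning" is clearer.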