10-01-2012 05:00 AM - edited 03-17-2019 11:53 PM
Hello!
I am working on a VCS which looks compromised (changed root password, a bit of strange behavior).
Is there a way to do a real factory default, like wipe some kind of image over the VCS?
What exactly gets overwritten when an update is made? Is the VCS in a trustworthy state afterwards,
what about the boot loader?
Are there security mechanisms within the VCS like AppArmor?
Parts of the file system seem to be on ro drives. Any ways to check the filesystem for changes? (like an md5 check)
Please remember to rate helpful responses and identify
10-01-2012 08:00 AM
The "factory-reset" command, after logging in to the VCS with the root account, should reset the system (clean up the DB as well).
10-01-2012 10:35 AM
As Tomo says, the "factory-reset" command is what you'll want. It does a dd on the hard disk and reimages the system. Do it from the console or with KVM connected though rather than ssh, as that would drop mid process. It should be apparent what is happening from the displayed output - it's quite verbose so that you have an idea of where it has got to - it usually takes around 20 minutes.
Thanks,
Guy
Sent from Cisco Technical Support iPhone App
10-02-2012 12:58 AM
Yes, I am aware of the "factory-reset" command, good to hear it's re-imaging the system, that was what I wondered about. Anyhow, is there a way to check if the system is compromised (like an auto md5 check of the files)?
It would be nice to do some forensics :-)
10-02-2012 01:03 AM
Unfortunately the VCS doesn't have a feature to check overall system status like an MD5 file check (excluding the feature-based system alerting feature).
Do you still see the VCS function issue after factory-reset? This should take care of pretty much all scenarios to reset the VCS.
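Since the box has no built-in file hash check, here is one way to do the "md5 check" asked about above by hand, as an added example that is not from this thread or from Cisco. It assumes a POSIX shell with GNU coreutils (find, sha256sum, sort, comm, cut) on a console session, and a manifest recorded while the system was known good.

```shell
# Added example (not from this thread or from Cisco): a minimal hash-based
# file-integrity check for comparing a tree against a known-good snapshot.
# Assumes a POSIX shell with GNU coreutils (find, sha256sum, sort, comm, cut).

# integrity_baseline TREE MANIFEST
# Record "sha256  ./relative/path" for every regular file under TREE, sorted
# by path, so a manifest from a clean system can be compared with a later one.
integrity_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | LC_ALL=C sort -k2 > "$2"
}

# integrity_verify TREE MANIFEST
# Print one line per difference ("changed PATH", "removed PATH", "added PATH")
# and return 1 if the tree no longer matches the manifest, 0 if it does.
integrity_verify() {
    work=$(mktemp -d) || return 2
    integrity_baseline "$1" "$work/now"
    # comm needs whole-line sort order, not the path-keyed order of the manifest.
    LC_ALL=C sort "$2" > "$work/old.s"
    LC_ALL=C sort "$work/now" > "$work/now.s"
    # A sha256sum line is 64 hex chars, two spaces, then the path, so cut -c67-
    # extracts the path without breaking on spaces in file names.
    comm -23 "$work/old.s" "$work/now.s" | cut -c67- | LC_ALL=C sort > "$work/old_only"
    comm -13 "$work/old.s" "$work/now.s" | cut -c67- | LC_ALL=C sort > "$work/new_only"
    # A path present in both lists has a different hash; a path in only one
    # list was removed from (old) or added to (new) the tree.
    comm -12 "$work/old_only" "$work/new_only" | sed 's/^/changed /'
    comm -23 "$work/old_only" "$work/new_only" | sed 's/^/removed /'
    comm -13 "$work/old_only" "$work/new_only" | sed 's/^/added /'
    if [ -s "$work/old_only" ] || [ -s "$work/new_only" ]; then rc=1; else rc=0; fi
    rm -rf "$work"
    return $rc
}
```

Keep the manifest off the box (or on read-only media): a manifest stored on a compromised system can be rewritten together with the files it is meant to vouch for.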
10-03-2012 03:52 AM
Can you please compare "factory-reset" with "xCommand DefaultValuesSet Level: 3"? In which cases is DefaultValuesSet 3 not good enough?
10-03-2012 05:19 AM
There are details in the following document -
http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/admin_guide/Cisco_VCS_Command_Reference_X6.pdf - of what the xCommand DefaultValueSet commands reset.
However, as the product evolves, it does not just run VCS application software with all the configuration in tsh. Other configuration items are in other places, and there are other components such as the back-to-back user agent which can also have their own configuration.
Factory reset wipes the hard disk and puts the image back on to the system, this is a much fuller reset and can help if other components such as the cluster database have become badly corrupted. It should usually only be used under guidance from TAC etc. as it can wipe all your configuration, including IP addressing and option keys etc.
10-03-2012 12:47 PM
I had little time, these were lab systems which were affected, I'll try it tomorrow.
Besides that, I do not really like the decentralized configuration files. The xconfiguration was an easy way to compare configs and also script and mass deploy.
Now with something here and something there it is not getting better :-(
10-03-2012 01:14 PM
Yes, we've given the development team the feedback and there are plans afoot to try and get back to a single CLI where everything can be configured from. Not sure of time scales for it, but hopefully not too far in the future.
Sent from Cisco Technical Support iPhone App
10-03-2012 03:40 PM
Hello Guy!
That's great to hear!
Btw, I also dislike the odd number range for RTP ports on the B2BUA, for me RTP with RTCP is always even.
Like 56000-56999 and not 56000-57000
10-23-2013 10:17 PM
I assume the factory-reset procedure mentioned above puts the VCS in a right-from-CISCO status, i.e. deletes "ALL" configuration information, logs, and resets the box back to the default PWD and wipes the old IP information???
Right?
Chet
10-23-2013 11:53 PM
Hi Chet,
Yes it does a good job of cleaning things out, though it doesn't wipe absolutely everything, as it needs somewhere to install the image from, so that part of the disks doesn't change.
If you need to be certain of wiping everything, raise a case with TAC and tell them your system has been compromised. Ask for them to arrange a re-flash of the system via USB key.
Thanks,
Guy