Martin Koch
Advocate

Real factory default (compromised VCS)

Hello!

I am working on a VCS which looks compromised (changed root password, a bit of strange behavior).

Is there a way to do a real factory default, like wipe some kind of image over the VCS?

What exactly gets overwritten when an update is made? Is the VCS in a trustworthy state afterwards, and what about the boot loader?

Are there security mechanisms within the VCS like AppArmor?

Parts of the file system seem to be on ro drives. Are there any ways to check the filesystem for changes (like an md5 check)?

Please remember to rate helpful responses and identify

11 Replies
Tomonori Taniguchi
Cisco Employee

The "factory-reset" command, after logging in to the VCS with the root account, should reset the system (clean up the DB as well).

gubadman
Participant

As Tomo says, the "factory-reset" command is what you'll want. It does a dd on the hard disk and reimages the system. Do it from the console or with KVM connected though rather than ssh, as that would drop mid process. It should be apparent what is happening from the displayed output - it's quite verbose so that you have an idea of where it has got to - it usually takes around 20 minutes.

Thanks,

Guy

Sent from Cisco Technical Support iPhone App

Yes, I am aware of the "factory-reset" command; good to hear it's re-imaging the system, that was what I wondered about. Anyhow, is there a way to check if the system is compromised (like an automatic md5 check of the files)?

It would be nice to do some forensics :-)

Please remember to rate helpful responses and identify

Unfortunately, VCS doesn't have a feature to check overall system status like an MD5 file check (excluding the feature-based system alerting feature).

Do you still see VCS function issues after factory-reset? This should take care of pretty much all scenarios for resetting the VCS.
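A baseline-and-compare check of the kind Martin asks about, as an added example that is neither Cisco's tooling nor any poster's code: hash every file in a read-only tree on a freshly re-imaged box, keep the manifest off-box, and compare a suspect box against it (including files that appear but are not in the baseline, which a plain checksum verify never reports). All paths and file contents below are constructed for the demo.

```shell
#!/bin/sh
# Added example, not Cisco tooling: SHA-256 baseline of a known-good tree,
# then verification of a suspect tree against that baseline.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# build_manifest TREE OUT: hash every regular file under TREE, with paths
# relative to TREE so the manifest is portable to another system.
build_manifest() {
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 sha256sum ) > "$2"
}

# check_manifest TREE MANIFEST: exit 0 if every listed file is unchanged,
# non-zero if any listed file is altered or missing.
check_manifest() {
    ( cd "$1" && sha256sum --quiet -c "$2" )
}

# new_files TREE MANIFEST: print files present in TREE but absent from the
# baseline manifest (added files are the case "-c" alone cannot catch).
new_files() {
    ( cd "$1" && find . -type f | LC_ALL=C sort ) > "$WORK/have"
    awk '{print $2}' "$2" | LC_ALL=C sort > "$WORK/listed"
    comm -23 "$WORK/have" "$WORK/listed"
}

# --- Constructed demo data: a "known good" tree and a tampered copy ---
GOOD=$WORK/good; BAD=$WORK/bad; MANIFEST=$WORK/baseline.sha256
mkdir -p "$GOOD/etc" "$GOOD/bin"
printf 'root:x:0:0:root:/root:/bin/sh\n' > "$GOOD/etc/passwd"
printf 'original binary\n' > "$GOOD/bin/tsh"
cp -r "$GOOD" "$BAD"
printf 'patched binary\n' > "$BAD/bin/tsh"        # altered file
printf 'extra\n' > "$BAD/etc/dropped.conf"         # file not in baseline

build_manifest "$GOOD" "$MANIFEST"
check_manifest "$GOOD" "$MANIFEST" && echo "good tree: clean"
if check_manifest "$BAD" "$MANIFEST"; then echo "bad tree: clean"; else echo "bad tree: MODIFIED"; fi
echo "files not in baseline:"; new_files "$BAD" "$MANIFEST"
```

The manifest is only trustworthy if it was taken from a system you already trust and stored somewhere the suspect system cannot modify.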

Can you please compare "factory-reset" with "xCommand DefaultValuesSet Level: 3"? In which cases is DefaultValuesSet 3 not good enough?

There are details in the following document of what the xCommand DefaultValuesSet commands reset: http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/admin_guide/Cisco_VCS_Command_Reference_X6.pdf

However, as the product evolves, it does not just run VCS application software with all the configuration in tsh. Other configuration items are in other places, and there are other components, such as the back-to-back user agent, which can also have their own configuration.

Factory reset wipes the hard disk and puts the image back on to the system, this is a much fuller reset and can help if other components such as the cluster database have become badly corrupted. It should usually only be used under guidance from TAC etc. as it can wipe all your configuration, including IP addressing and option keys etc.

I had little time; these were lab systems which were affected. I'll try it tomorrow.

Besides that, I do not really like the decentralized configuration files. The xconfiguration was an easy way to compare configs and also to script and mass deploy.

Now with something here and something there, it is not getting better :-(

Please remember to rate helpful responses and identify

Yes, we've given the development team the feedback and there are plans afoot to try and get back to a single CLI where everything can be configured from. Not sure of time scales for it, but hopefully not too far in the future.

Sent from Cisco Technical Support iPhone App

Hello Guy!

That's great to hear!

Btw, I also dislike the odd number range for RTP ports on the B2BUA; for me RTP with RTCP is always even, like 56000-56999 and not 56000-57000.

Please remember to rate helpful responses and identify

I assume the factory-reset procedure mentioned above puts the VCS in a right-from-Cisco status, i.e. deletes "ALL" configuration information and logs, resets the box back to the default PWD and wipes the old IP information?

Right?

Chet

Chet Cronin
801-815-3539(USA)
801-815-3539 (AFG)

Hi Chet,

Yes it does a good job of cleaning things out, though it doesn't wipe absolutely everything, as it needs somewhere to install the image from, so that part of the disks doesn't change.

If you need to be certain of wiping everything, raise a case with TAC and tell them your system has been compromised. Ask for them to arrange a re-flash of the system via USB key.

Thanks,

Guy
