My experiences: good, bad and ugly

UGLY

mkfs.ext4 /dev/sdc1    (NAME OF THE DRIVE)

If you are sick and tired of your QRadar, all you have to do is run the destructive command above; believe me, it will wipe out your config and every single log QRadar has received since day one.
It has been tried :p

Why is this command so dangerous? CONTEXT. Let me explain: the poor customer wanted to delete data from off-board storage to make room for /backup (another mount point). Here is the series of unfortunate events:


EXCERPT TAKEN FROM THE REAL CONFIG GUIDE
Command: ls -l /dev/disk/by-path/*-fc-*

Output on QRadar primary host:

lrwxrwxrwx 1 root root  9 Feb 21 15:26 /dev/disk/by-path/pci-0000:16:00.0-fc-0x500507680140d0b0-lun-0 -> ../../sda
lrwxrwxrwx 1 root root 10 Feb 21 15:26 /dev/disk/by-path/pci-0000:16:00.0-fc-0x500507680140d0b0-lun-0-part1 -> ../../sda1
lrwxrwxrwx 1 root root  9 Feb 21 15:26 /dev/disk/by-path/pci-0000:16:00.0-fc-0x500507680140d0f0-lun-0 -> ../../sdb
lrwxrwxrwx 1 root root 10 Feb 21 15:26 /dev/disk/by-path/pci-0000:16:00.0-fc-0x500507680140d0f0-lun-0-part1 -> ../../sdb1

Command: lsblk

Output on QRadar primary host:

NAME     MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sda        8:0    0    16T  0 disk
└─sda1     8:1    0  14.4T  0 part
sdb        8:16   0    16T  0 disk
└─sdb1     8:17   0  14.4T  0 part /store
sdc        8:32   0 278.5G  0 disk
├─sdc1     8:33   0   100M  0 part /boot
├─sdc2     8:34   0   100M  0 part /boot/efi
├─sdc3     8:35   0     6G  0 part
├─sdc4     8:36   0  23.6G  0 part [SWAP]
├─sdc5     8:37   0    20M  0 part
├─sdc6     8:38   0    10G  0 part /var/log
├─sdc7     8:39   0    10G  0 part /store/tmp
├─sdc8     8:40   0    20G  0 part /
└─sdc9     8:41   0 208.7G  0 part





2. Reformat the partition sdb1

Command: mkfs.ext4 /dev/sda1

Forensics?

  • They ran lsblk thinking it showed two separate 16TB storage devices; instead it was a single 16TB /store volume shown twice because of the dual fibre-channel paths... the rest is history.
  • BOTTOM LINE

ASSUMPTION BEING THE MOTHER OF ALL FUCK UPS
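A pre-flight check to put in front of any mkfs on a host like this one, added here as an example and not part of the original post or of QRadar: it reads `lsblk -P -o NAME,UUID,MOUNTPOINT` output and refuses a target whose filesystem UUID also appears on another block device, which is exactly how one LUN reached over two fibre-channel paths (sda1 and sdb1 above) shows up. The sample lsblk output, its UUIDs and the function names are constructed for the example.

```shell
#!/bin/sh
# Pre-flight check before mkfs: parse `lsblk -P -o NAME,UUID,MOUNTPOINT` output and
# refuse a target whose filesystem UUID is also present on another block device.
# That is what a single FC LUN visible over two paths (sda1 and sdb1) looks like.

# Constructed sample of lsblk -P output; the UUIDs are invented for this example.
SAMPLE_LSBLK='NAME="sda" UUID="" MOUNTPOINT=""
NAME="sda1" UUID="7d1c2f3a-0000-4b1e-9c3a-aaaaaaaaaaaa" MOUNTPOINT=""
NAME="sdb" UUID="" MOUNTPOINT=""
NAME="sdb1" UUID="7d1c2f3a-0000-4b1e-9c3a-aaaaaaaaaaaa" MOUNTPOINT="/store"
NAME="sdc" UUID="" MOUNTPOINT=""
NAME="sdc8" UUID="0e9b8a7c-0000-4f2d-8e1b-bbbbbbbbbbbb" MOUNTPOINT="/"
NAME="sdc9" UUID="" MOUNTPOINT=""'

# mkfs_verdict DEVNAME LSBLK_TEXT
# prints: safe | unknown:<name> | twin:<name> | twin-mounted:<name>:<mountpoint>
# exit status is 0 only for "safe"
mkfs_verdict() {
  printf '%s\n' "$2" | awk -v target="$1" '
    function val(key) {                  # value of key="..." on the current line
      if (!match($0, key "=\"[^\"]*\"")) return ""
      return substr($0, RSTART + length(key) + 2, RLENGTH - length(key) - 3)
    }
    { name[NR] = val("NAME"); uuid[NR] = val("UUID"); mp[NR] = val("MOUNTPOINT") }
    END {
      found = 0; want = ""
      for (i = 1; i <= NR; i++) if (name[i] == target) { found = 1; want = uuid[i] }
      if (!found) { print "unknown:" target; exit 1 }
      verdict = "safe"
      if (want != "") {                  # no filesystem signature -> nothing to match
        for (i = 1; i <= NR; i++) {
          if (name[i] == target || uuid[i] != want) continue
          if (mp[i] != "") { verdict = "twin-mounted:" name[i] ":" mp[i]; break }
          if (verdict == "safe") verdict = "twin:" name[i]
        }
      }
      print verdict
      code = (verdict == "safe") ? 0 : 1
      exit code
    }'
}

# Guarded wrapper for a real host: mkfs.ext4 runs only when the verdict is "safe".
# Usage: safe_mkfs /dev/sda1
safe_mkfs() {
  mkfs_verdict "${1#/dev/}" "$(lsblk -P -o NAME,UUID,MOUNTPOINT)" || return 1
  mkfs.ext4 "$1"
}
```

UUID matching only catches a second path that already carries a filesystem; for a raw LUN compare the wwn-* links under /dev/disk/by-id or the output of multipath -ll instead, since safe_mkfs still trusts a device that lsblk lists with no UUID at all.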



5 comments:

  1. A client purchased a SIEM and at the time of the deployment discussion a genius administrator asks with full curiosity: hey, what is the difference between SIEM and Kiwi syslog :O

    Can you answer such a question?

  2. Abdullah, my question is "what the heck was a system administrator doing in a SIEM presentation and deployment?". You were clearly dealing with the wrong audience.

    Replies
    1. Actually, that is another issue: some organizations do not know who should be sitting behind the dashboard of a SIEM.