
Sheriff CSM™

Back Up and Restore System Configuration

In Sheriff CSM, you can back up and restore system configurations including system profile, network configuration, inventory data, policies, plugins, correlation directives and other basic settings. You can restore the configurations on a different Sheriff CSM system from a backup file through the Sheriff Console. You can also manage the configuration backups from the Sheriff CSM web user interface (UI).

Note: It is not possible to upgrade from Sheriff Vigilante® to Sheriff CSM, but you can restore Sheriff Vigilante configurations to Sheriff CSM or vice versa if they are the same version.

Each configuration backup file contains the following (events, alarms, and raw logs are not included):

  • Asset and inventory data
  • Correlation directives
  • Host-based intrusion detection system (HIDS) configurations
  • HIDS local rules
  • Iptables configurations
  • Plugins (both default and customized)
  • Policies
  • Syslog and logrotate configurations
  • System configuration (including network interfaces, system profile, and Sheriff CSM basic configuration settings)
  • Tickets created in Sheriff CSM
  • Virtual private network (VPN) configurations (including VPN certificates)

    Important: Be aware that if your VPN certificate changes after the backup has taken place, you must reconfigure the VPN connection after restoring the backup file.

By default, Sheriff CSM backs up the system configurations at 7:00 am local time every day. These display as "Auto" under the Type column in the web UI. You can also manually run a backup at any time.

Sheriff CSM stores its configuration backup files locally, in the following location:
/var/sheriff/backup/configuration_<hostname>_<timestamp>.tar.gz

For example, configuration_VirtualSheriffAllInOne_1429616586.tar.gz

The integer string represents epoch time, so the backup with the highest number is the most recent one. Sheriff CSM maintains 10 backups on each system, based on their time stamp.

Note: Sheriff recommends keeping a copy of the latest backup file outside of Sheriff CSM because you may not be able to retrieve these backup files when the system is down.
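
The following sketch selects the newest backup by the epoch embedded in its file name and copies it to storage outside the appliance. It is an added example, not Sheriff code; the function names are hypothetical, and the destination directory is assumed to be an already mounted off-box location passed as the second argument.

```sh
# Added example (not vendor code). Assumes backup names of the form
# configuration_<hostname>_<timestamp>.tar.gz, as described on this page.

# Print the epoch embedded in a backup file name; fail if the name does not fit.
backup_epoch() {
    name=${1##*/}
    case $name in
        configuration_?*_?*.tar.gz) ;;
        *) return 1 ;;
    esac
    stem=${name%.tar.gz}
    epoch=${stem##*_}          # last field, so host names may contain "_"
    case $epoch in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$epoch"
}

# Print the path of the newest backup in directory $1. The comparison is
# numeric: a lexical sort would rank 999999999 above 1429703000.
latest_backup() {
    best= best_epoch=-1
    for f in "$1"/configuration_*.tar.gz; do
        [ -f "$f" ] || continue
        e=$(backup_epoch "$f") || continue
        if [ "$e" -gt "$best_epoch" ]; then best_epoch=$e; best=$f; fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# Copy the newest backup from $1 into $2 (assumed: storage outside the
# appliance, already mounted) and confirm the copy is byte-identical.
export_latest() {
    src=$(latest_backup "$1") || return 1
    dst=$2/${src##*/}
    cp -p "$src" "$dst" && cmp -s "$src" "$dst" || return 1
    printf '%s\n' "$dst"
}

# Constructed demo: empty files with made-up host names and epochs.
demo() {
    d=$(mktemp -d) || return 1
    for n in VirtualSheriffAllInOne_1429616586 csm_server_01_1429703000 old_999999999; do
        : > "$d/configuration_$n.tar.gz"
    done
    newest=$(latest_backup "$d"); rm -rf "$d"
    printf '%s\n' "${newest##*/}"
}

if [ "$#" -eq 2 ]; then export_latest "$1" "$2"; else demo; fi
```

Called with two arguments (backup directory, destination directory) it performs the copy; with none it runs the constructed demo. The copied file remains encrypted with the backup password, which must be kept separately for a later restoration.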

Before starting the backup, Sheriff CSM verifies the following:

  • No re-configuration process is running.
  • No other backup or restore processes are running.
  • Sufficient disk space exists to restore the configuration backup.

Sheriff CSM aborts the backup process if any of these checks fails.

Starting from version 5.2.5, Sheriff CSM does not generate any configuration backups, automatic or manual, until you set a password to encrypt the backup files. You must provide the same password to decrypt the file before a restoration.

To set up a password to encrypt the backup files

  1. In the web UI, go to Configuration > Administration > Main > Backup.

  2. In Password to encrypt backup files, type a password between 7 and 32 characters.

    Important: Do not use the following characters in your password:

    ;, |, &, $, <, >, \n, (, ), [, ], {, }, ?, *, ^, \.

  3. Click Update Configuration.

To run a backup manually

  1. In the web UI, go to Configuration > Administration > Backups > Configuration.

  2. Click Run Backup Now.

    A message appears showing when the last backup was run and asking if you want to continue.

  3. Select Yes to start the backup.

    These backups display as "Manual" under the Type column.

To see any error messages in the backup logs

  1. Go to Configuration > Administration > Backups > Configuration.

  2. Click View Backup Logs.

In a federated environment, where you have Sheriff CSM Sensors (Deputies) reporting to a Sheriff CSM Server (child), which then reports to another Sheriff CSM Server (federated), keep the following in mind:

  • Each Sheriff CSM Server (whether a child or federated server) only triggers automatic backups of itself and directly connected sensors. In other words, the federated server does not trigger automatic backups to its child servers.

  • Each Sheriff CSM stores its own backup file.

You can select the child server on the federated server, but not the reverse. You can run a manual backup of the child server from the federated server by following the standard backup procedure.

To back up the child server from the federated server:

  1. Go to Configuration > Administration > Backups > Configuration.

  2. Choose which system you want to use by expanding Show Backups for.

  3. Click Run Backup Now.

You can only restore a Sheriff CSM system from a backup file through the Sheriff Console.

Before running a restoration, Sheriff CSM verifies the following and aborts the restoration process if any of these checks fails:

  • No re-configuration process is running.

  • No other backup or restore processes are running.

  • The backup profile matches the system profile. In other words, you cannot restore a backup file from the Sheriff CSM Server on the Sheriff CSM Sensor.

  • The backup file version is the same as that of the target system. In other words, you can only restore a Sheriff CSM version 5.4.3 backup on a system that is running Sheriff CSM version 5.4.3.

    Note: You can restore a Sheriff Vigilante backup on a Sheriff CSM or vice versa, as long as they are the same version.

  • Sufficient disk space exists to restore the configuration backup.

Before restoring a backup file, you must transfer the file to the target system and place it in the /var/Sheriff/backup/ directory. You can use either an SFTP client on Windows, such as WinSCP, or the SCP protocol on Linux.

To restore a backup file

  1. Connect to the Sheriff Console through SSH and use your credentials to log in.

    The Sheriff Setup menu displays.

  2. Select Maintenance & Troubleshooting.

  3. Select Backups.

  4. Select Restore configuration backup.

  5. Select the backup file you want to restore, and then click <OK> or press Enter.

  6. Select <Yes> to continue.

  7. Enter the password used to encrypt the backup files.

    The restoration process starts.

    After the process finishes, the system restarts automatically.

    Note: Your SSH connection will drop if the IP address of Sheriff CSM changes as a result of the restoration.

  8. Log in to display the Sheriff Setup menu again.

  9. Select System Preferences.

  10. Select Reset Sheriff API Key.

    To find out more, see Reset the Sheriff API Key.

You can manage the configuration backups on Configuration > Administration > Backups > Configuration.

The configuration backups display in a table format.

Columns / fields for configuration backups

Column / Field Name    Description
System                 System chosen for backup.
Date                   Date and time when the backup was run.
Backup                 Backup category. Currently the only category is Configuration.
Type                   Backup type. Supported values are Auto and Manual.
Version                Version of the Sheriff CSM system.
Size                   Size of the backup file.
Download               Saves the backup file to your local machine.

By default, Sheriff CSM sorts the backups by their time stamps, with the latest one at the top.

To look for a backup

  • Use the search box at the upper left corner.

    Search fields are System (name or IP address), Date, or Type.

To download backups and store them locally

  1. Locate the backup you'd like to download.

  2. In the last column, click the download icon (Export Report).

    Sample backup file format:

    configuration_VirtualSheriffAllInOne_1429616586.tar.gz

    Because the integer string represents epoch time, the backup with the highest number denotes the most recent one.

To delete one or more backups

  1. Select the backups by checking the square(s) to the left of each backup.

  2. Click the delete icon (Delete Report) above the table towards the right.
Topic revision: r25 - 12 Jun 2022, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.