Introduction
giis-ext4 is designed to protect certain important directories/files on Linux systems that use the ext4 filesystem.
The binary installation of giis-ext4 has only one dependency, sqlite3, which should be available by default on most Linux machines.
Installation
Installation of giis-ext4 will need root privileges. You should follow these
steps for both binary and source installation.
Download the latest tar file into your home directory
wget http://www.giis.co.in/giis/giis-ext4_0.6.tar
Extract the tar file into your home directory, which will create a new
directory called giis-ext4
tar -xvf giis-ext4_0.6.tar
Change to the newly created directory
cd giis-ext4
Now, to install the giis-ext4 binary, run the following command as root:
sh install_giis_ext4.sh
This script will place the binary in /usr/bin and create the /usr/local/giis/
working directory structure and files.
giis-ext4 configuration
Once you have successfully installed giis-ext4 from either the binary or the source
code, you need to configure it.
Run the following command as root to configure which directories to protect, how
many levels of directory depth to cover and how often to look for changes.
Let's start the configuration by running:
# giis-ext4 --install
Device Found : /dev/mapper/vg_space-lv_root
giis : Taking snapshot of current File system
giis-ext4:Installation begins..
giis-ext4: header table created
giis-ext4: file table created
What’s the maximum directory depth?4
I want to protect four levels of directory depth (dir1/subdir1/subdir2/subdir3), so I enter "4".
Now it prompts for which directories to protect.
Enter the dirname name,that you would like to protect(Max. 7 directories)
Enter dirname:/tools
Press 1 to add/protect another directory else Press 0 to complete: 1
Enter dirname:/docs
Press 1 to add/protect another directory else Press 0 to complete: 0
I want to protect files in two directories, "tools" and "docs", and entered "0" to mark the
end of the directory list.
Check for newly files every ‘auto update time’ minutes.
Enter auto update time: 20
Here I specified that every 20 minutes the tool should scan the "tools" and "docs" directories for new files or changes to existing files.
If it finds new files or changes to existing files, it keeps track of them.
Parsing directory : /tools
Parsing directory : /docs
*Please add following entry into your /etc/crontab file for auto update
*/20 * * * * root /usr/bin/giis-ext4 -u > /dev/null
giis-ext4:Installation is complete.
Now append the crontab entry as suggested above, so that the update runs every 20 minutes.
Here are the contents of the tools directory:
# ls -l /tools/
total 120
-rwxr-xr-x. 1 root root 60247 2011-03-17 22:56 cloud-seed.py
-rwxr-xr-x. 1 root root 335 2011-03-17 22:56 dbench_test.sh
-rwxr-xr-x. 1 root root 217 2011-03-17 22:56 iozone_test.sh
-rwxr-xr-x. 1 root root 5644 2011-03-17 22:56 kernel_compile.sh
# ls -l /docs/
-rw-r--r--. 1 root root 461 2011-03-17 22:57 bonnie++.txt
-rw-r--r--. 1 root root 66 2011-03-17 22:57 cpio.txt
-rw-r--r--. 1 root root 199 2011-03-17 22:57 dbench.txt
-rw-r--r--. 1 root root 340 2011-03-17 22:57 small_files.txt
For example, here is the md5sum of one file:
# md5sum /docs/small_files.txt
0669d98fe55c5e76f8c1841c9f08bf7f /docs/small_files.txt
Say that by mistake I deleted the file "small_files.txt":
#rm -rf /docs/small_files.txt
Now the file is gone and its inode is freed.
Suddenly I realize that small_files.txt was in fact the input for another shell script.
Now what would you do?
Relax: since you have configured giis-ext4 for this directory, you may still have a chance to recover the file.
Recovering files
# giis-ext4 --recover
Device Found : /dev/mapper/vg_space-lv_root
press 1: get all user files
press 2: get specific user files
press 3: get specific file type
press 4: get specific file
press 5: get it by deleted date
Enter your option:4
Since we know the exact name of the file we want to recover, I selected option 4 and entered the file name:
Enter the Filename Name….small_files.txt
Verifing inode:8126486|
**giis-ext4 : Recovery completed.Please check /usr/local/giis/giis.log for more details and /usr/local/giis/got_it/ for files **
Let's check the log file:
# cat /usr/local/giis/giis.log
/docs/small_files.txt — recovered on — Thu Mar 17 23:22:37 2011
Good. It says the file "small_files.txt" was recovered and placed under the /docs directory.
Is that true?
# ls -l /docs/small_files.txt
-rw-r--r--. 1 root root 340 2011-03-17 23:29 /docs/small_files.txt
Yes, it looks like the recovered file has the same size.
But does it contain the same data? Let's verify with md5sum:
# md5sum /docs/small_files.txt
0669d98fe55c5e76f8c1841c9f08bf7f /docs/small_files.txt
Cool, it seems to be a perfect match.
Other interesting recovery options:
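The md5sum check above was done by hand for one file. The script below (an added example, not part of giis-ext4) generalises it: it keeps a checksum manifest of the protected directories and checks every file against it after a recovery run, since a file brought back by its freed inode may have had some of its data blocks reused in the meantime and then differs from the original while still having the same name. The manifest path, the return codes and the sample files are assumptions.

```shell
#!/bin/sh
# Added example, not part of giis-ext4. Keeps an md5 manifest of the
# directories given to giis-ext4 --install and checks recovered files
# against it, because a recovered file can be partially overwritten
# even when its size looks right. MANIFEST path is an assumption.

MANIFEST="${MANIFEST:-/usr/local/giis/manifest.md5}"

# record_manifest DIR...: store "md5  path" for every regular file found.
# Run it on the same cron schedule as giis-ext4 -u so the manifest is
# never older than the snapshot. Paths must not contain whitespace.
record_manifest() {
    find "$@" -type f -exec md5sum {} + | sort -k 2 > "$MANIFEST"
}

# verify_file PATH: 0 = content matches the manifest, 1 = content differs
# (blocks overwritten before recovery), 2 = not in manifest, 3 = missing.
verify_file() {
    expected=$(awk -v p="$1" '$2 == p { print $1 }' "$MANIFEST")
    [ -n "$expected" ] || return 2
    [ -f "$1" ] || return 3
    actual=$(md5sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] && return 0
    return 1
}

# verify_dir DIR: check every manifest entry under DIR after a recovery
# run; prints one status line per file and returns the number of files
# that are missing or altered (0 means every file came back intact).
verify_dir() {
    problems=0
    while read -r sum path; do
        case "$path" in "$1"/*) ;; *) continue ;; esac
        if [ ! -f "$path" ]; then
            printf 'MISSING %s\n' "$path"; problems=$((problems + 1))
        elif [ "$(md5sum "$path" | awk '{ print $1 }')" != "$sum" ]; then
            printf 'ALTERED %s\n' "$path"; problems=$((problems + 1))
        else
            printf 'OK      %s\n' "$path"
        fi
    done < "$MANIFEST"
    return "$problems"
}
```

Typical use: `record_manifest /tools /docs` from cron, then `verify_dir /docs` after `giis-ext4 --recover` to see which recovered files are byte-for-byte the originals.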
press 1: get all user files
press 2: get specific user files
press 3: get specific file type
press 4: get specific file
press 5: get it by deleted date
We have seen how option 4 works. Option 1 simply recovers all possible files that were deleted from the configured directories.
Option 2 lets you recover files based on their owner. If you want to recover files belonging to "Elija", simply enter the name with option 2:
Enter your option:2
Enter the User Name….Elija
With option 3, you can recover a particular type of file. Say you want to recover only pdf files:
Enter your option:3
Make sure you put % before the extension (it is the SQL LIKE wildcard, hence the "sql injection" joke 🙂):
Enter the file extention ( %.txt or %.c or %.cpp …) :%.pdf
Option 5 allows you to recover files based on their deletion date. You can recover all files deleted on a specific date, within a date range, or
after/before a given date.
press 5: get it by deleted date
Enter your option:5
Get Files by Deleted Date:
Press 0 : Deleted on
Press 1 : Deleted After
Press 2 : Deleted Before
Press 3 : Deleted Between
Override the auto-update time
While installing, we configured the update time as 20 minutes.
Suppose I created an important file and want it protected by giis-ext4 right away;
I'm impatient and can't wait up to 20 minutes. You can add it like this:
# giis-ext4 --update
Device Found : /dev/mapper/vg_space-lv_root
giis : Updating snapshot of current File system
Parsing directory : /tools
inode<7602199>Record already exists
Parsing directory : /docs
giis-ext4:Update is complete.
Now the newly created file is added into giistable.
Viewing the list of deleted files with "--list"
Say we deleted a couple of files:
# rm -rf /docs/ffsb.txt
#rm -rf /tools/iozone_test.sh
# giis-ext4 --list
Device Found : /dev/mapper/vg_space-lv_root
Verifing inode:
File:iozone_test.sh was deleted from /tools/iozone_test.sh.
File:ffsb.txt was deleted from /docs/ffsb.txt.
giis-ext4 recognizes that the two files are missing from its inventory.
Th-th-th-that’s all folks! 🙂