I had a thought and would be interested in seeing if it passes the sniff test by smarter folks here.
I have a web-facing server. I'll call it WEB1. I believe I have taken the standard precautions and as of yet it hasn't been co-opted, as far as I know. For the sake of my question assume I have done well. In spite of my best efforts it is still possible some evil-doer could find an "in".
The WEB1 server is a VM. It is running on a dedicated Linux box, I'll call it HOST1. It has no Internet visibility. From HOST1 I can look at WEB1's VM file. Is there a "smart" way to tell if the OS of WEB1 has been modified by looking at it from HOST1?
If it has been altered, I can get back up almost instantly by restarting WEB1 from a snapshot.
Any comments or criticisms would be welcomed. Mike
You are not mentioning what hypervisor is used.
If it's KVM - then you can: