> Software > Manage > Account > Security > Certifications and Compliance

Enabling Ransomware Protection on CommCell Entities with SELinux

You can enable ransomware protection on CommCell entities by having SELinux enabled in enforced mode. Ransomware protection must be enabled first on the Primary and Stand=by CommServe computers, and then enabled on other CommCell entities as required.

The following CommCell entities support ransomware protection with SELinux:

  • Primary CommServe computer
  • Standby CommServe computer
  • Threat scan servers
  • MediaAgents
  • Web Servers

Enable Ransomware Protection on the Primary and Standby CommServe Computers

You must enable ransomware protection on the Primary and Standby CommServe computers before enabling it on any other CommCell entity.

Before You Begin

  • Verify that SELinux is enabled on the Primary CommServe computer.
  • Verify that you have administrative access to the Primary CommServe computer.
  • Plan a maintenance window, because Commvault services must be stopped and the system rebooted.
  • Take a snapshot of server being hardened if it is a virtual machine

Procedure

Perform these steps on both the Primary and Standby CommServe computers.

  1. Install the CISHardening package on all instances of the Primary and Standby CommServe computers. If MediaAgent package is already installed on an instance, installing the CISHardening package is not required.

    For instructions, see Adding Commvault Software to a File Server.

  2. Install the required SELinux packages:

    yum install selinux-policy-devel

  3. Stop all Commvault services:

    commvault stop

  4. Enable ransomware protection on instance 1 of the Primary CommServe computer:

    /opt/commvault/MediaAgent/cvsecurity.py enable_protection -i Instance001

  5. Enable ransomware protection on instance 2 of the Primary CommServe computer:

    /opt/commvault2/MediaAgent/cvsecurity.py enable_protection -i Instance002

  6. Reboot the system for the changes to take effect.

Enable Ransomware Protection on CommCell Entities Other Than the CommServe Computers

You can enable ransomware protection on CommCell entities only after ransomware protection is enabled on the Primary and Standay CommServe computers.

Before You Begin

  • Verify that SELinux is enabled on the computer.
  • Verify that you have administrative access to the computer.
  • Verify that ransomware protection is enabled on the Primary and Standby CommServe computers.
  • Plan a maintenance window, because Commvault services must be stopped and the system rebooted.

Procedure

  1. Install the CISHardening package, if MediaAgent package is not already installed on the computer.

    For instructions, see Adding Commvault Software to a File Server.

  2. Install the required SELinux packages:

    yum install selinux-policy-devel

  3. Stop all Commvault services:

    commvault stop
    4. Enable ransomware protection on an instance of the CommCell entity:

    /opt/commvault/MediaAgent/cvsecurity.py enable_protection -i Instance001

    Instance001 refers to the instance on the CommCell entity.

  4. Reboot the system for the changes to take effect.

After the reboot completes, ransomware protection is enabled on the selected entites in your CommCell environment.

×

Loading...