Enabling Ransomware Protection for Linux ROBO

You can enable ransomware protection for a Linux ROBO MediaAgent. The software enables ransomware protection for the backup data and the Commvault metadata on the MediaAgent computer.

Ransomware protection is automatically enabled on new installations of the Linux ROBO node.

Before You Begin

  • Review the system requirements and the considerations for ransomware protection.

  • If any disk libraries or mount paths are already mounted on the MediaAgent, you must back up the /etc/fstab system file.

  • You must put the MediaAgent in maintenance mode because the procedure requires a reboot and unmounts and mounts the disk libraries.

  • If the MediaAgent is a client computer, make sure that there are no active backup or restore operations running on the MediaAgent.

Procedure

  1. Log in to your MediaAgent.

  2. Stop the Commvault services.

    commvault stop

  3. Go to the /opt/commvault/MediaAgent64 directory.

  4. Perform the following steps:

    • To enable the ransomware protection for the first time, complete the following steps:

      1. Execute the following command:

        ./cvsecurity.py enable_protection -i InstanceID

        where InstanceID is the ID of the instance. For example, Instance001.

      2. Reboot the MediaAgent for the ransomware protection to take effect. The software enables ransomware protection for the backup data, the Commvault metadata and the CDS metadata.

    • If you already enabled ransomware protection for the backup data, then to also enable ransomware protection for the Commvault metadata and the CDS metadata on the MediaAgent computer, execute the following commands.

      ./cvsecurity.py protect_meta_data -i Instance001
      
      ./cvsecurity.py restart_cv_services -i Instance001

    Note

    Take the following precautions:

    • Wait for the node to come online after you enable ransomware protection on the node and reboot the node. To ensure that the node is online, verify that the start_node operation completed successfully in the /tmp/cvsecurity_hvcmd.log file.

    • To verify that the protection is resumed successfully, run the sestatus command and check that the value for the Current mode parameter is set to enforcing.

    • Verify that the cluster is online and the NFS vdisk is mounted. After a reboot, the cluster may take additional time to come up and online, depending on the amount of backup data present on the cluster.

    • Verify that the Commvault services are up and running. For instructions, see Using Process Manager to View and Manage Commvault Services.

      Note

      Do not enable ransomware protection on another node until you complete the above verification steps on the current node.

    Repeat the above steps on all the nodes in the HyperScale environment.

  5. Turn off the maintenance mode on all the nodes.

  6. You can configure alerts for any unauthorized write access to the disk library on a MediaAgent that is protected by ransomware protection. You can view these alerts in the Event Viewer of the CommCell Console and in the Audit Trail Report of the Command Center. By default, the software monitors the operations on the MediaAgent every 30 minutes and sends alerts for any unauthorized events. You can use the event code 32:369 to configure alerts for these events. To change the monitoring interval, use the dRWProtectionAlertInterval additional setting.

    For instructions about configuring alerts, see Creating an Alert from the Alert Wizard.

    Make the following selections when you configure alerts:

    • In the General Information window, select Operation for the Category and Event Viewer Events for the Type.

    • In the Entities Selection window, select the MediaAgents for which you want to receive alerts.

    • In the Threshold and Notification Criteria Selection window, select equals to criteria for Event Code, and then enter 32:659 in the box.

    Note

    • If you paused and resumed ransomware protection, you will get the following system alert and event.
      Ransomware protection resumed from permissive to enforcing mode. Please check the logs for more details
    • If you disabled ransomware protection, you will get the following system alert and event.
      Ransomware protection is in disabled state. Please check the logs for more details

Result

Ransomware protection is enabled on the MediaAgent. You can view its status as follows:

  1. From the navigation pane, go to Manage > Infrastructure.

    The Infrastructure page appears.

  2. Click the MediaAgent tile.

    The MediaAgents page appears.

  3. Click the MediaAgent in which you enabled ransomware

    In the Control section, the Ransomware Protection toggle key will be enabled. (The toggle key will appear grayed out.)

Additional Information

  • The software logs the activities of the ransomware protection in the /var/log/cvsecurity.log file.

  • The software logs any unauthorized activities in the /var/log/audit/audit.log file.
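
The sestatus check from the procedure and a first pass over the audit log named above can be scripted for each node. The following is an added example, not Commvault code: the function names, the placeholder SELinux type example_protected_t and the sample inputs are constructed, and the audit lines follow the standard SELinux AVC record format.

```bash
#!/usr/bin/env bash
# Added example, not Commvault code. All sample inputs below are constructed.

# Succeeds only if saved `sestatus` output ($1) shows "Current mode: enforcing".
selinux_enforcing() {
  awk '/^Current mode:/ { mode = $NF } END { exit !(mode == "enforcing") }' "$1"
}

# Count AVC denials in an audit log ($1). permissive=0: the access was blocked;
# permissive=1: it was only logged, as happens while SELinux is permissive.
avc_summary() {
  awk '/type=AVC/ && /denied/ {
         if ($0 ~ /permissive=1/) logged++; else blocked++ }
       END { printf "blocked=%d logged_only=%d\n", blocked, logged }' "$1"
}

# List "count process-name" for denied accesses, most frequent first.
avc_by_comm() {
  awk '/type=AVC/ && /denied/ && match($0, /comm="[^"]*"/) {
         n[substr($0, RSTART + 6, RLENGTH - 7)]++ }
       END { for (c in n) printf "%d %s\n", n[c], c }' "$1" | sort -rn
}

# Constructed sample data; example_protected_t is a placeholder type name.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/sestatus.txt" <<'EOF'
SELinux status:                 enabled
Current mode:                   enforcing
Mode from config file:          enforcing
EOF
cat > "$tmp/audit.log" <<'EOF'
type=AVC msg=audit(1700000001.101:812): avc:  denied  { write } for  pid=4211 comm="bash" name="chunk_1" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:example_protected_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000002.202:813): avc:  denied  { unlink } for  pid=4211 comm="bash" name="chunk_1" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:example_protected_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000002.202:813): arch=c000003e syscall=87 success=no exit=-13 comm="bash"
type=AVC msg=audit(1700000003.303:814): avc:  denied  { write } for  pid=4300 comm="rsync" name="chunk_2" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:example_protected_t:s0 tclass=file permissive=1
EOF

if selinux_enforcing "$tmp/sestatus.txt"; then
  echo "mode: enforcing"
else
  echo "mode: NOT enforcing, do not move on to the next node"
fi
avc_summary "$tmp/audit.log"
avc_by_comm "$tmp/audit.log"
```

On a node, save the output of sestatus to a file and pass that file and /var/log/audit/audit.log to the functions; reading the audit log requires root.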
