Considerations for Ransomware Protection

Review the following considerations before you enable ransomware protection for a MediaAgent:

  • If any root intrusion occurs in the MediaAgent and modifies the SELinux module configuration, then the module cannot offer protection. For more information, see SELinux documentation from the operating system vendor.

  • Ransomware protection can be enabled only on a single instance.

  • The following table presents the support for various types of disk libraries.

    | Type of Disk Library | New or Existing | Support for Protection |
    |---|---|---|
    | Library configured under a root filesystem directory ("/") | Existing | Not supported |
    | Library configured using local or external SAS/SATA disk storage | Existing | Supported |
    | Library configured using local or external disk storage | New | Supported |
    | Shared library with the mount path on an NFS share | Existing | Supported. You must run the protect_disk_library command when you configure ransomware protection on a Linux MediaAgent or a HyperScale MediaAgent. |
    | Shared library with the mount path on an NFS share | New | Supported. Configure ransomware protection for a disk library on an NFS share. |
    | Library on a HyperScale MediaAgent | Existing | Supported |
    | Library on a HyperScale MediaAgent | New | Supported |
    | HPE StoreOnce Catalyst Library | New | N/A |

  • If you want to upgrade or update the kernel or the operating system on the MediaAgent after you enable ransomware protection, you must pause SELinux prior to the operation and then resume SELinux again after the operation is complete.

    • To pause SELinux, complete the following steps:

      • Log on to the MediaAgent computer as a root user.

      • Execute the following command:

          # setenforce 0

      • Open the /etc/selinux/config file, set the value as SELINUX=permissive, and then save the file.

      • To confirm that SELinux is paused successfully, execute the following command:

          # sestatus

        The output appears as follows:

          SELinux status:                 enabled
          SELinuxfs mount:                /sys/fs/selinux
          SELinux root directory:         /etc/selinux
          Loaded policy name:             default
          Current mode:                   permissive
          Mode from config file:          permissive
          Policy MLS status:              enabled
          Policy deny_unknown status:     allowed
          Memory protection checking:     requested (insecure)
          Max kernel policy version:      33

        Verify that the value for Current mode is set to permissive.

    • To resume SELinux, complete the following steps:

      • Execute the following command:

          # setenforce 1

      • Open the /etc/selinux/config file, set the value as SELINUX=enforcing, and then save the file.

      • To confirm that SELinux is resumed successfully, execute the following command:

          # sestatus

        The output appears as follows:

          SELinux status:                 enabled
          SELinuxfs mount:                /sys/fs/selinux
          SELinux root directory:         /etc/selinux
          Loaded policy name:             targeted
          Current mode:                   enforcing
          Mode from config file:          enforcing
          Policy MLS status:              enabled
          Policy deny_unknown status:     allowed
          Memory protection checking:     actual (secure)
          Max kernel policy version:      33

        Verify that the value for Current mode is set to enforcing.
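
The confirmation steps above can be scripted. The following is an added example, not part of the vendor documentation: it reads sestatus output and passes only when both Current mode and Mode from config file show the expected mode, which catches a resume where setenforce 1 was run but /etc/selinux/config was left at permissive. The function names and the sample outputs are constructed for this example.

```shell
#!/bin/sh
# Added example (not vendor code): check sestatus output after a pause or resume.

# Print the value of one "Name:   value" field from sestatus output on stdin.
selinux_field() {
    awk -F: -v key="$1" '$1 == key {
        sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2; exit
    }'
}

# check_selinux_mode EXPECTED
# Reads sestatus output on stdin. Returns 0 only when both the running mode
# and the mode in /etc/selinux/config equal EXPECTED, 1 on a mismatch, and
# 2 when the fields are absent (for example, SELinux disabled).
check_selinux_mode() {
    expected=$1
    status=$(cat)
    current=$(printf '%s\n' "$status" | selinux_field "Current mode")
    config=$(printf '%s\n' "$status" | selinux_field "Mode from config file")
    if [ -z "$current" ] || [ -z "$config" ]; then
        echo "UNKNOWN: mode fields not found in sestatus output"
        return 2
    fi
    if [ "$current" != "$expected" ]; then
        echo "FAIL: Current mode is $current, expected $expected"
        return 1
    fi
    if [ "$config" != "$expected" ]; then
        echo "FAIL: Mode from config file is $config, expected $expected"
        return 1
    fi
    echo "OK: Current mode and Mode from config file are both $expected"
}

# Constructed sample: setenforce 1 was run but the config file was not edited,
# so the host would return to permissive at the next reboot.
SAMPLE_DRIFT='SELinux status:                 enabled
Current mode:                   enforcing
Mode from config file:          permissive'

# Constructed sample: fully resumed host.
SAMPLE_RESUMED='SELinux status:                 enabled
Current mode:                   enforcing
Mode from config file:          enforcing'

printf '%s\n' "$SAMPLE_DRIFT"   | check_selinux_mode enforcing || true
printf '%s\n' "$SAMPLE_RESUMED" | check_selinux_mode enforcing
# On a MediaAgent, as root: sestatus | check_selinux_mode enforcing
```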
