Solved

Monitoring "Ransomware protection" on Hyperscale

  • 10 February 2021
  • 6 replies
  • 329 views

Badge +2

 

Hi

Ransomware protection on Hyperscale:
Any improvements on the monitoring part , so False positives are avoided. ?

Alerts monitoring detect intrusion test, but all sorts of sosreport , dbusd and smartd events are triggered in the audit.log on the Hyperscale MA’s and makes monitoring setup full of false positives.
.
I have been guided by commvault to avoid the dbusd entries with this REGEX to enter in the monitoring setup:
denied.*cvstorage_t(?!.*\bdbus\b.*)|denied.*cvbackup_t(?!.*\bdbus\b.*)

.

But I still struggle to REGEX the sosreport entries out , any suggestions ?
.
Regards, Martin Rønde Andersen ,  using https://regex101.com/ as companion. 

 

icon

Best answer by Mike Struening RETIRED 11 March 2021, 18:13

View original

6 replies

Userlevel 5
Badge +8

@Martin.Roende yes regex can be a pain sometimes!  Would you mind sending us the log snippet containing the false positive, I will take a look and help you figure it out.


Thanks for the feedback also...We are working on some new things to make this easier, but in the short term, manually creating the policy is necessary and filters like this may be necessary to weed out certain events.  We will fold the feedback into improving the policy or providing a preconfigured template.

Badge +2

Reference Commvault case.:

https://ma.commvault.com/Case/Details/210107-267

Badge +2

Please delete previous entry with this:  Even though I am logged in to ma.commvault.com I cannot edit my entry.

 

So far I have tried out different REGEX , here is the last one , without any luck to avoid “sosreport” alerts.

denied.*cvstorage_t(?!.*\bdbus\b.*)|denied.*cvbackup_t(?!.*\bdbus\b.*)| denied.*cvstorage_t(?!\bsosreport_t\b)
 

With 4 clusters and gluster file storage I only test out in one cluster until I have a solution.

My test works and give’s a correct alert.:
# touch /ws/glus/`hostname`-touch-trigger;ls -al /ws/glus
touch: cannot touch ‘/ws/glus/XXXXX-touch-trigger’: Permission denied
total 16
drwxr-xr-x.  5 root root 4096 Jan 27 12:52 .
drwxr-xr-x. 28 root root 4096 Jun 30  2020 ..
drw-r--r--.  2 root root 4096 Jan 27 12:52 .cvlt
drwxrwxr-x.  3 root root 4096 Sep 15 10:42 Folder_08.13.2020_10.45

Alert is : With HTML format in mail of caurse.
CommCell: comcell01 
Type: Operation - Event Viewer Events 
Detected Criteria: Event Viewer Events 
Detected Time: Mon Feb 8 13:02:23 2021 
•    Event ID: 40861623 
•    Monitoring Criteria: (Event Code contains 35:4402) AND (Description contains Criteria matched for monitoring policy [HyperScale-22H Ransomware Protection Auditlog monitoring]) 
•    Severity: Major 
•    Event Date: Mon Feb 8 13:04:25 2021 
•    Program: cvd 
•    Client: XXXXX
•    Description: Criteria matched for monitoring policy [HyperScale-22H Ransomware Protection Auditlog monitoring]. Description: [type=AVC msg=audit(1612785653.356:918378): avc: denied { write } for pid=19991 comm="touch" name="/" dev="fuse" ino=1 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cvstorage_t:s0 tclass=dir permissive=0] 

 

Userlevel 7
Badge +23

Please delete previous entry with this:  Even though I am logged in to ma.commvault.com I cannot edit my entry.

 

Fixed :thumbsup: - there is a time limit on editing posts

Badge +2

Adding in the auditlog example, anonymized.

Userlevel 7
Badge +23

Updating (and closing) as this conversation was taken offline with @DMCVault .

Reply