
Monitoring "Ransomware protection" on Hyperscale

  • 10 February 2021
  • 6 replies
  • 343 views

Martin.Roende
Byte

 

Hi

Ransomware protection on Hyperscale:
Any improvements on the monitoring part, so false positives are avoided?

Alerts monitoring detects the intrusion test, but all sorts of sosreport, dbusd and smartd events are triggered in the audit.log on the Hyperscale MAs and make the monitoring setup full of false positives.

I have been guided by Commvault to avoid the dbusd entries with this REGEX to enter in the monitoring setup:
denied.*cvstorage_t(?!.*\bdbus\b.*)|denied.*cvbackup_t(?!.*\bdbus\b.*)

But I still struggle to REGEX the sosreport entries out, any suggestions?

Regards, Martin Rønde Andersen, using https://regex101.com/ as companion.

 

Best answer by Mike Struening RETIRED

Updating (and closing) as this conversation was taken offline with @DMCVault .


6 replies

  • Vaulter
  • 53 replies
  • February 10, 2021

@Martin.Roende yes regex can be a pain sometimes!  Would you mind sending us the log snippet containing the false positive, I will take a look and help you figure it out.


Thanks for the feedback also... We are working on some new things to make this easier, but in the short term, manually creating the policy is necessary and filters like this may be necessary to weed out certain events. We will fold the feedback into improving the policy or providing a preconfigured template.


Martin.Roende
Byte

Please delete previous entry with this: Even though I am logged in to ma.commvault.com I cannot edit my entry.

 

So far I have tried out different REGEX, here is the last one, without any luck to avoid “sosreport” alerts.

denied.*cvstorage_t(?!.*\bdbus\b.*)|denied.*cvbackup_t(?!.*\bdbus\b.*)| denied.*cvstorage_t(?!\bsosreport_t\b)
 

With 4 clusters and gluster file storage I only test out in one cluster until I have a solution.

My test works and gives a correct alert:
# touch /ws/glus/`hostname`-touch-trigger;ls -al /ws/glus
touch: cannot touch ‘/ws/glus/XXXXX-touch-trigger’: Permission denied
total 16
drwxr-xr-x.  5 root root 4096 Jan 27 12:52 .
drwxr-xr-x. 28 root root 4096 Jun 30  2020 ..
drw-r--r--.  2 root root 4096 Jan 27 12:52 .cvlt
drwxrwxr-x.  3 root root 4096 Sep 15 10:42 Folder_08.13.2020_10.45

Alert is (with HTML format in mail of course):
CommCell: comcell01 
Type: Operation - Event Viewer Events 
Detected Criteria: Event Viewer Events 
Detected Time: Mon Feb 8 13:02:23 2021 
•    Event ID: 40861623 
•    Monitoring Criteria: (Event Code contains 35:4402) AND (Description contains Criteria matched for monitoring policy [HyperScale-22H Ransomware Protection Auditlog monitoring]) 
•    Severity: Major 
•    Event Date: Mon Feb 8 13:04:25 2021 
•    Program: cvd 
•    Client: XXXXX
•    Description: Criteria matched for monitoring policy [HyperScale-22H Ransomware Protection Auditlog monitoring]. Description: [type=AVC msg=audit(1612785653.356:918378): avc: denied { write } for pid=19991 comm="touch" name="/" dev="fuse" ino=1 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cvstorage_t:s0 tclass=dir permissive=0] 
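Added worked example (not from the thread, and not Commvault's own policy code): a small Python script that runs the two regexes quoted in this thread and an anchored alternative over constructed, anonymized AVC records modelled on the one in the alert above, and then applies the same decision as a structured rule on parsed fields. In a standard AVC record comm= appears before tcontext=, as in the quoted line, so a negative lookahead placed directly after cvstorage_t only inspects the tail of the record (":s0 tclass=dir permissive=0") and can never see the comm value; anchoring the lookahead at the start of the line checks the whole record. The sample lines, the exclusion list (dbus, sosreport, smartd, taken from the false-positive sources named in the opening post) and the helper names build_alert_regex, parse_avc, alerting_comms, should_alert and structured_alerts are all assumptions of this example; whether the Commvault monitoring engine feeds the complete record to the regex is not shown in the thread, so plain Python re is used here.

```python
import re

# Constructed, anonymized audit.log records (not real log data), modelled on the AVC line
# quoted in the thread. Lines 1 and 4 are the kind of event the policy should alert on (an
# unconfined user process touching the protected mount); lines 2, 3 and 5 are the benign
# daemon/tool noise described in the thread (dbus, sosreport, smartd).
SAMPLE_LINES = [
    'type=AVC msg=audit(1612785653.356:918378): avc: denied { write } for pid=19991 comm="touch" '
    'name="/" dev="fuse" ino=1 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:cvstorage_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1612785700.101:918401): avc: denied { getattr } for pid=1201 comm="dbus-daemon" '
    'path="/ws/glus" dev="fuse" ino=1 scontext=system_u:system_r:system_dbusd_t:s0 '
    'tcontext=system_u:object_r:cvstorage_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1612785800.222:918455): avc: denied { read } for pid=2302 comm="sosreport" '
    'name="/" dev="fuse" ino=1 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:cvstorage_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1612785900.333:918490): avc: denied { unlink } for pid=3403 comm="rm" '
    'name="backup.dat" dev="fuse" ino=77 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:cvbackup_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1612786000.444:918512): avc: denied { getattr } for pid=4504 comm="smartd" '
    'path="/ws/glus/.cvlt" dev="fuse" ino=3 scontext=system_u:system_r:fsdaemon_t:s0 '
    'tcontext=system_u:object_r:cvstorage_t:s0 tclass=dir permissive=0',
]

# Regex exactly as quoted in the thread (dbus exclusion; lookahead sits after the type label).
POSTED_DBUS_REGEX = re.compile(
    r'denied.*cvstorage_t(?!.*\bdbus\b.*)|denied.*cvbackup_t(?!.*\bdbus\b.*)')
# Later attempt from the thread that adds a sosreport alternative.
POSTED_SOSREPORT_REGEX = re.compile(
    r'denied.*cvstorage_t(?!.*\bdbus\b.*)|denied.*cvbackup_t(?!.*\bdbus\b.*)'
    r'| denied.*cvstorage_t(?!\bsosreport_t\b)')

PROTECTED_TYPES = ("cvstorage_t", "cvbackup_t")


def build_alert_regex(excluded_comms):
    """Alert regex whose negative lookahead is anchored at the start of the record, so it
    examines the whole line (comm= precedes tcontext= in an AVC record) instead of only
    the text that follows the protected type label. Hypothetical helper for this example."""
    excl = "|".join(re.escape(c) for c in excluded_comms)
    types = "|".join(PROTECTED_TYPES)
    return re.compile(rf'^(?!.*\b(?:{excl})\b).*denied.*\b(?:{types})\b')


AVC_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split an AVC record into its key=value fields, adding 'perm' (the { ... } block)
    and the SELinux type component of scontext/tcontext, so the alert decision does
    not depend on field order at all."""
    fields = {k: v.strip('"') for k, v in AVC_FIELD.findall(line)}
    m = re.search(r'denied\s*\{\s*([^}]*?)\s*\}', line)
    fields["perm"] = m.group(1) if m else None
    for ctx in ("scontext", "tcontext"):
        parts = fields.get(ctx, "").split(":")
        fields[ctx + "_type"] = parts[2] if len(parts) > 2 else None
    return fields


def alerting_comms(regex, lines):
    """comm= value of every record the given regex would turn into an alert."""
    return [parse_avc(line)["comm"] for line in lines if regex.search(line)]


def should_alert(fields, allowed_comms):
    """Structured rule: a protected Commvault type touched by a process not on the allowlist."""
    return fields["tcontext_type"] in PROTECTED_TYPES and fields.get("comm") not in allowed_comms


def structured_alerts(lines, allowed_comms):
    """comm= value of every record the structured rule would alert on."""
    return [f["comm"] for f in map(parse_avc, lines) if should_alert(f, allowed_comms)]


if __name__ == "__main__":
    noise = ("dbus", "sosreport", "smartd")
    print("posted regex alerts on:    ", alerting_comms(POSTED_DBUS_REGEX, SAMPLE_LINES))
    print("anchored regex alerts on:  ", alerting_comms(build_alert_regex(noise), SAMPLE_LINES))
    print("structured rule alerts on: ",
          structured_alerts(SAMPLE_LINES, {"dbus-daemon", "sosreport", "smartd"}))
```

On these records both regexes quoted in the thread alert on all five lines, including the dbus, sosreport and smartd ones, because the text after cvstorage_t never contains the process name; the anchored form and the field-based rule alert only on the touch and rm events. The field-based rule is the more robust of the two when the engine exposes the parsed fields, since it keys on tcontext type and comm rather than on substring position, but an allowlist of process names is still only as good as the inventory of legitimate daemons on the MA, so each added exclusion should be justified by a recorded benign event like those above.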

 


Damian Andre
Vaulter
  • Vaulter
  • 1186 replies
  • February 10, 2021
Martin.Roende wrote:

Please delete previous entry with this:  Even though I am logged in to ma.commvault.com I cannot edit my entry.

 

Fixed :thumbsup: - there is a time limit on editing posts


Martin.Roende
Byte

Adding in the auditlog example, anonymized.


Mike Struening
Vaulter

Updating (and closing) as this conversation was taken offline with @DMCVault .

