Hi.
I need to have a powershell script to check whetever someone has tempted with the immutable settings on the repository.
We have a standard of 30 days.
Does anyone have a suggestion to a script that checks if this settings has been altered or not so it could be an issue from an insider attach or a hacker?
I guess the script should not only check if the storage is immutable but also that it is immutable for 30 days in the settings.
If not I guess a hacker would reduce the setting to 1 day, and the check would go under the radar the next 24 hours...
We will of course run the check more often than every 24 ours, but anyway a script should confirm that actually days we are checking is OK.
-
frankive
- Service Provider
- Posts: 1092
- Liked: 134 times
- Joined: May 14, 2013 8:35 pm
- Full Name: Frank Iversen
- Location: Norway
- Contact:
-
HannesK
- Product Manager
- Posts: 14759
- Liked: 3044 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: RMM and latest immutable status check
Hello,
which immutability setting do you mean? For the Hardened Repository, the lowest possible setting is 7 days. The checkbox could be disabled. To check that, example code is available here
For S3 object lock: one enabled, it cannot be removed. An attacker would need to disable backup jobs then. So the backup job status / RPO time should be checked then (e.g. with Veeam ONE "Protected VMs" report)
Best regards,
Hannes
which immutability setting do you mean? For the Hardened Repository, the lowest possible setting is 7 days. The checkbox could be disabled. To check that, example code is available here
Code: Select all
$repo = Get-VBRBackupRepository -Name '*RepoName*'
$repo.GetImmutabilitySettings()Best regards,
Hannes
-
oleg.feoktistov
- Veeam Software
- Posts: 2007
- Liked: 666 times
- Joined: Sep 25, 2019 10:32 am
- Full Name: Oleg Feoktistov
- Contact:
Re: RMM and latest immutable status check
Hi Frank,
Since editing repository settings falls under infrastructure item save session specifics, there is no direct way to confirm what you are after.
If we are talking about linux hardened repository, the best way to do that is to check the logs once in a while and confirm that the last immutability setting correspond to the setting repository has now, for instance.
Here is the example of how you can get logs of immutability settings edited for a particular repository, which is a member of SOBR via powershell:
Thanks,
Oleg
Since editing repository settings falls under infrastructure item save session specifics, there is no direct way to confirm what you are after.
If we are talking about linux hardened repository, the best way to do that is to check the logs once in a while and confirm that the last immutability setting correspond to the setting repository has now, for instance.
Here is the example of how you can get logs of immutability settings edited for a particular repository, which is a member of SOBR via powershell:
Code: Select all
$sobr = Get-VBRBackupRepository -Scaleout
$repo = $sobr[1].Extent[1].Repository
$log = Get-Content -LiteralPath 'C:\ProgramData\Veeam\Backup\Utils\Util.InfraItemSaver.log'
$immutabilityLog = $log | Select-String -Pattern "Repository $($repo.Name) immutability"
Oleg
Who is online
Users browsing this forum: No registered users and 7 guests