PowerShell script exchange
Post Reply
frankive
Service Provider
Posts: 1092
Liked: 134 times
Joined: May 14, 2013 8:35 pm
Full Name: Frank Iversen
Location: Norway
Contact:

RMM and latest immutable status check

Post by frankive »

Hi.
I need to have a powershell script to check whetever someone has tempted with the immutable settings on the repository.
We have a standard of 30 days.

Does anyone have a suggestion to a script that checks if this settings has been altered or not so it could be an issue from an insider attach or a hacker?
I guess the script should not only check if the storage is immutable but also that it is immutable for 30 days in the settings.
If not I guess a hacker would reduce the setting to 1 day, and the check would go under the radar the next 24 hours...

We will of course run the check more often than every 24 ours, but anyway a script should confirm that actually days we are checking is OK.
HannesK
Product Manager
Posts: 14844
Liked: 3086 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: RMM and latest immutable status check

Post by HannesK »

Hello,
which immutability setting do you mean? For the Hardened Repository, the lowest possible setting is 7 days. The checkbox could be disabled. To check that, example code is available here

Code: Select all

$repo = Get-VBRBackupRepository -Name '*RepoName*'
$repo.GetImmutabilitySettings()
For S3 object lock: one enabled, it cannot be removed. An attacker would need to disable backup jobs then. So the backup job status / RPO time should be checked then (e.g. with Veeam ONE "Protected VMs" report)

Best regards,
Hannes
oleg.feoktistov
Veeam Software
Posts: 2010
Liked: 670 times
Joined: Sep 25, 2019 10:32 am
Full Name: Oleg Feoktistov
Contact:

Re: RMM and latest immutable status check

Post by oleg.feoktistov »

Hi Frank,

Since editing repository settings falls under infrastructure item save session specifics, there is no direct way to confirm what you are after.
If we are talking about linux hardened repository, the best way to do that is to check the logs once in a while and confirm that the last immutability setting correspond to the setting repository has now, for instance.
Here is the example of how you can get logs of immutability settings edited for a particular repository, which is a member of SOBR via powershell:

Code: Select all

$sobr = Get-VBRBackupRepository -Scaleout
$repo = $sobr[1].Extent[1].Repository
$log = Get-Content -LiteralPath 'C:\ProgramData\Veeam\Backup\Utils\Util.InfraItemSaver.log'
$immutabilityLog = $log | Select-String -Pattern "Repository $($repo.Name) immutability" 
Thanks,
Oleg
Post Reply

Who is online

Users browsing this forum: No registered users and 10 guests