8
0

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

More than 1 year has passed since last update.

ONTAPのSecurity機能について5【Tamperproof Snapshot】

Last updated at Posted at 2023-02-14

はじめに

ランサムウェア対策では、Backup(Snapshot)を取得することで被害を軽減することができます。しかし、最近の攻撃では、BackupやSnapshotなどの復元ポイントを標的とする攻撃が増えており、ファイルを暗号化する前にこれらを削除しようとする傾向があります。

ONTAP 9.12.1以降では、このような攻撃に対する対策として、「Tamperproof Snapshot」という機能が提供されています。
改ざん防止用のSnapshotを作成することができるこの機能は、指定期限まで削除できないSnapshotを作成できるものです。この機能により、ランサムウェア対策だけでなく、管理者権限の漏洩や内部の不正な管理者によるSnapshotの削除も防ぐことができます。

001.png

何をしたい?できる?

  • 通常のVolumeへのTamperproof Snapshotの設定方法確認
  • Tamperproof Snapshotの動作確認

Snapshotとは

Snapshotは、対象データの特定の状態を保持する機能であり、ファイルのコピーとは異なり、余分な容量を消費せずに一瞬でBackupすることができます。また、ポインタの切り替え処理だけで済むため、高速なRestoreを実現することができます。

Snapshotの差分は、別の領域にコピーせず、ユーザーデータとSnapshotデータが同じVolumeに存在するため、ファイルを削除してもSnapshotが残っている場合、Volumeでは空き領域として解放されません。Snapshotも削除することで、空き領域として解放することができます。

002.png

Tamperproof Snapshot利用の前提条件

  • Cluster内のNodeでONTAP 9.12.1以降が実行されていること
  • SnapLockライセンスが適用されている事
  • Clusterのコンプライアンスクロックが初期化されている事

制限事項は以下の通りです。

  • Revertの制限
      - ONTAPのVersionを下げるRevertをするにはSnapshotの全削除が必要
      (LockされたSnapshotがある限りできない)

  • ロックされたSnapshotの保持期間は通常のSnapshotの保持数よりも優先
      - ロックされたSnapshotの保持期間が期限切れになっていない場合、保持数の制限は考慮されない

  • Restore時は指定されたロックされたSnapshot最新のものである場合に実行可能

未サポート機能は以下の通りです。

  • Consistency groups
  • FlexCache volumes
  • SMtape
  • SnapCenter
  • SnapMirror Business Continuity (SM-BC)
  • SnapMirror Synchronous

実施手順

各種設定作業は、CLIかREST APIで実行可能です。

1. LicenseとVersionの確認

#License確認
> license show -package SnapLock
  (system license show)

Serial Number: 000000000070
Owner: cluster1-01
Installed License: Labs On Demand ONTAP Bundle
Capacity: -
Package           Type     Description           Expiration
----------------- -------- --------------------- -------------------
SnapLock          enabled  SnapLock License      -

Serial Number: 000000000071
Owner: cluster1-02
Installed License: Labs On Demand ONTAP Bundle
Capacity: -
Package           Type     Description           Expiration
----------------- -------- --------------------- -------------------
SnapLock          enabled  SnapLock License      -
2 entries were displayed.


# Version確認
> version
NetApp Release Yellowdog__9.12.1: Tue Jan 31 19:19:43 UTC 2023


#compliance-clockの初期化(未実施の場合)
> snaplock compliance-clock initialize -node cluster1-01

Warning: You are about to initialize the secure ComplianceClock of the node "cluster1-01" to the current
         value of the node's system clock. This procedure can be performed only once on a given node, so
         you should ensure that the system time is set correctly before proceeding.
         The current node's system clock is: Fri Feb 09 04:19:22 UTC 2023

Do you want to continue? {y|n}: y

2. Volumeへのsnapshot-locking-enabled オプションの有効化

Volume作成時や既存Volumeに対して、snapshot-locking-enabled オプションを指定します。

新規作成の場合

> volume create -vserver svm01 -volume testvol_01 -aggregate aggr1_node2 -size 5g -junction-path /testvol_01 -snapshot-locking-enabled true

Warning: The export-policy "default" has no rules in it. The volume will
         therefore be inaccessible over NFS and CIFS protocol.
Do you want to continue? {y|n}: y

Warning: Snapshot copy locking is being enabled on volume "testvol_01" in
         Vserver "svm01". It cannot be disabled until all locked Snapshot
         copies are past their expiry time. A volume with unexpired locked
         Snapshot copies cannot be deleted.
Do you want to continue? {y|n}: y
[Job 173] Job succeeded: Successful

既存の変更の場合

> volume modify  -vserver svm01 -volume testvol_01 -snapshot-locking-enabled true

Warning: Snapshot copy locking is being enabled on volume "testvol_01" in
         Vserver "svm01". It cannot be disabled until all locked Snapshot
         copies are past their expiry time. A volume with unexpired locked
         Snapshot copies cannot be deleted.
Do you want to continue? {y|n}: y
Volume modify successful on volume testvol_01 of Vserver svm01.

3. スケジュールでLockされたSnapshotを作成するPolicyの作成と有効化

この例では、30分は削除不可のSnapshotを10分毎に作成している例です。

# Policyの作成
> snapshot policy create -vserver svm01 -policy lock_policy001 -enabled true -schedule1 10min -count1 6 -retention-period1 "30 minutes"


# VolumeにPolicyの適用
> volume modify -vserver svm01 -volume testvol_01 -snapshot-policy lock_policy001

Warning: You are changing the Snapshot policy on volume "testvol_01" to
         "lock_policy001". Snapshot copies on this volume that do not match any
         of the prefixes of the new Snapshot policy will not be deleted.
         However, when the new Snapshot policy takes effect, depending on the
         new retention count, any existing Snapshot copies that continue to use
         the same prefixes might be deleted. See the 'volume modify' man page
         for more information.
Do you want to continue? {y|n}: y
Volume modify successful on volume testvol_01 of Vserver svm01.

4. Snapshotが削除できない事の確認

> date
Node      Date                     Time zone
--------- ------------------------ -------------------------
cluster1-01
          Fri Feb 10 02:50:57 2023 Etc/UTC
cluster1-02
          Fri Feb 10 02:50:57 2023 Etc/UTC
2 entries were displayed.


> snapshot show -vserver svm01 -volume testvol_01 -fields expiry-time ,snaplock-expiry-time
vserver volume     snapshot              expiry-time snaplock-expiry-time
------- ---------- --------------------- ----------- -------------------------
svm01   testvol_01 10min.2023-02-10_0230 -           2/10/2023 03:00:00 +00:00
svm01   testvol_01 10min.2023-02-10_0240 -           2/10/2023 03:10:00 +00:00
svm01   testvol_01 10min.2023-02-10_0250 -           2/10/2023 03:20:00 +00:00
3 entries were displayed.


> snap delete -vserver svm01 -volume testvol_01 -snapshot 10min.2023-02-10_0230

Warning: Deleting a Snapshot copy permanently removes data that is stored only
         in that Snapshot copy. Are you sure you want to delete Snapshot copy
         "10min.2023-02-10_0230" for volume "testvol_01" in Vserver "svm01" ?
          {y|n}: y

Error: command failed: Failed to delete snapshot "10min.2023-02-10_0230" of
       volume "testvol_01" on Vserver "svm01". Reason: Illegal operation on
       Snapshot locked by SnapLock.

Lock期限の前倒しに失敗する事が確認できます。併せて、ONTAP 9.0からあったSnapshotの有効期限(expiry-time)よりsnaplock-expiry-timeが優先される事も確認できます。

#期限の前倒しができない
> date                                                                
Node      Date                     Time zone
--------- ------------------------ -------------------------
cluster1-01
          Fri Feb 10 02:58:22 2023 Etc/UTC
cluster1-02
          Fri Feb 10 02:58:22 2023 Etc/UTC
2 entries were displayed.


> snapshot modify-snaplock-expiry-time -vserver svm01 -volume testvol_01 -snapshot 10min.2023-02-10_0230 -expiry-time "02/10/2023 02:50:00"

Error: command failed: SnapLock expiry time cannot be before the current expiry
       time.


#expiry-timeよりsnaplock-expiry-timeが優先
> snapshot modify -vserver svm01 -volume testvol_01 -snapshot 10min.2023-02-10_0230 -expiry-time "02/10/2023 02:50:00"


> snapshot show -vserver svm01 -volume testvol_01 -fields expiry-time ,snaplock-expiry-time
vserver volume     snapshot              expiry-time        snaplock-expiry-time
------- ---------- --------------------- ------------------ -------------------------
svm01   testvol_01 10min.2023-02-10_0230 2/10/2023 02:50:00 2/10/2023 03:00:00 +00:00
svm01   testvol_01 10min.2023-02-10_0240 -                  2/10/2023 03:10:00 +00:00
svm01   testvol_01 10min.2023-02-10_0250 -                  2/10/2023 03:20:00 +00:00


> snap delete -vserver svm01 -volume testvol_01 -snapshot 10min.2023-02-10_0230

Warning: Deleting a Snapshot copy permanently removes data that is stored only
         in that Snapshot copy. Are you sure you want to delete Snapshot copy
         "10min.2023-02-10_0230" for volume "testvol_01" in Vserver "svm01" ?
          {y|n}: y

Error: command failed: Failed to delete snapshot "10min.2023-02-10_0230" of
       volume "testvol_01" on Vserver "svm01". Reason: Illegal operation on
       Snapshot locked by SnapLock.

5. SnapshotからのRestoreに失敗する事の確認

LockされたSnapshotが削除されてしまうようなRestoreは失敗します。
(最新のLockされたSnapshotを指定してのRestoreだと成功)

> date
Node      Date                     Time zone
--------- ------------------------ -------------------------
cluster1-01
          Fri Feb 10 03:10:39 2023 Etc/UTC
cluster1-02
          Fri Feb 10 03:10:39 2023 Etc/UTC
2 entries were displayed.


# まだLockされているSnapshotがいる事の確認
> snapshot show -vserver svm01 -volume testvol_01 -fields expiry-time ,snaplock-expiry-time
vserver volume     snapshot              expiry-time        snaplock-expiry-time
------- ---------- --------------------- ------------------ -------------------------
svm01   testvol_01 10min.2023-02-10_0230 2/10/2023 02:50:00 2/10/2023 03:00:00 +00:00
svm01   testvol_01 10min.2023-02-10_0240 -                  2/10/2023 03:10:00 +00:00
svm01   testvol_01 10min.2023-02-10_0250 -                  2/10/2023 03:20:00 +00:00
svm01   testvol_01 10min.2023-02-10_0300 -                  2/10/2023 03:30:00 +00:00
svm01   testvol_01 10min.2023-02-10_0310 -                  2/10/2023 03:40:00 +00:00
5 entries were displayed.


# Restoreが失敗する事の確認
> snapshot restore -vserver svm01 -volume testvol_01 -snapshot 10min.2023-02-10_0250

Warning: Snapshot copy "10min.2023-02-10_0250" is not the most recent copy. Promoting this Snapshot copy 
     will delete all copies made after it.
Do you want to continue? {y|n}: y

Warning: Quota rules currently enforced on volume "testvol_01" might change during this operation. If the currently enforced quota rules are different from those in Snapshot copy "10min.2023-02-10_0250",
         you might have to resize or reinitialize quotas on this volume after this operation.
Do you want to continue? {y|n}: y

Warning: Export policies currently enforced on the qtrees of volume "testvol_01" will not change during
         this operation. If the currently enforced export policies are different from those in Snapshot
         copy "10min.2023-02-10_0250", reassign the export policies of the qtrees on this volume after
         this operation.
Do you want to continue? {y|n}: y

Error: command failed: Failed to restore Snapshot copy "10min.2023-02-10_0250". Reason: This operation can
       destroy worm snapshots.

余談(ONTAP 9.0からあるSnapshotのexpiry-timeとの違い)

SnapLockライセンスを適用しないで、以前から使えるSnapshotのexpiry-timeではダメなのかという点については、Snapshot作成後にexpiry-timeだけで有効期限設定を実施しても、expiry-timeでは最初の設定時間の前へ変更できたり、expiry-time到達前なのに古いSnapshotでVolumeをRestoreできてしまいますので、管理者アカウントでもSnapshopを削除させないという事を実施するにはTamperproof Snapshotの利用が必要になります。

# 時間確認
> date
Node      Date                     Time zone
--------- ------------------------ -------------------------
cluster1-01
          Thu Feb 09 10:54:15 2023 Etc/UTC
cluster1-02
          Thu Feb 09 10:54:15 2023 Etc/UTC
2 entries were displayed.

# 有効期限付きSnapshotや通常のSnapshptの作成
> snapshot create -vserver svm01 -volume test01 -snapshot lock_snap01 -expiry-time "02/09/2023 11:10:00"
> snapshot create -vserver svm01 -volume test01 -snapshot lock_snap02 -expiry-time "02/09/2023 11:15:00"
> snap create -vserver svm01 -volume test01 -snapshot no_lock_snap02

> snapshot show -vserver svm01 -volume test01   
                                                                 ---Blocks---
Vserver  Volume   Snapshot                                  Size Total% Used%
-------- -------- ------------------------------------- -------- ------ -----
svm01    test01
                  no_lock_snap01                           280KB     0%   43%
                  lock_snap01                              344KB     0%   49%
                  lock_snap02                              180KB     0%   33%
                  no_lock_snap02                           136KB     0%   27%
4 entries were displayed.

# Snapshot Restoreの実施すると、指定Snapshot以後のsnapshotが消える(有効期限に到達していなくても)
> snap restore -vserver svm01 -volume test01 -snapshot lock_snap01    
Warning: Snapshot copy "lock_snap01" is not the most recent copy. Promoting
         this Snapshot copy will delete all copies made after it.
Do you want to continue? {y|n}: y

Warning: Quota rules currently enforced on volume "test01" might change during
         this operation. If the currently enforced quota rules are different
         from those in Snapshot copy "lock_snap01", you might have to resize or
         reinitialize quotas on this volume after this operation.
Do you want to continue? {y|n}: y

Warning: Export policies currently enforced on the qtrees of volume "test01"
         will not change during this operation. If the currently enforced
         export policies are different from those in Snapshot copy
         "lock_snap01", reassign the export policies of the qtrees on this
         volume after this operation.
Do you want to continue? {y|n}: y

> snapshot show -vserver svm01 -volume test01
                                                                 ---Blocks---
Vserver  Volume   Snapshot                                  Size Total% Used%
-------- -------- ------------------------------------- -------- ------ -----
svm01    test01
                  no_lock_snap01                           280KB     0%   37%
                  lock_snap01                              328KB     0%   41%
2 entries were displayed.

参考及びリンク

Tamperproof Snapshot
Proactive ransomware protection—automated with ONTAP
アクセスRole制御

8
0
1

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
8
0

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?