Introduction
As a ransomware countermeasure, taking Backups (Snapshots) can reduce the damage. However, recent attacks increasingly target restore points such as Backups and Snapshots, and tend to try to delete them before encrypting files.
ONTAP 9.12.1 and later provide a feature called "Tamperproof Snapshot" as a countermeasure against such attacks.
This feature creates tamper-resistant Snapshots: Snapshots that cannot be deleted until a specified deadline. It protects not only against ransomware but also against Snapshot deletion through leaked administrator credentials or by a malicious internal administrator.
What do we want to do? What can we do?
- Confirm how to configure Tamperproof Snapshots on a normal Volume
- Confirm how Tamperproof Snapshots behave
What is a Snapshot?
A Snapshot preserves a specific state of the target data. Unlike a file copy, it takes a Backup in an instant without consuming extra capacity. Because a Restore only requires switching pointers, it is also very fast.
Snapshot deltas are not copied to a separate area; user data and Snapshot data live in the same Volume. So even if you delete a file, the space is not released in the Volume as long as a Snapshot still holds it. Deleting the Snapshot as well releases the space.
Prerequisites for using Tamperproof Snapshots
- Every Node in the Cluster runs ONTAP 9.12.1 or later
- A SnapLock license is applied
- The Cluster's compliance clock has been initialized
Limitations are as follows.
- Revert restrictions
  - Reverting to an earlier ONTAP Version requires deleting all Snapshots (impossible while locked Snapshots exist)
- The retention period of locked Snapshots takes precedence over the retention count of normal Snapshots
  - While a locked Snapshot's retention period has not expired, the count limit is not applied
- A Restore can run only when the specified locked Snapshot is the most recent one
Unsupported features are as follows.
- Consistency groups
- FlexCache volumes
- SMtape
- SnapCenter
- SnapMirror Business Continuity (SM-BC)
- SnapMirror Synchronous
Procedure
Each configuration step can be performed via the CLI or the REST API.
1. Check the license and version
# Check the license
> license show -package SnapLock
(system license show)
Serial Number: 000000000070
Owner: cluster1-01
Installed License: Labs On Demand ONTAP Bundle
Capacity: -
Package Type Description Expiration
----------------- -------- --------------------- -------------------
SnapLock enabled SnapLock License -
Serial Number: 000000000071
Owner: cluster1-02
Installed License: Labs On Demand ONTAP Bundle
Capacity: -
Package Type Description Expiration
----------------- -------- --------------------- -------------------
SnapLock enabled SnapLock License -
2 entries were displayed.
# Check the version
> version
NetApp Release Yellowdog__9.12.1: Tue Jan 31 19:19:43 UTC 2023
# Initialize the compliance clock (if not already done)
> snaplock compliance-clock initialize -node cluster1-01
Warning: You are about to initialize the secure ComplianceClock of the node "cluster1-01" to the current
value of the node's system clock. This procedure can be performed only once on a given node, so
you should ensure that the system time is set correctly before proceeding.
The current node's system clock is: Fri Feb 09 04:19:22 UTC 2023
Do you want to continue? {y|n}: y
2. Enable the snapshot-locking-enabled option on the Volume
Specify the snapshot-locking-enabled option when creating a Volume or on an existing Volume.
For a new Volume
> volume create -vserver svm01 -volume testvol_01 -aggregate aggr1_node2 -size 5g -junction-path /testvol_01 -snapshot-locking-enabled true
Warning: The export-policy "default" has no rules in it. The volume will
therefore be inaccessible over NFS and CIFS protocol.
Do you want to continue? {y|n}: y
Warning: Snapshot copy locking is being enabled on volume "testvol_01" in
Vserver "svm01". It cannot be disabled until all locked Snapshot
copies are past their expiry time. A volume with unexpired locked
Snapshot copies cannot be deleted.
Do you want to continue? {y|n}: y
[Job 173] Job succeeded: Successful
For modifying an existing Volume
> volume modify -vserver svm01 -volume testvol_01 -snapshot-locking-enabled true
Warning: Snapshot copy locking is being enabled on volume "testvol_01" in
Vserver "svm01". It cannot be disabled until all locked Snapshot
copies are past their expiry time. A volume with unexpired locked
Snapshot copies cannot be deleted.
Do you want to continue? {y|n}: y
Volume modify successful on volume testvol_01 of Vserver svm01.
3. Create and enable a Policy that creates locked Snapshots on a schedule
In this example, a Snapshot that cannot be deleted for 30 minutes is created every 10 minutes.
# Create the Policy
> snapshot policy create -vserver svm01 -policy lock_policy001 -enabled true -schedule1 10min -count1 6 -retention-period1 "30 minutes"
# Apply the Policy to the Volume
> volume modify -vserver svm01 -volume testvol_01 -snapshot-policy lock_policy001
Warning: You are changing the Snapshot policy on volume "testvol_01" to
"lock_policy001". Snapshot copies on this volume that do not match any
of the prefixes of the new Snapshot policy will not be deleted.
However, when the new Snapshot policy takes effect, depending on the
new retention count, any existing Snapshot copies that continue to use
the same prefixes might be deleted. See the 'volume modify' man page
for more information.
Do you want to continue? {y|n}: y
Volume modify successful on volume testvol_01 of Vserver svm01.
4. Confirm that the Snapshot cannot be deleted
> date
Node Date Time zone
--------- ------------------------ -------------------------
cluster1-01
Fri Feb 10 02:50:57 2023 Etc/UTC
cluster1-02
Fri Feb 10 02:50:57 2023 Etc/UTC
2 entries were displayed.
> snapshot show -vserver svm01 -volume testvol_01 -fields expiry-time ,snaplock-expiry-time
vserver volume snapshot expiry-time snaplock-expiry-time
------- ---------- --------------------- ----------- -------------------------
svm01 testvol_01 10min.2023-02-10_0230 - 2/10/2023 03:00:00 +00:00
svm01 testvol_01 10min.2023-02-10_0240 - 2/10/2023 03:10:00 +00:00
svm01 testvol_01 10min.2023-02-10_0250 - 2/10/2023 03:20:00 +00:00
3 entries were displayed.
> snap delete -vserver svm01 -volume testvol_01 -snapshot 10min.2023-02-10_0230
Warning: Deleting a Snapshot copy permanently removes data that is stored only
in that Snapshot copy. Are you sure you want to delete Snapshot copy
"10min.2023-02-10_0230" for volume "testvol_01" in Vserver "svm01" ?
{y|n}: y
Error: command failed: Failed to delete snapshot "10min.2023-02-10_0230" of
volume "testvol_01" on Vserver "svm01". Reason: Illegal operation on
Snapshot locked by SnapLock.
Moving the lock expiry earlier also fails, as shown below. In addition, snaplock-expiry-time takes precedence over the Snapshot expiry-time that has existed since ONTAP 9.0.
# The expiry cannot be moved earlier
> date
Node Date Time zone
--------- ------------------------ -------------------------
cluster1-01
Fri Feb 10 02:58:22 2023 Etc/UTC
cluster1-02
Fri Feb 10 02:58:22 2023 Etc/UTC
2 entries were displayed.
> snapshot modify-snaplock-expiry-time -vserver svm01 -volume testvol_01 -snapshot 10min.2023-02-10_0230 -expiry-time "02/10/2023 02:50:00"
Error: command failed: SnapLock expiry time cannot be before the current expiry
time.
# snaplock-expiry-time takes precedence over expiry-time
> snapshot modify -vserver svm01 -volume testvol_01 -snapshot 10min.2023-02-10_0230 -expiry-time "02/10/2023 02:50:00"
> snapshot show -vserver svm01 -volume testvol_01 -fields expiry-time ,snaplock-expiry-time
vserver volume snapshot expiry-time snaplock-expiry-time
------- ---------- --------------------- ------------------ -------------------------
svm01 testvol_01 10min.2023-02-10_0230 2/10/2023 02:50:00 2/10/2023 03:00:00 +00:00
svm01 testvol_01 10min.2023-02-10_0240 - 2/10/2023 03:10:00 +00:00
svm01 testvol_01 10min.2023-02-10_0250 - 2/10/2023 03:20:00 +00:00
> snap delete -vserver svm01 -volume testvol_01 -snapshot 10min.2023-02-10_0230
Warning: Deleting a Snapshot copy permanently removes data that is stored only
in that Snapshot copy. Are you sure you want to delete Snapshot copy
"10min.2023-02-10_0230" for volume "testvol_01" in Vserver "svm01" ?
{y|n}: y
Error: command failed: Failed to delete snapshot "10min.2023-02-10_0230" of
volume "testvol_01" on Vserver "svm01". Reason: Illegal operation on
Snapshot locked by SnapLock.
5. Confirm that a Restore from a Snapshot fails
A Restore that would delete locked Snapshots fails.
(A Restore that specifies the most recent locked Snapshot succeeds.)
> date
Node Date Time zone
--------- ------------------------ -------------------------
cluster1-01
Fri Feb 10 03:10:39 2023 Etc/UTC
cluster1-02
Fri Feb 10 03:10:39 2023 Etc/UTC
2 entries were displayed.
# Confirm that locked Snapshots still exist
> snapshot show -vserver svm01 -volume testvol_01 -fields expiry-time ,snaplock-expiry-time
vserver volume snapshot expiry-time snaplock-expiry-time
------- ---------- --------------------- ------------------ -------------------------
svm01 testvol_01 10min.2023-02-10_0230 2/10/2023 02:50:00 2/10/2023 03:00:00 +00:00
svm01 testvol_01 10min.2023-02-10_0240 - 2/10/2023 03:10:00 +00:00
svm01 testvol_01 10min.2023-02-10_0250 - 2/10/2023 03:20:00 +00:00
svm01 testvol_01 10min.2023-02-10_0300 - 2/10/2023 03:30:00 +00:00
svm01 testvol_01 10min.2023-02-10_0310 - 2/10/2023 03:40:00 +00:00
5 entries were displayed.
# Confirm that the Restore fails
> snapshot restore -vserver svm01 -volume testvol_01 -snapshot 10min.2023-02-10_0250
Warning: Snapshot copy "10min.2023-02-10_0250" is not the most recent copy. Promoting this Snapshot copy
will delete all copies made after it.
Do you want to continue? {y|n}: y
Warning: Quota rules currently enforced on volume "testvol_01" might change during this operation. If the currently enforced quota rules are different from those in Snapshot copy "10min.2023-02-10_0250",
you might have to resize or reinitialize quotas on this volume after this operation.
Do you want to continue? {y|n}: y
Warning: Export policies currently enforced on the qtrees of volume "testvol_01" will not change during
this operation. If the currently enforced export policies are different from those in Snapshot
copy "10min.2023-02-10_0250", reassign the export policies of the qtrees on this volume after
this operation.
Do you want to continue? {y|n}: y
Error: command failed: Failed to restore Snapshot copy "10min.2023-02-10_0250". Reason: This operation can
destroy worm snapshots.
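As an added example (not from the original article or from NetApp), the rules exercised in steps 3 to 5 can be checked offline against a saved `snapshot show` table: which Snapshots are still undeletable at a given time, whether a Restore to a given Snapshot would be refused because a newer locked Snapshot exists, and how many locked Snapshots a schedule/retention pair keeps at once. The embedded table is the step 5 output re-typed; the function names and the time-zone handling are my own assumptions.

```python
import math
import re
from datetime import datetime, timezone

# Constructed sample input: the `snapshot show -fields expiry-time,snaplock-expiry-time`
# table from step 5 of this page, re-typed with single spaces (CLI column padding also parses).
SNAPSHOT_SHOW = """\
vserver volume snapshot expiry-time snaplock-expiry-time
------- ---------- --------------------- ------------------ -------------------------
svm01 testvol_01 10min.2023-02-10_0230 2/10/2023 02:50:00 2/10/2023 03:00:00 +00:00
svm01 testvol_01 10min.2023-02-10_0240 - 2/10/2023 03:10:00 +00:00
svm01 testvol_01 10min.2023-02-10_0250 - 2/10/2023 03:20:00 +00:00
svm01 testvol_01 10min.2023-02-10_0300 - 2/10/2023 03:30:00 +00:00
svm01 testvol_01 10min.2023-02-10_0310 - 2/10/2023 03:40:00 +00:00
5 entries were displayed.
"""
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(-|\S+ \S+)\s+(\S+ \S+) ([+-]\d\d:\d\d)$")
FMT = "%m/%d/%Y %H:%M:%S %z"
PAGE_NOW = datetime(2023, 2, 10, 3, 10, 39, tzinfo=timezone.utc)  # `date` output in step 5

def parse_snapshot_show(text):
    """Data rows, oldest first as the CLI prints them; expiry-time is printed without a
    zone, so it is assumed to share the zone of snaplock-expiry-time (assumption)."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:  # header, separator line, "N entries were displayed."
            continue
        vserver, volume, name, expiry, lock_expiry, tz = m.groups()
        rows.append({"vserver": vserver, "volume": volume, "name": name,
                     "expiry": None if expiry == "-" else datetime.strptime(f"{expiry} {tz}", FMT),
                     "snaplock_expiry": datetime.strptime(f"{lock_expiry} {tz}", FMT)})
    return rows

def is_locked(snap, now):
    """Undeletable until snaplock-expiry-time has passed; expiry-time cannot shorten that."""
    return snap["snaplock_expiry"] > now

def delete_blocked(rows, name, now):
    return any(r["name"] == name and is_locked(r, now) for r in rows)

def restore_blocked(rows, name, now):
    """Restore deletes every Snapshot newer than the target, so ONTAP refuses it while
    any newer Snapshot is still locked (the failure shown in step 5)."""
    names = [r["name"] for r in rows]
    return any(is_locked(r, now) for r in rows[names.index(name) + 1:])

def max_locked_at_once(schedule_min, retention_min):
    """Locked Snapshots kept at the same time; a smaller policy count is overridden by the lock."""
    return math.ceil(retention_min / schedule_min)
```

With the page's policy (every 10 minutes, 30-minute lock) `max_locked_at_once(10, 30)` is 3, so the count of 6 in step 3 is never overridden.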
Aside (difference from the Snapshot expiry-time available since ONTAP 9.0)
One might ask whether the long-available Snapshot expiry-time, without applying a SnapLock license, would be enough. It is not: even if you set an expiry with expiry-time alone after creating the Snapshot, expiry-time can be changed to a time earlier than the one first set, and the Volume can be restored from an older Snapshot even before the expiry-time is reached. To prevent even an administrator account from deleting Snapshots, Tamperproof Snapshots are required.
# Check the time
> date
Node Date Time zone
--------- ------------------------ -------------------------
cluster1-01
Thu Feb 09 10:54:15 2023 Etc/UTC
cluster1-02
Thu Feb 09 10:54:15 2023 Etc/UTC
2 entries were displayed.
# Create Snapshots with an expiry-time and a normal Snapshot
> snapshot create -vserver svm01 -volume test01 -snapshot lock_snap01 -expiry-time "02/09/2023 11:10:00"
> snapshot create -vserver svm01 -volume test01 -snapshot lock_snap02 -expiry-time "02/09/2023 11:15:00"
> snap create -vserver svm01 -volume test01 -snapshot no_lock_snap02
> snapshot show -vserver svm01 -volume test01
---Blocks---
Vserver Volume Snapshot Size Total% Used%
-------- -------- ------------------------------------- -------- ------ -----
svm01 test01
no_lock_snap01 280KB 0% 43%
lock_snap01 344KB 0% 49%
lock_snap02 180KB 0% 33%
no_lock_snap02 136KB 0% 27%
4 entries were displayed.
# When a Snapshot Restore is performed, the Snapshots newer than the specified one are deleted (even if their expiry-time has not been reached)
> snap restore -vserver svm01 -volume test01 -snapshot lock_snap01
Warning: Snapshot copy "lock_snap01" is not the most recent copy. Promoting
this Snapshot copy will delete all copies made after it.
Do you want to continue? {y|n}: y
Warning: Quota rules currently enforced on volume "test01" might change during
this operation. If the currently enforced quota rules are different
from those in Snapshot copy "lock_snap01", you might have to resize or
reinitialize quotas on this volume after this operation.
Do you want to continue? {y|n}: y
Warning: Export policies currently enforced on the qtrees of volume "test01"
will not change during this operation. If the currently enforced
export policies are different from those in Snapshot copy
"lock_snap01", reassign the export policies of the qtrees on this
volume after this operation.
Do you want to continue? {y|n}: y
> snapshot show -vserver svm01 -volume test01
---Blocks---
Vserver Volume Snapshot Size Total% Used%
-------- -------- ------------------------------------- -------- ------ -----
svm01 test01
no_lock_snap01 280KB 0% 37%
lock_snap01 328KB 0% 41%
2 entries were displayed.
References and links
Tamperproof Snapshot
Proactive ransomware protection—automated with ONTAP
Access role control