So, something crept to mind today reading about more crypto/ransomware, and I thought I’d ask considering I’ve not yet had to deal with a scenario like I’ll give below. What would FreeNAS do in such a scenario? What would you do?
You have a single central FreeNAS system, with one large z3 pool, many datasets, all datasets snapped at least daily, and the pool at 80% Used.
You have a rogue computer with access to 75% of all datasets and it gets crypto/ransomwared. As a consequence, the datasets get crypto’d, but there are snapshots that go back two weeks.
Now you walk in the next day and realize what’s happened, and after throwing the bad employee in the nearest closet for a timeout, you praise the zfs gods for snapshots, then realize the pool is at 80% and get stressed again…
The questions then become:
With the pool at 80%, and crypto changing 75% of it, would it even properly snapshot that night?
If it would, what’s the outcome? If it wouldn’t, would it attempt to fill the pool first then fail?
Knowing your snapshots go back two weeks, in either case of the snapshot outcome from above, could you roll back all your datasets? If so, how, considering it’s 80%+ full?
I’ll also add one last wrench in the mix: suppose that central box has a remote backup/sync FreeNAS node, what happens with that if a sync is attempted that night?
I know the above is a sort-of worst case, however, Chance Favors the Prepared Mind…