Discussions related to using object storage as a backup target.
Post Reply
stfconsulting
Service Provider
Posts: 33
Liked: 12 times
Joined: Jan 31, 2015 9:17 pm
Full Name: S Furman
Contact:

Auditing Encryption Password Changes

Post by stfconsulting »

I found a couple of threads on this topic from the past and wondered if there are any changes in 11 in regards to keeping an eye on this.

One thing that I have seen in my testing is that when a new encryption password is added or removed from Veeam it generates a Windows Event. I tested changing the password and it does not generate an event. This would be very useful.

I am wondering what people are doing to keep an eye on this and how they are making sure that their backups are viable on the S3 side.

We have Veeam one and have tried a couple of the audit reports however it does not seem to register anything when the password is changed. Only when it is added or removed.

Appreciate everyone's insights on this.
Gostev
Chief Product Officer
Posts: 31350
Liked: 6601 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Auditing Encryption Password Changes

Post by Gostev »

@wishr why is Veeam ONE not reporting encryption password changes? Looks like a bug to me.
stfconsulting
Service Provider
Posts: 33
Liked: 12 times
Joined: Jan 31, 2015 9:17 pm
Full Name: S Furman
Contact:

Re: Auditing Encryption Password Changes

Post by stfconsulting »

I just want to put a disclaimer out there that I may be doing something wrong with the reports or I may not be looking at the right now.
wishr
Veteran
Posts: 3077
Liked: 453 times
Joined: Aug 07, 2018 3:11 pm
Full Name: Fedor Maslov
Contact:

Re: Auditing Encryption Password Changes

Post by wishr »

Hello Stfconsulting,

I guess this is happening because the event is not generated on the VBR side.

A few questions so we could try to reproduce it:
1. What job type/technology is that? If it is an agent backup job, please specify how the agent is managed.
2. What exact setting you are changing?
3. What VONE reports you are referring to? I suppose its Job Configuration Change Tracking or Backup Objects Change Tracking but wanted to confirm.

Thanks
stfconsulting
Service Provider
Posts: 33
Liked: 12 times
Joined: Jan 31, 2015 9:17 pm
Full Name: S Furman
Contact:

Re: Auditing Encryption Password Changes

Post by stfconsulting »

1. I am testing changing the encryption password for the backups stored in our SOBR Wasabi Target.
2. SOBR > Capacity Tier > Encrypt data uploaded to object storage
3. Yes that is the report I am referring to.

Thanks for the followup.
wishr
Veteran
Posts: 3077
Liked: 453 times
Joined: Aug 07, 2018 3:11 pm
Full Name: Fedor Maslov
Contact:

Re: Auditing Encryption Password Changes

Post by wishr » 1 person likes this post

Just checked it myself in a v11 environment.

The event is there and the data has got to the Backup Objects Change Tracking report, so this is not a bug.

VBR server:
Image

Backup Objects Change Tracking report:
Image

Are you sure you have successfully applied the change by clicking finish in the SOBR configuration wizard? Also, what VBR and VONE versions you are using?

Thanks
stfconsulting
Service Provider
Posts: 33
Liked: 12 times
Joined: Jan 31, 2015 9:17 pm
Full Name: S Furman
Contact:

Re: Auditing Encryption Password Changes

Post by stfconsulting » 1 person likes this post

Perfect! Thank you. I will upgrade to 11 soon.
Regnor
Veeam Software
Posts: 929
Liked: 280 times
Joined: Jan 31, 2011 11:17 am
Full Name: Max
Contact:

Re: Auditing Encryption Password Changes

Post by Regnor »

I've had a discussion today with one of our customers about monitoring the encryption keys/passwords.
While I recommended Veeam ONE, we had the idea of someone accessing the VBR configuration database and changing the password there.
Neither would VBR nor ONE notice this event, given that you know how to change the password in SQL without breaking everything.
Sure at some point you lose the fight, especially with someone acting as administrator on the VBR side, but do we have any chance of noticing such a change?
For example having Veeam ONE fetching and comparing key hashes?
Gostev
Chief Product Officer
Posts: 31350
Liked: 6601 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Auditing Encryption Password Changes

Post by Gostev » 1 person likes this post

This would be analogous to calling a military post to check on them after it has already been taken over by enemy's special forces...
- Are you guys OK?
- Sure, everything is fine!

What I'm trying to say is that a node that has already been compromised by a hacker cannot be trusted for any check results, because it can tell known monitoring tools what they want to hear in order to keep them "happy"... by just returning successes for every check there is (with a most basic API hook).
Regnor
Veeam Software
Posts: 929
Liked: 280 times
Joined: Jan 31, 2011 11:17 am
Full Name: Max
Contact:

Re: Auditing Encryption Password Changes

Post by Regnor »

I'm with you that one cannot fully trust a system which has been taken over by an attacker. But still I would say that every additional check increases the likelihood of detecting a manipulation or ongoing attack. One will never be able to achieve 100% security, however every possible step should be taken. And I'm sure that a check against the database would be more reliable then parsing the event log, which Veeam ONE is currently doing.
Post Reply

Who is online

Users browsing this forum: No registered users and 4 guests