-
- Service Provider
- Posts: 33
- Liked: 12 times
- Joined: Jan 31, 2015 9:17 pm
- Full Name: S Furman
- Contact:
Auditing Encryption Password Changes
I found a couple of threads on this topic from the past and wondered if there are any changes in 11 in regards to keeping an eye on this.
One thing that I have seen in my testing is that when a new encryption password is added or removed from Veeam it generates a Windows Event. I tested changing the password and it does not generate an event. This would be very useful.
I am wondering what people are doing to keep an eye on this and how they are making sure that their backups are viable on the S3 side.
We have Veeam ONE and have tried a couple of the audit reports, however it does not seem to register anything when the password is changed. Only when it is added or removed.
Appreciate everyone's insights on this.
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Auditing Encryption Password Changes
@wishr why is Veeam ONE not reporting encryption password changes? Looks like a bug to me.
-
- Service Provider
- Posts: 33
- Liked: 12 times
- Joined: Jan 31, 2015 9:17 pm
- Full Name: S Furman
- Contact:
Re: Auditing Encryption Password Changes
I just want to put a disclaimer out there that I may be doing something wrong with the reports or I may not be looking at the right one.
-
- Veteran
- Posts: 3077
- Liked: 455 times
- Joined: Aug 07, 2018 3:11 pm
- Full Name: Fedor Maslov
- Contact:
Re: Auditing Encryption Password Changes
Hello Stfconsulting,
I guess this is happening because the event is not generated on the VBR side.
A few questions so we could try to reproduce it:
1. What job type/technology is that? If it is an agent backup job, please specify how the agent is managed.
2. What exact setting are you changing?
3. What VONE reports are you referring to? I suppose it's Job Configuration Change Tracking or Backup Objects Change Tracking but wanted to confirm.
Thanks
-
- Service Provider
- Posts: 33
- Liked: 12 times
- Joined: Jan 31, 2015 9:17 pm
- Full Name: S Furman
- Contact:
Re: Auditing Encryption Password Changes
1. I am testing changing the encryption password for the backups stored in our SOBR Wasabi Target.
2. SOBR > Capacity Tier > Encrypt data uploaded to object storage
3. Yes that is the report I am referring to.
Thanks for the follow-up.
-
- Veteran
- Posts: 3077
- Liked: 455 times
- Joined: Aug 07, 2018 3:11 pm
- Full Name: Fedor Maslov
- Contact:
Re: Auditing Encryption Password Changes
Just checked it myself in a v11 environment.
The event is there and the data has got to the Backup Objects Change Tracking report, so this is not a bug.
VBR server:
Backup Objects Change Tracking report:
Are you sure you have successfully applied the change by clicking Finish in the SOBR configuration wizard? Also, what VBR and VONE versions are you using?
Thanks
-
- Service Provider
- Posts: 33
- Liked: 12 times
- Joined: Jan 31, 2015 9:17 pm
- Full Name: S Furman
- Contact:
Re: Auditing Encryption Password Changes
Perfect! Thank you. I will upgrade to 11 soon.
-
- VeeaMVP
- Posts: 1007
- Liked: 314 times
- Joined: Jan 31, 2011 11:17 am
- Full Name: Max
- Contact:
Re: Auditing Encryption Password Changes
I've had a discussion today with one of our customers about monitoring the encryption keys/passwords.
While I recommended Veeam ONE, we had the idea of someone accessing the VBR configuration database and changing the password there.
Neither VBR nor ONE would notice this event, given that you know how to change the password in SQL without breaking everything.
Sure at some point you lose the fight, especially with someone acting as administrator on the VBR side, but do we have any chance of noticing such a change?
For example having Veeam ONE fetching and comparing key hashes?
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Auditing Encryption Password Changes
This would be analogous to calling a military post to check on them after it has already been taken over by enemy's special forces...
- Are you guys OK?
- Sure, everything is fine!
What I'm trying to say is that a node that has already been compromised by a hacker cannot be trusted for any check results, because it can tell known monitoring tools what they want to hear in order to keep them "happy"... by just returning successes for every check there is (with a most basic API hook).
-
- VeeaMVP
- Posts: 1007
- Liked: 314 times
- Joined: Jan 31, 2011 11:17 am
- Full Name: Max
- Contact:
Re: Auditing Encryption Password Changes
I'm with you that one cannot fully trust a system which has been taken over by an attacker. But still I would say that every additional check increases the likelihood of detecting a manipulation or ongoing attack. One will never be able to achieve 100% security, however every possible step should be taken. And I'm sure that a check against the database would be more reliable than parsing the event log, which Veeam ONE is currently doing.
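The "fetching and comparing key hashes" idea raised in this thread, sketched as an added example that is not part of any post here and is not Veeam code. It assumes a read-only export of the stored key records is available to a separate monitoring host; the record fields (`id`, `blob`), the sample values and the MAC key are constructed, and the baseline and MAC key are kept off the VBR server.

```python
import hashlib
import hmac

# Constructed sample data. Field names and values are hypothetical and stand in
# for whatever a read-only export of the stored encryption keys provides.
MAC_KEY = b"demo-key-held-only-on-the-monitoring-host"
BASELINE_RECORDS = [
    {"id": "key-01", "blob": bytes.fromhex("a1b2c3d4")},
    {"id": "key-02", "blob": bytes.fromhex("0badf00d")},
]
CURRENT_RECORDS = [
    {"id": "key-01", "blob": bytes.fromhex("ffffffff")},  # edited in place
    {"id": "key-03", "blob": bytes.fromhex("deadbeef")},  # newly added
]


def fingerprint(mac_key, record):
    """HMAC-SHA256 of one record, so the baseline never stores key material."""
    msg = record["id"].encode() + b"\x00" + record["blob"]
    return hmac.new(mac_key, msg, hashlib.sha256).hexdigest()


def snapshot(mac_key, records):
    """Map record id -> fingerprint for one export."""
    return {r["id"]: fingerprint(mac_key, r) for r in records}


def diff_snapshots(baseline, current):
    """Report ids that were added, removed, or changed in place."""
    shared = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(
            k for k in shared
            if not hmac.compare_digest(baseline[k], current[k])
        ),
    }


if __name__ == "__main__":
    before = snapshot(MAC_KEY, BASELINE_RECORDS)  # stored off the VBR server
    after = snapshot(MAC_KEY, CURRENT_RECORDS)
    for kind, ids in diff_snapshots(before, after).items():
        print(f"{kind}: {ids}")
```

An in-place edit shows up under `changed` whether or not the product logged an event for it, which is the case the event-log-based reports depend on.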