DaStivi
Service Provider
Posts: 254
Liked: 35 times
Joined: Jun 30, 2015 9:13 am
Full Name: Stephan Lang
Location: Austria

re-enable the usage of immutable option for non-hardened linux repos

Post by DaStivi »

hi, this is kinda a feature request or, better said, a step-backwards request...

in V11 it was possible to have the immutable option enabled on a repository even when the linux host wasn't added with "single-use" credentials...
there was a warning/information popup that it's highly recommended to have the linux repo added with single-use credentials, but you could still just use it with normal credentials too!!

with V12 this "hole" has been fixed, as you can only enable immutable when you've added it as a hardened linux repository, which in turn only allows single-use linux hosts.

i understand that enabling immutable with non single-use credentials in use isn't as secure as it could be with a correctly hardened linux implementation BUT now it's even worse, let me explain:

as if for some reason it's simply not possible to have a single-use linux server, as for example these servers are also used as directSAN Backup Proxy that it's impossible
not if you've an Enterprise Manager, with restore operator roles, the restore operators could un-intentionally delete backups? sure they should know what they are doing but with the V11 configuration this was somewhat a safety net you still had in place for human error...

i feel that this configuration still has its justification, and in V12 this has been taken away.


btw. i didn't test what happens with such a configuration during the V12 update... might do this in a few days but i expect some issues, V12 update block probably?
Gostev
Chief Product Officer
Posts: 31561
Liked: 6725 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: re-enable the usage of immutable option for non-hardened linux repos

Post by Gostev » 1 person likes this post

In general I agree with you, however I would not call such configuration with the word "immutable" and rather something along "protect against accidental deletion" lines. @Egor Yakovlev could we look at enabling this back?
DaStivi

Re: re-enable the usage of immutable option for non-hardened linux repos

Post by DaStivi »

Gladly this can be renamed!
And thx for seeing the need for this too, it's just a missed opportunity now to be able to have this enabled, as it might just be another small block for security and governance...

I did some tests btw, having "immutable" files on the non-immutable repo: in the VM-Backup points window it still recognizes them as immutable! So the file attribute is read correctly. i even thought of having a manual script but honestly this should be necessary even more if there is a misconfig between the "retention" times, it just is a potential issue again someone might run into ....
Egor Yakovlev
Veeam Software
Posts: 2537
Liked: 683 times
Joined: Jun 14, 2013 9:30 am
Full Name: Egor Yakovlev
Location: Prague, Czech Republic

Re: re-enable the usage of immutable option for non-hardened linux repos

Post by Egor Yakovlev »

I will have a discussion with the teams.
/Thanks!
HannesK
Product Manager
Posts: 14322
Liked: 2890 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria

Re: re-enable the usage of immutable option for non-hardened linux repos

Post by HannesK »

Hello,
"the restore operators could un-intentionally delete backups?"
did you see that or is it a question? restore operators can restore. not delete. As far as I see, you might not need Hardened Repository for your use-case

"also used as directSAN Backup Proxy"
In addition to normal credentials, this also requires root. Root is impossible for V12 Hardened Repository and the upgrade is blocked, yes. https://www.veeam.com/kb4348 has details.

Having a direct SAN proxy or tape server on a Hardened Repository is a valid feature request. Both roles require root permissions to run (NBD proxy not, that's why we allow it in V12).

Best regards,
Hannes
DaStivi

Re: re-enable the usage of immutable option for non-hardened linux repos

Post by DaStivi »

hi,
i'm testing the update procedure right now, setup has a check, nice!

also the KB is nice...
https://www.veeam.com/kb4348

with my "insecure" configuration there could still be a problem now... when veeam changes this to single-use it might break configurations where the customer uses exactly what i described above (directsan, etc..)
HannesK

Re: re-enable the usage of immutable option for non-hardened linux repos

Post by HannesK »

it will break when you apply KB4348, because direct SAN proxy does not work with reduced permissions.

That design is not upgradeable and needs to be fixed before upgrade.
FreddyN
Influencer
Posts: 15
Liked: 1 time
Joined: Jul 28, 2020 11:35 am
Full Name: Freddy Neuhaus

Re: re-enable the usage of immutable option for non-hardened linux repos

Post by FreddyN »

Hi

Any news regarding SANDirect-Proxy and TapeServer on hardened Repo

Best regards
Freddy
HannesK

Re: re-enable the usage of immutable option for non-hardened linux repos

Post by HannesK »

Hello,
"Any news regarding SANDirect-Proxy and TapeServer on hardened Repo"
not in foreseeable future because of the root permissions required for that. We want to make (keep) it as secure as possible.

Best regards,
Hannes
Gostev

Re: re-enable the usage of immutable option for non-hardened linux repos

Post by Gostev »

Any service running under root dramatically increases attack surface...
DaStivi

Re: re-enable the usage of immutable option for non-hardened linux repos

Post by DaStivi »

HannesK wrote: Jul 20, 2023 11:58 am Hello,
not in foreseeable future because of the root permissions required for that. We want to make (keep) it as secure as possible.
Best regards,
Hannes
@Gostev

Was there any recent change to this behavior?
Gostev

Re: re-enable the usage of immutable option for non-hardened linux repos

Post by Gostev »

No, except for support for VMware Backup proxy in NBD transport mode, which is the only transport mode that does not require root privileges to function.
Hirosh
Enthusiast
Posts: 75
Liked: 2 times
Joined: Dec 24, 2022 5:19 am
Full Name: Hirosh Arya

Re: re-enable the usage of immutable option for non-hardened linux repos

Post by Hirosh »

@Gostev @HannesK

was there any update regarding this issue, so we can utilize Hardened repository & direct SAN Proxy mode without compromising Security?

regards,
Ledwan.
Mildur
Product Manager
Posts: 8735
Liked: 2294 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: re-enable the usage of immutable option for non-hardened linux repos

Post by Mildur »

Hi Ledwan

No.
Please see the answer from Gostev 3 days ago.

Best,
Fabian
Product Management Analyst @ Veeam Software