Standalone backup agents for Linux, Mac, AIX & Solaris workloads on-premises or in the public cloud
sandsturm
Veteran
Posts: 279
Liked: 23 times
Joined: Mar 23, 2015 8:30 am

Veeam agent for Linux installation and CIS security standards

Post by sandsturm »

Hi

We need to be compliant with the hardening standards of https://www.cisecurity.org/ to harden all servers in our environment. One of these CIS rules is to not allow execution in the /tmp directory, but that is exactly what the Veeam agent for Linux installer (managed installation via the VBR console) does during installation or rescan. For now, we made an exception to allow this temporarily, but in the long term we cannot allow this any more.

Question for the developers or software engineers who are responsible for the Veeam agent: Do you think you can address this topic to be compliant with CIS guidelines for the installation of the Veeam agent in the future? (Currently we don't see any other problems than this execution in the /tmp directory.)

thx
sandsturm
HannesK
Product Manager
Posts: 14321
Liked: 2890 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria

Re: Veeam agent for Linux installation and CIS security standards

Post by HannesK »

Hello,
no need to wait for the future - there is a reg key to change the usage of /tmp already today.

It's always required when /tmp is mounted noexec. You can use the following reg key (assuming you have at least 9.5U4 - before that there was a different key):

LinAgentExecutableFolder
Type: REG_SZ
Default value: /tmp 
in HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication\

Use /opt/whatever, for example. Don't put a trailing slash on the path. The path must exist.

Restart the backup service (or reboot). After that, you should be able to deploy the agent without using /tmp.

Best regards,
Hannes
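
A pre-check for the Linux side of the setting above, as an added example that is not part of the thread or Veeam's own tooling: it validates a candidate LinAgentExecutableFolder value against the rules in the post (no trailing slash, path must exist) and against the noexec mount option that CIS hardening puts on /tmp. The function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (device, mount point, fs, options).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda3 /opt ext4 rw,relatime 0 0
/dev/sda4 /var/tmp ext4 rw,nosuid,nodev,noexec 0 0'

# mount_opts PATH [MOUNTS]: print the options of the mount that holds PATH
# (longest mount point that prefixes PATH). Defaults to the live /proc/mounts.
# Mount points containing escaped spaces (\040) are not handled.
mount_opts() {
    path=$1
    mounts=${2:-$(cat /proc/mounts)}
    printf '%s\n' "$mounts" | awk -v p="$path" '
        { mp = $2
          if (mp == "/" || p == mp || index(p, mp "/") == 1)
              if (length(mp) >= best) { best = length(mp); opts = $4 } }
        END { print opts }'
}

# is_noexec PATH [MOUNTS]: succeeds when PATH sits on a noexec mount.
is_noexec() {
    case ",$(mount_opts "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_folder PATH [MOUNTS]: print a verdict for a candidate folder value.
check_folder() {
    case $1 in
        /*) ;;
        *) echo not-absolute; return 1 ;;
    esac
    case $1 in
        */) echo trailing-slash; return 1 ;;
    esac
    [ -d "$1" ] || { echo missing; return 1; }
    if is_noexec "$1" "$2"; then echo noexec; return 1; fi
    echo ok
}

# Demo against the constructed table; drop the second argument on a real host.
for p in /tmp /var/tmp /opt /opt/; do
    printf '%s -> %s\n' "$p" "$(check_folder "$p" "$SAMPLE_MOUNTS")"
done
```

A folder that reports noexec would fail for the same reason /tmp does, so pick one that reports ok before setting the registry value.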
PTide
Product Manager
Posts: 6431
Liked: 729 times
Joined: May 19, 2015 1:46 pm

Re: Veeam agent for Linux installation and CIS security standards

Post by PTide »

Hi,

My 2 cents in addition to what Hannes has said: in the next versions of VBR /tmp won't be used for VAL installer anymore.

Thanks!