Least Privilege Sudo

[steelnwool]

Hi,

Is there a list of commands that Veeam might run when it connects to a linux machines? I'd like to use this list so that I can tie SUDO down as much as possible for the veeam specific user.

Thanks.

[Vitaliy S.]

Do you refer to backup repositories or backed up VMs?

[steelnwool]

Backed up vms. ie so the backup server can ssh into a host, sudo to root and then install the command to index files.

[Vitaliy S.]

Got it! Unfortunately, we don't have this list handy, but when doing indexing this user account should definitely have access to all partitions and execution permissions.

P.S. let me ask our dev team to find this out.

[Gostev]

We definitely use mlocate for indexing, and I would assume tar/gz to compress index data before the job collects the package. We asked devs to collect the full list of commands, but it may take a few days.

[steelnwool]

I guess this means that it does a sudo -s , and not sudo _somecommandhere_ ?

[Vitaliy S.]

Jeff,

I have discussed it with our dev team again. Our indexing is performed via script that has a random GUID every time you launch your backup job, so adding it to an "allowed commands" list currently is not possible.

Thanks!

[steelnwool]

Thats exactly what I needed to know. Thanks!

[jgh]

Hi,

Is there a list of commands that Veeam might run when it connects to a linux machines? I'd like to use this list so that I can tie SUDO down as much as possible for the veeam specific user.

Thanks.

Have you had any success in limiting sudo? Right now this is what I have:

Code: Select all

Defaults:svc-veeam-guest!requiretty
Cmnd_Alias VEEAM_FLR = /bin/uname, /usr/bin/scp, /bin/arch, /bin/mount, /bin/sh, /bin/rm, /tmp/*
svc-veeam-guest ALL=(ALL) NOPASSWD: VEEAM_FLR 

This is still to open and insecure in my experience. I would like to resolve the /bin/rm and /tmp/* inclusions to be more limited.

Thanks!
-jgh