Linux Hardened Repository requires insecure UMASK

[EcoboostPerformance]

When setting up the veeam hardened linux repository with a onetime password veeam requires the umask to the be set to 022. This is actually a medium risk security violation more info located here...

https://www.stigviewer.com/stig/red_ha ... ng/V-72049


The security standard (CIS Center for Internet Security https://www.cisecurity.org/controls) and the default on all hardened systems is 077. Which would not allow other users to interact with the files that root has written without root specifically allowing them to do so.


I have 2 suggested fixes for this in mind the first check the umask on installation and then temporarilly set it at runtime this would look like the following.

Code: Select all

```
bash
mask=$(umask)
if (( ($mask & 022) != 0 )); then 
    umask 022
fi
```

Or Set the permissions for each of the files you need individually this would look like the following.

Code: Select all

```bash
# /opt/veeam/transport/: 

chmod 644 /opt/veeam/transport/libacl.so.1
chmod 644 /opt/veeam/transport/libattr.so.1
chmod 644 /opt/veeam/transport/libblkid.so.1
chmod 644 /opt/veeam/transport/libfuse.so
chmod 355 /opt/veeam/transport/libNtfsLib.so
chmod 644 /opt/veeam/transport/libuuid.so.1
chmod 355 /opt/veeam/transport/veeamagent
chmod 355 /opt/veeam/transport/veeamimmureposvc
chmod 355 /opt/veeam/transport/veeamtransport
chmod 644 /opt/veeam/transport/VeeamTransportConfig

#/opt/veeam/transport/certs/:
chmod 744 /opt/veeam/transport/certs/cert.p12

#/opt/veeam/transport/certs/client/:

chmod 744 /opt/veeam/transport/certs/client/*.pem

#/opt/veeam/transport/scripts/:

chmod 444 /opt/veeam/transport/scripts/veeamtransport
chmod 444 /opt/veeam/transport/scripts/veeamtransport.service

#/opt/veeam/transport/vddk_6_0/:

chmod 644 /opt/veeam/transport/vddk_6_0/vmc_config.ini

#/opt/veeam/transport/vddk_6_0/lib64/:

chmod 644 /opt/veeam/transport/vddk_6_0/lib64/libcrypto.so.1.0.2
chmod 644 /opt/veeam/transport/vddk_6_0/lib64/libcurl.so.4
chmod 644 /opt/veeam/transport/vddk_6_0/lib64/libdiskLibPlugin.so
chmod 644 /opt/veeam/transport/vddk_6_0/lib64/libexpat.so
chmod 644 /opt/veeam/transport/vddk_6_0/lib64/libglib-2.0.so.0
chmod 644 /opt/veeam/transport/vddk_6_0/lib64/libgmodule-2.0.so.0
chmod 644 /opt/veeam/transport/vddk_6_0/lib64/libgobject-2.0.so.0
chmod 644 /opt/veeam/transport/vddk_6_0/lib64/libgthread-2.0.so.0
chmod 644 /opt/veeam/transport/vddk_6_0/lib64/libgvmomi.so
chmod 644 /opt/veeam/transport/vddk_6_0/lib64/libssl.so.1.0.2
chmod 644 /opt/veeam/transport/vddk_6_0/lib64/libssoclient.so
chmod 644 /opt/veeam/transport/vddk_6_0/lib64/libstdc++.so.6.0.13
chmod 644 /opt/veeam/transport/vddk_6_0/lib64/libvim-types.so
chmod 644 /opt/veeam/transport/vddk_6_0/lib64/libvixDiskLib.so.6.0.0
chmod 644 /opt/veeam/transport/vddk_6_0/lib64/libvixDiskLibVim.so.6.0.0
chmod 644 /opt/veeam/transport/vddk_6_0/lib64/libvixMntapi.so.1.1.0
chmod 644 /opt/veeam/transport/vddk_6_0/lib64/libvmacore.so
chmod 644 /opt/veeam/transport/vddk_6_0/lib64/libvmomi.so
chmod 644 /opt/veeam/transport/vddk_6_0/lib64/libxml2.so.2

#/opt/veeam/transport/vddk_6_7/:

chmod 644 /opt/veeam/transport/vddk_6_7/vmc_config.ini

#/opt/veeam/transport/vddk_6_7/lib64/:

chmod 644 /opt/veeam/transport/vddk_6_7/lib64/libcares.so.2
chmod 644 /opt/veeam/transport/vddk_6_7/lib64/libcrypto.so.1.0.2
chmod 644 /opt/veeam/transport/vddk_6_7/lib64/libcurl.so.4
chmod 644 /opt/veeam/transport/vddk_6_7/lib64/libdiskLibPlugin.so
chmod 644 /opt/veeam/transport/vddk_6_7/lib64/libexpat.so
chmod 644 /opt/veeam/transport/vddk_6_7/lib64/libffi.so.5
chmod 644 /opt/veeam/transport/vddk_6_7/lib64/libgcc_s.so.1
chmod 644 /opt/veeam/transport/vddk_6_7/lib64/libglib-2.0.so.0
chmod 644 /opt/veeam/transport/vddk_6_7/lib64/libgmodule-2.0.so.0
chmod 644 /opt/veeam/transport/vddk_6_7/lib64/libgobject-2.0.so.0
chmod 644 /opt/veeam/transport/vddk_6_7/lib64/libgthread-2.0.so.0
chmod 644 /opt/veeam/transport/vddk_6_7/lib64/libgvmomi.so
chmod 644 /opt/veeam/transport/vddk_6_7/lib64/libsqlite3.so.0.8.6
chmod 644 /opt/veeam/transport/vddk_6_7/lib64/libssl.so.1.0.2
chmod 644 /opt/veeam/transport/vddk_6_7/lib64/libssoclient.so
chmod 644 /opt/veeam/transport/vddk_6_7/lib64/libstdc++.so.6
chmod 644 /opt/veeam/transport/vddk_6_7/lib64/libvim-types.so
chmod 644 /opt/veeam/transport/vddk_6_7/lib64/libvixDiskLib.so.6.7.0
chmod 644 /opt/veeam/transport/vddk_6_7/lib64/libvixDiskLibVim.so.6.7.0
chmod 644 /opt/veeam/transport/vddk_6_7/lib64/libvixMntapi.so.1.1.0
chmod 644 /opt/veeam/transport/vddk_6_7/lib64/libvmacore.so
chmod 644 /opt/veeam/transport/vddk_6_7/lib64/libvmomi.so
chmod 644 /opt/veeam/transport/vddk_6_7/lib64/libxml2.so.2
chmod 644 /opt/veeam/transport/vddk_6_7/lib64/libz.so.1

#/opt/veeam/transport/vddk_7_0/:

chmod 444 /opt/veeam/transport/vddk_7_0/fips_config.ini
chmod 644 /opt/veeam/transport/vddk_7_0/vmc_config.ini
chmod 644 /opt/veeam/transport/vddk_7_0/vmc_fips_config.ini

#/opt/veeam/transport/vddk_7_0/lib64/:

chmod 355 /opt/veeam/transport/vddk_7_0/lib64/libcares.so.2
chmod 355 /opt/veeam/transport/vddk_7_0/lib64/libcrypto.so.1.0.2
chmod 355 /opt/veeam/transport/vddk_7_0/lib64/libcurl.so.4
chmod 355 /opt/veeam/transport/vddk_7_0/lib64/libdiskLibPlugin.so
chmod 355 /opt/veeam/transport/vddk_7_0/lib64/libexpat.so
chmod 644 /opt/veeam/transport/vddk_7_0/lib64/libgcc_s.so.1
chmod 355 /opt/veeam/transport/vddk_7_0/lib64/liblookup-types.so
chmod 355 /opt/veeam/transport/vddk_7_0/lib64/libsqlite3.so.0.8.6
chmod 355 /opt/veeam/transport/vddk_7_0/lib64/libssl.so.1.0.2
chmod 355 /opt/veeam/transport/vddk_7_0/lib64/libssoclient.so
chmod 355 /opt/veeam/transport/vddk_7_0/lib64/libstdc++.so.6
chmod 355 /opt/veeam/transport/vddk_7_0/lib64/libvddkVimAccess.so.7.0.1
chmod 355 /opt/veeam/transport/vddk_7_0/lib64/libvim-types.so
chmod 355 /opt/veeam/transport/vddk_7_0/lib64/libvixDiskLib.so.7.0.1
chmod 355 /opt/veeam/transport/vddk_7_0/lib64/libvixMntapi.so.1.1.0
chmod 355 /opt/veeam/transport/vddk_7_0/lib64/libvmacore.so
chmod 355 /opt/veeam/transport/vddk_7_0/lib64/libvmomi.so
chmod 355 /opt/veeam/transport/vddk_7_0/lib64/libz.so.1

```

[HannesK]

Hi Ryan,
yes, we are aware of that and the explanation can be found here

Unfortunately there is no "out of the box" fix right now.

Best regards,
Hannes

[bct44]

Hello,

I'm glad to read, i'm not alone on this problem. I opened a case on veeam support about it this summer. I asked feature request to modify rights during veeam transport installation.
I'm not using CIS but this:
https://static.open-scap.org/ssg-guides ... _high.html

@Hannesk: Thanks I didn't know about this topic, i will follow it

[HannesK]

Hello,
we are working on improvements. For now, I can provide a workaround that could be used today. But it's not solving the root cause.

the script needs to run before the installation.

Code: Select all

mkdir -p /opt/veeam/transport/certs/client
mkdir /opt/veeam/upload/
chown -R <username>:<groupname> /opt/veeam/
chmod -R 700 /opt/veeam/
setfacl -d -m g::rx /opt/veeam/transport/certs/
setfacl -d -m o::rx /opt/veeam/transport/certs/

Best regards,
Hannes

[Gustav]

@HannesK:

I wrote the guide Build an immutable backup repository - article series aimed at Windows admins like me knowing next to nothing about Linux.

In Part 3, paragraph Permissions (the last paragraph), I set the very limited permissions to the backup drive.

Could you explain in detail, please, which steps and commands to include (using Ubuntu Server if that makes a difference) to incorporate the added security discussed in this thread?

Also, it is not clear to me if these settings must be set before installing Ubuntu. If so, for a running machine, could you uninstall the agent, apply the settings, and reinstall to agent?
And must they be turned off prior to the agent install, and then turned on when done? If so, how?

Finally, could you list the expected output using command ll to confirm the settings (like, as you can see, I do for /mnt)?

I know, this is very basic stuff for skilled Linux admins, but the immutable repository is such a great feature of Veeam B&R, and if a few commands could make it even more secure, the guide should be updated to mention how.

[HannesK]

Hello,

to incorporate the added security discussed in this thread?

I argument that this "added security" is only a compliance thing that has nothing to do with actual "security". The point is, that on a Hardened Repository, there should only be two users
1) root (always exists in Linux)
2) a veeam user with limited permissions

So the umask setting itself is irrelevant, because there is no "other user" who could benefit from the "insecure" setting.

I agree, that we need to make the product compliant with security standards. But that does not add "security" per se.

So I would not add anything to your guide, because it just creates confusion. It's fine and with Ubuntu it works out of the box.

Best regards,
Hannes

[Gustav]

@HannesK: OK. Thank you for the clarification.