- Novice
- Posts: 3
- Liked: never
- Joined: Feb 14, 2024 3:57 pm
- Full Name: Ed Battye
Veeam Hardened Linux Repo OS update strategy
Hi,
I am currently setting up our Veeam Hardened repo on Ubuntu 22.04 and have got to the end of the Post installation actions, which cover:
To be compliant with DISA STIG UBTU-20-010012, you must have only two users:
The root account. Note that by default the root account has a blank password and cannot be used for connection.
The user account you created during the installation. This account will be used to connect to the Linux server and deploy required Veeam Backup & Replication components including persistent Veeam Data Mover, or transport service. For more information about Veeam Data Movers, see this section.
By default, the user account you created during the installation is a member of the sudo group and has enough privileges to deploy and install required Veeam Backup & Replication components. In that case, when you add a Linux server as a hardened repository to the backup infrastructure and specify single-use credentials, you do not need to enter the password for the root account. After the repository is added, you must remove the user account from the sudo group to make it a non-root account.
Note that the next time you log in with this user account, it will lose sudo permissions. If you need to execute commands as a privileged user, you must boot the operating system into single user mode.
So my question is: how do you recommend we patch the underlying operating system? Is booting to grub and using single user mode and patching there the recommended way?
Thanks
Ed
- Veeam Legend
- Posts: 418
- Liked: 243 times
- Joined: Apr 11, 2023 1:18 pm
- Full Name: Tyler Jurgens
Re: Veeam Hardened Linux Repo OS update strategy
You could provide the root account with a password, at which point you can then log into the root account via the console (ILO/IPMI, directly connecting a keyboard/mouse, etc). You could always allow SSH into the root account as well, but I'd suggest against it if you want to be secure.
The idea around this setup is that essentially you *don't* patch the VHR. If you want to patch, I'd take the approach of using the root account to do so by creating a strong password (and not enabling SSH). Of course, to be secure that VHR should also not have internet access, so you'd probably want to have a proxy somewhere that your apt repo can use.
Tyler Jurgens
Veeam Legend x3 | vExpert ** | VMCE | VCP 2020 | Tanzu Vanguard | VUG Canada Leader | VMUG Calgary Leader
Blog: https://explosive.cloud
Twitter: @Tyler_Jurgens BlueSky: @explosive.cloud
- Novice
- Posts: 3
- Liked: never
- Joined: Feb 14, 2024 3:57 pm
- Full Name: Ed Battye
Re: Veeam Hardened Linux Repo OS update strategy
I wondered if that was the case; we have certain stipulations for patching to achieve Cyber Essentials, although I wonder if we could remove this requirement by mitigation.
Yes, planning to isolate the VHR behind a firewall. I was wondering whether IPMI access should be removed; it would be a pain, but if someone can access it they could delete the RAID from the BIOS.
Thank you for the help
- Influencer
- Posts: 15
- Liked: 4 times
- Joined: Jun 07, 2022 10:57 pm
- Full Name: Michael Keating
Re: Veeam Hardened Linux Repo OS update strategy
We deployed using the Veeam process and then applied the STIG hardening. So we have 2 user accounts: one "service account" with no privileges but which has write access to the folders we base the repository on, and another, non-root account which is in the sudoers file but has no access (read or write) to the repository location. When we patch, we access via the out-of-band/IPMI interface, log in with the non-service account, install updates and reboot. This has worked well for us, but not sure how it conflicts with the STIG hardening. There is a balance to be struck between access and patching, but with the right controls you can have both.
ebriverford wrote: ↑Feb 14, 2024 4:06 pm
So my question is how do you recommend we patch the underlying operating system? Is booting to grub and user single user mode and patching there the recommended way?
Thanks
Ed
We also have an APT mirror internal to the network, and the repository server is segmented from other servers in the network. This server has no internet access (or any access other than Veeam data mover ports).
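The account separation Tyler and Michael describe (a service account that owns the repository path but has no sudo, a separate admin account with sudo but no access to the repository, no root login over SSH, and apt pointed at an internal proxy/mirror instead of the internet) can be verified before each out-of-band patch run. The script below is an added example, not code from Veeam, the VeeamHub project or anyone in this thread; it takes the files and account names as parameters, and the account name `vadmin`, the proxy URL and the fixture files it builds for the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Veeam's or any poster's code): pre-patch posture check for a hardened
# repository host built the way the thread describes. Every path, account name and URL is a
# parameter or a constructed fixture; on a real host pass /etc/group, /etc/ssh/sshd_config,
# the repository directory and the apt.conf.d proxy fragment.

# check_no_sudo GROUP_FILE USER : succeeds if USER is not a member of the sudo group
check_no_sudo() {
    members=$(awk -F: '$1=="sudo"{print $4}' "$1")   # member list, e.g. "alice,bob"
    case ",$members," in
        *",$2,"*) return 1 ;;
    esac
    return 0
}

# check_has_sudo GROUP_FILE USER : succeeds if USER is a member of the sudo group
check_has_sudo() {
    if check_no_sudo "$1" "$2"; then return 1; fi
    return 0
}

# check_root_ssh_disabled SSHD_CONFIG : succeeds if the first effective PermitRootLogin is "no".
# sshd honours the first occurrence of a directive; commented lines are skipped because
# their first field is "#PermitRootLogin", which does not match.
check_root_ssh_disabled() {
    val=$(awk 'tolower($1)=="permitrootlogin"{print tolower($2); exit}' "$1")
    [ "$val" = "no" ]
}

# check_repo_perms REPO_DIR OWNER : succeeds if REPO_DIR is owned by OWNER with mode 0700,
# i.e. no group/other bits, so the admin account has no DAC read or write on backup data.
# -prune keeps find from descending into the directory.
check_repo_perms() {
    [ -n "$(find "$1" -prune -user "$2" -perm 700 -print 2>/dev/null)" ]
}

# check_apt_proxy APT_CONF : succeeds if apt is configured to go through an HTTP proxy
check_apt_proxy() {
    grep -q '^Acquire::http::Proxy[[:space:]]*"' "$1"
}

# run_checks GROUP_FILE SSHD_CONFIG REPO_DIR APT_CONF SERVICE_USER ADMIN_USER
# Prints PASS/FAIL per check and succeeds only if every check passes.
run_checks() {
    fails=0
    report() {   # report NAME CMD ARGS...
        name=$1; shift
        if "$@"; then echo "PASS $name"; else echo "FAIL $name"; fails=$((fails+1)); fi
    }
    report "service account has no sudo"  check_no_sudo "$1" "$5"
    report "admin account has sudo"       check_has_sudo "$1" "$6"
    report "root SSH login disabled"      check_root_ssh_disabled "$2"
    report "repo owned by service, 0700"  check_repo_perms "$3" "$5"
    report "apt uses a proxy/mirror"      check_apt_proxy "$4"
    [ "$fails" -eq 0 ]
}

# make_demo_fixture : writes CONSTRUCTED sample files to a temp dir and prints its path.
# The current user stands in for the service account (it owns the repo directory);
# "vadmin" is a hypothetical admin account; the proxy host is a placeholder.
make_demo_fixture() {
    d=$(mktemp -d)
    printf 'root:x:0:\nsudo:x:27:vadmin\nusers:x:100:\n' > "$d/group"
    printf '#PermitRootLogin prohibit-password\nPermitRootLogin no\nPasswordAuthentication yes\n' > "$d/sshd_config"
    printf 'Acquire::http::Proxy "http://apt-mirror.example.internal:3128/";\n' > "$d/01proxy"
    mkdir -m 700 "$d/repo"
    echo "$d"
}

# Stand-alone demo: sh check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(make_demo_fixture)
    run_checks "$d/group" "$d/sshd_config" "$d/repo" "$d/01proxy" "$(id -un)" vadmin
    rm -rf "$d"
fi
```

Run it with `--demo` to see the checks against the constructed fixture, or call `run_checks` with the real files from the out-of-band console before `apt upgrade`. The repository check looks only at ownership and mode bits; it does not stop the sudo-capable admin account from elevating to root, which is the trade-off Michael's post describes.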
- Service Provider
- Posts: 24
- Liked: 7 times
- Joined: Sep 09, 2019 8:00 am
- Full Name: Tony Spencer
Re: Veeam Hardened Linux Repo OS update strategy
I so wanted to use 22.04 LTS, but found it was going to be easier, and certified, if I stuck with 20.04.
Ubuntu 22.04 is not certified for STIG yet
https://ubuntu.com/security/certifications/docs/2204
"Ubuntu 22.04 LTS is being certified against the new FIPS 140-3 standard. The cryptographic modules are reviewed by an independent testing lab before being officially certified by NIST"
The key word is "being"
Also, Project member driven scripts won't work with 22.04, so you'll have to do all of the changes manually.
https://github.com/VeeamHub/veeam-harde ... y/issues/4
Not sure what the timeframe is for 22.04 STIG certification, or if anyone is working on the scripts.
Please correct me if I'm off base here
- Novice
- Posts: 3
- Liked: never
- Joined: Feb 14, 2024 3:57 pm
- Full Name: Ed Battye
Re: Veeam Hardened Linux Repo OS update strategy
Ah right, yeah, we are UK based and using CIS and Cyber Essentials. CIS have a build package for 22.04, luckily; haven't applied it yet.