ebriverford
Novice
Posts: 3
Liked: never
Joined: Feb 14, 2024 3:57 pm
Full Name: Ed Battye

Veeam Hardened Linux Repo OS update strategy

Post by ebriverford »

Hi,
I am currently setting up our Veeam Hardened repo on Ubuntu 22.04 and have got to the end of the Post installation actions, which cover:
To be compliant with DISA STIG UBTU-20-010012, you must have only two users:
The root account. Note that by default the root account has a blank password and cannot be used for connection.
The user account you created during the installation. This account will be used to connect to the Linux server and deploy required Veeam Backup & Replication components including persistent Veeam Data Mover, or transport service. For more information about Veeam Data Movers, see this section.
By default, the user account you created during the installation is the member of the sudo group and has enough privileges to deploy and install required Veeam Backup & Replication components. In that case, when you add a Linux server as a hardened repository to the backup infrastructure and specify single-use credentials, you do not need to enter the password for the root account. After the repository is added, you must remove the user account from the sudo group to make it a non-root account.
Note that the next time you log in with this user account, it will lose sudo permissions. If you need to execute commands as a privileged user, you must boot the operating system into the single user mode.

So my question is how do you recommend we patch the underlying operating system? Is booting to GRUB and using single user mode and patching there the recommended way?
Thanks
Ed
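The post-install state quoted above, turned into an audit that a repository owner can run before and after patching. This is an added example, not from the thread or from Veeam's documentation; the account name veeamrepo, the UIDs and the file contents are constructed sample data, and the real files on a host would be passed in their place.

```sh
# Added example (not from the thread or Veeam): audit a repository host against the post-install
# checklist quoted above; paths are parameters, so it runs on the constructed copies below or on /etc files.
# Interactive accounts: UID 0 plus the UID >= 1000 range, minus nobody (65534).
interactive_users() {
  awk -F: '$3 == 0 || ($3 >= 1000 && $3 < 65534) { print $1 }' "$1"
}
# Members listed on the sudo line of a group file, one per line.
sudo_members() {
  awk -F: '$1 == "sudo" && $4 != "" { gsub(",", "\n", $4); print $4 }' "$1"
}
# True when the root password field in a shadow file is locked ("!" or "*").
root_locked() {
  awk -F: '$1 == "root" { exit !($2 ~ /^[!*]/) }' "$1"
}
# Effective PermitRootLogin: sshd honours the first match; unset means prohibit-password.
permit_root_login() {
  v=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
  echo "${v:-prohibit-password}"
}
# Prints each finding to stderr and the finding count to stdout.
audit_repo() {
  n=0; users=$(interactive_users "$1")
  if [ "$(printf '%s\n' "$users" | grep -c .)" -ne 2 ]; then
    echo "FINDING: expected root plus one repo user, got: $(echo $users)" >&2; n=$((n + 1))
  fi
  for m in $(sudo_members "$2"); do
    echo "FINDING: $m is still in the sudo group" >&2; n=$((n + 1))
  done
  # A root password is the console-patching trade-off from the thread; flag it only with SSH root login.
  if ! root_locked "$3" && [ "$(permit_root_login "$4")" != no ]; then
    echo "FINDING: root has a password and PermitRootLogin is not 'no'" >&2; n=$((n + 1))
  fi
  echo "$n"
}
# Constructed sample state: "before" = repo just added, anything else = hardened.
make_samples() {
  d=$(mktemp -d)
  printf 'root:x:0:0::/root:/bin/bash\ndaemon:x:1:1::/usr/sbin:/usr/sbin/nologin\n' > "$d/passwd"
  printf 'veeamrepo:x:1000:1000::/home/veeamrepo:/bin/bash\nnobody:x:65534:65534::/:/usr/sbin/nologin\n' >> "$d/passwd"
  if [ "$1" = before ]; then
    echo 'helpdesk:x:1001:1001::/home/helpdesk:/bin/bash' >> "$d/passwd"
    echo 'sudo:x:27:veeamrepo,helpdesk' > "$d/group"; echo 'root:$6$constructed$hash:19767:0:99999:7:::' > "$d/shadow"
    echo 'PermitRootLogin yes' > "$d/sshd_config"
  else
    echo 'sudo:x:27:' > "$d/group"; echo 'root:!:19767:0:99999:7:::' > "$d/shadow"
    echo 'PermitRootLogin no' > "$d/sshd_config"
  fi
  echo "$d"
}
d=$(make_samples before); audit_repo "$d/passwd" "$d/group" "$d/shadow" "$d/sshd_config"   # prints 4
```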
tyler.jurgens
Veeam Legend
Posts: 290
Liked: 128 times
Joined: Apr 11, 2023 1:18 pm
Full Name: Tyler Jurgens

Re: Veeam Hardened Linux Repo OS update strategy

Post by tyler.jurgens »

You could provide the root account with a password, at which point you can then log into the root account via the console (ILO/IPMI, directly connecting a keyboard/mouse, etc). You could always allow SSH into the root account as well, but I'd suggest against it if you want to be secure.

The idea around this setup is that essentially you *don't* patch the VHR. If you want to patch, I'd take the approach of using the root account to do so by creating a strong password (and not enabling SSH). Of course, to be secure that VHR should also not have internet access, so you'd probably want to have a proxy somewhere that your apt repo can use.
Tyler Jurgens
Veeam Legend x2 | vExpert ** | VMCE | VCP 2020 | Tanzu Vanguard | VUG Canada Leader | VMUG Calgary Leader
Blog: https://explosive.cloud
Twitter: @Tyler_Jurgens BlueSky: @tylerjurgens.bsky.social
ebriverford
Novice
Posts: 3
Liked: never
Joined: Feb 14, 2024 3:57 pm
Full Name: Ed Battye

Re: Veeam Hardened Linux Repo OS update strategy

Post by ebriverford »

I wondered if that was the case. We have certain stipulations for patching to achieve Cyber Essentials, although I wonder if we could remove this requirement by mitigation.
Yes, planning to isolate the VHR behind a firewall. I was wondering whether IPMI access should be removed; it would be a pain, but if someone can access it they could delete the RAID from the BIOS.
Thank you for the help
mkeating44
Novice
Posts: 8
Liked: never
Joined: Jun 07, 2022 10:57 pm
Full Name: Michael Keating

Re: Veeam Hardened Linux Repo OS update strategy

Post by mkeating44 »

ebriverford wrote: Feb 14, 2024 4:06 pm
So my question is how do you recommend we patch the underlying operating system? Is booting to GRUB and using single user mode and patching there the recommended way?
Thanks
Ed
We deployed using the Veeam process and then applied the STIG hardening. So we have 2 user accounts: one "service account" with no privileges but with write access to the folders we base the repository on, and another non-root account which is in the sudoers file but has no access (read or write) to the repository location. When we patch, we access via the out-of-band/IPMI interface, log in with the non-service account, install updates and reboot. This has worked well for us, but I'm not sure how it conflicts with the STIG hardening. There is a balance to be struck between access and patching, but with the right controls you can have both.

We also have an APT mirror internal to the network, and the repository server is segmented from other servers in the network. This server has no internet access (or any access other than Veeam data mover ports).
antspants7777
Service Provider
Posts: 19
Liked: 6 times
Joined: Sep 09, 2019 8:00 am
Full Name: Tony Spencer

Re: Veeam Hardened Linux Repo OS update strategy

Post by antspants7777 »

I so wanted to use 22.04 LTS, but found it was going to be easier, and certified, if I stuck with 20.04.

Ubuntu 22.04 is not certified for STIG yet
https://ubuntu.com/security/certifications/docs/2204

"Ubuntu 22.04 LTS is being certified against the new FIPS 140-3 standard. The cryptographic modules are reviewed by an independent testing lab before being officially certified by NIST"
The key word is "being"
Also, project-member-driven scripts won't work with 22.04, so you'll have to do all of the changes manually.
https://github.com/VeeamHub/veeam-harde ... y/issues/4

Not sure what the timeframe for 22.04 STIG certification is, or if anyone is working on the scripts.
Please correct me if I'm off base here
ebriverford
Novice
Posts: 3
Liked: never
Joined: Feb 14, 2024 3:57 pm
Full Name: Ed Battye

Re: Veeam Hardened Linux Repo OS update strategy

Post by ebriverford »

Ah right, yeah, we are UK based and using CIS and Cyber Essentials. CIS have a build package for 22.04, luckily; haven't applied it yet.