I am in the process of building some Hardened repositories.
I want a separate user for every mount that becomes a repository. So on the linux vm I want to create this:
/repositories/Repo1 with a username and password
/repositories/Repo2 wiht a different username and password.
I do want to use the DISA-STIG security profile, but does this mean the usernames and passwords for the repositories will expire or can you set this to not expire?
If they do need to expire, how do you manage this?
-
oscarm
- Service Provider
- Posts: 87
- Liked: 7 times
- Joined: Sep 10, 2013 11:43 am
- Full Name: Oscar Muntenaar
- Contact:
-
d.artzen
- Expert
- Posts: 140
- Liked: 70 times
- Joined: Jan 14, 2022 9:16 am
- Full Name: Daniel Artzen
- Location: Germany
- Contact:
Re: Linux Hardened repository
As described in the user guide https://helpcenter.veeam.com/docs/vbr/u ... tml?ver=13:
"Single-use credentials: Credentials that are used only once to deploy Veeam Data Mover, while adding the Linux server to the backup infrastructure. These credentials are not stored in the backup infrastructure. Even if the Veeam Backup & Replication server is compromised, the attacker cannot get the credentials and connect to the hardened repository.
To interact with the hardened repository, Veeam Backup & Replication uses SHA256RSA self-signed certificates with 2048-bit RSA key."
So even if the credentials expire it would not make a difference for Veeam.
But I have a question: Why use different users for the different volumes or even different volumes? I would just use one big volume with one user for the repository. This is also the way the new Aplliances (VSA and VIA) do it, one disk for the OS and all other disks as a single volume.
"Single-use credentials: Credentials that are used only once to deploy Veeam Data Mover, while adding the Linux server to the backup infrastructure. These credentials are not stored in the backup infrastructure. Even if the Veeam Backup & Replication server is compromised, the attacker cannot get the credentials and connect to the hardened repository.
To interact with the hardened repository, Veeam Backup & Replication uses SHA256RSA self-signed certificates with 2048-bit RSA key."
So even if the credentials expire it would not make a difference for Veeam.
But I have a question: Why use different users for the different volumes or even different volumes? I would just use one big volume with one user for the repository. This is also the way the new Aplliances (VSA and VIA) do it, one disk for the OS and all other disks as a single volume.
Who is online
Users browsing this forum: dabrigo, foggy, Semrush [Bot] and 145 guests