Backup.Operator
Expert
Posts: 110
Liked: 7 times
Joined: Oct 31, 2022 11:39 pm
Full Name: Backup Administrator
Contact:

Hardened Repository best practice deployment

Post by Backup.Operator »

I wonder if there are best practice guidelines on how to plan, architect and deploy the Hardened Backup repository.
Shall I configure it as a Backup Job from the VMware or a Backup Copy job from the XFS repo?
FrenchBlue
Expert
Posts: 145
Liked: 23 times
Joined: Mar 18, 2021 6:04 pm
Contact:

Re: Hardened Repository best practice deployment

Post by FrenchBlue »

Hello,

It's quite simple, just follow this guide https://bp.veeam.com/vbr/Security/harde ... linux.html
I don't understand the second question?
Mildur
Product Manager
Posts: 10978
Liked: 3014 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Hardened Repository best practice deployment

Post by Mildur »

Product Management Analyst @ Veeam Software
FrankCl2
Service Provider
Posts: 73
Liked: 10 times
Joined: Sep 19, 2018 12:11 pm
Full Name: Frank Wijmans
Location: The Netherlands
Contact:

Re: Hardened Repository best practice deployment

Post by FrankCl2 »

I don't want to hijack this topic, but I've been playing around with these blog posts myself for a couple of days and I was wondering how this auditing works.
I'm not a real Linux guy and pretty green when it comes to security as well. And the hardening script does a lot of changes when it comes to generating audit logs. But how or where do I find those audit logs? Is this something which is generated automatically after running that script? Or do I need to configure this myself?

Any info would be greatly appreciated!
HannesK
Product Manager
Posts: 15594
Liked: 3442 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Hardened Repository best practice deployment

Post by HannesK »

Hello,
audit logs are in /var/log/audit/

auditd uses the path automatically, yes.

Best regards,
Hannes
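An added example, not part of the original thread: a small parser for the record format auditd writes to /var/log/audit/audit.log. It groups the lines of one event by serial number and decodes the hex-encoded `proctitle` field. The sample records and the rule key `identity` are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records in audit.log line format (not from a real host).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:412): arch=c000003e syscall=257 success=yes exit=3 auid=1000 uid=0 comm="vi" exe="/usr/bin/vi" key="identity"
type=PATH msg=audit(1700000000.123:412): item=0 name="/etc/passwd" nametype=NORMAL
type=PROCTITLE msg=audit(1700000000.123:412): proctitle=7669002F6574632F706173737764
type=USER_LOGIN msg=audit(1700000100.456:413): pid=900 uid=0 auid=4294967295 msg='op=login acct="root" exe="/usr/bin/login" terminal=tty1 res=failed'
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$")
FIELD = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")

def parse_fields(text):
    fields = {}
    for name, value in FIELD.findall(text):
        if value.startswith("'"):  # nested msg='...' of user-space records
            fields.update(parse_fields(value[1:-1]))
        elif name == "proctitle" and not value.startswith('"'):
            try:  # unquoted proctitle is hex; arguments are NUL-separated
                raw = bytes.fromhex(value).replace(b"\0", b" ")
                fields[name] = raw.decode("utf-8", "replace")
            except ValueError:  # e.g. proctitle=(null)
                fields[name] = value
        else:
            fields[name] = value.strip('"')
    return fields

def parse_events(log_text):
    """Group records by serial number; one event spans several lines."""
    events = defaultdict(lambda: {"types": [], "fields": {}})
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, secs, serial, rest = m.groups()
        event = events[int(serial)]
        event["time"] = datetime.fromtimestamp(int(secs), tz=timezone.utc)
        event["types"].append(rtype)
        event["fields"].update(parse_fields(rest))
    return dict(events)

def failed_logins(events):
    """Serial numbers of login/authentication events that did not succeed."""
    return [s for s, e in events.items()
            if {"USER_LOGIN", "USER_AUTH"} & set(e["types"])
            and e["fields"].get("res") == "failed"]

if __name__ == "__main__":
    for serial, ev in parse_events(SAMPLE_LOG).items():
        print(serial, ev["time"].isoformat(), ev["types"], ev["fields"].get("key"))
```

On the repository itself, `ausearch -i` and `aureport` from the audit package read the same files and do this interpretation for you.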
johannesk
Expert
Posts: 177
Liked: 38 times
Joined: Jan 19, 2016 1:28 pm
Full Name: Jóhannes Karl Karlsson
Contact:

Re: Hardened Repository best practice deployment

Post by johannesk »

Mildur wrote: Jun 07, 2023 3:08 pm

Hi Fabian,

If one has set up Rocky Linux according to the Veeam documentation (as documented in the blog by Hannes), thus with root disabled, ssh disabled and the DISA STIG profile, minimal install, is the VHR script doing anything more?
https://www.veeam.com/sys507

Or is it just to apply to a Linux repository setup that was not initially set up according to the Veeam documentation on VHR?

Regards,
Jóhannes
FrenchBlue
Expert
Posts: 145
Liked: 23 times
Joined: Mar 18, 2021 6:04 pm
Contact:

Re: Hardened Repository best practice deployment

Post by FrenchBlue »

Hello,

Generic question: how do you connect to the repo once SSH is disabled? Especially if it's not a VM. Using the server KVM over ip console and then enabling ssh temporarily? Then sudo if root login is disabled?
pybfr
Veeam Software
Posts: 239
Liked: 43 times
Joined: Sep 26, 2022 9:54 am
Full Name: Pierre-Yves B.
Contact:

Re: Hardened Repository best practice deployment

Post by pybfr » 2 people like this post

ideally you don't :)
But when it's required, yes you can use a KVM or better a physical console, so you do not need to enable SSH at all.
FrenchBlue
Expert
Posts: 145
Liked: 23 times
Joined: Mar 18, 2021 6:04 pm
Contact:

Re: Hardened Repository best practice deployment

Post by FrenchBlue »

Thanks. Yeah in theory you don't, but of course irl you sometimes have to log in there 😊
IanBolton
Enthusiast
Posts: 57
Liked: 12 times
Joined: Jan 06, 2022 1:55 pm
Full Name: IanE
Contact:

Re: Hardened Repository best practice deployment

Post by IanBolton » 1 person likes this post

FrenchBlue wrote: Nov 12, 2024 8:42 am
Hello,

Generic question: how do you connect to the repo once SSH is disabled? Especially if it's not a VM. Using the server KVM over ip console and then enabling ssh temporarily? Then sudo if root login is disabled?

For my Linux repos, SSH is generally disabled, the firewall doesn't have the ssh rule enabled, the iLO card uses unique credentials per host, each is connected to a disabled LAN port.

So although it isn't impossible, an attacker must compromise multiple layers to gain access.

The flipside of that is that there's a lot to unpick on the rare occasions that I need to jump on!