
The Veeam Hardened Repository ISO (VHRISO) is a Managed Hardened Repository delivered as a bootable ISO with a Rocky Linux distribution preconfigured by Veeam.

The idea is to dramatically simplify provisioning while eliminating (or at least reducing) the need for any Linux expertise.

At the same time the OS comes pre-hardened out of the box, with all advanced security settings already applied: immutability alone is not enough if the repository host itself is configured insecurely. The hardening follows the Security Technical Implementation Guides (STIGs) created and maintained by the Defense Information Systems Agency (DISA) for Rocky Linux.

On-going management costs are also reduced, since both the hardened repository components and the base OS updates are provided directly by Veeam.

On 29 October 2024, this project changed its status from Community Preview to experimentally supported. This means that hardened repositories deployed from the ISO are now officially supported for use in production environments, and you can open support cases normally in case of any issues (the experimental support SLA disclaimer applies only to issues with the ISO installer and the Configurator tool specifically). To be eligible for support, you must use an unmodified version of the Veeam Hardened Repository ISO on a machine that meets all the system requirements.

The current build number remains 0.1.17 (from the October release) and is available for download both from the Customer Portal and from the trial downloads page: click Additional Downloads > Extensions and Other > Veeam Hardened Repository ISO.

For setup and configuration see: Veeam Managed Hardened Repository installation and configuration

Pre-Hardened OS configurations:

  • DISA STIG security profile is applied to the base OS automatically
  • SSH is disabled by default but can be temporarily enabled
  • Time shift protection is enabled by default: the network time service (chrony) is pre-configured to ignore significant time changes during startup

The official Veeam documentation also includes a section for this particular option.

The following requirements must be met:

  • The Veeam Backup & Replication version must be 12.2 or later.
  • All hardware must be on the Red Hat compatibility list or CIQ certified hardware list.
  • UEFI secure boot must be enabled.
  • Third party security software must not be installed on the server.
  • Only hardware RAID controllers must be used.
    • Software RAID, Intel VMD VROC, and FakeRAID controllers are not supported.
    • RAID controllers must have write-back cache enabled.
  • Internal or direct attached storage volumes must be used.
  • The server must have at least two storage volumes:
    • A separate volume for the operating system (minimum 100GB).
    • At least one additional volume for data. All additional data volumes must be larger than the operating system volume. It is strongly recommended that you use at least a dual parity RAID configuration.
  • In addition to the standard set of ports that must be opened for a backup/hardened repository, a direct or HTTP proxy connection to repository.veeam.com on port 443 is also required for security and operating system updates. Without this connection, the GNU Privacy Guard (GPG) keys will eventually expire. Once these keys have expired, no further updates will be possible and a full re-installation of the operating system will be required.
  • To prevent unauthorized access to or deletion of the hardened repository, the BMC (baseboard management controller) port on your server hardware must be secured using appropriate measures such as firewalls and strong passwords.
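
A few of the pre-hardened settings and requirements above (UEFI Secure Boot, the OS/data volume layout, chrony time-shift protection, reachability of repository.veeam.com on 443) can be verified before you burn the ISO or open a support case. The script below is an added example written for this page, not Veeam's own tooling or anything shipped in the ISO. It assumes the standard EFI global variable path for SecureBoot, reads volume sizes in bytes from `lsblk -b` style output, interprets "ignore significant time changes" as chrony having no active `makestep` directive (an assumption about how the protection is implemented), and treats the 100GB minimum as 100 GiB (a conservative reading). Inputs are passed as arguments or stdin so the checks can be exercised against constructed data.

```shell
#!/usr/bin/env bash
# Pre-flight checks for a Veeam Hardened Repository ISO host (added example).
# Each function prints a one-line verdict and returns 0 (pass) or 1 (fail).

# UEFI Secure Boot: the SecureBoot efivar holds 4 attribute bytes followed by
# a single value byte, 1 = enabled. Path is the standard EFI global GUID.
check_secure_boot() {
    local efivar="${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}"
    [ -r "$efivar" ] || { echo "secure boot: efivar not readable (legacy BIOS boot?)"; return 1; }
    local state
    state=$(tail -c 1 "$efivar" | od -An -tu1 | tr -d ' ')
    [ "$state" = "1" ] || { echo "secure boot: disabled"; return 1; }
    echo "secure boot: enabled"
}

# Volume layout: $1 is the OS disk name, stdin is `lsblk -b -d -n -o NAME,SIZE,TYPE`.
# OS disk must be >= 100 GiB (assumption: GiB); every other "disk" entry is a
# data volume and must be strictly larger than the OS disk; at least one needed.
check_volumes() {
    local os_disk="$1" rows os_size name size type data_count=0 rc=0
    local min_os=$((100 * 1024 * 1024 * 1024))
    rows=$(cat)
    os_size=$(printf '%s\n' "$rows" | awk -v d="$os_disk" '$1==d && $3=="disk" {print $2}')
    [ -n "$os_size" ] || { echo "volumes: OS disk $os_disk not found"; return 1; }
    if [ "$os_size" -lt "$min_os" ]; then
        echo "volumes: OS disk $os_disk is $os_size bytes, below 100 GiB"; rc=1
    fi
    while read -r name size type; do
        { [ "$type" = "disk" ] && [ "$name" != "$os_disk" ]; } || continue
        data_count=$((data_count + 1))
        if [ "$size" -le "$os_size" ]; then
            echo "volumes: data disk $name ($size bytes) is not larger than the OS disk"; rc=1
        fi
    done <<EOF
$rows
EOF
    [ "$data_count" -ge 1 ] || { echo "volumes: no data disk found"; rc=1; }
    [ "$rc" -eq 0 ] && echo "volumes: OS disk $os_disk plus $data_count data disk(s) OK"
    return $rc
}

# Time-shift protection: assumption that chrony must only slew, never step,
# so no uncommented "makestep" directive may be present in $1.
check_chrony_nostep() {
    local conf="$1"
    [ -r "$conf" ] || { echo "chrony: $conf not readable"; return 1; }
    if grep -Eq '^[[:space:]]*makestep' "$conf"; then
        echo "chrony: makestep present, clock may be stepped"; return 1
    fi
    echo "chrony: slew only, no makestep"
}

# Update channel: needs a direct or HTTPS-proxy path to repository.veeam.com:443
# (curl honours https_proxy). Not exercised offline.
check_update_endpoint() {
    local code
    code=$(curl -sS -o /dev/null -w '%{http_code}' --max-time 10 https://repository.veeam.com/ 2>/dev/null) || code=000
    [ "$code" != "000" ] || { echo "updates: repository.veeam.com:443 unreachable"; return 1; }
    echo "updates: repository.veeam.com reachable (HTTP $code)"
}

# Usage on a real host:
#   check_secure_boot
#   lsblk -b -d -n -o NAME,SIZE,TYPE | check_volumes sda
#   check_chrony_nostep /etc/chrony.conf
#   check_update_endpoint
```

A failed `check_update_endpoint` is the one to take seriously on a long-lived box: without that path the GPG keys eventually expire and the only recovery is a reinstall, so put the check into whatever monitoring already watches the repository.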

There is also an unofficial server compatibility list (last updated: Dec 11th 2024):

  • Cisco C3260M5 < 2x UCS S3260 Dual Raid Controller based on Broadcom 3316 ROC; 2x Cisco Ethernet Converged NIC XXV710-DA2 (rebranded Intel NIC, dual port with 4x 25Gbit in LACP mode)
  • Dell R550 < PERC H755 RAID Controller in RAID5, BOSS-S2 with dual 480GB M.2, Broadcom 57414 10/25Gb OCP NIC 3.0
  • Dell R730xd < PERC H730P mini RAID controller
  • Dell R740xd < (Debranded EMC DP4400), Perc H730P Mini Embedded 153TB raid 60, Boss-s1 230GB
  • Dell R750 < PERC H755 RAID Controller RAID6; RAID1 BOSS-S2 (2xSSD 450GB); Broadcom NetXtreme Gigabit, Intel Ethernet 10G 4P X710-T4L-t
  • Dell R750xs < no further details known
  • Dell R760 < PERC H965i Front for DATA / BOSS-N1 for OS, Broadcom Adv. Dual 25Gb
  • Dell R760xd2 < PERC H755 for DATA / BOSS-N1 for OS; Broadcom Adv. Dual 25Gb Ethernet
  • Dell R760xs < PERC H755 controller 6 x 12TB SATA / BOSS-N1 with 2 x 480GB SSD drives
  • Dell PE T430 < PERC H730 controller
  • Dell T640 < PERC H730P controller
  • HPE Alletra 4140 < HPE SR932i-p Gen 11, NS204i-u Gen 11, Broadcom BCM 57416 10GbE 2p BASE-T OCP3, Mellanox MLX MCX623106AS 100GbE 2p QSFP56
  • HPE DL360G10 < HPE Smart Array P408i-a SR Gen10
  • HPE DL380G10 < E208i-p and P408i-a SR controllers
  • HPE DL380G11 < HPE Smart Array P408i-p SR Gen10
  • HPE ProLiant XL450 Gen10 < HPE Smart Array P408i-p SR Gen 10 (for HDD); HPE NS204i-p GEN10+ Boot Controller (for RAID1 NVMe boot device)
  • HPE Apollo 4510 Gen10 < HPE Smart Array P408i-p SR Gen 10 (for HDD); HPE NS204i-p GEN10+ Boot Controller (for RAID1 NVMe boot device)
  • Lenovo SR630V3 < LSI MegaRAID Tri-Mode SAS3508
  • Lenovo SR650V3 < ThinkSystem M.2 NVMe 2-Bay RAID Enablement Kit; ThinkSystem RAID 940-16i 4GB Flash PCIe Gen4 12 Gb Adapter
  • Supermicro X11SPI-TF < LSI MegaRAID SAS 9361-8i