The Veeam Hardened Repository ISO (VHRISO) is a Managed Hardened Repository delivered as a bootable ISO containing a Rocky Linux distribution preconfigured by Veeam.

The idea is to dramatically simplify the provisioning experience while eliminating (or at least reducing) the need for any Linux expertise.

It also ships with an OS that is pre-hardened out of the box, with all advanced security settings already applied, because immutability alone may not be enough if the repository is configured incorrectly. The hardening follows the Security Technical Implementation Guides (STIGs) created and maintained by the Defense Information Systems Agency (DISA) for Rocky Linux.

Further, ongoing management costs are reduced because updates for both the hardened repository components and the base OS are provided directly by Veeam.

On 29 October 2024, this project changed its status from Community Preview to experimentally supported. This means that hardened repositories are now officially supported for use in production environments, and you can open support cases normally in case of any issues (the experimental support SLA disclaimer applies only to issues with the ISO Installer and the Configurator Tool specifically). To be eligible for support, you must use an unmodified version of the Veeam Hardened Repository ISO on a machine that meets all the system requirements.

On 29 January 2025, Veeam released the new build 2.0.0.8, which is available for download both in the Customer Portal and in the trial downloads. Just click Additional Downloads > Extensions and Other > Veeam Hardened Repository ISO.

The following requirements must be met:

  • The Veeam Backup & Replication version must be 12.2 or later.
  • All hardware must be on the Red Hat compatibility list or CIQ certified hardware list.
  • UEFI secure boot must be enabled.
  • Third party security software must not be installed on the server.
  • Only hardware RAID controllers must be used.
    • Software RAID, Intel VMD VROC, and FakeRAID controllers are not supported.
    • RAID controllers must have write-back cache enabled.
  • Internal or direct attached storage volumes must be used.
  • The server must have at least two storage volumes:
    • A separate volume for the operating system (minimum 100GB).
      • Exactly one disk must be the smallest disk (1x 100GB and 1x 101 GB is supported; 2x 100GB and 1x 200TB is unsupported because there is no single “smallest disk” and the installer will throw an error).
    • At least one additional volume for data. All additional data volumes must be larger than the operating system volume. It is strongly recommended that you use at least a dual parity RAID configuration.
  • In addition to the standard set of ports that must be opened for a backup/hardened repository, a direct or HTTP proxy connection to repository.veeam.com on port 443 is also required for security and operating system updates. Without this connection, the GNU Privacy Guard (GPG) keys will eventually expire. Once these keys have expired, no further updates will be possible and a full re-installation of the operating system will be required.
  • To prevent unauthorized access to or deletion of the hardened repository, the BMC (baseboard management controller) port on your server hardware must be secured using appropriate measures such as firewalls and strong passwords.
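The volume rules above (a unique smallest disk used for the OS, at least 100GB, every data disk larger) can be checked before booting the installer. The following pre-flight script is an added example, not part of the ISO or the installer; it parses `lsblk -b -d -n -o NAME,SIZE,TYPE` output (a constructed sample is embedded) and assumes the installer's "100GB" means decimal gigabytes.

```python
"""Pre-flight check of a planned disk layout against the VHR ISO volume rules.

Added example, not Veeam's installer code. Rules encoded from the requirements
list: the OS disk is the single smallest disk, it must be at least 100 GB, and
every other (data) disk must be larger than it.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

GB = 10**9                      # assumption: "100GB" in the requirements is decimal GB
MIN_OS_BYTES = 100 * GB

# Constructed sample of `lsblk -b -d -n -o NAME,SIZE,TYPE` on a two-volume host.
SAMPLE_LSBLK = """\
sda   100000000000 disk
sdb  8000000000000 disk
sr0     1048576000 rom
"""


@dataclass
class LayoutCheck:
    ok: bool
    os_disk: Optional[str]
    messages: List[str] = field(default_factory=list)


def parse_lsblk(text: str) -> Dict[str, int]:
    """Return {device: size_bytes} for TYPE == disk rows (optical drives etc. are skipped)."""
    disks = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2] == "disk":
            disks[parts[0]] = int(parts[1])
    return disks


def check_layout(disks: Dict[str, int]) -> LayoutCheck:
    """Apply the OS/data volume rules; the OS disk is the unique smallest disk."""
    if len(disks) < 2:
        return LayoutCheck(False, None, ["at least two volumes are required (OS + data)"])
    smallest = min(disks.values())
    candidates = [d for d, s in disks.items() if s == smallest]
    if len(candidates) != 1:
        # Same failure mode the installer reports: no unique "smallest disk".
        return LayoutCheck(False, None, [f"no unique smallest disk: {candidates} are all {smallest} B"])
    os_disk = candidates[0]
    msgs = []
    if smallest < MIN_OS_BYTES:
        msgs.append(f"{os_disk} is {smallest / GB:.0f} GB; the OS volume needs at least 100 GB")
    # A unique minimum already guarantees every data disk is larger than the OS disk.
    return LayoutCheck(not msgs, os_disk, msgs)
```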

Using a VM is not recommended due to vastly increased attack surface (hypervisor) and inability to access backups in case of a hypervisor host outage.

New features compared to the previous version:

  • Repair mode
    • Re-installs only the OS while keeping the data partitions intact.
    • Please note that repair functionality cannot be used for migrations from Ubuntu or any other Linux distributions. The system will fail to boot and you would need to fix /etc/fstab manually.
  • Live boot
    • Provides a live system for troubleshooting. It’s mainly built for use by Veeam support, but experienced Linux users can also use it, e.g. for performance testing with fio or iperf.
  • Fully automated installation / Zero-touch installation
    • This uses regular kickstart and was designed to allow mass deployments or unattended (lab) installations. Public documentation can be created depending on demand. In general, the kickstart documentation from Red Hat can be used.
    • To get “zero touch installations” working, add auto=1 to the kernel parameters in the grub bootloader. In ks.cfg, make sure to set the keyboard layout and time zone and to disable the cdrom installation source.