The Veeam Managed Hardened Repository is a bootable ISO based on the Rocky Linux 9.2 (Blue Onyx) distribution, preconfigured by Veeam.
The idea is to dramatically simplify the provisioning experience and improve the security of the hardened repository, with a solution pre-hardened out of the box and all advanced security settings already applied. This matters because immutability alone may not be enough if the repository is configured in the wrong way!
Some of the hardening settings are:
- Security recommendations based on Security Technical Implementation Guides (STIGs) created and maintained by the Defense Information Systems Agency (DISA) for Rocky Linux.
- No direct root access to the system. The current sudo permissions for the veeamsvc user allow it to install additional packages that are signed by a trusted key, but other commands (such as sudo su -) are blocked by sudo.
- SSH is disabled by default but can be temporarily enabled for the veeamsvc user with a randomly generated password.
- Time shift protection is enabled by default: the network time service (chrony) is pre-configured to ignore significant time changes during startup. Immutability is time-based, so a clock jumped forward would let protected backups expire early.
Requirements
The following requirements must be met:
- Veeam Backup & Replication version must be 12.2 or 12.3.
- All hardware must be on the Red Hat compatibility list or CIQ certified hardware list.
- Technically speaking it is possible to install on a VM, but the solution is designed to be installed on a physical system. A hardened repository in a VM is a bad idea: whoever controls the hypervisor can delete, snapshot or roll back the virtual disks, bypassing any immutability enforced inside the guest.
- UEFI Secure Boot must be enabled. Installation on non-UEFI (BIOS) systems is blocked for security reasons. There is no specific check that Secure Boot is actually enabled, so be sure to enable it before starting the installation!
- Third party security software must not be installed on the server.
- For CPU and RAM sizing check the requirements for a Linux repository
- For the RAM, at least 4 GB RAM, plus not less than 1 GB RAM for each concurrently processed machine disk.
- For the CPU, the total number of cores depends on the concurrent task settings.
- For more information, see Limitation of Concurrent Tasks.
- Internal or direct attached storage volumes must be used.
- Only hardware RAID controllers must be used:
- Software RAID, Intel VMD VROC, and FakeRAID controllers are not supported.
- RAID controllers must have write-back cache enabled for performance and have cache protection (like battery) for data integrity.
- The server must have at least two storage volumes:
- A separate volume for the operating system (minimum 100GB).
- At least one additional volume for data. All additional data volumes must be larger than the operating system volume. It is strongly recommended that you use at least a dual parity RAID configuration to increase the reliability of the backup.
- There are no specific requirements for network connectivity, but two 10 Gbps (or faster) NICs are a good choice.
- In addition to the standard set of ports that must be open for a backup/hardened repository, a direct or HTTP-proxy connection to repository.veeam.com on port 443 is also required for security and operating system updates. Without this connection the GNU Privacy Guard (GPG) keys will eventually expire; once they have expired, no further updates are possible and a full re-installation of the operating system is required.
- To prevent unauthorized access to, or deletion of, the hardened repository, the baseboard management controller (BMC) port on the server hardware must be secured with appropriate measures such as firewalls and strong passwords. A BMC console session is equivalent to physical access to the box, which no in-guest hardening can defend against.
Installation
The current build number is still 0.1.17, and the ISO is available for download from both the Customer Portal and the trial downloads page: click Additional Downloads > Extensions and Other > Veeam Hardened Repository ISO.
You can use a remote console or create a bootable USB stick from the ISO. To create a bootable USB stick from a Windows machine, it is recommended that you use Rufus with the default settings; note that you need to select the Write in DD Image mode option.
Power on your server and follow the instructions:
On the boot screen, select Install Hardened Repository.
On the Installation Summary step of the installation wizard:
- Select Keyboard to add your preferred keyboard layouts.
- Select Time and Date to set your time zone.
- On the Network & Host Name screen, specify a hostname. Then, configure your network interface.
Note that it is not possible to choose the disk partition layout: all disks are automatically selected and re-initialized! The first disk becomes the system disk; all other disks form a single LVM logical volume formatted with XFS, so the entire capacity is used in a single repository.
Click Begin Installation. The installer also installs some specific SELinux packages and, finally, some add-ons. When the installation is finished, remove the installation media and reboot the system.
Configuration
Post-installation, follow these steps:
- Log in to the server using the vhradmin account. By default, the password is vhradmin.
- Select a new password for the account. It must meet the following DISA STIG requirements:
- 15 characters minimum.
- 1 upper case character.
- 1 numeric character.
- 1 special character.
- No more than 3 consecutive characters of the same class (for example, a run of 4 lowercase letters or 4 digits is rejected).
- Minimum password lifetime of 24 hours (the password cannot be changed again within a day).
- Accept the license agreement.
- In the Veeam Hardened Repository Configurator, configure the following settings as required:
- Network settings — Select Standard configuration to set IPv4 addresses, DHCP, and DNS for network interfaces. Alternatively, select Advanced configuration to use nmtui.
- Proxy settings — Specify an HTTP or HTTPS proxy. Note that self-signed HTTPS proxies are not supported.
- Time settings — Add an NTP server. When adding the NTP server, consider the following:
- chronyd is used as the NTP client.
- NTP servers received over DHCP are accepted. This setting cannot be disabled, so a DHCP server on the repository's network can add time sources; this is one more reason to keep time shift protection in place.
- NTP servers are added with the iburst parameter. No additional options can be specified.
Select the Start SSH option. This generates credentials for the veeamsvc user (with a random password) that are used to add the hardened repository to Veeam Backup & Replication. To generate new credentials, restart the SSH service.
Add the server as a hardened repository. For more information, see Adding Hardened Repositories.
After you have added the hardened repository, select Stop SSH in the configurator so that SSH is disabled again.
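The password rules above are easy to get wrong at the console, in particular the "no more than 3 characters of the same class in a row" rule, which rejects most passphrases built from whole words. The following is an added example (not Veeam's tool and not the appliance's own check) that tests a candidate vhradmin password against the five rules the page lists before you type it in. The 24-hour minimum lifetime is enforced by the system, not by a string check, so it is not covered. The four character classes (upper, lower, digit, special) follow libpwquality's classification and are an assumption about how the appliance counts "the same class"; the sample passwords are constructed.

```python
"""Pre-check a candidate password against the DISA STIG rules listed above (illustrative)."""

MIN_LENGTH = 15
MAX_CLASS_REPEAT = 3  # longest run of same-class characters that is still allowed


def char_class(ch):
    """Map a character to one of the four pwquality-style classes (assumed classification)."""
    if ch.isupper():
        return "upper"
    if ch.islower():
        return "lower"
    if ch.isdigit():
        return "digit"
    return "special"


def longest_class_run(password):
    """Length of the longest run of consecutive characters belonging to the same class."""
    longest = run = 0
    prev = None
    for ch in password:
        cls = char_class(ch)
        run = run + 1 if cls == prev else 1
        prev = cls
        longest = max(longest, run)
    return longest


def check_password(password):
    """Return the list of violated rules; an empty list means the password is acceptable."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    classes = {char_class(ch) for ch in password}
    if "upper" not in classes:
        violations.append("no upper case character")
    if "digit" not in classes:
        violations.append("no numeric character")
    if "special" not in classes:
        violations.append("no special character")
    if longest_class_run(password) > MAX_CLASS_REPEAT:
        violations.append(f"more than {MAX_CLASS_REPEAT} consecutive characters of the same class")
    return violations


if __name__ == "__main__":
    # Constructed samples: the factory default, a word-based passphrase, and a mixed one.
    for candidate in ("vhradmin", "Correct-Horse-Battery-9!", "Tr0ub4dor&3Xk9!Pq2"):
        result = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

Note that "Correct-Horse-Battery-9!" satisfies length and all three class requirements yet is still rejected, because "orrect" is a run of six lowercase letters; interleaving digits or symbols every few characters is what the class-repeat rule actually forces.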
The Hardened Repository Configurator Tool is a management tool that provides these capabilities without requiring any Linux skills:
- Simplified network settings configuration (all settings are available via nmtui)
- HTTP proxy settings (for downloading updates and to access external object storage)
- Change hostname
- Change password for vhradmin user
- Temporarily enable SSH to enable Veeam Backup & Replication to establish the initial connection.
- Update OS and Veeam components (dnf update is leveraged under the hood)
- Reset time shift protection
- Logout, reboot, shutdown
- Automatic logout after 10min
It is possible to re-configure the network after the installation, but it is better to set up the proper teaming configuration during the installation.
The following bonding modes are supported:
- Round Robin (EtherChannel without LACP)
- 802.3ad (EtherChannel with LACP)
- Active-backup (for other configurations)
Limitations of current version
The solution has the following limitations:
- The current version is based on an old Rocky Linux release, 9.2 (Blue Onyx), with kernel 5.14.0-284.30.1.el9_2.x86_64. Even if you perform an update, it remains a 9.2 release!
- There is no way to upgrade or convert an existing Linux repository into a Managed Hardened Repository (even if you start from Rocky Linux 9.2, all the disks will be reformatted from scratch).
- I hope that there will be an option to keep at least the backup data.
- The ISO does not currently have a “repair mode”, so be sure to have a redundant OS disk!
- If the operating system volume is lost due to a RAID failure or similar issue, you will need to install another supported Linux-based operating system, activate the LVM volume group and mount the XFS data volume(s) to access your data.
- Updates to the server are applied automatically at 8:00 AM in the configured time zone. However, the server does not reboot automatically, and there is no notification that a reboot is required. To make sure that all updates (including kernel updates) are actually applied, reboot the hardened repository regularly.
- Multipathing for storage volumes is not supported.
- iSCSI or Fibre Channel LUNs provisioned to the server are not supported.
- Wireless network connections are not supported.