[Community Preview] Managed Hardened Repository ISO by Veeam (Part 1)

Veeam introduced the Hardened Backup Repository in v11, and it has since been widely adopted by Veeam customers worldwide. Many customers have built their own hardened repositories on Linux systems, giving Veeam secure and reliable data storage that has successfully resisted various ransomware attacks.

Over the past few years, to help everyone configure hardened repositories more conveniently, I’ve created several scripts and tools:

On September 30th, the Veeam R&D team officially released another deployment method for the Hardened Repository: a Linux ISO for building systems “from scratch.” Administrators can use this Veeam-packaged ISO to deploy bare-metal servers quickly and install the Hardened Repository operating system. Once installation is complete, a series of Veeam Hardened Repository best practices is already applied to the system, and administrators can then perform subsequent configuration and management in VBR.

Feature Overview

This is a Veeam-packaged Linux installation disk based on Rocky Linux. Once installation is complete, it automatically applies the DISA STIG security configuration profile to the underlying system, disables SSH, and enables time modification protection. The system includes the Hardened Repository Configurator tool, which can:

  • Configure system network settings
  • Set up HTTP proxy
  • Modify hostname
  • Change the password for the vhradmin user
  • Temporarily enable SSH
  • Upgrade OS and Veeam components
  • Reset time change protection
  • Log out/restart/shutdown
  • Auto-logout after 10 minutes

System Requirements

This Linux system can be installed on any physical hardware listed in the official Red Hat compatibility list. For CPU and memory, follow the best practice requirements listed in the Veeam help documentation. For storage, you must prepare at least two physical volumes, such as /dev/sda and /dev/sdb. The volume used for the operating system must have a minimum capacity of 100GB; otherwise, errors will occur during installation.

The system only supports storage systems with built-in RAID cards or disk controllers. It cannot work properly with LUNs mounted to the server via iSCSI or FC. Soft RAID and fake RAID systems are also not supported. All storage configurations must be completed before system installation. Once the system installation begins, the installer will detect relevant disks and automatically format them.

During the system installation process, the installer will automatically select the disk with the smallest capacity to install the operating system. Therefore, when configuring disk selection, please ensure that the disk intended for the system installation is smaller than the data disks.
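The disk rules above can be checked from any live Linux environment before booting the ISO, since the installer formats whatever it detects. The following is an added example, not Veeam's installer logic: the function name `check_disks` is hypothetical, "100GB" is assumed to mean 100 × 10^9 bytes, and a tie for smallest disk is treated as a failure because the page does not say how the installer resolves one.

```bash
#!/usr/bin/env bash
# Pre-flight check for the storage rules described above (added example).
# Input on stdin: lines of "NAME SIZE_BYTES TYPE", the format printed by
#   lsblk -b -d -n -o NAME,SIZE,TYPE
# Assumption: "100GB" is read as 100 * 10^9 bytes.
MIN_OS_BYTES=100000000000

# Prints "OK <os-disk>" or "FAIL <reason>"; returns non-zero on FAIL.
check_disks() {
  awk -v min="$MIN_OS_BYTES" '
    $3 == "disk" {                      # ignore rom, loop, part, ...
      n++
      size = $2 + 0
      if (n == 1 || size < smallest) { smallest = size; name = $1; ties = 1 }
      else if (size == smallest)     { ties++ }
    }
    END {
      if (n < 2) {
        print "FAIL need at least two volumes, found " (n + 0); exit 1
      }
      if (ties > 1) {
        print "FAIL " ties " disks share the smallest size; OS target is ambiguous"; exit 1
      }
      if (smallest < min + 0) {
        print "FAIL smallest disk " name " is under 100GB"; exit 1
      }
      print "OK " name                  # disk the installer is expected to pick
    }'
}

# Constructed sample: one 240 GB boot disk, two 8 TB data volumes, one optical drive.
sample='sda 240057409536 disk
sdb 8001563222016 disk
sdc 8001563222016 disk
sr0 1073741312 rom'

printf '%s\n' "$sample" | check_disks
# On a live system: lsblk -b -d -n -o NAME,SIZE,TYPE | check_disks
```

If the reported disk is not the one intended for the operating system, fix the RAID or volume layout before starting the installer.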

Operating System Security Design Logic

This Hardened Repository installation disk is designed with the following security configurations:

  • Automatically applies the DISA STIG security configuration profile. This includes password complexity requirements, application whitelisting, UEFI secure boot, etc.

  • Disables all network service listeners after installation, including SSH.

  • Two users are configured on this system: veeamsvc and vhradmin.

    • veeamsvc is used to run all VBR services, and the password is automatically generated by the Hardened Repository Configurator. This user has sudo permissions and will be used for one-time configuration when configuring the Hardened Repository in VBR.
    • The vhradmin account has no sudo permissions and can only run the Hardened Repository Configurator program for basic system maintenance. The default password for this account is “vhradmin”, and this password must be changed upon first login.
  • All automatic security updates come from repository.veeam.com. To receive automatic updates, you need to allow access to this site.

Currently, this hardened repository system is available as a community preview with version number 0.1.15. Anyone interested can download and try it from the Veeam Community Forum. Since this is a technical preview, it is not recommended for production use, and there is currently no official Veeam technical support. In the future, Veeam plans to release an official complete product version, at which time Veeam’s official technical support will cover this ISO-deployed Linux system.

It should also be noted that during this preview phase, the product does not support upgrading to future official versions. When the official version is released, a complete reinstallation will still be required.

Technical support questions about this community technical preview can be asked and answered directly in the forum download thread. If needed, you can also leave a message on my official account to contact me.

That’s all for this issue. In the next installment, I’ll bring you a detailed installation guide.