Veeam v11 - Hardened Repository - how it behaves




40 comments

Userlevel 7

I wouldn't say it's the easy way, but yes, this would work. While I would say 7 days is a rather short time frame for immutability, at least you would lose your current backups.

That's why you still need to secure your environment and should monitor all configuration changes. Immutability is only a part of the solution.

Userlevel 7

So the easy way to attack an immutable copy is:

  • Take control of the Veeam server.
  • Change the repository config (remove immutability).
  • Wait for the immutability time (let’s say 7 days).
  • You will be able to delete restore points from the Veeam console… and the final user has had no warning.

Am I correct?

You would still have to wait for the immutability time to expire, so if I put 160 days… The lock is on the object store, so Veeam and Windows can’t change it.

Userlevel 7

So the easy way to attack an immutable copy is:

  • Take control of the Veeam server.
  • Change the repository config (remove immutability).
  • Wait for the immutability time (let’s say 7 days).
  • You will be able to delete restore points from the Veeam console… and the final user has had no warning.

Am I correct?

You would still have to wait for the immutability time to expire, so if I put 160 days… The lock is on the object store, so Veeam and Windows can’t change it.

Now if you got console on the Linux server then that is not good. If you are running your object storage in containers in an orchestrated environment then we add yet another level of difficulty into the equation for the bad guys ;)

Userlevel 7

Also to add, if you’re using Veeam ONE (which, you really should be!), there are built-in alarms for Immutability state and Immutability change tracking. So this would drive your warnings.

Userlevel 1

So the easy way to attack an immutable copy is:

  • Take control of the Veeam server.
  • Change the repository config (remove immutability).
  • Wait for the immutability time (let’s say 7 days).
  • You will be able to delete restore points from the Veeam console… and the final user has had no warning.

Am I correct?

You would still have to wait for the immutability time to expire, so if I put 160 days… The lock is on the object store, so Veeam and Windows can’t change it.

Yes, I said “wait for the immutability time”… if it’s very long you will be safer… but you will need a really big disk

Userlevel 1

Also to add, if you’re using Veeam ONE (which, you really should be!), there are built-in alarms for Immutability state and Immutability change tracking. So this would drive your warnings.

That’s a good point!! Thanks!

Userlevel 7

@Zucchetti Spain, correct on waiting the immutability time, I can’t find the document but I thought I saw something about not being able to change the immutability state of a hardened repository after initial deployment, I may be thinking of Object Storage, @vNote42 / @Mildur, does this ring any bells to yourselves?

Userlevel 1

@Zucchetti Spain, correct on waiting the immutability time, I can’t find the document but I thought I saw something about not being able to change the immutability state of a hardened repository after initial deployment, I may be thinking of Object Storage, @vNote42 / @Mildur, does this ring any bells to yourselves?

I have tried it and I can remove the check in Veeam… with no warning. Now I’m waiting for 7 days to pass, but I’m quite sure I will be able to delete my (test) backups…

In my opinion Veeam should warn about “this backup has changed from immutable to non-immutable” for at least some days...

Userlevel 7

@MicoolPaul

Are you talking about disabling immutability? Disabling immutability on object storage is not possible. You get an error.

Immutability on Linux Hardened Repositories can be disabled in my test lab, but Veeam ONE will alarm you about it.

Userlevel 7

Awesome post! 

Userlevel 1

@MicoolPaul

Are you talking about disabling immutability? Disabling immutability on object storage is not possible. You get an error.

Immutability on Linux Hardened Repositories can be disabled in my test lab, but Veeam ONE will alarm you about it.

Yes… I mean disabling it on a Linux hardened repository… Veeam ONE will warn me… but in my opinion it should be a good idea to put a warning in the result email of the copy itself

Userlevel 7

You can disable it on a hardened repository. But the backups which are already in the repository stay immutable. Only the new ones are not immutable.

Yes, the Veeam ONE alarm is very useful. But I agree, it would be useful if Veeam would warn itself, too…

Userlevel 7

@Zucchetti Spain, correct on waiting the immutability time, I can’t find the document but I thought I saw something about not being able to change the immutability state of a hardened repository after initial deployment, I may be thinking of Object Storage, @vNote42 / @Mildur, does this ring any bells to yourselves?

I have tried it and I can remove the check in Veeam… with no warning. Now I’m waiting for 7 days to pass, but I’m quite sure I will be able to delete my (test) backups…

In my opinion Veeam should warn about “this backup has changed from immutable to non-immutable” for at least some days...

Thanks @Mildur for confirming, couldn’t remember if it was either or both, so your comments there are appreciated!

@Zucchetti Spain, just to also say, the immutability will be 7 days from the last point in the chain by the way, Veeam increments this on the dependent points in the active chain to ensure the chain is immutable to the same time so there’s no isolated incremental backups that aren’t usable.

Userlevel 7

@Zucchetti Spain, just to add my two cents:

As already said, it is easily possible to disable immutability if you get backup-admin access to VBR server. This is because immutability is just a property of the repository, saved in the VBR-database. Therefore it is essential to monitor these settings. With Veeam ONE, you have a good tool to do so:

Monitor Hardened Repository with Veeam ONE v11a

 

Maybe also important to note: GFS restore points stay immutable as long as they are kept by retention-policy.
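
A host-side check that complements the Veeam ONE alarms discussed in this thread, as an added example that is not part of the original posts and not Veeam's own tooling: because the repository setting lives in the VBR database, the Linux repository itself can be asked which restore points actually carry the immutable attribute. It assumes the hardened repository marks files with the Linux immutable flag shown by `lsattr` and that restore points end in `.vbk`/`.vib`; the path `/mnt/veeam-repo`, the job name and the sample listing are constructed.

```shell
#!/usr/bin/env bash
# Added example, not Veeam tooling: list restore points on a Linux hardened
# repository that do NOT carry the immutable attribute, from lsattr output.
# Assumptions: immutability shows as the 'i' flag in lsattr, restore points
# end in .vbk/.vib, and .vbm metadata is rewritten each run so stays mutable.

# stdin: lsattr output ("<flags> <path>" per line); stdout: unprotected paths.
find_mutable_backups() {
    local flags path
    while read -r flags path; do
        # Blank lines and "dir:" headers from lsattr -R carry no file entry.
        [ -n "$path" ] || continue
        case "$path" in
            *.vbk|*.vib) ;;          # restore points: expected immutable
            *) continue ;;           # metadata, lock files, headers
        esac
        case "$flags" in
            *i*) ;;                  # immutable flag present
            *) printf '%s\n' "$path" ;;
        esac
    done
}

# Constructed sample listing; repository path and job name are hypothetical.
sample_lsattr() {
    cat <<'EOF'
----i----------------- /mnt/veeam-repo/Job A/Job A.2024-05-01T220000.vbk
----i----------------- /mnt/veeam-repo/Job A/Job A.2024-05-02T220000.vib
---------------------- /mnt/veeam-repo/Job A/Job A.2024-05-03T220000.vib
---------------------- /mnt/veeam-repo/Job A/Job A.vbm
EOF
}

# Live use on the repository host, limited to files newer than the 7-day
# period used in the thread (older points may no longer carry the flag):
#   find /mnt/veeam-repo -type f \( -name '*.vbk' -o -name '*.vib' \) \
#        -mtime -7 -exec lsattr {} + | find_mutable_backups
sample_lsattr | find_mutable_backups
```

A recent restore point without the flag means new backups are being written unprotected, which is the state the thread describes after the repository setting is switched off.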


Userlevel 7

I’m wondering if someone has deployed a hardened repo with OpenSCAP for hardening the OS? What are your experiences with it? Did you encounter any inconvenience with OS hardening enabled?

BTW, I discovered this article on the Red Hat website about the deployment of a hardened repository.

https://www.redhat.com/en/blog/veeam-ransomware-protection-rhel-immutable-repository

@vNote42 not sure it’s the right topic; if it’s not, tell me and I will move my message to another :)
