What and why?
The Veeam Hardened Repository (VHR) is definitely in my top 10 list of product features. However, as with any IT system, having it in place means that it needs to be maintained. Veeam's own components are maintained by Veeam during patches or upgrades. With the initial release of 12.1, updating a VHR is still a partly manual task: you have to temporarily re-enable SSH on the repository to do it. Cumulative Update 1 for 12.1 should allow the Veeam services to be updated without enabling SSH: https://forums.veeam.com/veeam-backup-replication-f2/upgrade-of-vbr-to-12-1-with-hardened-repo-t91251.html
But there is more to it than that! The Linux underneath also needs to be maintained.
Update your Linux underneath
Ubuntu is one of the recommended distributions for a VHR, and keeping it patched is easily done through its package manager, APT.
We always recommend LTS releases. Those get 5 years of standard security updates from their initial release date; for 20.04 LTS that is until 2025.
By adding Expanded Security Maintenance (ESM), this grows to 10 years.
All you have to do is head to https://ubuntu.com/pro and subscribe to Ubuntu Pro or Ubuntu Pro (Infra-only). The latter unlocks the esm-infra repository and can already be enough for a generic VHR: it covers ~2,300 packages from the Ubuntu Main repository and delivers security updates beyond the initial 5 years. This takes your Ubuntu 20.04 LTS safely patched into the year 2030!
How much is the fun?
For server systems, Canonical charges $225 per year for Ubuntu Pro (Infra-only). The full Ubuntu Pro at $500 per year also includes the esm-apps repository, covering more than 23,000 packages from the Ubuntu Universe repository: https://ubuntu.com/pro/subscribe
For personal use, Canonical grants Ubuntu Pro for up to 5 machines free of charge. Just register and get your free token here: https://ubuntu.com/pro/dashboard
Additional tokens for production use can be bought there as well via “Buy new subscription”. The dashboard also shows how many machines are currently attached with each token.
To infinity and beyond - Activating ESM
Before activating ESM on a machine, make sure the installation is up to date with respect to the regular public repositories:
sudo apt-get update
sudo apt-get upgrade
If you want to see which additional updates ESM would bring, use the pro command. It is provided by the package ubuntu-advantage-tools (pre-installed on recent Ubuntu releases); install it if it is missing:
sudo apt-get install ubuntu-advantage-tools
Having installed this, you can already get an idea of what ESM would bring without having it enabled:
sudo pro security-status
616 packages installed:
609 packages from Ubuntu Main/Restricted repository
7 packages from Ubuntu Universe/Multiverse repository
To get more information about the packages, run
pro security-status --help
for a list of available options.
This machine is receiving security patching for Ubuntu Main/Restricted
repository until 2025.
This machine is NOT attached to an Ubuntu Pro subscription.
Ubuntu Pro with 'esm-infra' enabled provides security updates for
Main/Restricted packages until 2030.
Ubuntu Pro with 'esm-apps' enabled provides security updates for
Universe/Multiverse packages until 2030. There are 2 pending security updates.
So we can see that most of the installed packages come from Main while a few come from Universe. Without ESM, the Universe packages receive no guaranteed security updates at all, and the Main packages stop receiving them in 2025. Only Ubuntu Pro extends both to 2030.
Canonical serves ESM updates from dedicated repositories. To access them, the machine has to be attached to your subscription with your unique token:
sudo pro attach {token}
{token} is the raw token shown on https://ubuntu.com/pro/dashboard; paste just the token, without the braces. Treat it as a credential: anyone holding it can attach machines to your subscription, so keep it out of shared scripts and logs.
If the attach succeeds, the client lists the services it has enabled.
Depending on the edition you have chosen, you get access to the following additional services:
- esm-infra – distribution and server packages from the repositories “main” and “restricted”
- esm-apps (16.04 LTS and above) – updates for applications and other packages from “universe”
- livepatch – for live (aka no-reboot) kernel updates (needs 16.04+).
If you see “warning” next to livepatch, the running kernel is not supported by Livepatch, so no live updates are possible until you move the machine to a supported kernel.
Checking for and applying updates
You can list the specific updates that ESM provides using:
sudo pro security-status --esm-infra
sudo pro security-status --esm-apps
616 packages installed:
7 packages from Ubuntu Universe/Multiverse repository
Ubuntu Pro with 'esm-apps' enabled provides security updates for
Universe/Multiverse packages until 2030. There are 2 pending security updates.
Run 'pro help esm-apps' to learn more
Installed packages with an available esm-apps update:
mc mc-data
Further installed packages covered by esm-apps:
atop iftop ioping libssh2-1 nethogs
The updates themselves, including the ones from ESM, are applied as usual with:
sudo apt-get update
sudo apt-get dist-upgrade
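The attach, check and update steps above are easy to run once by hand, but a repository that is supposed to outlive the 5-year window should be checked continuously. The following script is an added example and not part of the original post or of Canonical's client: it parses the table printed by pro status and the summary line printed by pro security-status (the layout of both samples follows the real client, the values are constructed), reports the state of esm-infra, esm-apps and livepatch, and exits non-zero when esm-infra is not enabled, so it can be dropped into cron or a monitoring agent on the VHR. The --live switch is an assumption of this script, not a pro option.

```shell
#!/bin/sh
# Added example, not from the original post: a cron-friendly health check for
# the ESM state of a Veeam Hardened Repository host. It parses the table from
# `pro status` and the summary line from `pro security-status` and fails when
# esm-infra is not enabled. Needs only `pro`, `awk` and `grep`. The sample
# outputs below are constructed for offline testing.

# Print the STATUS column for one service (esm-infra, esm-apps, livepatch)
# from the text of `pro status`. An unattached machine prints an AVAILABLE
# column instead of STATUS, so that case is reported before parsing.
pro_service_status() {
    _out=$1
    _svc=$2
    if printf '%s\n' "$_out" | grep -qi 'not attached'; then
        echo unattached
        return 0
    fi
    _status=$(printf '%s\n' "$_out" | awk -v svc="$_svc" '$1 == svc { print $3; exit }')
    echo "${_status:-unknown}"
}

# Extract N from "There are N pending security updates." in the output of
# `pro security-status`. The line also carries the year 2030, so only the
# number directly before the word "pending" is taken; prints 0 when absent.
pending_security_updates() {
    _n=$(printf '%s\n' "$1" | awk '
        /pending security update/ {
            for (i = 2; i <= NF; i++)
                if ($i == "pending" && $(i-1) ~ /^[0-9]+$/) { print $(i-1); exit }
        }')
    echo "${_n:-0}"
}

# One-line verdict. esm-infra is mandatory for a VHR that should be patched
# beyond the standard 5 years; esm-apps and livepatch are reported only.
evaluate_esm() {
    _infra=$(pro_service_status "$1" esm-infra)
    _apps=$(pro_service_status "$1" esm-apps)
    _lp=$(pro_service_status "$1" livepatch)
    _pending=$(pending_security_updates "$2")
    if [ "$_infra" = enabled ]; then _verdict=OK; else _verdict=CRITICAL; fi
    echo "$_verdict esm-infra=$_infra esm-apps=$_apps livepatch=$_lp pending_security_updates=$_pending"
    [ "$_verdict" = OK ]
}

# Constructed sample outputs (layout follows the real client; values made up).
SAMPLE_STATUS_ATTACHED='SERVICE          ENTITLED  STATUS    DESCRIPTION
esm-apps         yes       enabled   Expanded Security Maintenance for Applications
esm-infra        yes       enabled   Expanded Security Maintenance for Infrastructure
livepatch        yes       warning   Current kernel is not supported

Enable services with: pro enable <service>'

SAMPLE_STATUS_UNATTACHED='SERVICE          AVAILABLE  DESCRIPTION
esm-apps         yes        Expanded Security Maintenance for Applications
esm-infra        yes        Expanded Security Maintenance for Infrastructure

This machine is not attached to an Ubuntu Pro subscription.
See https://ubuntu.com/pro'

SAMPLE_SECURITY_STATUS="616 packages installed:
     609 packages from Ubuntu Main/Restricted repository
     7 packages from Ubuntu Universe/Multiverse repository

This machine is NOT attached to an Ubuntu Pro subscription.

Ubuntu Pro with 'esm-apps' enabled provides security updates for
Universe/Multiverse packages until 2030. There are 2 pending security updates."

# Query the live host only when asked for explicitly (--live is this script's
# own switch); otherwise show the verdict for both constructed samples.
if [ "${1:-}" = "--live" ]; then
    evaluate_esm "$(pro status)" "$(pro security-status)"
else
    evaluate_esm "$SAMPLE_STATUS_ATTACHED" "$SAMPLE_SECURITY_STATUS"
    evaluate_esm "$SAMPLE_STATUS_UNATTACHED" "$SAMPLE_SECURITY_STATUS" || true
fi
```

Run it as ./check_esm.sh --live from root's crontab on the repository and alert on a non-zero exit; the attached sample yields "OK esm-infra=enabled esm-apps=enabled livepatch=warning pending_security_updates=2", the unattached one "CRITICAL esm-infra=unattached ...". Parsing the human-readable table keeps the script free of extra dependencies; if you prefer a stable interface, the client also offers pro status --format json.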
You can also check whether the machine is affected by a specific CVE (or USN) and let the client install the fix if one is available:
pro fix {CVE-Number}
Note that pro fix does apply the fix when it can (run it with sudo for that); add --dry-run if you only want to see what it would do. Here is an example for a CVE that is currently unresolved:
Final thoughts
Keep in mind that even with ESM enabled, you are not bringing e.g. Ubuntu 16.04 LTS up to the security level of, say, Ubuntu 22.04 LTS: ESM backports security fixes to the old package versions, it does not add the newer release's hardening. So a release upgrade is still needed from time to time. It can be done in place (sudo do-release-upgrade), but it is a full procedure with at least one reboot. Information on this is available online (e.g. https://www.cyberciti.biz/faq/upgrade-ubuntu-20-04-lts-to-22-04-lts/).
A Veeam Hardened Repository is one of the best ways to safeguard your backups against intruders or malware. It can only stay secure if it is regularly patched with updates that the vendor still provides and maintains.
Ubuntu ESM can help you keep your VHR secure for up to 10 years after installation.