Veeam Tape Server hardening on ubuntu

In this section we will be hardening the Ubuntu based linux tape server to store tape backups from the veeam backup solution.

We will be applying the granular sudo level restrictions in order to limit the sudo privilege based on the least privilege principle.

Creating user

Veeam tape server requires the user with SSH access enabled with sudo level permissions to function properly. Refer the article below in order to refer the system requirements

https://helpcenter.veeam.com/docs/backup/vsphere/system_requirements.html?ver=120#tape-server

we will now acquire the root shell and enter the below given command to create the user

sudo useradd -m -s /usr/sbin/nologin tapadmin

The command sudo useradd -m -s /usr/sbin/nologin tapadmin creates a new user named tapadmin with a home directory (-m) but assigns the /usr/sbin/nologin shell (-s), which effectively prevents the user from logging into the system interactively (via SSH or console). This is typically used for system or service accounts that should not have shell access for security reasons.

Now as the user is created we will be adding the user permissions that are required to function the tap server by adhering the least privilege principle.

From the root shell edit the sudoers file to allow the commands that user tapadmin is allowed to run.

sudo visudo

Once the sudoers file opens we will paste the below given lines

#MISC 
tapeadmin ALL=(root) /usr/bin/id -au
tapeadmin ALL=(root) /usr/bin/whoami
tapeadmin ALL=(root) NOPASSWD: /opt/veeam/transport/veeamtransport 
tapeadmin ALL=(root) NOPASSWD: /usr/bin/cp -f /home/tapeadmin/* /tmp/VeeamAgent*
tapeadmin ALL=(root) NOPASSWD: /usr/bin/dpkg --force-confold --install /tmp/veeamdeployment*.deb

 
#MKDIR
tapeadmin ALL=(root) /bin/mkdir -p /opt/veeam
 
#Check host type
tapeadmin ALL=(root) /bin/uname --machine
tapeadmin ALL=(root) /bin/uname -r
tapeadmin ALL=(root) /bin/ls /etc/exagrid-veeam-version
tapeadmin ALL=(root) /bin/ls /tmp/Veeam_enabled
tapeadmin ALL=(root) /bin/ls /tmp/Veeam_enabled_Infinidat
tapeadmin ALL=(root) /bin/ls /tmp/Veeam_enabled_Fujitsu
tapeadmin ALL=(root) /bin/ls /tmp/Veeam_enabled*
 
#RM
tapeadmin ALL=(root) /bin/rmdir /opt/veeam
tapeadmin ALL=(root) /bin/rmdir /opt/veeam/Upload
tapeadmin ALL=(root) /bin/rm -rf /opt/veeam/deployment*
tapeadmin ALL=(root) /usr/bin/rm /opt/veeam/veeaminstaller
 
#DEPLOYMENT SERVICE
tapeadmin ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --dll-version
tapeadmin ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --get-port
tapeadmin ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --uninstall
tapeadmin ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --set-user tapeadmin
tapeadmin ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --disable-restricted-mode
tapeadmin ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --set-base-log-path /var/log/VeeamBackup
tapeadmin ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --restart
tapeadmin ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --get-fingerprint
tapeadmin ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --install 6160
tapeadmin ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --install-server-certificate /tmp/VeeamUpload*/ServerCertificate
tapeadmin ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --install-certificate /tmp/VeeamUpload*/ClientCertificate
tapeadmin ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --set-max-log-size 10485760
tapeadmin ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --set-max-log-count 10
tapeadmin ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --get-bios-uuid
 
#TRANSPORT
tapeadmin ALL=(root) /opt/veeam/transport/veeamtransport --version
tapeadmin ALL=(root) /opt/veeam/transport/veeamtransport-link --get-user
tapeadmin ALL=(root) /opt/veeam/transport/veeamtransport --disable-restricted-mode
tapeadmin ALL=(root) /opt/veeam/transport/veeamtransport-link --set-user root
tapeadmin ALL=(root) /bin/ls /opt/veeam/transport/veeamtransport-link
tapeadmin ALL=(root) /opt/veeam/transport/veeamtransport-link --set-user tapeadmin
tapeadmin ALL=(root) /opt/veeam/transport/veeamtransport --set-option BaseLogDirectory --set-option-value /var/log/VeeamBackup
tapeadmin ALL=(root) /opt/veeam/transport/veeamtransport --set-option FirewallPortRange --set-option-value *
tapeadmin ALL=(root) /opt/veeam/transport/veeamtransport --enable-restricted-mode
tapeadmin ALL=(root) /opt/veeam/transport/veeamtransport --set-option MaxLogSize --set-option-value 10485760
tapeadmin ALL=(root) /opt/veeam/transport/veeamtransport --set-option MaxLogCount --set-option-value 10
tapeadmin ALL=(root) /opt/veeam/transport/veeamtransport --get-port
tapeadmin ALL=(root) /opt/veeam/transport/veeamtransport --uninstall
tapeadmin ALL=(root) /bin/rm -rf /opt/veeam/transport
 
#TAPE
tapeadmin ALL=(root) /opt/veeam/tapeproxy/veeamtapeproxy --set-owner *
tapeadmin ALL=(root) /opt/veeam/tapeproxy/veeamtapeproxy --uninstall
tapeadmin ALL=(root) /bin/rm -rf /opt/veeam/tapeproxy
 
#Additions
tapeadmin ALL=(root) /bin/test -d /tmp/
tapeadmin ALL=(root) /bin/rm -f /tmp/Veeam*
tapeadmin ALL=(root) /bin/touch /tmp/Veeam*
tapeadmin ALL=(root) /bin/chmod 0700 /tmp/Veeam*
 
# Upload and unpack deployer
tapeadmin ALL=(root) /usr/bin/chmod 0766 /opt/veeam/Upload/*                                                                                                                             
tapeadmin ALL=(root) /usr/bin/mkdir --parents /opt/veeam/deployment
tapeadmin ALL=(root) /usr/bin/mkdir --parents /opt/veeam/Upload/*
tapeadmin ALL=(root) /usr/bin/touch /opt/veeam/Upload/*                                                                                                                                                
tapeadmin ALL=(root) /bin/touch /tmp/VeeamDeploymentSvc*
tapeadmin ALL=(root) /bin/tar xvzf /tmp/VeeamDeploymentSvc* -C /opt/veeam/deployment --no-same-owner
tapeadmin ALL=(root) /bin/cp -f /home/tapeadmin/* /tmp/VeeamDeploymentSvc*
tapeadmin ALL=(root) /bin/chmod 0644 /tmp/VeeamDeploymentSvc*
tapeadmin ALL=(root) /bin/cp -f /home/tapeadmin/* /opt/veeam/Upload/*
tapeadmin ALL=(root) /usr/bin/rm -f /tmp/VeeamDeploymentSvc*
tapeadmin ALL=(root) /bin/rm -rf /opt/veeam/Upload/*
tapeadmin ALL=(root) /bin/ls -d /opt/veeam/deployment
 
# Set rights
tapeadmin ALL=(root) /bin/chown -hR root /opt/veeam/deployment
tapeadmin ALL=(root) /bin/find /opt/veeam/deployment -type d
tapeadmin ALL=(root) /bin/chmod 755 /opt/veeam/*                                                                                              
tapeadmin ALL=(root) /bin/find /opt/veeam/deployment -type f -not -path /opt/veeam/deployment/veeamdeploymentsvc
tapeadmin ALL=(root) /bin/chmod 644 /opt/veeam/deployment/*
tapeadmin ALL=(root) /bin/chmod 744 /opt/veeam/deployment/veeamdeploymentsvc

This will ensure the user tapeadmin is only allowed to pass the commands mentioned above with the sudo level permissions.

The permissions are listed on the official veeam KB article referenced below :

https://www.veeam.com/kb4558

Save the sudoers file and exit and consider rebooting the server once using the below command

sudo reboot OR sudo init 6

once server is rebooted we will restrict the user SSH permissions to further narrow down the access for the tapeadmin.

sudo nano /etc/ssh/sshd_config

Add the below given commands at end of the configuration file

Match User tapeadmin
PasswordAuthentication yes
PubKeyAuthentication no

Save the file and exit and restart the SSH service in order to reflect the changes.

sudo systemctl restart sshd

Now we have sucessfully configured the harderned tapeserver on the linux based ubuntu server. On the upcoming sections we will cover more information topics on the veeam backup & replication solution.