How to configure hardened repository on Red Hat Enterprise Linux 8 with NIST 800-171 security profile

KB ID: 4250
Product: Veeam Backup & Replication | 11
Published: 2021-12-10
Last Modified: 2022-04-07

Challenge

When trying to add a RHEL 8 Linux server with the NIST 800-171 security profile enabled to Veeam Backup and Replication, the following general failures may occur:
The underlying SSH channel is closed
[Screenshot: a Linux server failing to be added with the error "The underlying SSH channel is closed"]
The process may also fail during the deployment section of adding the Linux server:
[Screenshot: errors during the testing of the Veeam Data Mover connection]

Solution

I. Disable tmux automatic startup when logging in on the system.

The NIST 800-171 security profile on Red Hat Enterprise Linux 8 includes tmux automatic startup system-wide. To successfully deploy the Veeam services on the system, tmux must be temporarily disabled. Usually, it is configured in /etc/bashrc for all users on the system as shown here:

[user@rhel8 ~]$ sudo grep tmux /etc/bashrc
  case "$name" in sshd|login) exec tmux ;; esac
To disable the automatic launching of tmux, edit the /etc/bashrc file and comment out the line containing tmux. When complete, /etc/bashrc should match the grep output below.
[user@rhel8 ~]$ sudo grep tmux /etc/bashrc
  #case "$name" in sshd|login) exec tmux ;; esac

II. Set umask value to 022 for the account used by Veeam

Next, configure umask value to 022 for the user assigned to Veeam to use when adding the Linux server.

There are two scenarios for this:

a) When elevating account privileges automatically (not using the "Use 'su' if 'sudo' fails" option):

Set the default umask in the /etc/sudoers file by adding these two rules (replace user with the name of the account used by Veeam):
Defaults:user umask_override
Defaults:user umask=0022
As an alternative, the umask can be configured permanently for this user's login sessions. You can do it in a way convenient for you; for example, set it directly in the user's bash profile:
echo "umask 022" >> ~/.bash_profile
b) When elevating account privileges using root:
In this case, the default umask must be set for the root user's login sessions. You can do it in a way convenient for you; for example, set it directly in root's bash profile (note that "sudo echo ... >> file" would not work, because the redirection is performed by the unprivileged shell, so tee is used to write the file as root):
echo "umask 022" | sudo tee -a /root/.bash_profile
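The two preparation steps above (commenting out the tmux line and setting the umask for sudo and for a login profile) are easy to get subtly wrong by hand, and the KB's closing note asks you to revert them afterwards. The following script is an added example, not Veeam's code: it wraps steps I and II in idempotent functions that take file paths as parameters, so each can first be exercised against a copy of the file. The sudoers drop-in path /etc/sudoers.d/veeam-umask, the VEEAM_ACCOUNT variable and the VEEAM_PREP switch are assumptions introduced here.

```shell
#!/bin/sh
# Added example, not part of the Veeam KB: idempotent helpers for steps I and II.
# Every path is a parameter so the functions can be exercised on copies first;
# the sudoers drop-in path and VEEAM_ACCOUNT below are assumptions, not KB values.
set -eu

# Step I: comment out the system-wide "exec tmux" line (in /etc/bashrc or a copy).
disable_tmux_autostart() {
    sed -i -E '/^[[:space:]]*case .*exec tmux/ s/^([[:space:]]*)/\1#/' "$1"
}

# Reverse of the above, for the KB's closing "you can enable tmux again".
enable_tmux_autostart() {
    sed -i -E '/^[[:space:]]*#[[:space:]]*case .*exec tmux/ s/#//' "$1"
}

# Exit 0 when an uncommented "exec tmux" line is still present (step I not done yet).
tmux_autostart_active() {
    grep -Eq '^[[:space:]]*case .*exec tmux' "$1"
}

# Step II a): the two Defaults rules for the Veeam account, written to a sudoers
# drop-in (assumed path /etc/sudoers.d/veeam-umask) so /etc/sudoers itself is untouched.
write_sudoers_umask() {
    printf 'Defaults:%s umask_override\nDefaults:%s umask=0022\n' "$1" "$1" > "$2"
    chmod 0440 "$2"
}

# Step II b) and the closing note: set "umask VALUE" in a bash profile, replacing an
# existing umask line instead of appending a second one, so 022 -> 027 is a clean flip.
set_profile_umask() {
    local profile="$1" value="$2"
    if grep -Eq '^umask[[:space:]]' "$profile" 2>/dev/null; then
        sed -i -E "s/^umask[[:space:]].*/umask ${value}/" "$profile"
    else
        printf 'umask %s\n' "$value" >> "$profile"
    fi
}

# Only touch the live system when asked explicitly, e.g.
#   sudo env VEEAM_PREP=apply VEEAM_ACCOUNT=veeam sh ./prep-veeam-host.sh
if [ "${VEEAM_PREP:-}" = "apply" ]; then
    disable_tmux_autostart /etc/bashrc
    write_sudoers_umask "${VEEAM_ACCOUNT:?set VEEAM_ACCOUNT to the Veeam user}" /etc/sudoers.d/veeam-umask
    set_profile_umask /root/.bash_profile 022
fi
```

After writing the drop-in, validate it with visudo -cf /etc/sudoers.d/veeam-umask before opening a new session; once the server has been added, enable_tmux_autostart /etc/bashrc and set_profile_umask /root/.bash_profile 027 undo the relaxation as the end of this KB describes.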

III. Add the Linux server to Veeam Backup & Replication

In the steps below, there is a part where you will manually add the Veeam binaries to the fapolicyd trust; this procedure is time-sensitive. Please read all steps in this section before proceeding to understand what to expect. The "Apply" tab's deployment process will have to be attempted twice. During the first attempt, you will have three minutes to set the Veeam binaries as trusted. Because the binaries were not trusted, the deployment will fail, and you will click the [Previous] button and then [Apply] again to retry. The second time the Apply tab attempts to deploy the binaries, they will be trusted, and deployment will succeed.
1. Add the Linux server to Veeam Backup & Replication using the "Single-use credentials for hardened repository" option.
[Screenshot: adding the Linux server with "Single-use credentials for hardened repository"]

2. Click Next (twice) through the following pages of the New Linux Server wizard, and STOP when the button changes from [Next] to [Apply].

3. Once you click [Apply], the deployment will begin. During the deployment, when you see the line "Testing Veeam Data Mover service connection," you will have three minutes to send the series of commands below to mark the Veeam binaries as trusted by fapolicyd. Before you click [Apply], we advise that you connect to the Linux server you are adding and prepare to enter the commands at the appropriate time, as mentioned above. Click [Apply] when you are ready to proceed.

[Screenshot: the "Testing Veeam Data Mover service connection" step, during which you have 3 minutes to add the binaries to the fapolicyd trust]
During the first deployment attempt, when you see the line "Testing Veeam Data Mover service connection" you have 3 minutes to run the following four commands to mark the Veeam Data Mover service binaries as trusted by the fapolicyd framework:
sudo fapolicyd-cli --file add /opt/veeam/transport/veeamagent
sudo fapolicyd-cli --file add /opt/veeam/transport/veeamtransport
sudo fapolicyd-cli --file add /opt/veeam/transport/veeamimmureposvc
sudo systemctl restart fapolicyd

If you see messages like "Cannot open /opt/veeam/transport/veeamagent" the deployment process has failed, and the Veeam Data Mover service binaries have been uninstalled. If this occurs, click [Previous] and click [Apply] to repeat the deployment process. Try again entering the commands during the "Testing Veeam Data Mover service connection" step.

4. The first deployment attempt will fail despite applying the rules correctly, because the Veeam Data Mover service processes fail to start due to fapolicyd. If you have entered the commands correctly to mark the Veeam binaries as trusted by fapolicyd, the deployment process will succeed when you click [Previous] and then click [Apply] again.

[Screenshot: successful deployment]
5. Click [Finish] to complete adding the Linux Server.
After successfully adding the Linux server to Veeam Backup and Replication, you can enable tmux again and set umask to 027. The Veeam Data Mover service binaries must remain trusted by fapolicyd.
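Step 3 gives you a three-minute window in which to type four commands by hand, and a miss means a failed deployment and a retry. The script below is an added example, not Veeam's code: started on the Linux server before clicking [Apply], it polls for the three Data Mover binaries the KB names and runs the KB's trust commands the moment all of them exist, then checks the trust listing. The binary paths are the ones the KB lists; the TRANSPORT_DIR, FAPOLICYD_CLI and SYSTEMCTL variables are assumptions added so the logic can be tested without a live fapolicyd, and the check that fapolicyd-cli --file list prints each trusted path is an assumption about that tool's output.

```shell
#!/bin/sh
# Added example, not part of the Veeam KB: takes the timing pressure out of step 3
# by polling for the Data Mover binaries and trusting them the moment they appear.
# Start it as root on the Linux server before clicking [Apply]:
#   sudo sh ./trust-veeam.sh run
# Assumptions: the three paths are the ones the KB lists; FAPOLICYD_CLI and SYSTEMCTL
# are overridable so the logic can be tested without a real fapolicyd; that
# "fapolicyd-cli --file list" prints each trusted path is an assumption about its output.
set -eu

TRANSPORT_DIR="${TRANSPORT_DIR:-/opt/veeam/transport}"
FAPOLICYD_CLI="${FAPOLICYD_CLI:-fapolicyd-cli}"
SYSTEMCTL="${SYSTEMCTL:-systemctl}"
BINARIES="veeamagent veeamtransport veeamimmureposvc"
WINDOW_SECONDS=180   # the KB's three-minute window

# Return 0 once every binary exists under $1, polling once a second for up to $2 seconds.
wait_for_binaries() {
    local dir="$1" timeout="$2" elapsed=0 missing b
    while [ "$elapsed" -lt "$timeout" ]; do
        missing=0
        for b in $BINARIES; do
            [ -f "$dir/$b" ] || missing=1
        done
        [ "$missing" -eq 0 ] && return 0
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 1
}

# The KB's four commands: add each binary to the trust database, then restart fapolicyd.
trust_binaries() {
    local dir="$1" b
    for b in $BINARIES; do
        "$FAPOLICYD_CLI" --file add "$dir/$b"
    done
    "$SYSTEMCTL" restart fapolicyd
}

# Return 0 only if every binary path appears in the trust listing.
binaries_trusted() {
    local dir="$1" b listing
    listing="$("$FAPOLICYD_CLI" --file list)"
    for b in $BINARIES; do
        printf '%s\n' "$listing" | grep -Fq "$dir/$b" || return 1
    done
    return 0
}

main() {
    if ! wait_for_binaries "$TRANSPORT_DIR" "$WINDOW_SECONDS"; then
        echo "binaries did not appear within ${WINDOW_SECONDS}s; was [Apply] clicked?" >&2
        return 1
    fi
    trust_binaries "$TRANSPORT_DIR"
    if binaries_trusted "$TRANSPORT_DIR"; then
        echo "Data Mover binaries are trusted by fapolicyd"
    else
        echo "trust listing does not show all Data Mover binaries" >&2
        return 1
    fi
}

# Run the watcher only when invoked with "run", so the functions can also be sourced.
if [ "${1:-}" = "run" ]; then main; fi
```

Because the first deployment attempt still fails (the services were started before the trust database was reloaded), the script only removes the risk of missing the window; steps 4 and 5 are unchanged. The binaries_trusted check is also a quick way to confirm, after the server is in production, that the trust entries the KB says must remain are still present.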