- Veeam Support Knowledge Base
- How to configure hardened repository on Red Hat Enterprise Linux 8 with NIST 800-171 security profile
How to Configure Hardened Repository on Red Hat Enterprise Linux 8 With NIST 800-171 Security Profile
Get weekly article updates
By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.
Cheers for trusting us with the spot in your mailbox!
Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest
Challenge
When trying to add a RHEL 8 Linux server with the NIST 800-171 security profile enable to Veeam Backup and Replication, the following general failures may occur:
The underlying SSH channel is closed
The process may also fail during deployment section of adding the Linux server:
Solution
Part 1: Disable tmux automatic startup when logging in on the system.
The NIST 800-171 security profile on Red Hat Enterprise Linux 8 includes tmux automatic startup system-wide. To successfully deploy the Veeam services on the system, tmux must be temporarily disabled. Usually, it is configured in /etc/bashrc for all users on the system, as shown here:
[user@rhel8 ~]$ sudo grep tmux /etc/bashrc
case "$name" in sshd|login) exec tmux ;; esac
To disable the automatic launching of tmux, edit the /etc/bashrc file and comment out the line with tmux. When complete, the bashrc should be as shown in the grep output below.
[user@rhel8 ~]$ sudo grep tmux /etc/bashrc
#case "$name" in sshd|login) exec tmux ;; esac
Part 2: Set umask value to 022 for the account used by Veeam
Next, configure the umask value to 022 for the user assigned to Veeam to use when adding the Linux server.
There are two scenarios for this:
Scenario A: When elevating account privileges automatically (not using the "Use 'su' if 'sudo' fails" option)
Set default umask in the /etc/sudoers file by adding these two rules:
Defaults:user umask_override
Defaults:user umask=0022
As an alternative, the umask can be configured permanently when logging in on the system as this user. You can do it in a way convenient for you. For example, set it directly in bash profile for a user:
echo "umask 022" >> .bash_profileScenario B: When elevating account privileges using root.
In this case, default umask must be set for the root user when logging in on the system. You can do it in a way convenient for you. For example, set it directly in the bash profile for the root user:
sudo echo "umask 022" >> .bash_profilePart 3: Adding the Linux server to Veeam Backup & Replication
Critical Details
In the steps below, there is a part where you will manually add the Veeam binaries to the fapolicyd trust; this procedure is time-sensitive. Please read all steps in this section before proceeding to understand what to expect. The "Apply" tab's deployment process will have to be attempted twice. During the first attempt, you will have three minutes to set the Veeam binaries as trusted. Because the binaries were not trusted, the deployment will fail, and you will click the [Previous] button and then [Apply] again to retry. The second time the Apply tab attempts to deploy the binaries, they will be trusted, and deployment will succeed.
- Add the Linux server to Veeam Backup & Replication using the "Single-use credentials for hardened repository" option.
- Click Next (twice) through the following pages of the New Linux Server wizard, and STOP when the button changes from [Next] to [Apply].
- [Read this entire step before taking any actions.]
Once you click [Apply], the deployment will begin. During the deployment, when you see the line "Testing Veeam Data Mover service connection," you will have three minutes to send the series of commands below to mark the Veeam binaries as trusted by fapolicyd. Before you click [Apply], we advise that you connect to the Linux server you are adding and prepare to enter the commands at the appropriate time, as mentioned above. Click [Apply] when you are ready to proceed.
During the first deployment attempt, when you see the line "Testing Veeam Data Mover service connection" you have 3 minutes to run the following four commands to mark the Veeam Data Mover service binaries as trusted by the fapolicyd framework:
sudo fapolicyd-cli --file add /opt/veeam/transport/veeamagentsudo fapolicyd-cli --file add /opt/veeam/transport/veeamtransport
sudo fapolicyd-cli --file add /opt/veeam/transport/veeamimmureposvcsudo systemctl restart fapolicydIf you see messages like "Cannot open /opt/veeam/transport/veeamagent" the deployment process has failed, and the Veeam Data Mover service binaries have been uninstalled. If this occurs, click [Previous] and click [Apply] to repeat the deployment process. Try again entering the commands during the "Testing Veeam Data Mover service connection" step.
- The first deployment attempt will fail despite applying the rules correctly because the Veeam Data Mover service processes fail to start due to fapolicyd. If you have entered the commands correctly to mark the Veeam binaries as trusted by fapolicyd when you click [Previous] and then click [Apply] again, the deployment process will succeed.
- Click [Finish] to complete adding the Linux Server.
After successfully adding the Linux server to Veeam Backup and Replication, you can enable tmux again and set umask to 027. The Veeam Data Mover service binaries must remain trusted by fapolicyd.
To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.
Spelling error in text
Thank you!
Your feedback has been received and will be reviewed.
Oops! Something went wrong.
Please try again later.
KB Feedback/Suggestion
This form is only for KB Feedback/Suggestions, if you need help with the software open a support case
Verify your email to continue your product download
We've sent a verification code to:
An email with a verification code was just sent to
Didn't receive the code? Click to resend in sec
Didn't receive the code? Click to resend
Start using Veeam:
Download the product
&
Activate the license key
Thank you!
Your feedback has been received and will be reviewed.