- Knowledge Base Listing Page
- How to configure hardened repository on Red Hat Enterprise Linux 8 with NIST 800-171 security profile
How to configure hardened repository on Red Hat Enterprise Linux 8 with NIST 800-171 security profile
| KB ID: | 4250 |
| Product: | Veeam Backup & Replication | 11 |
| Published: | 2021-12-10 |
| Last Modified: | 2022-04-07 |
Cheers for trusting us with the spot in your mailbox!
Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest
Challenge
The underlying SSH channel is closed
Solution
I. Disable tmux automatic startup when logging in on the system.
The NIST 800-171 security profile on Red Hat Enterprise Linux 8 includes tmux automatic startup system-wide. To successfully deploy the Veeam services on the system, tmux must be temporarily disabled. Usually, it is configured in /etc/bashrc for all users on the system as shown here:
[user@rhel8 ~]$ sudo grep tmux /etc/bashrc
case "$name" in sshd|login) exec tmux ;; esac
[user@rhel8 ~]$ sudo grep tmux /etc/bashrc
#case "$name" in sshd|login) exec tmux ;; esac
II. Set umask value to 022 for the account used by Veeam
Next, configure umask value to 022 for the user assigned to Veeam to use when adding the Linux server.
There are two scenarios for this:
a) When elevating account privileges automatically (not using the "Use 'su' if 'sudo' fails" option):
Defaults:user umask_override
Defaults:user umask=0022echo "umask 022" >> .bash_profile
sudo echo "umask 022" >> .bash_profileIII. Add the Linux server to Veeam Backup & Replication
2. Click Next (twice) through the following pages of the New Linux Server wizard, and STOP when the button changes from [Next] to [Apply].
3. Once you click [Apply], the deployment will begin. During the deployment, when you see the line "Testing Veeam Data Mover service connection," you will have three minutes to send the series of commands below to mark the Veeam binaries as trusted by fapolicyd. Before you click [Apply], we advise that you connect to the Linux server you are adding and prepare to enter the commands at the appropriate time, as mentioned above. Click [Apply] when you are ready to proceed.
sudo fapolicyd-cli --file add /opt/veeam/transport/veeamagentsudo fapolicyd-cli --file add /opt/veeam/transport/veeamtransport
sudo fapolicyd-cli --file add /opt/veeam/transport/veeamimmureposvcsudo systemctl restart fapolicydIf you see messages like "Cannot open /opt/veeam/transport/veeamagent" the deployment process has failed, and the Veeam Data Mover service binaries have been uninstalled. If this occurs, click [Previous] and click [Apply] to repeat the deployment process. Try again entering the commands during the "Testing Veeam Data Mover service connection" step.
4. The first deployment attempt will fail despite applying the rules correctly, because the the Veeam Data Mover service processes fail to start due to fapolicyd. If you have entered the commands correctly to mark the Veeam binaries as trusted by fapolicyd when you click [Previous] and then click [Apply] again, the deployment process will succeed.
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.
Spelling error in text
Thank you!
Your feedback has been received and will be reviewed.
Oops! Something went wrong.
Please try again later.
KB Feedback/Suggestion
This form is only for KB Feedback/Suggestions, if you need help with the software open a support case
Thank you!
Your feedback has been received and will be reviewed.