How does Veeam Hardened / Immutable Repository work?

To prevent the loss of backup files due to ransomware, malware, or even unplanned actions, it is recommended to use immutable backup repositories and the 3-2-1-1-0 data protection architectural rule.

One of the options available since release 11 of Veeam Backup & Replication is using a Linux server, taking advantage of the native file protection capabilities of this operating system as a backup repository.

The Veeam Hardened Linux Repository supports the following features:

  • File immutability: we specify an immutability period, and during that time the backup files cannot be modified or deleted.
  • Single-use credentials: this is one of the most critical security points. The Linux user credentials are used only once, during the initial deployment of the Veeam Data Mover, which happens when the Linux server is added to the backup infrastructure. They are not stored anywhere in the backup infrastructure afterwards. Even if the Veeam Backup & Replication server is compromised, the attacker cannot obtain these credentials and connect to the protected repository.

Two Veeam services are used to implement and control immutability in this solution:

  • Transport service.
  • Immutability service.

After installation, the transport service runs as a non-root user. In our example here, we create the user “veeamadmin”. The transport service is responsible for communicating with the backup server, obtaining information about the immutability period, and forwarding it to the immutability service for processing.

The immutability service runs with root permissions and is a child process of the transport service. Every twenty minutes it checks the immutability attributes of the backup files, calculates how long each file must remain immutable according to the backup job settings configured in the VBR console, and sets or removes the immutable attribute accordingly.

This is an intelligent mechanism because it keeps backup files from being deleted or modified even if an attacker somehow compromises the transport service.

Using the command “ps aux | grep -i veeam” in the hardened repository, we can see the list of the Veeam processes:

We can see, as stated before, that the “veeamimmureposvc” service has the root attribute:

This service controls the “i” (immutability) attribute of the backup files, as shown in the figure below. After the immutability period, it removes that “i” attribute, allowing the file to be deleted from the backup chain.

Although Veeam’s “veeamimmureposvc” service has root access to set the “i” attribute, it is 100% local, has no network or port access, and cannot be compromised remotely.

When we start a new backup job, we can see the transport service in action:

Analyzing the immutability period for these backup files, we can see that the immutability expiration time matches what was configured in VBR for this backup repository: 7 days.

Conclusion

Since Veeam works with the incremental forever backup chain concept, and a file or object can be part of different backup chains, VBR must be able to control the granular removal of each file or object from an immutable repository.

When Veeam Data Platform discards an old restore point, a file or incremental backup object from that restore point may still belong to a newer restore point that cannot yet be discarded, so VBR must control precisely when immutability is enabled and disabled for that individual file or object.

This is why some object storage solutions do not allow immutability with Veeam: they only implement immutability at the level of the bucket and not on the object level.
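The following Python model, added here as an illustration and not Veeam's own code, shows the decision the immutability service has to make on each check: a file keeps the "i" attribute until the last restore point that still depends on it has passed its immutability period, and only then is the attribute removed so the file can leave the backup chain. The restore points, file names, and the 7-day period are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed model of a hardened repository: each restore point depends on a
# .vbk full backup plus the .vib increments that chain to it, and the repository
# immutability period (7 days, as in the article) applies per restore point.
IMMUTABILITY_PERIOD = timedelta(days=7)

@dataclass(frozen=True)
class RestorePoint:
    name: str
    created: datetime
    files: frozenset  # backup files this restore point depends on

    def immutable_until(self) -> datetime:
        return self.created + IMMUTABILITY_PERIOD

def file_immutable_until(points, path):
    """A shared file stays immutable until the LAST restore point needing it expires."""
    deadlines = [rp.immutable_until() for rp in points if path in rp.files]
    return max(deadlines) if deadlines else None

def plan_attribute_changes(points, current_flags, now):
    """Decide which files get the 'i' attribute set or removed at this check.

    current_flags maps path -> True if the file currently carries +i.
    Returns (to_set, to_remove) as sorted lists of paths.
    """
    to_set, to_remove = [], []
    for path, has_i in sorted(current_flags.items()):
        until = file_immutable_until(points, path)
        should_be_immutable = until is not None and now < until
        if should_be_immutable and not has_i:
            to_set.append(path)
        elif not should_be_immutable and has_i:
            to_remove.append(path)
    return to_set, to_remove

# Constructed forward-incremental chain: a full on day 0, then increments that
# each depend on the full and on every earlier increment.
T0 = datetime(2024, 1, 1)
POINTS = [
    RestorePoint("RP0", T0, frozenset({"job.vbk"})),
    RestorePoint("RP1", T0 + timedelta(days=1), frozenset({"job.vbk", "job-1.vib"})),
    RestorePoint("RP2", T0 + timedelta(days=2), frozenset({"job.vbk", "job-1.vib", "job-2.vib"})),
]
FLAGS = {"job.vbk": True, "job-1.vib": True, "job-2.vib": False}

if __name__ == "__main__":
    # Day 8: RP0 and RP1 have expired, but job.vbk is still needed by RP2.
    print(plan_attribute_changes(POINTS, FLAGS, T0 + timedelta(days=8)))
```

On day 8 only the newest increment is flagged for +i, while the full backup stays immutable because RP2 still references it; on day 10 every restore point has expired and the attribute is removed from the files that still carry it.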
