Configuring Ubuntu Linux Server
When you configure system settings, consider the following Veeam recommendations:
- To be compliant with DISA STIG UBTU-20-010009, set a password for GRUB. To configure the setting manually, do the following:
- Create a password using the grub-mkpasswd-pbkdf2 command:
grub-mkpasswd-pbkdf2
Enter password:
Reenter password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.C0F70D240A8BC5C1BC4E1303EC4F040957C1AF1BB8E99EED573133D3A017BE9B2BB48E52577A141B3A6952527A9D1BEF13E2BB29978DA71F2D867EBB03545021.C4E81CAE7B464E78B15DF0A578B63BAB3A0CB180C311AFA5A85F6245800D11D40B37B817C3F30348EE603AF725B7E09B98A291114B0206D[…]
- Add a user name and a password hash at the end of the /etc/grub.d/40_custom file:
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.C0F70D240A8BC5F[…]
- To disable asking for credentials after rebooting the system and require them only when editing boot menu entries, open the /etc/grub.d/10_linux file and add the --unrestricted parameter to the CLASS variable:
CLASS="--class gnu-linux --class gnu --class os --unrestricted"
- Update the GRUB configuration:
sudo update-grub
- To be compliant with DISA STIG UBTU-20-010455, disable all wireless network adapters, as described in this DISA STIG article.
- If you do not use a proxy server and the Linux server is allowed outgoing HTTP internet access, limit outgoing HTTP traffic to the Ubuntu servers only or use an internal Ubuntu mirror. To receive Linux security updates, the server must have access to the Linux distribution security update servers.
- For the separate directory that you created for the backup data, allow access only for the user account you created during the installation. Use the following commands:
- To assign the directory's owner:
chown -R owner:group <dir_path>
Both owner and group must be the user account you created during the installation.
- To allow access to the directory only for its owner and the root account:
chmod 700 <dir_path>
- To be compliant with DISA STIG UBTU-20-010012, you must have only two users:
- The root account. Note that by default the root account has a blank password and cannot be used for connection.
- The user account you created during the installation. This account will be used to connect to the Linux server and deploy required Veeam Backup & Replication components including persistent Veeam Data Mover, or transport service. For more information about Veeam Data Movers, see this section.
By default, the user account you created during the installation is a member of the sudo group and has enough privileges to deploy and install required Veeam Backup & Replication components. In that case, when you add a Linux server as a hardened repository to the backup infrastructure and specify single-use credentials, you do not need to enter the password for the root account. After the repository is added, you must remove the user account from the sudo group to make it a non-root account. To do this, perform the following steps:
- Allow the user account to reboot and shut down the operating system:
sudo bash -c "echo 'user1 ALL = (root) NOEXEC: /usr/sbin/reboot' >> /etc/sudoers"
sudo bash -c "echo 'user1 ALL = (root) NOEXEC: /usr/sbin/shutdown' >> /etc/sudoers"
- Remove the user account from the sudo group:
sudo deluser user1 sudo
Note that the next time you log in with this user account, it will no longer have sudo permissions. If you need to execute commands as a privileged user, you must boot the operating system into single-user mode.
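
A read-only audit of the settings described above, as an added example that is not part of the original documentation: it checks the GRUB password and --unrestricted edits, the backup directory's owner and mode, and sudo group membership. The function names, the two-argument usage and the /boot/grub/grub.cfg path (the file update-grub writes on Ubuntu) are assumptions; the sudo check covers only supplementary membership listed in /etc/group.

```shell
#!/bin/sh
# Added example: audits the end state of the steps on this page. Run as root.
# Each check takes its file as an argument so it can be pointed at a copy.

# A superuser and a matching PBKDF2 password line exist in the given GRUB file.
grub_password_set() {
    admin=$(sed -n 's/^[[:space:]]*set superusers="\([^"]*\)".*/\1/p' "$1" | head -n 1)
    [ -n "$admin" ] || return 1
    grep -Eq "^[[:space:]]*password_pbkdf2[[:space:]]+$admin[[:space:]]+grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-F]+\.[0-9A-F]+" "$1"
}

# CLASS carries --unrestricted: booting needs no credentials, editing entries does.
grub_class_unrestricted() {
    grep -Eq '^[[:space:]]*CLASS="[^"]*--unrestricted[^"]*"' "$1"
}

# Directory is owned by owner:group with mode 700 (GNU stat, as shipped on Ubuntu).
repo_dir_locked() {
    [ -d "$1" ] && [ "$(stat -c '%U:%G %a' "$1")" = "$2:$3 700" ]
}

# User is listed as a member of the group in an /etc/group-format file.
user_in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }' "${3:-/etc/group}"
}

# audit <repo_dir> <user>: report every setting that does not match the page.
audit() {
    rc=0
    grub_password_set /etc/grub.d/40_custom || { echo "FAIL: no GRUB password in 40_custom"; rc=1; }
    grub_password_set /boot/grub/grub.cfg || { echo "FAIL: grub.cfg has no password, run update-grub"; rc=1; }
    grub_class_unrestricted /etc/grub.d/10_linux || echo "NOTE: every boot will prompt for GRUB credentials"
    repo_dir_locked "$1" "$2" "$2" || { echo "FAIL: $1 is not $2:$2 with mode 700"; rc=1; }
    if user_in_group "$2" sudo; then echo "FAIL: $2 is still in the sudo group"; rc=1; fi
    return "$rc"
}

if [ "$#" -eq 2 ]; then audit "$@"; fi
```

Checking the generated grub.cfg as well as 40_custom catches the case where the edit was made but update-grub was never run.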