Bareos Security Issues
Security means being able to restore your files, so read the Critical Items Chapter of this manual.
The clients (bareos-fd) must run as root to be able to access all the system files.
It is not necessary to run the Director as root.
It is not necessary to run the Storage daemon as root, but you must ensure that it can open the tape drives, which are often restricted to root access by default. In addition, if you do not run the Storage daemon as root, it will not be able to automatically set your tape drive parameters on most OSes, since these functions unfortunately require root access.
You should restrict access to the Bareos configuration files, so that the passwords are not world-readable. The Bareos daemons are password protected using CRAM-MD5 (i.e. the password is not sent across the network). This will ensure that not everyone can access the daemons. It is a reasonably good protection, but can be cracked by experts.
If you are using the recommended ports 9101, 9102, and 9103, you will probably want to protect these ports from external access using a firewall.
You should ensure that the Bareos working directories are readable and writable only by the Bareos daemons.
Don’t forget that Bareos is a network program, so anyone anywhere on the network with the console program and the Director’s password can access Bareos and the backed up data.
You can restrict what IP addresses Bareos will bind to by using the appropriate DirAddress, FDAddress, or SDAddress records in the respective daemon configuration files.
The new systemd service uses the systemd default service type ‘Simple’, which logs startup errors to the systemd journal. This is particularly useful for debugging startup errors. However, it could also leak sensitive information to the journal. Although access to the systemd journal is sensitive and therefore restricted by default, you might want to verify that your installation is strict enough.
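The file-permission items above (configuration files that hold passwords, and the working directories) can be checked with a short script. This is an added example, not part of Bareos or its manual; the /etc/bareos and /var/lib/bareos paths in the usage comment and the `Password = ...` line format it searches for are assumptions about a typical installation.

```shell
#!/bin/sh
# Added example, not Bareos code. Directories are supplied by the caller.

# Print regular files under $1 that hold a Password directive and are
# readable by "other". Assumes directives look like: Password = "..."
world_readable_secrets() {
    find "$1" -type f -perm -004 \
        -exec grep -liE '^[[:space:]]*Password[[:space:]]*=' {} + || true
}

# Print entries under $1 (the directory itself included) that grant any
# permission bit to "other". Symlinks are skipped: their own mode bits
# do not control access.
world_accessible() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# audit CONFDIR WORKDIR: print findings; return 0 if clean, 1 otherwise.
audit() {
    rc=0
    secrets=$(world_readable_secrets "$1")
    if [ -n "$secrets" ]; then
        printf '%s\n' "$secrets" | sed 's/^/password readable by others: /'
        rc=1
    fi
    loose=$(world_accessible "$2")
    if [ -n "$loose" ]; then
        printf '%s\n' "$loose" | sed 's/^/working dir entry open to others: /'
        rc=1
    fi
    return "$rc"
}

# Usage (assumed default paths): sh audit.sh /etc/bareos /var/lib/bareos
if [ "$#" -eq 2 ]; then
    audit "$1" "$2"
fi
```

Only the "other" permission bits are checked; whether group access is acceptable depends on which accounts share the daemons' group.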
Secure Erase Command
Strict industry standards and government regulations force organizations to mitigate the risk of unauthorized exposure of confidential corporate and government data. Regulations in the United States include HIPAA (Health Insurance Portability and Accountability Act); FACTA (The Fair and Accurate Credit Transactions Act of 2003); GLB (Gramm-Leach Bliley); Sarbanes-Oxley Act (SOx); and Payment Card Industry Data Security Standards (PCI DSS). In the United Kingdom there is the Data Protection Act. Failure to comply can result in fines and damage to company reputation, as well as civil and criminal liability.
Bareos supports the secure erase of files that usually are simply deleted. Bareos uses an external command to do the secure erase itself.
This makes it easy to choose a tool that meets the secure erase requirements.
To configure this functionality, a new configuration directive with the name Secure Erase Command has been introduced.
This directive is optional and can be configured in:
This directive configures the secure erase command globally for the daemon it was configured in.
If set, the secure erase command is used to delete files instead of the normal delete routine.
If files are securely erased during a job, the secure delete command output will be shown in the job log.
08-Sep 12:58 win-fd JobId 10: secure_erase: executing C:/cygwin64/bin/shred.exe "C:/temp/bareos-restores/C/Program Files/Bareos/Plugins/bareos_fd_consts.py"
08-Sep 12:58 win-fd JobId 10: secure_erase: executing C:/cygwin64/bin/shred.exe "C:/temp/bareos-restores/C/Program Files/Bareos/Plugins/bareos_sd_consts.py"
08-Sep 12:58 win-fd JobId 10: secure_erase: executing C:/cygwin64/bin/shred.exe "C:/temp/bareos-restores/C/Program Files/Bareos/Plugins/bpipe-fd.dll"
The current status of the secure erase command is also shown in the output of status director, status client and status storage.
If the secure erase command is configured, the current value is printed.
* status dir
backup1.example.com-dir Version: 15.3.0 (24 August 2015) x86_64-suse-linux-gnu suse openSUSE 13.2 (Harlequin) (x86_64)
Daemon started 08-Sep-15 12:50. Jobs: run=0, running=0 mode=0 db=postgresql
 Heap: heap=290,816 smbytes=89,166 max_bytes=89,166 bufs=334 max_bufs=335
 secure erase command='/usr/bin/wipe -V'
Example for Secure Erase Command Settings:
Secure Erase Command = "/usr/bin/wipe -V"
Secure Erase Command = "C:/cygwin64/bin/shred.exe"
Our tests with the sdelete command were not successful, as sdelete seems to stay active in the background.