.. _SecurityChapter:

Bareos Security Issues
======================

:index:`\ <single: Security>`\

- Security means being able to restore your files, so read the :ref:`Critical Items Chapter <Critical>` of this manual.

- The clients (bareos-fd) must run as root to be able to access all the system files.

- It is not necessary to run the Director as root.

- It is not necessary to run the Storage daemon as root, but you must ensure that it can open the tape drives, which are often restricted to root access by default. In addition, if you do not run the Storage daemon as root, it will not be able to automatically set your tape drive parameters on most OSes, since these functions unfortunately require root access.

- You should restrict access to the Bareos configuration files, so that the passwords are not world-readable. The Bareos daemons are password protected using CRAM-MD5 (i.e. the password is not sent across the network). This will ensure that not everyone can access the daemons. It is a reasonably good protection, but can be cracked by experts.

- If you are using the recommended ports 9101, 9102, and 9103, you will probably want to protect these ports from external access using a firewall and/or using tcp wrappers (/etc/hosts.allow).

- By default, all data that is sent across the network is unencrypted. However, Bareos does support TLS (transport layer security) and can encrypt transmitted data. Please read the :ref:`TLS (SSL) Communications Encryption <CommEncryption>` section of this manual.

- You should ensure that the Bareos working directories are readable and writable only by the Bareos daemons.

- The default Bareos :command:`grant_bareos_privileges` script grants all permissions to use the MySQL (and PostgreSQL) database without a password. If you want security, please tighten this up!
- Don’t forget that Bareos is a network program, so anyone anywhere on the network with the console program and the Director’s password can access Bareos and the backed up data.

- You can restrict what IP addresses Bareos will bind to by using the appropriate DirAddress, FDAddress, or SDAddress records in the respective daemon configuration files.

.. _wrappers:

Configuring and Testing TCP Wrappers
------------------------------------

:index:`\ <single: TCP Wrappers>`\ :index:`\ <single: Wrappers; TCP>`\ :index:`\ <single: libwrappers>`\

The TCP wrapper functionality is available on different platforms. By default, it is activated on Bareos for Linux. With this enabled, you may control who may access your daemons. This control is done by modifying the file: /etc/hosts.allow. The program name that Bareos uses when applying these access restrictions is the name you specify in the daemon configuration file (see below for examples). You must not use the twist option in your /etc/hosts.allow or it will terminate the Bareos daemon when a connection is refused.

.. _section-SecureEraseCommand:

Secure Erase Command
--------------------

From https://en.wikipedia.org/w/index.php?title=Data_erasure&oldid=675388437:

   Strict industry standards and government regulations are in place that force organizations to mitigate the risk of unauthorized exposure of confidential corporate and government data. Regulations in the United States include HIPAA (Health Insurance Portability and Accountability Act); FACTA (The Fair and Accurate Credit Transactions Act of 2003); GLB (Gramm-Leach Bliley); Sarbanes-Oxley Act (SOx); and Payment Card Industry Data Security Standards (PCI DSS) and the Data Protection Act in the United Kingdom. Failure to comply can result in fines and damage to company reputation, as well as civil and criminal liability.

Bareos supports the secure erase of files that usually are simply deleted.
Bareos uses an external command to do the secure erase itself.

This makes it easy to choose a tool that meets the secure erase requirements.

To configure this functionality, a new configuration directive with the name :strong:`Secure Erase Command`\ has been introduced.

This directive is optional and can be configured in:

- :config:option:`dir/director/SecureEraseCommand`\

- :config:option:`sd/storage/SecureEraseCommand`\

- :config:option:`fd/client/SecureEraseCommand`\

This directive configures the secure erase command globally for the daemon it was configured in.

If set, the secure erase command is used to delete files instead of the normal delete routine.

If files are securely erased during a job, the secure delete command output will be shown in the job log.

.. code-block:: bareoslog
   :caption: bareos.log

   08-Sep 12:58 win-fd JobId 10: secure_erase: executing C:/cygwin64/bin/shred.exe "C:/temp/bareos-restores/C/Program Files/Bareos/Plugins/bareos_fd_consts.py"
   08-Sep 12:58 win-fd JobId 10: secure_erase: executing C:/cygwin64/bin/shred.exe "C:/temp/bareos-restores/C/Program Files/Bareos/Plugins/bareos_sd_consts.py"
   08-Sep 12:58 win-fd JobId 10: secure_erase: executing C:/cygwin64/bin/shred.exe "C:/temp/bareos-restores/C/Program Files/Bareos/Plugins/bpipe-fd.dll"

The current status of the secure erase command is also shown in the output of status director, status client and status storage.

If the secure erase command is configured, the current value is printed.

Example:

.. code-block:: bconsole

   * <input>status dir</input>
   backup1.example.com-dir Version: 15.3.0 (24 August 2015) x86_64-suse-linux-gnu suse openSUSE 13.2 (Harlequin) (x86_64)
   Daemon started 08-Sep-15 12:50. Jobs: run=0, running=0 mode=0 db=sqlite3
   Heap: heap=290,816 smbytes=89,166 max_bytes=89,166 bufs=334 max_bufs=335
   secure erase command='/usr/bin/wipe -V'

Example for Secure Erase Command Settings:

Linux:
   :strong:`Secure Erase Command = "/usr/bin/wipe -V"`\

Windows:
   :strong:`Secure Erase Command = "C:/cygwin64/bin/shred.exe"`\

Our tests with the :command:`sdelete` command were not successful, as :command:`sdelete` seems to stay active in the background.
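Because the job log records the exact program each daemon executed for secure erase, the log can be audited to confirm that only the approved erase tool was run. The following script is an added example, not part of Bareos or its documentation. It assumes the job-log line layout shown in the bareos.log excerpt above; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit Bareos job-log lines of the form
#   <date> <time> <daemon> JobId <n>: secure_erase: executing <command> "<file>"

# Constructed sample input modelled on the log excerpt (not real job output).
sample_log() {
cat <<'EOF'
08-Sep 12:58 win-fd JobId 10: secure_erase: executing C:/cygwin64/bin/shred.exe "C:/temp/bareos-restores/C/Program Files/Bareos/Plugins/bpipe-fd.dll"
08-Sep 12:58 win-fd JobId 10: Some unrelated job message
08-Sep 13:05 win-fd JobId 11: secure_erase: executing C:/temp/tools/shred.exe "C:/temp/bareos-restores/C/notes.txt"
08-Sep 13:09 lin-fd JobId 12: secure_erase: executing /usr/bin/wipe -V "/tmp/bareos-restores/etc/my file.conf"
EOF
}

# Read a job log on stdin; print "jobid<TAB>command<TAB>file" per secure erase.
# The command may carry arguments and the file name may contain spaces, so the
# split point is the first space-plus-quote after the marker.
parse_secure_erase() {
    awk -v marker='secure_erase: executing ' '
    {
        p = index($0, marker)
        if (p == 0) next
        jobid = "?"
        for (i = 1; i < NF; i++)
            if ($i == "JobId") { jobid = $(i + 1); sub(/:$/, "", jobid); break }
        rest = substr($0, p + length(marker))
        q = index(rest, " \"")
        if (q == 0) next
        cmd = substr(rest, 1, q - 1)
        file = substr(rest, q + 2)
        sub(/"[ \t\r]*$/, "", file)
        printf "%s\t%s\t%s\n", jobid, cmd, file
    }'
}

# Print only the records whose command differs from the approved one ($1).
# The value is passed through the environment so awk does not reinterpret
# backslashes in it.
unexpected_erase_commands() {
    parse_secure_erase | APPROVED="$1" awk -F '\t' '$2 != ENVIRON["APPROVED"]'
}

# Stand-alone run: list erases not performed by the approved Windows tool.
sample_log | unexpected_erase_commands 'C:/cygwin64/bin/shred.exe'
```

Run it per daemon with the value that status reports for that daemon's secure erase command; any record it prints is an erase performed by a different program than the one configured.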