Along this same line (security), I mentioned Verify jobs. For those of you who don't know what I mean, here is an example of a Verify output where I updated my development machine MySQL, CUPS, ... and the kernel, and I forgot to run a new InitCatalog job to update the Bacula database with the new files. I've copied the bacula-users list for this email only (please) because this is something everyone can do today to improve security:
Roxie Bacula: Verify Differences of RufusVerify Verify Catalog From: Roxie Bacula <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] 15-Jun 05:05 roxie-dir: Verifying against JobId=597 Job=RufusVerify.2006-06-14_05.48.10 15-Jun 05:05 roxie-dir: Start Verify JobId=600 Level=Catalog Job=RufusVerify.2006-06-15_05.05.01 15-Jun 05:05 roxie-dir: File: /boot/ 15-Jun 05:05 roxie-dir: st_ino differ. Cat: 2 File: 384769 15-Jun 05:05 roxie-dir: st_nlink differ. Cat: 4 File: 2 15-Jun 05:05 roxie-dir: File: /usr/bin/mysql_create_system_tables 15-Jun 05:05 roxie-dir: st_ino differ. Cat: 611733 File: 611732 15-Jun 05:05 roxie-dir: File: /usr/bin/mysqlaccess 15-Jun 05:05 roxie-dir: st_ino differ. Cat: 610970 File: 606365 15-Jun 05:05 roxie-dir: File: /usr/bin/import 15-Jun 05:05 roxie-dir: st_ino differ. Cat: 606117 File: 611567 15-Jun 05:05 roxie-dir: SHA1 differs. 15-Jun 05:05 roxie-dir: File: /usr/bin/cupsdconf 15-Jun 05:05 roxie-dir: st_ino differ. Cat: 609038 File: 606422 15-Jun 05:05 roxie-dir: SHA1 differs. ... 15-Jun 05:07 roxie-dir: File: /etc/rc.d/init.d/mysqld 15-Jun 05:07 roxie-dir: st_ino differ. Cat: 400941 File: 401245 15-Jun 05:07 roxie-dir: 15-Jun 05:07 roxie-dir: The following files are missing: 15-Jun 05:07 roxie-dir: /boot/lost+found/ 15-Jun 05:07 roxie-dir: /boot/grub/ 15-Jun 05:07 roxie-dir: /boot/grub/grub.conf 15-Jun 05:07 roxie-dir: /boot/grub/splash.xpm.gz 15-Jun 05:07 roxie-dir: /boot/grub/menu.lst ... 15-Jun 05:07 roxie-dir: /boot/initrd-2.6.16-1.2133_FC5smp.img 15-Jun 05:07 roxie-dir: /boot/System.map-2.6.16-1.2133_FC5smp 15-Jun 05:07 roxie-dir: /boot/config-2.6.16-1.2133_FC5smp 15-Jun 05:07 roxie-dir: /boot/vmlinuz-2.6.16-1.2133_FC5smp 15-Jun 05:07 roxie-dir: RufusVerify.2006-06-15_05.05.01 Error: Bacula 1.38.10 (04Jun06): 15-Jun-2006 05:07:01 JobId: 600 Job: RufusVerify.2006-06-15_05.05.01 FileSet: Verify Set Verify Level: Catalog Client: RufusVerify Verify JobId: 597 Verify Job: Start time: 15-Jun-2006 05:05:53 End time: 15-Jun-2006 05:07:01 Files Examined: 7,545 Non-fatal FD errors: 0 FD termination status: OK Termination: *** Verify Error *** Note, I've set it up so that I only get these emails if there is an error otherwise, the job report is simply recorded in the Bacula log file. For Bacula users who may not have seen the proposal below, it has been discussed on the bacula-devel list, and everyone agrees (including me) agrees that it is a good proposal that should be implemented. On Wednesday 14 June 2006 20:30, Elrond wrote: > Hi, > > The issue I'm considering here is a compromised director or > a compromised fd password (brute forced for example). > > (Of course, if you have the fd password, you can setup a > fake director. That's why all following text does not > distinguish between the two compromises.) > > > There are two importants threats involved: > > (1) ClientRunBeforeJob and ClientRunAfterJob > > basicly setting up a fake backup job using any > useful commands to compromise the client machine > can be used here. > > Note that those usually run as root. > > (2) Restore > > For example restore /etc/passwd and /etc/shadow > onto the victim client box. Or /etc/ssh/* and wait > for sshd being restarted (you can use (1) for that) > > > Suggestion for a solution: > > (1) IgnoreClientRunBeforeAndAfterJobs = yes > in bacula-fd.conf. > > This should stop any of ClientRunBeforeJob or > ClientRunAfterJob completely. To aid in debugging > issues, the attempt should be logged. > > (2) AllRestoresToDirectory = /tmp/bacula-restore > in bacula-fd.conf. > > This lets any restored files go to the named > directory. Putting / in there would yield the old > behaviour. > > Note that it can be discussed, whether these options should > be fd global or per director, that is listed in > bacula-fd.conf. > > > Utilising these suggested options, a compromised > director/fd password means, that all your data is > compromised (they can start a backup job and get it), but > the machine itself is not compromised. (it can even > continue to work normally). > > > Credit for the two option names goes to Dan Langille. > > > Elrond > > > _______________________________________________ > Bacula-devel mailing list > [EMAIL PROTECTED] > https://lists.sourceforge.net/lists/listinfo/bacula-devel -- Best regards, Kern ("> /\ V_V _______________________________________________ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
