Josh
"would allow the attacker to restore and steal any backed up file from any and
all clients."
This scenario can be completely avoided by encrypting the backup volumes on the
client.
The ScriptsDirectory feature would be helpful to us.
Regards
Steve
________________________________
From: Josh Fisher <jfis...@pvct.com>
Sent: 09 September 2013 21:58
To: bacula-devel@lists.sourceforge.net
Subject: Re: [Bacula-devel] Client run before security concern
On 9/9/2013 3:23 PM, Kern Sibbald wrote:
> On 09/09/2013 05:22 PM, Steve Lee wrote:
>> I'll definitely take a look at the restricted console/ACL capability which
>> seems pretty useful.
>> I guess it won't help though in the case where the server running the director
>> has been compromised and a user can create bacula config files and run the
>> console locally.
>
> Yes, in the case of the Director's machine being compromised, you are really in
> trouble. :-(

Indeed! And quite frankly, a ScriptsDirectory, in the case of a compromised
Director machine, is of little consolation, considering that a compromised
Director machine would allow the attacker to restore and steal any backed up
file from any and all clients.

Fortunately, Steve is running Bacula Dir and SD in a Xen VM. I do much the same
thing, but with KVM. In this scenario, there is no reason to have any listening
ports open except Bacula's ports and SSH. With only 3 open ports, all using
TLS, I consider it about as safe as is possible to be. It would be far easier
to attack the client directly, therefore I consider the chance that Bacula can
be used as an attack vector to be extremely low.
_______________________________________________
Bacula-devel mailing list
Bacula-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-devel