Store backups in an offsite, secure location.
389-BR-002 - severity: medium
| Field | Value |
|---|---|
| Control ID | 389-BR-002 |
| Severity | medium |
| Type | corrective |
| Owner | IT Operations |
| Status | authored |
| NIST 800-53 | CP-6, CP-9 |
| DISA SRG | SRG-APP-000516 |
Rationale
On-host backups are lost along with the host in the scenarios where recovery is most urgent: a catastrophic hardware failure, a fire or flooding event at the primary site, or a ransomware attack that encrypts or deletes all data on the host including its backup directory. Storing a backup on the same host or even the same physical site as the primary directory server creates a single point of failure in the recovery chain - the backup and the system it is meant to recover are destroyed together. An encrypted offsite copy breaks this dependency, ensuring that total loss of the primary site does not also eliminate the ability to recover. Encryption is mandatory, not optional: directory data typically includes credential hashes, group memberships, and sensitive personal attributes, meaning an unencrypted offsite copy is a liability equal in severity to leaving the database file world-readable. NIST SP 800-53 CP-6 requires an alternate storage site for backup information, and CP-9 requires protecting backup copies including at alternate storage sites.
Check
Confirm backups are copied to encrypted offsite storage.
```bash
ls -l <offsite_backup_path>
```
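A listing shows that files exist, not that they match the local backups or are recent. The script below is an added example, not part of this control or of 389 Directory Server tooling; it compares content hashes and checks the age of the newest replicated file. Assumptions: the offsite copy is reachable as a local path (a mount or a freshly retrieved copy), `sha256sum` from GNU coreutils is installed, and the function names and return codes are hypothetical choices made here. It does not verify encryption at rest.

```shell
#!/bin/sh
# Added example: confirm the offsite copy mirrors the local backup directory.

# manifest DIR: one "sha256  ./relative/path" line per regular file, sorted.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort )
}

# check_offsite LOCAL OFFSITE [MAX_AGE_MIN]
# 0 = every local file exists offsite with identical content and is recent,
# 1 = missing or differing files, 2 = bad input, 3 = offsite copy is stale.
check_offsite() {
    src=$1; dst=$2; max_age=${3:-1440}
    [ -d "$src" ] && [ -d "$dst" ] || { echo "FAIL: missing directory" >&2; return 2; }
    # An empty source would let the comparison pass trivially (for example
    # after the local bak/ directory was wiped), so treat it as an error.
    [ -n "$(find "$src" -type f | head -n 1)" ] || { echo "FAIL: no local backups" >&2; return 2; }
    tmp=$(mktemp -d) || return 2
    manifest "$src" > "$tmp/local"
    manifest "$dst" > "$tmp/offsite"
    # Lines only in the local manifest: files absent offsite or with other content.
    drift=$(LC_ALL=C comm -23 "$tmp/local" "$tmp/offsite")
    rm -rf "$tmp"
    if [ -n "$drift" ]; then
        echo "FAIL: not replicated, or content differs:" >&2
        echo "$drift" >&2
        return 1
    fi
    # rsync -a preserves mtimes, so this is the age of the newest replicated backup.
    if [ -z "$(find "$dst" -type f -mmin "-$max_age" | head -n 1)" ]; then
        echo "FAIL: newest offsite backup is older than $max_age minutes" >&2
        return 3
    fi
    echo "OK: offsite copy matches local backups"
}
```

Call it as `check_offsite /var/lib/dirsrv/slapd-<instance>/bak <offsite_backup_path> 1440` from the monitoring job, and alert on any non-zero exit code.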
Remediation
Replicate backups to encrypted offsite storage on a schedule.
```bash
# Sync the local backups to encrypted offsite storage on a schedule, e.g.:
rsync -a --delete /var/lib/dirsrv/slapd-<instance>/bak/ <offsite_host>:<offsite_backup_path>/
# ensure the destination is encrypted at rest and access-controlled
```
Implementation Notes
Replace <offsite_host> and <offsite_backup_path> with the coordinates of
your offsite receiver (object storage bucket, secondary datacenter host, etc.).
For cloud destinations, prefer a storage-native sync tool (e.g., aws s3 sync,
gsutil rsync) with appropriate server-side encryption enabled over rsync.
The rsync example uses --delete to mirror the source; omit that flag if you
need to retain historical backup archives at the destination independently of
the local retention window.
Restrict access to the offsite location using least-privilege credentials separate from those used by the directory server itself. Schedule the sync immediately after each successful backup. Offsite storage does not replace restore testing - verify that offsite archives can actually be retrieved and restored (389-BR-001).