Health Check: Local backup security

Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Purpose

This health check looks for backups in the local application storage and warns you if any backup files are found there. Storing backups in the application's local filesystem is a security risk that may expose sensitive data to attackers.

You'll receive a warning message if there are any .zip files in any of the following locations:

  • <jira-local-home-dir>/export/backups
  • <jira-local-home-dir>/import

Health check results

| Icon | Result | What this means |
|---|---|---|
| (tick) | There are no backups in the local application storage. | No backups are present in the specified directories. This message applies to single-node instances. |
| (tick) | There are no backups in local storage on node <node-id>. Run this health check on the other nodes if you've received a warning notification. | No backups are present in the specified directories on this particular node. This message applies to clustered instances. |
| (warning) | Found <n> backup files in the <dir-path> directory. | There are backups stored in the application storage. This message shows you how many files were found in which directory. Jira displays this message for every affected directory. |
| (warning) | Found <n> backup files in the <dir-path> directory for node <node-id>. | There are backups stored in the application storage on this particular node. This message shows you how many files were found in which directory on this particular node. Jira displays this message for every affected directory. |

What happens if I ignore the warning?

Storing unencrypted backups that contain sensitive information on the application file system is a security risk. When an attacker gains access to the local file system, this sensitive data becomes exposed. Furthermore, attackers can compromise the application and then encrypt or remove the backups, preventing administrators from being able to restore the application's data and settings.

Resolution

Here are a few things you can try if the Local backup security health check fails:

Move existing backups to secure storage

To immediately fix this warning, move all existing backup files to a dedicated secure storage location.

Review your scheduled backups feature

The automated backup feature may create new backups on a regular schedule. This will trigger the health check warning again.
Consider either disabling this feature or setting up an automated script to move these files outside of the Jira filesystem.
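
One way to write such a script, as an added example that is not Atlassian's own code: it moves .zip files out of the two directories the health check inspects, skips files modified too recently to be complete, and deletes the original only after the copy has been verified. The variable names JIRA_LOCAL_HOME, BACKUP_DEST and MIN_AGE_MINUTES are assumptions, and the destination is assumed to be a mounted, dedicated storage location outside the Jira home.

```shell
#!/bin/sh
# Added example: relocate Jira backup archives out of the local home directory.
# JIRA_LOCAL_HOME, BACKUP_DEST and MIN_AGE_MINUTES are assumed variable names.
set -u
umask 077   # anything created below is accessible to the owner only

# move_jira_backups <jira-local-home-dir> <destination> [min-age-minutes]
# Moves *.zip files from the two directories the health check inspects.
# Files modified within the last min-age-minutes are left alone so that a
# backup Jira is still writing is not moved half-finished.
# Prints the number of files moved; returns non-zero if any file was not moved.
move_jira_backups() (
    home=$1; dest=$2; min_age=${3:-10}
    moved=0; failed=0
    mkdir -p "$dest" || return 1
    for dir in "$home/export/backups" "$home/import"; do
        for src in "$dir"/*.zip; do
            # Regular files only: skips symlinks and an unmatched glob.
            [ -f "$src" ] && [ ! -L "$src" ] || continue
            # Skip files that are too recent to be considered complete.
            [ -n "$(find "$src" -mmin "+$min_age")" ] || continue
            target="$dest/$(basename "$src")"
            if [ -e "$target" ]; then
                echo "not moved, name already exists in destination: $src" >&2
                failed=$((failed + 1))
                continue
            fi
            # Copy, verify byte-for-byte, and only then delete the original.
            if cp -p "$src" "$target" && cmp -s "$src" "$target"; then
                chmod 600 "$target"
                rm -f "$src"
                moved=$((moved + 1))
            else
                echo "copy failed, source left in place: $src" >&2
                rm -f "$target"
                failed=$((failed + 1))
            fi
        done
    done
    echo "$moved"
    [ "$failed" -eq 0 ]
)

# Entry point for cron or a systemd timer; does nothing unless both are set.
if [ -n "${JIRA_LOCAL_HOME:-}" ] && [ -n "${BACKUP_DEST:-}" ]; then
    move_jira_backups "$JIRA_LOCAL_HOME" "$BACKUP_DEST" "${MIN_AGE_MINUTES:-10}"
fi
```

A non-zero exit status means at least one archive is still in the Jira home, so the scheduler's failure alerting should be enabled for this job.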

Implement a production backup policy

For production instances, we recommend using database-native tools to back up the database, and creating a backup of the shared home and local home directories for all nodes.

Store backups in Amazon S3

Starting from Jira 9.16, it is possible to store XML backups in Amazon S3.

(Not recommended) Disable the Local backups health check

If you're aware of the security risk, you can disable this health check on the Troubleshooting page. This might be a viable option for non-production instances.



Last modified on May 7, 2024
