NetBackup 52xx and 5330 Appliance Security Guide - 2.7.2

Veritas NetBackup™
Appliance Security Guide
Release 2.7.2
NetBackup 52xx and 5330

Veritas NetBackup™ Appliance Security Guide
Documentation version: 2.7.2
Legal Notice
Copyright © 2016 Veritas Technologies LLC. All rights reserved.
Veritas , the Veritas Logo, NetBackup, and Storage Foundation are trademarks or registered
trademarks of Veritas Technologies LLC or its affiliates in the U.S. and other countries. Other
names may be trademarks of their respective owners.
This product may contain third party software for which Veritas is required to provide attribution
to the third party (“Third Party Programs”). Some of the Third Party Programs are available
under open source or free software licenses. The License Agreement accompanying the
Software does not alter any rights or obligations you may have under those open source or
free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation
or TPIP ReadMe File accompanying this product for more information on the Third Party
Programs.
The product described in this document is distributed under licenses restricting its use, copying,
distribution, and decompilation/reverse engineering. No part of this document may be
reproduced in any form by any means without prior written authorization of Veritas Technologies
LLC and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED

CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED
WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR
NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH
DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC
SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN
CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS
DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS
SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software
as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19
"Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq.
"Commercial Computer Software and Commercial Computer Software Documentation," as
applicable, and any successor regulations, whether delivered by Veritas as on premises or
hosted services. Any use, modification, reproduction release, performance, display or disclosure
of the Licensed Software and Documentation by the U.S. Government shall be solely in
accordance with the terms of this Agreement.
Veritas Technologies LLC
500 E Middlefield Road
Mountain View, CA 94043
http://www.veritas.com
Technical Support
Technical Support maintains support centers globally. Technical Support’s primary
role is to respond to specific queries about product features and functionality. The
Technical Support group also creates content for our online Knowledge Base. The
Technical Support group works collaboratively with the other functional areas within
the company to answer your questions in a timely fashion.
Our support offerings include the following:
■ A range of support options that give you the flexibility to select the right amount
of service for any size organization
■ Telephone and/or Web-based support that provides rapid response and
up-to-the-minute information
■ Upgrade assurance that delivers software upgrades
■ Global support purchased on a regional business hours or 24 hours a day, 7
days a week basis
■ Premium service offerings that include Account Management Services
For information about our support offerings, you can visit our website at the following
URL:
www.veritas.com/support
All support services will be delivered in accordance with your support agreement
and the then-current enterprise technical support policy.
Contacting Technical Support

Customers with a current support agreement may access Technical Support
information at the following URL:
Before contacting Technical Support, make sure you have satisfied the system
requirements that are listed in your product documentation. Also, you should be at
the computer on which the problem occurred, in case it is necessary to replicate
the problem.
When you contact Technical Support, please have the following information
available:
■ Product release level
■ Hardware information
■ Available memory, disk space, and NIC information
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description:
■ Error messages and log files
■ Troubleshooting that was performed before contacting Technical Support
■ Recent software configuration changes and network changes
Licensing and registration

If your product requires registration or a license key, access our technical support
Web page at the following URL:
Customer service
Customer service information is available at the following URL:
Customer Service is available to assist with non-technical questions, such as the
following types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates, such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information about product updates and upgrades
■ Information about upgrade assurance and support contracts
■ Advice about technical support options
■ Nontechnical presales questions
■ Issues that are related to CD-ROMs, DVDs, or manuals
Support agreement resources
If you want to contact us regarding an existing support agreement, please contact
the support agreement administration team for your region as follows:
Worldwide (except Japan) CustomerCare@veritas.com
Japan CustomerCare_Japan@veritas.com
Contents
Technical Support ............................................................................................ 4
Chapter 1 About the NetBackup Appliance Security Guide

.......................................................................................... 10
About the NetBackup Appliance Security Guide .................................. 10
Chapter 2 User authentication ........................................................... 18

About user authentication on the NetBackup appliance ........................ 18
User types that can authenticate on the NetBackup
appliance ........................................................................ 20
About configuring user authentication ............................................... 23
Generic user authentication guidelines ....................................... 26
About authenticating LDAP users .................................................... 26
About authenticating Active Directory users ....................................... 27
About authenticating Kerberos-NIS users .......................................... 28
About the appliance login banner ..................................................... 29
About user name and password specifications ................................... 30
Chapter 3 User authorization ............................................................. 35
About user authorization on the NetBackup appliance .......................... 35

About authorizing NetBackup appliance users .................................... 36
NetBackup appliance user role privileges .................................... 38
About the Administrator user role ..................................................... 39
About the NetBackupCLI user role ................................................... 40
Chapter 4 Intrusion prevention and intrusion detection

systems .......................................................................... 42
About Symantec Data Center Security on the NetBackup

appliance .............................................................................. 43
About the NetBackup appliance intrusion prevention system ................. 45
About the NetBackup appliance intrusion detection system ................... 46
Reviewing SDCS events on the NetBackup appliance .......................... 47
Contents 8
Running SDCS in unmanaged mode on the NetBackup

appliance .............................................................................. 50
Running SDCS in managed mode on the NetBackup appliance ............. 50
Overriding the NetBackup appliance intrusion prevention system
policy ................................................................................... 51
Re-enabling the NetBackup appliance intrusion prevention system
policy ................................................................................... 54
Chapter 5 Log files ................................................................................ 57
About NetBackup appliance log files ................................................. 57

About the Collect Log files wizard .................................................... 59
Viewing log files using the Support command ..................................... 60
Where to find NetBackup appliance log files using the Browse
command ............................................................................. 61
Gathering device logs with the DataCollect command .......................... 62
Chapter 6 Operating system security .............................................. 66
About NetBackup appliance operating system security ......................... 66

Major components of the NetBackup appliance OS ............................. 67
Disabled service accounts on the NetBackup appliance ....................... 68
Vulnerability scanning of the NetBackup appliance .............................. 69
Chapter 7 Data security ....................................................................... 70
About Data Security ...................................................................... 70

About Data Integrity ...................................................................... 71
About Data Classification ............................................................... 72
About Data Encryption .................................................................. 72
KMS support ........................................................................ 73
Chapter 8 Web security ....................................................................... 75
About SSL certification .................................................................. 75

Implementing third-party SSL certificates ........................................... 76
Chapter 9 Network security ................................................................ 78
About IPsec Channel Configuration .................................................. 78

About the NetBackup Appliance 52xx ports ........................................ 80
Contents 9
Chapter 10 Call Home security ............................................................ 83

About AutoSupport ...................................................................... 83
About Call Home .......................................................................... 84
Configuring Call Home from the NetBackup Appliance Shell
Menu ............................................................................. 86
Enabling and disabling Call Home from the NetBackup Appliance
Shell Menu ...................................................................... 87
Configuring a Call Home proxy server from the NetBackup
Appliance Shell Menu ........................................................ 87
Understanding the Call Home workflow ....................................... 88
About SNMP ............................................................................... 89
About the Management Information Base (MIB) ............................ 89
Chapter 11 IPMI security ....................................................................... 91
Introduction to IPMI configuration ..................................................... 91

Recommended IPMI settings .......................................................... 91
Replacing the default IPMI SSL certificate ......................................... 93
Appendix A Software packages included in the NetBackup

appliance OS ................................................................ 98
List of software packages included in the NetBackup appliance
OS ...................................................................................... 98
Index .................................................................................................................. 104

Chapter 1
About the NetBackup
Appliance Security Guide
This chapter includes the following topics:
■ About the NetBackup Appliance Security Guide
About the NetBackup Appliance Security Guide

The NetBackup appliances are developed from their inception with security as a
primary need. Each element of the appliance, including its Linux operating system
and the core NetBackup application, is tested for vulnerabilities using both industry
standards and advanced security products. These measures ensure that exposure
to unauthorized access and resulting data loss or theft is minimized.
Each new version of NetBackup appliance software and hardware is verified for
vulnerabilities before release. Depending on the severity of issues found, Veritas
will address them using a patch or through a scheduled major release. To reduce
the risk of unknown threats, Veritas regularly updates the third-party packages and
modules that are used in the product as part of regular maintenance release cycles.
The goal of this guide is to describe the security features implemented in NetBackup
Appliance 2.7.2 and includes the following chapters and sub-sections:
NetBackup appliance user authentication

This chapter talks about the authentication features of the NetBackup appliance
and includes the following sections:
About the NetBackup Appliance Security Guide 11
Table 1-1 Sections featuring authentication
Section name Description Link
About user This section describes the types of users, See “About user
authentication on user accounts, and processes allowed to authentication on the
the NetBackup access the appliance. NetBackup appliance”
appliance on page 18.
About configuring This section describes the configuration See “About configuring
user authentication options for the various types of users that user authentication”
can authenticate on the appliance. on page 23.
About authenticating This section describes the prerequisites See “About

LDAP users and process to configure the appliance to authenticating LDAP
register and authenticate LDAP users. users” on page 26.

Active Directory and process to configure the appliance to authenticating Active
users register and authenticate Active Directory Directory users”
(AD) users. on page 27.

Kerberos-NIS users and process to configure the appliance to authenticating
register and authenticate Kerberos-NIS Kerberos-NIS users”
users. on page 28.
About the appliance This section describes the login banner See “About the appliance
login banner feature where you can set a text banner to login banner”
appear when a user tries to authenticate on page 29.
on the appliance.
About user name This section describes the user name and See “About user name
and password password credentials. and password
specifications specifications”
on page 30.
NetBackup Appliance user authorization

This chapter describes the features that are implemented for authorizing users
accessing the NetBackup Appliance and includes the following sections:
Table 1-2 Sections on authorization
About user This section describes the key See “About user
authorization on the characteristics of the authorization process authorization on the
NetBackup of the NetBackup Appliance. NetBackup appliance”
About authorizing This section describes the administrative See “About authorizing
NetBackup options for authorizing appliance users with NetBackup appliance
appliance users various access permissions. users” on page 36.
About the This section describes the Administrator See “About the
Administrator user user role. Administrator user role”
role on page 39.
About the This section describes the NetBackupCLI See “About the
NetBackupCLI user user role. NetBackupCLI user role”
role on page 40.
NetBackup Appliance intrusion prevention and intrusion

detection systems
This chapter describes the Symantec Data Center Security: Server Advanced
(SDCS) implementation for the NetBackup Appliance using the following sections:
Table 1-3 Sections on IPS and IDS policies
About Symantec This section introduces the SDCS feature See “About Symantec
Data Center implemented with the appliances. Data Center Security on
Security on the the NetBackup
NetBackup appliance” on page 43.
appliance
About the This section describes the IPS policy that See “About the
NetBackup is used to protect the appliances. NetBackup appliance
appliance intrusion intrusion prevention
prevention system system” on page 45.
About the This section describes the IDS policy that See “About the
NetBackup is used to monitor the appliances. NetBackup appliance
appliance intrusion intrusion detection
detection system system” on page 46.
Table 1-3 Sections on IPS and IDS policies (continued)
Reviewing SDCS This section describes the SDCS events See “Reviewing SDCS
events on the based on their level of security. events on the NetBackup
NetBackup appliance” on page 47.
appliance
Running SDCS in This section briefly describes the default See “Running SDCS in
unmanaged mode security management on the appliance. unmanaged mode on the
on the NetBackup NetBackup appliance”
Running SDCS in This section describes how you can See “Running SDCS in
managed mode on manage appliance security as part of a managed mode on the
the NetBackup centralized SDCS environment. NetBackup appliance”
Overriding the This section describes the procedure to See “Overriding the
NetBackup override the IPS policy that is applied to the NetBackup appliance
appliance intrusion appliances. intrusion prevention
prevention system system policy”
policy on page 51.
Re-enabling the This section describes the procedure to See “Re-enabling the
NetBackup re-enable the IPS policy that is applied to NetBackup appliance
appliance intrusion the appliances. intrusion prevention
prevention system system policy”
policy on page 54.
NetBackup Appliance log files

This chapter lists the NetBackup Appliance log files and the options to view the log
files, using the following sections:
Table 1-4 Working log sections
About working with This chapter provides an overview on all See “About NetBackup
log files the different types of logs that you can view appliance log files”
for the NetBackup Appliance. on page 57.
About using the This chapter describes the usage of the See “About the Collect
Collect Log files Collect Log files wizard present on the Log files wizard”
wizard NetBackup Appliance Web Console. on page 59.
Table 1-4 Working log sections (continued)
Viewing log files This chapter describes the procedure to See “Viewing log files
using the Support view log files using the support command. using the Support
command command” on page 60.
Locating NetBackup This chapter describes the usage of Browse See “Where to find
Appliance log files command to view log files. NetBackup appliance
using the Browse log files using the
command Browse command”
on page 61.
Gathering device This chapter describes the procedure to See “Gathering device
logs with the gather device logs. logs with the DataCollect
DataCollect command” on page 62.
command
NetBackup Appliance operating system security

Table 1-5 Operating system sections
About NetBackup This section describes the different update See “About NetBackup
appliance operating types that are made to the operating system appliance operating
system security to improve the security of the overall system security”
NetBackup Appliance. on page 66.
Major components This section lists the products and operating See “Major components
of the NetBackup system components of the NetBackup of the NetBackup
appliance OS Appliance. appliance OS”
on page 67.
Disabled service This section lists the OS service accounts See “Disabled service
accounts on the that are disabled on the appliance. accounts on the
NetBackup NetBackup appliance”
Vulnerability This section lists some of the security See “Vulnerability

scanning of the scanners that Veritas uses to verify the scanning of the
NetBackup security of the appliance. NetBackup appliance”
NetBackup Appliance data security

This chapter describes the data security implementation for the NetBackup
Appliance, using the following sections:
Table 1-6 Data security sections
About Data This section lists the measures that are taken See “About Data
Security to improve data security. Security” on page 70.
About Data Integrity This section lists the measures that are taken See “About Data
to improve data integrity. Integrity” on page 71.
Classification to improve data classification. Classification”
on page 72.
Encryption to improve data encryption. Encryption ” on page 72.
NetBackup Appliance web security

This chapter describes the web security implementation for the NetBackup
Table 1-7 Web security sections
About SSL This section lists the SSL certification updates See “About SSL
certification for NetBackup Appliance Web Console. certification”
on page 75.
Implementing This section lists the procedure to implement See “Implementing

third-party SSL third-party SSL certificates. third-party SSL
certificates certificates” on page 76.
NetBackup Appliance network security

This chapter describes the network security implementation for the NetBackup
Table 1-8 Network security sections
About IPsec This section describes the IPsec configuration See “About IPsec
Channel for NetBackup Appliances. Channel Configuration”
Configuration on page 78.
Table 1-8 Network security sections (continued)
About NetBackup This section describes the port information See “About the
Appliance 52xx for NetBackup Appliances. NetBackup Appliance
ports 52xx ports” on page 80.
NetBackup Appliance Call Home security

This chapter describes the Call Home security implementation for the NetBackup
Table 1-9 Call Home security sections
About AutoSupport This section describes the AutoSupport feature See “About
in the NetBackup Appliance. AutoSupport ”
on page 83.
About Call Home This section describes the Call Home feature See “About Call Home”
in the NetBackup Appliance. on page 84.
About SNMP This section describes the SNMP feature in See “About SNMP”
the NetBackup Appliance. on page 89.
NetBackup Appliance IPMI security

This chapter describes the guidelines that are adopted to secure IPMI configuration,
using the following sections:
Table 1-10 IPMI security sections
Introduction to This section describes IPMI and how it is See “Introduction to

IPMI configuration configured with the NetBackup Appliance. IPMI configuration”
on page 91.
Listing the This section lists the recommended IPMI See “Recommended
Recommended settings for a secure configuration. IPMI settings”
IPMI settings on page 91.
Appendices
Table 1-11 Appendix listed in the Security Guide
Appendix A: Software This appendix lists the OS packages See “List of software
packages included in the that are includes as a part of packages included in the
NetBackup appliance OS NetBackup appliance OS. NetBackup appliance
OS” on page 98.
Intended Audience
This guide is intended for the users that include security administrators, backup
administrators, system administrators, and IT technicians who are tasked with
maintaining the NetBackup Appliance.
Chapter 2
User authentication
■ About user authentication on the NetBackup appliance
■ About configuring user authentication
■ About authenticating LDAP users
■ About authenticating Active Directory users
■ About authenticating Kerberos-NIS users
■ About the appliance login banner
■ About user name and password specifications
About user authentication on the NetBackup

appliance
Table 2-1 describes the user accounts that are available on the NetBackup
appliance.
User authentication 19
About user authentication on the NetBackup appliance
Table 2-1 NetBackup appliance account types
Account type Description
User The NetBackup appliance is administered and managed through user accounts. You can
create local user accounts, or register users and user groups that belong to a remote directory
service. Each user account must authenticate itself with a user name and password to
access the appliance. For a local user, the user name and password are managed on the
appliance. For a registered remote user, the user name and password are managed by the
remote directory service.
In order for a new user account to log on and access the appliance, you must first authorize
it with a role. By default, a new user account does not have an assigned role, and therefore
it cannot log on until you grant it a role.
You can grant the following roles to a user or user group:
■ Administrator
A user account that is assigned the Administrator role is provided administrative privileges
to manage the NetBackup appliance. An Administrator user is allowed to log on, view,
and perform all functions on the NetBackup Appliance Web Console and the NetBackup
Appliance Shell Menu. These user accounts have permissions to log on to the appliance
and run NetBackup commands with superuser privileges.
See “About the Administrator user role” on page 39.
■ NetBackupCLI
A user account that is assigned the NetBackupCLI role can execute all NetBackup
commands, view logs, edit NetBackup touch files, and edit NetBackup notify scripts.
NetBackupCLI users are solely restricted to run NetBackup commands with superuser
privileges and do not have access outside the scope of NetBackup software directories.
Once these users log on, they are taken to a restricted shell from where they can run
the NetBackup commands.
See “About the NetBackupCLI user role” on page 40.
admin The admin account is the default Administrator user on the NetBackup appliance.
New NetBackup appliances are shipped with the following default logon credentials:
■ User name: admin

■ Password: P@ssw0rd
Maintenance The Maintenance account is used by Veritas Support through the NetBackup Appliance
Shell Menu (after an administrative log-on). This account is used specifically to perform
maintenance activity or to troubleshoot the appliance.
AppComm The AppComm account is used for internal process communication.
sisips The sisips account is an internal user for implementing the SDCS policies.
Table 2-1 NetBackup appliance account types (continued)
Account type Description
root The root account is a restricted user that is only accessed by Veritas Support to perform
maintenance tasks. If you try to access this account, the following message is displayed:
Permission Denied !! Access to the root account requires

overriding the Symantec Intrusion Security Policy.
Please refer to the appliance security guide for

overriding instructions.
Warning: Please note that you can override the Veritas Intrusion Security Policy (ISP) to
gain access to the root account. However, doing so is not recommended as it puts the
system at risk and vulnerable to attack.See “Overriding the NetBackup appliance intrusion
prevention system policy” on page 51.
See “About user authentication on the NetBackup appliance” on page 18.

See “About authorizing NetBackup appliance users” on page 36.
User types that can authenticate on the NetBackup appliance

You can directly add local users on the appliance, or register users from an LDAP
server, Active Directory (AD) server, or NIS server. Registering remote users offers
the benefit of letting you leverage your existing directory service for user
management and authentication. Table 2-2 describes the types of users that can
be added to a NetBackup appliance.
Table 2-2 NetBackup appliance user types
User type Description Notes
Local (native A local user is added to the appliance ■ You can use the Settings > Authentication >
user) database and is not referenced to an external User Management page from the NetBackup
directory-based server like an LDAP server. Appliance Web Console to add, delete, and
Once the user has been added, you can then manage local users.
grant or revoke the appropriate appliance ■ You can use the Settings > Security >
access permissions. Authentication > LocalUser command
from the NetBackup Appliance Shell Menu to add
and delete local users, as well as change their
passwords.
■ You cannot add local user groups.
■ A local user can have the Administrator or
NetBackupCLI role.
Note: You cannot grant the NetBackupCLI role
to an existing local user. However, you can create
a local NetBackupCLI user by using the Manage
> NetBackupCLI > Create command from
the NetBackup Appliance Shell Menu.
LDAP An LDAP (Lightweight Directory Access ■ You can use the Settings > Authentication >
Protocol) user or user group exists on an User Management page from the NetBackup
external LDAP server. After configuring the Appliance Web Console to add, delete, and
appliance to communicate with the LDAP manage LDAP users and user groups.
server, you can register those users and user ■ You can use the Settings > Security >
groups with the appliance. Once the user has Authentication > LDAP command from the
been registered (added), you can then grant NetBackup Appliance Shell Menu to add and
or revoke the appropriate appliance access delete LDAP users and user groups.
permissions. ■ You can assign the Administrator or
See “About authenticating LDAP users” NetBackupCLI role to an LDAP user or user
on page 26. group.
Note: The NetBackupCLI role can be assigned
to a maximum of nine (9) user groups at any
given time.
Table 2-2 NetBackup appliance user types (continued)
User type Description Notes
Active An Active Directory (AD) user or user group ■ You can use the Settings > Authentication >
Directory exists on an external AD server. After User Management page from the NetBackup
configuring the appliance to communicate with Appliance Web Console to add, delete, and
the AD server, you can register those users manage AD users and user groups.
and user groups with the appliance. Once the ■ You can use the Settings > Security >
user has been registered (added), you can Authentication > ActiveDirectory
then grant or revoke the appropriate appliance command from the NetBackup Appliance Shell
access permissions. Menu to add and delete AD users and user
See “About authenticating Active Directory groups.
users” on page 27. ■ You can assign the Administrator or
NetBackupCLI role to an AD user or user group.
Note: The NetBackupCLI role can be assigned
to a maximum of nine (9) user groups at any
given time.
Kerberos-NIS A NIS (Network Information Service) user or ■ You can use the Settings > Authentication >
user group exists on an external NIS server. User Management page from the NetBackup
Unlike the LDAP and AD implementations, Appliance Web Console to add, delete, and
configuring the appliance to communicate with manage NIS users and user groups.
the NIS domain requires Kerberos ■ You can use the Settings > Security >
authentication. You must have an existing Authentication > Kerberos command from
Kerberos service associated with your NIS the NetBackup Appliance Shell Menu to add and
server before you can configure the appliance delete NIS users and user groups.
to register the NIS users. ■ You can assign the Administrator or
After configuring the appliance to communicate NetBackupCLI role to a NIS user or user group.
with the NIS server and the Kerberos server, Note: The NetBackupCLI role can be assigned
you can register the NIS users and user to a maximum of nine (9) user groups at any
groups with the appliance. Once the user has given time.
been registered (added) to the appliance, you
can then grant or revoke the appropriate
appliance access permissions.
See “About authenticating Kerberos-NIS

users” on page 28.
For detailed instructions on configuring new users, refer to the NetBackup Appliance
Administrator's Guide.
About configuring user authentication

Table 2-3 describes the options that are provided in the NetBackup Appliance Web
Console and NetBackup Appliance Shell Menu for configuring the appliance to
authenticate various types of users and grant them access privileges.
Table 2-3 User authentication management
User type NetBackup Appliance Web Console NetBackup Appliance Shell Menu
Local (native user) Use the Settings > Authentication > User The following commands and options are
Management tab in the NetBackup Appliance available under Settings > Security >
Web Console to add local users. Authentication > LocalUser:
See “About authorizing NetBackup appliance ■ Clean - Delete all of the local users.
users” on page 36. ■ List - List all of the local users that have
been added to the appliance.
■ Password - Change the password of a local
user.
■ Users - Add or remove one or more local
users.
Table 2-3 User authentication management (continued)
LDAP You can perform the following LDAP The following commands and options are
configuration tasks under Settings > available under Settings > Security >
Authentication > LDAP: Authentication > LDAP:
■ Add a new LDAP configuration. ■ Attribute - Add or delete LDAP

■ Import a saved LDAP configuration from configuration attributes.
an XML file. ■ Certificate - Set, view, or disable the SSL
■ Add, edit, and delete configuration certificate.
parameters for the LDAP server. ■ ConfigParam - Set, view, and disable the
■ Identify and attach the SSL certificate for LDAP configuration parameters.
the LDAP server. ■ Configure - Configure the appliance to
■ Add, edit, and delete attribute mappings allow LDAP users to register and authenticate
for the LDAP server. with the appliance. *
■ Export the current LDAP configuration ■ Disable - Disable LDAP user authentication
(including users) as an XML file. This file on the appliance.
can be imported to configure LDAP on ■ Enable - Enable LDAP user authentication
other appliances. on the appliance.
■ Disable and re-enable the LDAP ■ Export - Export the existing LDAP
configuration. configuration as an XML file.
■ Unconfigure the LDAP server. ■ Groups - Add or remove one or more LDAP
Use the Settings > Authentication > User user groups. Only the user groups that
Management tab in the NetBackup Appliance already exist on the LDAP server can be
Web Console to add LDAP users and user added to the appliance.
groups. ■ Import - Import the LDAP configuration from
an XML file.
See “About authorizing NetBackup appliance
■ List - List all of the LDAP users and user
groups that have been added to the
appliance.
■ Map - Add, delete, or show NSS map
attributes or object classes.
■ Show - View the LDAP configuration details.
■ Status - View the status of LDAP
authentication on the appliance.
■ Unconfigure - Delete the LDAP
configuration.
■ Users - Add or remove one or more LDAP
users. Only the users groups that already
exist on the LDAP server can be added to
the appliance.
Table 2-3 User authentication management (continued)
Active Directory You can perform the following AD The following commands and options are
Authentication > Active Directory: Authentication > ActiveDirectory:
■ Configure a new Active Directory ■ Configure - Configure the appliance to

configuration. allow AD users to register and authenticate
■ Unconfigure an existing Active Directory with the appliance.
configuration. ■ Groups - Add or remove one or more AD
Management tab in the NetBackup Appliance already exist on the AD server can be added
Web Console to add Active Directory users to the appliance.
and user groups. ■ List - List all of the AD users and user
appliance.
■ Status - View the status of AD
authentication on the appliance.
■ Unconfigure - Delete the AD configuration.
■ Users - Add or remove one or more AD
users. Only the users that already exist on
the AD server can be added to the appliance.
Kerberos-NIS You can perform the following Kerberos-NIS The following commands and options are
Authentication > Kerberos-NIS : Authentication > Kerberos:
■ Configure a new Kerberos-NIS ■ Configure - Configure the appliance to

configuration. allow NIS users to register and authenticate
■ Unconfigure an existing Kerberos-NIS with the appliance.
configuration. ■ Groups - Add or remove one or more NIS
Management tab in the NetBackup Appliance already exist on the NIS server can be added
Web Console to add Kerberos-NIS users and to the appliance.
user groups. ■ List - List all of the NIS users and user
appliance.
■ Status - View the status of NIS and
Kerberos authentication on the appliance.
■ Unconfigure - Delete the NIS and Kerberos
configuration.
■ Users - Add or remove one or more NIS
users. Only the users that already exist on
the NIS server can be added to the appliance.
About authenticating LDAP users
Generic user authentication guidelines

Use the following guidelines for authenticating users on the appliance:
■ Only one remote user type (such as LDAP, Active Directory (AD), and NIS) can
be configured for authentication on an appliance at a given point in time. For
example, if you currently authenticate LDAP users on an appliance, you must
unconfigure LDAP on that appliance before you can switch to authenticating
AD users.
■ The NetBackupCLI role can be assigned to a maximum of nine (9) user groups
at any given time.
■ You cannot grant the NetBackupCLI role to an existing local user. However,
you can create a local NetBackupCLI user by using the Manage > NetBackupCLI
> Create command from the NetBackup Appliance Shell Menu.
■ You cannot add a new user or a user group to an appliance if it has the same
user name, user ID, or group ID as an existing user on that appliance.
See “About user authentication on the NetBackup appliance” on page 18.
About authenticating LDAP users

The NetBackup appliance uses the built-in Pluggable Authentication Module (PAM)
plug-in to support the authentication of Lightweight Directory Access Protocol (LDAP)
users. This functionality allows users belonging to an LDAP directory service to be
added and authorized to log on to a NetBackup appliance. LDAP is considered as
another type of user directory with a schema installed on it by UNIX services.
Pre-requisites for using LDAP user authentication

The following list contains the pre-requisites and requirements for using LDAP user
authentication on the appliance:
■ You must have NetBackup Appliance 2.6 or higher installed to configure LDAP
user authentication.
■ The LDAP schema must be RFC 2307 or RFC 2307bis compliant.
■ The following firewall ports must be open:
■ LDAP 389
■ LDAP OVER SSL/TLS 636
■ HTTPS 443
About authenticating Active Directory users
■ Ensure that the LDAP server is available and is set up with the users and user
groups that you want to register with the appliance.
Configuring LDAP user authentication

Before you can register new LDAP users and user groups on the appliance, you
need to configure the appliance to communicate with the LDAP server. Once the
configuration is complete, the appliance can access the LDAP server's user
information for authentication.
To configure LDAP user authentication, you can use either of the following options:
■ Settings > Authentication > LDAP from the NetBackup Appliance Web
Console.
■ Settings > Security > Authentication > LDAP from the NetBackup
Appliance Shell Menu.
For detailed instructions on how to configure LDAP user authentication on the
appliance, refer to the NetBackup Appliance Administrator's Guide and the
NetBackup Appliance Command Reference Guide.
About authenticating Active Directory users

plug-in to support the authentication of Active Directory (AD) users. This functionality
allows users belonging to an AD service to be added and authorized to log on to a
NetBackup appliance. AD is considered as another type of user directory with a
schema installed on it by UNIX services.
Pre-requisites for using Active Directory user

authentication
The following list contains the pre-requisites and requirements for using AD user
■ You must have NetBackup Appliance 2.6.0.3 or higher installed to configure AD
user authentication.
■ Ensure that the AD service is available and is set up with the users and user
■ Ensure that the authorized domain user credentials are used to configure the
AD server with the appliance.
■ Configure the NetBackup appliance with a DNS server that can forward DNS
requests to an AD DNS server. Alternatively, configure the appliance to use the
AD DNS server as the name service data source.
About authenticating Kerberos-NIS users
Configuring Active Directory user authentication

Before you can register new AD users and user groups on the appliance, you need
to configure the appliance to communicate with the AD service. Once the
configuration is complete, the appliance can access the AD server's user information
for authentication. You can configure AD authentication using the following options:
■ Settings > Authentication >Active Directory page from the NetBackup
Appliance Web Console.
■ Settings > Security > Authentication > ActiveDirectory commands
from the NetBackup Appliance Shell Menu.
For detailed instructions on how to configure AD user authentication on the
appliance, refer to the NetBackup Appliance Administrator's Guide and the
About authenticating Kerberos-NIS users

plug-in to support the authentication of Network Information Service (NIS) users.
This functionality allows users belonging to a NIS directory service to be added and
authorized to log on to a NetBackup appliance. NIS is considered as another type
of user directory with a schema installed on it by UNIX services.
Unlike the implementations of LDAP and Active Directory (AD), configuring the
appliance to authenticate NIS users requires Kerberos authentication. You must
have an existing Kerberos service associated with your NIS domain before you can
configure the appliance to register the NIS users.
Pre-requisites for using NIS user authentication with

Kerberos
The following list contains the pre-requisites and requirements for using NIS user
■ You must have NetBackup Appliance 2.6.1.1 or higher installed to configure
NIS user authentication using Kerberos.
■ Ensure that the NIS domain is available and is set up with the users and user
■ Ensure that the Kerberos server is available and properly configured to
communicate with the NIS domain.
■ Due to the strict time requirements of Kerberos, Veritas strongly recommends
that you use an NTP server to synchronize time between the appliance, the NIS
server, and the Kerberos server.
About the appliance login banner
Configuring NIS user authentication with Kerberos

Before you can register new NIS users and user groups on the appliance, you need
to configure the appliance to communicate with the NIS server and Kerberos server.
Once the configuration is complete, the appliance can access the NIS domain's
user information for authentication. You can configure Kerberos-NIS authentication
using the following options:
■ Settings > Authentication >Kerberos-NIS page from the NetBackup Appliance
Web Console.
■ Settings > Security > Authentication > Kerberos commands from the
NetBackup Appliance Shell Menu.
For detailed instructions on how to configure Kerberos-NIS user authentication on
the appliance, refer to the NetBackup Appliance Administrator's Guide and the
About the appliance login banner

The NetBackup appliance provides the ability to set a text banner that appears
when a user attempts to log on to the appliance. You can use the login banner to
communicate various kinds of messages to users. Typical uses for the login banner
include legal notices, warning messages, and company policy information.
The NetBackup Administration Console also supports a login banner. By default,
when you set a login banner for the appliance, the banner is not used by NetBackup.
However, during the appliance login banner configuration you can choose to
propagate the banner to NetBackup so that it appears whenever a user attempts
to log into the NetBackup Administration Console.
Table 2-4 describes the appliance interfaces that support the login banner. Once
a login banner is set, it appears in each of the appliance interfaces that support it,
such as the NetBackup Appliance Shell Menu and SSH. However, the login banner
can be optionally turned on and off for the NetBackup Administration Console.
Table 2-4 Appliance interfaces that support the login banner
Interface Notes
SSH The login banner appears in an SSH session

once a user name is specified, but before a
password is requested.
IPMI console session The login banner appears in an IPMI console

session once a user name is specified, but
before a password is requested.
About user name and password specifications
Table 2-4 Appliance interfaces that support the login banner (continued)
Interface Notes
NetBackup Administration Console (optional) The login banner appears whenever a user
attempts to log on to the appliance using the
NetBackup Administration Console. This
feature uses the pre-existing login banner
functionality that is a part of NetBackup. For
more information, refer to the NetBackup
Administrator's Guide, Volume I.
Use Settings > Notifications > LoginBanner in the NetBackup Appliance

Shell Menu to configure the login banner. Refer to the NetBackup Appliance
Commands Reference Guide for more information.

The user name for the NetBackup appliance user account must be in the format
that the selected authentication system accepts. Table 2-5 lists the user name
specifications for each user type.
Note: The Manage > NetBackupCLI > Create command is used to create local
users with the NetBackupCLI role. All the local user and password specifications
apply to these users.
Table 2-5 User name specifications
Description Administrator NetBackupCLI (local Registered

(local user) user) remote user
Maximum length No restrictions applied No restrictions applied Determined by the

LDAP, AD, or NIS
policy
Minimum length 2 characters 2 characters Determined by the

LDAP, AD, or NIS
policy
Restrictions User names must not User names must not start Determined by the
start with: with: LDAP, AD, or NIS
policy
■ Number ■ Number
■ Special character ■ Special character
Table 2-5 User name specifications (continued)
Description Administrator NetBackupCLI (local Registered

(local user) user) remote user
Space inclusion User names must not User names must not Determined by the
include spaces. include spaces. LDAP, AD, or NIS
policy
Password specifications
The NetBackup appliance password policy has been updated to increase security
on the appliance. The password for the appliance user account must be in the
format that the selected authentication system accepts. Table 2-6 lists the password
specifications for each user type.
Table 2-6 Password specifications
Description Administrator (local NetBackupCLI (local Registered

user) user) remote user
Maximum length No restrictions applied No restrictions applied Determined by the

LDAP, AD, or NIS
policy
Minimum length 7 (with limitation) or 7 (with limitation) or else Determined by the

else 8 characters 8 characters LDAP, AD, or NIS
policy
Passwords must Passwords must contain
contain at least eight at least eight characters.
characters.
Requirements ■ One uppercase ■ One uppercase letter Determined by the

letter ■ One lowercase letter LDAP, AD, or NIS
■ One lowercase letter (a-z) policy
(a-z) ■ One number (0-9)
■ One number (0-9) ■ Dictionary words are
■ Dictionary words are considered as weak
considered as weak passwords and are
passwords and are not accepted.
not accepted. ■ The last seven
■ The last seven passwords cannot be
passwords cannot reused and the new
be reused and the password cannot be
new password similar to previous
cannot be similar to passwords.
previous passwords.
Table 2-6 Password specifications (continued)

Space inclusion Passwords must not Passwords must not Determined by the
include spaces. include spaces. LDAP, AD, or NIS
policy
Minimum 0 day 0 day Determined by the

password age
Note: You can manage LDAP, AD, or NIS
policy
the user password age
using the Manage >
NetBackupCLI >
PasswordExpiry
command from the
NetBackup Appliance
Shell Menu. For more
information, refer to the
NetBackup Appliance
Command Reference
Guide.
Maximum 99999 days (doesn’t 99999 days (doesn’t Determined by the

password age expire) expire) LDAP, AD, or NIS
policy
Password history The last seven None Determined by the

passwords cannot be LDAP, AD, or NIS
The last seven
reused and the new policy
passwords cannot be
password cannot be
reused and the new
similar to previous
password cannot be
passwords.
similar to previous
passwords.
Password expiry Not applicable as the Use the Manage > Determined by the
password does not NetBackupCLI > LDAP, AD, or NIS
expire PasswordExpiry policy
command to manage
NetBackupCLI user
passwords.
Password None None Determined by the

lockout LDAP, AD, or NIS
policy
Table 2-6 Password specifications (continued)

Lockout duration None None Determined by the

LDAP, AD, or NIS
policy
Note: To increase the security of your appliance environment, Veritas recommends

that you change the default admin and maintenance account passwords upon initial
login to the appliance. You can use the Settings > Password page from the
NetBackup Appliance Web Console or the Settings > Password command from
the NetBackup Appliance Shell Menu to change the password.
Warning: The NetBackup appliance does not support setting the Maintenance
account password using commands like yppasswd root or passwd root. A
password that is set in this fashion is overwritten once the system is upgraded. You
should use the NetBackup Appliance Shell Menu to change the Maintenance account
password.
Password encryption
The NetBackup appliance uses the following password encryption measures:
■ Starting with NetBackup appliance software version 2.6.1.1, the SHA-512
encryption algorithm is used for hashing the passwords of all customer-accessible
local appliance users (local users, NetBackupCLI users, the Administrator user,
and the Maintenance user). Whenever you create a new local appliance user,
or change an existing local appliance user's password, the password is encrypted
using SHA-512.
Note: Before 2.6.1.1, the appliance used a variety of default password encryption
algorithms that included SHA-512, SHA-256, and Blowfish. When you upgrade
your appliance to 2.6.1.1 or newer, the existing password hashes are preserved
even though the new default is SHA-512. Although the previous algorithms
remain functional and secure, Veritas recommends that you eventually change
the passwords of all the local appliance users after you upgrade to NetBackup
appliance software version 2.6.1.1 or newer so that they use the new default.
■ The password history is set to 7, meaning that the old passwords are encrypted
and logged up to seven times. If you try to use the old password as the new
password, the appliance displays a token manipulation error.
■ Passwords in transit include the following:
■ An SSH log-in where the password is protected by the SSH protocol.
■ A NetBackup Appliance Web Console log-in where the password is protected
by HTTPS communication.
For detailed password instructions, refer to the NetBackup Appliance Administrator's

Guide.
Chapter 3
User authorization
■ About user authorization on the NetBackup appliance
■ About authorizing NetBackup appliance users
■ About the Administrator user role
■ About the NetBackupCLI user role
About user authorization on the NetBackup

appliance
The NetBackup appliance is administered and managed through user accounts.
You can create local user accounts, or register users and user groups that belong
to a remote directory service. In order for a new user account to log on and access
the appliance, you must first authorize it with a role. By default, a new user account
does not have an assigned role, and therefore it cannot log on until you grant it a
role.
Table 3-1 NetBackup appliance user roles
Role Description
Administrator A user account that is assigned the Administrator role is

provided administrative privileges to manage the NetBackup
appliance. An Administrator user is allowed to log on, view,
and perform all functions on the NetBackup Appliance Web
Console and the NetBackup Appliance Shell Menu. These
user accounts have permissions to log on to the appliance
and run NetBackup commands with superuser privileges.

User authorization 36
About authorizing NetBackup appliance users
Table 3-1 NetBackup appliance user roles (continued)
Role Description
NetBackupCLI A user account that is assigned the NetBackupCLI role is

solely restricted to run a limited set of NetBackup CLI
commands and does not have access outside the scope of
NetBackup software directories. Once these users log on to
the appliance, they are taken to a restricted shell menu from
where they can manage NetBackup. The NetBackupCLI
users do not have access to the NetBackup Appliance Web
Console and the NetBackup Appliance Shell Menu.
The following list describes some of the characteristics of NetBackup appliance

authorization:
■ Ability to prevent unintended access to the appliance by password protecting
logins.
■ Access to shared data is provided only to authorized appliance users and
NetBackup processes.
■ Data that is stored within an appliance cannot inherently protect itself from
unintended modification or deletion by a malicious user that knows of admin
credentials to the appliance.
■ Network access to the NetBackup Appliance Shell Menu is only allowed through
SSH, and the NetBackup Appliance Web Console over HTTPS. You can also
directly connect a monitor and keyboard to the appliance and log on using
administrative credentials.
■ Access to FTP, Telnet, and rlogin are disabled on all appliances.
Note: The NetBackup appliance does not currently limit login attempts and enforce
lockout policies. These features will be implemented in future releases.

Table 3-2 describes the options that are provided for authorizing new and existing
users or user groups through the NetBackup Appliance Web Console and NetBackup
Appliance Shell Menu:
Table 3-2 User authorization management
Task NetBackup Appliance Web NetBackup Appliance Shell

Console Menu
Manage users The following options are available Use the Settings > Security
under Settings > Authentication > Authentication commands
> User Management to add, delete, and view appliance
users.
■ View all of the users that have
been added to the appliance. See “About configuring user
■ Expand and view all belonging authentication” on page 23.
users to a single user group.
■ Add and delete local users.
■ Add and delete
LDAP/AD/Kerberos-NIS users
and user groups.
Manage user The following options are available The following commands and
permissions (roles) under Settings > Authentication options are available under Main
> User Management: > Settings > Security >
Authorization:
■ Grant and revoke the
Administrator role for users and ■ Grant
user groups. Grant the Administrator and
■ Grant and revoke the NetBackupCLI roles to specific
NetBackupCLI role for users users and users groups that
and user groups. have been added to the
■ Synchronize members of appliance.
registered user groups with ■ List
Administrator role. List all of the users and user
groups that have been added
to the appliance, along with
their designated roles.
■ Revoke
Revoke the Administrator and
NetBackupCLI roles from
specific users and users
groups that have been added
to the appliance.
■ SyncGroupMembers
Synchronize members of
registered user groups.
Notes about user management

■ You cannot grant the NetBackupCLI role to an existing local user. However,
you can create a local NetBackupCLI user by using the Manage > NetBackupCLI
> Create command from theNetBackup Appliance Shell Menu.
■ The NetBackupCLI role can be assigned to a maximum of nine (9) user groups
at any given time.
■ Active Directory (AD) user groups and user names support the use of a hyphen
character in those names. The hyphen must appear between the first and the
last character of a user name or a user group name. AD user names and user
group names cannot begin or end with a hyphen.
■ You can list all users of a group that has maximum to 2000 users from
theNetBackup Appliance Web Console. To list all of a group that has more than
2000 users, use the List command from theNetBackup Appliance Shell Menu.
NetBackup appliance user role privileges

User roles determine the access privileges that a user is granted to operate the
system or to change the system configuration. The user roles that are described in
this topic are specific to LDAP, Active Directory (AD), and NIS users.
The following describes the appliance user roles and their associated privileges:
Table 3-3 User roles and privileges
User role Privileges
NetBackupCLI Users can only access the NetBackup CLI.
Administrator Users can access the following:
■ NetBackup Appliance Web Console

■ NetBackup Appliance Shell Menu
■ NetBackup Administration Console
A role can be applied to an individual user, or it can be applied to a group that

includes multiple users.
A user cannot be granted privileges to both user roles. However, a NetBackupCLI
user can also be granted access to the NetBackup Appliance Shell Menu in the
following scenarios:
About the Administrator user role
■ The user with the NetBackupCLI role is also in a group that is assigned the
Administrator role.
■ The user with the Administrator role is also in a group that is assigned the
NetBackupCLI role.
Note: When granting a user to have privileges to the NetBackupCLI and the
NetBackup Appliance Shell Menu, an extra step is required. The user must enter
the switch2admin command from the NetBackup CLI to access the NetBackup
Appliance Shell Menu.
Granting privileges to users and user groups can be done as follows:

■ From the NetBackup Appliance Web Console, on the Settings > Authentication
> User Management page, click on the Grant Permissions link.
■ From the NetBackup Appliance Shell Menu, use the following commands in the
Settings > Security > Authorization view:
Grant Administrator Group
Grant Administrator Users
Grant NetBackupCLI Group
Grant NetBackupCLI Users
See “About configuring user authentication” on page 23.

About the Administrator user role

The NetBackup appliance provides access control mechanisms to prevent
unauthorized access to the backup data on the appliances. These mechanisms
include administrative user accounts that provide elevated privileges to modify
appliance configurations, monitoring the appliance, and so on. Only the users that
are assigned the Administrator role are authorized to configure and manage the
NetBackup appliance.
The Administrator role should be provided only to authorized system administrators
to prevent unauthorized and inappropriate modification of the appliance configuration
or the backup data that is contained in the expansion disk storage. An Administrator
user can access the appliance using the NetBackup Appliance Shell Menu through
SSH, or the NetBackup Appliance Web Console over HTTPS.
An Administrator user as a superuser can perform all the following tasks:
■ Perform appliance initial configuration.
About the NetBackupCLI user role
■ Monitor hardware, storage, and SDCS logs.

■ Manage storage configuration, additional servers, licenses and so on.
■ Update configuration settings like Date and Time, Network, Notification, etc.
■ Restore the appliance.
■ Decommission the appliance.
■ Apply patches to the appliance.
A local, LDAP, Active Directory (AD), or NIS user needs to have the permissions
of the Administrator user role to access and administer the appliance. After you
have added a new user or a user group, use the Settings > Authentication > User
Management page from the NetBackup Appliance Web Console to grant the
Administrator user permissions.

A NetBackupCLI user can execute all NetBackup commands, view logs, edit
NetBackup touch files, and edit NetBackup notify scripts. NetBackupCLI users are
solely restricted to run NetBackup commands with superuser privileges and do not
have access outside the scope of NetBackup software directories. Once these
users log on, they are taken to a restricted shell from where they can run the
NetBackup commands. The NetBackupCLI users share a home directory and do
not have access to NetBackup Appliance Web Console or NetBackup Appliance
Shell Menu.
Table 3-4 lists the rights and restrictions of NetBackupCLI users.
Table 3-4 Rights and restrictions of the appliance NetBackupCLI user
Rights Restrictions
The NetBackupCLI user can use the The following restrictions are placed on
NetBackup Appliance Shell Menu to do the NetBackupCLI users:
following:
■ NetBackupCLI users do not have access
■ Run the NetBackup CLI and access the outside of the NetBackup software
NetBackup directories and files. directories.
■ Modify or create NetBackup notify scripts ■ They cannot edit the bp.conf file directly
using the cp-nbu-notify command. using an editor. Use the bpsetconfig
Note: The notify script restriction has command to set an attribute.
been lifted from versions 2.6.0.2 and ■ The cp-nbu-config command supports
higher. creating and editing NetBackup touch
configuration files only in the
■ Run the following NetBackup commands
/usr/openv/netbackup/db/config
and for the following directories that
directory.
contain the NetBackup CLI:
■ They cannot use the man or -h command
■ /usr/openv/netbackup/bin/*
to see the help of any other command.
■ /usr/openv/netbackup/bin/admincmd/*
■ /usr/openv/netbackup/bin/goodies/*
■ /usr/openv/volmgr/bin/*
■ /usr/openv/volmgr/bin/goodies/*
■ /usr/openv/pdde/pdag/bin/mtstrmd
■ /usr/openv/pdde/pdag/bin/pdcfg
■ /usr/openv/pdde/pdag/bin/pdusercfg
■ /usr/openv/pdde/pdconfigure/pdde
■ /usr/openv/pdde/pdcr/bin/*
How to run NetBackup commands as a NetBackupCLI

user:
The following are the two ways to run commands as a NetBackupCLI user:
■ Using the restricted shell
■ Using the absolute path [“sudo”], for example: bppllist or
/usr/openv/netbackup/bin/admincmd/bpplist
Chapter 4
Intrusion prevention and
intrusion detection
systems
■ About Symantec Data Center Security on the NetBackup appliance
■ About the NetBackup appliance intrusion prevention system
■ About the NetBackup appliance intrusion detection system
■ Reviewing SDCS events on the NetBackup appliance
■ Running SDCS in unmanaged mode on the NetBackup appliance
■ Running SDCS in managed mode on the NetBackup appliance
■ Overriding the NetBackup appliance intrusion prevention system policy
■ Re-enabling the NetBackup appliance intrusion prevention system policy

Intrusion prevention and intrusion detection systems 43
About Symantec Data Center Security on the NetBackup appliance
About Symantec Data Center Security on the

NetBackup appliance
Note: In previous appliance releases, Symantec Data Center Security (SDCS) was
known as Symantec Critical System Protection (SCSP). As part of the upgrade to
NetBackup Appliance 2.7.1 and newer, the appliance SDCS agent is set to
unmanaged mode. If an appliance was running in managed mode before upgrade,
make sure to reset that appliance back to managed mode after the upgrade
completes.
You must also update the appliance IPS and IDS policies on your SDCS
management server. You cannot use the older policies to manage an appliance
that is running software version 2.7.1 or newer. The new policies can be downloaded
from the Monitor > SDCS Events page of the NetBackup Appliance Web Console.
Also note that any custom rules or support exceptions you might have for the IPS
and IDS policies are not available after an upgrade to NetBackup Appliance 2.7.1.
Symantec Data Center Security: Server Advanced (SDCS) is a security solution

offered by Symantec to protect servers in data centers. The SDCS software is
included on the appliance and is automatically configured during appliance software
installation. SDCS offers policy-based protection and helps secure the appliance
using host-based intrusion prevention and detection technology. It uses the
least-privileged containment approach and also helps security administrators
centrally manage multiple appliances in a data center. The SDCS agent runs at
startup and enforces the customized NetBackup appliance intrusion prevention
system (IPS) and intrusion detection system (IDS) policies. The overall SDCS
solution on the appliance provides the following features:
■ Hardened Linux OS components
Prevents or contains malware from harming the integrity of the underlying host
system as a result of OS vulnerabilities.
■ Data protection
Tightly limits appliance data access to only those programs and activities that
need access, regardless of system privileges.
■ Hardened appliance stack
Appliance application binaries and configuration settings are locked down such
that changes are tightly controlled by the application or trusted programs and
scripts.
■ Expanded detection and audit capabilities
About Symantec Data Center Security on the NetBackup appliance
Provides enhanced visibility into important user or system actions to ensure a

valid and complete audit trail that addresses compliance regulations (such as
PCI) as a compensating control.
■ Centralized managed mode operations
Lets you use a central SDCS manager for an integrated view of security across
multiple appliances as well as any other enterprise systems managed by SDCS.
The SDCS implementation on the appliance can operate in an unmanaged mode
or a managed mode. By default, SDCS operates in an unmanaged mode and helps
secure the appliance using host-based intrusion prevention and detection technology.
The NetBackup appliance is in unmanaged mode, when it is not connected to the
SDCS server. In unmanaged mode, you can monitor SDCS events from the
NetBackup Appliance Web Console. Use the Monitor > SDCS Events page, to
monitor the events logged. The events are monitored using the NetBackup appliance
IDS and IPS policies. These policies are automatically applied at the time of initial
configuration. Click Filter Logs to filter and view specific events.
In managed mode, the SDCS agent on the appliance continues to protect the
appliance while also connecting to an external SDCS server for centralized
management and log analysis. In managed mode, the appliance is connected to
the SDCS server and the events are monitored using the SDCS management
console. Using this mode multiple appliances can be monitored using a single SDCS
server. SDCS agents are configured with each NetBackup appliance that are used
to send events to the SDCS server.
Figure 4-1 illustrates SDCS in managed mode.
Figure 4-1 SDCS implementation in managed mode
SDCS agent SDCS agent SDCS agent
1
1
1
2
About the NetBackup appliance intrusion prevention system
To set up managed mode, you can install the SDCS server and management
console and then connect the appliance to an SDCS server.
Use Monitor > SDCS Events page to:
■ Download SDCS server and console
■ Install the server and console
■ Download NetBackup Appliance IPS and IDS policies
■ Apply these polices using the SDCS management console
■ Connect the NetBackup appliances with the server
■ Monitor events for all the NetBackup appliances connected to this server.
Use Monitor > SDCS Events > Connect to SDCS server to:
■ Add SDCS server details
■ Download authentication certificate
■ Connect to the SDCS server
For complete information about the SDCS implementation on the appliance, refer
to the NetBackup Appliance Security Guide.
About the NetBackup appliance intrusion

prevention system
The appliance intrusion prevention system (IPS) consists of a custom Symantec
Data Center Security (SDCS) policy that runs automatically that runs automatically
at startup. The IPS policy is an in-line policy that can proactively block unwanted
resource access behaviors before they can be acted upon by the operating system.
The following list contains some of the IPS policy features:
■ Real-time tight confinement of the appliance operating system processes and
common applications, such as the following:
■ nscd - which caches DNS requests to cut down on remote DNS lookups.
■ cron
■ syslog-ng
■ klogd
■ rpcd for NFS
■ rpc.idmapd
About the NetBackup appliance intrusion detection system
■ rpc.mountd
■ rpc.statd
■ rpcbind
■ Self-Protection for the SDCS agent itself to ensure that the security features
and monitoring features of SDCS are not compromised.
■ Lock-down of access to system binaries, except by identified and trusted
applications, users, and user groups.
■ Confinements that protect the system from the applications that try to install
software, such as sbin) or change system configuration settings, such as hosts
file.
■ Prohibits applications from executing critical system calls such as mknod, modctl,
link, mount, and so on.
■ Prohibits unauthorized users or applications from accessing backup data, such

as /advanceddisk, /cat, /disk, /usr/openv/kms,
/opt/NBUAppliance/db/config/data, and so on.
■ Restricted access to the root account by maintenance user. See “Overriding

the NetBackup appliance intrusion prevention system policy” on page 51.
About the NetBackup appliance intrusion

detection system
The appliance intrusion detection system (IDS) consists of a custom Symantec
Data Center Security (SDCS) policy that runs automatically at startup. The IDS
policy is a real-time policy for monitoring significant system events and critical
configuration changes, while optionally taking remediation actions on events of
interest.
The following list contains some of the events that the IDS policy monitors:
■ User logons, logouts, and failed log on attempts
■ Sudo commands
■ User addition, deletion, and password changes
■ User group addition, deletion, and member modifications
■ System auto-start option changes
■ Modifications to all system directories and files, including core system files, core
system configuration files, installation programs, and common daemon files
Reviewing SDCS events on the NetBackup appliance
■ NetBackup services start and stop

■ Detected system attacks from UNIX rootkit file/directory detection, UNIX worm
file/directory detection, malicious module detection, suspicious permission
change detection, and so on
■ Audit of all the NetBackup Appliance Web Console and NetBackup Appliance
Shell Menu activity, including shell operations for maintenance, root, and
NetBackupCLI users.
Reviewing SDCS events on the NetBackup

appliance
You can use the Monitor > SDCS Events page to view the Symantec Data Center
Security (SDCS) logs. These audit logs can help in detecting security breaches and
abnormal activity on the appliance. An event in the audit log includes the following
details:
■ When - Displays the timestamp of the logged event.
■ Who - Displays which user had logged on when the event took place.
■ What - Displays the description of the event and the resource involved.
■ How - Displays the Process Name, Process ID, Operation Permissions, and
Sandbox Details.
■ Severity - Displays the severity of the event.
■ Enforcement Action - Displays whether the event was allowed or denied.
The SDCS events are retrieved and are represented using the severity types that
are described in Table 4-1
Table 4-1 SDCS event severity types
Severity types Description Events example
Information Events with a severity as Info For example the following

contain information about message provides the basic
normal system operation. information relating to a
generic event.
general CLISH message

Event source:
SYSLOG PID: 30315
Complete message:
May 21 06:58:55
nb-appliance
CLISH[30315]:
User admin
executed Return
Notice Events with a severity as An event that helps confirm

Notice contain information the successful execution of
about normal system an event is recorded as a
operation. Notice. For example the
following message helps the
user to understand that the
event has been successfully
executed.
successful SUDO to root

Event source: SYSLOG
[sudo facility]
Command: /bin/su From
Username: AppComm To
Username: root
Port: unknown
Table 4-1 SDCS event severity types (continued)
Severity types Description Events example
Warning Events with a severity as For example, the following

Warning indicate unexpected event helps to identify and
activity or problems that have unexpected activity, like the
already been handled by inbound connection from a
SDCS. These Warning local IP address.
messages might indicate that
a service or application on a Inbound connection allowed from
target computer is functioning <IPaddress> to local address.
improperly with the applied
policy. After investigating the
policy violations, you can
configure the policy and allow
the service or application to
access to the specific
resources if necessary.
Major Events with a severity as For example, the following

Major imply a more serious event helps to identify
effect than Warning and less unauthorized access.
effect than Critical.
General luser message
Event source:SYSLOG Complete
message:
Feb 5 21:57 luser Unauthorized
user by luser
Denying access to system.
Critical Events with a severity as For example, the following

Critical indicate activity or event can help to identify
problems that might require critical events that can affect
administrator intervention to the appliance in an
correct. unexpected manner.
Group Membership for "group1"

CHANGED from 'admin1' to
'admin2'
For more information about retrieving SDCS audit logs, refer to the NetBackup
Appliance Administrator's Guide.
For information about the appliance operating system logs, such as syslogs and
other appliance logs, See “About NetBackup appliance log files” on page 57.
Running SDCS in unmanaged mode on the NetBackup appliance
Running SDCS in unmanaged mode on the

NetBackup appliance
The Symantec Data Center Security (SDCS) implementation on the appliance
operates in an unmanaged mode or a managed mode. The unmanaged mode is
the default mode in which the appliance is configured. In unmanaged mode, the
appliance is protected and audited without the use of an external SDCS server.
Even in an unmanaged mode, both the IDS and IPS policies are applied and the
appliance is protected at startup.
The unmanaged mode is recommended for administrators who are the sole owners
of the appliance and are primarily involved in backup administration.
You can monitor SDCS events from the NetBackup Appliance Web Console
(Monitor > SDCS Events) and the NetBackup Appliance Shell Menu (Main_Menu
> Monitor > SDCS). From these interfaces
Running SDCS in managed mode on the

NetBackup appliance
The SDCS implementation on the appliance can operate in an unmanaged mode
or a managed mode. In managed mode, an external SDCS server is used to
communicate with and manage the SDCS agent on one or more appliances. The
SDCS server uses the same IPS and IDS policies that are used in managed mode.
You can download the SDCS server, console, and policies from the NetBackup
Appliance Web Console.
Managed mode is recommended for use only by security administrators or by
existing SDCS customers who have in-depth knowledge of SDCS.
Benefits of using the managed mode:
■ Helps to provide separate tools that cater to the backup administrator role and
the security administrator role.
■ Provides centralized security management of multiple appliances using a single
SDCS server and console.
■ Provides the ability to archive and export logs.
■ Provides a common console for monitoring, reporting, and setting up alerts.
■ Extends the IPS and IDS policies on top of Symantec baseline to meet your
data center standards.
Overriding the NetBackup appliance intrusion prevention system policy
To configure the appliance in SDCS managed mode

1 If you have not yet downloaded and installed SDCS in your environment, the
server package and console package are available to download directly from
the NetBackup Appliance Web Console under Monitor > SDCS Events. You
need to make sure that the console is available to connect to the SDCS server
and that the server is available to connect to the appliance.
2 Download the IPS and IDS policies from the appliance and import them using
the SDCS console. The policies are available for download directly from the
NetBackup Appliance Web Console under Monitor > SDCS Events.
3 Connect the appliance to the SDCS server. You can connect to the SDCS
server from the NetBackup Appliance Web Console under Monitor > SDCS
Events or from the NetBackup Appliance Shell Menu using under Monitor >
SDCS.
4 Use the SDCS console to apply the IPS and IDS policies to the connected
appliance.
Overriding the NetBackup appliance intrusion

prevention system policy
To discourage accessing the root account, the appliance requires that you first
disable the intrusion prevention system (IPS) policy. For example, using the elevate
command under Support > Maintenance fails unless the IPS policy is disabled.
Warning: Disabling the IPS policy is not recommended as it puts the system at risk
and vulnerable to attack.
You can use the NetBackupCLI user role to run NetBackup commands without
overriding the IPS policy. See “About the NetBackupCLI user role” on page 40.
Note: Overriding the IPS policy disables only the appliance intrusion prevention
system. The appliance intrusion detection system (IDS) logging is still enabled and
every activity under the maintenance account is still logged.
To override the appliance IPS policy

1 Log on to the NetBackup Appliance Shell Menu as an administrator.
2 Enter the Support > Maintenance command to bring up the Maintenance
Mode login prompt. Enter the Maintenance user account password to log into
Maintenance Mode.
app123.Support> Maintenance
<!-- Maintenance Mode --!>
maintenance's password:
3 In Maintenance Mode, type the following command to override the IPS policy:
/opt/Symantec/sdcssagent/IPS/sisipsoverride.sh
The following message is displayed:
Symantec Critical Protection Policy Override
Agent Version: 6.5.0 (build 355)
Current Policy: NetBackup Appliance Prevention Policy, r33
Policy Prevention: Enabled
Policy Override: Allowed
Override State: Not overridden
To override the policy and disable protection,

enter your login password.
Password:
4 Enter the Maintenance user account password. The following options are
displayed:
Choose the type of override that you wish to perform:
1. Override Prevention except for Self Protection
2. Override Prevention Completely
Choice?
5 Enter 1 to override prevention except for self-protection.
Note: Veritas recommends that you use Option 1. Selecting Option 1 allows
modification only to the NetBackup Appliance Shell Menu and not to the SDCS
agent.
The following options are displayed:
Choose the amount of time after which to automatically re-enable:
1. 15 minutes
2. 30 minutes
3. 1 hour
4. 2 hours
5. 4 hours
6. 8 hours
6 Enter the appropriate number from 1 to 7 based on the amount of time that is
required to debug the support case.
The appliance displays the following message:
Enter a comment. Press Enter to continue.
7 Enter a relevant comment as to why the override is required. For example:
Disabling the security policy for

debugging support case no - XYZ
The appliance overrides the policy and displays the following message:
Please wait while the policy is being overridden.

........
The policy was successfully overridden.

maintenance - !> elevate
Re-enabling the NetBackup appliance intrusion prevention system policy
You should now have access to the root account for debugging the appliance.
Re-enabling the NetBackup appliance intrusion

prevention system policy
You can use the following procedure to re-enable the Intrusion Security policy (IPS)
from the maintenance mode.
To re-enable the Symantec Intrusion security policy:
1 Log on to the NetBackup Appliance Shell Menu as an administrator.
2 Enter the Support > Maintenance command to bring up the Maintenance
Mode login prompt. Enter the Maintenance user account password to log into
Maintenance Mode.
app123.Support> Maintenance
<!-- Maintenance Mode --!>
maintenance's password:
3 In Maintenance Mode, type the following command to re-enable the IPS policy:
/opt/Symantec/sdcssagent/IPS/sisipsoverride.sh
Symantec Critical Protection Policy Override
Agent Version: 6.5.0 (build 355)
Current Policy: NetBackup Appliance Prevention Policy, r33
Policy Prevention: Enabled
Policy Override: Allowed
Override State: Overriden
Overide Type: Prevention Overriden except for Self-Protection
Overide User: maintenance
Previous Comment: This is an example.
Auto re-enable in: 13 minutes, 31 seconds
Do you wish to:
1. Re-enable the Policy.

2. Extend the Override Time.
4 Enter 1 to re-enable the IPS policy.

5 Enter a relevant comment, such as:
The policy is re-enabled.
The appliance re-enables the policy and the following message is displayed:
Please wait while the policy is being re-enabled.
......
The policy was successfully re-enabled.

Chapter 5
Log files
■ About NetBackup appliance log files
■ About the Collect Log files wizard
■ Viewing log files using the Support command
■ Where to find NetBackup appliance log files using the Browse command
■ Gathering device logs with the DataCollect command
About NetBackup appliance log files

Log files help you to identify and resolve any issues that you may encounter with
your appliance.
A NetBackup appliance has the ability to capture hardware-, software-, system-,
and performance-related data. Log files capture information such as appliance
operation, issues such as unconfigured volumes or arrays, temperature or battery
issues, and other details.
Table 5-1 describes the methods you can use to access the appliance log files.
Log files 58
About NetBackup appliance log files
Table 5-1 Viewing log files
From... Using... Log details
NetBackup Appliance Web You can use the Collect Log files wizard ■ Logs created by the NetBackup
Console from the NetBackup Appliance Web Copy Logs tool (nbcplogs)
Console to collect log files from an ■ Appliance logs including high
appliance. availability, hardware, and event
See “About the Collect Log files wizard” logs
on page 59. ■ Operating system logs
■ All logs related to Media Server
Deduplication Pool (MSDP)
■ All logs related to the NetBackup
Appliance Web Console
■ Diagnostic information about
NetBackup and the operating
system
■ Hardware and storage device logs
NetBackup Appliance Web You can use the Monitor > SDCS Audit Appliance audit logs
Console View screen from the NetBackup Appliance
Web Console to retrieve the audit logs of
an appliance. See “Reviewing SDCS events
on the NetBackup appliance” on page 47.
NetBackup Appliance Shell Menu You can use the Main > Support > ■ Appliance configuration log
Logs > Browse commands to open the ■ NetBackup logs, Volume Manager
LOGROOT/> prompt. You can use logs, and the NetBackup logs that
commands like ls and cd to work with the are contained in the openv
appliance log directories and obtain the directory
various logs. ■ Appliance operating system (OS)
See “Viewing log files using the Support installation log
command” on page 60. ■ NetBackup administrative web
user interface log and the
NetBackup web server log
■ NetBackup 52xx appliance device
logs
Log files 59
About the Collect Log files wizard
Table 5-1 Viewing log files (continued)
From... Using... Log details
NetBackup Appliance Shell Menu You can use the Main > Support > Appliance unified logs:
Logs > VxLogView Module
■ All
ModuleName commands to access the
■ CallHome
appliance VxUL (unified) logs. You can also
■ Checkpoint
use the Main > Support > Share
Open commands and use the desktop to ■ Commands
map, share, and copy the VxUL logs. ■ Common
■ Config
■ CrossHost
■ Database
■ Hardware
■ HWMonitor
■ Network
■ RAID
■ Seeding
■ SelfTest
■ Storage
■ SWUpdate
■ Trace
■ FTMS
■ TaskService
■ AuthService
NetBackup Appliance Shell Menu You can use the Main > Support > Appliance storage device logs
DataCollect commands to collect
storage device logs.
See “Gathering device logs with the

DataCollect command” on page 62.
NetBackup-Java applications If you encounter problems with the Logs relating to the NetBackup-Java
NetBackup-Java applications, you can use applications
the scripts in this section to gather the
required information for contacting support.
About the Collect Log files wizard

You can use the Collect Log files wizard from the NetBackup Appliance Web
Console to collect log files from an appliance. The wizard lets you collect different
types of log files for NetBackup, the appliance, operating system, NBSU (NetBackup
Support Utility), DataCollect, and others.
Log files 60
Viewing log files using the Support command
You can collect log files from any NetBackup appliance.

After you have generated the log files you can email them to recipients, download
them to your computer, or upload them to Veritas Support.
Refer to the following for information about the Appliance Diagnostics Center:
See “About NetBackup appliance log files” on page 57.
Viewing log files using the Support command

You can use the following section to view the log file information.
To view logs using the Support > Logs > Browse command:
1 Enter browse mode using the Main_Menu > Support > Logs followed by the
Browse command in the NetBackup Appliance Shell Menu. The LOGROOT/>
prompt appears.
2 To display the available log directories on your appliance, type ls at LOGROOT/>
prompt.
3 To see the available log files in any of the log directories, use the cd command
to change directories to the log directory of your choice. The prompt changes
to show the directory that you are in. For example, if you changed directories
to the GUI directory, the prompt appears as LOGROOT/GUI/>. From that prompt
you can use the ls command to display the available log files in the GUI log
directory.
4 To view the files, use the less <FILE> or tail <FILE> command. Files are
marked with <FILE> and directories with <DIR>.
See “Where to find NetBackup appliance log files using the Browse command”
on page 61.
To view NetBackup Appliance unified (VxUL) logs using the Support > Logs
command:
1 You can view the NetBackup Appliance unified (VxUL) logs with the Support
> Logs > VXLogView command. Enter the command into the shell menu and
use one of the following options:
■ Logs VXLogView JobID job_id
Use to display debug information for a specific job ID.
■ Logs VXLogView Minutes minutes_ago
Use to display debug information for a specific timeframe.
■ Logs VXLogView Module module_name
Log files 61
Where to find NetBackup appliance log files using the Browse command
Use to display debug information for a specific module.
2 If you want, you can copy the unified logs with the Main > Support > Share
Open command. Use the desktop to map, share, and copy the logs.
Note: The NetBackup Appliance unified logs are not the same as the NetBackup
unified logs, such as nbpem or nbjm. NetBackup Appliance has its own set of unified
logs. To collect the NetBackup unified logs, use the Collect Logs Wizard and select
NetBackup.
You can also use the Main_Menu > Support > Logs commands to do the following:
■ Upload the log files to Veritas Technical Support.
■ Set log levels.
■ Export or remove CIFS and NFS shares.
Note: The NetBackup Appliance VxUL logs are no longer archived by a cron job,
or a scheduled task. In addition, log recycling has been enabled, and the default
number of log files has been set to 50.
Refer to the NetBackup Appliance Command Reference Guide for more information
on the above commands.
Where to find NetBackup appliance log files using

the Browse command
Table 5-2 provides the location of the logs and the log directories that are accessible
with the Support > Logs > Browse command.
Table 5-2 NetBackup appliance log file locations
Appliance log Log file location
Configuration log <DIR> APPLIANCE
config_nb_factory.log
Selftest report <DIR> APPLIANCE
selftest_report
Log files 62
Gathering device logs with the DataCollect command
Table 5-2 NetBackup appliance log file locations (continued)
Appliance log Log file location
Host change log <DIR> APPLIANCE
hostchange.log
NetBackup logs, Volume Manager logs, and <DIR> NBU

the NetBackup logs that are contained in the
■ <DIR> netbackup
openv directory
■ <DIR> openv
■ <DIR> volmgr
Operating system (OS) installation log <DIR> OS
boot.log
boot.msg
boot.omsg
messages
NetBackup deduplication (PDDE) <DIR> PD

configuration script log
pdde-config.log
NetBackup Administrative web user interface <DIR> WEBGUI

log and the NetBackup web server log
■ <DIR> gui
■ <DIR> webserver
Device logs /tmp/DataCollect.zip
You can copy the DataCollect.zip to

your local folders using the Main >
Support > Logs > Share Open
command.
Gathering device logs with the DataCollect

command
You can use the DataCollect command from the Main > Support shell menu to
gather device logs. You can share these device logs with the Veritas Support team
to resolve device-related issues.
Log files 63
Along with the operating system, IPMI, and storage logs, the DataCollect command
now collects the following logs as well:
■ Patch logs
■ File System logs
■ Test hardware logs
■ CPU information
■ Disk performance logs
■ Memory information
■ Hardware information
To gather device logs with the DataCollect command
1 Log on to the administrative NetBackup Appliance Shell Menu.
2 Open the Support menu. To open the support menu, use the following
command:
Main > Support
The appliance displays all the sub-tasks in the support menu.

Log files 64
3 Enter the DataCollect command to gather storage device logs.

The appliance initiates the following procedure:
appliance123.Support > DataCollect

Gathering release information
Gathering dmidecode logs
Gathering ipmitool sel list logs
Gathering fwtermlog logs
Gathering AdpEventLog logs
Gathering smartctl logs
Gathering disk performance logs
Gathering ipmiutil command output
Gathering cpu information
Gathering memory information
Gathering sdr logs
Gathering adpallinfo logs
Gathering encinfo logs
Gathering cfgdsply logs
Gathering ldpdinfo logs
Gathering pdlist logs
Gathering fru logs
Gathering adpbbucmd logs
Gathering os logs
Gathering adpalilog logs
Gathering dfinfo logs
Gathering vxprint logs
Gathering Test Hardware logs
Gathering patch logs
All logs have been collected in /tmp/DataCollect.zip

Log file can be collected from the appliance shared folder
- \\appliance123\logs\APPLIANCE
Share can be opened using Main->Support->Logs->Share Open
=======================End of DataCollect==================
All logs have been collected in /tmp/DataCollect.zip
The appliance generates the device log in the /tmp/DataCollect.zip file.

Log files 65
4 Copy the DataCollect.zip to your local folders using the Main > Support
> Logs > Share Open command.
5 You can send the DataCollect.zip file to the Veritas Support team to resolve
your issues.
Chapter 6
Operating system security
■ About NetBackup appliance operating system security
■ Major components of the NetBackup appliance OS
■ Disabled service accounts on the NetBackup appliance
■ Vulnerability scanning of the NetBackup appliance
About NetBackup appliance operating system

security
The NetBackup appliances run a customized Linux operating system (OS) provided
by Veritas. Each NetBackup appliance software release includes the latest appliance
OS and NetBackup software. In addition to regular security patches and updates,
the appliance OS includes the following security enhancements and features:
■ An updated and trimmed Red Hat Enterprise Linux (RHEL)-based OS platform
that enables the packaging and installation of all the necessary software
components on a compatible and a robust hardware platform.
■ Symantec Data Center Security: Server Advanced (SDCS) intrusion prevention
and intrusion detection software that hardens the appliance OS and protects
the backup data by isolating and sandboxing each process and all system files.
■ Regular scan of the NetBackup appliance with industry-recognized vulnerability
scanners. Any discovered vulnerabilities are patched in regular releases of the
appliance software and with emergency engineering binaries (EEBs). If security
threats are identified between release schedules, you can contact Veritas Support
for a known resolution.
■ Nonusers and unused service accounts are removed or disabled.
Operating system security 67
Major components of the NetBackup appliance OS
■ The appliance OS includes edited kernel parameters that secure the appliance
against attacks such as denial of service (DoS). For example, the sysctl setting
net.ipv4.tcp_syncookies has been added to /etc/sysctl.conf configuration
file to implement TCP SYN cookies.
■ Unnecessary runlevel services are disabled. The appliance OS uses runlevels
to determine the services that should be running and to allow specific work to
be done on the system.
■ FTP, telnet, and rlogin (rsh) are disabled. Usage is limited to ssh, scp, and
sftp.
■ TCP forwarding for SSH is disabled with the addition of AllowTcpForwarding

no and X11Forwarding no to /etc/ssh/sshd_config.
■ IP forwarding is disabled on the appliance OS and does not allow routing on

the TCP/IP stack. This feature prevents a host on one subnet from using the
appliance as a router to access a host on another subnet.
■ The NetBackup appliance does not allow IP aliasing (configuring multiple IP
addresses) on the network interface. This feature prevents access to multiple
network segments on one NIC port.
■ The UMASK value determines the file permission for newly created files. It
specifies the permissions which should not be given by default to the newly
created file. Although the default value of UMASK in most UNIX systems is 022,
UMASK is set to 077 for the NetBackup Appliance.
■ The permissions of all the world-writable files that are found in the appliance
OS are searched and fixed.
■ The permissions of all the orphaned and unowned files and directories that are
found in the appliance OS are searched and fixed.
Major components of the NetBackup appliance

OS
Table 6-1 lists the major software components of the appliance operating system:
Disabled service accounts on the NetBackup appliance
Table 6-1 List of major software components included in the NetBackup

appliance OS version 2.7.2
Software component Version
Red Hat Enterprise Linux (RHEL) 6.6

Note: The appliance OS incorporates several
software packages and updates from RHEL 6.7.
Veritas NetBackup 7.7.2
Veritas Storage Foundation 6.2

Note: The Veritas Storage Foundation installation
is modified and tuned for maximum performance
on the appliance.
Symantec Data Center Security: Server 6.5

Advanced (SDCS)
Veritas Perl 5.16.1.27
Java Runtime Environment (JRE) 1.8.0_66
Apache Tomcat 8.0.26
RabbitMQ 3.5.0-1
Intel IPMI Utils 2.9.5-1
Intel IPMI Tools 1.8.11-28
Disabled service accounts on the NetBackup

appliance
The following list of service accounts have been disabled in the NetBackup appliance
operating system:
■ Batch jobs daemon
■ bin
■ daemon
■ DHCP server daemon
■ FTP account
■ User for haldaemon
Vulnerability scanning of the NetBackup appliance
■ User for OpenLDAP

■ Mailer daemon
■ Manual pages viewer
■ User for D-BUS
■ Name server daemon
■ News system
■ nobody
■ NTP daemon
■ PolicyKit
■ Postfix Daemon
■ SSH daemon
■ Novell Customer Center User
■ UNIX-to-UNIX CoPy system
■ wwwrun WWW daemon Apache
■ NBE Web service ntbecmlpi
Vulnerability scanning of the NetBackup appliance

Veritas regularly tests the NetBackup appliances with industry-recognized
vulnerability scanners. Any new vulnerabilities that pose a security threat to the
appliance are then patched in routine software releases. For high-severity
vulnerabilities, Veritas may choose to issue a patch in an emergency engineering
binary (EEB) to urgently address a potential security threat. Table 6-2 lists the
software products that were used to scan NetBackup appliance software version
2.7.2.
Table 6-2 Software used to scan NetBackup appliances
Security scanner Version
Nessus™ 6.5.0
QualysGuard™ 7.17.21-1
Trustwave App Scanner™ 8.0.0

Chapter 7
Data security
■ About Data Security
■ About Data Integrity
■ About Data Classification
■ About Data Encryption
About Data Security

NetBackup Appliances support policy driven mechanism to protect data on clients
as well as NetBackup servers. The following measures are implemented to improve
data security by avoiding data leaks and improving protection:
■ Real-time intrusion detection mechanisms are in place to audit access to
confidential data stored on NetBackup Appliance.
■ Logging and real-time tracking of all restores.
■ Access to the backed up data is authorized to only appliance users and
processes.
■ NetBackup Appliance ensures that all backup data in the Deduplication Pool
(MSDP) are marked with Cyclic Redundancy Check (CRC) digital signatures
when the backup takes place. A maintenance task continuously re-computes
the CRC digital signatures and compares it with the original signature to detect
if there has been any unwanted tampering or corruption in the Deduplication
Pool.
■ Unintended access to appliance storage is prevented by password protecting
logins to the appliance.
■ Access to shared data limited to authorized users only and NetBackup processes.
Data security 71
About Data Integrity
See “Disabled service accounts on the NetBackup appliance” on page 68.

■ Usage of HTTPS protocol and port 443 to connect to the Veritas AutoSupport
server to upload hardware and software information using the Call Home feature.
Veritas Technical Support uses this information to resolve any issues that you
might report. This information is retained for 90 days and purged at the Veritas
Secure Operations Center.
■ Support “Checkpoints” that lets you easily roll back the entire system to a point
in time to undo any misconfiguration. The checkpoint captures the following
components:
■ Appliance operating system
■ Appliance software
■ NetBackup software
■ Tape media configuration on the master server
■ Networking configuration
■ LDAP configuration if it exists
■ Fiber channel configuration
■ Any previously applied patches
Note: Critical components like NetBackup Catalog, KMS database, or NBAC

database may need additional configuration.
NetBackup Appliance software has no in-built transmission/session security unless

it is HTTP (Web service) protocol. Veritas recommends deploying VPN (Virtual
Private Networks) solutions like IPSec, between NetBackup hosts if appliance
software is running in an untrusted network environment.
About Data Integrity

The Deduplication Pool storage in NetBackup Appliance provides the following data
integrity checks to ensure that successful data restores:
Continuous end-to-end verification of backup data, stored

in the Deduplication Pool
Any inadvertent data modifications that can cause data corruption are automatically
detected and rectified if possible. Any unrecoverable data corruption issues are
reported to the storage administrator by the NetBackup Console’s Disk Reports UI
(NetBackup Administration Console > Reports > Disk Reports).
Data security 72
About Data Classification
Continuous Cyclic Redundancy Check (CRC) verification

of backup data, stored in the Deduplication Pool
A CRC value is computed for each object created for the backup job in the
Deduplication pool. A background process continuously verifies the CRC signatures
to ensure that backup data is not tampered with and can be restored successfully
when needed. The deduplication pool design naturally isolates any data corruption
from uncorrupted portions of the pool, preventing corruption from spreading
throughout the deduplication pool.
About Data Classification

A data classification represents a set of backup requirements, which makes it easier
to configure backups for data with different requirements. For example, a backup
with a gold classification must go to a storage lifecycle policy with a gold data
classification. The NetBackup Appliance supports the same data classification
attributes as NetBackup.
The NetBackup Data Classification attribute specifies the classification of the storage
lifecycle policy that stores the backup. For example, a backup with a gold
classification must go to a storage unit with a gold data classification.
NetBackup provides the following default data classifications:
■ Platinum
■ Gold
■ Silver
■ Bronze
This attribute is optional and applies only when the backup is to be written to a
storage lifecycle policy. If the list displays No data classification, the policy uses
the storage selection that is displayed in the Policy storage list. If a data
classification is selected, all the images that the policy creates are tagged with the
classification ID.
About Data Encryption

The NetBackup Appliance offers the following encryption methodologies to protect
both data at rest and in flight:
■ Transmit data in encrypted formats and using secure tunnels. These
configurations can be made by client-side encryption and also replication. If
these options are not used, once the data is out of NetBackup Appliances we
rely on Network infrastructure for securing data in flight.
Data security 73
■ Provides blowfish128-bit encryption in MSDP and allows encryption of each

block with a unique key, further enhancing security.
■ Supports encryption using NetBackup Key Management Service (KMS) which
is integrated with NetBackup Enterprise Server 7.1. See “KMS support ”
on page 73.
■ Supports NetBackup Access Control (NBAC) functionality that incorporates the
NetBackup Product Authentication and Authorization into NetBackup Appliance
master servers.
KMS support
The NetBackup Appliance supports encryption managed by NetBackup Key
Management Service (KMS) which is integrated with NetBackup Enterprise Server
7.1. With version 2.6 and later, KMS is supported on a NetBackup Appliance
configured as a Master or a Media Server. Regenerating the data encryption key
is the only supported method of recovering KMS on an Appliance Master Server.
It has the following key features:
■ It does not require an additional license.
■ It is a master server-based symmetric key management service.
■ It can be administered as a Master Server with tape devices connected to it or
to another NetBackup Appliance.
■ It manages symmetric cryptography keys for tape drives, that conform to the
T10 standard (such as LTO4 or LTO5).
■ It is designed to use volume pool-based tape encryption.
■ It can be used with tape hardware, that has built-in hardware encryption
capability.
■ It can be managed by a NetBackup CLI administrator using the NetBackup
Appliance Shell Menu or the KMS Command Line Interface (CLI).
Note: In the versions earlier than 2.6 of the NetBackup Appliance, KMS is only
supported when the appliance is configured as a Media Server. A non-Appliance
Master Server is required to administrate KMS with devices connected to a
NetBackup Appliance.
About the keys used under KMS

The KMS generates keys from passcodes or auto-generates keys. The Table 7-1
lists the files associated with KMS that hold the information about the keys.
Data security 74
Table 7-1 KMS files
KMS Description Location

files
Key file This is the most important file for KMS. It contains /usr/openv/kms/db/KMS_DATA.dat
or key the data encryption keys.
database
Host It contains the encryption key that encrypts and /usr/openv/kms/key/KMS_HMKF.dat

Master protects the KMS_DATA.dat key file using AES
Key 256.
Key It is the encryption key that encrypts and protects /usr/openv/kms/key/KMS_KPKF.dat

Protection individual records in the KMS_DATA.dat key file
Key using AES 256. Currently the same key protection
key is used to encrypt all of the records.
Chapter 8
Web security
■ About SSL certification
■ Implementing third-party SSL certificates
About SSL certification

The Secure Socket Layer protocol creates an encrypted connection between your
appliances web server and your LDAP server or your local servers allowing for
information to be transmitted without the problems of eavesdropping, data tampering,
or message forgery. To enable SSL on your NetBackup Appliance Web Console,
you need an SSL certificate that identifies you and installs it on the appliance's web
server.
Veritas NetBackup appliances use self-signed certificates for client and host
validation. The key algorithm that is used to generate the SSL certificate key is
SHA1 with RSA. All the Low strength ciphers, such as, SSLv2 and Diffie-Hellman
are disabled.
You can also set the SSL certificates for an LDAP PAM Authentication module that
enables you to establish a secure connection, between the NetBackup Appliance
LDAP PAM module and the LDAP server.
Third-party certificates
You can manually add and implement third-party certificates for the Web service
support. The appliance uses the Java keystore as the repository of security
certificates. A Java keystore (JKS) is a repository of security certificates, like
authorization certificates or public key certificates that are used for instance in SSL
encryption.
Web security 76
Implementing third-party SSL certificates
Note: The procedure to implement third-party certificates varies with the type of
PKCS (Public-key Cryptography Standards) used. For more information on
implementing third-party certificates using PKCS# 7 and PKCS# 12 standard formats,
refer to the NetBackup Appliance Administrator's Guide.

You can manually add and implement third-party certificates for the web service
support. The appliance uses the Java KeyStore as the repository of security
certificates. A Java KeyStore (JKS) is a repository of security certificates, like the
authorization certificates or the public key certificates that are used for instance in
SSL encryption. If you want to implement third-party certificates, use the following
procedure:
To implement third-party SSL certificates:
1 Prepare keystore file for web services. The procedure varies with the type of
PKCS (Public-key Cryptography Standards) you use, the following table
describes the steps to use PKCS# 7 and PKCS# 12 standard formats
PKCS format Preparing keystore files
PKCS#7 or X.509 You can use the following link:

format https://knowledge.verisign.com/support/ssl-certificates-support/index.html
Web security 77
PKCS format Preparing keystore files
PKCS#12 format 1 Convert PEM formatted x509 Cert and Key to a PKCS# 12,
using the following commands:
openssl pkcs12 export -in server.crt -inkey

server.key -out server.p12 -name some-alias
-CAfile ca.crt -caname root
For more information on openssl usage, refer to

http://www.openssl.org/.
Note: Ensure that you put a password on the PKCS #12 file.
When the password is not applied to the file, you may get a
null reference exception when you try to import the file
2 Convert the pkcs12 file to a Java Keystore using the following

commands:
keytool -importkeystore -deststorepass

changeit -destkeypass changeit -destkeystore
server.keystore -srckeystore server.p12
-srcstoretype PKCS12 -srcstorepass some-
password -alias some-alias
For more information on keytool usage, refer to

http://docs.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html
2 Shutdown web service using the following command:

/etc/init.d/nbappws stop
3 Replace the existing keystore file with your new keystore file. The default file
name is /opt/SYMCnbappws/Security/keystore.
4 Correct the following information in the configuration files:
■ Change the keystoreFile and keystorePass settings in the
/opt/SYMCnbappws/config/server.xml.
■ Change the keystoreFile and keystorePass settings in the

/opt/SYMCnbappws/webserver/conf/server.xml.
■ Change the javax.net.ssl.trustStore and

javax.net.ssl.trustStorePassword settings in the
/opt/SYMCnbappws/bin/startgui.sh.
5 Startup web service using the following command:

/etc/init.d/nbappws start
Chapter 9
Network security
■ About IPsec Channel Configuration
■ About the NetBackup Appliance 52xx ports
About IPsec Channel Configuration

The NetBackup Appliance uses IPsec channels to secure communication between
two appliances, thus helping to secure data in transit. All other communication
between NetBackup Appliance and non-appliance, like the NetBackup master
servers, would be non-IPsec.
IPsec security works at IP level and allows securing IP traffic between two hosts.
Device certificates are provisioned to the Master and Media appliances, these
certificates are then enabled for configuring IPsec channels. This enables a secure
interaction of the master and media servers. The device certificates used are x509
certificates issued by Versign CA.
The appliance performs the following validation checks before establishing IPsec
channel:
■ Validate the authenticity of the certificates using the x509 cert validate.
■ Validate whether the device certificate corresponds to the IP.
■ Validate and update security associations in both directions of the
communication.
The hosts are detected after the device certificates are recognized. Only after this
is IPsec channel is configured and enabled.
Network security 79
About IPsec Channel Configuration
Managing IPsec configuration

You can use the following commands from the NetBackup Appliance Shell Menu
to manage IPsec channel:
Table 9-1 IPsec commands
Command Description
Network > Security > You can use this command to configure IPsec between
Configure any two hosts. You can define the hosts by the host name.
You can also identify them by the user ID and password.
Network > Security > You can use this command to remove IPsec policies for
Delete a list of remote hosts on a local system. You can use this
command to remove IPsec policies for a list of remote
hosts on a local system. Remove IPsec policies for a list
of remote hosts on a local system. Use the Hosts variable
to define one or more host names. Use a comma to
separate multiple host names.
Network > Security > Use this command to export the IPsec credentials. The
Export EnterPasswd field is used to answer the question, "Do
you want to enter a password?". You must enter
a value of yes or no in this field. In addition, you must
specify a path that defines where you want to place the
exported credentials.
Note: The IPsec credentials are removed during a
reimage process. The credentials are unique for each
appliance and are included as part of the original factory
image. The IPsec credentials are not included on the USB
drive that is used to reimage the appliance.
Network > Security > Use this command to import the IPsec credentials.
Import
The EnterPasswd field is used to answer the question,
"Do you want to enter a password?". You must
enter a value of yes or no in this field. In addition, you
must specify a path that defines where you want to place
the imported credentials.
Network > Security > Use this command to provision IPsec policies for a list of
Provision remote hosts on a local system. Use the Hosts variable
to define one or more host names. Use a comma to
separate multiple host names.
Network security 80
About the NetBackup Appliance 52xx ports
Table 9-1 IPsec commands (continued)
Command Description
Network > Security Use this command to reload the IPsec configuration. The
(IPsec) > Refresh [Auto] option defines whether the configurations on all
referenced hosts are refreshed or not. You can enter
[Auto] or [NoAuto]. The default value is [NoAuto].
Network > Security > Show Display the IPsec policies for a local host or a provided
host. The [[Verbose]] option is used to define whether
the output is verbose or not. The values that you can enter
in this field are [VERBOSE] or [NoVERBOSE]. The default
value is [NoVERBOSE]. The [[HostInfo] ]option can
contain the following information that is separated by a
comma. The host name, the user ID (optional), and the
password (optional).
Network > Security > Use this command to unconfigure IPsec between any two
Unconfigure hosts. The Host1Info variable can contain the
following information that is separated by a comma. The
host name, the user ID (optional), and the password
(optional). The [Host2info] variable can contain the
host name, the user ID (optional), and the password
(optional).
You can use the Main > Network > Security command from the NetBackup
Appliance Shell Menu to configure the IPSec channel between two hosts. For more
information of configuring IPsec channels, refer to the NetBackup Appliance
Command Reference Guide.

In addition to the ports used by NetBackup, the 52xx appliances also provide for
both in-band and out-of-band management. The out-of-band management is through
a separate network connection, the Remote Management Module (RMM), and the
Intelligent Platform Management Interface (IPMI). Open these ports through the
firewall as appropriate to allow access to the management services from a remote
laptop or KVM (keyboard, video monitor, mouse).
Network security 81
Warning: The NetBackup Appliance Web Console is now available only over
HTTPS on the default port 443; port 80 over HTTP has been disabled. Please use
https://<appliance-name> to log in to the Web Console, where appliance-name
is the fully qualified domain name (FQDN) of the Appliance and can also be an IP
address.
Table 9-2 lists the ports open for inbound communication to the NetBackup
Appliance.
Table 9-2 Inbound ports
Port Service Description
22 ssh In-band management CLI
80 HTTP In-band management GUI
443 HTTPS In-band management GUI
80 HTTP Out-of-band management

(ISM+ or RM*)
443 HTTPS Out-of-band management

(ISM+ or RM*)
5900 KVM CLI access, ISO & CDROM

redirection
623 KVM (optional, used if open)
7578 RMM CLI access
5120 RMM ISO & CD-ROM redirection
5123 RMM Floppy redirection
7582 RMM KVM
5124 HTTPS CD ROM
5127 USB or Floppy
2049 HTTPS NFS++
445 CIFS (for the Log/Install

shares)
+ NetBackup Integrated storage manager

* Veritas Remote Management – Remote Console
Network security 82
++ Once the NFS service is shut down, the vulnerability scanners do not pick up
these ports as threats.
Note: Ports 7578, 5120, and 5123 are for the unencrypted mode. Ports 7528, 5124,
and 5127 are for the encrypted mode.
Table 9-3 list the ports outbound from the appliance to allow alerts and notifications
to the indicated servers.
Table 9-3 Outbound ports
Port Service Description
443 HTTPS Call Home notifications to

Veritas
162** SNMP Outbound traps and alerts
443 HTTPS Download SDCS certificate
** This port number can be changed within the appliance configuration to match
the remote server.
A complete list of all the applicable ports is available in the NetBackup Network
Ports Reference Guide.
Chapter 10
Call Home security
■ About AutoSupport
■ About Call Home
■ About SNMP
About AutoSupport
The AutoSupport feature lets you register the appliance and your contact details
at the Veritas support website . Veritas support uses this information to resolve any
issue that you report. The information allows Veritas support to minimize downtime
and provide a more proactive approach to support.
Provide the registration details for your appliance using one of the following
provisions:
■ The MyAppliance portal before you install the appliance
■ The appliance initial configuration on the Registration page
■ The NetBackup Appliance Web Console by navigating to Settings > Notification
> Registration page
■ The NetBackup Appliance Shell Menu by running the Settings > Alerts >
CallHome Registration command. For more information about this command,
refer to the NetBackup Appliance Command Reference Guide.
You can register by entering the following basic information:
■ Name: Your name, company name
■ Address, where the appliance is physically located: City, street, state, ZIP Code
■ Contact information: Phone number, email address
Call Home security 84
About Call Home
The support infrastructure is designed to allow Veritas support to help you in the
following ways:
■ Proactive monitoring lets Veritas support to automatically create cases, fix issues,
and dispatch any appliance parts that might be at risk.
■ The AutoSupport infrastructure within Veritas analyzes the Call Home data from
appliance. This analysis provides proactive customer support for hardware
failures, reducing the need for backup administrators to initiate support cases.
■ With AutoSupport ability, Veritas support can begin to understand how customers
configure and use their appliances, and where improvements would be most
beneficial.
■ Send and receive status and alert notifications for the appliance.
■ Receive hardware and software status using Call Home.
■ Provide more insight into the issues and identify any issues that might further
occur as a result of the existing issue.
■ View reports from the Call Home data to analyze patterns of hardware failure,
and see usage trends. The appliance sends health data every 30 minutes.
The information that you provide for appliance registration helps Veritas support to
initiate resolution of any issue that you report. However, if you want to provide
additional details such as a secondary contact, phone, rack location, and so on,
you can visit https://my.veritas.com.
About Call Home

Your appliance can connect with a Veritas AutoSupport server and upload hardware
and software information. Veritas support uses this information to resolve any issues
that you might report. The appliance uses the HTTPS protocol and uses port 443
to connect to the Veritas AutoSupport server. This feature of the appliance is referred
to as Call Home. It is enabled by default.
AutoSupport in appliance uses the data that is gathered by Call Home to provide
proactive monitoring for the appliance. If Call Home is enabled, the appliance
uploads hardware and software information (or the Call Home data) to Veritas
AutoSupport server periodically at an interval of 24 hours by default.
If you determine that you have a problem with a piece of hardware, you might want
to contact Veritas support. The Technical Support engineer uses the serial number
of your appliance and assesses the hardware status from the Call Home data. To
know the serial number of your appliance from theNetBackup Appliance Web
Console, go to the Monitor > Hardware > Health details page. To determine the
serial number of your appliance using the shell menu, go to the Monitor > Hardware
About Call Home
commands. For more information about the Monitor > Hardware commands, refer
to the NetBackup Appliance Command Reference Guide.
Use the Settings > Notification page to configure Call Home from the NetBackup
Appliance Web Console. Click Alert Configuration and enter the details in the
Call Home Configuration pane.
Table 10-1 describes how a hardware failure is reported when the feature is enabled
or disabled.
Table 10-1 What happens when Call Home is enabled or disabled
Monitoring status Hardware failure routine
Call Home enabled When a hardware failure occurs, the following sequence of
alerts occur:
■ The appliance uploads all the monitored hardware and

software information to a Veritas AutoSupport server. The
list following the table contains all the relevant information.
■ The appliance generates 3 kinds of email alerts to the
configured email address.
■ An error message by email to notify you of the
hardware failure once an error is detected.
■ A resolved message by email to inform you of any
hardware failure once an error is resolved.
■ A 24-hour summary by email to summarize all of the
currently unresolved errors in the recent 24 hours.
■ The appliance also generates an SNMP trap.
Call Home disabled No data is sent to the Veritas AutoSupport server. Your
system does not report hardware errors to Veritas to enable
faster problem resolution.
The following list contains all the information that is monitored and sent to Veritas
AutoSupport server for analysis.
■ CPU
■ Disk
■ Fan
■ Power supply
■ RAID group
■ Temperatures
■ Adapter
About Call Home
■ PCI
■ Fibre Channel HBA
■ Network card
■ Partition information
■ MSDP statistics
■ Storage connections
■ Storage status
■ 52xx Storage Shelf - Status of disk, fan, power supply, and temperature
■ 5330 Primary Storage Shelf - Status of disk, fan, power supply, temperature,
battery backup unit (BBU), controller, volume, and volume group
■ 5330 Expansion Storage Shelf - Status of disk, fan, power supply, and
temperature
■ NetBackup Appliance software version
■ NetBackup version
■ Appliance model
■ Appliance configuration
■ Firmware versions
■ Appliance, storage, and hardware component serial numbers
See “Configuring Call Home from the NetBackup Appliance Shell Menu” on page 86.
See “About AutoSupport ” on page 83.
Configuring Call Home from the NetBackup Appliance Shell Menu

You can configure the Call Home details from the Settings > Notification page.
You can configure the following Call Home settings from the NetBackup Appliance
Shell Menu:
■ Enabling and disabling Call Home from the NetBackup Appliance Shell Menu
■ Configuring a Call Home proxy server from the NetBackup Appliance Shell Menu
■ Testing whether or not Call Home works correctly by running the Settings >
Alerts > CallHome > Test command.
If you enable Call Home, you can use the Settings > Alerts > CallHome
Registration command to configure the contact details for your appliance by
entering the following information:
About Call Home
■ The name of the person who is the first point of contact and responsible for the
appliance.
■ The address of the contact person.
■ The phone number of the contact person.
■ The email address of the contact person.
To learn more about the Main > Settings > Alerts > CallHome commands,
refer to theNetBackup Appliance Command Reference Guide.
For a list of the hardware problems that cause an alert, see the following topics:
See “About Call Home” on page 84.
Enabling and disabling Call Home from the NetBackup Appliance

Shell Menu
You can enable or disable Call Home from both, the NetBackup Appliance Web
Console and the NetBackup Appliance Shell Menu. Call Home is enabled by default.
To enable or disable Call Home from the NetBackup Appliance Shell Menu
1 Log on to the NetBackup Appliance Shell Menu.
2 To enable Call Home, run the Main > Settings > Alerts > CallHome
Enable command.
3 To disable Call Home, run the Main > Settings > Alerts > CallHome
Disable command.
For more information on Main > Settings > Alerts > CallHome commands,
refer to the NetBackup Appliance Command Reference Guide.
Configuring a Call Home proxy server from the NetBackup Appliance

Shell Menu
You can configure a proxy server for Call Home, if required. If the appliance
environment has a proxy server between the environment and external Internet
access, you must enable the proxy settings on the appliance. The proxy settings
include both a proxy server and a port. The proxy server must accept https
connections from the Veritas AutoSupport server. This option is disabled by default.
To add a Call Home proxy server from the NetBackup Appliance Shell Menu
1 Log on to NetBackup Appliance Shell Menu.
2 To enable proxy settings, run the Main > Settings > Alerts > CallHome
Proxy Enable command.
About Call Home
3 To add a proxy server, run the Main > Settings > Alerts > CallHome
Proxy Add command.
■ You are prompted to enter the name of the proxy server. The proxy server
name is the TCP/IP address or the fully qualified domain name of the proxy
server.
■ After you have entered a name for the proxy server, you are prompted to
enter the port number for the proxy server.
■ Further, you are required to answer the following:
Do you want to set credentials for proxy server? (yes/no)
■ On answering yes, you are prompted to enter a user name for the proxy
server.
■ After you have entered the user name, you are prompted to enter a
password for the user. On entering the required information, the following
message is displayed:
Successfully set proxy server
4 To disable proxy settings, run the Main > Settings > Alerts > CallHome
Proxy Disable command.
Further, you can also use the NetBackup Appliance Shell Menu to enable or disable
proxy server tunneling for your appliance. To do so, run the Main > Settings >
CallHome Proxy EnableTunnel and Main > Settings > Alerts > CallHome
Proxy DisableTunnel commands. Proxy server tunneling lets you provide a secure
path through an untrusted network.
Understanding the Call Home workflow

This section explains the mechanism that Call Home uses to upload data from your
appliance to the Veritas AutoSupport server.
Call Home uses HTTPS (secure and encrypted protocol) with port number 443 for
all communication with Veritas AutoSupport servers. For Call Home to work correctly,
ensure that your appliance has Internet access either directly, or through a proxy
server to reach the Veritas AutoSupport servers. AutoSupport, a mechanism that
monitors the appliance proactively, uses the Call Home data to analyze and resolve
any issues that the appliance may encounter.
All communications are initiated by the appliance. Your appliance needs access to
https://receiver.appliance.veritas.com.
About SNMP
The appliance Call Home feature uses the following workflow to communicate with
AutoSupport servers:
■ Access a port to https://receiver.appliance.veritas.com every 24 hours.
■ Perform a self-test operation to https://receiver.appliance.veritas.com.
■ If the appliance encounters an error state, all hardware logs from past three
days are gathered along with the current log.
■ The logs are then uploaded to the Veritas AutoSupport server for further analysis
and support. These error logs are also stored on the appliance. You can access
these logs from /log/upload/<date> folder.
■ If the error state persists three days later, the logs will be re-uploaded.
See “About Call Home” on page 84.
See “About AutoSupport ” on page 83.
About SNMP
The Simple Network Management Protocol (SNMP) is an application layer protocol
that facilitates the exchange of management information between network devices.
It uses either the Transmission Control Protocol (TCP) or the User Datagram
Protocol (UDP) for transport, depending on configuration. SNMP enables network
administrators to manage network performance, find and solve network problems,
and plan for network growth.
SNMP is based on the manager model and agent model. This model consists of a
manager, an agent, a database of management information, managed objects, and
the network protocol.
The manager provides the interface between the human network manager and the
management system. The agent provides the interface between the manager and
the physical devices being managed.
The manager and agent use a Management Information Base (MIB) and a relatively
small set of commands to exchange information. The MIB is organized in a tree
structure with individual variables, such as point status or description, being
represented as leaves on the branches. A numeric tag or object identifier (OID) is
used to distinguish each variable uniquely in the MIB and in SNMP messages.
NetBackup Appliance 2.7.2 supports SNMP v2.
About the Management Information Base (MIB)

Each SNMP element manages specific objects with each object having specific
characteristics. Each object and characteristic has a unique object identifier (OID)
About SNMP
that is associated with it. Each OID consists of the numbers that are separated by
decimal points (for example, 1.3.6.1.4.1.2682.1).
These OIDs form a tree. A MIB associates each OID with a readable label and
various other parameters that are related to the object. The MIB then serves as a
data dictionary that is used to assemble and interpret SNMP messages. This
information is saved as a MIB file.
You can check the details of the SNMP MIB file from the Settings > Notifications
> Alert Configuration page of the NetBackup Appliance Web Console. To configure
the appliance SNMP manager to receive hardware monitoring related traps, click
View SNMP MIB file in the SNMP Server Configuration pane.
You can also view the SNMP MIB file with the Settings > Alerts > SNMP ShowMIB
command in the NetBackup Appliance Shell Menu.
Chapter 11
IPMI security
■ Introduction to IPMI configuration
■ Recommended IPMI settings
■ Replacing the default IPMI SSL certificate
Introduction to IPMI configuration

You can configure the IPMI sub-system for your appliances. The Intelligent Platform
Management Interface (IPMI) sub-system is beneficial when an unexpected power
outage shuts down the connected system. This sub-system operates independently
of the operating system and can be connected by using the remote management
port, located on the rear panel of the appliance.
You can configure the IPMI sub-system and the Veritas Remote Management tool
using the BIOS setup. The Veritas Remote Management tool provides an interface
to use the remote management port. It lets you monitor and manage your appliance
from a remote location.
Recommended IPMI settings

This section lists the recommended IPMI settings to ensure a secure IPMI
configuration.
Users
The following recommendations must be kept in mind while creating IPMI users:
■ Don’t allow accounts with null user name or password.
■ Recommended to have one administrative user.
IPMI security 92
Recommended IPMI settings
■ Recommended to disable anonymous user.

■ Recommended to delete vendor accounts and create your own user name and
passwords.
■ Recommended to set 16-20 characters of password on each user to avoid brute
force attacks
Login
The following recommendations must be kept in mind while creating applying login
settings for the IPMI users:
Table 11-1 Login security settings
Settings Recommended values
Failed login attempts 3
User Lockout time (min) 60 seconds
Force HTTPS Yes
The 'Force HTTPS' check-box must be enabled to ensure that

the IPMI connection always takes place over HTTPS.
Web Session Timeout 1800
LDAP Settings
Veritas recommends that you should enable LDAP authentication, if possible in
your environment.
SSL Upload
Veritas recommends that you import a new/custom ssl certificate.
Remote Session
Table 11-2 Remote session security settings
Settings Recommended values
KVM Encryption AES
Media Encryption Enable
Cipher recommendation
■ Do NOT set cipher to zero on the IPMI channel
IPMI security 93
Replacing the default IPMI SSL certificate
Warning: If the cipher 0 enabled on a channel, it allows anyone to perform any

IPMI action with no authentication, effectively subverting IPMI security entirely.
Disable it at all costs.
■ Only use ciphers 3, 8, and 12.
Ethernet connection settings

Recommended to have a dedicated Ethernet connection for IPMI, that is you should
avoid sharing the server’s physical connection.
■ Use a static IP
■ Avoid DHCP
Disable Services that aren’t used

In future version of IPMI, you will have the ability to disable SSH and HTTP services
from the Veritas Remote Management Console or the command line interface.
For more information, refer to
http://www.intel.com/content/www/us/en/servers/ipmi/ipmi-home.html.

Veritas recommends that the default IPMI SSL certificate used to access the IPMI
web interface be replaced with either a certificate signed by a trusted internal or
external Certificate Authority (in PEM format), or by a self-signed certificate. You
can use the following procedure to create a minimal self-signed certificate on a
Linux computer and import it into the IPMI web interface:
IPMI security 94
To create a minimal self-signed certificate on a Linux computer and import it

into the IPMI web interface:
1 Run the following command to generate the private key called ipmi.key:
$ openssl genrsa -out ipmi.key 2048
Generating RSA private key, 2048 bit long modulus
.....+++
.+++
e is 65537 (0x10001)
IPMI security 95
2 Generate a certificate signing request called ipmi.csr using ipmi.key, filling

in each field with their appropriate values:
Note: To avoid extra warnings in your browser, set the CN to the fully qualified
domain name of the IPMI interface. You are about to enter is what is called a
Distinguished Name or a DN.
$ openssl req -new -key ipmi.key -out ipmi.csr
Refer to the following guidelines to enter information to be incorporated into

your certificate request:
Country Name (2 letter Enter your Country's name. For example, US.
code) [AU]:
State or Province Name Enter your State's or Province's name. For example, OR.
(full name)
[Some-State]:
Locality Name (eg, city) Enter your Locality name. For example, Springfield.
[]:
Organization Name (eg, Enter your Organization's name. For example, Veritas.
company) [Internet
Widgits Pty Ltd]:
Organizational Unit Enter your Organization Unit's name.

Name (eg, section) []:
Common Name (eg, Enter hostname.your.company.

YOUR name) []:
Email Address []: Enter your email address. For example,

email@your.company .
A challenge password Enter the appropriate challenge password, which is the extra
[]: attribute to be sent with your certificate request.
An optional company Enter the appropriate optional company name, which is the
name []: extra attribute to be sent with your certificate request.
Note: Enter '.', to leave any field blank.

IPMI security 96
3 Sign ipmi.csr with ipmi.key and create a certificate called ipmi.crt that is
valid for 1 year:
$ openssl x509 -req -in ipmi.csr
-out ipmi.crt -signkey ipmi.key
-days 365
Signature ok
subject=/C=US/ST=OR/L=Springfield
/O=Veritas/OU=Your OU/
CN=hostname.your.company/
emailAddress=email@your.company
Getting Private key
4 Concatenate ipmi.crt and ipmi.key to create a certificate in PEM format

called ipmi.pem.
$ cat ipmi.crt ipmi.key > ipmi.pem
5 Copy ipmi.pem to a host that has access to the appliance's IPMI web interface.
6 Login to your Veritas Remote Management (IPMI web interface).
7 Click Configuration > SSL.
The appliance displays the SSL Upload page.
8 From the SSL Upload page, click Choose File to import the certificate.
9 Select the ipmi.pem and click Upload.
10 A warning may appear that says an SSL certificate already exists, press OK
to continue.
11 To import the key, click Choose File again (notice it says New Privacy Key
next to the button).
12 Select the ipmi.pem and click Upload.
IPMI security 97
13 A confirmation appears stating that the certificate and key were uploaded
successfully, press OK to restart the Web service.
14 Close and reopen the Veritas Remote Management (IPMI web interface)
interface to verify that the new certificate is being presented.
Appendix A
Software packages
included in the NetBackup
appliance OS
This appendix includes the following topics:
■ List of software packages included in the NetBackup appliance OS
List of software packages included in the

NetBackup appliance OS
The appliance operating system (OS) is based on a Veritas-customized version of
Red Hat Enterprise Linux (RHEL). To improve security, performance, and stability,
Veritas has only included the RHEL packages that are necessary for the function
of the appliance. Table A-1 includes a list of the RHEL software packages that are
included in the appliance OS.
Software packages included in the NetBackup appliance OS 99
List of software packages included in the NetBackup appliance OS
Table A-1 List of software packages included in the NetBackup appliance

OS

OS (continued)
abrt gtk libxml python-libs

abrt-addon-ccpp gzip libxml2-python python-lxml
abrt-addon-kerneloops hal libXpm python-paramiko
abrt-addon-python hal-info libXpm-devel python-pycurl
abrt-cli hal-libs libXrandr python-rhsm
abrt-libs hdparm libXrender python-slip
abrt-python hicolor-icon-theme libxslt python-slip-dbus
abrt-tui hunspell libXt python-tdb
acl hunspell-en lm_sensors python-tevent4
acpid hwdata lm_sensors-devel python-urlgrabber
aic94xx ifplugd lm_sensors-libs ql2100-firmware
alsa-lib info lockdev ql2200-firmware
atk initscripts logrotate ql23xx-firmware
atmel-firmware iotop lrzsz ql2400-firmware
attr ipmitool lsof ql2500-firmware
audit iproute lsscsi quota
audit-libs iptables ltrace rarian
audit-libs iptables-ipv6 lua rarian-compat
augeas-libs iputils lvm rdate
authconfig ipw2100 lvm2-libs readahead
avahi-glib ipw2200 lzo readline
avahi-libs irqbalance m2crypto redhat-indexhtml
b43-fwcutter iscsi-initiator-utils m4 redhat-logos
b43-openfwwf isomd5sum mailcap redhat-release-server
basesystem ivtv-firmware mailx redhat-rpm-config
bash iw make redhat-support-lib-python
bc iwl100-firmware MAKEDEV redhat-support-tool
bfa-firmware iwl1000-firmware man rfkill
bind-libs iwl3945-firmware man-pages rhn-check
bind-utils iwl4965-firmware man-pages-overrides rhn-client-tools
binutils iwl5000-firmware mdadm rhn-setup
biosdevname iwl5150-firmware microcode_ctl rhnlib
blktrace iwl6000-firmware mingetty rhnsd
bridge-utils iwl6000g2a-firmware minicom rng-tools
btparser iwl6050-firmware mlocate rootfiles
busybox jasper module-init-tools rpcbind
bzip2 jasper-libs mozilla-filesystem rpm
bzip2-libs json-c mpfr rpm-build
ca-certificates kbd mtools rpm-devel
cairo kbd-misc mtr rpm-libs
cas kernel mysql-libs rpm-python
checkpolicy kernel-devel nano rsh
chkconfig kernel-firmware ncurses rsh-server

OS (continued)
cifs-utils kernel-headers ncurses-base rsync

cloog-ppl kexec-tools ncurses-libs rsyslog
cmatrix keyutils net-snmp rt61pci-firmware
compat-glibc keyutils-libs net-snmp-devel rt73usb-firmware
compat-glibc-headers keyutils-libs-devel net-snmp-libs samba
compat-libstdc++ kmod-megasr net-snmp-perl samba-client
ConsoleKit kpartx net-snmp-python samba-common
ConsoleKit-libs krb5-devel net-snmp-utils samba-winbind
ConsoleKit-x11 krb5-libs net-tools samba-winbind-clients
coreutils krb5-pkinit-openssl newt satyr
coreutils-libs krb5-workstation newt-python sblim-cmpi-samba
cpio ksh nfs-utils sblim-tools-libra
cpp latrace nfs-utils-lib scl-utils
cpuspeed ledmon nmap screen
cracklib less nscd sed
cracklib-dicts Lib_Utils nspr selinux-policy
crash libacl nss selinux-policy-targeted
crash-trace-command libaio nss-pam-ldapd setserial
crda libaio-devel nss-softokn setup
createrepo libattr nss-softokn-freebl setuptool
cronie libblkid nss-sysinit sg3_utils
cronie-anacron libcap nss-tools sg3_utils-libs
crontabs libcap-ng nss-util sgml-common
cryptsetup-luks libcom_err ntp sgpio
cryptsetup-luks-libs libcom_err-devel ntpdate shadow-utils
cups-libs libcurl ntsysv shared-mime-info
curl libdaemon numactl slang
cvs libdrm OpenIPMI smartmontools
cyrus-sasl libedit OpenIPMI-libs snappy
cyrus-sasl-lib liberation-fonts-common
openldap sos
cyrus-sasl-plain liberation-sans-fonts openldap-clients sqlite
dash libertas-usb8388-firmware
openslp startup-notification
db4 libevent openssh strace
db4-utils libffi openssh-clients subscription-manager
dbus libfprint openssh-server sudo
dbus-glib libgcc openssl syslinux
dbus-libs libgcrypt openssl-devel syslinux-nonlinux
dbus-python libglade openssl098e sysstat
deltarpm libgomp ORBit system-config-firewall
desktop-file-utils libgpg-error p11-kit system-config-firewall-base
device-mapper libgssglue p11-kit-trust system-config-firewall-tui
device-mapper-event libgudev pam_krb5 system-config-kdump
device-mapper-event-libs
libICE pam_ldap system-config-network-tui
device-mapper-libs libIDL pam_passwdqc systemtap

OS (continued)
device-mapper-persistent-data
libidn pam systemtap-client
dhclient libjpeg-turbo pango systemtap-devel
dhcp-common libldb parted systemtap-initscript
diffutils libldb-devel passwd systemtap-runtime
dmidecode libnih patch systemtap-sdt-devel
dmraid libnl pciutils systemtap-server
dmraid-events libpcap pciutils-libs sysvinit-tools
docbook-dtds libpciaccess pcmciautils tar
dos2unix libpng pcre tcl
dosfstools libproxy perl tcp_wrappers
dracut libproxy-bin perl-Compress-Raw-Bziptcp_wrappers-devel
dracut-kernel libproxy-python perl-Compress-Raw-Zlibtcp_wrappers-libs
e2fsprogs libreport perl-Compress-Zlib tcpdump
e2fsprogs-libs libreport-cli perl-HTML-Parser tcsh
ed libreport-compat perl-HTML-Tagset telnet
efibootmgr libreport-filesystem perl-IO-Compress-Base time
eggdbus libreport-plugin-kerneloops
perl-IO-Compress-Bzip tmpwatch
eject libreport-plugin-logger
perl-IO-Compress-Zlib tog-pegasus
elfutils libreport-plugin-mailxperl-libs tog-pegasus-libs
elfutils-devel libreport-plugin-reportuploader
perl-libwww-perl trace-cmd
elfutils-libelf libreport-plugin-rhtsupport
perl-Module-Pluggable traceroute
elfutils-libelf-devel libreport-plugin-ureport
perl-Parse-Yapp tzdata
elfutils-libs libreport-python perl-Pod-Escapes udev
ethtool libselinux perl-Pod-Simple unzip
expat libselinux-devel perl-URI upstart
expect libselinux-python perl-version usbutils
file libselinux-utils perl-XML-Parser usermode
file-devel libsemanage perl-XML-XPath ustr
file-libs libsepol pinentry util-linux-ng
filesystem libsepol-devel pinfo valgrind
findutils libSM pixman vconfig
fipscheck libss pkgconfig vim-common
fipscheck-lib libssh plymouth vim-enhanced
fontconfig libstdc++ plymouth-core-libs vim-filesystem
fontpackages-filesystem
libtalloc plymouth-scripts vim-minimal
fprintd libtalloc-devel pm-utils virt-what
fprintd-pam libtar policycoreutils vlock
freetype libtasn polkit w3m
gamin libtdb popt wget
gawk libtdb-devel popt-devel which
gc libtevent portreserve wireless-tools
gcc libtevent-devel postfix words
GConf libthai ppl xcb-util
gd libtiff prelink xdg-utils

OS (continued)
gdb libtirpc procps xinetd

gdbm libtool-ltdl psacct xml-common
gdk-pixbuf libtool-ltdl-devel psmisc xmlrpc-c
genisoimage libudev pth xmlrpc-c-client
gettext libusb pycairo xmlsec
glib libusb pygobject xmlsec1-openssl
glibc libuser pygpgme xorg-x11-drv-ati-firmware
glibc-common libutempter pygtk xorg-x11-proto-devel
glibc-devel libuuid pygtk2-libglade xulrunner
glibc-headers libX11 pykickstart xz
glibc-utils libX11-common pyldb xz-devel
gmp libX11-devel pyOpenSSL xz-libs
gnome-doc-utils-stylesheets
libXau pytalloc xz-lzma-compat
gnome-user-docs libXau-devel python yelp
gnome-vfs libxcb python-argparse yp-tools
gnupg libxcb-devel python-crypto ypbind
gnutls libXcomposite python-dateutil yum
gpgme libXcursor python-decorator yum-metadata-parser
gpm-libs libXdamage python-deltarpm yum-plugin-security
grep libXext python-dmidecode yum-rhn-plugin
groff libXfixes python-ethtool yum-utils
grub libXft python-gudev zd1211-firmware
grubby libXi python-iniparse zip
libXinerama python-iwlib zlib
zlib-devel
Index
A D
Active Directory user data classification 72
configure authentication 25 data encryption 72
AD supported users KMS support 73
configure server 27 data integrity 71
pre-requisites 27 CRC verification 72
appliance log files end-to-end verification 71
Browse command 61 data security 70
appliance security datacollect
about 10 device logs 62
authentication
AD 20 I
LDAP 20
intrusion detection system
local user 20
about 46
NIS
intrusion prevention system
Kerberos 20
about 45
authorization 35
IPMI security
Administrator 39
recommendations 91
NetBackupCLI user 40
IPMI SSL certificate 93
AutoSupport
IPS policy
customer registration 83
override 51
re-enable 54
B IPsec
Browse command network security 78
appliance log files 61
K
C Kerberos
Call Home authenticate NIS 28
alerts 84
workflow 88 L
Call Home proxy server
LDAP supported users
configuring 87
configure server 26
Collect Log files 59
pre-requisites 26
collect logs
LDAP user
commands 60
configure authentication 24
datacollect 62
local user
log file location 60
configure authentication 23
types of logs 60
log files
introduction 57
Index 105
login banner T
about 29 third party SSL certificates 76
appliance 29
NetBackup 29
U
user 18
M Active Directory 25
Management Information Base (MIB) 89 add 37
admin 18
N Administrator 18
NetBackupCLI AppComm 18
commands 41 authorize 36
network security Kerberos-NIS 25
IPsec 78 LDAP 24
NIS supported users local 23
configure server 28 Maintenance 18
pre-requisites 28 manage role
NIS user permissions 37
configure authentication 25 NetBackupCLI 18
notifications 84 root 18
sisips 18
user authentication
O configure 23
operating system guidelines 26
disabled services 68 user group
major components 67 add 37
security highlights 66 manage role
software packages 98 permissions 37
user name credentials 30
P user role privileges
password NetBackup appliance 38
credentials 30
encryption 30 W
privileges wizard
user role 38 Collect Log files 59
R
replacing
IPMI SSL certificate 93
root 51
S
Simple Network Management Protocol (SNMP) 89
Symantec Data Center Security
about 43
IDS policy 46
IPS policy 45
managed mode 43, 50
unmanaged mode 43, 50

NetBackup 52xx and 5330 Appliance Security Guide - 2.7.2

Uploaded by

Document Informationclick to expand document information

Copyright:

Available Formats

NetBackup 52xx and 5330 Appliance Security Guide - 2.7.2

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

NetBackup 52xx and 5330 Appliance Security Guide - 2.7.2

Uploaded by

Copyright:

Available Formats

Veritas NetBackup™

Appliance Security Guide

NetBackup 52xx and 5330

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED

Contacting Technical Support

Licensing and registration

Worldwide (except Japan) CustomerCare@veritas.com

Technical Support ............................................................................................ 4

Chapter 1 About the NetBackup Appliance Security Guide

About the NetBackup Appliance Security Guide .................................. 10

Chapter 2 User authentication ........................................................... 18

Chapter 3 User authorization ............................................................. 35

About user authorization on the NetBackup appliance .......................... 35

Chapter 4 Intrusion prevention and intrusion detection

About Symantec Data Center Security on the NetBackup

Running SDCS in unmanaged mode on the NetBackup

Chapter 5 Log files ................................................................................ 57

About NetBackup appliance log files ................................................. 57

Chapter 6 Operating system security .............................................. 66

About NetBackup appliance operating system security ......................... 66

Chapter 7 Data security ....................................................................... 70

About Data Security ...................................................................... 70

Chapter 8 Web security ....................................................................... 75

About SSL certification .................................................................. 75

Chapter 9 Network security ................................................................ 78

About IPsec Channel Configuration .................................................. 78

Chapter 10 Call Home security ............................................................ 83

Chapter 11 IPMI security ....................................................................... 91

Introduction to IPMI configuration ..................................................... 91

Appendix A Software packages included in the NetBackup

Index .................................................................................................................. 104

■ About the NetBackup Appliance Security Guide

About the NetBackup Appliance Security Guide

NetBackup appliance user authentication

Table 1-1 Sections featuring authentication

Section name Description Link

About authenticating This section describes the prerequisites See “About

About authenticating This section describes the prerequisites See “About

About authenticating This section describes the prerequisites See “About

NetBackup Appliance user authorization

Table 1-2 Sections on authorization

Section name Description Link

NetBackup Appliance intrusion prevention and intrusion

Table 1-3 Sections on IPS and IDS policies

Section name Description Link

Table 1-3 Sections on IPS and IDS policies (continued)

Section name Description Link

NetBackup Appliance log files

Table 1-4 Working log sections

Section name Description Link

Table 1-4 Working log sections (continued)

Section name Description Link

NetBackup Appliance operating system security

Section name Description Link

Vulnerability This section lists some of the security See “Vulnerability

NetBackup Appliance data security

Table 1-6 Data security sections

Section name Description Link

NetBackup Appliance web security