Veritas NetBackup™ Security and Encryption Guide

Last Published:
Product(s): NetBackup (9.0.0.1, 9.0)
  1. Read this first for secure communications in NetBackup
    1.  
      About secure communication in NetBackup
    2.  
      How NetBackup CA-signed certificates (or host ID-based certificates) are deployed during installation
    3.  
      How secure communication works with master server cluster nodes
    4.  
      About NetBackup clients installed on nodes of a clustered application
    5.  
      How NetBackup certificates are deployed on hosts during upgrades
    6.  
      When an authorization token is required during certificate deployment
    7.  
      Why do you need to map host names (or IP addresses) to host IDs
    8.  
      How to reset host attributes or host communication status
    9.  
      What has changed for catalog recovery
    10.  
      What has changed with Auto Image Replication
    11.  
      How the hosts with revoked certificates work
    12.  
      Are NetBackup certificates backed up
    13.  
      Can you configure external certificates for master server
    14.  
      How secure communication works with master server cluster nodes using external certificates
    15.  
      How revocation lists work for external certificates
    16.  
      How communication happens when a host cannot directly connect to the master server
    17.  
      How NetBackup 8.1 or later hosts communicate with NetBackup 8.0 and earlier hosts
    18.  
      How communication with legacy media servers happens in the case of cloud configuration
    19. Communication failure scenarios
      1.  
        Failure during communication with 8.0 or earlier hosts
      2.  
        Catalog backup failure
    20.  
      Secure communication support for other hosts in NetBackup domain
    21.  
      Communication between NetBackup 8.1 or later master server and OpsCenter server
    22.  
      Secure communication support for BMR
    23.  
      Configuration for VMware backups that protect SQL Server and backups with SQL Servers that use multiple NICs
  2. Increasing NetBackup security
    1.  
      About NetBackup security and encryption
    2.  
      NetBackup security implementation levels
    3.  
      World-level security
    4.  
      Enterprise-level security
    5.  
      Datacenter-level security overview
    6.  
      NetBackup Access Control (NBAC)
    7.  
      Combined world, enterprise, and data center levels
    8.  
      NetBackup security implementation types
    9.  
      Operating system security
    10.  
      NetBackup security vulnerabilities
    11.  
      Standard NetBackup security
    12.  
      Client side encryption security
    13.  
      NBAC on master, media server, and graphical user interface security
    14.  
      NBAC complete security
  3. Security deployment models
    1.  
      Workgroups
    2.  
      Single datacenters
    3.  
      Multi-datacenters
    4.  
      Workgroup with NetBackup
    5.  
      Single datacenter with standard NetBackup
    6.  
      Single datacenter with client side encryption
    7.  
      Single datacenter with NBAC on master and media servers
    8.  
      Single datacenter with NBAC complete
    9.  
      Multi-datacenter with standard NetBackup
    10.  
      Multi-datacenter with client side encryption
    11.  
      Multi-datacenter with NBAC on master and media servers
    12.  
      Multi-datacenter with NBAC complete
  4. Auditing NetBackup operations
    1.  
      About NetBackup auditing
    2.  
      Viewing the current audit settings
    3. About audit events
      1.  
        Viewing audit events
      2.  
        Audit Events tab
      3.  
        Viewing audit event details
      4.  
        Audit Events Details dialog box
      5.  
        Viewing audit event status
      6.  
        Troubleshooting auditing issues related to the Access History tab
    4.  
      Audit retention period and catalog backups of audit records
    5.  
      Viewing the detailed NetBackup audit report
    6.  
      User identity in the audit report
    7.  
      Disabling auditing
    8.  
      Audit alert notification for audit failures (NetBackup Administration Console)
    9.  
      Send audit events to system logs
  5. Section I. Identity and access management
    1. About identity and access management
      1.  
        About access control in NetBackup
    2. AD and LDAP domains
      1.  
        Adding AD or LDAP domains in NetBackup
      2.  
        Troubleshooting AD or LDAP domain configuration issues
      3.  
        Certificate authorities trusted by the NetBackup Authentication Service
    3. API keys
      1.  
        About API keys
      2.  
        Creating API keys
      3.  
        Managing an API key
      4. Using an API key
        1.  
          Setting an API key environment variable to run NetBackup commands
    4. Auth.conf file
      1.  
        Authorization file (auth.conf) characteristics
    5. Role-based access control (RBAC)
      1.  
        About role-based access control (RBAC) in NetBackup
      2.  
        Configuring RBAC
      3.  
        Default RBAC roles
      4.  
        Add a custom RBAC role
      5.  
        Edit or remove a role a custom role
      6.  
        View users in RBAC
      7.  
        Add a user to a role (non-SAML)
      8.  
        Add a user to a role (SAML)
      9.  
        Remove a user from a role
    6. Smart card or digital certificate
      1.  
        Configure user authentication with smart cards or digital certificates
      2.  
        Edit the configuration for smart card authentication
      3.  
        Add or delete a CA certificate that is used for smart card authentication
      4.  
        Disable or temporarily disable smart card authentication
    7. Single Sign-On (SSO)
      1.  
        About Single Sign-On (SSO) configuration
      2. Configure NetBackup for Single Sign-On (SSO)
        1.  
          Configure the Java KeyStore
        2.  
          Add and enable the IDP configuration
        3.  
          Enroll the NetBackup master server with the IDP
        4.  
          Manage an IDP configuration
    8. Enhanced Auditing
      1.  
        About Enhanced Auditing
      2.  
        Enabling Enhanced Auditing
      3. Configuring Enhanced Auditing
        1.  
          Connecting to a media server with Enhanced Auditing
        2.  
          Changing a server across NetBackup domains
        3.  
          Configuration requirements if using Change Server with NBAC or Enhanced Auditing
      4.  
        Disabling Enhanced Auditing
      5.  
        Managing users with Enhanced Auditing
      6.  
        User authentication with Enhanced Auditing
      7.  
        Impact of Enhanced Auditing on NetBackup Administration Console authorization
    9. NetBackup Access Control Security (NBAC)
      1.  
        About using NetBackup Access Control (NBAC)
      2.  
        NetBackup access management administration
      3.  
        About NetBackup Access Control (NBAC) configuration
      4. Configuring NetBackup Access Control (NBAC)
        1.  
          NBAC configuration overview
        2.  
          Configuring NetBackup Access Control (NBAC) on standalone master servers
        3.  
          Installing the NetBackup master server highly available on a cluster
        4.  
          Configuring NetBackup Access Control (NBAC) on a clustered master server
        5.  
          Configuring NetBackup Access Control (NBAC) on media servers
        6.  
          Installing and configuring NetBackup Access Control (NBAC) on clients
        7.  
          About including authentication and authorization databases in the NetBackup hot catalog backups
        8.  
          NBAC configure commands summary
        9.  
          Unifying NetBackup Management infrastructures with the setuptrust command
        10.  
          Using the setuptrust command
      5. Configuring Access Control host properties for the master and media server
        1.  
          Authentication Domain tab
        2.  
          Authorization Service tab
        3.  
          Network Attributes tab
      6. Access Control host properties dialog for the client
        1.  
          Authentication Domain tab for the client
        2.  
          Network Attributes tab for the client
      7.  
        Using NetBackup Access Control (NBAC) with Auto Image Replication
      8. Troubleshooting Access Management
        1.  
          Troubleshooting NBAC issues
        2.  
          Configuration and troubleshooting tips for NetBackup Authentication and Authorization
        3. Windows verification points
          1.  
            Master server verification points for Windows
          2.  
            Media server verification points for Windows
          3.  
            Client verification points for Windows
        4. UNIX verification points
          1.  
            UNIX master server verification
          2.  
            UNIX media server verification
          3.  
            UNIX client verification
        5. Verification points in a mixed environment with a UNIX master server
          1.  
            Master server verification points for a mixed UNIX master server
          2.  
            Media server verification points for a mixed UNIX master server
          3.  
            Client verification points for a mixed UNIX master server
        6. Verification points in a mixed environment with a Windows master server
          1.  
            Master server verification points for a mixed Windows master server
          2.  
            Media server verification points for a mixed Windows master server
          3.  
            Client verification points for a mixed Windows master server
        7.  
          About the nbac_cron utility
        8.  
          Using the nbac_cron utility
      9.  
        Using the Access Management utility
      10. About determining who can access NetBackup
        1.  
          Individual users
        2.  
          User groups
        3.  
          NetBackup default user groups
        4. Configuring user groups
          1.  
            Creating a new user group
          2.  
            Creating a new user group by copying an existing user group
          3.  
            Renaming a user group
          4.  
            Adding a new user to the user group
        5. About defining a user group and users
          1.  
            Logging on as a new user
          2.  
            Assigning a user to a user group
          3.  
            About authorization objects and permissions
      11. Viewing specific user permissions for NetBackup user groups
        1.  
          Granting permissions
        2.  
          Authorization objects
        3.  
          Media authorization object permissions
        4.  
          Policy authorization object permissions
        5.  
          Drive authorization object permissions
        6.  
          Report authorization object permissions
        7.  
          NBU_Catalog authorization object permissions
        8.  
          Robot authorization object permissions
        9.  
          Storage unit authorization object permissions
        10.  
          DiskPool authorization object permissions
        11.  
          BUAndRest authorization object permissions
        12.  
          Job authorization object permissions
        13.  
          Service authorization object permissions
        14.  
          HostProperties authorization object permissions
        15.  
          License authorization object permissions
        16.  
          Volume group authorization object permissions
        17.  
          VolumePool authorization object permissions
        18.  
          DevHost authorization object permissions
        19.  
          Security authorization object permissions
        20.  
          Fat server authorization object permissions
        21.  
          Fat client authorization object permissions
        22.  
          Vault authorization object permissions
        23.  
          Server group authorization object permissions
        24.  
          Key management system (kms) group authorization object permissions
      12.  
        Upgrading NetBackup Access Control (NBAC)
  6. Section II. Encryption of data in transit
    1. NetBackup CA and NetBackup certificates
      1.  
        Overview of security certificates in NetBackup
      2.  
        About secure communication in NetBackup
      3. About the Security Management utilities
        1.  
          About login activity
      4. About host management
        1.  
          Hosts tab
        2.  
          Adding host ID to host name mappings
        3.  
          Add or Remove Host Mappings dialog box
        4.  
          Removing host ID to host name mappings
        5.  
          Mappings for Approval tab
        6.  
          Viewing auto-discovered mappings
        7.  
          Mapping Details dialog box
        8.  
          Approving host ID to host name mappings
        9.  
          Rejecting host ID to host name mappings
        10. Adding shared or cluster mappings
          1.  
            About shared or cluster mapping scenarios
        11.  
          Add Shared or Cluster Mappings dialog box
        12.  
          Resetting NetBackup host attributes
        13. Allowing or disallowing automatic certificate reissue
          1.  
            Configuring validity of the autoreissue parameter for a host
        14.  
          Adding or deleting comment for a host
      5. About global security settings
        1.  
          About secure communication settings
        2.  
          Disabling insecure communication
        3.  
          About insecure communication with 8.0 and earlier hosts
        4.  
          About communication with 8.0 or earlier host in multiple NetBackup domains
        5.  
          Automatically mapping host ID to host names and IP addresses
        6.  
          About disaster recovery settings
        7.  
          Setting a passphrase to encrypt disaster recovery packages
        8.  
          Disaster recovery packages
      6. About host name-based certificates
        1.  
          Deploying host name-based certificates
      7. About host ID-based certificates
        1.  
          Web login requirements for nbcertcmd command options
        2. Using the Certificate Management utility to issue and deploy host ID-based certificates
          1.  
            Viewing host ID-based certificate details
        3. About NetBackup certificate deployment security levels
          1.  
            Configuring the certificate deployment security levels
        4.  
          Automatic host ID-based certificate deployment
        5.  
          Deploying host ID-based certificates
        6.  
          Deploying host ID-based certificates in an asynchronous manner
        7.  
          Implication of clock skew on certificate validity
        8. Setting up trust with the master server (Certificate Authority)
          1.  
            Finding and communicating the fingerprint of the certificate authority
        9.  
          Forcing or overwriting certificate deployment
        10.  
          Retaining host ID-based certificates when reinstalling NetBackup on non-master hosts
        11.  
          Deploying certificates on a client that has no connectivity with the master server
        12.  
          About host ID-based certificate expiration and renewal
        13.  
          Deleting sensitive certificates and keys from media servers and clients
        14.  
          Cleaning host ID-based certificate information from a host before cloning a virtual machine
        15. About reissuing host ID-based certificates
          1.  
            Creating a reissue token
          2.  
            Changing the key pair for a host
      8. About Token Management for host ID-based certificates
        1.  
          Creating authorization tokens
        2.  
          Deleting authorization tokens
        3.  
          Viewing authorization token details
        4.  
          About expired authorization tokens and cleanup
      9. About the host ID-based certificate revocation list
        1.  
          Refreshing the CRL on the master server
        2.  
          Refreshing the CRL on a NetBackup host
      10. About revoking host ID-based certificates
        1.  
          Removing trust between a host and a master server
        2.  
          Revoking a host ID-based certificate
        3.  
          Determining a NetBackup host's certificate state
        4.  
          Getting a list of NetBackup hosts that have revoked certificates
      11.  
        Deleting host ID-based certificates
      12. Host ID-based certificate deployment in a clustered setup
        1. About deployment of a host ID-based certificate on a clustered NetBackup host
          1.  
            Host ID-based certificate deployment on the active master server node
          2.  
            Host ID-based certificate deployment on inactive master server nodes
        2.  
          Deploying host ID-based certificates on cluster nodes
        3.  
          Revoking a host ID-based certificate for a clustered NetBackup setup
        4.  
          Deploying a host ID-based certificate on a clustered NetBackup setup using reissue token
        5.  
          Creating a reissue token for a clustered NetBackup setup
        6.  
          Renewing a host ID-based certificate on a clustered NetBackup setup
        7.  
          Viewing certificate details of a clustered NetBackup setup
        8.  
          Removing CA certificates from a clustered NetBackup setup
        9.  
          Generating a certificate on a clustered master server after disaster recovery installation
      13.  
        About the communication between a NetBackup client located in a demilitarized zone and a master server through an HTTP tunnel
      14.  
        Adding a NetBackup host manually
      15. Migrating NetBackup CA
        1.  
          Setting the required key strength before installation or upgrade using the NB_KEYSIZE environment variable
        2.  
          Migrating NetBackup CA when the entire NetBackup domain is upgraded to NetBackup 8.3
        3.  
          Manually migrating NetBackup CA after installation or upgrade
        4.  
          Establishing communication with clients that do not have new CA certificates after CA migration
        5.  
          Viewing a list of NetBackup CAs in the domain
        6.  
          Viewing the CA migration summary
        7.  
          Decommissioning the inactive NetBackup CA
    2. External CA and external certificates
      1. About external CA support in NetBackup
        1.  
          Command-line options used for external certificate configuration
      2.  
        Workflow to use external certificates for NetBackup host communication
      3. Configuration options for external CA-signed certificates
        1. ECA_CERT_PATH for NetBackup servers and clients
          1.  
            Specifying Windows certificate store for ECA_CERT_PATH
        2.  
          ECA_TRUST_STORE_PATH for NetBackup servers and clients
        3.  
          ECA_PRIVATE_KEY_PATH for NetBackup servers and clients
        4.  
          ECA_KEY_PASSPHRASEFILE for NetBackup servers and clients
        5.  
          ECA_CRL_CHECK for NetBackup servers and clients
        6.  
          ECA_CRL_PATH for NetBackup servers and clients
        7.  
          ECA_CRL_PATH_SYNC_HOURS for NetBackup servers and clients
        8.  
          ECA_CRL_REFRESH_HOURS for NetBackup servers and clients
        9.  
          ECA_DISABLE_AUTO_ENROLLMENT for NetBackup servers and clients
        10.  
          ECA_DR_BKUP_WIN_CERT_STORE for NetBackup servers and clients
      4. About certificate revocation lists for external CA
        1.  
          How CRLs from ECA_CRL_PATH are used
        2.  
          How CRLs from CDP URLs are used
      5. About certificate enrollment
        1.  
          About automatic enrollment of an external certificate
      6.  
        About viewing enrollment status of master servers
      7. Configuring an external certificate for the NetBackup web server
        1.  
          Updating or renewing external certificate for the web server
        2.  
          Removing the external certificate configured for the web server
      8.  
        Configuring the master server to use an external CA-signed certificate
      9.  
        Configuring a NetBackup host (media server, client, or cluster node) to use an external CA-signed certificate after installation
      10.  
        Enrolling an external certificate for a remote host
      11.  
        Viewing the certificate authorities that your NetBackup domain supports
      12.  
        Viewing external CA-signed certificates in the NetBackup web UI
      13.  
        Renewing a file-based external certificate
      14.  
        Removing certificate enrollment
      15.  
        Disabling the NetBackup CA in a NetBackup domain
      16.  
        Enabling the NetBackup CA in a NetBackup domain
      17.  
        Disabling an external CA in a NetBackup domain
      18.  
        Changing the subject name of an enrolled external certificate
      19. About external certificate configuration for a clustered master server
        1.  
          Workflow to use external certificates for a clustered master server
        2. Configuration options for external CA-signed certificates for a virtual name
          1.  
            CLUSTER_ECA_CERT_PATH for clustered master server
          2.  
            CLUSTER_ECA_TRUST_STORE_PATH for clustered master server
          3.  
            CLUSTER_ECA_PRIVATE_KEY_PATH for clustered master server
          4.  
            CLUSTER_ECA_KEY_PASSPHRASEFILE for clustered master server
        3.  
          Configuring an external certificate for a clustered master server
    3. Regenerating keys and certificates
      1.  
        About regenerating keys and certificates
      2.  
        Regenerating NetBackup authentication broker keys and certificates
      3.  
        Regenerating host identity keys and certificates
      4.  
        Regenerating web service keys and certificates
      5.  
        Regenerating nbcertservice keys and certificates
      6.  
        Regenerating tomcat keys and certificates
      7.  
        Regenerating JWT keys
      8.  
        Regenerating NetBackup gateway certificates
      9.  
        Regenerating web trust store certificates
      10.  
        Regenerating VMware vCenter plug-in certificates
      11.  
        Regenerating NetBackup Administrator Console session certificates
      12.  
        Regenerating OpsCenter keys and certificates
      13.  
        Regenerating NetBackup encryption key file
  7. Section III. Encryption of data at rest
    1. Data at rest encryption security
      1.  
        Data at rest encryption terminology
      2.  
        Data at rest encryption considerations
      3.  
        Destination types for encryption of data at rest
      4.  
        Encryption security questions to consider
      5.  
        Comparison of encryption options
      6. About NetBackup client encryption
        1.  
          Installation prerequisites for encryption security
        2. About running an encryption backup
          1.  
            About choosing encryption for a backup
          2.  
            Standard encryption backup process
          3.  
            Legacy encryption backup process
        3.  
          NetBackup standard encryption restore process
        4.  
          NetBackup legacy encryption restore process
      7. Configuring standard encryption on clients
        1.  
          Managing standard encryption configuration options
        2.  
          Managing the NetBackup encryption key file
        3. About configuring standard encryption from the server
          1.  
            About creating encryption key files on the clients
          2.  
            Creating the key files
          3.  
            Best practices for key file restoration
          4.  
            Manual retention to protect key file pass phrases
          5.  
            Automatic backup of the key file
        4.  
          Restoring an encrypted backup file to another client
        5.  
          About configuring standard encryption directly on clients
        6.  
          Setting standard encryption attribute in policies
        7.  
          Changing the client encryption settings from the NetBackup server
      8. Configuring legacy encryption on clients
        1. About configuring legacy encryption from the client
          1.  
            Managing legacy encryption key files
        2. About configuring legacy encryption from the server
          1.  
            About pushing the legacy encryption configuration to clients
          2.  
            About pushing the legacy encryption pass phrases to clients
        3.  
          Restoring a legacy encrypted backup created on another client
        4.  
          About setting legacy encryption attribute in policies
        5.  
          Changing client legacy encryption settings from the server
        6. Additional legacy key file security for UNIX clients
          1.  
            Running the bpcd -keyfile command
          2.  
            Terminating bpcd on UNIX clients
    2. NetBackup key management service
      1. About FIPS enabled KMS
        1.  
          Federal Information Processing Standards (FIPS)
      2. About the Key Management Service (KMS)
        1.  
          KMS considerations
        2.  
          KMS principles of operation
        3.  
          About writing an encrypted tape
        4.  
          About reading an encrypted tape
        5.  
          KMS terminology
      3. Installing KMS
        1.  
          Using KMS with NBAC
        2.  
          About installing KMS with HA clustering
        3.  
          Enabling the monitoring of the KMS service
        4.  
          Disabling the monitoring of the KMS service
      4. Configuring KMS
        1.  
          Creating the key database
        2. About key groups and key records
          1.  
            About creating key groups
          2.  
            About creating key records
        3. Overview of key record states
          1.  
            Key record state considerations
          2.  
            Prelive key record state
          3.  
            Active key record state
          4.  
            Inactive key record state
          5.  
            Deprecated key record state
          6.  
            Terminated key record state
        4.  
          About backing up the KMS database files
        5.  
          About recovering KMS by restoring all data files
        6.  
          Recovering KMS by restoring only the KMS data file
        7.  
          Recovering KMS by regenerating the data encryption key
        8.  
          Problems backing up the KMS data files
        9.  
          Solutions for backing up the KMS data files
        10.  
          Creating a key record
        11.  
          Listing keys from a key group
        12. Configuring NetBackup to work with KMS
          1.  
            NetBackup and key records from KMS
          2.  
            Example of setting up NetBackup to use tape encryption
        13.  
          Configuring NetBackup KMS using the KMS web application
      5. About using KMS for encryption
        1.  
          About importing KMS encrypted images
        2.  
          Example of running an encrypted tape backup
        3.  
          Example of verifying an encryption backup
      6. KMS database constituents
        1.  
          Creating an empty KMS database
        2.  
          Importance of the KPK ID and HMK ID
        3.  
          About periodically updating the HMK and KPK
        4.  
          Backing up the KMS keystore and administrator keys
      7. Command line interface (CLI) commands
        1.  
          CLI usage help
        2.  
          Create a new key group
        3.  
          Create a new key
        4.  
          Modify key group attributes
        5.  
          Modify key attributes
        6.  
          Get details of key groups
        7.  
          Get details of keys
        8.  
          Delete a key group
        9.  
          Delete a key
        10.  
          Recover a key
        11. About exporting and importing keys from the KMS database
          1. Exporting keys
            1.  
              Troubleshooting common errors during an export
          2. Importing keys
            1.  
              Troubleshooting common errors during an import
        12.  
          Modify host master key (HMK)
        13.  
          Get host master key (HMK) ID
        14.  
          Get key protection key (KPK) ID
        15.  
          Modify key protection key (KPK)
        16.  
          Get keystore statistics
        17.  
          Quiesce KMS database
        18.  
          Unquiesce KMS database
        19.  
          Key creation options
      8. Troubleshooting KMS
        1.  
          Solution for backups not encrypting
        2.  
          Solution for restores that do not decrypt
        3.  
          Troubleshooting example - backup with no active key record
        4.  
          Troubleshooting example - restore with an improper key record state
    3. External key management service
      1.  
        About external KMS
      2.  
        Certificate configuration and authorization
      3.  
        Workflow for external KMS configuration
      4.  
        Validating KMS credentials
      5. Configuring KMS credentials
        1.  
          Listing KMS credentials
        2.  
          Updating KMS credentials
        3.  
          Deleting KMS credentials
      6. Configuring KMS
        1.  
          Listing KMS configurations
        2.  
          Updating KMS configuration
        3.  
          Deleting KMS configuration
      7.  
        Configuring keys in an external KMS for NetBackup consumption
      8. Creating keys in an external KMS
        1.  
          Listing keys
      9.  
        Determining a key group name during storage configuration
      10. Working with multiple KMS servers
        1.  
          Migrating one KMS server to another KMS server
        2.  
          Using a separate KMS server for each storage configuration
      11.  
        Working with external KMS during backup and restore
      12.  
        Key rotation
      13.  
        Disaster recovery when catalog backup is encrypted using an external KMS server
      14.  
        Alerts for expiration of KMS credentials
  8. NetBackup web services account
    1.  
      About the NetBackup web services account
    2.  
      Changing the web service user account
  9. Immutability and indelibility of data in NetBackup
    1.  
      About immutable and indelible data
    2.  
      Workflow to configure immutable and indelible data
    3.  
      Deleting an immutable image from storage using the bpexpdate command
    4.  
      Removing an immutable image from the catalog using the bpexpdate command

About NetBackup auditing

Auditing is enabled by default in new installations. NetBackup auditing can be configured directly on a NetBackup master server or by using OpsCenter. See the NetBackup OpsCenter Administrator's Guide for more details.

Auditing of NetBackup operations provides the following benefits:

  • Customers can gain insight from audit trails while they investigate unexpected changes in a NetBackup environment.

  • Regulatory compliance.

    The record complies with guidelines such as those required by the Sarbanes-Oxley Act (SOX).

  • A method for customers to adhere to internal change management policies.

  • Help for NetBackup Support in troubleshooting problems for customers.

About the NetBackup Audit Manager

The NetBackup Audit Manager (nbaudit) runs on the master server and audit records are maintained in the Enterprise Media Manager (EMM) database.

An administrator can search specifically for:

  • When an action occurred

  • Failed actions in certain situations

  • The actions that a specific user performed

  • The actions that were performed in a specific content area

  • Changes to the audit configuration

Note the following:

  • The audit record truncates any entries greater than 4096 characters. (For example, policy name.)

  • The audit record truncates any restore image IDs greater than 1024 characters.

Actions that NetBackup audits

NetBackup records the following user-initiated actions.

Activity monitor actions

Canceling, suspending, resuming, restarting, or deleting any type of job creates an audit record.

Alerts and email notifications

If an alert cannot be generated or an email notification cannot be sent for NetBackup configuration settings. For example, SMTP server configuration and the list of excluded status codes for alerts.

Asset actions

Deleting an asset, such as a vCenter server, as part of the asset cleanup process with the Asset Database API is audited and logged.

Creating, modifying, or deleting an asset group as well any action on an asset group for which a user is not authorized is audited and logged.

Authorization failure

Authorization failure is audited when you use the NetBackup web UI, the NetBackup APIs, or Enhanced Auditing.

See About Enhanced Auditing.

Catalog information

This information includes:

  • Verifying and expiring images.

  • Read the requests that are sent for the front-end usage data.

Certificate management

Creating, revoking, renewing, and deploying of NetBackup certificates and specific NetBackup certificate failures.

Certificate Verification Failures (CVFs)

Any failed connection attempts that involve SSL handshake errors, revoked certificates, or host name validation failures.

For certificate verification failures (CVFs) that involve SSL handshakes and revoked certificates, the timestamp indicates when the audit record is posted to the master server. (Rather than when an individual certificate verification fails.) A CVF audit record represents a group of CVF events over a time period. The record details provide the start and the end times of the time period as well as the total number of CVFs that occurred in that period.

Disk pools and Volume pools actions

Adding, deleting, or updating disk or volume pools.

Hold operations

Creating, modifying, and deleting hold operations.

Host database

NetBackup host database-related operations.

Logon attempts

Any successful or any failed logon attempts for the NetBackup Administration Console, the NetBackup web UI or the NetBackup APIs.

Policies actions

Adding, deleting, or updating policy attributes, clients, schedules, and backup selections lists.

Restore and browse image user actions

All the restore and browse image content (bplist) operations that a user performs are audited with the user identity.

To set an interval to periodically add audit records of the browse image (bplist) operations from the cache into the NetBackup database, use the DATAACCESS_AUDIT_INTERVAL_HOURS configuration option. Setting this configuration option prevents the NetBackup database size from increasing exponentially because of the bplist audit records.

See the NetBackup Administrator's Guide Volume I.

To add all the bplist audit records from the cache into the NetBackup database, run the following command on the master server:

nbcertcmd -postAudit -dataAccess

Security configuration

Information that is related to changes that are made to the security configuration settings.

Starting a restore job

NetBackup does not audit when other types of jobs begin. For example, NetBackup does not audit when a backup job begins.

Starting and stopping the NetBackup Audit Manager (nbaudit).

Starting and stopping of the nbaudit manager is always audited, even if auditing is disabled.

Storage lifecycle policy actions

Attempts to create, modify, or delete a storage lifecycle policy (SLP) are audited and logged. However, activating and suspending an SLP using the command nbstlutil are not audited. These operations are audited only when they are initiated from a NetBackup graphical user interface or API.

Storage servers actions

Adding, deleting, or updating storage servers.

Storage units actions

Adding, deleting, or updating storage units.

Note:

Actions that are related to storage lifecycle policies are not audited.

Token management

Creating, deleting, and cleanup of tokens and specific token issuing failures.

User management

Adding and deleting Enhanced Auditing users in the Enhanced Auditing mode.

User action that fails to create an audit record

If auditing is enabled but a user action fails to create an audit record, the audit failure is captured in the nbaudit log. NetBackup status code 108 is returned (Action succeeded but auditing failed). The NetBackup Administration Console does not return an exit status code 108 when auditing fails.

Actions that NetBackup does not audit

The following actions are not audited and do not display in the audit report:

Any failed actions.

NetBackup logs failed actions in NetBackup error logs. Failed actions do not display in audit reports because a failed attempt does not bring about a change in the NetBackup system state.

The effect of a configuration change

The results of a change to the NetBackup configuration are not audited. For example, the creation of a policy is audited, but the jobs that result from its creation are not.

The completion status of a manually initiated restore job

While the act of initiating a restore job is audited, the completion status of the job is not audited. Nor is the completion status of any other job type, whether initiated manually or not. The completion status is displayed in the Activity Monitor (Administration Console) and in the Jobs (web UI).

Internally initiated actions

NetBackup-initiated internal actions are not audited. For example, the scheduled deletion of expired images, scheduled backups, or periodic image database cleanup is not audited.

Rollback operations

Some operations are carried out as multiple steps. For example, creating an MSDP-based storage server consists of multiple steps. Every successful step is audited. Failure in any of the steps results in a rollback, or rather, the successful steps may need to be undone. The audit record does not contain details about rollback operations.

Host properties actions

Changes made using the bpsetconfig or the nbsetconfig commands, or the equivalent property in the Host Properties utility, are not audited. Changes that are made directly to the bp.conf file or to the registry are not audited.