Veritas NetBackup™ Appliance Security Guide

Product(s): Appliances (3.1.1)
Platform: 5220,5230,5240,5330,5340

Overriding the NetBackup appliance intrusion prevention system policy

To discourage use of the root account, the appliance blocks root access until you disable (override) the intrusion prevention system (IPS) policy. For example, the elevate command under Support > Maintenance fails unless the IPS policy is disabled.

Warning:

Disabling the IPS policy is not recommended because it puts the system at risk and leaves it vulnerable to attack.

You can use the NetBackupCLI user role to run NetBackup commands without overriding the IPS policy. See About the NetBackupCLI user role.

Note:

Overriding the IPS policy disables only the appliance intrusion prevention system. The appliance intrusion detection system (IDS) logging is still enabled and every activity under the maintenance account is still logged.

To override the appliance IPS policy

  1. Log on to the NetBackup Appliance Shell Menu as an administrator.
  2. Enter the Support > Maintenance command to bring up the Maintenance Mode login prompt. Enter the Maintenance user account password to log in to Maintenance Mode.
    app123.Support> Maintenance
    <!-- Maintenance Mode --!>
    maintenance's password:
  3. In Maintenance Mode, type the following command to override the IPS policy:
    /opt/Symantec/sdcssagent/IPS/sisipsoverride.sh

    The following message is displayed:

    Symantec Critical Protection Policy Override
    
    Agent Version: 6.7 (build 1060)
    
    Current Policy: NetBackup Appliance Prevention Policy, r123
    
    Policy Prevention: Enabled
    
    Policy Override: Allowed
    
    Override State: Not overridden
    
    To override the policy and disable protection, 
    enter your login password.
    
    Password:
    
    
  4. Enter the Maintenance user account password. The following options are displayed:
    Choose the type of override that you wish to perform:
    
    1. Override Prevention except for Self Protection
    
    2. Override Prevention Completely
    
    Choice?
  5. Enter 1 to override prevention except for self-protection.

    Note:

    Veritas recommends that you use Option 1. Selecting Option 1 allows modification only to the NetBackup Appliance Shell Menu and not to the SDCS agent.

    The following options are displayed:

    Choose the amount of time after which to automatically re-enable:
    
    1. 15 minutes
    
    2. 30 minutes
    
    3. 1 hour
    
    4. 2 hours
    
    5. 4 hours
    
    6. 8 hours
  6. Enter the appropriate number from 1 to 7 based on the amount of time that is required to debug the support case.

    The appliance displays the following message:

    Enter a comment. Press Enter to continue.
    
  7. Enter a relevant comment as to why the override is required. For example:
    Enter a comment. Press Enter to continue.
    
    Disabling the security policy for 
    debugging support case no - XYZ

    The appliance overrides the policy and displays the following message:

    Please wait while the policy is being overridden.
    ........
    
    The policy was successfully overridden.
    maintenance - !> elevate

You should now have access to the root account for debugging the appliance.
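
One way to audit the state reported by the banner in step 3, as an added example (not Veritas or Symantec code): the script parses a saved copy of the banner text and classifies it, failing closed when fields are missing. The function names, the result labels, and the wording of the overridden banner are assumptions; the page shows only the not-overridden banner.

```shell
#!/bin/sh
# Added example: classify a saved copy of the sisipsoverride.sh status banner.
# BANNER_PROTECTED is the banner text shown in step 3 of this page.
# BANNER_OVERRIDDEN is constructed: the page never shows the overridden
# banner, so its "Override State" wording is an assumption.
BANNER_PROTECTED='Symantec Critical Protection Policy Override
Agent Version: 6.7 (build 1060)
Current Policy: NetBackup Appliance Prevention Policy, r123
Policy Prevention: Enabled
Policy Override: Allowed
Override State: Not overridden'
BANNER_OVERRIDDEN=$(printf '%s\n' "$BANNER_PROTECTED" |
    sed 's/^Override State: .*/Override State: Overridden/')

# banner_field KEY: print the value of the "KEY: value" line read from stdin.
banner_field() {
    awk -v key="$1" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        index($0, key ":") == 1 {
            v = substr($0, length(key) + 2)
            sub(/^[ \t]+/, "", v)
            print v
            exit
        }'
}

# ips_state: read a banner on stdin and print one of
#   PROTECTED   prevention enabled, override state "Not overridden"
#   OVERRIDDEN  override state is anything else
#   DISABLED    policy prevention is anything other than "Enabled"
#   UNKNOWN     a required field is missing; never treat this as safe
ips_state() (
    banner=$(cat)
    prevention=$(printf '%s\n' "$banner" | banner_field 'Policy Prevention')
    state=$(printf '%s\n' "$banner" | banner_field 'Override State')
    if [ -z "$prevention" ] || [ -z "$state" ]; then
        echo UNKNOWN
    elif [ "$prevention" != "Enabled" ]; then
        echo DISABLED
    elif [ "$state" != "Not overridden" ]; then
        echo OVERRIDDEN
    else
        echo PROTECTED
    fi
)

printf '%s\n' "$BANNER_PROTECTED" | ips_state    # PROTECTED
```

Any result other than PROTECTED outside an approved maintenance window is worth matching against the override comment and the IDS log for the maintenance account.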