Veritas NetBackup™ Virtual Appliance Documentation
- Getting to know the NetBackup Virtual Appliance
- NetBackup Virtual Appliance product description
- Preparing to deploy the appliance
- Deploying and configuring the appliance
- How to deploy and configure a NetBackup Virtual Appliance combined master and media server
- How to deploy and configure a NetBackup Virtual Appliance media server
- How to deploy and configure a NetBackup Virtual Appliance master server
- How to deploy and configure a NetBackup Virtual Appliance CloudCatalyst
- How to deploy and configure a NetBackup Virtual Appliance combined master and media server
- Post initial configuration procedures
- Appliance common tasks
- Storage management
- About NetBackup Virtual Appliance storage configuration
- About viewing storage space information using the Show command
- About OpenStorage plugin installation
- About NetBackup Virtual Appliance storage configuration
- Deduplication pool catalog backup and recovery
- Network connection management
- Managing users
- About user name and password specifications
- About authenticating LDAP users
- About authenticating Active Directory users
- About authenticating Kerberos-NIS users
- About user authorization on the NetBackup Virtual Appliance
- Creating NetBackup administrator user accounts
- Using the appliance
- About configuring Host parameters for your appliance on the NetBackup Virtual Appliance
- About Copilot functionality and Share management
- About NetBackup Virtual Appliance as a VMware backup host
- About running NetBackup commands from the appliance
- About mounting a remote NFS
- About Auto Image Replication from a NetBackup Virtual Appliance
- Monitoring the appliance
- About SNMP
- About Call Home
- Appliance security
- About Symantec Data Center Security on the NetBackup Virtual Appliance
- Setting the appliance login banner
- Upgrading the appliance
- About upgrading to NetBackup Virtual Appliance software version 3.2
- Requirements and best practices for upgrading NetBackup appliances
- Methods for downloading appliance software release updates
- NetBackup client upgrades with VxUpdate
- Appliance restore
- Decommissioning and Reconfiguring
- Troubleshooting
- About disaster recovery
- About NetBackup support utilities
- Appliance logging
- Commands overview
- Appendix A. Appliance commands
- Appendix B. Manage commands
- Appendix C. Monitor commands
- Appendix D. Network commands
- Appendix E. Reports commands
- Appendix F. Settings commands
- Appendix G. Support commands
OS STIG hardening for NetBackup Virtual Appliance
The Security Technical Implementation Guides (STIGs) provide technical guidance for increasing the security of information systems and software to help prevent malicious computer attacks. This type of security is also referred to as hardening.
Starting with software version 3.2, you can enable OS STIG hardening rules for increased security. These rules are based on the following profile from the Defense Information Systems Agency (DISA):
STIG for Red Hat Enterprise Linux 7 Server - Version 0.1.43
To enable these rules, use the following command:
Main_Menu > Settings > Security > Stig Enable, followed by the maintenance password.
Note the following about enabling STIG:
When the option is enabled, a list of the enforced rules appears. The command output also shows exceptions to any rules that are not enforced.
This command does not allow individual rule control.
Once the option is enabled, a factory reset is required to disable the associated rules.
If Lightweight Directory Access Protocol (LDAP) is configured, it is recommended that you set it up to use Transport Layer Security (TLS) before you enable the option.
Note:
If you have enabled the STIG feature on an appliance and you need to upgrade it or install an EEB on it, do not plan such installations during the 4:00am - 4:30am time frame. By following this best practice, you can avoid interrupting the automatic update of the AIDE
database and any monitored files, which can cause multiple alert messages from the appliance.
The following describes the hardening rules that are enforced after the option is enabled. Each rule is identified by a Common Configuration Enumerator (CCE) identifier, a short rule description, and a Security Content Automation Protocol (SCAP) scanner severity level.
CCE-27127-0: Enable randomized layout of virtual address space.
Scanner severity level: Medium
CCE-26900-1: Disable core dumps for
SUID
programs.Scanner severity level: Low
CCE-27050-4: Restrict access to kernel message buffer.
Scanner severity level: Low
CCE-80258-7: Disable the
kdump
kernel crash analyzer.Scanner severity level: Medium
CCE-27220-3: Build and test
AIDE
database.Scanner severity level: Medium
CCE-26952-2: Configure periodic execution of
AIDE
.Scanner severity level: Medium
CCE-27303-7: Modify the system login banner.
Scanner severity level: Medium
CCE-27082-7: Set SSH client alive account.
Scanner severity level: Medium
CCE-27314-4: Enable SSH warning banner.
Scanner severity level: Medium
CCE-27437-3: Ensure that
auditd
collects information on the use of privileged commands.Scanner severity level: Medium
CCE-27309: Set boot loader password.
Scanner severity level: High
CCE-80374-2: Configure notification of
AIDE
scan results.Scanner security level: Medium
CCE-80375-9: Configure AIDE to verify Access Control Lists (ACLs).
Scanner severity level: Medium
CCE-80376-7: Configure AIDE to verify extended attributes.
Scanner severity level: Medium
CCE-27375-5: Configure
auditd_space_left_action
on low disk space.Scanner severity level: Medium
CCE-27341-7: Configure
auditd
to useaudispd_syslog_plugin
.Scanner security level: Medium
CCE-27353-2: Record events that modify the system discretionary access controls (
fremovexattr
).Scanner severity level: Medium
CCE-27410-0: Record events that modify the system discretionary access controls (
lremovexattr
).Scanner severity level: Medium
CCE-27367-2: Record events that modify the system discretionary access controls (
removexattr
).Scanner severity level: Medium
CCE-27204-7: Record attempts to alter the logon and logout events.
Scanner severity level: Medium
CCE-27347-4: Ensure that
auditd
collects unauthorized access attempts to files.Scanner severity level: Medium
CCE-27447-2: Ensure that
auditd
collects information on successful exporting to media.Scanner severity level: Medium
CCE-27206-2: Ensure that
auditd
collects file deletion events by the user.Scanner severity level: Medium
CCE-27129-6: Ensure that
auditd
collects information on kernel module loading and unloading.Scanner severity level: Medium
CCE-27333-4: Set the password rule for maximum consecutive repeating characters.
Scanner severity level: Medium
CCE-27512-3: Set the password rule for maximum consecutive repeating characters from the same character class.
Scanner severity level: Medium
CCE-27214-6: Set the password strength for minimum digit (numeric) characters.
Scanner severity level: Medium
CCE-27293-0: Set the password rule for minimum length.
Scanner severity level: Medium
CCE-27200-5: Set the password strength for minimum uppercase characters.
Scanner severity level: Medium
CCE-27360-7: Set the password strength for minimum special characters.
Scanner severity level: Medium
CCE-27345-8: Set the password strength for minimum lowercase characters.
Scanner severity level: Medium
CCE-26631-2: Set the password strength for minimum different characters.
Scanner severity level: Medium
CCE-27115-5: Disable
modprobe
loading of the USB storage driver.Scanner severity level: Medium
CCE-27350-8: Set the number of failed password attempts to deny access.
Scanner severity level: Medium
CCE-80353-6: Configure the root account for failed password attempts.
Scanner severity level: Medium
CCE-27297-1: Set the interval for counting failed password attempts.
Scanner severity level: Medium
CCE-27002-5: Set the password minimum age.
Scanner severity level: Medium
CCE-27051-2: Set the password maximum age.
Scanner security level: Medium
CCE-27081-9: Limit the number of concurrent login sessions allowed for each user.
Scanner severity level: Low
CCE-80522-6: Set the maximum age (period of time after which the set password expires and must be changed) for the existing password.
Scanner severity level: Medium
CCE-80521-8: Set the minimum age (period of time a password must be used before it can be changed) for the existing password .
Scanner severity level: Medium
CCE-27339-1: Record the events that modify the system's discretionary access controls (chmod).
Scanner severity level: Medium
CCE-27364-9: Record the events that modify the system's discretionary access controls (chown).
Scanner severity level: Medium
CCE-27393-8: Record the events that modify the system's discretionary access controls (fchmod).
Scanner severity level: Medium
CCE-27388-8: Record the events that modify the system's discretionary access controls (fchmodat).
Scanner severity level: Medium
CCE-27356-5: Record the events that modify the system's discretionary access controls (fchown).
Scanner severity level: Medium
CCE-27387-0: Record the events that modify the system's discretionary access controls (fchownat).
Scanner severity level: Medium
CCE-27389-6: Record the events that modify the system's discretionary access controls (fsetxattr).
Scanner severity level: Medium
CCE-27083-5: Record the events that modify the system's discretionary access controls (lchown).
Scanner severity level: Medium
CCE-27280-7: Record the events that modify the system's discretionary access controls (lsetxattr).
Scanner severity level: Medium
CCE-27213-8: Record the events that modify the system's discretionary access controls (setxattr).
Scanner severity level: Medium
CCE-27206-2: Ensure that
auditd
collects file deletion events executed by the user (rename).Scanner severity level: Medium
CCE-80413-8: Ensure that
auditd
collects file deletion events executed by the user (renameat).Scanner severity level: Medium
CCE-80412-0: Ensure that
auditd
collects file deletion events executed by the user (rmdir).Scanner severity level: Medium
CCE-27206-2: Ensure that
auditd
collects file deletion events executed by the user (unlink).Scanner severity level: Medium
CCE-80662-0: Ensure that
auditd
collects file deletion events executed by the user (unlinkat).Scanner severity level: Medium
CCE-80446-8: Ensure that
auditd
collects information on kernel module loading (insmod).Scanner severity level: Medium
CCE-80417-9: Ensure that
auditd
collects information on kernel module loading and unloading (modprobe).Scanner severity level: Medium
CCE-80416-1: Ensure that
auditd
collects information on kernel module unloading (rmmod).Scanner severity level: Medium
CCE-80384-1: Record attempts to alter logon and logout events (lastlog).
Scanner severity level: Medium
CCE-80382-5: Record attempts to alter logon and logout events (tallylog).
Scanner severity level: Medium
CCE-80398-1: Ensure that
auditd
collects information on the use of privileged commands (chage).Scanner severity level: Medium
CCE-80404-7: Ensure that
auditd
collects information on the use of privileged commands (chsh).Scanner severity level: Medium
CCE-80410-4: Ensure that
auditd
collects information on the use of privileged commands (crontab).Scanner severity level: Medium
CCE-80397-3: Ensure that
auditd
collects information on the use of privileged commands (gpasswd).Scanner severity level: Medium
CCE-80403-9: Ensure that
auditd
collects information on the use of privileged commands (newgrp).Scanner severity level: Medium
CCE-80411-2: Ensure that
auditd
collects information on the use of privileged commands (pam_timestamp_check).Scanner severity level: Medium
CCE-80395-7: Ensure that
auditd
collects information on the use of privileged commands (passwd).Scanner severity level: Medium
CCE-80406-2: Ensure that
auditd
collects information on the use of privileged commands (postdrop).Scanner severity level: Medium
CCE-80407-0: Ensure that
auditd
collects information on the use of privileged commands (postqueue).Scanner severity level: Medium
CCE-80408-8: Ensure that
auditd
collects information on the use of privileged commands (ssh-keysign).Scanner severity level: Medium
CCE-80400-5: Ensure that
auditd
collects information on the use of privileged commands (su).Scanner severity level: Medium
CCE-80401-3: Ensure that
auditd
collects information on the use of privileged commands (sudo).Scanner severity level: Medium
CCE-80405-4: Ensure that
auditd
collects information on the use of privileged commands (umount).Scanner severity level: Medium
CCE-80396-5: Ensure that
auditd
collects information on the use of privileged commands (unix_chkpwd).Scanner severity level: Medium
CCE-80399-9: Ensure that
auditd
collects information on the use of privileged commands (userhelper).Scanner severity level: Medium
CCE-27461-3: Ensure that
auditd
collects system administrator actions.Scanner severity level: Medium
CCE-80433-6: Record the events that modify user/group information (
/etc/group
).Scanner severity level: Medium
CCE-80432-8: Record the events that modify user/group information (
/etc/gshadow
).Scanner severity level: Medium
CCE-80430-2: Record the events that modify user/group information (
/etc/security/opasswd
).Scanner severity level: Medium
CCE-80435-1: Record the events that modify user/group information (
/etc/passwd
).Scanner severity level: Medium
CCE-80431-0: Record the events that modify user/group information (
/etc/shadow
).Scanner severity level: Medium
CCE-27309-4: Set boot loader password in grub2.
Scanner severity level: High
CCE-80377-5: Configure aide to use fips 140-2 for validating hashes.
Scanner severity level: Medium
The following rules are always enforced and cannot be disabled. Hardening of these rules complies with the specifications described in "NIST Special Publication 800-123". For more information, refer to the following:
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123.pdf
CCE-80165-4: Configure the kernel parameter to ignore ICMP broadcast echo requests.
Scanner severity level: Medium
CCE-80156-3: Disable the kernel parameter for sending ICMP redirects by default.
Scanner severity level: Medium
CCE-80156-3: Disable the kernel parameter for sending ICMP redirects for all interfaces.
Scanner severity level: Medium
CCE-27212-0: Enable auditing for the processes that start before the audit daemon.
Scanner severity level: Medium
CCE-26957-1: Ensure that the Red Hat GPG key is installed.
Scanner severity level: High
CCE-27096-7: Ensure that the
AIDE
package is installed.Scanner severity level: Medium
CCE-27351-6: Install the
screen
package.Scanner severity level: Medium
CCE-27268-2: Restrict serial port root logins.
Scanner severity level: Low
CCE-27318-5: Restrict virtual console root logins.
Scanner severity level: Medium
CCE-27401-9: Disable
telnet
serviceScanner severity level: High
CCE-27471-2: Disable SSH access without a password.
Scanner severity level: High
CCE-27286-4: Prevent login to accounts without a password.
Scanner severity level: High
CCE-27511-5: Disable Ctrl-Alt-Del reboot activation.
Scanner severity level: High
CCE-27320-1: Allow only SSH protocol version 2.
Scanner severity level: High
CCE-27294-8: Do not allow direct root logins.
Scanner severity level: Medium
CCE-80157-1: Disable the kernel parameter for IP forwarding.
Scanner severity level: Medium
CCE-80158-9: Configure the kernel parameter for accepting ICMP redirects for all interfaces.
Scanner severity level: Medium
CCE-80163-9: Configure the kernel parameter for accepting ICMP redirects by default.
Scanner severity level: Medium
CCE-27327-6: Disable the Bluetooth kernel modules.
Scanner severity level: Medium
CCE-80179-5: Configure the kernel parameter for accepting source-routed packets for all interfaces.
Scanner severity level: Medium
CCE-80220-7: Disable the GSSAPI authentication.
Scanner severity level: Medium
CCE-80221-5: Disable the Kerberos authentication.
Scanner severity level: Medium
CCE-80222-3: Enable the use of strict mode checking.
Scanner severity level: Medium
CCE-80224-9: Disable compression or set compression to delayed.
Scanner severity level: Medium
CCE-27455-5: Use only FIPS approved MACs.
Scanner severity level: Medium
CCE-80378-3: Verify the user that owns
/etc/cron.allow
.Scanner severity level: Medium
CCE-80379-1: Verify the group that owns
/etc/cron.allow
.Scanner severity level: Medium
CCE-80372-6: Disable SSH support for user-known hosts.
Scanner severity level: Medium
CCE-80373-4: Disable SSH support for
rhosts
RSA authentication.Scanner severity level: Medium
CCE-27363-1: Do not allow SSH environment options.
Scanner severity level: Medium
CCE-26989-4: Ensure that gpgcheck is globally activated.
Scanner severity level: High
CCE-80349--4: Ensure that the installed OS is certified.
Scanner severity level: High
CCE-27175-9: No UID except zero.
Scanner severity level: High
CCE-27498-5: Disable the auto-mounter.
Scanner severity level: Medium
CCE-80134-0: No files not owned by user.
Scanner severity level: Medium
CCE-80135-7: No file permissions not owned by group.
Scanner severity level: Medium
CCE-27211-2:
sysctl_kernal_exec_shield
.Scanner severity level: Medium
CCE-27352-4: Verify that all account password hashes are shadowed.
Scanner severity level: Medium
CCE-27104-9: Set the password hashing algorithm
systemauth
.Scanner severity level: Medium
CCE-27124-7: Set the password hashing algorithm
logindefs
.Scanner severity level: Medium
CCE-27053-8: Set the password hashing algorithm
libusercon
.Scanner severity level: Medium
CCE-27078-5: Disable pre-linking software.
Scanner severity level: Low
CCE-27116-3: Install the PAE kernel on supported 32-bit x86 systems.
Scanner severity level: Low
CCE-27503-2: All GIDs referenced in
/etc/password
must be defined in/etc/group
.Scanner severity level: Low
CCE-27160-1: Password pam retry.
Scanner severity level: Low
CCE-27275-7: Display login attempts.
Scanner severity level: Low
CCE-80350-2: Remove
no_authenticate
onsudo
.Scanner severity level: Medium
CCE-26961-3: Ensure that SELinux is not disabled in
/etc/default/grub
.Scanner severity level: Medium
CCE-80245-4: Uninstall the
vsftpd
package.Scanner severity level: High
CCE-80216-5: Enable the OpenSSH service.
Scanner severity level: Medium
CCE-27407-6: Enable the
auditd
service.Scanner severity level: Medium
CCE-27361-5: Verify that firewalld is enabled.
Scanner severity level: Medium
CCE-80544-0: Ensure that users cannot change GNOME3 session idle settings.
Scanner severity level: Medium
CCE-80371-8: Ensure that users cannot change GNOME3 screensaver settings.
Scanner severity level: Medium
CCE-80563-0: Ensure that users cannot change GNOME3 screensaver lock after idle period.
Scanner severity level: Medium
CCE-80112-6: Enable GNOME3 screensaver lock after idle period.
Scanner severity level: Medium
CCE-80370-0: Set GNOME3 screensaver lock delay after activation period.
Scanner severity level: Medium
CCE-80110-0: Set GNOME3 screensaver inactivity timeout.
Scanner severity level: Medium
CCE-80564-8: Ensure that users cannot change the GNOME3 screensaver idle activation.
Scanner severity level: Medium
CCE-80162-1: Configure the kernel parameter for accepting source-routed packets by default.
Scanner severity level: Medium
CCE-80111-8: Enable GNOME3 screensaver idle activation.
Scanner severity level: Medium
CCE-80105-0: Disable GDM guest login.
Scanner severity level: High
CCE-80104-3: Disable GDM automatic login.
Scanner severity level: High
CCE-80108-4: Enable the GNOME3 login smartcard authentication.
Scanner severity level: Medium
CCE-27279-9: Configure the SELinux policy.
Scanner severity level: High
CCE-80148-0: Add the
nosuid
option to removable media partitions.Scanner severity level: Low
CCE-80136-5: Ensure that all world-writable directories are owned by a system account.
Scanner severity level: Low
CCE-80174-6: Ensure that the system is not acting as a network sniffer.
Scanner severity level: Medium
CCE-80438-5: Configure multiple DNS servers in
/etc/resolv.conf
.Scanner severity level: Low
CCE-27358-1: Deactivate wireless network interfaces.
Scanner severity level: Medium
CCE-27287-2: Require authentication for Single User mode.
Scanner severity level: Medium
CCE-27434-0: Configure the kernel parameter for accepting IPv4 source-routed packets for all interfaces.
Scanner severity level: Medium
CCE-80447-6: Configure the Firewalld Ports.
Scanner severity level: Medium
CCE-80380-9: Ensure that
cron
is able to log in to Rsyslog.Scanner severity level: Medium
CCE-80354-4: Set the UEFI boot loader password.
Scanner severity level: Medium
CCE-80517-6: Boat loader is not installed on removeable media.
Scanner severity level: Medium
CCE-27394-6: Configure the
auditd
mail_acct action on low disk space.Scanner severity level: Medium
CCE-80434-4: Ensure that home directories are created for new users.
Scanner severity level: Medium
CCE-80536-6: Ensure that the default umask is set correctly for interactive users.
Scanner severity level: Medium
CCE-26923-3: Limit password reuse.
Scanner severity level: Medium
CCE-26892-0: Set the GNOME3 login warning banner text.
Scanner severity level: Medium
CCE-26970-4: Enable GNOME3 login warning banner.
Scanner severity level: Medium
CCE-27218-7: Remove the X Windows package group.
Scanner severity level: Medium
CCE-80215-7: Install the OpenSSH server package.
Scanner severity level: Medium
CCE-27311-0: Verify Permissions on SSH Server public *.pub key files.
Scanner severity level: Medium
CCE-27485-2: Verify Permissions on SSH Server private *_key key files.
Scanner severity level: Medium
CCE-80223-1: Enable Use of Privilege Separation.
Scanner severity level: Medium
CCE-27295-5: Use Only FIPS 140-2 Validated Ciphers.
Scanner severity level: Medium
CCE-80225-6: Enable SSH Print Last Log.
Scanner severity level: Medium
CCE-27445-6: Disable SSH root login.
Scanner severity level: Medium
CCE-27377-1: Disable SSH support for .rhosts files.
Scanner severity level: Medium
CCE-27413-4: Disable host-based authentication.
Scanner severity level: Medium
CCE-27458-9: Mount remote file systems with Kerberos Security.
Scanner severity level: Medium
CCE-80214-0: Ensure tftp daemon uses secure mode.
Scanner severity level: Medium
CCE-80213-2: Uninstall the tftp-server package.
Scanner severity level: High
CCE-27165-0: Uninstall the telnet-server package.
Scanner severity level: High
CCE-27342-5: Uninstall the rsh-server package.
Scanner severity level: High
CCE-80514-3: Remove user host-based authentication files.
Scanner severity level: High
CCE-80513-5: Remove host-based authentication files.
Scanner severity level: High
CCE-27399-5: Uninstall the
ypserv
package.Scanner severity level: High
CCE-80240-5: Mount remote file systems with
nosuid
.Scanner severity level: Medium
CCE-80436-9: Mount remote file systems with
noexec
.Scanner severity level: Medium
CCE-80205-8: Ensure that the default umask is set correctly in
login.defs
.Scanner severity level: Medium