Veritas NetBackup™ Virtual Appliance Documentation
- Getting to know the NetBackup Virtual Appliance
- NetBackup Virtual Appliance product description
- Preparing to deploy the appliance
- Deploying and configuring the appliance
- How to deploy and configure a NetBackup Virtual Appliance combined master and media server
- How to deploy and configure a NetBackup Virtual Appliance media server
- How to deploy and configure a NetBackup Virtual Appliance master server
- How to deploy and configure a NetBackup Virtual Appliance CloudCatalyst
- How to deploy and configure a NetBackup Virtual Appliance combined master and media server
- Post initial configuration procedures
- Appliance common tasks
- Storage management
- About NetBackup Virtual Appliance storage configuration
- About viewing storage space information using the Show command
- About OpenStorage plugin installation
- About NetBackup Virtual Appliance storage configuration
- Deduplication pool catalog backup and recovery
- Network connection management
- Managing users
- About user name and password specifications
- About authenticating LDAP users
- About authenticating Active Directory users
- About authenticating Kerberos-NIS users
- About user authorization on the NetBackup Virtual Appliance
- Creating NetBackup administrator user accounts
- Using the appliance
- About configuring Host parameters for your appliance on the NetBackup Virtual Appliance
- About Copilot functionality and Share management
- About NetBackup Virtual Appliance as a VMware backup host
- About running NetBackup commands from the appliance
- About mounting a remote NFS
- About Auto Image Replication from a NetBackup Virtual Appliance
- Monitoring the appliance
- About SNMP
- About Call Home
- Appliance security
- About Symantec Data Center Security on the NetBackup Virtual Appliance
- Setting the appliance login banner
- Upgrading the appliance
- About upgrading to NetBackup Virtual Appliance software version 3.2
- Requirements and best practices for upgrading NetBackup appliances
- Methods for downloading appliance software release updates
- NetBackup client upgrades with VxUpdate
- Appliance restore
- Decommissioning and Reconfiguring
- Troubleshooting
- About disaster recovery
- About NetBackup support utilities
- Appliance logging
- Commands overview
- Appendix A. Appliance commands
- Appendix B. Manage commands
- Appendix C. Monitor commands
- Appendix D. Network commands
- Appendix E. Reports commands
- Appendix F. Settings commands
- Appendix G. Support commands
Unenforced STIG hardening rules
This topic describes the Security Technical Implementation Guide (STIG) rules the are not currently enforced on NetBackup Virtual Appliance. Rules in this list may not be enforced for reasons including, but not limited to the following:
Enforcement of the rule is planned for a future appliance software release.
An alternate method is used to provide protection that meets or exceeds the method described in the rule.
The method described in the rule is not used or supported on NetBackup Virtual Appliance.
The following describes the STIG rules that are not currently enforced:
CCE-26876-3: Ensure that gpgcheck is enabled for all
yum
package repositories.Scanner severity level: High
CCE-27209-6: Verify and correct the file permissions for the rpm.
Scanner severity level: High
CCE-27157-7: Verify file hashes with rpm.
Scanner severity level: High
CCE-80127-4: Install McAfee Antivirus
Scanner severity level: High
CCE-26818-5: Install intrusion detection software.
Scanner severity level: High
CCE-27334-2: Ensure SELinux state is enforcing.
Scanner severity level: High
CCE-80226-4: Enable encrypted X11 forwarding.
Scanner severity level: High
CCE-27386-2: Ensure that the default SNMP password is not used.
Scanner severity level: High
CCE-80126-6: Install the Asset Configuration Compliance Module (ACCM).
Scanner severity level: Medium
CCE-80369-2: Install the Policy Auditor (PA) module.
Scanner severity level: Medium
CCE-27277-3: Disable
modprobe
loading of the USB storage driver.Scanner severity level: Medium
CCE-27349-0: Set default
firewalld
zone for incoming packets.Scanner severity level: Medium
CCE-80170-4: Install
libreswan
package.Scanner severity level: Medium
CCE-80223-1: Enable use of privilege separation.
Scanner severity level: Medium
CCE-80347-8: Ensure that gpgcheck is enabled for local packages.
Scanner severity level: High
CCE-80348-6: Ensure that gpgcheck is enabled for repository metadata.
Scanner severity level: High
CCE-80358-5: Install the
dracut_fips
package.Security scanner level: Medium
CCE-80359-3: Enable FIPS mode in the
GRand Unified Bootloader
version 2 (GRUB2).Scanner severity level: Medium
CCE-27557-8: Set an interactive session timeout to terminate idle sessions.
Scanner severity level: Medium
CCE-80377-5: Configure AIDE to FIPS 140-2 for validating hashes.
Scanner severity level: Medium
CCE-80351-0: Ensure that users re-authenticate for privilege escalation (
sudo_NOPASSWD
).Scanner severity level: Medium
CCE-27355-7: Set account expiration following inactivity.
Scanner severity level: Medium
CCE-80207-4: Enable smart card login.
Scanner severity level: Medium
CCE-27370-6: Configure
auditd_admin_space_left_action
on low disk space.Security scanner level: Medium
CCE-27295-5: Use only approved ciphers.
Scanner severity level: Medium
CCE-26548-8: Disable kernel support for USB from the
bootloader
configuration.Scanner severity level: Low
CCE-27128-8: Encrypt partitions.
Scanner severity level: High
CCE-26895-3: Ensure that software patches are installed.
Scanner security level: High
CCE-27279-9: Configure the SE Linux policy.
Scanner severity level: High
CCE-27399-5: Uninstall the
ypserv
package.Scanner severity level: High
CCE-80128-2: Enable service nails.
Scanner severity level: Medium
CCE-80129-0: Update virus scanning definitions.
Scanner severity level: Medium
CCE-27288-0: Make sure that no daemons are unconfined by SE Linux. Make sure that all daemons are confined by SE Linux.
Scanner severity level: Medium
CCE-27326-8: Make sure that no device files are unlabeled by SE Linux./Make sure that all device files are labeled by SE Linux.
Scanner severity level: Medium
CCE-80354-4: Set the UEFI boot loader password.
Scanner severity level: Medium
CCE-80171-2: Verify any configured
IPSec
tunnel connections.Scanner severity level: Medium
CCE-26960-5: Disable booting from USB devices in boot firmware.
Scanner severity level: Low
CCE-27194-0: Assign a password to prevent changes to the boot firmware configuration.
Scanner severity level: Low
CCE-80516-8: Configure the SSSD LDAP backend client CA certificate.
Scanner severity level: Medium
CCE-80515-0: Configure the SSSD LDAP backend client CA certificate location.
Scanner severity level: Medium
CCE-80546-5: Configure the SSSD LDAP backend to use TLS for all transactions.
Scanner severity level: Medium
CCE-80437-7: Configure PAM in SSSD services.
Scanner severity level: Medium
CCE-80519-2: Install smart card packages for multi factor authentication.
Scanner severity level: Medium
CCE-80520-0: Configure certificate status checking for smart cards.
Scanner severity level: Medium
CCE-80526-7: User initialization files must be group-owned by the primary user.
Scanner severity level: Medium
CCE-80523-4: User initialization files must not run world-writable programs.
Scanner severity level: Medium
CCE-80527-5: User initialization files must be owned by the primary user.
Scanner severity level: Medium
CCE-80524-2: Ensure that the user's path contains only local directories.
Scanner severity level: Medium
CCE-80528-3: All interactive users must have a defined home directory.
Scanner severity level: Medium
CCE-80529-1: All interactive users home directories must exist.
Scanner severity level: Medium
CCE-80534-1: All user files and directories in the home directory must be group-owned by the primary user.
Scanner severity level: Medium
CCE-80533-3: All user files and directories in the home directory must be owned by the primary user.
Scanner severity level: Medium
CCE-80535-8: All user files and directories in the home directory must have permissions set to mode 0750 or less.
Scanner severity level: Medium
CCE-80532-5: All interactive user home directories must be group-owned by the primary user.
Scanner severity level: Medium
CCE-80531-7: All interactive user home directories must be owned by the primary user.
Scanner severity level: Medium
CCE-80525-9: Ensure that all user initialization files have permissions set to mode 0740 or less.
Scanner severity level: Medium
CCE-80530-9: All interactive user home directories must have permissions set to mode 0750 or less.
Scanner severity level: Medium
CCE-80393-2: Record any attempts to run
chcon
.Scanner severity level: Medium
CCE-80391-6: Record any attempts to run
semanage
.Scanner severity level: Medium
CCE-80660-4: Record any attempts to run
setfiles
.Scanner severity level: Medium
CCE-80392-4: Record any attempts to run
setsebool
.Scanner severity level: Medium
CCE-80661-2: Ensure that
auditd
collects information on kernel module loading (create_module).Scanner severity level: Medium
CCE-80415-3: Ensure that
auditd
collects information on kernel module unloading (delete_module).Scanner severity level: Medium
CCE-80547-3: Ensure that
auditd
collects information on kernel module loading and unloading (finit_module).Scanner severity level: Medium
CCE-80414-6: Ensure that
auditd
collects information on kernel module loading (init_module).Scanner severity level: Medium
CCE-80383-3: Record attempts to alter logon and logout events (faillock).
Scanner severity level: Medium
CCE-80402-1: Ensure that
auditd
collects information on the use of privileged commands (sudoedit).Scanner severity level: Medium
CCE-80385-8: Record unauthorized (unsuccessful) access attempts to files (create).
Scanner severity level: Medium
CCE-80390-8: Record unauthorized (unsuccessful) access attempts to files (ftruncate).
Scanner severity level: Medium
CCE-80386-6: Record unauthorized (unsuccessful) access attempts to files (open).
Scanner severity level: Medium
CCE-80388-2: Record unauthorized (unsuccessful) access attempts to files (open_by_handle_at).
Scanner severity level: Medium
CCE-80387-4: Record unauthorized (unsuccessful) access attempts to files (openat).
Scanner severity level: Medium
CCE-80389-0: Record unauthorized (unsuccessful) access attempts to files (truncate).
Scanner severity level: Medium
CCE-80381-7: Shutdown system when auditing failures occur.
Scanner severity level: Medium
CCE-80439-3: Configure the time service maxpoll interval.
Scanner severity level: Low
CCE-80541-6: Configure
audispd
plugin to send logs to remote server.Scanner severity level: Medium
CCE-80539-0: Configure the disk_full_action option in the
audispd's
plugin.Scanner severity level: Medium
CCE-80540-8: Encrypt audit records sent with the
audispd
plugin.Scanner severity level: Medium
CCE-80538-2: Configure the network_failure_action option in the
audispd's
plugin.Scanner severity level: Medium
CCE-80542-4: Configure
firewalld
to rate limit connections.Scanner severity level: Medium
CCE-26828-4: Disable DCCP support.
Scanner severity level: Medium
CCE-81153-9: Add the nosuid option to
/home
.Scanner severity level: Low
CCE-80543-2: Map system users to the appropriate SELinux role.
Scanner severity level: Medium
CCE-80545-7: Verify and correct ownership of an rpm.
Scanner severity level: High
CCE-80512-7: Prevent unrestricted mail relaying.
Scanner severity level: Medium
CCE-26884-7: Set the lockout time for failed password attempts.
Scanner severity level: Medium