Veritas NetBackup™ Virtual Appliance Documentation

Last Published:
Product(s): Appliances (3.3.0.1)
Platform: NetBackup Virtual Appliance
  1. Getting to know the NetBackup Virtual Appliance
    1. NetBackup Virtual Appliance product description
      1.  
        About the NetBackup Virtual Appliance master server role
      2.  
        About the NetBackup Virtual Appliance combined master and media server role
      3.  
        About the NetBackup Virtual Appliance media server role
    2.  
      NetBackup Virtual Appliance supported features
    3.  
      About the NetBackup Virtual Appliance documentation
    4.  
      NetBackup Virtual Appliance 3.3.0.1 new features, enhancements, and changes
    5.  
      Known limitations of the NetBackup Virtual Appliance 3.3.0.1 release
    6.  
      Operational Notes for the NetBackup Virtual Appliance 3.3.0.1 release
  2. Preparing to deploy the appliance
    1.  
      NetBackup Virtual Appliance product files (OVF templates)
    2.  
      NetBackup Virtual Appliance deployment methods
    3. NetBackup Virtual Appliance deployment guidelines
      1.  
        Configuration overview for NetBackup Virtual Appliance MSDP cloud applications
      2.  
        NetBackup Virtual Appliance initial deployment checklist
  3. Deploying and configuring the appliance
    1. How to deploy and configure a NetBackup Virtual Appliance combined master and media server
      1.  
        Using the vSphere Client to deploy a combined master and media server appliance
      2.  
        Using the OVF Tool to deploy a combined master and media server appliance
      3.  
        Performing the initial configuration on a NetBackup Virtual Appliance combined master and media server
      4.  
        Completing the initial configuration of the NetBackup Virtual Appliance combined master and media server
    2. How to deploy and configure a NetBackup Virtual Appliance media server
      1.  
        Using the vSphere Client to deploy a media server appliance
      2.  
        Using the OVF Tool to deploy a media server appliance
      3.  
        Configuring a master server to communicate with an appliance media server
      4.  
        Performing the initial configuration on a NetBackup Virtual Appliance media server
    3. How to deploy and configure a NetBackup Virtual Appliance master server
      1.  
        Using the vSphere Client to deploy a NetBackup Virtual Appliance master server
      2.  
        Using the OVF Tool to deploy a master server
      3.  
        Performing the initial configuration on a NetBackup Virtual Appliance master server
  4. Post initial configuration procedures
    1.  
      About modifying the NetBackup Virtual Appliance settings
    2.  
      Adding a permanent license key if an evaluation license key expires
    3.  
      Managing license keys on the NetBackup Virtual Appliance
  5. Appliance common tasks
    1.  
      Common tasks in NetBackup Virtual Appliance
  6. Storage management
    1. About NetBackup Virtual Appliance storage configuration
      1. About viewing storage space information using the Show command
        1.  
          Viewing all storage information
        2.  
          Viewing disk information
        3.  
          Viewing partition information
        4.  
          Viewing the partition distribution on disks
      2.  
        Resizing a partition
      3.  
        Troubleshooting resize-related issues
      4.  
        Moving a partition
      5.  
        Monitoring the progress of storage manipulation tasks
      6.  
        Scanning storage devices using the NetBackup Virtual Appliance Shell Menu
      7.  
        Adding storage space for the NetBackup Virtual Appliance
      8.  
        Removing an existing storage disk
    2. About OpenStorage plugin installation
      1.  
        Installing the OpenStorage plugin
      2.  
        Uninstalling the OpenStorage plugin
  7. Deduplication pool catalog backup and recovery
    1.  
      About the NetBackup Virtual Appliance deduplication pool catalog backup policy
    2.  
      Automatic configuration of the NetBackup Virtual Appliance deduplication pool catalog backup policy
    3.  
      Manually configuring the NetBackup Virtual Appliance deduplication pool catalog backup policy
    4.  
      Manually updating the NetBackup Virtual Appliance deduplication pool catalog backup policy
    5.  
      Recovering the NetBackup Virtual Appliance deduplication pool catalog
  8. Network connection management
    1.  
      About IPv4-IPv6-based network support
    2.  
      Network settings for the NetBackup Virtual Appliance
    3.  
      Configuring DNS and host name mapping for the NetBackup Virtual Appliance
    4.  
      Setting the date and time on a NetBackup Virtual Appliance
    5.  
      Configuring static routes on the NetBackup Virtual Appliance
    6.  
      Expanding the bandwidth on the NetBackup Virtual Appliance
  9. Managing users
    1.  
      About managing NetBackup Virtual Appliance users
    2.  
      About NetBackup Virtual Appliance account types
    3.  
      Adding NetBackup Virtual Appliance users
    4.  
      Deleting NetBackup Virtual Appliance users
    5.  
      Adding NetBackup Virtual Appliance user groups
    6.  
      Deleting NetBackup Virtual Appliance user groups
    7.  
      Granting roles to NetBackup Virtual Appliance users and user groups
    8.  
      Revoking roles from NetBackup Virtual Appliance users and user groups
    9. About user name and password specifications
      1.  
        About STIG-compliant password policy rules
    10.  
      Changing NetBackup Virtual Appliance user passwords
    11.  
      About password management and recovery
    12. About authenticating LDAP users
      1.  
        Adding or modifying an LDAP server configuration on the NetBackup Virtual Appliance
      2.  
        Importing an LDAP server configuration for the NetBackup Virtual Appliance
      3.  
        Setting the SSL certification for LDAP on the NetBackup Virtual Appliance
      4.  
        Exporting an LDAP server configuration from the NetBackup Virtual Appliance
      5.  
        Unconfiguring LDAP user authentication on the NetBackup Virtual Appliance
      6.  
        Disabling LDAP user authentication on the NetBackup Virtual Appliance
      7.  
        Enabling LDAP user authentication on the NetBackup Virtual Appliance
      8.  
        Adding an LDAP attribute mapping on the NetBackup Virtual Appliance
      9.  
        Deleting an LDAP attribute mapping on the NetBackup Virtual Appliance
    13. About authenticating Active Directory users
      1.  
        Adding an Active Directory server configuration
      2.  
        Unconfiguring Active Directory user authentication on the NetBackup Virtual Appliance
    14.  
      About authentication using smart cards and digital certificates
    15. About authenticating Kerberos-NIS users
      1.  
        Adding a Kerberos-NIS authentication configuration on the NetBackup Virtual Appliance
      2.  
        Unconfiguring Kerberos-NIS user authentication on the NetBackup Virtual Appliance
    16.  
      Generic user authentication guidelines
    17. About user authorization on the NetBackup Virtual Appliance
      1.  
        NetBackup Virtual Appliance user role privileges
      2.  
        About the Administrator user role
      3.  
        About the NetBackupCLI user role
    18. Creating NetBackup administrator user accounts
      1.  
        Logging on as a NetBackup administrator
      2.  
        Managing NetBackup administrator user account passwords
      3.  
        Viewing NetBackup administrator user accounts
      4.  
        Auditing NetBackup administrator accounts
    19.  
      Deleting NetBackup administrator user accounts
  10. Using the appliance
    1. About configuring Host parameters for your appliance on the NetBackup Virtual Appliance
      1.  
        Configuring data buffer options on the NetBackup Virtual Appliance
      2.  
        Configuring lifecycle parameters on the NetBackup Virtual Appliance
      3.  
        Managing NetBackup Virtual Appliance deduplication
      4. About BMR integration
        1.  
          Enabling BMR from the NetBackup Virtual Appliance Shell Menu
    2. About Copilot functionality and Share management
      1.  
        Creating a Share
      2.  
        Editing a Share
      3.  
        Deleting a Share
      4.  
        Moving a Share
      5.  
        Viewing Share information from the NetBackup Virtual Appliance Shell Menu
      6.  
        NFS export options
    3. About NetBackup Virtual Appliance as a VMware backup host
      1.  
        NetBackup Virtual Appliance as backup host: component overview
      2.  
        Notes on NetBackup Virtual Appliance as a VMware backup host
    4. About running NetBackup commands from the appliance
      1.  
        Running NetBackup commands from the NetBackup Virtual Appliance
      2.  
        Creating a NetBackup touch file from the NetBackup Virtual Appliance
      3.  
        Best practices for running NetBackup commands from the NetBackup Virtual Appliance
      4.  
        About NetBackup operating system commands
      5.  
        Known limitations of running NetBackup commands from the NetBackup Virtual Appliance
    5. About mounting a remote NFS
      1.  
        Mounting a remote NFS drive
      2.  
        Unmounting an NFS drive
    6. About Auto Image Replication from a NetBackup Virtual Appliance
      1.  
        Prerequisites for Auto Image Replication
      2.  
        Configuring a replication target
      3.  
        Determining the appliance deduplication password
    7.  
      Generating certificates
  11. Monitoring the appliance
    1.  
      About NetBackup Virtual Appliance alerts
    2.  
      Setting up email notifications for a NetBackup Virtual Appliance
    3.  
      Setting up SNMP notifications for a NetBackup Virtual Appliance
    4.  
      Enabling and disabling Call Home from the appliance shell menu
    5.  
      Configuring a Call Home proxy server from the NetBackup Virtual Appliance Shell Menu
    6. About SNMP
      1.  
        About the Management Information Base (MIB)
    7. About Call Home
      1.  
        Understanding the Call Home workflow
      2.  
        About the Product Improvement Program
    8.  
      About AutoSupport
    9.  
      About storage email alerts
  12. Appliance security
    1. About Symantec Data Center Security on the NetBackup Virtual Appliance
      1.  
        Auditing the SDCS logs on the NetBackup Virtual Appliance
      2.  
        Viewing SDCS audit log details
      3.  
        Changing the SDCS log retention settings on the NetBackup Virtual Appliance
      4.  
        About SDCS event type codes and severity codes on the NetBackup Virtual Appliance
    2.  
      About data security
    3.  
      About data integrity
    4.  
      About data classification
    5.  
      About data encryption
    6.  
      About the NetBackup Virtual Appliance intrusion detection system
    7.  
      About the NetBackup Virtual Appliance intrusion prevention system
    8.  
      Major components of the NetBackup Virtual Appliance OS
    9.  
      OS STIG hardening for NetBackup Virtual Appliance
    10.  
      Unenforced STIG hardening rules
    11.  
      FIPS 140-2 conformance for NetBackup Virtual Appliance
    12.  
      Vulnerability scanning of the NetBackup Virtual Appliance
    13.  
      About the appliance login banner
    14. Setting the appliance login banner
      1.  
        Creating the appliance login banner
      2.  
        Removing the appliance login banner
    15.  
      Log Forwarding feature overview
  13. Upgrading the appliance
    1. About upgrading to NetBackup Virtual Appliance software version 3.3.0.1
      1.  
        Supported upgrade paths
      2.  
        Preflight check before the upgrade
      3.  
        Appliance behavior during upgrades
      4.  
        About corresponding NetBackup software versions
      5.  
        About the Appliance Install Manager
    2. Requirements and best practices for upgrading NetBackup appliances
      1.  
        Upgrade time estimation
    3.  
      Pre-upgrade tasks for appliance upgrades
    4. Methods for downloading appliance software release updates
      1.  
        Downloading software updates directly to a NetBackup appliance
      2.  
        Downloading software updates to a NetBackup appliance using a client share
    5.  
      Installing a NetBackup Virtual Appliance software update using the NetBackup Virtual Appliance Shell Menu
    6.  
      Troubleshooting upgrade issues
  14. NetBackup client upgrades with VxUpdate
    1.  
      About VxUpdate
    2.  
      VxUpdate repository management
    3.  
      Deployment policy management
    4.  
      Manually initiating upgrades from the master server using VxUpdate
    5.  
      Manually initiating upgrades from the client using VxUpdate
    6.  
      Deployment job status
  15. Appliance restore
    1.  
      About appliance restore
    2.  
      Creating an appliance checkpoint from the appliance shell menu
    3.  
      Rollback to an appliance checkpoint from the appliance shell menu
    4.  
      About NetBackup Virtual Appliance factory reset
    5.  
      Factory reset best practices
    6.  
      How to factory reset the NetBackup Virtual Appliance
  16. Decommissioning and Reconfiguring
    1.  
      About decommissioning a NetBackup Virtual Appliance
    2.  
      Decommissioning a NetBackup Virtual Appliance with the media server role
  17. Troubleshooting
    1.  
      About troubleshooting the NetBackup Virtual Appliance
    2.  
      About contacting Technical Support
    3.  
      Determining the NetBackup Virtual Appliance serial number
    4. About disaster recovery
      1.  
        Recovering a NetBackup appliance master server using NetBackup catalog restore
    5. About NetBackup support utilities
      1.  
        NetBackup Domain Network Analyzer (NBDNA)
      2.  
        NetBackup Support Utility (NBSU)
    6.  
      Troubleshooting NetBackup Virtual Appliance initial deployment issues
    7.  
      Error messages displayed on the NetBackup Virtual Appliance Shell Menu
    8.  
      NetBackup status codes applicable for NetBackup Virtual Appliance
    9.  
      Installing an EEB
    10.  
      Rolling back an EEB using the NetBackup Virtual Appliance Shell Menu
  18. Appliance logging
    1.  
      About NetBackup Virtual Appliance log files
    2.  
      Viewing log files using the Support command
    3.  
      Where to find NetBackup Virtual Appliance log files using the Browse command
    4.  
      Enabling and disabling VxMS logging
    5.  
      Gathering device logs on a NetBackup virtual appliance
    6. About forwarding logs to an external server
      1.  
        Uploading certificates for TLS
      2.  
        Enabling log forwarding
      3.  
        Changing the log forwarding interval
      4.  
        Viewing the log forwarding configuration
      5.  
        Disabling log forwarding
  19. Commands overview
    1.  
      About the NetBackup Virtual Appliance Shell Menu
    2.  
      Logging on to the NetBackup Virtual Appliance Shell Menu
    3.  
      Using the NetBackup Virtual Appliance Shell Menu
    4.  
      About the NetBackup Virtual Appliance Shell Menu command views
  20. Appendix A. Appliance commands
    1.  
      Appliance > Master
    2.  
      Appliance > Media
    3.  
      Appliance > ShowDedupPassword
    4.  
      Appliance > Status
    5.  
      Appliance > Configure
  21. Appendix B. Manage commands
    1.  
      Manage > Software > Delete
    2.  
      Manage > Software > Download
    3.  
      Manage > Software > List
    4.  
      Manage > Software > Install
    5.  
      Manage > Software > Share
    6.  
      Manage > Software > Readme
    7.  
      Manage > Software > Rollback
    8.  
      Manage > Software > Cancel
    9.  
      Manage > Software > DownloadProgress
    10.  
      Manage > Software > UpgradeStatus
    11.  
      Manage > Software > VxUpdate
    12.  
      Manage > Storage > Show
    13.  
      Manage > Storage > Add
    14.  
      Manage > Storage > Create
    15.  
      Manage > Storage > Delete
    16.  
      Manage > Storage > Edit
    17.  
      Manage > Storage > Monitor
    18.  
      Manage > Storage > Move
    19.  
      Manage > Storage > Remove
    20.  
      Manage > Storage > Resize
    21.  
      Manage > Storage > Scan
    22.  
      Manage > OpenStorage > Install
    23.  
      Manage > OpenStorage > List
    24.  
      Manage > OpenStorage > Readme
    25.  
      Manage > OpenStorage > Share
    26.  
      Manage > OpenStorage > Uninstall
    27.  
      Manage > MountPoints > List
    28.  
      Manage > MountPoints > Mount
    29.  
      Manage > MountPoints > Unmount
    30.  
      Manage > License > Add
    31.  
      Manage > License > List
    32.  
      Manage > License > ListInfo
    33.  
      Manage > License > Remove
    34.  
      Manage > Certificates > Generate
    35.  
      Manage > Certificates > Delete
    36.  
      Manage > NetBackupCLI > Create
    37.  
      Manage > NetBackupCLI > Delete
    38.  
      Manage > NetBackupCLI > List
    39.  
      Manage > NetBackupCLI > PasswordExpiry
  22. Appendix C. Monitor commands
    1.  
      Monitor > Uptime
    2.  
      Monitor > Who
    3.  
      Monitor > NetworkStatus
    4.  
      Monitor > Top
    5.  
      Monitor > MemoryStatus
    6.  
      Monitor > SDCS
    7.  
      Monitor > NetBackup
    8.  
      Monitor > Hardware
  23. Appendix D. Network commands
    1.  
      Network > Configure
    2.  
      Network > Date
    3.  
      Network > DNS
    4.  
      Network > Gateway
    5.  
      Network > Hostname
    6.  
      Network > Hosts
    7.  
      Network > IPv4
    8.  
      Network > IPv6
    9.  
      Network > LinkAggregation
    10.  
      Network > NetStat
    11.  
      Network > NTPServer
    12.  
      Network > Ping
    13.  
      Network > SetProperty
    14.  
      Network > Show
    15.  
      Network > TimeZone
    16.  
      Network > TraceRoute
    17.  
      Network > Unconfigure
    18.  
      Network > WANOptimization
  24. Appendix E. Reports commands
    1.  
      Reports > Deduplication
    2.  
      Reports > Process
  25. Appendix F. Settings commands
    1.  
      Settings > Deduplication
    2.  
      Settings > LifeCycle
    3.  
      Settings > LogForwarding
    4.  
      Settings > NetBackup
    5.  
      Settings > Password
    6.  
      Settings > SystemLocale
    7.  
      Settings > Share
    8.  
      Settings > Sysctl
    9.  
      Settings > NetBackup DNAT
    10.  
      Settings > NetBackup NATServers
    11.  
      Settings > Notifications > LoginBanner
    12.  
      Settings > Security > Authentication > LDAP
    13.  
      Settings > Security > Authentication > ActiveDirectory
    14.  
      Settings > Security > Authentication > Kerberos
    15.  
      Settings > Security > Authentication > LocalUser
    16.  
      Settings > Security > Authorization
    17.  
      Main > Settings > Security > Certificate
    18.  
      Main > Settings > Security > STIG
    19.  
      Main > Settings > Security > FIPS
    20.  
      Settings > Alerts > CallHome
    21.  
      Settings > Alerts > SNMP
    22.  
      Settings > Alerts > Email
    23.  
      Settings > Alerts > Hardware
  26. Appendix G. Support commands
    1.  
      Support > Checkpoint
    2.  
      Support > DataCollect
    3.  
      Support > Disk
    4.  
      Support > Errors
    5.  
      Support > FactoryReset
    6.  
      Support > InfraServices
    7.  
      Support > iostat
    8.  
      Support > LogBrowser
    9.  
      Support > Logs
    10.  
      Support > Maintenance
    11.  
      Support > Messages
    12.  
      Support > NBDNA
    13.  
      Support > nbperfchk
    14.  
      Support > NBSU
    15.  
      Support > Processes
    16.  
      Support > Reboot
    17.  
      Support > Service
    18.  
      Support > Shutdown
    19.  
      Support > Storage SanityCheck
    20.  
      Support > Storage Reset
    21.  
      Support > Test

OS STIG hardening for NetBackup Virtual Appliance

The Security Technical Implementation Guides (STIGs) provide technical guidance for increasing the security of information systems and software to help prevent malicious computer attacks. This type of security is also referred to as hardening.

Starting with software version 3.2, you can enable OS STIG hardening rules for increased security. These rules are based on the following profile from the Defense Information Systems Agency (DISA):

STIG for Red Hat Enterprise Linux 7 Server - Version 0.1.43

To enable these rules, use the following command:

Main_Menu > Settings > Security > Stig Enable, followed by the maintenance password.

Note the following about enabling STIG:

  • When the option is enabled, a list of the enforced rules appears. The command output also shows exceptions to any rules that are not enforced.

  • This command does not allow individual rule control.

  • Once the option is enabled, a factory reset is required to disable the associated rules.

  • If Lightweight Directory Access Protocol (LDAP) is configured, it is recommended that you set it up to use Transport Layer Security (TLS) before you enable the option.

Note:

If you have enabled the STIG feature on an appliance and you need to upgrade it or install an EEB on it, do not plan such installations during the 4:00am - 4:30am time frame. By following this best practice, you can avoid interrupting the automatic update of the AIDE database and any monitored files, which can cause multiple alert messages from the appliance.

The following describes the hardening rules that are enforced after the option is enabled. Each rule is identified by a Common Configuration Enumerator (CCE) identifier, a short rule description, and a Security Content Automation Protocol (SCAP) scanner severity level.

Rules enforced after enabling the option
  • CCE-27127-0: Enable randomized layout of virtual address space.

    Scanner severity level: Medium

  • CCE-26900-1: Disable core dumps for SUID programs.

    Scanner severity level: Low

  • CCE-27050-4: Restrict access to kernel message buffer.

    Scanner severity level: Low

  • CCE-80258-7: Disable the kdump kernel crash analyzer.

    Scanner severity level: Medium

  • CCE-27220-3: Build and test AIDE database.

    Scanner severity level: Medium

  • CCE-26952-2: Configure periodic execution of AIDE.

    Scanner severity level: Medium

  • CCE-27303-7: Modify the system login banner.

    Scanner severity level: Medium

  • CCE-27386-2: Ensure that the default SNMP password is not used.

    Scanner severity level: High

    Note:

    The SNMP password is changed to the fully qualified domain name (FQDN) of the appliance.

  • CCE-27082-7: Set SSH client alive account.

    Scanner severity level: Medium

  • CCE-27314-4: Enable SSH warning banner.

    Scanner severity level: Medium

  • CCE-27437-3: Ensure that auditd collects information on the use of privileged commands.

    Scanner severity level: Medium

  • CCE-27309: Set boot loader password.

    Scanner severity level: High

  • CCE-80374-2: Configure notification of AIDE scan results.

    Scanner security level: Medium

  • CCE-80375-9: Configure AIDE to verify Access Control Lists (ACLs).

    Scanner severity level: Medium

  • CCE-80376-7: Configure AIDE to verify extended attributes.

    Scanner severity level: Medium

  • CCE-27375-5: Configure auditd_space_left_action on low disk space.

    Scanner severity level: Medium

  • CCE-27341-7: Configure auditd to use audispd_syslog_plugin.

    Scanner security level: Medium

  • CCE-27353-2: Record events that modify the system discretionary access controls (fremovexattr).

    Scanner severity level: Medium

  • CCE-27410-0: Record events that modify the system discretionary access controls (lremovexattr).

    Scanner severity level: Medium

  • CCE-27367-2: Record events that modify the system discretionary access controls (removexattr).

    Scanner severity level: Medium

  • CCE-27204-7: Record attempts to alter the logon and logout events.

    Scanner severity level: Medium

  • CCE-27347-4: Ensure that auditd collects unauthorized access attempts to files.

    Scanner severity level: Medium

  • CCE-27447-2: Ensure that auditd collects information on successful exporting to media.

    Scanner severity level: Medium

  • CCE-27206-2: Ensure that auditd collects file deletion events by the user.

    Scanner severity level: Medium

  • CCE-27129-6: Ensure that auditd collects information on kernel module loading and unloading.

    Scanner severity level: Medium

  • CCE-27333-4: Set the password rule for maximum consecutive repeating characters.

    Scanner severity level: Medium

  • CCE-27512-3: Set the password rule for maximum consecutive repeating characters from the same character class.

    Scanner severity level: Medium

  • CCE-27214-6: Set the password strength for minimum digit (numeric) characters.

    Scanner severity level: Medium

  • CCE-27293-0: Set the password rule for minimum length.

    Scanner severity level: Medium

  • CCE-27200-5: Set the password strength for minimum uppercase characters.

    Scanner severity level: Medium

  • CCE-27360-7: Set the password strength for minimum special characters.

    Scanner severity level: Medium

  • CCE-27345-8: Set the password strength for minimum lowercase characters.

    Scanner severity level: Medium

  • CCE-26631-2: Set the password strength for minimum different characters.

    Scanner severity level: Medium

  • CCE-27115-5: Disable modprobe loading of the USB storage driver.

    Scanner severity level: Medium

  • CCE-27350-8: Set the number of failed password attempts to deny access.

    Scanner severity level: Medium

  • CCE-80353-6: Configure the root account for failed password attempts.

    Scanner severity level: Medium

  • CCE-27297-1: Set the interval for counting failed password attempts.

    Scanner severity level: Medium

  • CCE-27002-5: Set the password minimum age.

    Scanner severity level: Medium

  • CCE-27051-2: Set the password maximum age.

    Scanner security level: Medium

  • CCE-27081-9: Limit the number of concurrent login sessions allowed for each user.

    Scanner severity level: Low

  • CCE-80522-6: Set the maximum age (period of time after which the set password expires and must be changed) for the existing password.

    Scanner severity level: Medium

  • CCE-80521-8: Set the minimum age (period of time a password must be used before it can be changed) for the existing password .

    Scanner severity level: Medium

  • CCE-27339-1: Record the events that modify the system's discretionary access controls (chmod).

    Scanner severity level: Medium

  • CCE-27364-9: Record the events that modify the system's discretionary access controls (chown).

    Scanner severity level: Medium

  • CCE-27393-8: Record the events that modify the system's discretionary access controls (fchmod).

    Scanner severity level: Medium

  • CCE-27388-8: Record the events that modify the system's discretionary access controls (fchmodat).

    Scanner severity level: Medium

  • CCE-27356-5: Record the events that modify the system's discretionary access controls (fchown).

    Scanner severity level: Medium

  • CCE-27387-0: Record the events that modify the system's discretionary access controls (fchownat).

    Scanner severity level: Medium

  • CCE-27389-6: Record the events that modify the system's discretionary access controls (fsetxattr).

    Scanner severity level: Medium

  • CCE-27083-5: Record the events that modify the system's discretionary access controls (lchown).

    Scanner severity level: Medium

  • CCE-27280-7: Record the events that modify the system's discretionary access controls (lsetxattr).

    Scanner severity level: Medium

  • CCE-27213-8: Record the events that modify the system's discretionary access controls (setxattr).

    Scanner severity level: Medium

  • CCE-27206-2: Ensure that auditd collects file deletion events executed by the user (rename).

    Scanner severity level: Medium

  • CCE-80413-8: Ensure that auditd collects file deletion events executed by the user (renameat).

    Scanner severity level: Medium

  • CCE-80412-0: Ensure that auditd collects file deletion events executed by the user (rmdir).

    Scanner severity level: Medium

  • CCE-27206-2: Ensure that auditd collects file deletion events executed by the user (unlink).

    Scanner severity level: Medium

  • CCE-80662-0: Ensure that auditd collects file deletion events executed by the user (unlinkat).

    Scanner severity level: Medium

  • CCE-80446-8: Ensure that auditd collects information on kernel module loading (insmod).

    Scanner severity level: Medium

  • CCE-80417-9: Ensure that auditd collects information on kernel module loading and unloading (modprobe).

    Scanner severity level: Medium

  • CCE-80416-1: Ensure that auditd collects information on kernel module unloading (rmmod).

    Scanner severity level: Medium

  • CCE-80384-1: Record attempts to alter logon and logout events (lastlog).

    Scanner severity level: Medium

  • CCE-80382-5: Record attempts to alter logon and logout events (tallylog).

    Scanner severity level: Medium

  • CCE-80398-1: Ensure that auditd collects information on the use of privileged commands (chage).

    Scanner severity level: Medium

  • CCE-80404-7: Ensure that auditd collects information on the use of privileged commands (chsh).

    Scanner severity level: Medium

  • CCE-80410-4: Ensure that auditd collects information on the use of privileged commands (crontab).

    Scanner severity level: Medium

  • CCE-80397-3: Ensure that auditd collects information on the use of privileged commands (gpasswd).

    Scanner severity level: Medium

  • CCE-80403-9: Ensure that auditd collects information on the use of privileged commands (newgrp).

    Scanner severity level: Medium

  • CCE-80411-2: Ensure that auditd collects information on the use of privileged commands (pam_timestamp_check).

    Scanner severity level: Medium

  • CCE-80395-7: Ensure that auditd collects information on the use of privileged commands (passwd).

    Scanner severity level: Medium

  • CCE-80406-2: Ensure that auditd collects information on the use of privileged commands (postdrop).

    Scanner severity level: Medium

  • CCE-80407-0: Ensure that auditd collects information on the use of privileged commands (postqueue).

    Scanner severity level: Medium

  • CCE-80408-8: Ensure that auditd collects information on the use of privileged commands (ssh-keysign).

    Scanner severity level: Medium

  • CCE-80400-5: Ensure that auditd collects information on the use of privileged commands (su).

    Scanner severity level: Medium

  • CCE-80401-3: Ensure that auditd collects information on the use of privileged commands (sudo).

    Scanner severity level: Medium

  • CCE-80405-4: Ensure that auditd collects information on the use of privileged commands (umount).

    Scanner severity level: Medium

  • CCE-80396-5: Ensure that auditd collects information on the use of privileged commands (unix_chkpwd).

    Scanner severity level: Medium

  • CCE-80399-9: Ensure that auditd collects information on the use of privileged commands (userhelper).

    Scanner severity level: Medium

  • CCE-27461-3: Ensure that auditd collects system administrator actions.

    Scanner severity level: Medium

  • CCE-80433-6: Record the events that modify user/group information (/etc/group).

    Scanner severity level: Medium

  • CCE-80432-8: Record the events that modify user/group information (/etc/gshadow).

    Scanner severity level: Medium

  • CCE-80430-2: Record the events that modify user/group information (/etc/security/opasswd).

    Scanner severity level: Medium

  • CCE-80435-1: Record the events that modify user/group information (/etc/passwd).

    Scanner severity level: Medium

  • CCE-80431-0: Record the events that modify user/group information (/etc/shadow).

    Scanner severity level: Medium

  • CCE-27309-4: Set boot loader password in grub2.

    Scanner severity level: High

  • CCE-80377-5: Configure aide to use fips 140-2 for validating hashes.

    Scanner severity level: Medium

  • CCE-80226-4: Enable encrypted X11 forwarding.

    Scanner severity level: High

  • CCE-80393-2: Record any attempts to run chcon.

    Scanner severity level: Medium

  • CCE-80391-6: Record any attempts to run semanage.

    Scanner severity level: Medium

  • CCE-80660-4: Record any attempts to run setfiles.

    Scanner severity level: Medium

  • CCE-80392-4: Record any attempts to run setsebool.

    Scanner severity level: Medium

  • CCE-80385-8: Record unauthorized (unsuccessful) access attempts to files (create).

    Scanner severity level: Medium

  • CCE-80390-8: Record unauthorized (unsuccessful) access attempts to files (ftruncate).

    Scanner severity level: Medium

  • CCE-80386-6: Record unauthorized (unsuccessful) access attempts to files (open).

    Scanner severity level: Medium

  • CCE-80388-2: Record unauthorized (unsuccessful) access attempts to files (open_by_handle_at).

    Scanner severity level: Medium

  • CCE-80387-4: Record unauthorized (unsuccessful) access attempts to files (openat).

    Scanner severity level: Medium

  • CCE-80389-0: Record unauthorized (unsuccessful) access attempts to files (truncate).

    Scanner severity level: Medium

  • CCE-80402-1: Ensure that auditd collects information on the use of privileged commands (sudoedit).

    Scanner severity level: Medium

  • CCE-80661-2: Ensure that auditd collects information on kernel module loading (create_module).

    Scanner severity level: Medium

  • CCE-80415-3: Ensure that auditd collects information on kernel module unloading (delete_module).

    Scanner severity level: Medium

  • CCE-80547-3: Ensure that auditd collects information on kernel module loading and unloading (finit_module).

    Scanner severity level: Medium

  • CCE-80414-6: Ensure that auditd collects information on kernel module loading (init_module).

    Scanner severity level: Medium

  • CCE-80537-4: Configure auditd space_left on Low Disk Space.

    Scanner severity level: Medium

Rules always enforced

The following rules are always enforced and cannot be disabled. Hardening of these rules complies with the specifications described in "NIST Special Publication 800-123". For more information, refer to the following:

http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123.pdf

  • CCE-80165-4: Configure the kernel parameter to ignore ICMP broadcast echo requests.

    Scanner severity level: Medium

  • CCE-80156-3: Disable the kernel parameter for sending ICMP redirects by default.

    Scanner severity level: Medium

  • CCE-80156-3: Disable the kernel parameter for sending ICMP redirects for all interfaces.

    Scanner severity level: Medium

  • CCE-26828-4: Disable support for DCCP.

    Scanner severity level: Medium

  • CCE-27212-0: Enable auditing for the processes that start before the audit daemon.

    Scanner severity level: Medium

  • CCE-26957-1: Ensure that the Red Hat GPG key is installed.

    Scanner severity level: High

  • CCE-27096-7: Ensure that the AIDE package is installed.

    Scanner severity level: Medium

  • CCE-27351-6: Install the screen package.

    Scanner severity level: Medium

  • CCE-27268-2: Restrict serial port root logins.

    Scanner severity level: Low

  • CCE-27318-5: Restrict virtual console root logins.

    Scanner severity level: Medium

  • CCE-27401-9: Disable telnet service

    Scanner severity level: High

  • CCE-27471-2: Disable SSH access without a password.

    Scanner severity level: High

  • CCE-27286-4: Prevent login to accounts without a password.

    Scanner severity level: High

  • CCE-27511-5: Disable Ctrl-Alt-Del reboot activation.

    Scanner severity level: High

  • CCE-27320-1: Allow only SSH protocol version 2.

    Scanner severity level: High

  • CCE-27294-8: Do not allow direct root logins.

    Scanner severity level: Medium

  • CCE-80157-1: Disable the kernel parameter for IP forwarding.

    Scanner severity level: Medium

  • CCE-80158-9: Configure the kernel parameter for accepting ICMP redirects for all interfaces.

    Scanner severity level: Medium

  • CCE-80163-9: Configure the kernel parameter for accepting ICMP redirects by default.

    Scanner severity level: Medium

  • CCE-27327-6: Disable the Bluetooth kernel modules.

    Scanner severity level: Medium

  • CCE-80179-5: Configure the kernel parameter for accepting source-routed packets for all interfaces.

    Scanner severity level: Medium

  • CCE-80220-7: Disable the GSSAPI authentication.

    Scanner severity level: Medium

  • CCE-80221-5: Disable the Kerberos authentication.

    Scanner severity level: Medium

  • CCE-80222-3: Enable the use of strict mode checking.

    Scanner severity level: Medium

  • CCE-80224-9: Disable compression or set compression to delayed.

    Scanner severity level: Medium

  • CCE-27455-5: Use only FIPS approved MACs.

    Scanner severity level: Medium

  • CCE-80378-3: Verify the user that owns /etc/cron.allow.

    Scanner severity level: Medium

  • CCE-80379-1: Verify the group that owns /etc/cron.allow.

    Scanner severity level: Medium

  • CCE-80372-6: Disable SSH support for user-known hosts.

    Scanner severity level: Medium

  • CCE-80373-4: Disable SSH support for rhosts RSA authentication.

    Scanner severity level: Medium

  • CCE-27363-1: Do not allow SSH environment options.

    Scanner severity level: Medium

  • CCE-26989-4: Ensure that gpgcheck is globally activated.

    Scanner severity level: High

  • CCE-80349--4: Ensure that the installed OS is certified.

    Scanner severity level: High

  • CCE-27175-9: No UID except zero.

    Scanner severity level: High

  • CCE-27498-5: Disable the auto-mounter.

    Scanner severity level: Medium

  • CCE-80134-0: No files not owned by user.

    Scanner severity level: Medium

  • CCE-80135-7: No file permissions not owned by group.

    Scanner severity level: Medium

  • CCE-27211-2: sysctl_kernal_exec_shield.

    Scanner severity level: Medium

  • CCE-27352-4: Verify that all account password hashes are shadowed.

    Scanner severity level: Medium

  • CCE-27104-9: Set the password hashing algorithm systemauth.

    Scanner severity level: Medium

  • CCE-27124-7: Set the password hashing algorithm logindefs.

    Scanner severity level: Medium

  • CCE-27053-8: Set the password hashing algorithm libusercon.

    Scanner severity level: Medium

  • CCE-27078-5: Disable pre-linking software.

    Scanner severity level: Low

  • CCE-27116-3: Install the PAE kernel on supported 32-bit x86 systems.

    Scanner severity level: Low

  • CCE-27503-2: All GIDs referenced in /etc/password must be defined in /etc/group.

    Scanner severity level: Low

  • CCE-27160-1: Password pam retry.

    Scanner severity level: Low

  • CCE-27275-7: Display login attempts.

    Scanner severity level: Low

  • CCE-80350-2: Remove no_authenticate on sudo.

    Scanner severity level: Medium

  • CCE-26961-3: Ensure that SELinux is not disabled in /etc/default/grub.

    Scanner severity level: Medium

  • CCE-80245-4: Uninstall the vsftpd package.

    Scanner severity level: High

  • CCE-80216-5: Enable the OpenSSH service.

    Scanner severity level: Medium

  • CCE-27407-6: Enable the auditd service.

    Scanner severity level: Medium

  • CCE-27361-5: Verify that firewalld is enabled.

    Scanner severity level: Medium

  • CCE-80544-0: Ensure that users cannot change GNOME3 session idle settings.

    Scanner severity level: Medium

  • CCE-80371-8: Ensure that users cannot change GNOME3 screensaver settings.

    Scanner severity level: Medium

  • CCE-80563-0: Ensure that users cannot change GNOME3 screensaver lock after idle period.

    Scanner severity level: Medium

  • CCE-80112-6: Enable GNOME3 screensaver lock after idle period.

    Scanner severity level: Medium

  • CCE-80370-0: Set GNOME3 screensaver lock delay after activation period.

    Scanner severity level: Medium

  • CCE-80110-0: Set GNOME3 screensaver inactivity timeout.

    Scanner severity level: Medium

  • CCE-80564-8: Ensure that users cannot change the GNOME3 screensaver idle activation.

    Scanner severity level: Medium

  • CCE-80162-1: Configure the kernel parameter for accepting source-routed packets by default.

    Scanner severity level: Medium

  • CCE-80111-8: Enable GNOME3 screensaver idle activation.

    Scanner severity level: Medium

  • CCE-80105-0: Disable GDM guest login.

    Scanner severity level: High

  • CCE-80104-3: Disable GDM automatic login.

    Scanner severity level: High

  • CCE-80108-4: Enable the GNOME3 login smartcard authentication.

    Scanner severity level: Medium

  • CCE-27279-9: Configure the SELinux policy.

    Scanner severity level: High

  • CCE-80148-0: Add the nosuid option to removable media partitions.

    Scanner severity level: Low

  • CCE-80136-5: Ensure that all world-writable directories are owned by a system account.

    Scanner severity level: Low

  • CCE-80174-6: Ensure that the system is not acting as a network sniffer.

    Scanner severity level: Medium

  • CCE-80438-5: Configure multiple DNS servers in /etc/resolv.conf.

    Scanner severity level: Low

  • CCE-27358-1: Deactivate wireless network interfaces.

    Scanner severity level: Medium

  • CCE-27287-2: Require authentication for Single User mode.

    Scanner severity level: Medium

  • CCE-27434-0: Configure the kernel parameter for accepting IPv4 source-routed packets for all interfaces.

    Scanner severity level: Medium

  • CCE-80447-6: Configure the Firewalld Ports.

    Scanner severity level: Medium

  • CCE-80380-9: Ensure that cron is able to log in to Rsyslog.

    Scanner severity level: Medium

  • CCE-80354-4: Set the UEFI boot loader password.

    Scanner severity level: Medium

  • CCE-80517-6: Boat loader is not installed on removeable media.

    Scanner severity level: Medium

  • CCE-27394-6: Configure the auditd mail_acct action on low disk space.

    Scanner severity level: Medium

  • CCE-80434-4: Ensure that home directories are created for new users.

    Scanner severity level: Medium

  • CCE-80536-6: Ensure that the default umask is set correctly for interactive users.

    Scanner severity level: Medium

  • CCE-26923-3: Limit password reuse.

    Scanner severity level: Medium

  • CCE-26892-0: Set the GNOME3 login warning banner text.

    Scanner severity level: Medium

  • CCE-26970-4: Enable GNOME3 login warning banner.

    Scanner severity level: Medium

  • CCE-27218-7: Remove the X Windows package group.

    Scanner severity level: Medium

  • CCE-80215-7: Install the OpenSSH server package.

    Scanner severity level: Medium

  • CCE-27311-0: Verify Permissions on SSH Server public *.pub key files.

    Scanner severity level: Medium

  • CCE-27485-2: Verify Permissions on SSH Server private *_key key files.

    Scanner severity level: Medium

  • CCE-80223-1: Enable Use of Privilege Separation.

    Scanner severity level: Medium

  • CCE-27295-5: Use Only FIPS 140-2 Validated Ciphers.

    Scanner severity level: Medium

  • CCE-80225-6: Enable SSH Print Last Log.

    Scanner severity level: Medium

  • CCE-27445-6: Disable SSH root login.

    Scanner severity level: Medium

  • CCE-27377-1: Disable SSH support for .rhosts files.

    Scanner severity level: Medium

  • CCE-27413-4: Disable host-based authentication.

    Scanner severity level: Medium

  • CCE-27458-9: Mount remote file systems with Kerberos Security.

    Scanner severity level: Medium

  • CCE-80214-0: Ensure tftp daemon uses secure mode.

    Scanner severity level: Medium

  • CCE-80213-2: Uninstall the tftp-server package.

    Scanner severity level: High

  • CCE-27165-0: Uninstall the telnet-server package.

    Scanner severity level: High

  • CCE-27342-5: Uninstall the rsh-server package.

    Scanner severity level: High

  • CCE-80514-3: Remove user host-based authentication files.

    Scanner severity level: High

  • CCE-80513-5: Remove host-based authentication files.

    Scanner severity level: High

  • CCE-27399-5: Uninstall the ypserv package.

    Scanner severity level: High

  • CCE-80240-5: Mount remote file systems with nosuid.

    Scanner severity level: Medium

  • CCE-80436-9: Mount remote file systems with noexec.

    Scanner severity level: Medium

  • CCE-80205-8: Ensure that the default umask is set correctly in login.defs.

    Scanner severity level: Medium

See Unenforced STIG hardening rules.