Veritas NetBackup™ Security and Encryption Guide
- Increasing NetBackup security
- Security deployment models
- Port security
- About NetBackup daemons, ports, and communication
- Additional port information for products that interoperate with NetBackup
- About configuring ports
- Auditing NetBackup operations
- Configuring Enhanced Auditing
- Access control security
- NetBackup Access Control Security (NBAC)
- Configuring NetBackup Access Control (NBAC)
- Configuring Access Control host properties for the master and media server
- Access Control host properties dialog for the client
- Troubleshooting Access Management
- Windows verification points
- UNIX verification points
- Verification points in a mixed environment with a UNIX master server
- Verification points in a mixed environment with a Windows master server
- About determining who can access NetBackup
- Configuring user groups
- About defining a user group and users
- Viewing specific user permissions for NetBackup user groups
- Security management in NetBackup
- About the Security Management utilities
- About audit events
- About host management
- Adding shared or cluster mappings
- Allowing or disallowing automatic certificate reissue
- About global security settings
- About host name-based certificates
- About host ID-based certificates
- Using the Certificate Management utility to issue and deploy host ID-based certificates
- About certificate deployment security levels
- Setting up trust with the master server (Certificate Authority)
- About reissuing host ID-based certificates
- About Token Management for host ID-based certificates
- About the host ID-based certificate revocation list
- About revoking host ID-based certificates
- Security certificate deployment in a clustered NetBackup setup
- About deployment of a host ID-based certificate on a clustered NetBackup host
- Data at rest encryption security
- About NetBackup client encryption
- Configuring standard encryption on clients
- About configuring standard encryption from the server
- Configuring legacy encryption on clients
- About configuring legacy encryption from the client
- About configuring legacy encryption from the server
- Additional legacy key file security for UNIX clients
- Data at rest key management
- About the Key Management Service (KMS)
- Installing KMS
- Configuring KMS
- About key groups and key records
- Overview of key record states
- Configuring NetBackup to work with KMS
- About using KMS for encryption
- KMS database constituents
- Command line interface (CLI) commands
- About exporting and importing keys from the KMS database
- Troubleshooting KMS
- Regenerating keys and certificates
- NetBackup web services account
Viewing the audit report
Within OpsCenter, the Monitor > Audit Trails section provides the details of the Audit logs and lets you export that information to Excel or save as a .pdf file.
See the Veritas NetBackup OpsCenter Administrator's Guide for more details.
If auditing is enabled but a user action fails to create an audit record, the audit failure is captured in the nbaudit log.
The failure to create an audit record has no effect on the user action that was performed.
If the user action succeeds, an exit code is returned that reflects the successful action. If auditing of the action fails, NetBackup status code 108 is returned (Action succeeded but auditing failed).
The NetBackup Administration Console (Windows and UNIX (jnbSA)) does not return an exit status code 108 when auditing fails.
To view the NetBackup audit report
- From a command prompt, locate the nbauditreport command on the master server in the following directory:
- In its simplest form, enter the nbauditreport command using the following syntax:
The nbauditreport can also be used with a number of options.
Use for assistance with the command at the command prompt.
Use to indicate the start date and time of the report data you want to view.
Use to indicate the end date and time of the report data you want to view.
Use -ctgy POLICY to display information pertaining to policy changes.
Use -ctgy JOB to display information pertaining to jobs.
Use -ctgy STU to display information pertaining to storage units.
Use -ctgy STORAGESRV to display information pertaining to storage servers.
Use -ctgy POOL to display information pertaining to storage pools.
Use -ctgy AUDITCFG to display information pertaining to audit configuration changes.
Use -ctgy BPCONF to display information pertaining to changes in the bp.conf file.
Use -ctgy CERT to display information pertaining to changes in certificate deployment.
Use -ctgy LOGIN to display information that is related to NetBackup Administration Console and NetBackup API login attempts.
Use -ctgy TOKEN to display information that is related to authorization tokens.
Use -ctgy SEC_CONFIG to display information that is related to changes made to the security configuration settings.
Use -ctgy HOLD to display information that is related to creating, modifying, and deleting hold operations.
Use -ctgy AZFAILURE to display information that is related to authorization failure when Enhanced Auditing is enabled.
Use -ctgy CATALOG to display information that is related to verifying and expiring images; and read requests sent for the front-end usage data.
Use -ctgy HOST to display NetBackup host database related operations.
Use -ctgy CONNECTION to display information about the host connections that were dropped.
Use the -ctgy USER to display information pertaining to addition and deletion of users in the Enhanced Auditing mode.
Use to indicate the name of the user for whom you'd like to display audit information.
If no report output format option (-fmt) is specified, the SUMMARY option is used by default.
The -fmt DETAIL option displays a comprehensive list of audit information. For example, when a policy is changed, this view lists the name of the attribute, the old value, and the new value.
The -fmt PARSABLE option displays the same set of information as the DETAIL report but in a parsable format. The report uses the pipe character (|) as the parsing token between the audit report data.
Use the -notruncate option to display the old and new values of a changed attribute on separate lines in the details section of the report.
-notruncate is valid only with the -fmt DETAIL option.
Use the -pagewidth option to set the page width for the details section of the report.
-pagewidth is valid only with the -fmt DETAIL option.
The -order option is valid only with -fmt PARSABLE. Use it to indicate the order in which the information appears.
Use the following parameters:
- The audit report contains the following details:
The details of the action that was performed. The details include the new values that are given to a modified object and the new values of all attributes for a newly created object. The details also include the identification of any deleted objects.
The identity of the user who performed the action. The identity includes the user name, the domain, and the domain type of the authenticated user.
The time that the action was performed. The time is given in Coordinated Universal Time (UTC) and indicated in seconds. (For example, 12/06/11 10:32:48.)
For certificate verification failures (CVFs) that involve SSL handshakes and revoked certificates, the timestamp indicates when the audit record is posted to the master server rather than when an individual certificate verification fails. A CVF audit record represents a group of CVF events over a time period. The record details provide the start and end times of the time period as well as the total number of CVFs that occurred in that period.
The category of user action that was performed. The CATEGORY displays only with the -fmt DETAIL|PARSABLE options.
Examples include the following:
AUDITSVC START, AUDITSVC STOP
POLICY CREATE, POLICY MODIFY, POLICY DELETE
The action that was performed. The ACTION displays only with the -fmt DETAIL|PARSABLE options.
Examples include the following:
CREATE, MODIFY, DELETE
The reason that the action was performed. A reason displays if a reason was specified in the command that created the change. The bpsetconfig and the nbsetconfig commands accept the -r option.
The reason displays only with the -fmt DETAIL|PARSABLE options.
An account of all of the changes, listing the old values and the new values. Displays only with the -fmt DETAIL|PARSABLE options.
If an exit status appears in the output, look up the code in the NetBackup Administration Console (Troubleshooter), the online Help, or the Status Codes Reference Guide.
Figure: Summary audit report example shows the default contents of an audit report that was run on server1.