Veritas NetBackup™ Security and Encryption Guide
- Increasing NetBackup security
- Security deployment models
- Port security
- About NetBackup daemons, ports, and communication
- Additional port information for products that interoperate with NetBackup
- About configuring ports
- Auditing NetBackup operations
- Configuring Enhanced Auditing
- Access control security
- About AD and LDAP domains
- Security management in NetBackup
- About configuring a third-party certificate for the NetBackup web server
- About the Security Management utilities
- About audit events
- About host management
- Adding shared or cluster mappings
- Allowing or disallowing automatic certificate reissue
- About global security settings
- About host name-based certificates
- About host ID-based certificates
- Using the Certificate Management utility to issue and deploy host ID-based certificates
- About NetBackup certificate deployment security levels
- Setting up trust with the master server (Certificate Authority)
- About reissuing host ID-based certificates
- About Token Management for host ID-based certificates
- About the host ID-based certificate revocation list
- About revoking host ID-based certificates
- Security certificate deployment in a clustered NetBackup setup
- About deployment of a host ID-based certificate on a clustered NetBackup host
- Data at rest encryption security
- About NetBackup client encryption
- Configuring standard encryption on clients
- About configuring standard encryption from the server
- Configuring legacy encryption on clients
- About configuring legacy encryption from the client
- About configuring legacy encryption from the server
- Additional legacy key file security for UNIX clients
- Data at rest key management
- About the Key Management Service (KMS)
- Installing KMS
- Configuring KMS
- About key groups and key records
- Overview of key record states
- Configuring NetBackup to work with KMS
- About using KMS for encryption
- KMS database constituents
- Command line interface (CLI) commands
- About exporting and importing keys from the KMS database
- Troubleshooting KMS
- Regenerating keys and certificates
- NetBackup web services account
- Appendix A. NetBackup Access Control Security (NBAC)
- Configuring NetBackup Access Control (NBAC)
- Configuring Access Control host properties for the master and media server
- Access Control host properties dialog for the client
- Troubleshooting Access Management
- Windows verification points
- UNIX verification points
- Verification points in a mixed environment with a UNIX master server
- Verification points in a mixed environment with a Windows master server
- About determining who can access NetBackup
- Configuring user groups
- About defining a user group and users
- Viewing specific user permissions for NetBackup user groups
Viewing the audit report
You can view the actions NetBackup audits in the Security events in the NetBackup web user interface or in the NetBackup Administration Console. You can see full audit event details in the audit report.
To view the audit report, use either the nbauditreport command on a NetBackup master server or view the settings using NetBackup OpsCenter. In OpsCenter, go to Monitor > Audit Trails to see audit log details and export it or save it as a file.
See the Veritas NetBackup OpsCenter Administrator's Guide for more details.
To view the NetBackup audit report
- From a command prompt, locate the nbauditreport command on the master server in the following directory:
- In its simplest form, enter the nbauditreport command using the following syntax:
The nbauditreport can also be used with a number of options.
Use for assistance with the command at the command prompt.
Use to indicate the start date and time of the report data you want to view.
Use to indicate the end date and time of the report data you want to view.
Use -ctgy POLICY to display information pertaining to policy changes.
Use -ctgy JOB to display information pertaining to jobs.
Use -ctgy STU to display information pertaining to storage units.
Use -ctgy STORAGESRV to display information pertaining to storage servers.
Use -ctgy POOL to display information pertaining to storage pools.
Use -ctgy AUDITCFG to display information pertaining to audit configuration changes.
Use -ctgy BPCONF to display information pertaining to changes in the bp.conf file.
Use -ctgy CERT to display information pertaining to changes in certificate deployment.
Use -ctgy LOGIN to display information that is related to NetBackup Administration Console and NetBackup API login attempts.
Use -ctgy TOKEN to display information that is related to authorization tokens.
Use -ctgy SEC_CONFIG to display information that is related to changes made to the security configuration settings.
Use -ctgy HOLD to display information that is related to creating, modifying, and deleting hold operations.
Use -ctgy AZFAILURE to display information that is related to authorization failure when Enhanced Auditing is enabled.
Use -ctgy CATALOG to display information that is related to verifying and expiring images; and read requests sent for the front-end usage data.
Use -ctgy HOST to display NetBackup host database related operations.
Use -ctgy CONNECTION to display information about the host connections that were dropped.
Use -ctgy USER to display information pertaining to addition and deletion of users in the Enhanced Auditing mode.
Use -ctgy DATAACCESS to display information that is related to restore and browse image content audit records.
Use -ctgy SLP to display information that is related to creating, modifying, or deleting storage lifecycle policies (SLPs).
Activating and suspending an SLP using the nbstlutil command are not audited. These operations are audited only when they are initiated from a NetBackup graphical user interface or API.
Use -ctgy ASSET to display information that is related to deleting an asset, such as a vCenter server or a virtual machine, as part of the POST /asset-cleanup process in the Asset Database API.
Use -ctgy ASSETGROUP to display information that is related to creating, modifying, or deleting an asset group as well any action on an asset group for which a user is not authorized.
Use to indicate the name of the user for whom you'd like to display audit information.
If no report output format option (-fmt) is specified, the SUMMARY option is used by default.
The -fmt DETAIL option displays a comprehensive list of audit information. For example, when a policy is changed, this view lists the name of the attribute, the old value, and the new value.
The -fmt PARSABLE option displays the same set of information as the DETAIL report but in a parsable format. The report uses the pipe character (|) as the parsing token between the audit report data.
Use the -notruncate option to display the old and new values of a changed attribute on separate lines in the details section of the report.
-notruncate is valid only with the -fmt DETAIL option.
Use the -pagewidth option to set the page width for the details section of the report.
-pagewidth is valid only with the -fmt DETAIL option.
The -order option is valid only with -fmt PARSABLE. Use it to indicate the order in which the information appears.
Use the following parameters:
- The audit report contains the following details:
The details of the action that was performed. The details include the new values that are given to a modified object and the new values of all attributes for a newly created object. The details also include the identification of any deleted objects.
The identity of the user who performed the action. The identity includes the user name and the domain of the authenticated user.
The time that the action was performed. The time is given in Coordinated Universal Time (UTC) and indicated in seconds. (For example, 12/06/11 10:32:48.)
For certificate verification failures (CVFs) that involve SSL handshakes and revoked certificates, the timestamp indicates when the audit record is posted to the master server rather than when an individual certificate verification fails. A CVF audit record represents a group of CVF events over a time period. The record details provide the start and end times of the time period as well as the total number of CVFs that occurred in that period.
The category of user action that was performed. The CATEGORY displays only with the -fmt DETAIL|PARSABLE options.
Examples include the following:
AUDITSVC START, AUDITSVC STOP
POLICY CREATE, POLICY MODIFY, POLICY DELETE
The action that was performed. The ACTION displays only with the -fmt DETAIL|PARSABLE options.
Examples include the following:
CREATE, MODIFY, DELETE
The reason that the action was performed. A reason displays if a reason was specified in the command that created the change. The bpsetconfig and the nbsetconfig commands accept the -r option.
The reason displays only with the -fmt DETAIL|PARSABLE options.
An account of all of the changes, listing the old values and the new values. Displays only with the -fmt DETAIL|PARSABLE options.
If an exit status appears in the output, look up the code in the NetBackup Administration Console (Troubleshooter) or the Status Codes Reference Guide.
Example of the audit report:
[root@server1 admincmd]# ./nbauditreport TIMESTAMP USER DESCRIPTION 04/20/2018 11:52:43 root@server1 Policy 'test_pol_1' was saved but no changes were detected 04/20/2018 11:52:42 root@server1 Schedule 'full' was added to Policy 'test_pol_1' 04/20/2018 11:52:41 root@server1 Policy 'test_pol_1' was saved but no changes were detected 04/20/2018 11:52:08 root@server1 Policy 'test_pol_1' was created 04/20/2018 11:17:00 root@server1 Audit setting(s) of master server 'server1' were modified Audit records fetched: 5