Veritas NetBackup™ Appliance Security Guide

Last Published:
Product(s): Appliances (3.1.1)
Platform: 5220,5230,5240,5330,5340
  1. About the NetBackup appliance Security Guide
    1.  
      About the NetBackup appliance Security Guide
  2. User authentication
    1. About user authentication on the NetBackup appliance
      1.  
        User types that can authenticate on the NetBackup appliance
    2. About configuring user authentication
      1.  
        Generic user authentication guidelines
    3.  
      About authenticating LDAP users
    4.  
      About authenticating Active Directory users
    5.  
      About authenticating Kerberos-NIS users
    6.  
      About the appliance login banner
    7. About user name and password specifications
      1.  
        About STIG-compliant password policy rules
  3. User authorization
    1.  
      About user authorization on the NetBackup appliance
    2. About authorizing NetBackup appliance users
      1.  
        NetBackup appliance user role privileges
    3.  
      About the Administrator user role
    4.  
      About the NetBackupCLI user role
  4. Intrusion prevention and intrusion detection systems
    1.  
      About Symantec Data Center Security on the NetBackup appliance
    2.  
      About the NetBackup appliance intrusion prevention system
    3.  
      About the NetBackup appliance intrusion detection system
    4.  
      Reviewing SDCS events on the NetBackup appliance
    5.  
      Running SDCS in unmanaged mode on the NetBackup appliance
    6.  
      Running SDCS in managed mode on the NetBackup appliance
    7.  
      Overriding the NetBackup appliance intrusion prevention system policy
    8.  
      Re-enabling the NetBackup appliance intrusion prevention system policy
  5. Log files
    1.  
      About NetBackup appliance log files
    2.  
      Viewing log files using the Support command
    3.  
      Where to find NetBackup appliance log files using the Browse command
    4.  
      Gathering device logs on a NetBackup appliance
    5.  
      Log Forwarding feature overview
  6. Operating system security
    1.  
      About NetBackup appliance operating system security
    2.  
      Major components of the NetBackup appliance OS
    3.  
      Vulnerability scanning of the NetBackup appliance
  7. Data security
    1.  
      About data security
    2.  
      About data integrity
    3.  
      About data classification
    4. About data encryption
      1.  
        KMS support
  8. Web security
    1.  
      About SSL usage
    2.  
      Implementing third-party SSL certificates
  9. Network security
    1.  
      About IPsec Channel Configuration
    2.  
      About NetBackup appliance ports
  10. Call Home security
    1. About AutoSupport
      1.  
        Data security standards
    2. About Call Home
      1.  
        Configuring Call Home from the NetBackup Appliance Shell Menu
      2.  
        Enabling and disabling Call Home from the appliance shell menu
      3.  
        Configuring a Call Home proxy server from the NetBackup Appliance Shell Menu
      4.  
        Understanding the Call Home workflow
    3. About SNMP
      1.  
        About the Management Information Base (MIB)
  11. Remote Management Module (RMM) I security
    1.  
      Introduction to IPMI configuration
    2.  
      Recommended IPMI settings
    3.  
      RMM ports
    4.  
      Enabling SSH on the Remote Management Module
    5.  
      Replacing the default IPMI SSL certificate
  12. STIG and FIPS conformance
    1.  
      OS STIG hardening for NetBackup appliances
    2.  
      Unenforced STIG hardening rules
    3.  
      FIPS 140-2 conformance for NetBackup appliances
  13. Appendix A. Security release content
    1.  
      NetBackup Appliance security release content

Unenforced STIG hardening rules

This topic describes the Security Technical Implementation Guide (STIG) rules the are not currently enforced on NetBackup appliances. Rules in this list may not be enforced for reasons including, but not limited to the following:

  • Enforcement of the rule is planned for a future appliance software release.

  • An alternate method is used to provide protection that meets or exceeds the method described in the rule.

  • The method described in the rule is not used or supported on NetBackup appliances.

The following describes the STIG rules that are not currently enforced:

  • CCE-26876-3: Ensure that gpgcheck is enabled for all yum package repositories.

    Scanner severity level: High

  • CCE-27209-6: Verify and correct the file permissions for the rpm.

    Scanner severity level: High

  • CCE-27157-7: Verify file hashes with rpm.

    Scanner severity level: High

  • CCE-80127-4: Install McAfee Antivirus

    Scanner severity level: High

  • CCE-26818-5: Install intrusion detection software.

    Scanner severity level: High

  • CCE-27334-2: Ensure SELinux state is enforcing.

    Scanner severity level: High

  • CCE-80226-4: Enable encrypted X11 forwarding.

    Scanner severity level: High

  • CCE-27386-2: Ensure that the default SNMP password is not used.

    Scanner severity level: High

  • CCE-80126-6: Install the Asset Configuration Compliance Module (ACCM).

    Scanner severity level: Medium

  • CCE-80369-2: Install the Policy Auditor (PA) module.

    Scanner severity level: Medium

  • CCE-27277-3: Disable modprobe loading of the USB storage driver.

    Scanner severity level: Medium

  • CCE-27349-0: Set default firewalld zone for incoming packets.

    Scanner severity level: Medium

  • CCE-80170-4: Install libreswan package.

    Scanner severity level: Medium

  • CCE-80223-1: Enable use of privilege separation.

    Scanner severity level: Medium

  • CCE-80347-8: Ensure that gpgcheck is enabled for local packages.

    Scanner severity level: High

  • CCE-80348-6: Ensure that gpgcheck is enabled for repository metadata.

    Scanner severity level: High

  • CCE-80358-5: Install the dracut_fips package.

    Security scanner level: Medium

  • CCE-80359-3: Enable FIPS mode in the GRand Unified Bootloader version 2 (GRUB2).

    Scanner severity level: Medium

  • CCE-27557-8: Set an interactive session timeout to terminate idle sessions.

    Scanner severity level: Medium

  • CCE-80377-5: Configure AIDE to FIPS 140-2 for validating hashes.

    Scanner severity level: Medium

  • CCE-80351-0: Ensure that users re-authenticate for privilege escalation (sudo_NOPASSWD).

    Scanner severity level: Medium

  • CCE-27355-7: Set account expiration following inactivity.

    Scanner severity level: Medium

  • CCE-80207-4: Enable smart card login.

    Scanner severity level: Medium

  • CCE-27370-6: Configure auditd_admin_space_left_action on low disk space.

    Security scanner level: Medium

  • CCE-27295-5: Use only approved ciphers.

    Scanner severity level: Medium

  • CCE-26548-8: Disable kernel support for USB from the bootloader configuration.

    Scanner severity level: Low

  • CCE-27128-8: Encrypt partitions.

    Scanner severity level: High

  • CCE-26895-3: Ensure that software patches are installed.

    Scanner security level: High

  • CCE-27279-9: Configure the SE Linux policy.

    Scanner severity level: High

  • CCE-27399-5: Uninstall the ypserv package.

    Scanner severity level: High

  • CCE-80128-2: Enable service nails.

    Scanner severity level: Medium

  • CCE-80129-0: Update virus scanning definitions.

    Scanner severity level: Medium

  • CCE-27288-0: Make sure that no daemons are unconfined by SE Linux. Make sure that all daemons are confined by SE Linux.

    Scanner severity level: Medium

  • CCE-27326-8: Make sure that no device files are unlabeled by SE Linux./Make sure that all device files are labeled by SE Linux.

    Scanner severity level: Medium

  • CCE-80354-4: Set the UEFI boot loader password.

    Scanner severity level: Medium

  • CCE-80171-2: Verify any configured IPSec tunnel connections.

    Scanner severity level: Medium

  • CCE-26960-5: Disable booting from USB devices in boot firmware.

    Scanner severity level: Low

  • CCE-27194-0: Assign a password to prevent changes to the boot firmware configuration.

    Scanner severity level: Low

See OS STIG hardening for NetBackup appliances.