Veritas NetBackup™ Appliance Security Guide
Reviewing SDCS events on the NetBackup appliance
You can use the page to view the Symantec Data Center Security (SDCS) logs. These audit logs can help in detecting security breaches and abnormal activity on the appliance. An event in the audit log includes the following details:
- When - The timestamp of the logged event.
- Who - The user who was logged on when the event took place.
- What - The description of the event and the resource involved.
- How - The Process Name, Process ID, Operation Permissions, and Sandbox Details.
- Severity - The severity of the event.
- Enforcement Action - Whether the event was allowed or denied.
The SDCS events are retrieved and represented using the severity types that are described in Table: SDCS event severity types.
Table: SDCS event severity types
Info
Events with a severity of Info contain information about normal system operation. For example, the following message provides the basic information relating to a generic event:
general CLISH message Event source: SYSLOG PID: 30315 Complete message: May 21 06:58:55 nb-appliance CLISH: User admin executed Return
Notice
Events with a severity of Notice contain information about normal system operation. An event that helps confirm the successful execution of an event is recorded as a Notice. For example, the following message helps the user to understand that the event has been successfully executed:
successful SUDO to root Event source: SYSLOG [sudo facility] Command: /bin/su From Username: AppComm To Username: root Port: unknown
Warning
Events with a severity of Warning indicate unexpected activity or problems that have already been handled by SDCS. These Warning messages might indicate that a service or application on a target computer is functioning improperly with the applied policy. After investigating the policy violations, you can configure the policy and allow the service or application to access the specific resources if necessary. For example, the following event helps to identify an unexpected activity, such as an inbound connection from a local IP address:
Inbound connection allowed from <IPaddress> to local address.
Major
Events with a severity of Major imply a more serious effect than Warning and a less serious effect than Critical. For example, the following event helps to identify unauthorized access:
General luser message Event source:SYSLOG Complete message: Feb 5 21:57 luser Unauthorized user by luser Denying access to system.
Critical
Events with a severity of Critical indicate activity or problems that might require administrator intervention to correct. For example, the following event can help to identify critical events that can affect the appliance in an unexpected manner:
Group Membership for "group1" CHANGED from 'admin1' to 'admin2'
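As an added example (not code from the Veritas guide), the following Python helper parses the sample SDCS messages from the table above into their "Label: value" fields and selects the Major and Critical events for administrator review. The field labels and sample messages are taken from this page; the severity ordering and the review rule (Major and above) are assumptions based on the table's descriptions.

```python
import re
from dataclasses import dataclass

# Severity levels as listed in the SDCS severity table, lowest to highest (assumed order).
SEVERITY_ORDER = ["Info", "Notice", "Warning", "Major", "Critical"]

# Field labels that appear in the SDCS event messages on this page. Each label is
# followed by a colon and its value; the next label starts the next field.
FIELD_LABELS = ["Event source", "PID", "Complete message", "Command",
                "From Username", "To Username", "Port"]
_FIELD_RE = re.compile(r"(%s):\s*" % "|".join(re.escape(f) for f in FIELD_LABELS))

@dataclass
class SdcsEvent:
    severity: str
    summary: str   # text before the first "Label:" field, e.g. "successful SUDO to root"
    fields: dict   # label -> value

def parse_event(severity: str, text: str) -> SdcsEvent:
    """Split an SDCS message into its summary and its 'Label: value' fields."""
    parts = _FIELD_RE.split(text)   # [summary, label, value, label, value, ...]
    summary = parts[0].strip()
    fields = {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}
    return SdcsEvent(severity, summary, fields)

def needs_attention(event: SdcsEvent) -> bool:
    """Major and Critical events may require administrator intervention (assumed rule)."""
    return SEVERITY_ORDER.index(event.severity) >= SEVERITY_ORDER.index("Major")

# Constructed sample input: the example messages from the severity table on this page.
SAMPLE_EVENTS = [
    ("Info", "general CLISH message Event source: SYSLOG PID: 30315 Complete message: May 21 06:58:55 nb-appliance CLISH: User admin executed Return"),
    ("Notice", "successful SUDO to root Event source: SYSLOG [sudo facility] Command: /bin/su From Username: AppComm To Username: root Port: unknown"),
    ("Warning", "Inbound connection allowed from <IPaddress> to local address."),
    ("Major", "General luser message Event source:SYSLOG Complete message: Feb 5 21:57 luser Unauthorized user by luser Denying access to system."),
    ("Critical", "Group Membership for \"group1\" CHANGED from 'admin1' to 'admin2'"),
]

def triage(samples=SAMPLE_EVENTS):
    """Parse every sample and return only the events that warrant administrator review."""
    return [e for e in (parse_event(s, t) for s, t in samples) if needs_attention(e)]

if __name__ == "__main__":
    for event in triage():
        print(event.severity, "|", event.summary, "|", event.fields)
```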
For more information about retrieving SDCS audit logs, refer to the NetBackup Appliance Administrator's Guide.
For information about the appliance operating system logs, such as syslogs and other appliance logs, see About NetBackup appliance log files.