Veritas NetBackup™ Flex Scale Administrator's Guide
- Product overview
- Viewing information about the NetBackup Flex Scale cluster environment
- NetBackup Flex Scale infrastructure management
- User management
- About Universal Shares
- Node and disk management
- License management
- User management
- NetBackup Flex Scale network management
- Bonding operations
- Data network configurations
- NetBackup Flex Scale infrastructure monitoring
- Resiliency in NetBackup Flex Scale
- EMS server configuration
- Site-based disaster recovery in NetBackup Flex Scale
- Performing disaster recovery using RESTful APIs
- NetBackup Flex Scale security
- Troubleshooting
- Collecting logs for cluster nodes
- Troubleshooting NetBackup Flex Scale issues
- Appendix A. Configuring NetBackup optimized duplication
- Appendix B. Disaster recovery terminologies
- Appendix C. Configuring Auto Image Replication
Enabling STIG for NetBackup Flex Scale
With NetBackup Flex Scale version 3.0, you can enable STIG hardening rules for increased security. These rules are based on the following profile from the Defense Information Systems Agency (DISA):
STIG for Red Hat Enterprise Linux 7 Security Technical Implementation Guide - Version 3, Release 3.
After the STIG option is enabled:
A STIG-compliant password policy is automatically enforced. All current user passwords that were created under the default password policy remain valid. Once a password expires, you must follow the STIG-compliant policy rules when you change the password.
The STIG default login banner is displayed when you log in to the NetBackup Flex Scale UI and the NetBackup Administration Console. View the
window and click to proceed.
Review the following guidelines before enabling STIG:
When you enable STIG, the STIG option is configured for all the nodes in a cluster. The cluster must be configured before you enable the STIG option.
The STIG option does not allow individual rule control.
Before you enable STIG, it is recommended that you complete the following prerequisites. However, not completing the prerequisites does not prevent you from enabling STIG. You can complete these requirements after you enable the STIG option.
Configure at least two NTP servers for the cluster.
Configure at least two DNS servers for the cluster.
Configure an SMTP server to enable notifications.
After the STIG option is enabled, a factory reset is required to disable the associated rules. You cannot disable the option using the UI or the REST APIs.
Veritas recommends that you do not perform any other tasks while the STIG operation is in progress.
If site-based disaster recovery is configured, ensure that both the primary and the secondary clusters have similar STIG configuration. If STIG is enabled for the primary cluster, the STIG option must be enabled for the secondary cluster. Similarly, if STIG is not enabled for the primary cluster, do not enable STIG for the secondary cluster.
To enable the STIG hardening rules, complete the following steps:
- Use any one of the following options to log in using the user account that you created:
Use a user account with both Appliance Administrator and NetBackup Administrator role, or a user account with only an Appliance administrator role to log in to the NetBackup Flex Scale web interface
https://ManagementServerIPorFQDN/webui
where ManagementServerIPorFQDN is the public IP address or the FQDN that you specified for the NetBackup Flex Scale management server during the cluster configuration. In the left pane click Cluster Monitor > Infrastructure, in the upper-right corner click Cluster dashboard, and when prompted click Open cluster dashboard.Use a user account with an Appliance Administrator role to log in to the NetBackup Flex Scale infrastructure management console
https://ManagementServerIPorFQDN:14161
where ManagementServerIPorFQDN is the public IP address or the FQDN that you specified for the NetBackup Flex Scale management server during the cluster configuration.
- In the navigation pane, click Settings.
- Click Security management.
- On the STIG tab, click Enable STIG.
If the prerequisites are not met, you are prompted to resolve the errors. However you can choose to ignore these errors and proceed by clicking Continue. You can complete the prerequisites later after you enable the STIG option. If the requirements are met, review the displayed guidelines and click Enable.
Note:
Do not perform any other tasks until the STIG enable operation is complete.
- To monitor the progress, click View details on the Security page. The ongoing and completed tasks for the operation are also displayed in Recent activity.
After the operation is complete, you can view the STIG status for all the cluster nodes. If STIG is enabled for a node, the status is displayed as Enabled. If the STIG option cannot be enabled for a node, the status is displayed as Not Enabled, and if the node status cannot be retrieved because the node is stopped, shut down, or not reachable, the status is displayed as Unknown.
For nodes that display Unknown status, you can enable the STIG option again or wait for the node to automatically synchronize its status with the cluster after the node is up.
If some of the STIG rules fail or you make any updates to the cluster settings or configuration, you can enforce the STIG rules again on the nodes where the STIG option is already enabled by clicking
.You can use the following API to enable STIG:
PATCH /api/appliance/v1.0/security/stig
You can find the REST APIs at https://ManagementServerIPorFQDN:14161/swagger/infra/v1.0/
where ManagementServerIPorFQDN is the public IP address or FQDN that you specified for the management server and API gateway during the cluster configuration. For more details about the APIs, see the NetBackup Flex Scale APIs on SORT.