Veritas NetBackup™ Security and Encryption Guide
- Increasing NetBackup security
- Security deployment models
- Port security
- About NetBackup daemons, ports, and communication
- Additional port information for products that interoperate with NetBackup
- About configuring ports
- Auditing NetBackup operations
- Configuring Enhanced Auditing
- Access control security
- NetBackup Access Control Security (NBAC)
- Configuring NetBackup Access Control (NBAC)
- Configuring Access Control host properties for the master and media server
- Access Control host properties dialog for the client
- Troubleshooting Access Management
- Windows verification points
- UNIX verification points
- Verification points in a mixed environment with a UNIX master server
- Verification points in a mixed environment with a Windows master server
- About determining who can access NetBackup
- Configuring user groups
- About defining a user group and users
- Viewing specific user permissions for NetBackup user groups
- Security management in NetBackup
- About the Security Management utilities
- About audit events
- About host management
- Adding shared or cluster mappings
- About global security settings
- About host name-based certificates
- About host ID-based certificates
- Using the Certificate Management utility to issue and deploy host ID-based certificates
- About certificate deployment security levels
- Setting up trust with the master server (Certificate Authority)
- About reissuing host ID-based certificates
- About Token Management for host ID-based certificates
- About the host ID-based certificate revocation list
- About revoking host ID-based certificates
- Security certificate deployment in a clustered NetBackup setup
- About deployment of a host ID-based certificate on a clustered NetBackup host
- Data at rest encryption security
- About NetBackup client encryption
- Configuring standard encryption on clients
- About configuring standard encryption from the server
- Configuring legacy encryption on clients
- About configuring legacy encryption from the client
- About configuring legacy encryption from the server
- Additional legacy key file security for UNIX clients
- Data at rest key management
- About the Key Management Service (KMS)
- Installing KMS
- Configuring KMS
- About key groups and key records
- Overview of key record states
- Configuring NetBackup to work with KMS
- About using KMS for encryption
- KMS database constituents
- Command line interface (CLI) commands
- About exporting and importing keys from the KMS database
- Troubleshooting KMS
- Regenerating keys and certificates
- NetBackup web services account
Viewing the audit report
To view the audit report, use either the nbauditreport command on a NetBackup master server or view the settings using NetBackup OpsCenter.
Within OpsCenter, the Monitor > Audit Trails section provides the details of the Audit logs and lets you export that information to Excel or save as a .pdf file.
See the Veritas NetBackup OpsCenter Administrator's Guide for more details.
If auditing is enabled but a user action fails to create an audit record, the audit failure is captured in the nbaudit log.
The Alert Notification button in the NetBackup Administration Console can notify administrators when an audit failure occurs.
See Audit alert notification for audit failures.
The failure to create an audit record has no effect on the user action that was performed.
If the user action succeeds, an exit code is returned that reflects the successful action. If auditing of the action fails, NetBackup status code 108 is returned (Action succeeded but auditing failed).
The NetBackup Administration Console (Windows and UNIX (jnbSA)) does not return an exit status code 108 when auditing fails.
To view the NetBackup audit report
- From a command prompt, locate the nbauditreport command on the master server in the following directory:
- In its simplest form, enter the nbauditreport command using the following syntax:
The nbauditreport can also be used with a number of options.
- The audit report contains the following details:
The details of the action that was performed. The details include the new values that are given to a modified object and the new values of all attributes for a newly created object. The details also include the identification of any deleted objects.
The identity of the user who performed the action. The identity includes the user name, the domain, and the domain type of the authenticated user.
The time that the action was performed. The time is given in Coordinated Universal Time (UTC) and indicated in seconds. (For example, 12/06/11 10:32:48.)
For certificate verification failures (CVFs) that involve SSL handshakes and revoked certificates, the timestamp indicates when the audit record is posted to the master server rather than when an individual certificate verification fails. A CVF audit record represents a group of CVF events over a time period. The record details provide the start and end times of the time period as well as the total number of CVFs that occurred in that period.
The category of user action that was performed. The CATEGORY displays only with the -fmt DETAIL|PARSABLE options.
Examples include the following:
AUDITSVC START, AUDITSVC STOP
POLICY CREATE, POLICY MODIFY, POLICY DELETE
The action that was performed. The ACTION displays only with the -fmt DETAIL|PARSABLE options.
Examples include the following:
CREATE, MODIFY, DELETE
The reason that the action was performed. A reason displays if a reason was specified in the command that created the change. The bpsetconfig and the nbsetconfig commands accept the -r option.
See Using the command line -reason or -r option.
The reason displays only with the -fmt DETAIL|PARSABLE options.
An account of all of the changes, listing the old values and the new values. Displays only with the -fmt DETAIL|PARSABLE options.
If an exit status appears in the output, look up the code in the NetBackup Administration Console (Troubleshooter), the online Help, or the Status Codes Reference Guide.
Figure: Summary audit report example shows the default contents of an audit report that was run on server1.