Veritas NetBackup™ Appliance Security Guide
- About the NetBackup appliance Security Guide
- User authentication
- About user authentication on the NetBackup appliance
- About configuring user authentication
- About user name and password specifications
- User authorization
- Intrusion prevention and intrusion detection systems
- Log files
- Operating system security
- Data security
- Web security
- Network security
- Call Home security
- About AutoSupport
- About Call Home
- About SNMP
- Remote Management Module (RMM) I security
- STIG and FIPS conformance
- Appendix A. Security release content
About user authorization on the NetBackup appliance
The NetBackup appliance is administered and managed through user accounts. You can create local user accounts, or register users and user groups that belong to a remote directory service. In order for a new user account to log on and access the appliance, you must first authorize it with a role. By default, a new user account does not have an assigned role, and therefore it cannot log on until you grant it a role.
Table: NetBackup appliance user roles
A user account that is assigned the Administrator role is provided administrative privileges to manage the NetBackup appliance. An Administrator user is allowed to log on, view, and perform all functions on the NetBackup Appliance Web Console and the NetBackup Appliance Shell Menu. These user accounts have permissions to log on to the appliance and run NetBackup commands with superuser privileges.
A user account that is assigned the NetBackupCLI role is solely restricted to run a limited set of NetBackup CLI commands and does not have access outside the scope of NetBackup software directories. Once these users log on to the appliance, they are taken to a restricted shell menu from where they can manage NetBackup. The NetBackupCLI users do not have access to the NetBackup Appliance Web Console and the NetBackup Appliance Shell Menu.
A user account that is assigned the AMSadmin role is provided administrative privileges to access the Appliance Manager that is hosted on the AMS. An AMSadmin user is allowed to perform all the functions on the Appliance Manager and centrally manage multiple appliances. The AMSadmin user cannot log on the NetBackup Appliance Shell Menu for AMS. An Administrator can create AMSadmin users.
The following list describes some of the characteristics of NetBackup appliance authorization:
Ability to prevent unintended access to the appliance by password protecting logins.
Access to shared data is provided only to authorized appliance users and NetBackup processes.
Data that is stored within an appliance cannot inherently protect itself from unintended modification or deletion by a malicious user that knows the admin credentials to the appliance.
Network access to the NetBackup Appliance Shell Menu is only allowed through SSH, and the NetBackup Appliance Web Console over HTTPS. You can also directly connect a monitor and keyboard to the appliance and log on using administrative credentials.
rloginare disabled on all appliances.
Starting with software version 3.1, the NetBackup appliance limits login attempts and enforces lockout policies only when the STIG feature is enabled. For more information, refer to the following topic: See About STIG-compliant password policy rules.
Starting with NetBackup Appliance release 3.1.2, the
Telnet packaged has been removed from VxOS to comply with the STIG feature when it is enabled on NetBackup appliances. The
Telnet protocol is not secure or encrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The
ssh package provides an encrypted session and stronger security, and is included in VxOS.