Veritas NetBackup™ Appliance Security Guide
- About the NetBackup appliance Security Guide
- User authentication
- About user authentication on the NetBackup appliance
- About configuring user authentication
- About user name and password specifications
- User authorization
- Intrusion prevention and intrusion detection systems
- Log files
- Operating system security
- Data security
- Web security
- Network security
- Call Home security
- About AutoSupport
- About Call Home
- About SNMP
- Remote Management Module (RMM) I security
- STIG and FIPS conformance
- Appendix A. Security release content
About user authentication on the NetBackup appliance
The NetBackup appliance is administered and managed through user accounts. You can create local user accounts, or register users and user groups that belong to a remote directory service. Each user account must authenticate itself with a user name and password to access the appliance. For a local user, the user name and password are managed on the appliance. For a registered remote user, the user name and password are managed by the remote directory service.
In order for a new user account to log on and access the appliance, you must first authorize it with a role. By default, a new user account does not have an assigned role, and therefore it cannot log on until you grant it a role.
Table: NetBackup appliance account types describes the user accounts that are available on the appliance.
Table: NetBackup appliance account types
The admin account is the default Administrator user on the NetBackup appliance. This account provides full appliance access and control for the default Administrator user.
New NetBackup appliances are shipped with the following default logon credentials:
When mounting or mapping shares from an appliance, make note of the following:
The AMSadmin account provides full access to the following appliance interfaces:
For complete details about this account, see the Veritas Appliance Management Guide.
The maintenance account is used by Veritas Support through the NetBackup Appliance Shell Menu (after an administrative log-on). This account is used specifically to perform maintenance activity or to troubleshoot the appliance.
This account is also used to make GRUB changes, and for single user mode boot when the STIG option is enabled.
The nbasecadmin account is used by the Security Administrator user for role-based access control (RBAC) in NetBackup. Starting with appliance release 3.1.2, this user is created automatically when you perform the initial configuration on an appliance master server or when you upgrade an appliance master server.
Once created, this account is assigned the default appliance password. When this user first logs in to the NetBackup Appliance Shell Menu, they are prompted to change the default password for the account.
This user cannot log in to the NetBackup Web UI until the default password is changed.
After the default password has been changed, the nbasecadmin user is allowed the following access and privileges:
By default, the nbasecadmin user has privileges to log in to the NetBackup Web UI and set the user roles for other users and manage all NetBackup security settings. The access rules for the nbasecadmin user can also be changed to allow more privileges. To access the NetBackup Web UI, this user can open a browser window and enter the URL https:<appliance master server host name>/webui.
For more information about RBAC and NetBackup user role management, see the NetBackup Web UI Security Administrator's Guide.
The following describes the accounts that are available only for internal users. These accounts do not allow system access through the NetBackup Appliance Web Console or the NetBackup Appliance Shell Menu.
Table: NetBackup appliance internal account types
The sisips account is an internal user for implementing the SDCS policies.
The root account is a restricted user that is only accessed by Veritas Support to perform maintenance tasks. If you try to access this account, the following message is displayed:
Permission Denied !! Access to the root account requires overriding the Intrusion Security Policy. Please refer to the appliance security guide for overriding instructions.
Although you can override the Intrusion Security Policy (ISP) to gain access to the root account, doing so is not recommended. Overriding this policy puts the system at risk and makes it more vulnerable to an attack.
Supports authentication for access from the master to the media server.
Does not support authentication.
Does not support authentication.