Veritas NetBackup™ Appliance Security Guide
About user name and password specifications
The user name for the NetBackup appliance user account must be in the format that the selected authentication system accepts. Table: User name specifications lists the user name specifications for each user type.
Note:
The Manage > NetBackupCLI > Create command is used to create local users with the NetBackupCLI role. All the local user and password specifications apply to these users.
Table: User name specifications
Description | Administrator (local user) | NetBackupCLI (local user) | Registered remote user |
---|---|---|---|
Maximum length | No restrictions applied | No restrictions applied | Determined by the LDAP, AD, or NIS policy |
Minimum length | 2 characters | 2 characters | Determined by the LDAP, AD, or NIS policy |
Restrictions | User names must not start with: | User names must not start with: | Determined by the LDAP, AD, or NIS policy |
Space inclusion | User names must not include spaces. | User names must not include spaces. | Determined by the LDAP, AD, or NIS policy |
The NetBackup appliance password policy has been updated to increase security on the appliance. The password for the appliance user account must be in the format that the selected authentication system accepts. Table: Password specifications lists the password specifications for each user type.
Table: Password specifications
Description | Administrator (local user) | NetBackupCLI (local user) | Registered remote user |
---|---|---|---|
Maximum length | No restrictions applied | No restrictions applied | Determined by the LDAP, AD, or NIS policy |
Minimum length | Passwords must contain at least eight characters. | Passwords must contain at least eight characters. | Determined by the LDAP, AD, or NIS policy |
Requirements | | | Determined by the LDAP, AD, or NIS policy |
Space inclusion | Passwords must not include spaces. | Passwords must not include spaces. | Determined by the LDAP, AD, or NIS policy |
Minimum password age | 0 day | 0 day Note: You can manage the user password age using the Manage > NetBackupCLI > PasswordExpiry command from the NetBackup Appliance Shell Menu. For more information, refer to the NetBackup Appliance Command Reference Guide. | Determined by the LDAP, AD, or NIS policy |
Maximum password age | 99999 days (doesn't expire) | 99999 days (doesn't expire) | Determined by the LDAP, AD, or NIS policy |
Password history | The last seven passwords cannot be reused and the new password cannot be similar to previous passwords. | The last seven passwords cannot be reused and the new password cannot be similar to previous passwords. | Determined by the LDAP, AD, or NIS policy |
Password expiry | Not applicable as the password does not expire | Use the Manage > NetBackupCLI > PasswordExpiry command to manage NetBackupCLI user passwords. | Determined by the LDAP, AD, or NIS policy |
Password lockout | None | None | Determined by the LDAP, AD, or NIS policy |
Lockout duration | None | None | Determined by the LDAP, AD, or NIS policy |
Note:
To increase the security of your appliance environment, Veritas recommends that you change the default admin and maintenance account passwords upon initial login to the appliance. You can use the page from the NetBackup Appliance Web Console or the Settings > Password command from the NetBackup Appliance Shell Menu to change the password.
Warning:
The NetBackup appliance does not support setting the Maintenance account password using commands like passwd. A password that is set in this fashion is overwritten once the system is upgraded. You should use the NetBackup Appliance Shell Menu to change the Maintenance account password.
The NetBackup appliance uses the following password protection measures:
- Starting with NetBackup appliance software version 2.6.1.1, the SHA-512 hashing algorithm is used for protecting the passwords of all customer-accessible local appliance users (local users, NetBackupCLI users, the Administrator user, and the Maintenance user). Whenever you create a new local appliance user, or change an existing local appliance user password, the password is hashed using SHA-512.
  Note:
  Before 2.6.1.1, the appliance used a variety of default password hashing algorithms that included SHA-512, SHA-256, and Blowfish. When you upgrade to version 2.6.1.1 or later, the existing password hashes are preserved even though the new default is SHA-512. Although the previous algorithms remain functional and secure, Veritas recommends that you eventually change the passwords of all the local appliance users after an upgrade to NetBackup appliance software version 2.6.1.1 or later so that they use the new default.
- The password history is set to 7, meaning that the appliance keeps a protected record of the last seven passwords. If you try to reuse one of them as the new password, the appliance displays a token manipulation error.
- Passwords in transit include the following:
  - An SSH login where the password is protected by the SSH protocol.
  - A NetBackup Appliance Web Console login where the password is protected by HTTPS communication.
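Because an upgrade preserves existing hashes, a system can hold a mix of hash formats until each password is changed. The following added example (not Veritas code) audits shadow(5)-style entries and flags accounts whose hash is not SHA-512. It assumes the appliance stores local hashes with the standard crypt(3) prefixes (`$6$`, `$5$`, `$2a$`/`$2b$`/`$2y$`); the account names and entries are constructed.

```python
# Added example: find local accounts whose password hash predates the SHA-512 default.
# Assumption: hashes are stored in shadow(5) format with standard crypt(3) prefixes.

SCHEMES = {"6": "SHA-512", "5": "SHA-256",
           "2a": "Blowfish", "2b": "Blowfish", "2y": "Blowfish"}

# Constructed sample input; salts and hash bodies are placeholders, not real hashes.
SAMPLE_SHADOW = """\
admin:$6$SALTSALT$placeholderhash:19000:0:99999:7:::
maintenance:$5$SALTSALT$placeholderhash:16000:0:99999:7:::
cliuser1:$2a$10$placeholdersaltandhash:16000:0:90:7:::
lockeduser:!$6$SALTSALT$placeholderhash:19000:0:99999:7:::
daemon:*:15000:0:99999:7:::
broken-line-without-fields
"""


def classify_hash(field):
    """Return (algorithm, locked); algorithm is None when no hash is set."""
    locked = field.startswith("!")
    body = field.lstrip("!")
    parts = body.split("$")
    if not body.startswith("$") or len(parts) < 3:
        return None, locked  # '*', '!!' or empty: account has no usable hash
    return SCHEMES.get(parts[1], "unknown"), locked


def audit_shadow(text):
    """Return one finding per account that carries a password hash."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 5:
            continue  # skip blank or malformed lines
        algorithm, locked = classify_hash(fields[1])
        if algorithm is None:
            continue
        findings.append({
            "user": fields[0],
            "algorithm": algorithm,
            "locked": locked,
            # 99999 is the "doesn't expire" value in the password table
            "expires": fields[4].isdigit() and int(fields[4]) < 99999,
            "needs_change": algorithm != "SHA-512",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_shadow(SAMPLE_SHADOW):
        print(finding)
```

Accounts reported with `needs_change` set are the ones whose passwords should be changed through the NetBackup Appliance Shell Menu so that they are rehashed with the new default.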
For detailed password instructions, refer to the NetBackup Appliance Administrator's Guide.