Veritas NetBackup™ Appliance Security Guide

Last Published:
Product(s): Appliances (4.0)
Platform: NetBackup Appliance OS

Unenforced STIG hardening rules

This topic describes the Security Technical Implementation Guide (STIG) rules that are not currently enforced on the NetBackup appliance. A rule in this list may not be enforced for reasons including, but not limited to, the following:

  • Enforcement of the rule is planned for a future appliance software release.

  • An alternate method is used to provide protection that meets or exceeds the method described in the rule.

  • The method described in the rule is not used or supported on NetBackup appliance.

The following STIG rules are not currently enforced:

  • CCE-26876-3: Ensure that gpgcheck is enabled for all yum package repositories.

    Scanner severity level: High

  • CCE-27209-6: Verify and correct the file permissions for the rpm.

    Scanner severity level: High

  • CCE-27157-7: Verify file hashes with rpm.

    Scanner severity level: High

  • CCE-26818-5: Install intrusion detection software.

    Scanner severity level: High

  • CCE-80447-6: Configure the Firewalld Ports.

    Scanner severity level: Medium

  • CCE-80126-6: Install the Asset Configuration Compliance Module (ACCM).

    Scanner severity level: Medium

  • CCE-80369-2: Install the Policy Auditor (PA) module.

    Scanner severity level: Medium

  • CCE-27277-3: Disable modprobe loading of the USB storage driver.

    Scanner severity level: Medium

  • CCE-27349-0: Set default firewalld zone for incoming packets.

    Scanner severity level: Medium

  • CCE-80170-4: Install libreswan package.

    Scanner severity level: Medium

  • CCE-80223-1: Enable use of privilege separation.

    Scanner severity level: Medium

  • CCE-80347-8: Ensure that gpgcheck is enabled for local packages.

    Scanner severity level: High

  • CCE-80348-6: Ensure that gpgcheck is enabled for repository metadata.

    Scanner severity level: High

  • CCE-80358-5: Install the dracut_fips package.

    Scanner severity level: Medium

  • CCE-80359-3: Enable FIPS mode in the GRand Unified Bootloader version 2 (GRUB2).

    Scanner severity level: Medium

  • CCE-27557-8: Set an interactive session timeout to terminate idle sessions.

    Scanner severity level: Medium

  • CCE-80377-5: Configure AIDE to FIPS 140-2 for validating hashes.

    Scanner severity level: Medium

  • CCE-80351-0: Ensure that users re-authenticate for privilege escalation (sudo_NOPASSWD).

    Scanner severity level: Medium

  • CCE-27355-7: Set account expiration following inactivity.

    Scanner severity level: Medium

  • CCE-80207-4: Enable smart card login.

    Scanner severity level: Medium

  • CCE-27370-6: Configure auditd_admin_space_left_action on low disk space.

    Scanner severity level: Medium

  • CCE-27295-5: Use only approved ciphers.

    Scanner severity level: Medium

  • CCE-26548-8: Disable kernel support for USB from the bootloader configuration.

    Scanner severity level: Low

  • CCE-27128-8: Encrypt partitions.

    Scanner severity level: High

  • CCE-26895-3: Ensure that software patches are installed.

    Scanner severity level: High

  • CCE-27279-9: Configure the SELinux policy.

    Scanner severity level: High

  • CCE-27399-5: Uninstall the ypserv package.

    Scanner severity level: High

  • CCE-80128-2: Enable service nails.

    Scanner severity level: Medium

  • CCE-80129-0: Update virus scanning definitions.

    Scanner severity level: Medium

  • CCE-27288-0: Make sure that no daemons are unconfined by SELinux; that is, all daemons are confined by SELinux.

    Scanner severity level: Medium

  • CCE-27326-8: Make sure that no device files are unlabeled by SELinux; that is, all device files are labeled by SELinux.

    Scanner severity level: Medium

  • CCE-80354-4: Set the UEFI boot loader password.

    Scanner severity level: Medium

  • CCE-80171-2: Verify any configured IPSec tunnel connections.

    Scanner severity level: Medium

  • CCE-26960-5: Disable booting from USB devices in boot firmware.

    Scanner severity level: Low

  • CCE-27194-0: Assign a password to prevent changes to the boot firmware configuration.

    Scanner severity level: Low

  • CCE-80516-8: Configure the SSSD LDAP backend client CA certificate.

    Scanner severity level: Medium

  • CCE-80519-2: Install smart card packages for multi-factor authentication.

    Scanner severity level: Medium

  • CCE-80520-0: Configure certificate status checking for smart cards.

    Scanner severity level: Medium

  • CCE-80526-7: User initialization files must be group-owned by the primary user.

    Scanner severity level: Medium

  • CCE-80523-4: User initialization files must not run world-writable programs.

    Scanner severity level: Medium

  • CCE-80527-5: User initialization files must be owned by the primary user.

    Scanner severity level: Medium

  • CCE-80524-2: Ensure that the user's path contains only local directories.

    Scanner severity level: Medium

  • CCE-80528-3: All interactive users must have a defined home directory.

    Scanner severity level: Medium

  • CCE-80529-1: All interactive users' home directories must exist.

    Scanner severity level: Medium

  • CCE-80534-1: All user files and directories in the home directory must be group-owned by the primary user.

    Scanner severity level: Medium

  • CCE-80533-3: All user files and directories in the home directory must be owned by the primary user.

    Scanner severity level: Medium

  • CCE-80535-8: All user files and directories in the home directory must have permissions set to mode 0750 or less.

    Scanner severity level: Medium

  • CCE-80532-5: All interactive user home directories must be group-owned by the primary user.

    Scanner severity level: Medium

  • CCE-80531-7: All interactive user home directories must be owned by the primary user.

    Scanner severity level: Medium

  • CCE-80525-9: Ensure that all user initialization files have permissions set to mode 0740 or less.

    Scanner severity level: Medium

  • CCE-80530-9: All interactive user home directories must have permissions set to mode 0750 or less.

    Scanner severity level: Medium

  • CCE-80383-3: Record attempts to alter logon and logout events (faillock).

    Scanner severity level: Medium

  • CCE-80381-7: Shut down the system when auditing failures occur.

    Scanner severity level: Medium

  • CCE-80439-3: Configure the time service maxpoll interval.

    Scanner severity level: Low

  • CCE-80541-6: Configure audispd plugin to send logs to remote server.

    Scanner severity level: Medium

  • CCE-80539-0: Configure the disk_full_action option in the audispd plugin.

    Scanner severity level: Medium

  • CCE-80540-8: Encrypt audit records sent with the audispd plugin.

    Scanner severity level: Medium

  • CCE-80538-2: Configure the network_failure_action option in the audispd plugin.

    Scanner severity level: Medium

  • CCE-80542-4: Configure firewalld to rate limit connections.

    Scanner severity level: Medium

  • CCE-81153-9: Add the nosuid option to /home.

    Scanner severity level: Low

  • CCE-80543-2: Map system users to the appropriate SELinux role.

    Scanner severity level: Medium

  • CCE-80545-7: Verify and correct ownership of an rpm.

    Scanner severity level: High

  • CCE-80512-7: Prevent unrestricted mail relaying.

    Scanner severity level: Medium

  • CCE-26884-7: Set the lockout time for failed password attempts.

    Scanner severity level: Medium

See OS STIG hardening for NetBackup appliance.