kkhoo
Level 5
7 years ago

Protect backup image from manual delete from nbu and catalog

Hi,

Need your expert advice. In our office, almost everyone in the team has FULL access in NBU. My concern is if someone wrongly deletes a backup image (under Catalog). Is there a way to prevent this? How to monitor who did what in NBU? Please advise, thanks.

  • With creating admin dir, I don't need to enable auditing, right?

    Yes, no need to enable enhanced auditing.

    According to our Veritas consultant, enabling audit trail requires big disk space and NBU audit affects system performance?

    Space consumption will not increase drastically (you may not even notice it) as audit information is stored in NBDB tables and not in flat files. There is no impact on system performance as only user activity is audited and not the background processes. There will be no performance impact on backup, restore and other jobs; however, users (NetBackup admins) may complain of slow response in the NetBackup administration console.

    I have seen login issues, other user specific issues and some other problems with Enhanced Auditing. I cannot comment if you may or may not face those issues in your environment. Looking at your requirement I would suggest it's worth a try; if you don't like it you can always disable it. It is not scary like NBAC, which can potentially break your environment.

    To disable Enhanced Auditing, run "bpnbaz -DisableExAudit" command.

    https://www.veritas.com/support/en_US/doc/21733320-127424841-0/v109984188-127424841

    Enabling Enhanced Auditing.

    https://www.veritas.com/content/support/en_US/doc/21733320-127424841-0/v106286614-127424841

     

  • Currently there is no such feature in NetBackup to track/block image expiration for a user. When a backup image is expired from the NetBackup console (catalog) it executes the "bpexpdate" command in the backend; this command gets logged in the "<install_path>\netbackup\logs\admin" logs. You can enable this log and create a script to check for "bpexpdate".

    NetBackup does monitor other user activity (mainly related to policies and SLP); you can use the "nbauditreport" command to track them.

    https://www.veritas.com/support/en_US/doc/15263389-127350397-0/v38711607-127350397

     

     

    • kkhoo
      Level 5

      hi,

      thanks for your reply. is admin a directory or file?

      please advise, thanks.

       

      • Anshu_Pathak
        Level 5

        It's a directory. It uses legacy logging method, so if folder is not present you have to create it.

        C:\Program Files\Veritas\NetBackup\logs\admin>dir
        Directory of C:\Program Files\Veritas\NetBackup\logs\admin
        07/27/2018 08:03 AM 1,779,887 ALL_ADMINS.072718_00001.log
        07/29/2018 11:51 PM 761,479 ALL_ADMINS.072918_00001.log
        07/30/2018 10:50 PM 1,549,178 ALL_ADMINS.073018_00001.log

        # cd /usr/openv/netbackup/logs/admin
        # ls -al
        -rw-r--r-- 1 root root 0 Jul 30 23:02 root.073018_00001.log
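
A sketch of the "script to check for bpexpdate" suggested above, added here as an example and not part of the original thread or any Veritas tooling. It assumes the `<user>.<MMDDYY>_<seq>.log` file naming seen in the listings above; the function names and the sample log lines are constructed for illustration, and only the substring "bpexpdate" is relied on, not a particular line layout.

```python
import re
import tempfile
from datetime import datetime
from pathlib import Path

# File names follow the listings in the thread: <user>.<MMDDYY>_<seq>.log
NAME_RE = re.compile(r"^(?P<user>.+)\.(?P<date>\d{6})_(?P<seq>\d+)\.log$")

def scan_admin_logs(log_dir, needle="bpexpdate"):
    """Return one record per admin-log line that mentions `needle`."""
    hits = []
    for path in sorted(Path(log_dir).glob("*.log")):
        m = NAME_RE.match(path.name)
        if not m:
            continue  # not named like a legacy admin log, skip it
        day = datetime.strptime(m["date"], "%m%d%y").date()
        # errors="replace": a log may contain bytes that are not valid UTF-8
        with path.open(encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if needle in line:
                    hits.append({"log_owner": m["user"],
                                 "date": day.isoformat(),
                                 "file": path.name,
                                 "line": lineno,
                                 "text": line.strip()})
    return hits

def demo():
    """Scan constructed sample logs (not real NetBackup output)."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "root.073018_00001.log").write_text(
            "23:02:11.101 [4242] <2> bpexpdate: constructed sample line\n"
            "23:02:12.500 [4243] <2> bpimagelist: constructed sample line\n")
        Path(d, "ALL_ADMINS.072918_00001.log").write_text(
            "23:51:40.007 [977.12] <2> bppllist: constructed sample line\n")
        # Wrong name pattern: ignored even though it mentions bpexpdate
        Path(d, "notes.txt").write_text("bpexpdate mentioned elsewhere\n")
        return scan_admin_logs(d)

if __name__ == "__main__":
    for h in demo():
        print(f'{h["date"]} {h["log_owner"]} '
              f'{h["file"]}:{h["line"]} {h["text"]}')
```

Point `scan_admin_logs` at the real admin log directory and run it on a schedule; copying the hits to a host the NetBackup admins cannot write to keeps the record from being edited along with the logs.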

  • Problem with NBAC is you will get all or nothing permission. So user will not be able to expire any image or can expire all images. Another issue is it does not update NetBackup audit table, so you will not be able to find who expired what. Another good to know thing about NBAC is, soon it will be obsolete.

    Closest solution would be to enable "Enhanced Auditing". Please note NBAC and Enhanced Auditing are mutually exclusive features.

    With Enhanced Auditing you would be able to track who expired images.

    https://www.veritas.com/support/en_US/doc/21733320-127424841-0/v101261421-127424841

    Catalogs

    bpexpdate, bpcatlist, bpimmedia, bpimagelist, bpverify, and nbdeployutil