
NetBackup Client Linux Installation failing Security of Linux Server

Alanzkorner
Level 3

Hi,

We are starting to implement NetBackup client installation on Linux servers. But it was found that after installation of NetBackup Linux Client 7.0 on the Red Hat servers, the NetBackup server admin, from the NetBackup 7.x admin interface, can simply traverse any folder on the Linux server. Before, we used to share a folder as a Samba share from the Linux server and give that path to the backup team to be backed up using another software. But this setup is not possible with NetBackup as it needs client installation. I feel this is a serious security concern, as a compromise, if it happens on the NetBackup server, can adversely affect all Linux clients having the NetBackup client installed. Does Symantec already have a solution to have only selected folders be available to the NetBackup server admin? Or to have the NetBackup Linux client installation run as a specific user other than root, etc.?

Regards,

Alan J

20 REPLIES

revarooo
Level 6
Employee

Alan,

NetBackup is supposed to have access to all the files on the client and that is why it is run with root privileges, otherwise it cannot back up what it needs to. I'm sure you could probably run it as a different user if necessary, but then it will only be able to back up files owned by that user (depending on other users' file permissions).

How would you back up system files if it was running with restricted privileges?

Alanzkorner
Level 3

Hi Revaro, 

I tried to install the NetBackup client as a server user. Even if that was possible I would have been happy, because I can keep all the files to be backed up in that user's home directory. And I could be relieved that security of the server is not compromised. I tried to install it as a server user but it fails saying it needs to be run as root.

Consider the old method, Samba. In Samba I can share a folder, assign it a user name and password, and mount it on a backup server as a local disk. This user will have access to only the folder shared over Samba. I doubt there might be a method by which we can implement this in the NetBackup Linux client as well, hopefully.

Regards,

Alan

revarooo
Level 6
Employee

Yes NetBackup client HAS to be installed as root. It has to update system files such as /etc/services etc.

Why do you think NetBackup compromises your security? This is software provided by a software and security company!

Alanzkorner
Level 3

Hi Revaroo,

I am not saying NetBackup is compromising security. But being a company which is concerned about security, Symantec should have considered the fact that it is making an entire Linux server open and is making passwordless and limitless access to every file on the Linux server, including system binaries and authentication files in /etc. I am supposed to answer and reveal the backup process to security auditors; already we have raised this as a security concern to the backup team, because they are planning to implement the NB backup on other Linux servers as well. Either there should be some method to restrict the files which are visible and editable to the NetBackup server admin. Because I do not have any restriction for the backup team. Can you ask the NB Linux client developers if there is any way to restrict the access? Or could you guide me how I can get a solution for this concern.

Regards,

Alan

revarooo
Level 6
Employee

You could use the same argument about Anti-virus software that has access to all files on a Windows server.

NetBackup needs access to all files, otherwise it can't do its job as it was intended.

You can limit what specific users can do. For example you can configure it so a specific user can only restore and not run backups. NetBackup will still run as root.

Alanzkorner
Level 3

Hi Revaro,

We should not compare Windows with Linux. Linux is far more stable and secure than Windows. If it is not possible to limit the NetBackup client to specific folders (NetBackup is just a backup client, not an antivirus, to run as root; Samba or scp or rsync initiated from the Linux server as a system user could do backup more securely to a remote Linux machine or Windows machine). If this feature is still not present in any current versions of the NetBackup Linux client, please raise it as a concern to the development team or people who are designing the backup client for Linux, as a wishlist for any future releases.

Regards,

Alan

revarooo
Level 6
Employee

Alex,

You can configure your policies to only back up specific directories, for example /home or /home/joebloggs, and that's all it will touch. You can also use EXCLUDE_LIST files, so if you back up / and cross mount points is selected you can specify to exclude /etc /dev /tmp /home for example.

Is this what you are looking for?

Alanzkorner
Level 3

Hi Revaro,

Guess that policy needs to be set by the NetBackup server admin from his interface. Or can I create the exclude list file on the client (Linux server)? If so, could you give me a link where I can refer to how to do that?

Regards,

Alan

revarooo
Level 6
Employee

Alan,

The policy is set on the Master (it can be created from a Java or Admin console installed on a remote PC controlled by a login with authorised privileges).

The exclude list can be set via the GUI or on a Linux/Unix machine by creating a /usr/openv/netbackup/exclude_list on the client. Normally you would need root permissions to do this.

Here is a technote on exclude lists:

http://www.symantec.com/business/support/index?page=content&id=TECH30603

Alanzkorner
Level 3

Hi Revaro,

Does this exclude_list make it possible for me to restrict the NetBackup server admin, to hide the files mentioned in the exclude list while he browses through my Linux server files, or does it help only to exclude backup of files matching the pattern or folders mentioned in the exclude list for a scheduled job?

Regards,

Alan

revarooo
Level 6
Employee

Alan,

From the NetBackup console, you cannot browse through the files on a Linux server.

You have to manually enter the directories you wish to back up.

If I have /etc in my exclude_list on the client, but the NetBackup admin adds /etc into the file selection in the policy, he won't see the files in there. When a backup runs for this, /etc/ will be excluded from the backup because of what is in the exclude_list file on the client.
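
An added example, not part of the original thread and not NetBackup's own tooling: because the client-side exclude_list described above overrides what the policy selects, it is worth checking on the client that the file is root-owned, not group/world-writable, and actually covers the directories that should stay out of backups. The function name, the `EXPECTED_UID` variable and the literal-path matching (wildcard entries are skipped, not interpreted) are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: audit a client-side NetBackup exclude list.
# Assumptions: one entry per line; only literal absolute paths are evaluated,
# entries containing wildcards (* ? [) are skipped rather than interpreted.

EXPECTED_UID=${EXPECTED_UID:-0}   # the file should belong to root

# audit_exclude_list FILE DIR...
# Prints one finding per line. Returns 0 when the file is safely owned, not
# group/world-writable and every DIR is covered by an entry; 1 otherwise.
audit_exclude_list() {
    local file=$1 rc=0 dir entry covered mode uid
    shift

    [ -f "$file" ] || { echo "MISSING $file"; return 1; }

    uid=$(stat -c '%u' "$file")
    mode=$(stat -c '%a' "$file")
    if [ "$uid" != "$EXPECTED_UID" ]; then
        echo "OWNER uid=$uid $file"; rc=1
    fi
    # Anyone who can edit the list can silently re-include a directory.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "WRITABLE mode=$mode $file"; rc=1
    fi

    for dir in "$@"; do
        covered=no
        while IFS= read -r entry; do
            entry=${entry%/}                      # tolerate a trailing slash
            case $entry in
                ''|*'*'*|*'?'*|*'['*) continue ;; # blank or wildcard entry
            esac
            case $dir/ in
                "$entry"/*) covered=yes; break ;; # same dir or a parent of it
            esac
        done < "$file"
        [ "$covered" = yes ] || { echo "UNCOVERED $dir"; rc=1; }
    done
    return "$rc"
}

# Stand-alone use: ./audit.sh /usr/openv/netbackup/exclude_list /etc /home
if [ "$#" -gt 0 ]; then audit_exclude_list "$@"; fi
```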

Alanzkorner
Level 3

Hi Revaroo,

I had seen a VNC sharing session of the backup process testing from the NetBackup server console. I could see that for selecting the folder to be backed up, the NB server admin had browsed through my Linux server file system, and then selected a test folder. I could see that he could freely browse through the filesystem. This is the concern which I have. I understand if we use the exclude_list I can avoid those files being backed up, like *.log files or /tmp etc.

Regards,

Alan

Marianne
Level 6
Partner    VIP    Accredited Certified

NetBackup FULLY supports backing up network shares.

What makes you say that NBU cannot back up a Samba share on the backup server?

If you tell us the OS on the backup server and how the share is mapped/mounted, we can point you to the correct section in the Admin Guide.

Alanzkorner
Level 3

Hi Mariane,

That is good news. So if I share a folder on the Linux server over Samba (or is ftp / sftp possible), without installing the NetBackup Linux client on any of my Linux servers, it will be possible to back up these files from the NetBackup server admin interface, right? The NetBackup admin server is a Windows server; I guess it is Windows Server 2003 or Windows Server 2008. I will need to check with the backup team if you need the exact version of Windows. Actually, installation of the NetBackup Linux client was requested as a must by our backup team. NetBackup client version is NetBackup_7.0.

Regards,

Alan

Marianne
Level 6
Partner    VIP    Accredited Certified

"Backup Network Drive" is covered in Admin Guide for Windows, I: http://www.symantec.com/docs/TECH127079

The requirement is that backup selection must be specified as UNC path and that path must be accessible to user account that is starting up NBU Client Service.

Please go through the section starting on p. 474 (ignore the reference to Win95, Win98, and ME).

I believe that Unix/Linux shares should rather be backed up via another Unix/Linux client. Backing up via Windows server/client will mean the backup type will be MS-Windows. Unix/Linux file attributes might not be backed up, resulting in unpredictable restore results (e.g. ownership/permissions).
Do test backups using the UNC path, followed by test restores.

PS: Your backup team should be considered the MOST trustworthy team in the entire organisation.  If you feel that they cannot be trusted, you need to take the matter up with your management.
I have been working with NBU for 13 years now, supporting a large number of NBU customers, setting up backups (with Client software installed) on servers with most important financial (and other) data. 
I have never seen 'data theft' committed by backup admins. Have seen cases at customers where dba's and sysadmins were found guilty....

mph999
Level 6
Employee Accredited

Following on from Marianne's outstanding post ...

"PS: Your backup team should be considered the MOST trustworthy team in the entire organisation.  If you feel that they cannot be trusted, you need to take the matter up with your management.

I have been working with NBU for 13 years now, supporting a large number of NBU customers, setting up backups (with Client software installed) on servers with most important financial (and other) data. 
I have never seen 'data theft' committed by backup admins. Have seen cases at customers where dba's and sysadmins were found guilty...."

I'm glad Marianne posted this - I typed out something similar, but was unsure if I should really post it ...

I'm going to jump in with Marianne ....

The simple answer - make sure the master server is protected, that is, limit the access to that machine. (NBAC is an option to restrict various functions to particular users).

As Marianne says, if you have an issue with the honesty of individual members of a team, then you have serious personal issues that need to be addressed with management.

Martin

Alanzkorner
Level 3

Hi,

Actually I meant the server folder to be backed up is residing on a RHEL 6 Linux server. If I share the same over Samba or NFS, will NetBackup be able to take a backup of this shared folder without installing the NetBackup Linux client on the Linux machine? The NetBackup admin server is the one running Windows.

Note: It is not about trust in a person, it is about security of an operating system (Linux) being overridden by a software which is installed on the Linux machine.

Regards,

Alan

Marianne
Level 6
Partner    VIP    Accredited Certified

The Linux folder will appear as a drive letter/mount point on the Windows server, right?

Therefore the backup selection will be a UNC path in a MS-Windows policy with the backup server as client name. Files/folders will be backed up as Windows files.

Sorry, I don't understand your issue with security... Seems your problem is rather with NBU as an application?

Even working with multiple customers over the years in most secure environments in government, financial and telecom institutions, I have never come across an 'issue' such as yours....
We have always installed NBU on the servers and just backed up file systems and/or folders that server owners needed to be backed up.
The need for root access during installation and root account for background processes (vnetd and bpcd) is described by revaroo above (and in NBU manuals) and is no different from other backup products where agent is installed.

Alanzkorner
Level 3

Hi Mariane,

It says "Mapped drive letters cannot be backed up. Drive letters do not appear in the Backup, Archive, and Restore console when backups are browsed." in a note on page 475 in the Guide. Correct me if I am wrong, this means if I mount a Linux Samba share as a network drive, say Z drive, then the NetBackup admin won't be able to back up this drive, right? If so, how will I back up the Samba share? In the doc it is given using the example of win_client and win_PC. I could not find a guide to back up a Samba shared folder on a Linux box. If I use Samba I can avoid installing the NetBackup Linux client on my Linux server. But again, since "Mapped drive letters can't be backed up", it will again be a blocker, right? If so, how can I proceed? I just need to have a Linux Samba or network share backed up.

Regards,

Alan