PCI requirement to show encryption - get a plan!

Genericus · ‎01-08-2015

PCI audit - the auditor wants to SEE the encryption.

Not just verify that KEYS exist, not test backup and restore, with and with out keys.

He wants to see the data on tape using OS commands, and then see what it looks like once keys are deleted.

Do you know your OS commands to write data to tape and read it back? I did 10 years ago, lol...

NetBackup 9.1.0.1 on Solaris 11, writing to Data Domain 9800 7.7.4.0
duplicating via SLP to LTO5 & LTO8 in SL8500 via ACSLS

mph999 · ‎01-08-2015

Hopefully it's Linux/ Unix ... (I do see Solaris listed).

Here is little example I have put together ...

How to use dd to read data off a tape

On occassion it may be necessary to try and read data off a tape if there is a failure in NetBackup. Usually this will be only to demonstrate that the tape is unreadable dur to an issue outside of NetBackup.

It is easier to explain this via example.

We can see from bpimagelist that the image nbmedia00_1418641103 spans 2 tapes, E01001 and E01002

IMAGE nbmedia00 0 0 8 nbmedia00_1418641103 nbmedia_big 0 *NULL* root Full 0 1 1418641103 130 1419850703 0 0 2545152 1 1 2 0 nbmedia_big_1418641103_FULL.f *NULL* *NULL* 0 1 0 0 0 *NULL* 0 0 0 0 0 0 0 *NULL* 0 0 0 *NULL* 269 0 0 740 0 0 *NULL* *NULL* 0 0 0 0 *NULL* *NULL*
HISTO -1 -1 -1 -1 -1 -1 -1 -1 -1 -1
FRAG 1 1 1566208 0 2 6 1 E01001 nbmedia00 262144 2 1418641103 2 0 *NULL* 1419850703 0 65537 0 0 0 1 0 1418641233 0 *NULL* *NULL*
FRAG 1 2 978944 0 2 6 1 E01002 nbmedia00 262144 2 1418641103 2 0 *NULL* 0 0 0 0 0 0 1 0 0 0 *NULL* *NULL*

It does not actually matter if the image spans multiple tapes, or is contained on a single media, the procedure is exactly the same.

First, use scsi_command -map to obtain an image of what is on the tape, this needs to be done in fragment order, so E01001 is the first tape as it contains fragment 1, E01002 is the second tape as it contains fragement 2.

[root@nbmedia00 testdata]# scsi_command -map -f /dev/nst1
00000000: file 1: record 1: size 1024: NBU MEDIA header (E01001)
00000001: file 1: eof after 1 records: 1024 bytes
00000002: file 2: record 1: size 1024: NBU BACKUP header
backup_id nbmedia00_1418641103: frag 1: file 1: copy 1
expiration 1419850703: retention 1: block_size 262144
flags 0x0: mpx_headers 0: resume_count 0: media E01001
00000003: file 2: record 2: size 262144
00006121: file 2: eof after 6119 records: 1603798016 bytes
eot

We see that the header for the backup image nbmedia00_1418641103 is located at file 2, and the data fragment is immediate after the header as expected.

We need to first read this fragment using dd, into a file on disk, followed by the actual data in fragment 1.

We can build the commands required by referencing the output of scsi_command -map output, consideration must be given to filenames and blocksize used to allow the read via dd to be successful, and correct identification of the files later. In this example we have used the backupid, follwed by a description of what part of the image the file relates to.

NOTE:
We want to position the tape to file 2, fsf 1 is correct as it positions after file 1, which of course is just before file 2.
mkdir /tmp/recover

mt -f /dev/nst1 rewind
mt -f /dev/nst1 fsf 1
dd if=/dev/nst1 of=/tmp/recover/bu-nbmedia00_1418641103_frag1header bs=1k count=1
dd if=/dev/nst1 of=/tmp/recover/bu-nbmedia00_1418641103_frag1 bs=256k

A quick look at the files created :

-rw-r--r-- 1 root root 1603796992 Dec 15 03:16 bu-nbmedia00_1418641103_frag1
-rw-r--r-- 1 root root 1024 Dec 15 03:15 bu-nbmedia00_1418641103_frag1header

The frag1header (which is the backup header) is 1K in size which is correct for a header.

We now need to recover any remaining fragments for the image from the next tape, so as before, we repeat the process and run scsi_command -map -d <device> on the next tape, E01002.

00000000: file 1: record 1: size 1024: NBU MEDIA header (E01002)
00000001: file 1: eof after 1 records: 1024 bytes
00000002: file 2: record 1: size 1024: NBU BACKUP header
backup_id nbmedia00_1418641103: frag 2: file 1: copy 1
expiration 1419850703: retention 1: block_size 262144
flags 0x0: mpx_headers 0: resume_count 0: media E01002
00000003: file 2: record 2: size 262144
00003827: file 2: eof after 3825 records: 1002439680 bytes
00003828: file 3: record 1: size 1024: NBU EMPTY header (file 2)
00003829: file 3: eof after 1 records: 1024 bytes
eot

Here we see that we have frag 2 of backup header for frag 2 of image nbmedia00_1418641103 at the position file 2, so we can again put the required commands together.
In this case, because the fragements we want are both the first fragments on the tapes, the commands we need are the same, so we just change the filenames.

mt -f /dev/nst1 rewind
mt -f /dev/nst1 fsf 1
dd if=/dev/nst1 of=/tmp/recover/bu-nbmedia00_1418641103_frag2header bs=1k count=1
dd if=/dev/nst1 of=/tmp/recover/bu-nbmedia00_1418641103_frag2 bs=256k

Looking now at the files we have created :

-rw-r--r-- 1 root root 1603796992 Dec 15 03:16 bu-nbmedia00_1418641103_frag1
-rw-r--r-- 1 root root 1024 Dec 15 03:15 bu-nbmedia00_1418641103_frag1header
-rw-r--r-- 1 root root 1002438656 Dec 15 03:22 bu-nbmedia00_1418641103_frag2
-rw-r--r-- 1 root root 1024 Dec 15 03:22 bu-nbmedia00_1418641103_frag2header

We have the two backup headers (one for each fragment) for reference if required, and the two files holding the actual data.

We can then 'cat' the two files containing each fragment of the image into one file:

cat bu-nbmedia00_1418641103_frag* >bu-backup

And read this single tar file back, which contains the data from the backup.

[root@nbmedia00 recover]# /usr/openv/netbackup/bin/tar tvf bu-backup
Erwxr-xr-x root/root 103 Dec 15 02:58 2014 .AtTrIbUtEs.0
--Extra header --
drwxr-xr-x root/root 0 Dec 15 02:41 2014 /
drwxr-xr-x root/root 0 Dec 15 02:49 2014 /testdata/
-rw-r--r-- root/root 1532471296 Dec 15 02:50 2014 /testdata/tarfile1

If you are using Windows, you can use nt_ttu to read, but this is a Symantec command (but NOT a NetBackup command) - I don't think Windows has any of it's own commands to read a tape.

Nicolai · ‎01-08-2015

I think the PCI guy ask to much.

Just because you delete the key, it does not mean data will change on tape. Actual some sort of communication has to be established to retrive the encryption key from NBU KMS. Else data will be total scrambled using Martin guide.

I would suggest you take a look at this tech note:

http://www.symantec.com/docs/TECH127166

If you change the active encryption key to "deprecated" in NBU KMS restore won't no longer work.

mph999 · ‎01-08-2015

I think the audit guy is asking too much also, but if he wants to see scrambled data, then my post should work, or as an easier alternative, just rewind the tape and run the tar commandan over and over, it will complain a bit as it jumps over the headers but should read the data back.

Oh, if the backups are multiplexed, not sure if this will work, it might do, never tried, certainly the data won't be recovered even if not encrypted, but it might still disposal the scrambled data you want to see, you just won't know which client it is from.

All audits I've been involved with, just showing the restore fails when the keys are removed has been sufficient.

Nicolai · ‎01-09-2015

+1 for Martin post

One thing extra. How will the auditor see the difference between a binary steam and a encrypted binary stream - I can't see the difference :)

Andrew_Madsen · ‎01-09-2015

The auditor obviously has Binary Hex Differentiation Comparison Disease (BHDCD). This disease is contracted by sending an MBA with no technical background to a training class and certifying them in a technical field. The classic symptom is to demand data that the BHDCD affected believe should meet their criteria which it to do a really tough audit.

The data on tape is not binary it is hex.

mph999 · ‎01-09-2015

Good point Nicolai ....

Of coiurse, my method (which is just a slightly neater version of other technotes/ connect posts) uses NetBackup tar to 'read' the files, so of course if they are readable they are not encrypted.

So, hang on a sec ... I'm doing from the command line exactly (well, nearly) what NBU does ...

So, the only other way would be to stream the data using dd I guess and just don;t pipe it through tar - so you'll have a tar format file on the disk. Guess you could run 'strings' on it

strings <filename>

As an alternative, can you get a new auidtor - the one you have appears to be faulty ...

mph999 · ‎01-09-2015

Ha ha - excellent ...

Nicolai · ‎01-09-2015

+1 for Andrew comment as well

And of course data is hex and not binary - my bad.

I was wondering if you where tpmounting the tape if Netbackup would send the encryption key along with it. I don't think its that simple since both encrypted and unencrypted backup can exist on the same tape.

Will_Restore · ‎01-09-2015

This thread is an amusing end to an otherwise bland week. :)

Andrew_Madsen · ‎01-09-2015

We always attempt to look to the lighter side of those times we are vexed by the uninformed. You are welcome have a nice weekend. I know I will freeze my lower extremities off.

VOX

PCI requirement to show encryption - get a plan!