NetBackup™ Snapshot Manager for Cloud Install and Upgrade Guide

Installing NetBackup Snapshot Manager on CIS Level 2 v2 configured host

The Center for Internet Security (CIS) provides a set of benchmarks for different software systems. These benchmarks are used to harden software and systems. CIS lists Level 1, 2 and 3 benchmarks.

NetBackup Snapshot Manager deployment is now supported on CIS Level 2 v2 benchmark for Red Hat Enterprise Linux 8 machines.

To install NetBackup Snapshot Manager on CIS Level 2 v2 configured host

  1. Prepare Red Hat Enterprise Linux 8 with CIS Level 2 v2 benchmarks.
  2. On a CIS host, the iptables firewall is supported.
  3. Ensure that you meet all the 'NetBackup Snapshot Manager host requirements' provided in the following section:

  4. Ensure that IPv4 and IPv6 forwarding are enabled.
  5. Use the OpenSCAP tool to remediate the machine, skipping the following set of rules for NetBackup Snapshot Manager:
    xccdf_org.ssgproject.content_rule_package_iptables-services_removed
    xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding
    xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward
    xccdf_org.ssgproject.content_rule_accounts_tmout  
    xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action  
    xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action  
    xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action  
    xccdf_org.ssgproject.content_rule_banner_etc_issue  
    xccdf_org.ssgproject.content_rule_banner_etc_issue_net  
    xccdf_org.ssgproject.content_rule_grub2_uefi_password  
    xccdf_org.ssgproject.content_rule_mount_option_var_noexec
    xccdf_org.ssgproject.content_rule_package_bind_removed  
    xccdf_org.ssgproject.content_rule_package_cups_removed  
    xccdf_org.ssgproject.content_rule_package_dhcp_removed  
    xccdf_org.ssgproject.content_rule_package_dovecot_removed  
    xccdf_org.ssgproject.content_rule_package_httpd_removed  
    xccdf_org.ssgproject.content_rule_package_mcstrans_removed  
    xccdf_org.ssgproject.content_rule_package_net-snmp_removed  
    xccdf_org.ssgproject.content_rule_package_openldap-clients_removed  
    xccdf_org.ssgproject.content_rule_package_rsync_removed  
    xccdf_org.ssgproject.content_rule_package_samba_removed  
    xccdf_org.ssgproject.content_rule_package_setroubleshoot_removed  
    xccdf_org.ssgproject.content_rule_package_squid_removed  
    xccdf_org.ssgproject.content_rule_package_talk_removed  
    xccdf_org.ssgproject.content_rule_package_telnet-server_removed  
    xccdf_org.ssgproject.content_rule_package_tftp-server_removed  
    xccdf_org.ssgproject.content_rule_package_vsftpd_removed  
    xccdf_org.ssgproject.content_rule_package_xinetd_removed  
    xccdf_org.ssgproject.content_rule_package_xorg-x11-server-common_removed  
    xccdf_org.ssgproject.content_rule_package_ypserv_removed  
    xccdf_org.ssgproject.content_rule_rsyslog_files_permissions  
    xccdf_org.ssgproject.content_rule_selinux_state  
    xccdf_org.ssgproject.content_rule_service_firewalld_enabled  
    xccdf_org.ssgproject.content_rule_set_firewalld_default_zone  
    xccdf_org.ssgproject.content_rule_sudo_require_authentication  
    xccdf_org.ssgproject.content_rule_sudo_require_reauthentication

    Following is an example for using the oscap command with the remediate option:

    # oscap xccdf eval --skip-rule <x> --skip-rule <y> --skip-rule <z> --results demo-remediate2.xml --profile xccdf_org.ssgproject.content_profile_cis --remediate /usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml

    Pass each of the rules listed above with its own --skip-rule option, as shown in the example. The command skips the specified rules and generates a report.

    For more information, refer to the Red Hat System Design Guide.

  6. Install NetBackup Snapshot Manager and register with NetBackup primary server.
  7. Ensure that Podman communication is working properly. Refer to the Red Hat knowledge base article.
  8. When performing the agentless configuration for protecting a CIS Level 2 v2 VM workload, ensure that you meet the requirements mentioned in the following section and remove the noexec mount option from /tmp on the agentless VM workload:

After a successful NetBackup Snapshot Manager deployment, an OpenSCAP CIS score of 97% can be achieved.
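
One way to assemble the step 5 command without typing every --skip-rule option by hand, shown as an added example that is not part of the NetBackup guide. The helper name build_oscap_cmd and the skip-list file (one rule ID per line, pasted from the list in step 5) are assumptions; the profile, data stream path and default results file name are the ones in the guide's example.

```shell
#!/usr/bin/env bash
# Added example (not from the NetBackup guide): build the step 5 oscap
# command from a skip-list file holding one rule ID per line.

PROFILE="xccdf_org.ssgproject.content_profile_cis"                 # from the guide
DATASTREAM="/usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml"  # from the guide
RULE_RE='^xccdf_org\.ssgproject\.content_rule_[A-Za-z0-9_.-]+$'

# build_oscap_cmd LIST [RESULTS]: print the full command for review, or fail
# without printing it if any entry is not a well-formed rule ID.
build_oscap_cmd() {
    local list="$1" results="${2:-demo-remediate2.xml}" rules bad r args=""
    # Drop '#' comments, surrounding blanks (the list as copied from the page
    # has trailing spaces), CRs and empty lines; keep the first copy of each ID.
    rules="$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
                 -e '/^$/d' "$list" | awk '!seen[$0]++')"
    [ -n "$rules" ] || { echo "no rule IDs in $list" >&2; return 1; }
    bad="$(printf '%s\n' "$rules" | grep -Ev "$RULE_RE" || true)"
    if [ -n "$bad" ]; then
        printf 'rejected entry: %s\n' "$bad" >&2
        return 1
    fi
    for r in $rules; do              # safe to split: every entry matched RULE_RE
        args="$args --skip-rule $r"
    done
    printf 'oscap xccdf eval%s --results %s --profile %s --remediate %s\n' \
        "$args" "$results" "$PROFILE" "$DATASTREAM"
}

# Constructed sample: three of the rule IDs from step 5, two with trailing blanks.
sample="$(mktemp)"
printf '%s\n' \
    "xccdf_org.ssgproject.content_rule_package_iptables-services_removed" \
    "xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward  " \
    "xccdf_org.ssgproject.content_rule_selinux_state  " > "$sample"
build_oscap_cmd "$sample"
rm -f "$sample"
```

Keeping the skip list in a version-controlled file makes the benchmark exceptions reviewable and lets the same list be reused when the host is rescanned.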

More Information

Meeting system requirements

Prerequisites for the agentless configuration
