Installing NetBackup Snapshot Manager on a CIS Level 2 v2 configured host
The Center for Internet Security (CIS) publishes benchmarks for a wide range of software and operating systems; they are used to harden those systems. Each benchmark defines Level 1 and Level 2 profiles, Level 2 being the stricter, defense-in-depth profile.
NetBackup Snapshot Manager deployment is now supported on Red Hat Enterprise Linux 8 hosts hardened to the CIS Level 2 v2 benchmark.
To install NetBackup Snapshot Manager on CIS Level 2 v2 configured host
- Prepare a Red Hat Enterprise Linux 8 host with the CIS Level 2 v2 benchmark applied.
- On a CIS host, the iptables firewall is supported. This is why the rules that remove iptables-services and that enable firewalld are among the rules skipped below.
- Ensure that you meet all the 'NetBackup Snapshot Manager host requirements' provided in the following section:
- Ensure that IPv4 and IPv6 forwarding are enabled (net.ipv4.ip_forward = 1 and net.ipv6.conf.all.forwarding = 1). The two sysctl rules that would disable them are among the rules skipped below.
- Use the OpenSCAP tool (oscap) to remediate the host with the following rules skipped, because applying them would break NetBackup Snapshot Manager:
xccdf_org.ssgproject.content_rule_package_iptables-services_removed
xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding
xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward
xccdf_org.ssgproject.content_rule_accounts_tmout
xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action
xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action
xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action
xccdf_org.ssgproject.content_rule_banner_etc_issue
xccdf_org.ssgproject.content_rule_banner_etc_issue_net
xccdf_org.ssgproject.content_rule_grub2_uefi_password
xccdf_org.ssgproject.content_rule_mount_option_var_noexec
xccdf_org.ssgproject.content_rule_package_bind_removed
xccdf_org.ssgproject.content_rule_package_cups_removed
xccdf_org.ssgproject.content_rule_package_dhcp_removed
xccdf_org.ssgproject.content_rule_package_dovecot_removed
xccdf_org.ssgproject.content_rule_package_httpd_removed
xccdf_org.ssgproject.content_rule_package_mcstrans_removed
xccdf_org.ssgproject.content_rule_package_net-snmp_removed
xccdf_org.ssgproject.content_rule_package_openldap-clients_removed
xccdf_org.ssgproject.content_rule_package_rsync_removed
xccdf_org.ssgproject.content_rule_package_samba_removed
xccdf_org.ssgproject.content_rule_package_setroubleshoot_removed
xccdf_org.ssgproject.content_rule_package_squid_removed
xccdf_org.ssgproject.content_rule_package_talk_removed
xccdf_org.ssgproject.content_rule_package_telnet-server_removed
xccdf_org.ssgproject.content_rule_package_tftp-server_removed
xccdf_org.ssgproject.content_rule_package_vsftpd_removed
xccdf_org.ssgproject.content_rule_package_xinetd_removed
xccdf_org.ssgproject.content_rule_package_xorg-x11-server-common_removed
xccdf_org.ssgproject.content_rule_package_ypserv_removed
xccdf_org.ssgproject.content_rule_rsyslog_files_permissions
xccdf_org.ssgproject.content_rule_selinux_state
xccdf_org.ssgproject.content_rule_service_firewalld_enabled
xccdf_org.ssgproject.content_rule_set_firewalld_default_zone
xccdf_org.ssgproject.content_rule_sudo_require_authentication
xccdf_org.ssgproject.content_rule_sudo_require_reauthentication
The following example shows the oscap command with the --remediate option, where <x>, <y> and <z> stand for rule IDs and each rule gets its own --skip-rule option:
# oscap xccdf eval --skip-rule <x> --skip-rule <y> --skip-rule <z> --results demo-remediate2.xml --profile xccdf_org.ssgproject.content_profile_cis --remediate /usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml
Pass every rule listed above in its own --skip-rule option, as in the example. Skipped rules are neither evaluated nor remediated, and the results (including the score) are written to the file named by --results; add --report <file>.html if you also want an HTML report.
For more information, refer to the Red Hat System Design Guide.
- Install NetBackup Snapshot Manager and register it with the NetBackup primary server.
- Ensure that Podman communication is working properly; refer to the Red Hat knowledge base article.
- When performing the agentless configuration to protect a CIS Level 2 v2 VM workload, ensure that you meet the requirements mentioned in the following section, and remove the noexec mount option from the /tmp file system on the agentless VM workload:
After a successful NetBackup Snapshot Manager deployment, an OpenSCAP CIS score of about 97% can be achieved.
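As an added example (not Veritas or Red Hat code), the following POSIX shell script turns the procedure above into something repeatable: it builds the oscap run with every exemption as its own --skip-rule argument, checks the IPv4/IPv6 forwarding prerequisite, and afterwards verifies from the XCCDF results file that the exempted rules were actually left alone and reads back the score. It assumes the datastream and profile shown above, that a skipped rule appears as "notselected" in the results (the XCCDF result value for a deselected rule), and the results excerpt it parses is constructed for the example, not real oscap output.

```shell
#!/bin/sh
# Added example (not Veritas or Red Hat code): build the oscap remediation run
# with every NetBackup Snapshot Manager exemption, check the forwarding
# prerequisite, and verify from the XCCDF results that the exemptions were
# left alone. Assumptions: POSIX sh; the datastream and profile from the page;
# the sample results XML at the bottom is constructed, not real oscap output.

PREFIX=xccdf_org.ssgproject.content_rule_
DS=/usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml
PROFILE=xccdf_org.ssgproject.content_profile_cis

# The exempted rules from the list above, with the common prefix factored out.
NBSM_SKIP_SHORT="
package_iptables-services_removed sysctl_net_ipv6_conf_all_forwarding sysctl_net_ipv4_ip_forward
accounts_tmout auditd_data_retention_admin_space_left_action
auditd_data_retention_max_log_file_action auditd_data_retention_space_left_action
banner_etc_issue banner_etc_issue_net grub2_uefi_password mount_option_var_noexec
package_bind_removed package_cups_removed package_dhcp_removed package_dovecot_removed
package_httpd_removed package_mcstrans_removed package_net-snmp_removed
package_openldap-clients_removed package_rsync_removed package_samba_removed
package_setroubleshoot_removed package_squid_removed package_talk_removed
package_telnet-server_removed package_tftp-server_removed package_vsftpd_removed
package_xinetd_removed package_xorg-x11-server-common_removed package_ypserv_removed
rsyslog_files_permissions selinux_state service_firewalld_enabled
set_firewalld_default_zone sudo_require_authentication sudo_require_reauthentication
"

# Full rule IDs, one per line (handy for diffing against the documentation).
nbsm_skip_rules() { for r in $NBSM_SKIP_SHORT; do echo "${PREFIX}${r}"; done; }

# Run the remediation as root: nbsm_remediate /root/nbsm-remediate.xml
# Each exemption becomes its own --skip-rule argument; the list is built with
# the positional parameters so no rule ID is re-split by the shell.
nbsm_remediate() {
  results=$1
  set --
  for r in $NBSM_SKIP_SHORT; do set -- "$@" --skip-rule "${PREFIX}${r}"; done
  oscap xccdf eval "$@" --results "$results" --profile "$PROFILE" --remediate "$DS"
}

# Prerequisite check: both forwarding sysctls must read 1. $1 is an optional
# root to read under (default: the live system) so a staged tree can be checked.
forwarding_enabled() {
  root=${1:-}
  v4=$(cat "$root/proc/sys/net/ipv4/ip_forward" 2>/dev/null)
  v6=$(cat "$root/proc/sys/net/ipv6/conf/all/forwarding" 2>/dev/null)
  [ "$v4" = 1 ] && [ "$v6" = 1 ]
}

# "rule-id result" per line, pulled from the <rule-result> elements of a results file.
results_pairs() {
  awk '/<rule-result / { if (match($0, /idref="[^"]+"/)) id = substr($0, RSTART + 7, RLENGTH - 8) }
       /<result>/      { if (match($0, /<result>[^<]+<\/result>/)) print id, substr($0, RSTART + 8, RLENGTH - 17) }' "$1"
}

# Exemptions that were not honoured: a skipped rule must appear as "notselected";
# anything else means remediation touched it. Prints offenders; exit 0 when none.
unhonoured_exemptions() {
  results_pairs "$1" | awk -v want="$(nbsm_skip_rules | tr '\n' ' ')" '
    BEGIN { n = split(want, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
    ($1 in skip) && $2 != "notselected" { print $1; bad++ }
    END { exit bad ? 1 : 0 }'
}

# The overall score as oscap writes it (<score ...>97.000000</score>).
results_score() { sed -n 's/.*<score[^>]*>\([^<]*\)<\/score>.*/\1/p' "$1" | head -n 1; }

# Constructed excerpt of a results file: two exemptions correctly left alone,
# one ordinary rule fixed, and one exemption that was (wrongly) remediated.
write_sample_results() {
  cat > "$1" <<'EOF'
<TestResult>
<rule-result idref="xccdf_org.ssgproject.content_rule_selinux_state" role="full">
<result>notselected</result>
</rule-result>
<rule-result idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward" role="full">
<result>notselected</result>
</rule-result>
<rule-result idref="xccdf_org.ssgproject.content_rule_package_telnet_removed" role="full">
<result>fixed</result>
</rule-result>
<rule-result idref="xccdf_org.ssgproject.content_rule_mount_option_var_noexec" role="full">
<result>fixed</result>
</rule-result>
<score system="urn:xccdf:scoring:default" maximum="100.000000">97.000000</score>
</TestResult>
EOF
}

# Stand-alone demo against the constructed sample (no oscap needed).
demo=$(mktemp) && write_sample_results "$demo"
echo "skipping $(nbsm_skip_rules | wc -l | tr -d ' ') rules"
unhonoured_exemptions "$demo" || echo "the rule(s) above were remediated despite --skip-rule; re-check the list"
echo "score: $(results_score "$demo")"
rm -f "$demo"
```

On a real host, source the script, confirm forwarding_enabled succeeds, run nbsm_remediate as root with a results path of your choice, then run unhonoured_exemptions and results_score against that file: an exemption that shows up as "fixed" or "fail" rather than "notselected" means it was not in the --skip-rule list and the remediation may have broken a NetBackup Snapshot Manager dependency.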