Veritas-bu
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Veritas-bu] bpgp

2002-08-14 11:57:42
Subject: [Veritas-bu] bpgp
From: CJManders AT LBL DOT GOV (Christopher Manders)
Date: Wed, 14 Aug 2002 08:57:42 -0700 
Hi again,

The command is absolutely worth not saying much about other than I'd be very
cautious with it.

It is another reason that I think most security 'experts' have very little
scope of backups as a serious crow gem to be guarded dearly. I am possibly a
paranoid individual, but I have also possibly seen some scary stuff on the
Internet. Typicaly, backups are brought up as a security measure, not as a
potentially serious vulerability. I think that because of the former it
should always be considered as the later.

I think if you use these much you may want to 1) turn on the keystroke
logging features of your OS (Solaris is acct stuff) and/or 2) use a machine
on the same wire segment to tcpdump all network activity on the bp* ports.
You can then use some programs to reconstruct what was done, after the fact.
I would, in fact, not even allow that machine to have more than 'listen'
wires enabled on its ethernet link, so that you might have to go through a
terminal server to actually get to the box from the network....or via SSH,
of course, tightly wrapped.

I can personally think of at least 8 ways to break into a box by having root
on a NetBackup machine. Most use the tool we are discussing. So, beware.
(Actually, on our machine I renamed the bpgp and bpdir commands to be
somewhat, shall we say, ambiguous. In my case, obfuscation is not confusion,
though others may be. ;-)

All of that being said, we do some great stuff with it. For instance, we
have this unbelievable user base. Almost everyone has a PhD and thinks of
themselves as somewhat inflated in intellegence (IMHO). Anyway, it is a very
mixed environment of every flavor and version of Operating System (mostly
UNIXes and Macintoshes), and we have very little control over
machines...until they can't get their data, when it becomes our fault. So,
we have taken to grabbing at least the include_list.* and exclude_list.*
files nightly from all clients and diffing them against yesterday's files.
We have found most problems are from aggressive users editing these files
wrongly. So, we have a script that diffs the files and if there are
differences it emails the owner/contact of a system and CC's us as the
backup group. The syntax being what it is, we have found this to have helped
alot in minimizing problems.

We also use 'bpdir -M myclient1 /' to see their filesystem and such.


I hope that helps further.


Yours,

Chris




----- Original Message -----
From: "Dennis Dwyer" <dfdwyer AT tecoenergy DOT com>
To: <CJManders AT lbl DOT gov>; <veritas-bu AT mailman.eng.auburn DOT edu>;
<mndunfee AT statestreetkc DOT com>
Sent: Wednesday, August 14, 2002 4:51 AM
Subject: Re: [Veritas-bu] bpgp


> Say more ... Is this command documented anywhere?
>
> Quote: "Time is not a test of the truth"
> Translation: Just because you've always done it that way, doesn't make it
right
>
> Dennis F. Dwyer
> Enterprise Storage Manager
> Tampa Electric Company
>
> (813) 225-5181  - Voice
> (813) 275-3599  - FAX
>
> Visit our corporate website at www.tecoenergy.com
>
> >>> "Christopher Manders" <CJManders AT LBL DOT GOV> 08/13/2002 4:33:00 PM >>>
>
>
> bpgp from <hostname> <absolute/path/to/remote/file>
> <absolute/path/to/local/file>
>
> as with 'to' instead of 'from'
>
> Cheers!
>
> Chris
>
> ----- Original Message -----
> From: <mndunfee AT statestreetkc DOT com>
> To: <veritas-bu AT mailman.eng.auburn DOT edu>
> Sent: Tuesday, August 13, 2002 11:40 AM
> Subject: [Veritas-bu] bpgp
>
>
> > Does anyone know the syntax for the 'bpgp' command?  Supposedly this can
> be
> > used to update the configuration file on your Netbackup clients.
> >
> > Thanks!
> >
> > Matt Dunfee
> > State Street
> > Information Technology
> > W: 816-691-3689
> > C:  816-985-0134
> > mndunfee AT statestreetkc DOT com
> >
> >
> >
> > *****************************************************************
> > This email and any files transmitted with it are confidential
> > and intended solely for the use of the individual or entity
> > to whom they are addressed. If you have received this email
> > in error please notify postmaster AT statestreetkc DOT com.
> > *****************************************************************
> >
> > _______________________________________________
> > Veritas-bu maillist  -  Veritas-bu AT mailman.eng.auburn DOT edu
> > http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
> >
>
> _______________________________________________
> Veritas-bu maillist  -  Veritas-bu AT mailman.eng.auburn DOT edu
> http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
>
> _______________________________________________
> Veritas-bu maillist  -  Veritas-bu AT mailman.eng.auburn DOT edu
> http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
>
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Veritas-bu] NetBackup 4.5 ?, Jeff Kennedy
Next by Date:  [Veritas-bu] bpsched vs. bpbackup??, Ballowe, Charles
Previous by Thread:  [Veritas-bu] bpgp, Dennis Dwyer
Next by Thread:  [Veritas-bu] bpgp, Arsenault, Donald (FUSA)
Indexes:  [Date] [Thread] [Top] [All Lists]