• Please help support our sponsors by considering their products and services.
    Our sponsors enable us to serve you with this high-speed Internet connection and fast webservers you are currently using at ADSM.ORG.
    They support this free flow of information and knowledge exchange service at no cost to you.

    Please welcome our latest sponsor Tectrade . We can show our appreciation by learning more about Tectrade Solutions
  • Community Tip: Please Give Thanks to Those Sharing Their Knowledge.

    If you receive helpful answer on this forum, please show thanks to the poster by clicking "LIKE" link for the answer that you found helpful.

  • Community Tip: Forum Rules (PLEASE CLICK HERE TO READ BEFORE POSTING)

    Click the link above to access ADSM.ORG Acceptable Use Policy and forum rules which should be observed when using this website. Violators may be banned from this website. This notice will disappear after you have made at least 3 posts.

Restore Logging

ypcat

ADSM.ORG Member
#1
Hello,

Is there a way to monitor/restrict or log admins who restore with regards to sensitive data? Let's say the mayor's office has some sensitive files. How do we restrict restore access to that data from the admin pool?

Thanks.
 

marclant

ADSM.ORG Moderator
#2
There are 2 groups that can do restore. The node that did the backup and any node that has been granted access, by default, only the node has access to restore it's data, access to other nodes has to be granted after, so you should be safe on that front. The other group is administrators. Any administrator that has SYSTEM authority can restore from any node, as well as any admininistrator that do not have SYSTEM, but was granted node access. So it's hard to control by means of access, because any admin with SYSTEM authority can perform a restore. However, one could argue that if they can't be trusted with sensitive data, they should not be granted SYSTEM authority.

The best approach would be to encrypt the backups, so in addition to needing access to the node to restore the data, you also need the encryption password. That ensures that any TSM admin with SYSTEM authority cannot restore the data (unless you give them the encryption password). https://ibm.biz/BdRNQc
 

ypcat

ADSM.ORG Member
#3
Thanks for your answer but correct me if I'm wrong. Encrypted data has three options save/prompt/generate. We need to keep backups automated and we need the system to encrypt and decrypt for data processes like GENERATE BACKUPSET so encryptkey save would be the option we use. In those cases you're not prompted for the encryption key upon restore so this won't work for automated backup reliant systems. There has to be a way to control who restores data.

Lab

tsm> i c:\testing\*

Incremental backup of volume 'c:\testing\*'
Normal File--> 16,151 \\gorgon\c$\testing\deeper\devlist.out [Sent]
Normal File--> 262,249 \\gorgon\c$\testing\deeper\qact.txt [Sent]
Normal File--> 428,978 \\gorgon\c$\testing\deeper\qsys.out [Sent]
Successful incremental backup of '\\gorgon\c$\testing\*'


Total number of objects inspected: 7
Total number of objects backed up: 3
Total number of objects updated: 0
Total number of objects rebound: 0
Total number of objects deleted: 0
Total number of objects expired: 0
Total number of objects failed: 0
Total number of subfile objects: 0
Total number of bytes inspected: 783.34 KB
Total number of bytes transferred: 691.83 KB
Data transfer time: 2.28 sec
Network data transfer rate: 303.15 KB/sec
Aggregate data transfer rate: 175.09 KB/sec
Objects compressed by: 0%
Total data reduction ratio: 11.69%
Subfile objects reduced by: 0%
Elapsed processing time: 00:00:03
tsm>

tsm> q backup c:\testing\ -subdir=yes -detail -traceflags=query
Size Backup Date Mgmt Class A/I File
---- ----------- ---------- --- ----
0 B 02/12/2014 16:07:45 TOCMGMT A \\gorgon\c$\testing\deeper
Modified: 02/12/2014 12:47:57 Created: 01/15/2014 10:39:42
Compressed: NO Encryption Type: 128-bit AES
Client-deduplicated: NO
66,865 B 02/12/2014 16:07:45 PTONLINE30MGMT A \\gorgon\c$\testing\stderr
Modified: 06/26/2013 12:09:36 Created: 01/15/2014 10:35:03
Compressed: NO Encryption Type: 128-bit AES
Client-deduplicated: NO
27,902 B 02/12/2014 16:07:45 PTONLINE30MGMT A \\gorgon\c$\testing\stdout
Modified: 06/26/2013 12:09:36 Created: 01/15/2014 10:35:07
Compressed: NO Encryption Type: 128-bit AES
Client-deduplicated: NO
16,151 B 02/12/2014 16:41:34 PTONLINE30MGMT A \\gorgon\c$\testing\deeper\devlist.out
Modified: 07/17/2011 16:59:59 Created: 01/15/2014 10:40:02
Compressed: NO Encryption Type: 128-bit AES
Client-deduplicated: NO
262,249 B 02/12/2014 16:41:34 PTONLINE30MGMT A \\gorgon\c$\testing\deeper\qact.txt
Modified: 01/21/2014 09:51:00 Created: 02/12/2014 12:06:23
Compressed: NO Encryption Type: 128-bit AES
Client-deduplicated: NO
428,978 B 02/12/2014 16:41:34 PTONLINE30MGMT A \\gorgon\c$\testing\deeper\qsys.out
Modified: 08/26/2013 15:51:56 Created: 02/12/2014 12:06:23
Compressed: NO Encryption Type: 128-bit AES
Client-deduplicated: NO
tsm>

tsm: TSM_MASTER_1>generate backupset STAFF_FLAT_GORGON01 encryptiontestbackupset2 devclass=tsm_devclass_tape retention=2 desc="test archive for encryption" wait=no toc=no

12 GENERATE BACKUPSET 0 of 1 backup sets have completed for a total of
0 objects and 0 bytes, with 0 objects skipped.
Of these, 0 backup sets have failed. Currently
generating backup set ENCRYPTIONTESTBACKUPSET2.-
2064942014 for node STAFF_FLAT_GORGON01 (data
type File). For this backup set, there have
been 0 objects inspected, 0 objects and 0 bytes
written, and 0 objects skipped.

tsm: TSM_MASTER_1>

ANR1779I GENERATE BACKUPSET process completed: 1 backupset(s) were generated or defined out of 1 backupset(s) requested by the command's specifications.
ANR0986I Process 12 for GENERATE BACKUPSET running in the BACKGROUND processed 7 items for a total of 805,784 bytes with a completion state of SUCCESS at 16:42:38.
ANR8336I Verifying label of LTO volume C00655L3 in drive TAPE_DRV_4 (/dev/rmt3).
ANR8468I LTO volume C00655L3 dismounted from drive TAPE_DRV_4 (/dev/rmt3) in library TSM_LIB_1.

tsm> q backupset

Backup Set Name Generation Date Retention Description
------------------------------ ------------------- ---------- -----------
1 ENCRYPTIONTESTBACKUPSET.2064932109 02/12/2014 16:19:26 2 test archive for encryption
2 ENCRYPTIONTESTBACKUPSET2.2064942014 02/12/2014 16:42:09 2 test archive for encryption
tsm> restore backupset ENCRYPTIONTESTBACKUPSET2.2064942014 -loc=server -subdir=yes
Restore function invoked.

ANS1247I Waiting for files from the server...
Restoring 0 \\gorgon\c$\testing [Done]
Restoring 0 \\gorgon\c$\testing\deeper [Done]


--- User Action is Required ---
File '\\gorgon\c$\testing\deeper\devlist.out' exists

Select an appropriate action
1. Replace this object
2. Replace all objects that already exist
3. Skip this object
4. Skip all objects that already exist
A. Abort this operation
Action [1,2,3,4,A] : 2
Restoring 16,151 \\gorgon\c$\testing\deeper\devlist.out [Done]
Restoring 262,249 \\gorgon\c$\testing\deeper\qact.txt [Done]
Restoring 428,978 \\gorgon\c$\testing\deeper\qsys.out [Done]
Restoring 66,865 \\gorgon\c$\testing\stderr [Done]
Restoring 27,902 \\gorgon\c$\testing\stdout [Done]

Restore processing finished.

Total number of objects restored: 7
Total number of objects failed: 0
Total number of bytes transferred: 787.11 KB
Data transfer time: 0.54 sec
Network data transfer rate: 1,446.81 KB/sec
Aggregate data transfer rate: 48.19 KB/sec
Elapsed processing time: 00:00:22
tsm>
 

marclant

ADSM.ORG Moderator
#4
On a Windows machine, if you save the encryption key, it saves it locally and encrypted in the registry. So, only if you perform a restore on the same machine as the backup was taken, that you will not be prompted, if someone tries to restore on any other machine, they will be prompted because the password is not stored locally.

For backupsets, the data is NOT decrypted when generating the backupset, it is copied encrypted. If trying to restore from backupset, you will be prompted for the key if not restoring on the original machine with the saved key. http://www-01.ibm.com/support/docview.wss?uid=swg21413286
 
Last edited:

Advertise at ADSM.ORG

If you are reading this, so are your potential customer. Advertise at ADSM.ORG right now.

UpCloud high performance VPS at $5/month

Get started with $25 in credits on Cloud Servers. You must use link below to receive the credit. Use the promo to get upto 5 month of FREE Linux VPS.

The Spectrum Protect TLA (Three-Letter Acronym): ISP or something else?

  • Every product needs a TLA, Let's call it ISP (IBM Spectrum Protect).

    Votes: 17 19.5%
  • Keep using TSM for Spectrum Protect.

    Votes: 53 60.9%
  • Let's be formal and just say Spectrum Protect

    Votes: 10 11.5%
  • Other (please comement)

    Votes: 7 8.0%

Forum statistics

Threads
31,468
Messages
134,118
Members
21,568
Latest member
MESSID
Top