Restore Logging

ypcat

ypcat

ADSM.ORG Member
Joined
Oct 30, 2007
Messages
130
Reaction score
1
Points
0
Location
Toronto Canada
Hello,

Is there a way to monitor/restrict or log admins who restore with regards to sensitive data? Let's say the mayor's office has some sensitive files. How do we restrict restore access to that data from the admin pool?

Thanks.
 
There are 2 groups that can do restore. The node that did the backup and any node that has been granted access, by default, only the node has access to restore it's data, access to other nodes has to be granted after, so you should be safe on that front. The other group is administrators. Any administrator that has SYSTEM authority can restore from any node, as well as any admininistrator that do not have SYSTEM, but was granted node access. So it's hard to control by means of access, because any admin with SYSTEM authority can perform a restore. However, one could argue that if they can't be trusted with sensitive data, they should not be granted SYSTEM authority.

The best approach would be to encrypt the backups, so in addition to needing access to the node to restore the data, you also need the encryption password. That ensures that any TSM admin with SYSTEM authority cannot restore the data (unless you give them the encryption password). https://ibm.biz/BdRNQc
 
Thanks for your answer but correct me if I'm wrong. Encrypted data has three options save/prompt/generate. We need to keep backups automated and we need the system to encrypt and decrypt for data processes like GENERATE BACKUPSET so encryptkey save would be the option we use. In those cases you're not prompted for the encryption key upon restore so this won't work for automated backup reliant systems. There has to be a way to control who restores data.

Lab

tsm> i c:\testing\*

Incremental backup of volume 'c:\testing\*'
Normal File--> 16,151 \\gorgon\c$\testing\deeper\devlist.out [Sent]
Normal File--> 262,249 \\gorgon\c$\testing\deeper\qact.txt [Sent]
Normal File--> 428,978 \\gorgon\c$\testing\deeper\qsys.out [Sent]
Successful incremental backup of '\\gorgon\c$\testing\*'


Total number of objects inspected: 7
Total number of objects backed up: 3
Total number of objects updated: 0
Total number of objects rebound: 0
Total number of objects deleted: 0
Total number of objects expired: 0
Total number of objects failed: 0
Total number of subfile objects: 0
Total number of bytes inspected: 783.34 KB
Total number of bytes transferred: 691.83 KB
Data transfer time: 2.28 sec
Network data transfer rate: 303.15 KB/sec
Aggregate data transfer rate: 175.09 KB/sec
Objects compressed by: 0%
Total data reduction ratio: 11.69%
Subfile objects reduced by: 0%
Elapsed processing time: 00:00:03
tsm>

tsm> q backup c:\testing\ -subdir=yes -detail -traceflags=query
Size Backup Date Mgmt Class A/I File
---- ----------- ---------- --- ----
0 B 02/12/2014 16:07:45 TOCMGMT A \\gorgon\c$\testing\deeper
Modified: 02/12/2014 12:47:57 Created: 01/15/2014 10:39:42
Compressed: NO Encryption Type: 128-bit AES
Client-deduplicated: NO
66,865 B 02/12/2014 16:07:45 PTONLINE30MGMT A \\gorgon\c$\testing\stderr
Modified: 06/26/2013 12:09:36 Created: 01/15/2014 10:35:03
Compressed: NO Encryption Type: 128-bit AES
Client-deduplicated: NO
27,902 B 02/12/2014 16:07:45 PTONLINE30MGMT A \\gorgon\c$\testing\stdout
Modified: 06/26/2013 12:09:36 Created: 01/15/2014 10:35:07
Compressed: NO Encryption Type: 128-bit AES
Client-deduplicated: NO
16,151 B 02/12/2014 16:41:34 PTONLINE30MGMT A \\gorgon\c$\testing\deeper\devlist.out
Modified: 07/17/2011 16:59:59 Created: 01/15/2014 10:40:02
Compressed: NO Encryption Type: 128-bit AES
Client-deduplicated: NO
262,249 B 02/12/2014 16:41:34 PTONLINE30MGMT A \\gorgon\c$\testing\deeper\qact.txt
Modified: 01/21/2014 09:51:00 Created: 02/12/2014 12:06:23
Compressed: NO Encryption Type: 128-bit AES
Client-deduplicated: NO
428,978 B 02/12/2014 16:41:34 PTONLINE30MGMT A \\gorgon\c$\testing\deeper\qsys.out
Modified: 08/26/2013 15:51:56 Created: 02/12/2014 12:06:23
Compressed: NO Encryption Type: 128-bit AES
Client-deduplicated: NO
tsm>

tsm: TSM_MASTER_1>generate backupset STAFF_FLAT_GORGON01 encryptiontestbackupset2 devclass=tsm_devclass_tape retention=2 desc="test archive for encryption" wait=no toc=no

12 GENERATE BACKUPSET 0 of 1 backup sets have completed for a total of
0 objects and 0 bytes, with 0 objects skipped.
Of these, 0 backup sets have failed. Currently
generating backup set ENCRYPTIONTESTBACKUPSET2.-
2064942014 for node STAFF_FLAT_GORGON01 (data
type File). For this backup set, there have
been 0 objects inspected, 0 objects and 0 bytes
written, and 0 objects skipped.

tsm: TSM_MASTER_1>

ANR1779I GENERATE BACKUPSET process completed: 1 backupset(s) were generated or defined out of 1 backupset(s) requested by the command's specifications.
ANR0986I Process 12 for GENERATE BACKUPSET running in the BACKGROUND processed 7 items for a total of 805,784 bytes with a completion state of SUCCESS at 16:42:38.
ANR8336I Verifying label of LTO volume C00655L3 in drive TAPE_DRV_4 (/dev/rmt3).
ANR8468I LTO volume C00655L3 dismounted from drive TAPE_DRV_4 (/dev/rmt3) in library TSM_LIB_1.

tsm> q backupset

Backup Set Name Generation Date Retention Description
------------------------------ ------------------- ---------- -----------
1 ENCRYPTIONTESTBACKUPSET.2064932109 02/12/2014 16:19:26 2 test archive for encryption
2 ENCRYPTIONTESTBACKUPSET2.2064942014 02/12/2014 16:42:09 2 test archive for encryption
tsm> restore backupset ENCRYPTIONTESTBACKUPSET2.2064942014 -loc=server -subdir=yes
Restore function invoked.

ANS1247I Waiting for files from the server...
Restoring 0 \\gorgon\c$\testing [Done]
Restoring 0 \\gorgon\c$\testing\deeper [Done]


--- User Action is Required ---
File '\\gorgon\c$\testing\deeper\devlist.out' exists

Select an appropriate action
1. Replace this object
2. Replace all objects that already exist
3. Skip this object
4. Skip all objects that already exist
A. Abort this operation
Action [1,2,3,4,A] : 2
Restoring 16,151 \\gorgon\c$\testing\deeper\devlist.out [Done]
Restoring 262,249 \\gorgon\c$\testing\deeper\qact.txt [Done]
Restoring 428,978 \\gorgon\c$\testing\deeper\qsys.out [Done]
Restoring 66,865 \\gorgon\c$\testing\stderr [Done]
Restoring 27,902 \\gorgon\c$\testing\stdout [Done]

Restore processing finished.

Total number of objects restored: 7
Total number of objects failed: 0
Total number of bytes transferred: 787.11 KB
Data transfer time: 0.54 sec
Network data transfer rate: 1,446.81 KB/sec
Aggregate data transfer rate: 48.19 KB/sec
Elapsed processing time: 00:00:22
tsm>
 
On a Windows machine, if you save the encryption key, it saves it locally and encrypted in the registry. So, only if you perform a restore on the same machine as the backup was taken, that you will not be prompted, if someone tries to restore on any other machine, they will be prompted because the password is not stored locally.

For backupsets, the data is NOT decrypted when generating the backupset, it is copied encrypted. If trying to restore from backupset, you will be prompted for the key if not restoring on the original machine with the saved key. http://www-01.ibm.com/support/docview.wss?uid=swg21413286
 
Last edited:
You must log in or register to reply here.

Data Privacy Impact Assessment

Compliance Assurance in Every Byte: Discover the Impact of Our DPIA Services.

Sponsor ADSM.ORG

If you are reading this, so are your potential customer. Advertise at ADSM.ORG right now.

Navigation Menu

Forums
   IBM TSM
   EMC Backup and Recovery
   Symantec NetBackup  
   SAN  
   NAS
   Platforms / OS
Mailing List Archives
   ADSM-L
User Groups

NordVPN 3 Months FREE

Help Support ADSM.ORG and Get NordVPN with 64% Off and 3 Months FREE.

NordVPN with 64% off + 3 months FREE

Forum statistics

Threads
31,968
Messages
135,434
Members
21,947
Latest member
dylbrawn
Back
Top