Overriding the Symantec IPS on a NetBackup Appliance

From Peter Pap's Technowiki
Jump to: navigation, search

NetBackup appliances are basically SUSE Linux boxes with Symantec's own interface over the top. They are designed to be a black box appliance that just works and therefore, Symantec try to keep you out of the base OS so you don't break it. However, there are instances where you might like to be able to access the base OS. In order to do so, you need to bypass the Symantec Intrusion Security Policy (IPS...no I don't know why that accronym doesn't match the name). If you're an experienced Unix/Linux admin, this is safe to do and the instructions here are taken from Symantec's own NetBackup 52xx Appliance Security Guide.

1. Log on to the NetBackup Appliance Shell Menu as an Administrator.

2. Run the Support > Maintenance command.

3. To enter your Maintenance account, run the following command, and provide the password when you receive a prompt.

4. In the Maintenance mode, type the following command to override the Symantec Intrusion Security Policy:

  /opt/Symantec/scspagent/IPS/sisipsoverride.sh

The appliance displays the following message:

  Symantec Critical Protection Policy Override
  Agent Version: 5.2.9 (build 739)
  Current Policy: NetBackup Appliance Prevention Policy, r19
  Policy Prevention: Enabled
  Policy Override: Allowed
  Override State: Not overridden
  To override the policy and disable protection,
  enter your login password.
Password:

5. Enter your maintenance password.

The appliance then displays the following options:

  Choose the type of override that you wish to perform:
  1. Override Prevention except for Self Protection
  2. Override Prevention Completely
  Choice?

6. Enter 1 to override prevention except for self protection.

Note: Symantec recommends that you use Option 1. Selecting Option 1 allows modification only to the NetBackup Appliance Shell Menu and NOT to the SCSP Agent.

The appliance displays the following options:

  Choose the amount of time after which to automatically re-enable:
  1. 15 minutes
  2. 30 minutes
  3. 1 hour
  4. 2 hours
  5. 4 hours
  6. 8 hours
  7. never

7. Enter the appropriate number from 1 to 7 based on the time required to debug the Symantec support case.

The appliance displays the following message:

  Enter a comment. Press Enter to continue.
  Disabling the security policy for
  debugging a Symantec
  support case no - XYZ

8. Enter a relevant comment as to why the override is required.

The appliance overrides the policy and displays the following message:

  Please wait while the policy is being overridden.
  ........
  The policy was successfully overridden.

9. Run the elevate command to become root.

  maintenance - !> elevate

You should now have access to the root account.