Safeguard User’s Guide

Abstract
This manual describes the Safeguard product, the use of the command interpreter SAFECOM, and the basic security tasks performed by all users. The manual is intended for security administrators, system managers, and general users of HP NonStop™ systems.

Product Version
Safeguard G07, H05

Supported Release Version Updates (RVUs)
This publication supports J06.03 and all subsequent J-series RVUs, H06.08 and all subsequent H-series RVUs, and G06.
Document History

Part Number   Product Version      Published
422089-013    Safeguard G07, H04   August 2009
422089-014    Safeguard G07, H04   November 2009
422089-015    Safeguard G07, H04   February 2010
422089-016    Safeguard G07, H04   August 2010
422089-017    Safeguard G07, H04   February 2011
422089-019    Safeguard G07, H04   August 2011
422089-020    Safeguard G07, H05   February 2014
Legal Notices © Copyright 2014 Hewlett-Packard Development Company L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
What’s New in This Manual

Changes to 422089-019 Manual:
• Added new example on page 3-10.

Changes to the H06.22/J06.11 Manual:
• Updated the Safeguard product version on page -1.
• Updated the description of PRIV-LOGON ^ in Table 3-2 on page 3-3.
• Updated the SAFECOM screen display on page 7-14.

Changes to the H06.21/J06.10 Manual
• Added Safeguard Helper Process to the Components of the Safeguard Subsystem on page 1-7.
Changes to the H06.19/J06.08 Manual
° DISK-FILE-ATTRIBUTES Table 3-2 on page 3-2.
° Viewing an Alias Authentication Record section on page 6-7.
° AUDIT-PRIV-LOGON attribute on pages 3-5, 3-6, 3-8, 3-16, 3-17, 3-18, 3-19, 3-20, 3-22, and C-7.
° CREATION_TIME of User on page 6-2.
° Viewing Your User Authentication Record section on page 6-4.
• Updated the DISKFILE display with OBJECT-TEXT-DESCRIPTION on page 7-4 and 7-14.
About This Manual This user's guide is intended for all Safeguard users. It is intended especially for the general user who needs to use the Safeguard software to secure disk files, subvolumes, and processes. The manual describes the basic features of the Safeguard distributed security management facility and its command interpreter, SAFECOM. This manual does not cover those Safeguard features normally reserved for privileged users.
Notation Conventions

Hypertext Links
Blue underline is used to indicate a hypertext link within text. By clicking a passage of text with a blue underline, you are taken to the location described. For example: This requirement is described under Backup DAM Volumes and Physical Disk Drives on page 3-2.

General Syntax Notation
The following list summarizes the notation conventions for syntax presentation in this manual.

UPPERCASE LETTERS.
each side of the list, or horizontally, enclosed in a pair of brackets and separated by vertical lines. For example:

FC [ num ]
   [ -num ]
   [ text ]

K [ X | D ] address

{ } Braces. A group of items enclosed in braces is a list from which you are required to choose one item. The items in the list may be arranged either vertically, with aligned braces on each side of the list, or horizontally, enclosed in a pair of braces and separated by vertical lines.
Line Spacing. If the syntax of a command is too long to fit on a single line, each continuation line is indented three spaces and is separated from the preceding line by a blank line. This spacing distinguishes items in a continuation line from items in a vertical list of selections. For example:

ALTER [ / OUT file-spec / ] LINE

   [ , attribute-spec ]…

!i and !o.
Notation for Messages

Nonitalic text. Nonitalic letters, numbers, and punctuation indicate text that is displayed or returned exactly as shown. For example:

Backup Up.

lowercase italic letters. Lowercase italic letters indicate variable items whose values are displayed or returned. For example:

p-register
process-name

[ ] Brackets. Brackets enclose items that are sometimes, but not always, displayed.
Notation for Management Programming Interfaces

The following list summarizes the notation conventions used in the boxed descriptions of programmatic commands, event messages, and error lists in this manual.

UPPERCASE LETTERS. Uppercase letters indicate names from definition files; enter these names exactly as shown. For example:

ZCOM-TKN-SUBJ-SERV

lowercase letters.
1 Introduction to the Safeguard Subsystem The Safeguard subsystem extends the security features of the Guardian environment to provide more comprehensive security for your system. The Safeguard subsystem works with the Guardian environment and allows you to apply more extensive and specific security controls. A comparison of Guardian security features and the extended features of the Safeguard software is presented later in this section.
additional control over the authentication process, even though it provides the first line of defense against intrusion into your files and the entire system.

• Authorization—Checking access control lists to determine whether another user has authority to access your disk files, subvolumes, and processes. You can designate the specific access authorities that another user may have to your objects.
Figure 1-1 shows the Safeguard object databases and depicts the process of the Safeguard software checking an object authorization record to authorize use of an object. This figure is representational. For simplicity, it omits certain technical details regarding the object databases.

Figure 1-1.
Auditing

At your request, the Safeguard subsystem can create audit records of attempts to access your objects. When a user attempts to access an object for which auditing is specified, the Safeguard software records the attempt in an audit file. Records in the audit files contain information such as the name of the object, the date and time of the access attempt, and the user ID of the user attempting the access.
and modify an access control list (ACL) for that object. The ACL specifies which individual users and specific user groups can access the object and what access authorities those users have to the object. Without the Safeguard subsystem installed, the Guardian environment provides basic security controls for users and disk files.
Table 1-1. Comparing Guardian Security and Safeguard Security (page 2 of 2)

Security Feature                                  Guardian Security   Safeguard Security
LICENSE, CLEARONPURGE, PROGID                     Yes                 Yes
PERSISTENT protection                             -                   Yes
Audit of attempts to access a file                -                   Yes
Audit of attempts to manage a Safeguard record    N.A.
The relationship between the Safeguard subsystem and the Guardian environment can extend to a network of HP systems. Depending on your security requirements, you can install the Safeguard software on a single node in your network, on a few nodes, or on every node.

Components of the Safeguard Subsystem

The Safeguard subsystem consists of three major processes and several security database files.
The security administrator can decide to limit or expand any user's authorities to suit the company's security policy. In certain instances you might be given additional authority. For example, your system administrator could add an object such as a printer to the Safeguard database and then grant owner authority to you as a general user. With owner authority, you can manage the access control list for that printer.
2 Safeguard Logon Dialog This section explains how to log on and how to change your password on systems where the Safeguard subsystem is running. If the Safeguard subsystem is not running on your system, see the Guardian User’s Guide for logon instructions. To gain access to your system, use the LOGON command. To do so, you must have a user name and user ID assigned to you. In addition, you should be given a password.
You can also terminate the LOGON command at any time by pressing Ctrl/Y or Break.

Using the LOGON Command

The LOGON command accepts your user name and password in several different formats, as the following examples show. From H06.28/J06.17 RVU onwards, the PASSWORD-ERROR-DETAIL global attribute is supported for password change during LOGON also.
appears only if the password has an expiration date and the user is allowed to change the password at this time. Another message indicates the date and time of the last successful logon for this user. Most systems also display a greeting message that typically includes the name of the system being accessed. Another message describes failed logon attempts.
Last Logon: 18 DEC 1994, 11:23
Last Unsuccessful Attempt: 18 Dec 1994, 11:20 Total Failures: 5
Good Morning. Welcome to \SFO

Another option for changing the password is to enter the current and new passwords on one line and the verification of the new password on the next line:

SAFEGUARD 1> LOGON support.jane
Password: alpha4,BigTop
Reenter new password: BigTop
The password for support.jane has been changed.
procedure. With displayable passwords, you type your user name and password on the same line, separated by a comma:

SAFEGUARD 1> LOGON support.jane,alpha4
*WARNING* Password Expires: 4 Jan 1995, 12:00
Last Logon: 18 DEC 1994, 11:23
Last Unsuccessful Attempt: 18 Dec 1994, 11:20 Total Failures: 5
Good Morning.
Logging On to a Remote System

To access a remote system using the Safeguard logon dialog, you must use the Safeguard LOGON program. To run this program, you must already be logged on to your local system, and the Safeguard software must be running on the remote system. The program initiates the logon prompt from the Safeguard software on the remote system so that you can log on to that system from your local terminal.
3 Securing Disk Files This section acquaints you with the process of securing disk files with the Safeguard subsystem.
Table 3-1. Disk-File Commands (page 2 of 2)

Command         Action
SET DISKFILE    Establishes default disk-file attributes that you specify. Any subsequent ADD DISKFILE commands use these defaults for attributes not specified in the ADD DISKFILE command.
SHOW DISKFILE   Displays the current default attributes for disk files. Any subsequent ADD DISKFILE commands use these defaults for attributes not specified in the ADD DISKFILE command.
Table 3-2. Disk-File Attributes (page 2 of 2)

Attribute     Function
PERSISTENT    Specifies that the authorization record for a file is to be retained if the file is purged.
PROGID        Applicable only to files that contain object code; sets the process access ID (PAID) to the user ID of the file's primary owner.
TRUST         Specifies whether or not the file can be trusted to not access I/O buffers during execution. Applies only to program files.
Safeguard control by creating an authorization record for the file. You can define the security for a file by setting the file's attributes in the authorization record. One of these attributes is the OWNER attribute. Unless you change the OWNER attribute, you are the owner, and only you (or a privileged user, namely, owner’s group manager and super user) can make changes to the authorization record.
Once again, display the authorization record:

=INFO DISKFILE report1

The display shows:

                      LAST-MODIFIED    OWNER   STATUS   WARNING-MODE
$DATA.SALES
  REPORT1             18JUL05, 11:03   2,1     THAWED   OFF

    002,001        R,W,E,P, O

The file report1 is protected by the Safeguard software with a simple access control list that consists of only your user ID. To modify or expand the access control list, see Working With Access Control Lists on page 3-7.

Note.
The display shows the default attributes for a disk file that are in effect when you start a SAFECOM session. No access control list is defined. You can change any of the default attributes at any time during the session, and the changes remain in effect until you exit SAFECOM. The default attributes return to their original state when you exit SAFECOM. To change any of the default attributes, use the SET DISKFILE command.
Working With Access Control Lists

You can define access control lists in three ways:
• By setting a default access control list for a SAFECOM session (with the SET DISKFILE command)
• By specifying an access control list when you add the file to the Safeguard database (with the ADD DISKFILE command)
• By altering the authorization record (with the ALTER DISKFILE command)

In every case, the access control list for a disk file defines the users and us
Parentheses enclose multiple access authorities in three of the commands. You can include more than one access specification in a single SET command, as in the last command, by separating the specifications with a semicolon. There are two ways to specify users—by name or by number. In the last command, the user name admin.bill corresponds to user ID 8,4. The DENY keyword in the last command specifically denies admin.
To see the settings for quarter1:

=INFO DISKFILE quarter1

The display shows:

                      LAST-MODIFIED    OWNER   STATUS   WARNING-MODE
$DATA.SALES
  QUARTER1            23JUL05, 15:00   2,1     THAWED   OFF

    002,001        R,W,E,P
    002,018        R,W,E,P
    004,012        R
    008,004  DENY  R
    002,*          R,W
    008,*          R

The access control list includes both the new entry with READ authority for user 4,12, and the entries specified in the default access control list.
The display shows:

                      LAST-MODIFIED    OWNER   STATUS   WARNING-MODE
$DATA.SALES
  QUARTER1            23JUL05, 15:08   2,1     THAWED   OFF

    002,001        R,W,E,P
    002,018        R,W,E,P
    004,012        R
    008,004  DENY  R
    009,023        R,W
    002,*          R,W
    008,*          R

An entry for user ID 9,23 has been added. When you specify a new access control list entry, that entry does not replace the existing entries. It is added to them.
The display shows:

                      LAST-MODIFIED    OWNER     STATUS   WARNING-MODE
$SYSTEM.SFGD
  TEST                14JUL11, 17:34   255,255   THAWED   OFF

    NO ACCESS CONTROL LIST DEFINED!

    PROCESS-ACCESS LIST = 2,1 E

Note. A denial of authorities for a user takes away only those authorities specifically denied. Any other authorities granted to that user or that user's group are still valid for the user.
The entry for user ID 9,23 has been removed from the access control list.

Note. If you are attempting to remove a deleted user from an access control list, you must specify the user ID, not the user name. A deleted user is one whose user authentication record has been deleted from the Safeguard database.

Granting or Denying Access to an ACL

You can grant or deny access to entries in an ACL.
Example 1:

DENY 040,002 R 040,004 R 040,006 R 040,* R

In this example, the owner of the object wants to allow read access to only specific users in group 40. However, the DENY statement overrides the other ACLs.

Example 2:

DENY 040,002 R DENY 040,004 R DENY 040,006 R 040,* R

In this example, read access is granted to all group 40 users except those specified in the DENY statements.
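The DENY behaviour described in this section, as an added example in Python that is not part of the manual or of the Safeguard product: a simplified model that parses ACL entries in the INFO DISKFILE layout and computes a local user's effective authorities. The function names are hypothetical, the quarter1 entries are re-typed from the display shown earlier, Example 2 is re-typed in the same layout, and network user IDs and frozen records are not modelled.

```python
import re
from typing import NamedTuple, Optional


class AclEntry(NamedTuple):
    group: int
    member: Optional[int]   # None stands for the "*" wild card (whole group)
    deny: bool
    authorities: frozenset  # single-letter codes: R, W, E, P, C, O


# One ACL line as printed by INFO DISKFILE: "group,member [DENY] auth[,auth...]"
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}),(\d{1,3}|\*)\s+(DENY\s+)?"
    r"([RWEPCO](?:\s*,\s*[RWEPCO])*)\s*$"
)

# Constructed sample input: the quarter1 ACL from the display in this section.
QUARTER1_ACL = """
002,001        R,W,E,P
002,018        R,W,E,P
004,012        R
008,004  DENY  R
002,*          R,W
008,*          R
"""

# Constructed sample input: Example 2, written in INFO DISKFILE layout.
EXAMPLE2_ACL = """
040,002  DENY  R
040,004  DENY  R
040,006  DENY  R
040,*          R
"""


def parse_acl(text):
    """Turn the ACL part of an INFO DISKFILE display into AclEntry tuples."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not an ACL entry: {line!r}")
        group, member, deny, auths = m.groups()
        entries.append(AclEntry(
            int(group),
            None if member == "*" else int(member),
            deny is not None,
            frozenset(a.strip() for a in auths.split(",")),
        ))
    return entries


def applies(entry, group, member):
    """An entry applies to the user itself or to the user's whole group."""
    return entry.group == group and entry.member in (None, member)


def effective_authorities(entries, group, member):
    """Grants from user and group entries, minus anything specifically denied.

    Assumption (from the manual's note): a DENY removes only the authorities
    it names and takes precedence over any grant of the same authority.
    """
    granted, denied = set(), set()
    for e in entries:
        if applies(e, group, member):
            (denied if e.deny else granted).update(e.authorities)
    return granted - denied


def check(entries, group, member, authority):
    """Return (allowed, reason) for one authority, naming the deciding entry."""
    def label(e):
        who = "*" if e.member is None else f"{e.member:03d}"
        return f"{e.group:03d},{who}"

    hits = [e for e in entries
            if applies(e, group, member) and authority in e.authorities]
    denies = [e for e in hits if e.deny]
    if denies:
        return False, f"denied by entry {label(denies[0])}"
    if hits:
        return True, f"granted by entry {label(hits[0])}"
    return False, "no entry grants it"


if __name__ == "__main__":
    acl = parse_acl(QUARTER1_ACL)
    for user in [(2, 1), (2, 18), (2, 7), (4, 12), (8, 4), (8, 5), (9, 23)]:
        auths = ",".join(sorted(effective_authorities(acl, *user))) or "none"
        print(f"{user[0]},{user[1]}: {auths}  (READ {check(acl, *user, 'R')[1]})")
```

Reviewing an ACL this way makes it easy to spot a group-wide grant that an individual DENY was meant to narrow, or a user who ends up with no access at all.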
For example, suppose you want to use the same authorization record you defined for quarter1 for another disk file called quarter2. To add quarter2 to the Safeguard database, using the same security attributes and access control list as quarter1:

=ADD DISK quarter2, LIKE quarter1

Note. The LIKE keyword sets all the security attributes of one file (not just the access control list) to those of another file.
For example, the owner of the disk file (user ID 2,1) can restore the access control list for quarter1 by entering:

=THAW DISKFILE quarter1

The STATUS field of the INFO display shows that the access control list is thawed:

=INFO DISKFILE quarter1

$DATA.
To display the audit settings for quarter1:

=INFO DISKFILE quarter1, DETAIL

The DETAIL option shows an expanded version of the INFO display:

$DATA.
In the previous examples in this section, you are the only owner of quarter1. Assume you want user ID 2,18 to own quarter1 also. You could change the OWNER attribute, but then you would no longer own the file. Instead, you might want to grant user ID 2,18 OWNER authority in an access control list.
To set the CLEARONPURGE attribute for the file quarter1, used in the previous examples:

=ALTER DISKFILE quarter1, CLEARONPURGE ON

To verify that the CLEARONPURGE attribute is on:

=INFO DISKFILE quarter1, DETAIL

$DATA.
To verify the setting:

=INFO DISKFILE quarter1, DETAIL

$DATA.
You can also use the WHERE LICENSE option with the ALTER, DELETE, FREEZE, and THAW commands.

The PROGID Attribute

The PROGID attribute applies only to disk files that contain object code. The PROGID attribute is used to determine the process access ID (PAID) when a program file is run as a process.
The TRUST Attribute

The TRUST attribute enables the operating system to optimize I/O performance and applies only to object files. It is available only in H-series RVUs and can be set only by the super ID.
To verify the setting:

=INFO DISK progfile, DET

                      LAST-MODIFIED    OWNER   STATUS   WARNING-MODE
$DATA.SALES
  PROGFILE            24JUL05, 11:38   5,5     THAWED   OFF

    005,005        R,W,E,P
    004,*          R,E
    005,*          R,W

    OBJECT-TEXT-DESCRIPTION =
    AUDIT-PRIV-LOGON = OFF
    AUDIT-ACCESS-PASS = NONE
    AUDIT-ACCESS-FAIL = NONE
    LICENSE = OFF
    PROGID = ON
    TRUST = SHARED
    AUDIT-MANAGE-PASS = NONE
    AUDIT-MANAGE-FAIL = NONE
    CLEARONPURGE = OFF
    PERSISTENT = OFF
    PRIV-LOGON = OFF

Note.
When a file is removed from the Safeguard database, the user specified by the OWNER attribute becomes the Guardian owner. Users who had OWNER authority on the access control list no longer own the file. Removing a disk file from the Safeguard database does not change the setting of the CLEARONPURGE, LICENSE, or PROGID attributes. These settings remain in effect with Guardian security.
4 Securing Subvolumes The Safeguard subsystem allows you to secure disk subvolumes in generally the same manner as you secure disk files. The same principles apply when you add, change, or delete authorization records for subvolumes. You use the same basic set of commands—ADD, ALTER, DELETE, FREEZE, INFO, RESET, SET, SHOW, and THAW. For example, to add a subvolume to the Safeguard database, use the ADD SUBVOLUME command. You can also use the same security attributes to specify auditing for subvolumes.
Access Authorities for Subvolumes

By default, anyone can protect a subvolume by adding it to the Safeguard database and specifying the access authorities for the subvolume.
5 Securing Processes and Subprocesses You secure processes and subprocesses in generally the same manner as disk files and subvolumes. You use the same set of commands: ADD, ALTER, DELETE, FREEZE, INFO, RESET, SET, SHOW, and THAW. Also, except for EXECUTE authority, the same access authorities—READ, WRITE, PURGE, CREATE, and OWNER—apply to individual processes and subprocesses. There is no EXECUTE authority for processes and subprocesses.
Protecting Processes

Process descriptors contain a sequence number. Because this sequence number is not part of SAFECOM syntax, do not include it when protecting process names with the Safeguard subsystem. Upon creation of a process, you have the option of naming the process. You can either name the process yourself or allow the system to generate a name.
6 Obtaining User and Alias Information As a general user, you can obtain security information about your disk files, subvolumes, and processes, as well as information about your own user authentication record. As discussed in previous sections of this manual, you use the SHOW command to display default security attributes for a session and the INFO command to display current security attributes for an existing file, subvolume, or process.
• CREATION-TIME of the user.

Note. The CREATION-TIME attribute is supported only on systems running J06.04 and later J-series RVUs, H06.15 and later H-series RVUs and G06.32 and later G-series RVUs.

• Creator details specifying name, type, user ID, and node number where user was created.

Note. This information is supported only on systems running J06.04 and later J-series RVUs, H06.15 and later H-series RVUs, and G06.
1> SAFECOM INFO USER 8,54, DETAIL

GROUP.USER STATUS ACCTS.
Note. The TEXT-DESCRIPTION attribute is supported only on systems running G06.27 and later G-series RVUs and H06.06 and later H-series RVUs. The CREATION-TIME, CREATOR-USER-NAME, CREATOR-USER-TYPE and CREATOR-NODENUMBER attributes are supported only on systems running J06.04 and later J-series RVUs, H06.15 and later H-series RVUs, and G06.32 and later G-series RVUs.
unexpectedly, notify your security administrator. The failed logon count and last failed logon time also appear as a part of the Safeguard logon dialog.

About Alias Authentication Records

You can have one or more user aliases. An alias is an alternate name that you can use to log on to the system. An alias has its own authentication record with attributes that can differ from those in your user authentication record.
Viewing an Alias Authentication Record

The following example shows how to check the authentication record for the user alias J-Brown.
Note. The TEXT-DESCRIPTION attribute is supported only on systems running G06.27 and later G-series RVUs and H06.06 and later H-series RVUs. The CREATION-TIME, CREATOR-USER-NAME, CREATOR-USER-TYPE and CREATOR-NODENUMBER attributes are supported only on systems running J06.04 and later J-series RVUs, H06.15 and later H-series RVUs, and G06.32 and later G-series RVUs.
7 Working With SAFECOM

SAFECOM is the Safeguard command interpreter. You can use SAFECOM to enter commands in any of the following modes of operation:
• Interactive mode
• Execute-and-quit mode
• Batch mode

Interactive mode allows you to enter any number of commands and verify the results before proceeding. For the general user, this mode is simple to use yet flexible enough to handle routine Safeguard tasks. Execute-and-quit mode is most useful for entering one or two commands.
allows you to use the HISTORY, ?, !, and FC session-control commands to recall, edit, and execute commands entered earlier in the same session.

SAFECOM Session-Control Commands

After you start an interactive SAFECOM session, you can enter either of two types of commands: session-control commands, which manage your interactive session, and security commands, which specify the security controls for your disk files and subvolumes.
Table 7-1. SAFECOM Session-Control Commands (page 2 of 2)

Command                  Meaning
? (Question mark)        Displays a specified command that you previously entered during the current SAFECOM session.
! (Exclamation point)    Displays and executes a specified command that you previously entered during the current SAFECOM session.
-- (Two hyphens)         Delimits comments in SAFECOM command lines.
& (Ampersand)            Indicates that the command is continued on the next line.
The comments "Interactive, OUT = IN" in the display indicate an interactive session. (The OUT file is the same as the IN file.)

Note. Do not put a semicolon within a comment because it terminates the line and causes the remainder of the comment to be treated as a SAFECOM command.
Redirecting Output for a Single Command

Usually, with SAFECOM operating in interactive mode, output is displayed on the home terminal because the home terminal is the default OUT file. However, SAFECOM can be directed to report to an EDIT file or to list a SAFECOM report on a printer. To do this, include an OUT option to redirect SAFECOM output for a single command.
To display a list of the commands at the SAFECOM prompt:

=HELP
HELP is available for the following SAFECOM commands:

ADD       FC         OBEY      SHOW      !
ALTER     FREEZE     OUT       STOP
ASSUME    HELP       RELEASE   SYNTAX
DELETE    HISTORY    RESET     SYSTEM
DISPLAY   INFO       RUN       THAW
ENV       LOG        SELECT    VOLUME
EXIT      NEXTFILE   SET       ?

Enter HELP COMMANDS for brief descriptions of all SAFECOM commands.
Enter HELP GRAMMAR for the complete syntax of all SAFECOM commands.
Displaying and Editing Previous Commands

SAFECOM provides four commands that allow you to display, change, and execute commands that you previously entered during the current session. These commands and their functions are:

HISTORY   Displays a designated number of the most recent commands entered during the current session; also can clear the last command or all commands from the history buffer.
Displaying a Specific Command

The ? command allows you to display a specific command entered earlier in the current session. You can specify the command to be displayed by entering a line number, a relative line number, or a text string, as the following examples show.
Correcting Mistakes Using the FC Command

The FC command allows you to display and edit a command you entered previously in the current session. This feature is handy for correcting typographical errors or for executing several similar commands. FC supports the same search options as the ? and ! commands. You can request a command line by line number, relative line number, or text string.
PROGFILE is changed to FILE03. After the command has been altered to your satisfaction, press the Return key on the editing line to execute the edited command:

=FC 18
=ALTER DISKFILE PROGFILE, PROGID ON
.               dddd
.ALTER DISKFILE FILE, PROGID ON
.                   i03
.ALTER DISKFILE FILE03, PROGID ON
.
Using SAFECOM in Execute-and-Quit Mode

If you need to enter only a few SAFECOM commands, you can use the execute-and-quit mode from TACL. To run SAFECOM in this mode, type "SAFECOM," followed by one or more security commands. SAFECOM executes the commands and immediately returns control to TACL. If you want to execute another SAFECOM command, you must begin that command by retyping SAFECOM at the TACL prompt.
execute the commands in the EDIT file, run SAFECOM and, using the IN option, name the EDIT file as the input file. For example, suppose this sequence of commands is in an EDIT file called $system.secmgt.saleinfo:

INFO VOLUME $data
INFO SUBVOLUME $data.sales1
INFO DISKFILE $data.sales1.*
INFO SUBVOLUME $data.sales2
INFO DISKFILE $data.sales2.*
INFO SUBVOLUME $data.sales3
INFO DISKFILE $data.sales3.
You can embed comments within a command by including double hyphens at the beginning and end of the comment:

ALTER DISKFILE report1, ACCESS 2,78 -- give ted jones -- READ

When SAFECOM encounters a double hyphen (--), it ignores all following characters until it reaches either the end of the line or the next double hyphen.
which a batch operation uses the command file $system.mgr.tight to set up current default values for disk-file attributes:

=VOLUME $system.mgr
=OBEY tight
=ASSUME DISKFILE
. . .
Using Wild-Card Characters in SAFECOM Commands

In most SAFECOM commands, you can use wild-card characters to match characters in an object name. In certain instances, you can also specify wild-card characters in user names. The following wild-card characters are supported:

*   Use an asterisk (*) to match any number of characters (zero, one, or more).
?   Use a question mark (?) to match a single character.
The following command displays attributes of all disk files in the current subvolume whose names begin with the letters ACCT:

=INFO DISKFILE acct*

$DATA.
• Wild cards in ADD commands for disk files, volumes, and subvolumes affect only objects that already exist. For example, the following command protects only files that currently exist on volume $VOL1 and subvolume DATA:

=ADD DISKFILE $VOL1.DATA.*

• You cannot use wild cards in ADD commands for devices, subdevices, processes, subprocesses, and terminals.
SAFECOM RUN command are the same as those of the TACL RUN command. For further details regarding this command, refer to the Safeguard Reference Manual. For example, the following command runs the program TRACKER that resides in the current default subvolume:

=RUN TRACKER / IN TRACK1, OUT TRACK2, NOWAIT /

This command specifies that the file TRACK1 is the input file for the program, and the file TRACK2 is the output file for the program.
8 Changing Display Options

SAFECOM provides a DISPLAY command that allows you to customize your SAFECOM prompt and to control various INFO command options during an interactive session.
Table 8-2. Prompt Items for the DISPLAY PROMPT Command

Item                Description
string              Displays a user-supplied text string in the prompt.
ASSUME OBJECTTYPE   Displays the currently assumed object type. If no object type is assumed, nothing additional is displayed.
COMMAND NUMBER      Displays the current command line number.
CPU                 Displays the number of the CPU in which SAFECOM is running.
DATE                Displays the current date.
Controlling INFO Report Warnings

SAFECOM normally displays a warning message if you issue an INFO DISKFILE command for a file that has not been added to the Safeguard database. You can inhibit the display of this message for an entire SAFECOM session by using the DISPLAY WARNINGS command. This feature can be convenient if you are requesting information on all files in a subvolume.
The INFO command WARNINGS option has three forms:

WARNINGS OFF turns off warning messages for this command.
WARNINGS ON turns on warning messages for this command.
WARNINGS turns on warning messages for this command.

For example, even if you turn off warnings for the session, you can use the following INFO command to turn on warnings for the command:

=INFO DISKFILE $data.sales.*, WARNINGS ON

The display shows:

$DATA.
Controlling the INFO DETAIL Option for a Session Changing Display Options The display shows: $DATA.SALES REPORT1 LAST-MODIFIED OWNER STATUS WARNING-MODE 18JUL92, 11:00 2,1 THAWED OFF LAST-MODIFIED OWNER STATUS WARNING-MODE 18JUL92, 11:02 2,1 THAWED OFF LAST-MODIFIED OWNER STATUS WARNING-MODE 18JUL92, 11:05 2,1 THAWED OFF NO ACCESS CONTROL LIST DEFINED! $DATA.SALES REPORT2 NO ACCESS CONTROL LIST DEFINED! $DATA.
DISPLAY DETAIL has three forms:

DISPLAY DETAIL OFF turns off the DETAIL option for the session.
DISPLAY DETAIL ON turns on the DETAIL option for the session.
DISPLAY DETAIL turns on the DETAIL option for the session.

If you use the DISPLAY DETAIL OFF command to turn off the detail option for a session, you can override it for a single INFO command by specifying the DETAIL option in that command.
By default, the INFO report identifies users by their user IDs. To view user names instead of user IDs, execute the following SAFECOM commands:

=DISPLAY USER AS NAME
=INFO DISKFILE quarter1

The display shows:

                  LAST-MODIFIED    OWNER        STATUS   WARNING-MODE
$DATA.SALES
  QUARTER1        23JUL92, 15:00   ADMIN.BILL   THAWED   OFF

  ADMIN.BILL      R,W,E,P,C,O
  ADMIN.LYNN      R,W
  ADMIN.*         R

Note.
The display shows:

                  LAST-MODIFIED    OWNER   STATUS   WARNING-MODE
$DATA.SALES
  RPT01           26JUL92, 13:04   2,5     THAWED   OFF

  002,005         R,W,E,P,  O
  002,*           R

  OBJECT-TEXT-DESCRIPTION = "Record Created"

  AUDIT-ACCESS-PASS = NONE     AUDIT-MANAGE-PASS = NONE
  AUDIT-ACCESS-FAIL = NONE     AUDIT-MANAGE-FAIL = NONE
  LICENSE = OFF                CLEARONPURGE = OFF
  PROGID = OFF                 PERSISTENT = OFF

By default, the INFO command output is displayed in report form.
9 Working with Patterns

Background

The NonStop operating system groups files into subvolumes and volumes. Safeguard provides three levels of access control to files using the volume, subvolume, and file name. If all the files in a subvolume can have the same access requirements, then one subvolume protection record will meet the requirements for many files. Similarly one volume protection record would suffice if all the files and subvolumes on a single volume have the same access requirements.
How do Patterns Differ From What was Used Before?

There are now two types of protection records that can secure disk files:

• Diskfile protection records
• Diskfile-pattern protection records

Diskfile protection records represented a one to one mapping of a protection record to a disk file, or subvolume, or volume.
Not a legal pattern protection record because it has wildcards in the volume name.

$D0201.*
Not a legal pattern because there is only a subvolume component, and not a diskfile component. However, when adding this pattern into SAFECOM, the current subvolume will be taken from the environment. The pattern will be translated into a legal pattern: $D0201.subvol.*.

$SYSTEM.SYS00.OSIMAGE
Not a legal pattern because it contains no wildcards.

SYS??.
Both of these patterns match files 1 and 2. However, only one protection record can be used to protect these files. The more specific pattern is used, which in this case is pattern 2, because APPL? is more specific than APPL*.

One-Dimensional Search

A one-dimensional search is a search using the volume only, the subvolume only, or the filename only. A multi-dimensional search is one in which any two or three dimensions are searched.
Safeguard Pattern Configuration

Use the Safeguard configuration attribute CHECK-DISKFILE-PATTERN to enable, disable, and control the search order for pattern and non-pattern protection records.

• OFF
  Specifies no pattern searches will occur. This configuration is equivalent to Safeguard versions prior to G06.25.
The pattern protection records are stored in a new file in each volume’s SAFE subvolume. The file name is SAFE.PATGUARD. The integrity of the existing SAFE.GUARD files must be maintained. Therefore, the existing rules for managing non-pattern protection records will be maintained, even though the access result would be satisfied using a pattern protection record.
Safeguard Pattern Configuration Working with Patterns Table 9-1.
Safeguard Pattern Configuration Working with Patterns access evaluation based on the Safeguard global configuration attribute COMBINATION-DISKFILE values FIRST-ACL, FIRST-RULE, and ALL. Table 9-2.
the Safeguard global configuration attribute COMBINATION-DISKFILE values FIRST-ACL, FIRST-RULE, and ALL. Table 9-3.
Safeguard Pattern Configuration Working with Patterns Table 9-3.
Examples

• To set diskfile pattern searches to be performed after NORECORD is returned for non-pattern checking:

ALTER SAFEGUARD, CHECK-DISKFILE-PATTERN LAST

• To set diskfile pattern searches to be performed first (if the result is NORECORD, non-pattern checking is then done):

ALTER SAFEGUARD, CHECK-DISKFILE-PATTERN FIRST

• To disable diskfile pattern searches (that is, perform only non-pattern checking):

ALTER SAFEGUARD, CHECK-DISKFILE-PATTERN
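The search order set by CHECK-DISKFILE-PATTERN, together with the wild-card and pattern-legality rules given earlier in this chapter, can be modeled in a few lines. This is an added illustration, not Safeguard code: the function names and sample records are constructed, only diskfile records stand in for non-pattern checking (volume and subvolume records and COMBINATION-DISKFILE are not modeled), and the first matching pattern is returned without ranking patterns by specificity.

```python
import re

NORECORD = "NORECORD"   # result name the page uses when no record applies

def _component_regex(component):
    """SAFECOM wild cards: * matches zero or more characters, ? exactly one."""
    out = []
    for ch in component:
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("".join(out) + r"\Z", re.IGNORECASE)

def is_legal_pattern(pattern):
    """Legality rules shown in the pattern examples of this chapter."""
    parts = pattern.split(".")
    if len(parts) != 3:                      # volume.subvolume.diskfile required
        return False
    volume, subvol, diskfile = parts
    if "*" in volume or "?" in volume:       # no wild cards in the volume name
        return False
    return any(c in subvol + diskfile for c in "*?")   # needs a wild card

def pattern_matches(pattern, filename):
    """Match a fully qualified file name against a pattern, part by part."""
    p, f = pattern.split("."), filename.split(".")
    return len(p) == len(f) == 3 and all(
        _component_regex(a).match(b) for a, b in zip(p, f))

def find_record(filename, mode, diskfile_records, pattern_records):
    """Return (record type, record name), or NORECORD, for OFF/FIRST/LAST."""
    name = filename.upper()

    def non_pattern():
        return ("DISKFILE", name) if name in diskfile_records else NORECORD

    def pattern():
        for pat in pattern_records:
            if pattern_matches(pat, name):
                return ("DISKFILE-PATTERN", pat)
        return NORECORD

    order = {"OFF": [non_pattern],              # non-pattern checking only
             "FIRST": [pattern, non_pattern],   # patterns, then non-pattern
             "LAST": [non_pattern, pattern]}[mode]
    for search in order:
        result = search()
        if result != NORECORD:
            return result
    return NORECORD

# Constructed sample records (assumptions, not taken from the manual).
DISKFILE_RECORDS = {"$DATA.APLOGS.LOG1"}
PATTERN_RECORDS = ["$DATA.APLOGS.LOG*"]

def demo():
    """Show which record decides for each file under each setting."""
    files = ("$DATA.APLOGS.LOG1", "$DATA.APLOGS.LOG2", "$DATA.APLOGS.AUDIT")
    return {f: {m: find_record(f, m, DISKFILE_RECORDS, PATTERN_RECORDS)
                for m in ("OFF", "FIRST", "LAST")} for f in files}

if __name__ == "__main__":
    for name, by_mode in demo().items():
        print(name, by_mode)
```

For $DATA.APLOGS.LOG1 the deciding record changes from the explicit diskfile record (OFF, LAST) to the pattern record (FIRST), which is the effect to review before changing the setting on a production system.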
security commands, see the Safeguard Reference Manual. Patterns may be used in SPI also.

Table 9-4. Diskfile-Pattern Commands

Command                  Action
ADD DISKFILE-PATTERN     Adds a diskfile pattern to the Safeguard database by creating an authorization record for the file.
ALTER DISKFILE-PATTERN   Changes one or more of the security attributes in the diskfile-pattern authorization record.
ALTER DISKFILE-PATTERN

ALTER DISKFILE-PATTERN Examples

• To alter a diskfile pattern to give SUPER.SUPER read and write access:

ALTER DISKFILE-PATTERN $DATA.APLOGS.LOG*, &
ACCESS SUPER.SUPER (R,W)

• To alter all diskfile patterns that match $DATA*.APLOGS.LOG*:

ALTER DISKFILE-PATTERN $DATA*.APLOGS.LOG*, ALL, &
ACCESS SUPER.SUPER (R,W)

DELETE DISKFILE-PATTERN

DELETE DISKFILE-PATTERN Examples

• To delete the diskfile pattern $ABC.*.
4. $DATA3.A*.B*

INFO DISKFILE-PATTERN $DATA1.A*.* would return pattern 1.
INFO DISKFILE-PATTERN $DATA1.A*.*, ALL would return patterns 1 and 2.
INFO DISKFILE-PATTERN $DATA*.A*.* would return patterns 1 and 3 (one dimensional search).
INFO DISKFILE-PATTERN $DATA*.A*.*, ALL would return patterns 1, 2, 3, & 4 (a multi-dimensional search).

If you added this pattern, ADD DISKFILE-PATTERN $*.*.
GROUP TEST R,W,E,P,C
GROUP \KONA.TEST R
\*.*.*

• To display the diskfile pattern $A.B.*:

INFO DISKFILE-PATTERN $A.B.*

• To display all diskfile patterns that match the search pattern $A.B.*:

INFO DISKFILE-PATTERN $A.B.*, ALL

A multi-dimensional search ignores the setting of WARNINGS. Therefore no warning message is displayed.

• To display all diskfile patterns that match the search pattern $A.B.
SHOW DISKFILE-PATTERN

SHOW DISKFILE-PATTERN Example

To show the current default values for the diskfile pattern:

SHOW DISKFILE-PATTERN

THAW DISKFILE-PATTERN

THAW DISKFILE-PATTERN Example

To thaw all diskfile patterns that have a volume name ending in the letter P:

THAW DISKFILE-PATTERN $*P.*.*, ALL

SAFECOM Saved-Diskfile-Pattern Commands

Table 9-5 lists the SAFECOM saved-diskfile-pattern commands.
Table 9-5. Saved-Diskfile-Pattern Commands

Command                 Action
SET DISKFILE-PATTERN    Establishes default diskfile-pattern attributes that you specify. Any subsequent ADD SAVED-DISKFILE-PATTERN commands use these defaults for attributes not specified in the ADD SAVED-DISKFILE-PATTERN command.
SHOW DISKFILE-PATTERN   Displays the current default attributes for the attributes associated with object type.
This command alters the saved-diskfile-pattern for all matching patterns. For example, if the following patterns exist, they are altered:

$DATA01.APLOGS.LOGAPR*
$DATA1.APLOGS.LOG*
$DATA123.APLOGS.LOG?
$DATA.APLOGS.LOG????
$DATABLE.APLOGS.LOGON?1A

DELETE SAVED-DISKFILE-PATTERN

DELETE SAVED-DISKFILE-PATTERN Examples

1. To delete the saved-diskfile-pattern $ABC.*.*:

DELETE SAVED-DISKFILE-PATTERN $ABC.*.*

2.
GROUP \KONA.TEST R
\*.*.* R

2. To display the saved-diskfile-pattern $DATA.*TEST.*, DETAIL:

=INFO SAVED-DISKFILE-PATTERN $DATA.*TEST.*,DETAIL

The display appears as:

LAST-MODIFIED OWNER STATUS WARNING-MODE
$DATA.*TEST
* 28SEP04, 5:44 255,255 THAWED
\KONA.PROD.CARLY
\KONA.TEST.JIMMY
GROUP TEST
GROUP \KONA.TEST
\*.*.
SHOW SAVED-DISKFILE-PATTERN

SHOW SAVED-DISKFILE-PATTERN Example

To display the current default values for the diskfile pattern:

SHOW SAVED-DISKFILE-PATTERN

THAW SAVED-DISKFILE-PATTERN

THAW SAVED-DISKFILE-PATTERN Example

To thaw all the saved-diskfile-pattern records that have a volume name ending in the letter P:

THAW SAVED-DISKFILE-PATTERN $*P.*.
A Guardian File Security

The Guardian environment automatically provides a basic level of security for all disk files. You can manipulate Guardian file security through TACL and FUP.
Table A-1. Guardian File Security Settings

Code   Access
O      Only the owner of the file on the local system can access the file.
U      Only the owner of the file on the local system or on the network can access the file.
G      Any member of the owner's group on the local system can access the file.
C      Any member of the owner's group, either on the local system or on the network, can access the file.
A      Any user on the local system can access the file.
Displaying File Security

You can examine the security string for a specific file or all files in your current subvolume. Both the TACL FILEINFO command and the FUP INFO command display security strings for your files.
1. Use the TACL WHO command to check your current default security string:

1> WHO
Home terminal: $HOLDEN
TACL process: \MEL.$G633
Primary CPU: 8 (TXP)   Backup CPU: 9 (TXP)
Default Segment File: $BILLS.#5582
  Pages allocated: 12   Pages Maximum: 1024
  Bytes Used:18924 (0%)   Bytes Maximum: 2097152
Current volume: $BILLS.HOLDEN
Saved volume: $BILLS.HOLDEN
Userid: 7,124   Username: PAY.HOLDEN   Security: "NUNU"
2>

2.
1. Create the new files:

1> FUP
File Utility Program - T9074C31 - (02AUG93) System \MEL
Copyright Tandem Computers Incorporated 1981, 1983, 1985-1993
-CREATE ACCT4
CREATED - $BILLS.HOLDEN.ACCT4
-CREATE ACCT5
CREATED - $BILLS.HOLDEN.ACCT4
-

2. Change the security string for each file:

-SECURE ACCT4, "GOGO"
-SECURE ACCT5, "GOGO"
-

3. Verify the security strings and then exit from FUP:

-INFO ACCT4
CODE BLOCK $BILLS.
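The codes in Table A-1 can be turned into an access check for a security string such as "NUNU" or "GOGO". This is an added sketch, not HP code: it assumes the standard Guardian layout in which the four positions cover read, write, execute and purge in that order, includes the N and - codes that this excerpt cuts off, and does not model the super ID's normal override of file security.

```python
SUPER_ID = (255, 255)                                  # (group, member)
OPERATIONS = ("read", "write", "execute", "purge")     # string positions 1-4
# Codes that let a request arriving over the network succeed, and for whom.
REMOTE_SCOPE = {"U": "owner", "C": "owner's group", "N": "any user"}

def parse(security):
    """Split a four-character security string into {operation: code}."""
    s = security.strip('"').upper()
    if len(s) != 4 or any(c not in "OUGCAN-" for c in s):
        raise ValueError("not a Guardian security string: %r" % security)
    return dict(zip(OPERATIONS, s))

def allows(security, operation, requester, owner, remote=False):
    """Would `requester` (group, member) pass the check for `operation`?

    O, U, G, C and A follow Table A-1. N (any user, local or network) and
    - (local super ID only) are standard codes not visible in this excerpt.
    """
    code = parse(security)[operation]
    same_user = requester == owner
    same_group = requester[0] == owner[0]
    rules = {
        "O": same_user and not remote,
        "U": same_user,
        "G": same_group and not remote,
        "C": same_group,
        "A": not remote,
        "N": True,
        "-": requester == SUPER_ID and not remote,
    }
    return rules[code]

def remote_access(security):
    """Operations reachable from the network, with the widest scope allowed."""
    return {op: REMOTE_SCOPE[code]
            for op, code in parse(security).items() if code in REMOTE_SCOPE}

if __name__ == "__main__":
    owner = (7, 124)            # Userid of PAY.HOLDEN in the WHO output above
    colleague = (7, 10)         # constructed user in the same group
    for sec in ("NUNU", "GOGO"):
        print(sec, "remote exposure:", remote_access(sec))
        print("  colleague read :", allows(sec, "read", colleague, owner))
        print("  colleague write:", allows(sec, "write", colleague, owner))
```

Running `remote_access` over the security strings in a subvolume shows which files still carry network-visible defaults such as "NUNU" after they should have been tightened to something like "GOGO".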
B Protecting Your Terminal

As a general user, you need to take certain precautions to protect your terminal and prevent unauthorized access to your system. Namely, you must ensure the secrecy of your password, and you should log off or lock your terminal if you plan to leave it unattended.

Protecting Your Password

To log on to your system, you identify yourself by entering your user name (or user ID) and password.
As a final precaution in logging off, always clear your screen. Usually, TACL is configured to handle this automatically. If your terminal screen is not cleared automatically when you log off, be sure that no sensitive data is left on the screen.
C SAFECOM Command Syntax

This appendix summarizes the syntax of the SAFECOM commands presented in this manual. The commands are listed in alphabetical order. In every command that manages a system object, object-type can be omitted if it is the current assumed object type. Remember that SAFECOM reserved words can be abbreviated. Typically, a reserved word can be abbreviated to its first three characters unless a longer abbreviation is necessary to distinguish between similar reserved words.
object-type can be any of the following:

DISKFILE
DISKFILE-PATTERN
SUBVOLUME
PROCESS
SUBPROCESS

(DISKFILE can also be spelled as DISCFILE.)

object-list has the following form:

{ object-spec }
{ ( object-spec [ , object-spec ] ... ) }

object-spec
for disk files, can be either a fully or a partially qualified disk-file name or a disk-file set.
for diskfile patterns, can be fully qualified diskfile-pattern name or set.
ALTER object-type object-list [ , ] { LIKE object-name | object-attribute } [ , object-attribute ] ...

ASSUME [ object-type ]

DELETE object-type object-list

DISPLAY command [ , command ] ...

command is one of the following DISPLAY commands:

[ AS ] COMMANDS [ ON | OFF ]
DETAIL [ ON | OFF ]
HEADERS [ ON | OFF | ONCE ]
PROMPT [ prompt-item ] [ ( prompt-item [ , prompt-item ] ) ...
DETAIL
SUMMARY

EXIT

FC [ string ]
   [ "string" ]
   [ linenum ]
   [ -linenum ]

FREEZE object-type object-list

HELP [ / OUT listfile / ] [ command-name ]
                          [ keyword ]
                          [ COMMANDS ]
                          [ ALL ]
                          [ * ]

HISTORY [ lines ]
        [ RESET LAST ]
        [ RESET ALL ]

INFO [ / OUT listfile / ] ALIAS { alias | ( alias [ , alias ] ... ) } [ [ , ] option ] [ , option ] ...
INFO [ / OUT listfile / ] object-type object-list [ , ] [ display-option ] [ , display-option ]

INFO [ / OUT listfile / ] USER { user-spec | ( user-spec [ , user-spec ] ... ) } [ [ , ] option ] [ , option ] ...

option is one of the following:

GENERAL
DETAIL
AUDIT
CI
OSS
REMOTEPASSWORD
DEFAULT-PROTECTION
GROUP
OWNER-LIST
TEXT-DESCRIPTION
WHERE expression

Note. The OWNER-LIST and TEXT-DESCRIPTION attributes are supported only on systems running H06.
AUDIT-ACCESS-FAIL [audit-spec]
AUDIT-MANAGE-PASS [audit-spec]
AUDIT-MANAGE-FAIL [audit-spec]
OBJECT-TEXT-DESCRIPTION "[text]"

Disk files also have the following attributes:

LICENSE { ON | OFF }
PROGID { ON | OFF }
CLEARONPURGE { ON | OFF }
PERSISTENT { ON | OFF }
TRUST { ME | SHARED | OFF } (H-series only)
AUDIT-PRIV-LOGON { ON | OFF }

access-spec has the following form:

user-list [-] [DENY] authority-list

user-list is one of the following:

{ net-user-spec } {
SYNTAX [ ONLY ] ON | OFF

SYSTEM [ \system-name ]

THAW object-type object-list

VOLUME [ $volume ]
       [ $volume.subvolume ]
       [ subvolume ]

? [ string ]
  [ "string" ]
  [ linenum ]
  [ -linenum ]

! [ string ]
  [ "string" ]
  [ linenum ]
  [ -linenum ]

Note. The OWNER-LIST attribute is supported only on systems running G06.27 and later G-series RVUs and H06.07 and later H-series RVUs.

Note. The TEXT-DESCRIPTION attribute is supported only on systems running G06.
Glossary

access control list. A list associated with an object that itemizes the subjects authorized to access that object and shows the access authorities granted to each subject.

ACL. See access control list.

alias. An alternate name for logging on to the system.

attribute. A security characteristic assigned to an object to apply special protection to that object. Examples are CLEARONPURGE and LICENSE.

audit.
primary owner. The owner of a Safeguard protection record whose user ID appears as the OWNER attribute in the record.

PROGID attribute. A security attribute for disk files that contain object code. When PROGID is ON, the user running the process obtains the privileges of the file's primary owner.

SAFECOM. The Safeguard command interpreter.

Secondary owners.