Safeguard Reference Manual

Abstract

This manual describes the syntax of commands needed to secure an HP NonStop™ system using the Safeguard software. The manual is intended for security administrators and general users.

Product Version

Safeguard G06, H04

Supported Release Version Updates (RVUs)

This publication supports G06.21 and all subsequent G-series RVUs and H06.
Document History

Part Number   Product Version      Published
520618-009    Safeguard G06, H03   May 2006
520618-010    Safeguard G06, H03   July 2006
520618-011    Safeguard G06, H03   August 2006
520618-012    Safeguard G06, H03   November 2006
520618-013    Safeguard G06, H04   February 2007
What’s New in This Manual

Changes to the H06.08 Manual

° PASSWORD-NUMERIC-REQUIRED {ON/OFF}
° PASSWORD-SPECIALCHAR-REQUIRED {ON/OFF}
° PASSWORD-SPACES-ALLOWED {ON/OFF}
° PASSWORD-MIN-QUALITY-REQUIRED {0 - 4}

Changes to the H06.
• RESET-BINARY-DESCRIPTION attribute on page 5-20
• NONPRINTABLE CHARACTERS error message on page A-35

Changes to the G06.29 Manual

• Updated the Disk-File Ownership on page 8-2 to include the support of **** display of the Safeguard secured files.
• Updated the Disk-File Access Authorization on page 8-3 to include the processes group list information.
Changes to the H06.06 Manual

• Added the definition for the PASSWORD-ALGORITHM attribute on page 16-19.
About This Manual

This reference manual presents the detailed syntax for the commands of SAFECOM, the command interpreter for the Safeguard subsystem. You use SAFECOM to establish Safeguard protection for users and system objects.

Readership of the Manual

This manual is intended for security administrators or other users who want to secure objects on their system or control user access to the system.
Section / Description (page 2 of 2)

Section 16, Safeguard Subsystem Commands
   Describes the Safeguard subsystem management commands, which are used to obtain information about the Safeguard subsystem, alter the Safeguard configuration, and stop the Safeguard software.

Section 17, Running Other Programs From SAFECOM
   Describes the SAFECOM RUN command

Appendix A, SAFECOM Error and Warning Messages and
   Explain SAFECOM error messages and define disk file access rules.
Notation Conventions

Hypertext Links

Blue underline is used to indicate a hypertext link within text. By clicking a passage of text with a blue underline, you are taken to the location described. For example:

This requirement is described under Backup DAM Volumes and Physical Disk Drives on page 3-2.

General Syntax Notation

The following list summarizes the notation conventions for syntax presentation in this manual.

UPPERCASE LETTERS.
each side of the list, or horizontally, enclosed in a pair of brackets and separated by vertical lines. For example:

FC [ num ] [ -num ] [ text ]
K [ X | D ] address

{ } Braces. A group of items enclosed in braces is a list from which you are required to choose one item. The items in the list may be arranged either vertically, with aligned braces on each side of the list, or horizontally, enclosed in a pair of braces and separated by vertical lines.
Line Spacing. If the syntax of a command is too long to fit on a single line, each continuation line is indented three spaces and is separated from the preceding line by a blank line. This spacing distinguishes items in a continuation line from items in a vertical list of selections. For example:

ALTER [ / OUT file-spec / ] LINE [ , attribute-spec ]…

!i and !o.
Notation for Messages

Nonitalic text. Nonitalic letters, numbers, and punctuation indicate text that is displayed or returned exactly as shown. For example:

Backup Up.

lowercase italic letters. Lowercase italic letters indicate variable items whose values are displayed or returned. For example:

p-register
process-name

[ ] Brackets. Brackets enclose items that are sometimes, but not always, displayed.
Notation for Management Programming Interfaces

The following list summarizes the notation conventions used in the boxed descriptions of programmatic commands, event messages, and error lists in this manual.

UPPERCASE LETTERS. Uppercase letters indicate names from definition files; enter these names exactly as shown. For example:

ZCOM-TKN-SUBJ-SERV

lowercase letters.
1 Introduction

This section introduces the Safeguard software and presents important basic concepts:

• Safeguard security-management features
  ° User Authentication
  ° Object-access authorization
  ° Auditing
  ° Control of logon dialog
  ° Security groups
  ° File-sharing groups
  ° Event-exit processes
• Definition of the terms authentication, remote, and local
• Who can use the SAFECOM commands and how this authority is granted
• Definition of the super ID’s capabilities and limitations

For more information
User Authentication

• Group managers can create Safeguard authentication records (ADD USER and ADD ALIAS) unless an alternative list of users has been specified with the access control list for OBJECTTYPE USER.

A user-authentication record contains these attributes:

° OWNER
° PASSWORD
° OWNER-LIST (supported on systems running G06.27 and later G-series RVUs and H06.
Object-Access Authorization

With the Safeguard software, you can secure these types of system objects:

• Disk files
• Disk volumes and subvolumes
• Devices and subdevices (including terminals, tape drives, communication lines, and printers)
• Processes and subprocesses (both named and unnamed)

You protect objects by defining an access control list (ACL) with the ACCESS attribute. ACLs specify who can access an object and what authorities they have.
Control Features for Disk Volumes

• Any local super-group user can create a Safeguard disk volume authorization record (ADD VOLUME) unless specific users have been designated with an access control list for OBJECTTYPE VOLUME.
  ° OWNER—ownership can be transferred to any user
  ° Auditing specifications
  ° ACCESS—an access control list to authorize access: Read, Write, Owner (RWO)
• The owner of a device authorization record can modify the record (ALTER DEVICE).
• The owner of a device record can freeze and thaw access to the device (FREEZE DEVICE and THAW DEVICE).
• The owner of a device record can delete the record (DELETE DEVICE).
• The owner of a process-name record can freeze and thaw access to the process name (FREEZE PROCESS and THAW PROCESS).
• The owner of a process-name record can delete the record (DELETE PROCESS).

Control Features for Subprocesses

• Any user can create a Safeguard subprocess-name record (ADD SUBPROCESS), unless a specific list of users has been designated with an access control list for OBJECTTYPE SUBPROCESS.
File-Sharing Groups

The Safeguard software allows you to create user groups for file-sharing purposes. With the GROUP commands, users can be assigned to multiple groups and group membership can be extended beyond 256 users. Section 7, Group Commands, describes how to create and maintain file-sharing groups.
to manage the Safeguard audit service itself. For the audit service commands, see the Safeguard Audit Service Manual.

Object Auditing

The four auditing attributes for objects:

AUDIT-ACCESS-PASS
AUDIT-ACCESS-FAIL
AUDIT-MANAGE-PASS
AUDIT-MANAGE-FAIL

For protected objects, AUDIT-ACCESS attributes control the auditing of attempts to access the object.

Definition of Terms: Authentication, Local, and Remote
Authentication
   The verification of a user’s claimed identity as a valid local user. Authentication might or might not be followed by logging the user on to the system. That is, authentication is always a part of logon, but logon does not always occur after authentication. A user must be authenticated before logon is permitted.

Interaction of Local and Remote Users and Requests
Thus, if REMOTE is the value of AUDIT-ACCESS-PASS for a disk file, the Safeguard software audits any attempt that it authorizes to access the file (that is, any authorized OPEN request for READ, WRITE, EXECUTE, or PURGE access) that originates from a remote system or is sent by a remote user.

The remote user described here is not the same as the network user (defined in Section 2, Common SAFECOM Language Elements).
Who Can Use SAFECOM Commands

Safeguard record for an object or user. In general, the SAFECOM commands that manage an existing Safeguard record are restricted to the user who owns the record and to that user’s group manager. However, the record can also be managed by any user who has been granted OWNER authority on the object’s access control list. This includes both the primary owner and any secondary owners.
Who Can Use SAFECOM Commands Introduction Table 1-1.
Abbreviating SAFECOM Commands

You can abbreviate any SAFECOM reserved words, including commands, attributes, and keywords. In most instances, you can abbreviate a reserved word to its first three characters, although you can use more than three characters for clarity. However, you cannot use fewer than three characters.
The Super ID

• Add the first member of a new group or add a group manager (ADDUSER program or SAFECOM ADD USER command) unless specified by the OBJECTTYPE USER.

You can restrict the authority of the super ID in several ways. For example, you can use the FREEZE USER command to freeze the super ID except for emergency situations. Then use the THAW USER command to thaw the super ID as required.
2 Common SAFECOM Language Elements

Many syntax elements in the SAFECOM command language are common to several SAFECOM commands. This simplifies learning and using the language. For example, the language elements that identify users are used in the user security commands and as components of object access lists.
Wild-Card Characters

attributes of all disk files whose names are five characters long and whose first four characters are ACCT.
• You must begin a device name with $ and a subdevice name with # even when you use wild cards. For example:

  =DELETE DEVICE $*
  =INFO TERM $c0.#*

• Do not mix wild cards with characters in user names when you specify an access control list. For example, the name PROG*.DON is invalid in specifying an access control list entry. Wild cards can be used in only two instances when you specify user names for an access control list.

Object Names
file names. An example is \MYSYS.$SYSTEM.SYSTEM.SAFECOM. A partially qualified file name omits one or more parts of the name. SAFECOM uses the current default system, volume, and subvolume names (possibly altered by SAFECOM SYSTEM and VOLUME commands) to expand the name to a fully qualified name.

Specifying Disk-File Names

You can identify a disk file with either a fully or a partially qualified disk file name.
Examples

=INFO DISKFILE \tops.$data.stats.rpt1
=INFO DISKFILE \sfo.$users1.nelson.rpt*
=ALTER DISKFILE \sys*.$ops?.*.quarter2, OWNER 86,2
=ADD DISKFILE \pts.$*.stats.*, OWNER admin.bob
=INFO /OUT safelist/ DISKFILE \*.$*.*.*

Partially Qualified Disk-File Names

In a partially qualified disk-file name, one or more of the system, volume, and subvolume names is omitted.
In this example, SAFECOM uses only the default system and subvolume names to expand this partially qualified disk-file name:

=SYSTEM \london
=VOLUME $data.sales
=INFO DISKFILE $books.report1

A fully qualified disk-file name follows:

\LONDON.$BOOKS.SALES.REPORT1

Examples

=FREEZE DISKFILE report4
=INFO DISKFILE $data.stats.report4
=INFO DISKFILE stats.report4
=THAW DISKFILE \stl.$data.report4
=ADD DISKFILE $dat*.*.*, LIKE $data.master.
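The name expansion and wild-card rules described above, as an added Python example for reviewing which disk files a wild-carded SAFECOM command would touch. It is not part of the manual or of SAFECOM: the function names and the sample inventory are constructed for illustration, and the matching rule ('*' matches any run of characters, '?' exactly one, applied within each part of the name) is an assumption.

```python
import re
from dataclasses import dataclass


@dataclass
class Defaults:
    """Current defaults, as set by the SAFECOM SYSTEM and VOLUME commands."""
    system: str     # e.g. "\\london"
    volume: str     # e.g. "$data"
    subvolume: str  # e.g. "sales"


def expand(name: str, d: Defaults) -> str:
    """Expand a disk-file name to the form \\SYSTEM.$VOLUME.SUBVOLUME.FILE."""
    parts = name.strip().upper().split(".")
    # A leading "\" marks a system name; a leading "$" marks a volume name.
    system = parts.pop(0) if parts[0].startswith("\\") else d.system
    volume = parts.pop(0) if parts and parts[0].startswith("$") else d.volume
    if len(parts) == 2:
        subvolume, filename = parts
    elif len(parts) == 1:
        subvolume, filename = d.subvolume, parts[0]
    else:
        raise ValueError(f"not a disk-file name: {name!r}")
    if not subvolume or not filename:
        raise ValueError(f"empty name part in {name!r}")
    return ".".join([system, volume, subvolume, filename]).upper()


def _part_regex(pattern: str):
    # Assumed semantics: '*' = zero or more characters, '?' = exactly one.
    return re.compile("".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern))


def matches(pattern: str, name: str, d: Defaults) -> bool:
    """True if the (possibly partially qualified) pattern covers the file name."""
    pat_parts = expand(pattern, d).split(".")
    name_parts = expand(name, d).split(".")
    # Wild cards never cross a part boundary, so compare part by part.
    return all(_part_regex(p).fullmatch(n)
               for p, n in zip(pat_parts, name_parts))


def affected(pattern: str, inventory, d: Defaults):
    """Fully qualified names from the inventory that the pattern would select."""
    return [expand(n, d) for n in inventory if matches(pattern, n, d)]


# Constructed sample inventory (not taken from a real system).
INVENTORY = [
    "\\sysa.$ops1.fin.quarter2",
    "\\sysa.$ops12.fin.quarter2",   # "$ops?" allows exactly one extra character
    "\\sysb.$ops2.hr.quarter2",
    "\\tops.$ops1.fin.quarter2",    # system name does not start with "sys"
    "\\sysa.$ops1.fin.quarter3",
]

if __name__ == "__main__":
    d = Defaults("\\london", "$data", "sales")
    print(expand("$books.report1", d))
    for name in affected("\\sys*.$ops?.*.quarter2", INVENTORY, d):
        print("would be altered:", name)
```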
Patterns

Diskfile patterns reduce administrative burden by supplying one pattern that can match many subvolumes or filenames. For more information, see the Safeguard User’s Guide.

Specifying Disk Volume Names

You can identify a disk volume with either a fully or a partially qualified volume name. To specify more than one volume in a command, you can use wild cards in a volume name, or you can use a volume name list.
Examples

=FREEZE VOLUME $data
=ADD VOLUME $mail*, LIKE $data
=INFO VOLUME $*
=THAW VOLUME $?com

Volume Name Lists

A volume name list is a list of fully qualified or partially qualified volume names. A volume name list specifies a group of disk volumes on which the same operation is to be performed.

( volume [ , volume ] ... )

volume
   is either a fully or a partially qualified volume name.

Examples

=ALTER VOLUME ($mail, $sail, $trail), OWNER ops.
Examples

=DELETE SUBVOLUME \tops.$data.jones
=ADD SUBVOLUME \tops.$dat*.*
=ADD SUBVOLUME \tops.$*.valdez
=INFO SUBVOLUME \*.$data.*

Partially Qualified Subvolume Names

A partially qualified subvolume name is a subvolume name with the system name or the volume name (or both) omitted.

[\system.][$volume.]subvolume

\system
   is a system name. If omitted, the current default system name is used.

$volume
   is a disk volume name.
=THAW SUBVOLUME (\sfo.$users.data, $*.*)
=INFO SUBVOLUME (\*.$users.*, jones)

Specifying Device Names

You can identify a device with either a fully or a partially qualified device name. To specify more than one device in a command, you can use wild cards in a device name, or you can use a device name list. However, you cannot use wild cards to specify a device name in an ADD command.
Examples

=ADD DEVICE $lp2 LIKE $lp1
=INFO DEVICE $lp*
=FREEZE DEVICE $lazer*

Device Name Lists

A device name list is a list of fully qualified or partially qualified device names. A device name list specifies a group of devices on which the same operation is to be performed.

( device-name [ , device-name ] ... )

device-name
   is either a fully or a partially qualified device name.
Examples

=ADD SUBDEVICE \apex.$tc02.#p04
=INFO SUBDEVICE \apex.$tc12*.#t04
=FREEZE SUBDEVICE \tops.$cl4.#lazer*

Partially Qualified Subdevice Names

For subdevices that can be accessed over a network, a partially qualified subdevice name is a device name followed by a subdevice name. SAFECOM expands the partially qualified name by adding the current default system name.

$device.#subdevice

$device.#subdevice is expanded to:

\system-name.
Specifying Process Names

You can identify a named process with either a fully or a partially qualified process name. To specify more than one named process in a command, you can use wild cards in a process name, or you can use a process name list. However, you cannot use wild cards to specify a process name in an ADD command.

Fully Qualified Process Names

A fully qualified process name includes both the system name and process name.

[\system-name.
Examples

=ADD PROCESS $spell LIKE $cedit
=INFO PROCESS $loc*
=THAW PROCESS $limit

Process Name Lists

A process name list is a list of fully qualified or partially qualified process names. A process name list specifies a group of processes on which the same operation is to be performed.

( process-name [ , process-name ] ... )

process-name
   is either a fully or a partially qualified process name.
Examples

=ADD SUBPROCESS \argon.$pc12.#tl06
=INFO SUBPROCESS \ajax.$rpt*.#prt
=FREEZE SUBPROCESS \fred.$ted*.#clup

Partially Qualified Subprocess Names

Subprocess names can be partially qualified. As with device names, the only part of a subprocess name you can omit is the system name. When you enter a subprocess name without a system name, SAFECOM expands the partially qualified name by adding the current default system name.
Identifying System Users

The system user community supported by the operating system is organized into 256 groups, each of which can include 256 individual users for purposes of administration. (Groups can include more than 256 users for file-sharing purposes.) Each system user added to a NonStop system is assigned a user ID and a user name.
User Names

A user name consists of a group name and a member name, separated by a period.

group-name.member-name

group-name
   is the name of an administrative group. It is one to eight alphanumeric characters long, the first of which must be alphabetic. In most SAFECOM commands, an administrative group name is case-insensitive. The alphabetic characters are assumed to be uppercase.
The network form of a user name and user ID can have the following form:

NETWORK FORM OF USER ID:    \node-spec.group-num , member-num
NETWORK FORM OF USER NAME:  \node-spec.group-name.member-name

Note. You may only use node-spec in the ACCESS clause of SAFECOM.

For example, suppose a network user has a user ID of 3,3, a user name of SALES.BOB, and is on the NYC node. This network user can be identified on an access list with either of these forms:

\NYC.3,3
\NYC.

User Sets
In access control list entries, these forms specify all the local users who are members of the group identified by group-name or group-num. This includes users who have been specified as members of the group with the MEMBER clause in an ADD or ALTER GROUP command.

*.* and *,* each specifies all the local users defined for your system.

\node-spec.group-name.*
\node-spec.
alias
   is a case-sensitive text string of up to 32 alphanumeric and special characters. The first character of an alias name must be alphabetic. The following special characters are allowed in an alias name: period (.), hyphen (-), and underscore (_).

Identifying User Groups

User groups are created implicitly with the ADD USER command and explicitly with the ADD GROUP command.
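The user-identification forms above (user ID, user name, network forms, and user sets), as an added Python example that classifies access control list subjects and rejects malformed ones such as PROG*.DON. It is not code from the manual or from SAFECOM. Assumptions: member-name follows the same rule the manual gives for group-name, group and member numbers run from 0 to 255 (from the 256-by-256 organization described above), node-spec is a system name or *, and a wild-card group is accepted only together with a wild-card member.

```python
import re

# The manual's rule for group-name: 1 to 8 alphanumerics, first one alphabetic.
# Assumption: member-name follows the same rule.
NAME = re.compile(r"[A-Za-z][A-Za-z0-9]{0,7}")
# Assumption: node-spec is "*" or a system name of up to 7 alphanumerics.
NODE = re.compile(r"\\(\*|[A-Za-z][A-Za-z0-9]{0,6})\.")
NUMBER = re.compile(r"[0-9]{1,3}")


def _part_ok(part: str, numeric: bool) -> bool:
    """A group or member part is a lone '*', or a valid number or name."""
    if part == "*":
        return True
    if numeric:
        return bool(NUMBER.fullmatch(part)) and int(part) <= 255
    return NAME.fullmatch(part) is not None


def classify(subject: str) -> str:
    """Return e.g. 'local user-id' or 'network group'; raise ValueError if malformed."""
    s = subject.strip()
    node = NODE.match(s)
    rest = s[node.end():] if node else s
    if "," in rest:                       # group-num , member-num
        numeric = True
        group, member = (p.strip() for p in rest.split(",", 1))
    elif "." in rest:                     # group-name.member-name
        numeric = False
        group, member = rest.split(".", 1)
    else:
        raise ValueError(f"{subject!r}: no group/member separator")
    if not (_part_ok(group, numeric) and _part_ok(member, numeric)):
        # Catches wild cards mixed with characters, e.g. PROG*.DON.
        raise ValueError(f"{subject!r}: invalid group or member part")
    if group == "*" and member != "*":
        raise ValueError(f"{subject!r}: wild-card group with a specific member")
    if group == "*":
        kind = "all-users"
    elif member == "*":
        kind = "group"
    else:
        kind = "user-id" if numeric else "user-name"
    return ("network " if node else "local ") + kind


def review(subjects):
    """Map each ACL subject to its classification or to an 'invalid: ...' note."""
    report = {}
    for s in subjects:
        try:
            report[s] = classify(s)
        except ValueError as err:
            report[s] = f"invalid: {err}"
    return report


def broad(subjects):
    """Subjects that grant access to every user, worth a second look in review."""
    return [s for s, c in review(subjects).items() if c.endswith("all-users")]


# Constructed sample ACL subjects (forms taken from the examples above).
SAMPLE_ACL = ["sales.*", "admin.bob", "86,2", "14,*", "*.*",
              "\\NYC.3,3", "\\NYC.SALES.BOB", "PROG*.DON", "*.bob", "300,1"]

if __name__ == "__main__":
    for subject, result in review(SAMPLE_ACL).items():
        print(f"{subject:16} {result}")
    print("grants to all users:", broad(SAMPLE_ACL))
```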
3 The Command to Run SAFECOM

This section contains the syntax description of the command to run SAFECOM, followed by examples that show each of the three modes of program operation. For more examples of running SAFECOM, see the Safeguard User’s Guide. For instructions on starting the Safeguard software, see the Safeguard Administrator’s Manual.

Modes of Program Operation

To run the SAFECOM program, you must have the necessary EXECUTE authority for the SAFECOM program object file ($SYSTEM.SYSnn.SAFECOM).
Command Syntax

sign (=). You can enter a SAFECOM command at the prompt. To exit SAFECOM, enter the EXIT command. (For more information, see Section 4, SAFECOM Session-Control Commands.)

run-opt
   is any run option for the RUN command of the command interpreter. (For a complete list of run options, see the description of the RUN[D] command in the TACL Reference Manual.
NOWAIT
   instructs your command interpreter to return to your terminal for more commands after starting a SAFECOM process. Typically, you use NOWAIT in the batch mode, in which you specify an EDIT command file as the IN file for SAFECOM, or in the execute-and-quit mode. The NOWAIT option means that SAFECOM runs in the background, and you can use your terminal for other work.
Considerations

• Running SAFECOM without a local SMP

  You can run SAFECOM even if the Safeguard security-manager process ($ZSMP) is not currently running on your system.
4 SAFECOM Session-Control Commands

The SAFECOM session-control commands establish a working environment for your SAFECOM session. For example, the SYSTEM and VOLUME commands establish the default system, volume, and subvolume names that SAFECOM uses to expand partially qualified disk file names. Similarly, the ASSUME command establishes a default object class (such as DISKFILE or USER) so that you can enter object-management commands without specifying the default object class in each command.
Session-Control Command Syntax

Table 4-1. Session-Control Command Summary (page 1 of 2)

Command            Function
ASSUME             Establishes a default object class for subsequent object-management commands during the current session.
DISPLAY COMMANDS   Displays the output of an INFO or SHOW command as SAFECOM commands.
DISPLAY DETAIL     Controls the DETAIL option of the INFO command for an entire session.
Table 4-1. Session-Control Command Summary (page 2 of 2)

Command            Function
!                  Displays and executes a specified command that you previously entered during the current session.
-- (two hyphens)   Delimits comments in SAFECOM commands.
& (ampersand)      Indicates that the command is continued on the next line.

The rest of this section contains individual syntax descriptions.

ASSUME Command
SUBPROCESS
SUBVOLUME
TERMINAL
USER
VOLUME

Note. The ASSUME command is not valid for OBJECTTYPE, GROUP, or SECURITY-GROUP.

Example

In this example, ASSUME establishes DISKFILE as the default object class:

=ASSUME DISKFILE
=SET ACCESS (sales.*, admin.*) r
=ADD $data.q3.report

SAFECOM then executes the SET and ADD commands as though you had entered:

=SET DISKFILE ACCESS (sales.*, admin.*) r
=ADD DISKFILE $data.q3.

DISPLAY Command
DISPLAY AS COMMANDS Option

DISPLAY AS COMMANDS controls whether the output of an INFO or SHOW command is displayed as a report or as a list of SAFECOM commands. Normally, INFO and SHOW commands produce reports. To display the output of INFO and SHOW as commands, use the DISPLAY AS COMMANDS option.
By default, the INFO command output is displayed in report form. To view this output as SAFECOM commands rather than as a report:

=DISPLAY AS COMMANDS ON
=INFO DISKFILE rpt01, DETAIL

The following information appears:

ADD ALTER ALTER DISKFILE DISKFILE ACCESS DISKFILE ACCESS $DATA.SALES $DATA.SALES 002,005 $DATA.SALES 002,* .RPT01 .RPT01 (R,W,E,P, 0) .
DISPLAY HEADERS Option

DISPLAY HEADERS controls the display of heading lines in INFO command reports for a session. SAFECOM normally displays a heading line above each object reported on by an INFO command. DISPLAY HEADERS allows you to either suppress the display of the heading line or specify that it should appear only once in an INFO report.
The following information appears:

$DATA.SALES REPORT1 LAST-MODIFIED OWNER STATUS WARNING-MODE 18JUL88, 11:00 2,1 THAWED OFF LAST-MODIFIED OWNER STATUS WARNING-MODE 18JUL88, 11:02 2,1 THAWED OFF LAST-MODIFIED OWNER STATUS WARNING-MODE 18JUL88, 11:05 2,1 THAWED OFF NO ACCESS CONTROL LIST DEFINED! $DATA.SALES REPORT2 NO ACCESS CONTROL LIST DEFINED! $DATA.
DISPLAY PROMPT
   entered by itself without any prompt-item, causes the default SAFECOM prompt (=) to be displayed.

prompt-item
   specifies the text to be added to the standard SAFECOM prompt. If you include multiple prompt items in a DISPLAY PROMPT command, they must be separated by commas and enclosed in parentheses.
DATE
   specifies that the current date is displayed in the SAFECOM prompt. The date is displayed in the form mm/dd/yyyy.

END
   specifies that the equal sign (=) is not displayed to terminate the SAFECOM prompt and that any prompt-item following the word END is ignored.

PROCESS NAME
   specifies that the current process name is displayed in the SAFECOM prompt.

PROCESS NUMBER
   specifies that the current process number is displayed in the SAFECOM prompt.
Considerations

• If used, END should be the last prompt item specified. Any prompt items following END are ignored.

Examples

1. This command adds the current command line number to the SAFECOM prompt:

   =DISPLAY PROMPT COMMAND NUMBER
   2=

2. This command adds the user name for the user ADMIN.BILL to the SAFECOM prompt:

   =DISPLAY PROMPT USER NAME
   ADMIN.BILL=

3. This command changes the SAFECOM prompt for the user ADMIN.
Examples

In this example, DISPLAY USER specifies that user identities are displayed as user names rather than user IDs:

=DISPLAY USER NAME

DISPLAY WARNINGS Option

DISPLAY WARNINGS controls the display of warning messages on INFO DISKFILE reports for the current session. SAFECOM normally displays a warning message if you issue an INFO DISKFILE command for a file that has not been added to the Safeguard database.
The following information appears:

$DATA.SALES REPORT1
LAST-MODIFIED    OWNER   STATUS   WARNING-MODE
18JUL88, 11:00   2,1     THAWED   OFF
NO ACCESS CONTROL LIST DEFINED!
* WARNING * RECORD FOR DISKFILE $DATA.SALES.REPORT2 NOT FOUND
* WARNING * RECORD FOR DISKFILE $DATA.SALES.REPORT3 NOT FOUND

Use the following command to turn off the warning messages:

=DISPLAY WARNINGS OFF

Then issue the same INFO command:

=INFO DISKFILE $data.sales.

ENV Command
env-parm
   is any one of these environmental parameters:

   SYSTEM VOLUME OUT LOG ASSUME WARNINGS USER DETAIL AS COMMANDS HEADERS PROMPT

Examples

1. This ENV command requests a report on all the current environmental parameter values. The report is sent to a file called $DATA.SECURE.ENVPARMS.

   =ENV / OUT envparms /
   =

   After this ENV command completes, $DATA.SECURE.

EXIT Command
Consideration

• You can also press Ctrl-Y to exit SAFECOM. Ctrl-Y is equivalent to end-of-file (EOF). (Ctrl-Y means to hold down the Ctrl key while pressing the Y key.)

FC Command

The FC command lets you retrieve, edit, and execute a command line you have previously entered during the current session. FC is useful for correcting mistyped commands and for entering a series of commands that differ by only a few characters.
FC Editing Subcommands

When you execute the FC command, it displays the specified command and positions the cursor on the next line. This blank line is the command editing line in which you can use the FC editing subcommands. The editing subcommands modify the characters displayed above them in the command line. When you move the cursor in the command editing line, use only the spacebar and the backspace key.
Considerations

• To abort the FC command, enter only the subcommand separator (//) on the new blank line and then immediately press RETURN. The (possibly altered) command line is discarded without execution. You can also press Ctrl-Y to stop the FC command.
• If you enter FC alone, the last command you entered is displayed.

Examples

1.

HELP Command
SAFECOM Session-Control Commands HISTORY Command If listfile does not exist, SAFECOM creates an EDIT-format file and then writes the HELP report to that file. If listfile does exist, SAFECOM opens the file and appends the HELP report. topic is the topic for which SAFECOM displays information. For a brief list of topics, enter HELP without any parameters. ALL displays help text for all commands (typically used with the OUT listfile option).
Examples

1. The following command displays the last four commands entered during the current session. The example assumes that the HISTORY command is the ninth command entered during the session.

=HISTORY 4
6=ASSUME DISKFILE
7=SHOW
8=ADD RPT05, ACCESS 14,* R
9=HISTORY 4
=

2. The following sequence of commands shows the function of the HISTORY RESET LAST command.
SAFECOM Session-Control Commands OBEY Command logfile establishes a log file for SAFECOM. You can specify any file name. If logfile does not exist, SAFECOM creates an EDIT-format file and writes the session log records to that file. If logfile exists, SAFECOM opens the file and appends the log records. Considerations • Changing log files in the middle of a session You can change the log file in the middle of a session by entering a LOG command that specifies a different file as logfile.
OBEY Command SAFECOM Session-Control Commands OUT listfile redirects SAFECOM output to listfile for all the commands in command-file. For listfile, specify any file name. If listfile does not exist, SAFECOM creates an EDIT-format file and then writes all output text to that file. If listfile exists, SAFECOM opens the file and appends the output text. command-file is the name of a file containing SAFECOM commands (usually an EDIT-format file). The name can be any file name.
OUT Command

OUT directs SAFECOM output text to a specified file. SAFECOM output text includes both input commands and the response to those commands. Output text directed to a specific file is not echoed to the screen. Typically, OUT is used in command files, where it directs the command-file output to a list file.

OUT [ listfile ]

OUT
entered without listfile, closes the current listfile.
SYNTAX Command

SYNTAX enables and disables syntax-only mode. In syntax-only mode, SAFECOM only checks the syntax of commands. It does not execute the commands. You can execute only four SAFECOM commands in syntax-only mode: SYNTAX, ASSUME, OBEY, and EXIT.

SYNTAX [ ONLY ] { ON | OFF }

SYNTAX [ ONLY ]
specifies that SAFECOM syntax-only mode is enabled or disabled. The keyword ONLY is optional and can be included for readability.
SYSTEM
entered without \system-name, sets the default system name to the name of the system you are currently using.

\system-name
is a valid system name to be used as the default for subsequent SAFECOM commands.

Considerations

• The SYSTEM command has no effect on user names because the system name is not part of a user name.
VOLUME Command SAFECOM Session-Control Commands VOLUME Command VOLUME establishes a default disk volume name and a default subvolume name. SAFECOM uses the current default volume and subvolume names to expand partially qualified disk file names. SAFECOM uses the current volume name to expand partially qualified subvolume names. When you start SAFECOM, the default volume and subvolume names established through your command interpreter become your current SAFECOM default volume and subvolume names.
=ASSUME DISKFILE       -- Establishes DISKFILE as the default object class
=VOLUME $data.sales    -- Establishes the default volume and subvolume
=INFO report1          -- Reports on $DATA.SALES.REPORT1
=INFO $system.report2  -- Reports on $SYSTEM.SALES.REPORT2
=INFO admin.report3    -- Reports on $DATA.ADMIN.REPORT3
=INFO *                -- Reports on all disk files on the $DATA.
Examples

1. The following ? command retrieves command line number 6:

=? 6
=ADD DISKFILE SEC03, LIKE SEC01

2. The following ? command retrieves the last command in the history buffer:

=?
=INFO VOLUME $DATA

3. The following ? command retrieves the last command in the history buffer that contains the character string RPT06:

=? "RPT06"
=ADD DISKFILE $DATA01.ACCT.RPT06, LIKE RPT01

4.
"string"
is a text string enclosed in quotes. The ! command displays and executes the most recent command in the history buffer that contains the specified text string. The command need not begin with the specified string.

Examples

1. The following ! command retrieves and executes command line number 13:

=! 13
=RESET DISKFILE
=

2.
Example

Comment lines are particularly useful in command files, for example, to annotate the way a file works. This example demonstrates the use of the comment line with the INFO command:

=OBEY --year-end report-- data.sales.report1
=--sent to operations line printer-
=OUT $s.#lp
=--report on all admin users-
=INFO USER admin.
SAFECOM Session-Control Commands Safeguard Reference Manual—520618-013 4- 30 Continuation Character
5 User Security Commands

SAFECOM user security commands are restricted so that only specific users can execute them and thereby control user security. These users include system managers, security administrators, and group managers, as qualified by the list of users specified with OBJECTTYPE USER. SAFECOM commands can add user IDs to the system, delete user IDs from the system, and suspend a user ID's ability to log on to the system.
Who Can Manage User Security User Security Commands user’s ability to log on to the system, and delete the user (ALTER USER, FREEZE USER, THAW USER, and DELETE USER commands, respectively). The original primary owner and the secondary owners of a user authentication record can change the OWNER attribute to the user ID of any other user. That other user then has control of the user’s ability to access the system.
Table 5-1. Who Can Use the User Security Commands (page 2 of 2)

USER Command    Who Can Use
ADD USER        If no ACL exists for OBJECTTYPE USER, the local group manager can add a member of an existing group. The local super ID can add members of a group or add a group manager. If an ACL exists for OBJECTTYPE USER, only members listed in that ACL can add users. (Thereafter, the owner can manage the user record.)
• A summary of the function performed by the command, including the restrictions on who can use the command
• Descriptions of the command parameters and variables
• The format for the command listing or report (for commands that produce displays or listings)
• Considerations for the use of the command
• Examples of command usage

ADD USER Command

ADD USER adds a user to the system and creates a Safeguard authentication record for that user.
If group-name already exists, the group-num of the new user must match the group-num of the existing group-name, and the member-name and member-num assigned to the new user must not already be assigned to an existing group member. Both group-name and member-name are from one to eight alphanumeric characters, the first of which must be alphabetic. The group-name and member-name variables cannot contain wild-card characters.
USER-EXPIRES [date [, time]]
PASSWORD-MUST-CHANGE [EVERY num DAYS]
PASSWORD-EXPIRY-GRACE [num [DAYS]]
PASSWORD-EXPIRES [ date [ , time] ]
AUDIT-AUTHENTICATE-PASS [audit-spec]
AUDIT-AUTHENTICATE-FAIL [audit-spec]
AUDIT-MANAGE-PASS [audit-spec]
AUDIT-MANAGE-FAIL [audit-spec]
AUDIT-USER-ACTION-PASS [audit-spec]
AUDIT-USER-ACTION-FAIL [audit-spec]
REMOTEPASSWORD \system-name remote-password
DEFAULT-PROTECTION [ obj-attr ] [ ( obj-attr [ , obj-attr ] ...
ADD USER Command User Security Commands When the Safeguard software is installed on a system that has an existing user community, it expands the existing USERID file to add the Safeguard user attributes for every user currently defined on the system. The record for each user is expanded the first time that user logs on after the Safeguard software has been installed.
This command adds a user who has the user name PRS.DARLENE and the user ID 86,1. Darlene’s logon password is market. The other user attributes for PRS.DARLENE have their default values.

2. This command adds another member to the PRS group:

=ADD USER prs.harry, 86,2 , PASSWORD SELLit

The new user has the user name PRS.HARRY, the user ID 86,2, and the logon password SELLit.

3. Now the PRS group manager adds two more group members.
The report shows:

TYPE USER    OWNER 86,255

PASSWORD                    =
USER-EXPIRES                = 26JUN05, 0:00
PASSWORD-EXPIRES            = * NONE *
PASSWORD-MUST-CHANGE EVERY  = 60 DAYS
PASSWORD-EXPIRY-GRACE       = * NONE *
GUARDIAN DEFAULT SECURITY   = NUNU
GUARDIAN DEFAULT VOLUME     = $SYSTEM.
ALTER USER Command User Security Commands ALTER USER Command ALTER USER changes one or more user attributes in a user’s authentication record. Only the primary owner and secondary owners of a user’s authentication record, the primary owner’s group manager, or the local super ID can use ALTER USER to change the user-attribute values in a user’s authentication record. For all attributes other than REMOTEPASSWORD, the ALTER USER command replaces the current attribute value with the newly specified value.
ALTER USER Command User Security Commands LIKE changes the values of all user attributes except: PASSWORD [password] REMOTEPASSWORD \system-name remote-password GUARDIAN [DEFAULT] SECURITY ["]string["] GUARDIAN [DEFAULT] [SUB]VOLUME [\system.]$vol.
OWNER [owner-id]
transfers the primary ownership of a user’s authentication record to the user whose user ID is specified as owner-id. For owner-id, specify either:

[\*.]group-name.member-name
[\*.]group-num , member-num

If you omit owner-id, it is set to your user ID.

OWNER-LIST [[-]user-list]
changes the secondary ownership of a user’s authentication record by adding or deleting owners in the owner list.
ALTER USER Command User Security Commands PASSWORD [password] changes a user’s logon password. password is a string of one to 64 characters. It can contain any alphanumeric characters except blanks, commas, semicolons, and the ASCII null character. The case of the letters is preserved. Lowercase letters remain lowercase, and uppercase remain uppercase. If omitted, the value for password is set to null. In this case, a password is not required for the user to log on to the system.
min
is an integer from 0 through 59, specifying the minute.

PASSWORD-MUST-CHANGE [EVERY num DAYS]
changes the maximum number of days that a user can use the same password. For num, specify an integer from 1 through 32,767. Changing the PASSWORD-MUST-CHANGE attribute causes the Safeguard software to calculate a new PASSWORD-EXPIRES date. The PASSWORD-EXPIRES date is set to the current date plus num days.
ALTER USER Command User Security Commands day is a 1-digit or 2-digit integer from 1 to 31, specifying the day of the month. year is a 4-digit integer, specifying the year. hour is an integer from 0 to 23, specifying the hour. min is an integer from 0 to 59, specifying the minute.
ALTER USER Command User Security Commands AUDIT-MANAGE-FAIL [audit-spec] changes the audit-spec for unsuccessful attempts to manage a user’s authentication record. The form of audit-spec is: { ALL | LOCAL | REMOTE | NONE } For a description of the audit-specs, see the SET USER Command on page 5-39. Omitting audit-spec specifies NONE. AUDIT-USER-ACTION-PASS [audit-spec] changes the audit-spec for successful events performed by this user.
ALTER USER Command User Security Commands semicolons, and the ASCII null character. The case of the letters is preserved; lowercase letters remain lowercase, and uppercase letters remain uppercase. You cannot set multiple remote passwords with one command. DEFAULT-PROTECTION [ obj-attr ] [ ( obj-attr [ , obj-attr ] ...) ] changes one or more attributes to be assigned immediately to new disk files created by processes with a PAID equal to this user ID.
ALTER USER Command User Security Commands group-name. You can include it in the command for readability. group-name is the name of a group to which the user already belongs. group-num is the number of a group to which the user already belongs. You can specify the primary group by group name or by group number, but not both. You cannot include PRIMARY-GROUP NAME and PRIMARY-GROUP NUMBER attributes in the same command.
CI-PROG [prog-filename]
changes the command interpreter to be started after this user is authenticated at a Safeguard terminal. prog-filename is the name of the command interpreter’s object file. It must be a local file name. If you omit prog-filename, the other user attributes associated with CI-PROG prog-filename in this record are not meaningful.
ALTER USER Command User Security Commands If you omit startup-param-text, the string is set to null. (No text is supplied in the startup message.) TEXT-DESCRIPTION "[text]" specifies a string of characters to replace the existing text description for this record. Because SAFECOM allows a maximum command length of 528 characters, the specified text string must contain fewer than 528 characters.
Considerations

• Changing your logon password
Only the owner of a user’s authentication record or the owner’s group manager can use the ALTER USER command to change a user’s password. However, with the Guardian PASSWORD program, any user can change their own password. In addition, users can change their own passwords during logon.
2. The primary owner of the user authentication record for ACCTG.HARRY sets up Safeguard auditing for successful and failed authentication attempts (both local and remote) made under Harry’s user name:

=ALTER USER acctg.harry, AUDIT-AUTHENTICATE-PASS all,&
=AUDIT-AUTHENTICATE-FAIL all

3. The primary owner of the user authentication record for PRS.
user-spec
specifies the user or users to be deleted from the system. user-spec can be any of:

group-num , member-num
group-name.member-name
group-num , *
*,*

group-name and member-name can contain wild-card characters.

WHERE expression
causes the DELETE command to apply to only authentication records for users who belong to the groups specified by expression. For a description of WHERE expression, see the ALTER USER Command on page 5-10.
Examples

1. The group manager for the ACCTG group enters this command to delete the user ACCTG.HARRY:

=DELETE USER acctg.harry

2. The group manager for the PROG group enters this command to delete all users in the PROG group who are also members of the TEMP group:

=DELETE USER prog.*, WHERE GROUP=TEMP

FREEZE USER Command

FREEZE USER temporarily suspends a user’s ability to log on to the system. You can later restore this ability through the THAW USER command.
INFO USER Command User Security Commands The super ID can be frozen. The result of freezing the super ID is that this ID cannot log on. Freezing the super ID has no effect on any existing processes owned by the super ID, including logged-on TACLs. • Freezing a user who is currently logged on Although a user can be frozen while logged on, freezing has no effect on the user’s current command interpreter session.
• The primary owner’s group manager
• The super ID

INFO [ / OUT listfile / ] USER { user-spec | ( user-spec [ , user-spec ] ... ) } [ [ , ] option ] [ , option ] ...

OUT listfile
directs SAFECOM output to listfile for the INFO report. (After executing the INFO command, SAFECOM redirects its output to the current OUT file.) For listfile, specify any file name. SAFECOM opens listfile and appends the output text to it.
GENERAL
displays the basic user attributes, including password settings, user expiration, UID, Guardian security, and Guardian default volume.

DETAIL
displays all user attributes, including those displayed by all other options.

AUDIT
displays only attributes related to auditing.

CI
displays only attributes related to the default command interpreter.

OSS
displays only attributes related to OSS initial settings.
INFO USER Brief Report

Figure 5-1 shows the format of the brief INFO USER report. A description of the user-attribute values and status fields immediately follows it.

Figure 5-1. INFO USER Brief Report Format

GROUP.USER   USER-ID   OWNER      LAST-MODIFIED   LAST-LOGON   STATUS
user-name    u-id      o-id [+]   date,time       date,time    status

GROUP.USER user-name
is the user name of the user whose current user attributes appear.
STATUS status
indicates this user’s current status. status can be any of:

USEREXP   The user’s ability to log on to the system has expired. Until the user’s USER-EXPIRES date is changed to some future date, the user cannot log on to the system.
PSWDEXP   The user’s password has expired. Until the user’s password is changed or until the user’s PASSWORD-MUST-CHANGE period is extended (through the ALTER USER command), the user cannot log on to the system.
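A brief report captured with OUT listfile can be reviewed mechanically for users who cannot log on or who have not logged on for a long time. The following Python code is an added example, not part of the manual or of the Safeguard product; it reads rows in the Figure 5-1 column order. The sample rows, the FROZEN status label, the * NONE * last-logon marker, the review date and the two-digit-year pivot are constructed or assumed for this example.

```python
import re
from datetime import datetime

MONTHS = {m: i for i, m in enumerate(
    "JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split(), start=1)}

# Timestamp as printed in the manual's examples, e.g. "23MAY05, 15:43".
STAMP = r"\d{1,2}[A-Z]{3}\d{2},\s*\d{1,2}:\d{2}"
# Group and member names: one to eight alphanumerics, first one alphabetic.
NAME = r"[A-Z][A-Z0-9]{0,7}"

# One data row in Figure 5-1 column order. The optional "+" after the owner
# is accepted because the figure shows "o-id [+]"; it is not interpreted here.
ROW = re.compile(
    rf"^\s*(?P<user>{NAME}\.{NAME})\s+"
    rf"(?P<uid>\d+,\d+)\s+"
    rf"(?P<owner>\d+,\d+)(?:\s*\+)?\s+"
    rf"(?P<modified>{STAMP})\s+"
    rf"(?P<logon>{STAMP}|\*\s*NONE\s*\*)\s+"
    rf"(?P<status>[A-Z]+)\s*$"
)

# Constructed review date and constructed report text (not real system output).
AS_OF = datetime(2005, 6, 28)
SAMPLE = """\
GROUP.USER          USER-ID    OWNER      LAST-MODIFIED    LAST-LOGON       STATUS
PRS.HARRY            86,2       86,255    23MAY05, 15:43   28MAY05,  9:22   FROZEN
PRS.DARLENE          86,1       86,255    02JAN05, 10:05   27JUN05,  8:01   THAWED
PRS.MABEL            86,3       86,255    11FEB05, 14:30   14FEB05, 16:47   THAWED
ACCTG.HARRY          12,4       12,255    19MAR05,  9:12   03APR05, 11:20   PSWDEXP
TEMP.JACK            30,7       30,255    20JUN05, 13:00   * NONE *         THAWED
"""


def parse_stamp(text):
    """Return a datetime for 'DDMMMYY, HH:MM', or None if it is not a date."""
    m = re.fullmatch(r"(\d{1,2})([A-Z]{3})(\d{2}),\s*(\d{1,2}):(\d{2})",
                     text.strip())
    if not m or m.group(2) not in MONTHS:
        return None
    day, mon, yy, hour, minute = m.groups()
    # Assumed pivot for two-digit years: 69-99 -> 19xx, 00-68 -> 20xx.
    year = int(yy) + (1900 if int(yy) >= 69 else 2000)
    try:
        return datetime(year, MONTHS[mon], int(day), int(hour), int(minute))
    except ValueError:  # e.g. 31FEB05
        return None


def review_brief_report(text, as_of, max_idle_days=90):
    """Return (findings, unparsed) for a captured INFO USER brief report.

    findings: list of (user, reason, detail) tuples
    unparsed: lines that are neither header, prompt, blank nor a valid row,
              so that a layout change is noticed instead of silently skipped
    """
    findings, unparsed = [], []
    for line in text.splitlines():
        stripped = line.strip()
        if (not stripped or stripped.startswith("=")
                or stripped.startswith("GROUP.USER")):
            continue
        m = ROW.match(line)
        if not m:
            unparsed.append(stripped)
            continue
        user, status = m["user"], m["status"]
        if status != "THAWED":
            # USEREXP, PSWDEXP or a frozen user: logon is currently blocked.
            findings.append((user, "cannot-log-on", status))
            continue
        last = parse_stamp(m["logon"])
        if last is None:
            findings.append((user, "no-logon-recorded", m["logon"]))
        else:
            idle = (as_of - last).days
            if idle > max_idle_days:
                findings.append((user, "idle", f"{idle} days"))
    return findings, unparsed


if __name__ == "__main__":
    results, skipped = review_brief_report(SAMPLE, AS_OF)
    for user, reason, detail in results:
        print(f"{user:<16} {reason:<18} {detail}")
    for line in skipped:
        print(f"UNPARSED: {line}")
```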
INFO USER Command User Security Commands Figure 5-2. INFO USER Detailed Report Format GROUP.
INFO USER Command User Security Commands USER-EXPIRES = date, time is the date and time when this user’s ability to log on to the system will be suspended (in local civil time). After the USER-EXPIRES command suspends a user’s ability to log on to the system, changing the user’s USER-EXPIRES attribute to some future date restores that ability. PASSWORD-EXPIRES = date, time is the date and time when this user’s password will expire.
INFO USER Command User Security Commands GUARDIAN DEFAULT SECURITY = string is the Guardian default security string for this user. GUARDIAN DEFAULT VOLUME = $vol.subvol is the Guardian default subvolume for this user.
INFO USER Command User Security Commands CI-PRI = [ num ] is the priority at which the command interpreter runs. CI-PARAM-TEXT = [ text ] is the startup parameter text supplied to the command interpreter. It is blank if no text is specified. INITIAL-PROGTYPE = prog-type is the initial program type: PROGRAM, WINDOW, or SERVICE. INITIAL-PROGRAM = [ prog-path ] is the initial program pathname for the OSS file system. It is blank if no pathname is specified.
SUBJECT OWNER-LIST SECTION
lists the secondary owners of the user’s authentication record.

Examples

1. This example of the INFO USER command displays the user attributes for user PRS.HARRY before and after he is frozen:

=INFO USER prs.harry
GROUP.USER   USER-ID   OWNER    LAST-MODIFIED    LAST-LOGON      STATUS
PRS.HARRY    86,2      86,255   23MAY05, 15:43   28MAY05, 9:22   THAWED
=FREEZE USER prs.harry
=INFO USER prs.harry
GROUP.USER PRS.
RESET USER Command User Security Commands user-attribute-keyword sets the current default value of the specified user attribute to a predefined value.
PASSWORD-EXPIRY-GRACE
num days is set to null. (The user has no extension period during which to change the expired password).
PASSWORD-EXPIRES
date,time are set to null (no expiration date).
AUDIT-AUTHENTICATE-PASS
audit-spec is set to NONE.
AUDIT-AUTHENTICATE-FAIL
audit-spec is set to NONE.
AUDIT-MANAGE-PASS
audit-spec is set to NONE.
AUDIT-MANAGE-FAIL
audit-spec is set to NONE.
AUDIT-USER-ACTION-PASS
audit-spec is set to NONE.
INITIAL-DIRECTORY
dir-path is set to null (no pathname).
INITIAL-PROGRAM
prog-path is set to null (no pathname).
INITIAL-PROGTYPE
prog-type is set to PROGRAM.
CI-PROG
prog-filename is set to null. (No command interpreter is in this user record.)
CI-LIB
lib-filename is set to null (no library file).
CI-CPU
cpu-number is set to ANY.
CI-NAME
process-name is set to null. (The Safeguard software generates a name.)
CI-SWAP
$vol is set to null.
RESET USER Command User Security Commands Examples The PRS group manager wants to restore the current default user attributes (set in previous SET USER commands) to their predefined values.
The report shows:

TYPE USER    OWNER 86,255

PASSWORD                    =
USER-EXPIRES                = * NONE *
PASSWORD-EXPIRES            = * NONE *
PASSWORD-MUST-CHANGE EVERY  = * NONE *
PASSWORD-EXPIRY-GRACE       = * NONE *
GUARDIAN DEFAULT SECURITY   = OOOO
GUARDIAN DEFAULT VOLUME     = $SYSTEM.
LIKE user
sets some of the current default user attribute values to the same as those currently defined for the user or alias specified with user. user is one of the following:

group-num,member-num
group-name.member-name
alias

LIKE sets the current default values for all user attributes except:

PASSWORD [password]
REMOTEPASSWORD \system-name remote-password
GUARDIAN [DEFAULT] SECURITY ["]string["]
GUARDIAN [DEFAULT] [SUB]VOLUME [\system.]$vol.
SET USER Command User Security Commands CI-PARAM-TEXT [startup-param-text] OWNER [owner-id] specifies the owner of a user authentication record. For owner-id, specify either of: [\*.]group-name.member-name [\*.]group-num , member-num If you omit owner-id, your user ID becomes the current owner-id. OWNER-LIST [[-]user-list] changes the secondary ownership of a user’s authentication record by adding or deleting owners in the owner list.
SET USER Command User Security Commands PASSWORD [password] specifies a logon password for a user. Typically, users must enter their user name and a password to log on to a system. For password, specify the user’s logon password, which can be one to eight characters long. Use any alphanumeric characters except blanks, commas, semicolons, and the ASCII null character. The case of letters in a password is preserved. Lowercase letters remain lowercase, and uppercase letters remain uppercase.
SET USER Command User Security Commands When you add a user with a PASSWORD-MUST-CHANGE attribute, the Safeguard software calculates a PASSWORD-EXPIRES date by adding num days to the current date. If the user’s password is not changed before the PASSWORD-EXPIRES date, the user cannot log on to the system after that date (unless a PASSWORD-EXPIRY-GRACE period has been established).
SET USER Command User Security Commands hour is an integer from 0 through 23. min is an integer from 0 through 59. AUDIT-AUTHENTICATE-PASS [audit-spec] establishes an audit-spec for successful user authentication attempts. The audit-spec specifies the conditions under which the Safeguard software writes an audit record to the audit file when the user successfully logs on to the system. The form of audit-spec is: { ALL | LOCAL | REMOTE | NONE } ALL All successful logons are audited.
LOCAL    Only unsuccessful logons from the local system are audited.
REMOTE   This form has no effect. Remote authentication is not supported.
NONE     No unsuccessful logons are audited.

Omitting audit-spec specifies NONE.

AUDIT-MANAGE-PASS [audit-spec]
establishes an audit-spec for successful attempts to manage a user’s authentication record.
ALL      All unsuccessful management attempts are audited.
LOCAL    Only unsuccessful management attempts from the local system are audited.
REMOTE   Only unsuccessful management attempts from a remote system are audited.
NONE     No unsuccessful management attempts are audited.

Omitting audit-spec specifies NONE.
which the Safeguard software writes an audit record to the audit file when the user unsuccessfully attempts to perform an event. The form of audit-spec is:

{ ALL | LOCAL | REMOTE | NONE }

ALL      All unsuccessful events are audited.
LOCAL    Only unsuccessful events on the local system are audited.
REMOTE   Only unsuccessful events by a remote user are audited.
NONE     No unsuccessful events are audited.

Omitting audit-spec specifies NONE.
SET USER Command User Security Commands the ASCII null character. The case of letters is preserved. Lowercase letters remain lowercase, and uppercase letters remain uppercase. Only one remote password can be set with a SET command. Note. Use RESET USER REMOTEPASSWORD to clear a default remote password that you have previously established with the SET command. DEFAULT-PROTECTION [ obj-attr ] [ ( obj-attr [ ,obj-attr ] ...
SET USER Command User Security Commands INITIAL-DIRECTORY [dir-path] specifies the initial working directory within the OSS file system for the user. dir-path is a case-sensitive text string of up to 256 characters. It must be a syntactically valid OSS pathname. If you specify the INITIAL-DIRECTORY attribute, it must be the last attribute in the command string. If you omit dir-path, no pathname is used.
SET USER Command User Security Commands CI-LIB [lib-filename] specifies the library file to be used with the command interpreter started when this user is authenticated at a Safeguard terminal. lib-filename must be a local file name. If you omit lib-filename, no library file is used. CI-CPU [cpu-number | ANY] specifies the number of the CPU in which the command interpreter is to run. If you specify ANY, any CPU is used. If you do not specify cpu-number, any CPU is used.
SET USER Command User Security Commands • GUARDIAN DEFAULT attributes are equivalent to using the Guardian DEFAULT command. Setting the user’s Guardian default file security or default subvolume with the GUARDIAN SECURITY or GUARDIAN VOLUME attributes is equivalent to using the Guardian DEFAULT command. Similarly, you can use the DEFAULT command to change these attributes. • PASSWORD-EXPIRES takes precedence over PASSWORD-MUST-CHANGE.
The report displays:

TYPE USER    OWNER 18,255

PASSWORD                    = lintel
USER-EXPIRES                = 30SEP05, 12:00
PASSWORD-EXPIRES            = * NONE *
PASSWORD-MUST-CHANGE EVERY  = * NONE *
PASSWORD-EXPIRY-GRACE       = * NONE *
GUARDIAN DEFAULT SECURITY   = OOOO
GUARDIAN DEFAULT VOLUME     = $DATA2.
SHOW USER Command User Security Commands The report displays: GROUP.USER STATUS TEMP.
SHOW USER Command User Security Commands Figure 5-3. SHOW USER Report Format TYPE USER OWNER gn,un PASSWORD = [password] USER-EXPIRES PASSWORD-EXPIRES PASSWORD-MUST-CHANGE EVERY PASSWORD-EXPIRY-GRACE GUARDIAN DEFAULT SECURITY GUARDIAN DEFAULT VOLUME AUDIT-AUTHENTICATE-PASS AUDIT-AUTHENTICATE-FAIL AUDIT-USER-ACTION-PASS AUDIT-USER-ACTION-FAIL = = = = = { date,time | * NONE * } = { date,time | * NONE * } = { n DAYS | * NONE * } = { n DAYS | * NONE * } = string = $vol.
SHOW USER Command User Security Commands PASSWORD-MUST-CHANGE EVERY = { n DAYS | * NONE * } either gives the maximum number of days that the user can retain the same password or indicates that no limit has been set. PASSWORD-EXPIRY-GRACE = { n DAYS | * NONE * } either gives the number of days after password expiration that the user can change his or her password during logon or indicates that no extension period is allowed.
SHOW USER Command User Security Commands CI-CPU = { num | ANY } either gives the number of the CPU in which the command interpreter runs or indicates any CPU is used. CI-PRI = { num | * NONE * } either gives the priority at which the command interpreter runs or indicates that no priority is assigned in the user record. CI-PARAM-TEXT = [ text ] either gives the startup parameter text supplied to the command interpreter or appears blank to indicate that no parameter is supplied.
The report displays:

TYPE USER    OWNER 86,2

PASSWORD                    =
USER-EXPIRES                = * NONE *
PASSWORD-EXPIRES            = * NONE *
PASSWORD-MUST-CHANGE EVERY  = * NONE *
PASSWORD-EXPIRY-GRACE       = * NONE *
GUARDIAN DEFAULT SECURITY   = OOOO
GUARDIAN DEFAULT VOLUME     = $SYSTEM.
The report displays:

TYPE USER    OWNER 86,255

PASSWORD                    = macaroon
USER-EXPIRES                = 15DEC05, 0:00
PASSWORD-EXPIRES            = * NONE *
PASSWORD-MUST-CHANGE EVERY  = 30 DAYS
PASSWORD-EXPIRY-GRACE       = * NONE *
GUARDIAN DEFAULT SECURITY   = NUNU
GUARDIAN DEFAULT VOLUME     = $TOPS.
user-spec
specifies the user (or users) whose ability to log on is to be restored. user-spec can be any of:

group-num , member-num
group-name.member-name
group-num , *
*,*

group-name and member-name can contain wild-card characters.

WHERE expression
causes the THAW command to apply only to authentication records for users who belong to the groups specified by expression. For a description of WHERE expression, see the ALTER USER Command on page 5-10.

Examples

1.
6 User Alias Security Commands

Each user can be assigned one or more additional names, called “user aliases.” An alias is an alternate name that can be used to log on to the system. Each alias has its own alias authentication record and set of user attributes. The values assigned to the user attributes in the alias authentication record can differ from those values assigned to the user attributes in the user authentication record.
Who Can Manage User Aliases User Alias Security Commands An alias authentication record can have multiple owners. The OWNER attribute in an alias authentication record designates the record’s primary owner. The OWNER-LIST attribute optionally designates one or more secondary owners. By default, the OWNER attribute contains the user ID of the user who first created the alias authentication record.
Table 6-1. Who Can Use the User Alias Commands (page 2 of 2)

ALIAS Command   Who Can Use
THAW ALIAS      Primary and secondary record owners, primary owner’s group manager, and super ID
DELETE ALIAS    Primary and secondary record owners, primary owner’s group manager, and super ID
ADD ALIAS       See the description at the beginning of this subsection

Aliases and Access Control Lists

An alias name cannot appear on a Safeguard access control list.
User Alias Command Summary User Alias Security Commands User Alias Command Summary Table 6-2 on page 6-4 summarizes each of the user alias commands. Table 6-2. User Alias Command Summary Command Function ADD ALIAS Adds a user alias to the system and creates an authentication record for that alias with the user attribute values specified in the command. For any unspecified attributes, the current default values are used. (To set default values, use the SET ALIAS command.
ADD ALIAS Command User Alias Security Commands ADD ALIAS Command ADD ALIAS adds a user alias to the system and creates a Safeguard authentication record for that alias. Once a new alias is added to the system for a user, the user can log on to the system with that alias. To execute the ADD ALIAS command, you must have the authority both to add the underlying user ID and to alter the authentication record for that user ID. For more information, see Who Can Manage User Aliases on page 6-1.
group-num,member-num
is the user ID of the user with which this alias is to be associated. The group-num,member-num must already exist.

LIKE user
adopts the attribute values from an existing alias or user authentication record as the attribute values for the alias authentication record being added. user is an existing user, specified in one of these formats:

alias
group-num,member-num
group-name.
ADD ALIAS Command User Alias Security Commands INITIAL-PROGRAM [prog-path] INITIAL-PROGTYPE [prog-type] CI-PROG [prog-filename] CI-LIB [lib-filename] CI-CPU [cpu-number | ANY] CI-NAME [process-name] CI-SWAP [$vol.[subvol.filename]] CI-PRI [priority] CI-PARAM-TEXT [startup-param-text] Multiple remote-password entries are not allowed on the same line.
=AUDIT-AUTHENTICATE-PASS all &
=PASSWORD-MUST-CHANGE EVERY 60 DAYS &
=OWNER-LIST 86,6 &
=TEXT-DESCRIPTION "Fred’s group"

These users must change passwords for their aliases every 60 days. Their ability to log on using the aliases expires at midnight on June 28, 2005. All successful authentication attempts using the aliases are audited by the Safeguard software. User 86,6 is added as a default secondary owner of the alias authentication records.
PRS.MABEL has the user alias Mgr-Mabel and the password seaSide, and PRS.JACK has the user alias Admin-Jack and the password TROUT3. The authentication records for both aliases belong to user 86,2.

3. To add the alias BENNY1 for the user 86,4, the PRS manager uses the LIKE clause with the ADD command:

=ADD ALIAS BENNY1, 86,4 , LIKE prs.
user
   is an existing user specified in one of these formats:
      alias
      group-num,member-num
      group-name.member-name

LIKE changes the values of all attributes except:
   PASSWORD [password]
   REMOTEPASSWORD \system-name remote-password
   GUARDIAN [DEFAULT] SECURITY ["]string["]
   GUARDIAN [DEFAULT] [SUB]VOLUME [\system.]$vol.
CI-PRI [priority]
CI-PARAM-TEXT [startup-param-text]

OWNER [owner-id]
   transfers the primary ownership of an alias authentication record to the user whose user ID is specified as owner-id. For owner-id, specify either of:
      [\*.]group-name.member-name
      [\*.]group-num , member-num
   If you omit owner-id, it is set to your user ID.
character. The case of the letters is preserved. Lowercase letters remain lowercase, and uppercase remain uppercase. If omitted, the value for password is set to null. In this case, the password is not required for the user to log on to the system. The password is subject to the restrictions imposed by the configuration options described in Section 16, Safeguard Subsystem Commands.

WARNING. Only the first eight characters of the password will be considered.
PASSWORD-MUST-CHANGE [EVERY num DAYS]
   changes the maximum number of days that a user can use the same password. For num, specify an integer from 1 through 32,767.

   Changing the PASSWORD-MUST-CHANGE attribute causes the Safeguard software to calculate a new PASSWORD-EXPIRES date. The PASSWORD-EXPIRES date is set to the current date, plus num days.
year is a 4-digit integer.
hour is an integer from 0 through 23.
min is an integer from 0 through 59.

If you set the PASSWORD-MUST-CHANGE attribute after setting the PASSWORD-EXPIRES attribute, the PASSWORD-EXPIRES date calculated as a result of setting PASSWORD-MUST-CHANGE overrides the explicit setting of the PASSWORD-EXPIRES attribute.
AUDIT-MANAGE-FAIL [audit-spec]
   changes the audit-spec for unsuccessful attempts to manage the alias authentication record. The form of audit-spec is:
      { ALL | LOCAL | REMOTE | NONE }
   For a description of audit-spec, see the SET ALIAS Command on page 6-37. Omitting audit-spec specifies NONE.

AUDIT-USER-ACTION-PASS [audit-spec]
   changes the audit-spec for successful events performed using this alias.
REMOTEPASSWORD [ \system-name [ remote-password] ]
   adds a new remote password, changes the remote password currently defined for a particular system, or deletes a remote password. An alias can have zero, one, or many remote passwords (one for each remote system to which the alias is granted access, as well as one for the local system matching that remote system).
GUARDIAN [DEFAULT] SECURITY ["]string["]
   changes the Guardian default disk file security string for the alias. The word DEFAULT is optional, as are the quotes that surround the security string specifier. You can include them in the command for readability.

string
   is a four-character string that specifies the Guardian default security string. Each position in the string can contain one of these characters: O, U, G, C, A, or N.
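When reviewing alias records, it helps to decode each GUARDIAN DEFAULT SECURITY value and flag positions that open files to every user. The following is an added example, not code from this manual; it assumes the standard Guardian position order (read, write, execute, purge) and the standard meanings of the six letters, neither of which is spelled out on this page, and the sample report text is constructed.

```python
"""Decode and audit Guardian default security strings (added example)."""
import re

# Position order of a Guardian security string: read, write, execute, purge.
# Assumption: standard Guardian convention; this page does not spell it out.
OPERATIONS = ("read", "write", "execute", "purge")

# (who, remote_allowed) for each letter the page lists. The meanings are the
# standard Guardian ones and are an assumption here; the page only names the letters.
CODES = {
    "O": ("owner", False),
    "U": ("owner", True),
    "G": ("group", False),
    "C": ("group", True),
    "A": ("any user", False),
    "N": ("any user", True),
}


def decode(security):
    """Map each operation to (code, who, remote_allowed)."""
    s = security.strip().strip('"').upper()
    if len(s) != 4:
        raise ValueError(f"security string must have four characters: {security!r}")
    bad = sorted(set(s) - set(CODES))
    if bad:
        raise ValueError(f"unsupported code(s) {bad} in {security!r}")
    return {op: (ch, *CODES[ch]) for op, ch in zip(OPERATIONS, s)}


def audit(security):
    """Return (operation, code, reason) for every position worth reviewing."""
    findings = []
    for op, (code, who, remote) in decode(security).items():
        if who != "any user":
            continue
        if remote:
            findings.append((op, code, "any local or remote user"))
        elif op in ("write", "purge"):
            findings.append((op, code, "any local user can modify or remove the file"))
    return findings


_REPORT_LINE = re.compile(r"GUARDIAN DEFAULT SECURITY\s*=\s*(\S+)")


def audit_report(report_text):
    """Audit every GUARDIAN DEFAULT SECURITY line found in saved report text."""
    return {m.group(1): audit(m.group(1)) for m in _REPORT_LINE.finditer(report_text)}


# Constructed sample: two report fragments using security strings shown on this page.
SAMPLE = """\
GUARDIAN DEFAULT SECURITY = OOOO
GUARDIAN DEFAULT SECURITY = NUNU
"""

if __name__ == "__main__":
    for value, findings in audit_report(SAMPLE).items():
        print(value, findings or "no findings")
```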
INITIAL-PROGRAM [prog-path]
   changes the initial program pathname within the OSS environment for the alias.

   prog-path is a case-sensitive text string of up to 256 characters. It must be a syntactically valid OSS pathname. If you specify the INITIAL-DIRECTORY attribute, it must be the last attribute in the command string.

   This feature is not currently implemented on NonStop systems. It is reserved for future use.
CI-NAME [process-name]
   changes the process name to be assigned to the command interpreter specified by CI-PROG. process-name must be a local process name. If you omit process-name, the Safeguard software generates a process name.

CI-SWAP [$vol[.subvol.filename]]
   changes the name of the volume or file to be used as the swap volume or file for the command interpreter. $vol must be a local volume name. You can optionally supply a subvolume name and file name.
group is one of:
   GROUP [NAME]=group-name
   GROUP NUMBER=group-num
   PRIMARY-GROUP [NAME]=group-name
   PRIMARY-GROUP NUMBER=group-num

Wild-card characters are not allowed in the group names or group numbers. Multiple groups within the expression can be enclosed within parentheses to change the order of evaluation of a complex expression (see Example 4).

group-name is case-sensitive.
the user who has user ID 14,2 and to require that Darlene change the logon password for this alias every 35 days:

=ALTER ALIAS Admin_Darlene, OWNER 14,2, &
=PASSWORD-MUST-CHANGE EVERY 35 DAYS

Because the OWNER attribute for Admin_Darlene was changed to a member of another group, PRS.MANAGER can no longer manage this authentication record.

2.
alias
   specifies the alias or aliases whose authentication records are to be deleted. alias is a text-string as defined under the ADD ALIAS command. The alias can contain wild-card characters.

WHERE expression
   causes the DELETE command to apply only to authentication records for aliases that belong to the groups specified by expression. For a description of WHERE expression, see the ALTER ALIAS Command on page 6-9.
ALIAS
   specifies ALIAS as the object type of the FREEZE command. Omit it if ALIAS is the assumed object type. (For more information about assumed types, see the ASSUME Command on page 4-3.)

alias
   specifies the alias or aliases whose authentication records are to be frozen. alias is a text-string as defined under the ADD ALIAS command. The alias can contain wild-card characters.
Use of the INFO ALIAS command is limited to these users:

• The user assigned the alias
• The primary and secondary owners of the alias authentication record
• The primary owner’s group manager
• The super ID

Any alias of the user can execute the INFO USER command for any other alias of the user.

INFO [ / OUT listfile / ] ALIAS { alias | ( alias [ , alias ] ... ) }
     [ [ , ] option ] [ , option ] ...
TEXT-DESCRIPTION
WHERE expression

GENERAL
   displays the basic user attributes including UID, password settings, user expiration, Guardian security, and Guardian default volume.

DETAIL
   displays all attributes, including those displayed by all other options.

AUDIT
   displays only attributes related to auditing.

CI
   displays only attributes related to the default command interpreter.

OSS
   displays only attributes related to OSS initial settings.
Figure 6-1. INFO ALIAS Brief Report Format

NAME     USER-ID     OWNER       STATUS
alias    u-id        o-id [+]    status

NAME alias
   is the user alias whose current user attributes are being displayed.

USER-ID u-id
   is the structured view of the user ID of the user associated with this alias.

OWNER o-id
   is the user ID of the user who is the primary owner of this alias authentication record. If o-id is the network form of a user ID, the primary owner is a network user.
The values of the status field are listed in the order of their priority. When two or more of the conditions described by a status value apply to a user alias, only the highest priority is displayed. For example, if a password is expired and the alias is frozen, status is displayed as PSWD-EXP.
INFO ALIAS Detailed Report

Figure 6-2 on page 6-28 shows the format of the detailed INFO ALIAS report.

Figure 6-2.
LAST-LOGON = date,time
   is the time and date when the user last logged onto the system with this alias (in local civil time).

LAST-MODIFIED = date,time
   is the time and date when this alias authentication record was last changed (in local civil time).

USER-EXPIRES = date, time
   is the date and time when the user’s ability to log on to the system with this alias will be suspended (in local civil time).
FROZEN/THAWED = frozen | thawed
   indicates whether or not a user’s access to the system with this alias has been frozen. While the alias is frozen, the user cannot log on to the system with this alias.

STATIC FAILED LOGON COUNT = count
   is the number of total unsuccessful logon attempts made with this alias since it was created. (This count cannot be reset.)

GUARDIAN DEFAULT SECURITY = string
   is the Guardian default security string for this alias.
CI-NAME = [ process-name ]
   is the process name assigned to the command interpreter.

CI-SWAP = [ $vol[.subvol.filename] ]
   is the swap volume or file used with the command interpreter.

CI-CPU = num | ANY
   is the number of the CPU in which the command interpreter runs. ANY indicates any CPU.

CI-PRI = [ num ]
   is the priority at which the command interpreter runs.

CI-PARAM-TEXT = [ text ]
   is the startup parameter text supplied to the command interpreter.
SUBJECT DEFAULT PROTECTION SECTION
   shows the default protection assigned to the user’s disk files when they are added to the Safeguard database.

OWNER-LIST-SECTION
   is a list of the secondary owners of the user’s authentication record.

Examples

1.
ALIAS
   specifies ALIAS as the object type of the RESET command. Omit it if ALIAS is the assumed type. (For more information, see the ASSUME Command on page 4-3.)

user-attribute-keyword
   sets the current default value of the specified user attribute to a predefined value.
PASSWORD-MUST-CHANGE
   num days is set to null. (The alias password never has to be changed.)

PASSWORD-EXPIRY-GRACE
   num days is set to null. (There is no extension period during which to change an expired alias password.)

PASSWORD-EXPIRES
   date,time are set to null (no expiration date).

AUDIT-AUTHENTICATE-PASS
   audit-spec is set to NONE.

AUDIT-AUTHENTICATE-FAIL
   audit-spec is set to NONE.

AUDIT-MANAGE-PASS
   audit-spec is set to NONE.
GUARDIAN [DEFAULT] [SUB]VOLUME
   $vol.subvol is set to $SYSTEM.NOSUBVOL.

INITIAL-DIRECTORY
   dir-path is set to null (no pathname).

INITIAL-PROGRAM
   prog-path is set to null (no pathname).

INITIAL-PROGTYPE
   prog-type is set to PROGRAM.

CI-PROG
   prog-filename is set to null (no command interpreter in this alias record).

CI-LIB
   lib-filename is set to null (no library file).

CI-CPU
   cpu-number is set to ANY.

CI-NAME
   process-name is set to null.
Examples

To restore the current default user attributes (set in previous SET ALIAS commands) to their predefined values, you can first enter the SHOW ALIAS command to display the current user attributes:

=SHOW ALIAS

The report shows:

TYPE ALIAS OWNER 86,2
PASSWORD =
USER-EXPIRES = * NONE *
PASSWORD-EXPIRES = * NONE *
PASSWORD-MUST-CHANGE EVERY = 30 DAYS
PASSWORD-EXPIRY-GRACE = * NONE *
GUARDIAN DEFAULT SECURITY = OOOO
GUARDIAN DEFAULT VOLUME = $DATA2.
The report shows:

TYPE ALIAS OWNER 86,255
PASSWORD =
USER-EXPIRES = * NONE *
PASSWORD-EXPIRES = * NONE *
PASSWORD-MUST-CHANGE EVERY = * NONE *
PASSWORD-EXPIRY-GRACE = * NONE *
GUARDIAN DEFAULT SECURITY = OOOO
GUARDIAN DEFAULT VOLUME = $SYSTEM.
user
   is an existing user specified in one of these formats:
      alias
      group-num,member-num
      group-name.member-name

LIKE sets the current default values for all user attributes except:
   PASSWORD [password]
   REMOTEPASSWORD \system-name remote-password
   GUARDIAN [DEFAULT] SECURITY ["]string["]
   GUARDIAN [DEFAULT] [SUB]VOLUME [\system.]$vol.
OWNER [owner-id]
   specifies the primary owner of an alias authentication record. For owner-id, specify either of:
      [\*.]group-name.member-name
      [\*.]group-num , member-num
   If you omit owner-id, your user ID becomes the current owner-id.

OWNER-LIST [[-]user-list]
   changes the secondary ownership of an alias authentication record by adding or deleting owners in the owner list.
preserved. Lowercase letters remain lowercase, and uppercase letters remain uppercase. If you omit password, the value for password is set to null. (No password is required for logon.)

USER-EXPIRES [ date [ , time] ]
   establishes a date and time after which a user cannot log on to the system with this alias. Specify date and time as local civil time. If you omit both date and time, the user-expiration attribute value is set to null (no expiration date).
Omitting the EVERY num DAYS clause disables PASSWORD-MUST-CHANGE. (That is, the password never expires unless the PASSWORD-EXPIRES attribute is set.)

PASSWORD-EXPIRY-GRACE num [DAYS]
   specifies the number of days after password expiration during which the password for this alias can be changed during logon. For num, specify an integer from 0 through 32,767. A value of 0 means no extension period.
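The interaction of PASSWORD-MUST-CHANGE, PASSWORD-EXPIRES, and PASSWORD-EXPIRY-GRACE is easier to check with a small model. This is an added example, not Safeguard code: the class, function, and state names are hypothetical, and it assumes that a password past its grace period can no longer be changed at logon and that omitting EVERY num DAYS leaves an existing expiration date untouched.

```python
"""Model of the alias password-expiry rules described in this section (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class AliasPasswordPolicy:
    """Hypothetical container for the three attributes discussed above."""
    must_change_days: Optional[int] = None   # PASSWORD-MUST-CHANGE EVERY n DAYS
    expires: Optional[datetime] = None       # PASSWORD-EXPIRES
    grace_days: Optional[int] = None         # PASSWORD-EXPIRY-GRACE


def apply_command(policy, attrs, now):
    """Apply the attributes of ONE command, given as {keyword: value}."""
    if "PASSWORD-MUST-CHANGE" in attrs:
        days = attrs["PASSWORD-MUST-CHANGE"]      # None models the omitted clause
        if days is not None and not 1 <= days <= 32767:
            raise ValueError("num must be from 1 through 32,767")
        policy.must_change_days = days
        if days is not None:
            # A new PASSWORD-EXPIRES date is calculated: current date plus num days.
            # This replaces an explicit date set by an earlier command.
            policy.expires = now + timedelta(days=days)
    if "PASSWORD-EXPIRY-GRACE" in attrs:
        grace = attrs["PASSWORD-EXPIRY-GRACE"]
        if not 0 <= grace <= 32767:
            raise ValueError("num must be from 0 through 32,767")
        policy.grace_days = grace
    if "PASSWORD-EXPIRES" in attrs:
        # Applied last: within the same command the explicit date takes precedence
        # over the date calculated from PASSWORD-MUST-CHANGE.
        policy.expires = attrs["PASSWORD-EXPIRES"]
    return policy


def password_state(policy, now):
    """Classify the password at logon time (state names are hypothetical)."""
    if policy.expires is None or now < policy.expires:
        return "VALID"
    grace_end = policy.expires + timedelta(days=policy.grace_days or 0)
    if now < grace_end:
        return "EXPIRED-CHANGE-AT-LOGON"
    return "EXPIRED"   # assumption: no change at logon once the grace period ends


if __name__ == "__main__":
    now = datetime(2005, 6, 1)
    p = apply_command(AliasPasswordPolicy(),
                      {"PASSWORD-EXPIRES": datetime(2005, 12, 15)}, now)
    apply_command(p, {"PASSWORD-MUST-CHANGE": 35}, now)
    print(p.expires)   # the calculated date replaces the explicit one
```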
AUDIT-AUTHENTICATE-PASS [audit-spec]
   establishes an audit-spec for successful user authentication attempts. The audit-spec specifies the conditions under which the Safeguard software writes an audit record to the audit file when the user successfully logs on to the system with this alias. The form of audit-spec is:
      { ALL | LOCAL | REMOTE | NONE }

   ALL
      All successful logons are audited.
   LOCAL
      Only successful logons from the local system are audited.
   NONE
      No unsuccessful logons are audited.

   Omitting audit-spec specifies NONE.

AUDIT-MANAGE-PASS [audit-spec]
   establishes an audit-spec for successful attempts to manage the alias authentication record. The audit-spec specifies the conditions under which an audit record is written to the audit file when the alias authentication record is managed. The form of audit-spec is:
      { ALL | LOCAL | REMOTE | NONE }

   ALL
      All successful management attempts are audited.
   REMOTE
      Only unsuccessful management attempts from a remote system are audited.
   NONE
      No unsuccessful management attempts are audited.

   Omitting audit-spec specifies NONE.

AUDIT-USER-ACTION-PASS [audit-spec]
   establishes an audit-spec for successful events performed by the user logged on with this alias, including attempts to access objects and attempts to create or manage Safeguard protection records.
   ALL
      All unsuccessful events are audited.
   LOCAL
      Only unsuccessful events on the local system are audited.
   REMOTE
      Only unsuccessful events by a remote user are audited.
   NONE
      No unsuccessful events are audited.

   Omitting audit-spec specifies NONE.

TEXT-DESCRIPTION "[text]"
   specifies a string of descriptive text to be associated with the alias. The text must consist of printable characters.
DEFAULT-PROTECTION [ obj-attr ] [ ( obj-attr [ ,obj-attr ] ...) ]
   specifies one or more attributes to be assigned immediately to new disk files created by this alias. If you omit obj-attr, new disk files remain under Guardian protection. If any obj-attr is specified, the attribute updates the current default protection record.

   obj-attr is one of:
      OWNER [ owner-id ]
      ACCESS [ access-spec [ ; access-spec ] ...
If you omit dir-path, no pathname is used.

INITIAL-PROGRAM [prog-path]
   specifies the initial program pathname within the OSS environment for the alias.

   prog-path is a case-sensitive text string of up to 256 characters. It must be a syntactically valid OSS pathname. If you specify the INITIAL-DIRECTORY attribute, it must be the last attribute in the command string.

   This feature is not currently implemented on NonStop systems.
CI-CPU [cpu-number | ANY]
   specifies the number of the CPU in which the command interpreter is to run. If you specify ANY, any CPU is used. If you do not specify cpu-number, any CPU is used.

CI-NAME [process-name]
   specifies the process name to be assigned to the command interpreter specified by CI-PROG. If you omit process-name, Safeguard assigns a process name. process-name must be a local process name.

CI-SWAP [$vol.[subvol.
• PASSWORD-EXPIRES takes precedence over PASSWORD-MUST-CHANGE.

  If the PASSWORD-EXPIRES and PASSWORD-MUST-CHANGE attributes are set in the same command, the setting of the PASSWORD-EXPIRES attribute takes precedence over the PASSWORD-EXPIRES date calculated as a result of setting the PASSWORD-MUST-CHANGE attribute.

Examples

The group manager for group 14 enters the following SET and ADD commands to add a temporary alias for user 14,22.
Next the group manager issues the ADD ALIAS command to add the alias Temp3 for user 14,22:

=ADD ALIAS Temp3, 14,22

Finally the group manager issues the INFO ALIAS command to confirm that the alias was added:

=INFO ALIAS Temp3

The report displays:

NAME     USER-ID     OWNER      STATUS
Temp3    14,22       14,255     THAWED

SHOW ALIAS Command

SHOW ALIAS displays the current default values for user attributes.
SHOW ALIAS Report Format

The SHOW ALIAS command displays the default user attributes and their current values in the format shown in Figure 6-3 on page 6-51.

Figure 6-3.
PASSWORD-EXPIRES = { date,time | * NONE * }
   either gives the date and time when the password expires or indicates that no expiration date has been specified.

PASSWORD-MUST-CHANGE EVERY = { n DAYS | * NONE * }
   either gives the maximum number of days that the alias can retain the same password or indicates that no limit has been set.
CI-SWAP = { $vol[.subvol.filename] | * NONE * }
   either gives the swap volume or file used with the command interpreter or indicates no swap volume or file is specified.

CI-CPU = { num | ANY }
   either gives the number of the CPU in which the command interpreter runs or indicates any CPU will be used.

CI-PRI = { num | * NONE * }
   either gives the priority at which the command interpreter runs or indicates that no priority is assigned in the user record.
Examples

1. This sample SHOW ALIAS command displays the predefined user-attribute settings for the user who has user ID 86,2:

=SHOW ALIAS

The report displays:

TYPE ALIAS OWNER 86,2
PASSWORD =
USER-EXPIRES = * NONE *
PASSWORD-EXPIRES = * NONE *
PASSWORD-MUST-CHANGE EVERY = * NONE *
PASSWORD-EXPIRY-GRACE = * NONE *
GUARDIAN DEFAULT SECURITY = OOOO
GUARDIAN DEFAULT VOLUME = $SYSTEM.
The PRS group manager enters:

=SHOW ALIAS

The report displays:

TYPE ALIAS OWNER 86,255
PASSWORD = Pasta
USER-EXPIRES = 15DEC05, 0:00
PASSWORD-EXPIRES = * NONE *
PASSWORD-MUST-CHANGE EVERY = 30 DAYS
PASSWORD-EXPIRY-GRACE = * NONE *
GUARDIAN DEFAULT SECURITY = NUNU
GUARDIAN DEFAULT VOLUME = $TOPS.
alias
   specifies the alias (or aliases) whose ability to log on is to be restored. alias can contain wild-card characters.

WHERE expression
   causes the THAW command to apply only to authentication records for aliases that belong to the groups specified by expression. For a description of WHERE expression, see the ALTER ALIAS Command on page 6-9.

Examples

1.
7 Group Commands

The GROUP commands allow a security administrator to define user groups and manage the membership of those groups. User groups created explicitly with the ADD GROUP command can exist independently of user definitions. The groups created in this manner usually serve as file-sharing groups rather than as administrative groups. Typically, an administrative group is created implicitly with the ADD USER command, as described in Section 5, User Security Commands.

Note.
Group Names and Access Control Lists

Currently, only administrative group names and numbers are allowed on Safeguard ACLs. File-sharing group names and numbers are not permitted in ACLs. However, the Safeguard software’s method of evaluating ACLs recognizes extended group membership. An ACL entry in the form group-name.
Table 7-1. Group Command Summary

Command         Description
ADD GROUP       Adds a group definition record with the specified group attribute values.
ALTER GROUP     Changes one or more attribute values in a group definition record.
DELETE GROUP    Deletes a group definition record.
INFO GROUP      Displays the existing attribute values in a group definition record.

Syntax of Group Commands

The remainder of this section describes each group command in detail.
alphabetic or numeric. The group-name must not already exist as an administrative group name.

Note. If you want to define a group that can be subsequently used as an administrative group, the group name and group number must meet the syntactical requirements for administrative groups:

• The group name must be from one to eight alphabetic or numeric characters, the first of which must be alphabetic.
You can specify up to 32 members to be added to the list in a single ADD GROUP command.

DESCRIPTION [ text ]
   specifies up to 255 characters of descriptive text. All text following the keyword DESCRIPTION to the end of the command is considered to be descriptive text. Therefore, if you specify a description, it must appear last in the command string. If you omit text, no descriptive text is included in the group record.
description that identifies this group as first-shift administrators. No members are added to the group.

=ADD GROUP shift1-admin NUMBER 656, DESCRIPTION All &
=first-shift system administrators

2. The following command adds a group definition record for the group named ADMIN, which is assigned the group number 120. No descriptive text is included.
NUMBER num-list
   specifies the numeric ID of the group or groups to be altered. The num-list can contain up to 32 entries.

num-list
   specifies one or more groups for which definition records are to be altered. num-list can be either of:
      group-num
      ( group-num [ , group-num] ... )
   group-num can be any group number. Wild-card characters are not valid in a group-num.

group-attribute
   changes the current value of the specified attribute.
The group number.member number form of a user ID is not allowed in a MEMBER list.

You can specify up to 32 members to be added to the list and up to 32 members to be deleted from the list in a single command. If necessary, you can use more than one MEMBER clause in a single ALTER GROUP command. To add and delete members in the same command, use separate MEMBER clauses, as Example 3 shows.
DELETE GROUP Command

The DELETE GROUP command deletes group definition records for specified groups. You can specify groups by either group name or group number in a DELETE GROUP command, but you cannot mix names and numbers within the same command. If you specify group names, they can contain wild-card characters.

A group cannot be deleted if it contains members. You must remove all members from a group before you can delete that group record.
Considerations

• Unlike an administrative group that is created implicitly with the ADD USER command, a group created with the ADD GROUP command is not deleted automatically when its last member is deleted. (For additional details, see the INFO GROUP Detailed Report on page 7-11.
num-list can be either of:
   group-num
   ( group-num [ , group-num ] ... )
group-num can be any group number. Wild-card characters are not valid in a group-num.

INFO GROUP Brief Report

Figure 7-1 shows the format of the brief INFO GROUP report. A description of the group attribute values and status fields immediately follows it.

Figure 7-1.
Figure 7-2. INFO GROUP Detailed Report Format

GROUP NAME    NUMBER      OWNER    LAST-MODIFIED
group-name    groupnum    o-id     date,time
AUTO-DELETE = {ON | OFF}
DESCRIPTION = [text]
MEMBER = [member]

In addition to the attributes and status fields displayed in the brief INFO GROUP report, the detailed INFO GROUP report also displays these attributes:

AUTO-DELETE = { ON/OFF }
   is the AUTO-DELETE group attribute, which is a read-only attribute. It cannot be set through SAFECOM.
8 Disk-File Security Commands

The SAFECOM disk file security commands give disk-file owners access control of protected disk files and the ability to specify when to audit attempts to access and manage the authorization records for these files.

By default, only the disk file’s owner, the owner’s group manager, or the super ID can add a Safeguard authorization record unless a list of users is specified by the OBJECTTYPE DISKFILE. (For more information, see Section 12, OBJECTTYPE Security Commands.
The primary owner can also set the PROGID attribute through the ALTER DISKFILE command. The PROGID attribute is controlled exclusively by the primary owner, however, and is not transferable.

When a disk file is under Safeguard protection, the Safeguard software controls all security attributes. The FUP GIVE, LICENSE, REVOKE, and SECURE commands are superseded by Safeguard protection.
Disk-File Access Authorization

When a process attempts to access a protected disk file, the Safeguard software checks the process’s group list and the disk file ACL to see if the user identified by the process accessor ID (PAID) of that process has the required access authority. If that user lacks the authority, the access attempt is rejected with a security violation error (file error 48).
Note. If a persistent protection record exists for the new file name, the renamed file assumes that persistent ACL. If the current file has a Safeguard ACL and the new file name does not have a persistent protection record, the renamed file assumes the ACL of the current file. However, if the PERSISTENT flag is ON in the current file’s protection record, that ACL is not transferred to the renamed file.
Table 8-2. Disk-File Security Command Summary (page 2 of 2)

Command                   Description
RESET DISKFILE            Resets one or more default attribute values to predefined values.
RESET DISKFILE-PATTERN    Resets one or more default diskfile-pattern attributes to values predefined by the Safeguard software. Any subsequent ADD DISKFILE-PATTERN commands use these predefined defaults for attributes not specified in the ADD DISKFILE-PATTERN command.
disk file are subject to a Safeguard authorization check and optionally to Safeguard auditing.

Only the owner of a disk file, the owner’s group manager, or the local super ID can add an authorization record for a disk file.

You can use SET DISKFILE to establish default disk-file attribute values and then use ADD DISKFILE simply to name the disk files to which the default attributes are to be applied.
disk-file-attribute
   defines a disk-file attribute value for the disk-file authorization record or records being added. The disk-file attributes are:
      OWNER [owner-id]
      ACCESS access-spec [ ; access-spec ] ...
   [\node-spec.]*.*
   [\node-spec.]*,*

- (minus-sign)
   operates on existing ACL entries. The minus-sign form of access-spec modifies the current default ACL. The authority entries are removed from the default ACL entries for the users specified with user-list.

group-list can take either of these forms:
   net-group-spec
   ( net-group-spec [ , net-user-spec ] ... )

net-group-spec can take any of these forms:
   GROUP [NAME][\node-spec.] group-name
   GROUP NUMBER [\node-spec.
- (minus-sign)
   operates on existing ACL entries. The minus-sign form of access-spec modifies the current default ACL. The authority entries are removed from the default ACL entries for the users specified with user-list.

Note. Specifying ACCESS access-spec through the ADD command does not override the current default ACL (established through the SET command).
LICENSE OFF
   revokes the license of all program object files specified with filename-list.

PROGID {ON|OFF}
   changes the PROGID attribute of a program object file. When the PROGID attribute is set ON, the process accessor ID (PAID) of a process that is executed from that object file is set to the user ID of the primary owner of the object file.
PERSISTENT OFF
   indicates the authorization record for the disk file is deleted if the file is purged.

AUDIT-ACCESS-PASS [audit-spec]
   changes the audit-spec for successful attempts to access the disk file. The form of audit-spec is:
      { ALL | LOCAL | REMOTE | NONE }
   For a description of audit-spec, see the SET DISKFILE Command on page 8-55. Omitting audit-spec specifies NONE.
TRUST { ME | SHARED | OFF }
   sets the TRUST attribute for the specified disk file. The disk file must be a program object file. The initial value is OFF. This attribute is valid only on systems running H-series RVUs. Only the super ID can set this attribute.

Considerations

• Attributes in an ADD command affect only the record added.
To secure a partitioned disk file completely, add a separate disk-file authorization record for each partition. Adding an authorization record for only the primary partition protects the partitioned file from any accesses made by opening the primary partition but does not prevent the secondary partitions from being opened individually.
Examples

1. The owner of the disk file $DATA.KEEP.INFO uses these commands to add a Safeguard authorization record for the file and give ownership of the file to a member of group 86:

=SET DISKFILE ACCESS 86,2 (r,w,e,p); 86,* (r,e)
=SET DISKFILE CLEARONPURGE ON, AUDIT-ACCESS-PASS all,&
=AUDIT-MANAGE-PASS all
=ADD DISKFILE $data.keep.
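To see what the ACCESS list in the example above grants to a given user ID, the access-spec can be parsed and evaluated offline before the command is issued. This is an added example, not Safeguard code: it handles only the numeric group,member forms (with * wild cards), does not model DENY entries, node specifications, group lists, or the super ID, and assumes that the authorities of all matching entries accumulate.

```python
"""Parse a disk-file access-spec and evaluate a request (added example)."""
import re

# Access authorities named in this section: R, W, E, P, C, and O.
AUTHORITIES = {"R": "READ", "W": "WRITE", "E": "EXECUTE",
               "P": "PURGE", "C": "CREATE", "O": "OWNER"}
SECURITY_VIOLATION = 48   # file error the manual gives for a rejected access
NO_ERROR = 0

# One entry: "group,member (authority-list)"; numeric IDs and "*" only.
_ENTRY = re.compile(r"^\s*(\d+|\*)\s*,\s*(\d+|\*)\s*\(([^()]*)\)\s*$")


def _authority(token):
    """Normalize 'r' or 'READ' to its one-letter form."""
    token = token.strip().upper()
    for letter, word in AUTHORITIES.items():
        if token in (letter, word):
            return letter
    raise ValueError(f"unknown access authority: {token!r}")


def parse_access(spec):
    """Turn 'g,m (a,b); g,* (a)' into [((group, member), frozenset(letters))]."""
    acl = []
    for part in spec.split(";"):
        if not part.strip():
            continue
        match = _ENTRY.match(part)
        if match is None:
            raise ValueError(f"unsupported access-spec entry: {part!r}")
        group, member, auth_text = match.groups()
        if auth_text.strip() == "*":          # asterisk means all authorities
            auths = frozenset(AUTHORITIES)
        else:
            auths = frozenset(_authority(t) for t in auth_text.split(","))
        acl.append(((group, member), auths))
    return acl


def _matches(entry_id, user):
    return all(pattern == "*" or int(pattern) == actual
               for pattern, actual in zip(entry_id, user))


def granted(acl, user):
    """Union of authorities from every entry that matches (group, member)."""
    result = set()
    for entry_id, auths in acl:
        if _matches(entry_id, user):
            result |= auths
    return frozenset(result)


def check_access(acl, user, authority):
    """Return 0 when the authority is granted, otherwise file error 48."""
    return NO_ERROR if _authority(authority) in granted(acl, user) else SECURITY_VIOLATION


if __name__ == "__main__":
    acl = parse_access("86,2 (r,w,e,p); 86,* (r,e)")
    for user in [(86, 2), (86, 7), (14, 2)]:
        print(user, "".join(sorted(granted(acl, user))) or "none",
              "WRITE ->", check_access(acl, user, "W"))
```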
ADD DISKFILE-PATTERN Command Disk-File Security Commands that contains at least one wildcard in either the subvolume or file name component, comprised of these three components: • • • A volume name, which will include only valid volume characters. For the ADD command, wildcards are not valid in the volume name component of the pattern-spec when used for a LIKE operation. One wildcard character is required in either the subvolume or filename.
user-list
specifies users who are granted (or denied) the access authorities specified with the following authority-list. user-list can be either of:

net-user-spec
( net-user-spec [ , net-user-spec ] ... )

net-user-spec can be any of:

[\node-spec.]adm-group-name.user-name
[\node-spec.]adm-group-num , user-num
[\node-spec.]adm-group-name.*
[\node-spec.]adm-group-num , *
[\node-spec.]*.*
[\node-spec.]*,*

- (minus-sign) operates on existing ACL entries.
adm-group-name
specifies the name of the administrative group.

adm-group-num
specifies the group number of an administrative group.

group-name
specifies the name of any group.

group-num
specifies the group number of any group.

- (minus-sign) operates on existing ACL entries. The minus-sign form of access-spec modifies the current default ACL. The authority entries are removed from the default ACL entries for the users specified with user-list.
C[REATE]
O[WNER]

* (asterisk) specifies all the disk-file access authorities (R, W, E, P, C, and O).

AUDIT-ACCESS-PASS [audit-spec]
changes the audit-spec for successful attempts to access the diskfile pattern. The form of audit-spec is:

{ ALL | LOCAL | REMOTE | NONE }

For a description of audit-spec, see the SET DISKFILE Command on page 8-55. Omitting audit-spec specifies NONE.
ON
enables warning mode for the specified diskfile pattern. The initial value is OFF, which disables warning mode for the specified diskfile pattern.

Considerations

• Attributes in an ADD command affect only the record added. Any attribute specifications in an ADD DISKFILE command affect only the authorization record being created and do not change the current default disk-file attribute values.
primary partition but does not prevent the secondary partitions from being opened individually.

Examples

1. To add a protection record that describes all production data base files that reside on $DATA with subvolume names that begin with PROD:

ADD DISKFILE-PATTERN $DATA.PROD*.*, &
ACCESS PROD.* (R,W)

2. To add a diskfile pattern for all files in subvolume $A.B:

ADD DISKFILE-PATTERN $A.B.*, ACCESS *.* (R,W)

3.
filename-list can be either of:

disk-file-name
( disk-file-name [ , disk-file-name ] ... )

disk-file-name can be any disk-file name. The name can contain wild-card characters.

LIKE disk-file-name
changes the attribute values of the disk files specified with filename-list to the same as the existing attribute values for disk-file-name. For the ACCESS attribute, LIKE only adds ACL entries or adds authorities to existing entries.
An ACL contains as many as 50 entries that grant or deny access authorities to users and user groups. access-spec has the form:

user-list [-] [DENY] authority-list
group-list [-] [DENY] authority-list

user-list
specifies users who are granted (or denied) the access authorities specified with the following authority-list. user-list can be either of:

net-user-spec
( net-user-spec [ , net-user-spec ] ... )

net-user-spec can be any of:

[\node-spec.
node-name
specifies the system name.

node-number
specifies the Expand node number.

adm-group-name
specifies the name of the administrative group.

adm-group-num
specifies the group number of an administrative group.

group-name
specifies the name of any group.

group-num
specifies the group number of any group.

- (minus-sign) operates on existing ACL entries. The minus-sign form of access-spec modifies the current default ACL.
C[REATE]
O[WNER]

* indicates all the disk-file access authorities except CREATE authority (R, W, E, P, and O).

LICENSE {ON|OFF}
either licenses a program object file or revokes the license of a currently licensed program object file. (For more information about the LICENSE attribute, see SET DISKFILE Command on page 8-55.)

LICENSE ON
licenses all program object files specified with filename-list.
CLEARONPURGE OFF
when a disk file is purged, its entry in the volume directory is deleted.

PERSISTENT {ON|OFF}
changes the PERSISTENT attribute for all the disk files in filename-list. The PERSISTENT attribute specifies whether the authorization record for a disk file is retained if the disk file is purged.

PERSISTENT ON
indicates that the authorization record for the disk file is retained if the file is purged.
AUDIT-MANAGE-FAIL [audit-spec]
changes the audit-spec for unsuccessful attempts to change or read a disk file authorization record. The form of audit-spec is:

{ ALL | LOCAL | REMOTE | NONE }

For a description of audit-spec, see the SET DISKFILE Command on page 8-55. Omitting audit-spec specifies NONE.

WHERE option-list
specifies that only disk files in filename-list that have LICENSE, PROGID, WARNING-MODE, TRUST ME, or TRUST SHARED set are to be altered.
The following list of command pairs shows the equivalent SAFECOM commands to use for the disabled FUP commands:

FUP GIVE filename-list , group-num,member-num
ALTER DISKFILE filename-list , OWNER owner-id

FUP SECURE filename-list , PROGID
ALTER DISKFILE filename-list , PROGID ON

FUP REVOKE filename-list , PROGID
ALTER DISKFILE filename-list , PROGID OFF

FUP SECURE filename-list , CLEARONPURGE
ALTER DISKFILE filename-list , CLEARONPURGE ON

FUP REVOKE filena
Now the users who have user IDs 86,8 and 86,10 can read, write, and execute this file, and user PRS.DARLENE cannot write, execute, or purge the file. The ACL entry for group 86 is changed so that members of group 86 no longer have EXECUTE authority for the file.

2. The super ID uses this command to alter authorization records for all files on the volume $DATA that have either the PROGID or LICENSE attribute set ON.
pattern-spec
is the set of characters that define the pattern that describes a set of objects.
ACCESS access-spec [ ; access-spec ] ...
changes the ACL for filename-list by adding or deleting ACL entries or by changing the authority list of a current ACL entry. An ACL contains as many as 50 entries that grant or deny access authorities to users and user groups.
node-spec has the form:

* | node-name | node-number

node-name
specifies the system name.

node-number
specifies the Expand node number.

adm-group-name
specifies the name of the administrative group.

adm-group-num
specifies the group number of an administrative group.

group-name
specifies the name of any group.

group-num
specifies the group number of any group.

- (minus-sign) operates on existing ACL entries.
authority-list
specifies the access authorities to be granted (or denied) to user-list. authority-list can be any one of:

authority
( authority [ , authority ] ... )
*

authority is any one of:

R[EAD]
W[RITE]
E[XECUTE]
P[URGE]
C[REATE]
O[WNER]

* (asterisk) specifies all the disk-file access authorities (R, W, E, P, C, and O).

AUDIT-ACCESS-PASS [audit-spec]
changes the audit-spec for successful attempts to access the diskfile pattern.
AUDIT-MANAGE-FAIL [audit-spec]
changes the audit-spec for unsuccessful attempts to manage (change or read) a diskfile-pattern authorization record. The form of audit-spec is:

{ ALL | LOCAL | REMOTE | NONE }

For a description of audit-spec, see the SET DISKFILE Command on page 8-55. Omitting audit-spec specifies NONE.

WARNING-MODE { ON | OFF }
defines whether warning mode is enabled for the specified diskfile pattern. The value is required.
• $DATA123.APLOGS.LOG?
• $DATA.APLOGS.LOG????
• $DATABLE.APLOGS.LOGON?1A

DELETE DISKFILE Command

The DELETE DISKFILE command deletes the authorization record for a disk file. After a file-authorization record is deleted, the file is placed under the control of the standard Guardian security system and is no longer subject to Safeguard authorization checks or Safeguard auditing.
option-list has the form:

[ ( ] option [ OR option ] [ ) ]

option can be one of:

PROGID
LICENSE
WARNING-MODE
TRUSTME (H-series only)
TRUSTSHARED (H-series only)

Considerations

• Deleting a disk-file authorization record places the file under standard Guardian security. When you delete a disk-file authorization record, the disk file is no longer subject to Safeguard authorization checks and auditing.
DELETE DISKFILE-PATTERN Command

DELETE DISKFILE-PATTERN deletes the pattern authorization record for a diskfile pattern. The owner of a diskfile pattern, the primary owner’s group manager, the local super ID, and any user with OWNER authority on the ACL can delete a diskfile-pattern authorization record.
ALL
instructs SAFEGUARD to use all the wildcard characters as a part of a search string, not as part of the pattern.

Consideration

• Deleting a diskfile-pattern authorization record places all files described by that pattern, that are not described by another pattern, under standard Guardian security.
FREEZE DISKFILE Command Disk-File Security Commands DISKFILE specifies DISKFILE as the object type of the FREEZE command. Omit it if DISKFILE is the assumed object type. (For more information on assumed object types, see the ASSUME Command on page 4-3.) filename-list specifies the disk file or files for which access is to be frozen. filename-list can be either: disk-file-name ( disk-file-name [ , disk-file-name ] ... ) disk-file-name can be any disk-file name. The name can contain wild-card characters.
FREEZE DISKFILE-PATTERN Command Disk-File Security Commands A brief report shows: LAST-MODIFIED $DATA.HARRY SALES 086,001 086,002 086,255 8JUN87, 14:32 R R,W,E,P, R,W,E,P, OWNER 86,2 STATUS WARNING-MODE THAWED OFF STATUS WARNING-MODE FROZEN OFF O O To freeze the file: =FREEZE $data.harry.sales To see the new status: =INFO $data.harry.sales A brief report shows: LAST-MODIFIED $DATA.
FREEZE DISKFILE-PATTERN Command Disk-File Security Commands that contains at least one wildcard in either the subvolume or file name component, comprised of these three components: • • • A volume name, which will include only valid volume characters; that is, wildcard characters are not part of the pattern, and if present, imply a onedimensional search. A subvolume name, which may include wildcard characters and valid subvolume characters.
INFO DISKFILE Command

INFO DISKFILE displays the attribute values currently stored in a disk-file authorization record. INFO DISKFILE produces two types of reports: brief and detailed. The formats for the two report types follow the syntax. Any user can produce an INFO report for any disk file.

INFO [ / OUT listfile / ] DISKFILE filename-list [ , ] [ display-option ] [ , display-option ] ...

OUT listfile
directs the INFO DISKFILE report to listfile.
INFO DISKFILE Command Disk-File Security Commands DETAIL [ ON ] adds the audit-spec variables defined for the file and the current values of the LICENSE, PROGID, CLEARONPURGE, and PERSISTENT attributes to the INFO report. For a full description of the four audit-spec variables, see the SET DISKFILE Command on page 8-55. DETAIL OFF inhibits the display of additional information for this command. If you omit the DETAIL option, DETAIL OFF is the default.
Figure 8-1. INFO DISKFILE Brief Report Format

                  LAST-MODIFIED   OWNER      STATUS   WARNING-MODE
$volume.subvol
  filename        date, time      owner-id   status   {ON|OFF}
    user-spec   [DENY] authority-list
    user-spec   [DENY] authority-list
    .
    .
    .
  [ NO ACCESS CONTROL LIST DEFINED! ]

Figure 8-1 contains these attribute values and status fields:

$volume.subvol filename
is the name of the disk file whose existing attribute values are displayed.
user-spec can be any of:

group-num , member-num
group-num , *
*,*
\node-spec.group-num , member-num
\node-spec.group-num , *
\node-spec.*,*

node-spec has this form:

* | node-name | node-number

node-name
specifies the system name.

node-number
specifies the Expand node number.

group-num, member-num
identifies a single local user.

group-num,*
identifies all the local users in the group that has group-num.
authority-list can contain any of these codes:

R   READ authority
W   WRITE authority
E   EXECUTE authority
P   PURGE authority
C   CREATE authority
O   OWNER authority

[ NO ACCESS CONTROL LIST DEFINED! ]
indicates that no ACL entries are defined for this file. Use ALTER DISKFILE . . . ACCESS to define ACL entries for an existing file-authorization record. Only the local super ID can access a disk file for which no ACL is defined.
INFO DISKFILE Command Disk-File Security Commands For a complete description of each a-spec, see the appropriate audit-spec under the SET DISKFILE command. LICENSE = {ON|OFF} for program object files containing privileged code, indicates whether the object file is licensed for use by users other than the local super ID. ON This program object file is licensed for use by any user. OFF This program object file can be executed only by the local super ID.
INFO DISKFILE Command Disk-File Security Commands PERSISTENT ON indicates the authorization record for the disk file is retained if the file is purged. If you purge a file with PERSISTENT ON and later create a file with the same name, that file assumes the authorization record associated with the old file. PERSISTENT OFF indicates that the authorization record for the disk file is deleted if the file is purged.
INFO DISKFILE-PATTERN Command Disk-File Security Commands Examples 1. Any user on the system can display Safeguard status information about the file $DATA.BENNY.PROFIT: =INFO DISKFILE $data.benny.profit, DETAIL $DATA.
INFO DISKFILE-PATTERN Command Disk-File Security Commands For listfile, specify any file name. SAFECOM opens listfile and appends the INFO report to the file. If listfile does not exist, SAFECOM creates an EDIT file by that name and writes the INFO report to that file. DISKFILE-PATTERN specifies DISKFILE-PATTERN as the object type for the INFO command. Omit it if DISKFILE-PATTERN is the assumed object type. (For more information on assumed object types, see the ASSUME Command on page 4-3.
INFO DISKFILE-PATTERN Command Disk-File Security Commands DETAIL [ ON ] adds the audit-spec variables defined for the file to the INFO report. For a full description of the four audit-spec variables, see the SET DISKFILE Command on page 8-55. DETAIL OFF inhibits the display of additional information for this command. If you omit the DETAIL option, DETAIL OFF is the default. WARNINGS [ ON | OFF ] allows the display of warning messages for this command to be inhibited.
INFO DISKFILE-PATTERN Command Disk-File Security Commands \KONA.TEST.JIMMY GROUP TEST GROUP \KONA.TEST \*.*.* R,W R,W,E,P,C R R 2. To display the diskfile pattern $DATA.*TEST.*, DETAIL (that is, display a single diskfile pattern) using display user as name: =INFO DISKFILE-PATTERN $DATA.*TEST.*,DETAIL This information appears: LAST-MODIFIED OWNER STATUS WARNING-MODE $DATA.*TEST * 28SEP04, 5:44 MLH1.MGR THAWED \KONA.PROD.CARLY \KONA.TEST.JIMMY GROUP TEST GROUP \KONA.TEST \*.*.
5. To list all diskfile patterns that start with the letters $A.B.C:

INFO DISKFILE-PATTERN $A.B.C*, ALL

6. To display multiple diskfile patterns that have warning-mode enabled:

INFO DISKFILE-PATTERN $*.*.*, ALL, WHERE WARNING-MODE

RESET DISKFILE Command

RESET DISKFILE resets the current default disk file attribute values to their predefined values.
RESET DISKFILE Command Disk-File Security Commands Considerations • • Specifying an attribute name without a value in an ADD or ALTER command causes the attribute to be assigned the predefined default value (as defined for the RESET DISKFILE Command on page 8-52).
2. This command resets the default OWNER attribute to the user ID of the current SAFECOM user and resets the AUDIT-ACCESS-PASS specification to NONE:

=RESET DISKFILE OWNER, AUDIT-ACCESS-PASS

RESET DISKFILE-PATTERN Command

RESET DISKFILE-PATTERN returns the named attribute to its predefined value from a default value that optionally had been specified via the SET command.
SET DISKFILE Command

SET DISKFILE establishes default values for one or more disk-file attributes. Later, when you add an authorization record for a disk file, the current default disk-file attribute values are used for any attributes you do not specify in your ADD DISKFILE command. To display the current default disk-file attribute values, use the SHOW DISKFILE command.
SET DISKFILE Command Disk-File Security Commands OWNER [owner-id] specifies the owner of a disk file. (A disk-file owner also owns the disk-file authorization record.) owner-id can be either of: [\node-spec.]group-name.member-name [\node-spec.]group-num , member-num If you omit owner-id, owner-id is set to your user ID (that is, the process accessor ID of the current SAFECOM process). ACCESS access-spec [ ; access-spec ] ...
SET DISKFILE Command Disk-File Security Commands net-group-spec ( net-group-spec [ , net-user-spec ] ... ) net-group-spec can take any of these forms: GROUP [NAME][\node-spec.] group-name GROUP NUMBER [\node-spec.] node-spec takes this form: * | node-name | node-number node-name specifies the system name. node-number specifies the Expand node number. adm-group-name specifies the name of the administrative group. admin-group-num specifies the group number of an administrative group.
authority-list can be any of:

authority
( authority [ , authority ] ... )
*

authority is any one of the access authorities:

R[EAD]
W[RITE]
E[XECUTE]
P[URGE]
C[REATE]
O[WNER]

* indicates all the disk-file access authorities except CREATE authority. (These access authorities include R, W, E, P, and O.)

LICENSE { ON | OFF }
has meaning only for disk files containing object code for privileged programs.
SET DISKFILE Command Disk-File Security Commands PROGID ON means that the PROGID attribute is set to ON for all program object files in the filename-list of subsequent ADD DISKFILE commands. PROGID OFF means that the PROGID attribute is set to OFF for all program object files specified in the filename-list of subsequent ADD DISKFILE commands. CLEARONPURGE {ON|OFF} specifies whether the data pages for a disk file are physically cleared when the disk file is purged.
SET DISKFILE Command Disk-File Security Commands PERSISTENT ON indicates that the PERSISTENT attribute is set to ON for all disk files in filename-list for subsequent ADD DISKFILE commands. PERSISTENT OFF indicates that the PERSISTENT attribute is set to OFF for all disk files in filename-list for subsequent ADD DISKFILE commands. AUDIT-ACCESS-PASS [audit-spec] establishes an audit-spec for successful attempts to access a disk file.
SET DISKFILE Command Disk-File Security Commands LOCAL Only unsuccessful access attempts made by local users are audited. REMOTE Only unsuccessful access attempts made by remote users are audited. NONE No unsuccessful access attempts are audited. Omitting audit-spec specifies NONE. AUDIT-MANAGE-PASS [audit-spec] establishes an audit-spec for successful attempts to manage a disk-fileauthorization record.
SET DISKFILE Command Disk-File Security Commands ALL All unsuccessful management attempts are audited. LOCAL Only unsuccessful management attempts made by local users are audited. REMOTE Only unsuccessful management attempts made by remote users are audited. NONE No unsuccessful management attempts are audited. Omitting audit-spec specifies NONE. WARNING-MODE { ON | OFF } defines whether warning mode is enabled for the specified disk file. The value is required.
SET DISKFILE Command Disk-File Security Commands Examples 1.
SET DISKFILE-PATTERN Command Disk-File Security Commands owner of COPY full access to the file and remove write and purge access from user 33,6. The INFO DISKFILE command verifies this: =INFO DISKFILE copy, DETAIL $DATA.
SET DISKFILE-PATTERN Command Disk-File Security Commands pattern-attribute defines a pattern attribute value for the diskfile-pattern authorization record or records being added. The pattern attributes are: OWNER [owner-id] ACCESS access-spec [ ; access-spec ] ... AUDIT-ACCESS-PASS [audit-spec] AUDIT-ACCESS-FAIL [audit-spec] AUDIT-MANAGE-PASS [audit-spec] AUDIT-MANAGE-FAIL [audit-spec] WARNING-MODE {ON|OFF} OWNER [owner-id] specifies the new owner of the diskfile pattern. owner-id can be either of: [\*.
SET DISKFILE-PATTERN Command Disk-File Security Commands (minus-sign) operates on existing ACL entries. The minus-sign form of access-spec modifies the current default ACL. The authority entries are removed from the default ACL entries for the users specified with user-list. group-list can take either of these forms: net-group-spec ( net-group-spec [ , net-user-spec ] ... ) net-group-spec can take any of these forms: GROUP [NAME][\node-spec.] group-name GROUP NUMBER [\node-spec.
SET DISKFILE-PATTERN Command Disk-File Security Commands (minus-sign) operates on existing ACL entries. The minus-sign form of access-spec modifies the current default ACL. The authority entries are removed from the default ACL entries for the users specified with user-list. Note. Specifying ACCESS access-spec through the ADD command does not override the current default ACL (established through the SET command).
SHOW DISKFILE Command Disk-File Security Commands AUDIT-ACCESS-FAIL [audit-spec] changes the audit-spec for unsuccessful attempts to access the diskfile pattern. The form of audit-spec is: { ALL | LOCAL | REMOTE | NONE } For a description of audit-spec, see the SET DISKFILE Command on page 8-55. Omitting audit-spec specifies NONE. AUDIT-MANAGE-PASS [audit-spec] changes the audit-spec for successful attempts to manage (change or read) a diskfile-pattern authorization record.
SHOW DISKFILE Command Disk-File Security Commands OUT listfile directs the SHOW DISKFILE report to listfile. After it executes the SHOW command, SAFECOM redirects its output to the current OUT file. For listfile, specify any file name. SAFECOM opens listfile and appends the SHOW DISKFILE report to the file. If listfile does not exist, SAFECOM creates an EDIT-format file and then writes the SHOW DISKFILE report to that file. DISKFILE specifies DISKFILE as the object type of the SHOW command.
SHOW DISKFILE Command Disk-File Security Commands AUDIT-ACCESS-PASS = a-spec AUDIT-ACCESS-FAIL = a-spec AUDIT-MANAGE-PASS = a-spec AUDIT-MANAGE-FAIL = a-spec indicate the conditions under which the Safeguard software audits attempts to access this file or to change or read its authorization record. These four fields are described under the SET DISKFILE Command on page 8-55. LICENSE = { ON|OFF } indicates whether the LICENSE attribute is set on.
SHOW DISKFILE-PATTERN Command Disk-File Security Commands Examples User 33,3 owns the disk file $DATA.MONEY.BUSNS.
Example

1. To show the current default values for the diskfile pattern:

SHOW DISKFILE-PATTERN

Output appears:

TYPE DISKFILE-PATTERN   OWNER 20,33   WARNING-MODE OFF
AUDIT-ACCESS-PASS = NONE   AUDIT-MANAGE-PASS = NONE
AUDIT-ACCESS-FAIL = NONE   AUDIT-MANAGE-FAIL = NONE
\*.*,*   R,W,E,P,C,O

THAW DISKFILE Command

THAW DISKFILE restores the ACL for a frozen disk file.
option-list has the form:

[ ( ] option [ OR option ] [ ) ]

option can be one of:

PROGID
LICENSE
WARNING-MODE
TRUSTME (H-series only)
TRUSTSHARED (H-series only)

Examples

The file $DATA.MONEY.BUSNS is frozen. The file owner can enter THAW DISKFILE to restore the file’s ACL:

=THAW DISKFILE $data.money.busns

THAW DISKFILE-PATTERN Command

THAW DISKFILE-PATTERN restores the ACL for a frozen diskfile pattern.
THAW DISKFILE-PATTERN Command Disk-File Security Commands • • A subvolume name, which may include wildcard characters and valid subvolume characters. A file name, which may include wildcard characters and valid file name characters. WHERE option-list specifies that only disk files in filename-list that have WARNING-MODE set are to be altered.
9 Disk Volume and Subvolume Security Commands

SAFECOM volume and subvolume security commands control who can create and access disk files. The disk volume and subvolume commands also specify when the Safeguard software should audit attempts to create or read volume or subvolume authorization records. By default, only a local super-group user can add a volume authorization record to the Safeguard object database, but any user can add a subvolume authorization record.
Disk Volume and Subvolume Security Commands Subvolume Authorization Record Ownership can always be specified for all volumes protected by the Safeguard software. With an ACL in effect, the OWNER authority is always included whenever the * (asterisk) authority code is used. It can also be abbreviated as O. With the Safeguard software, the owner of a volume can also be defined as a network user.
1. It determines whether an authorization record exists for the volume on which the file is to be created.
2. If a volume authorization record exists, it checks the ACL to determine whether the user has the authority to create or access a file on that volume.
3. If the volume ACL does not grant the user the authority, the user’s request is rejected with a security violation (file error 48).
Disk Volume and Subvolume Security Commands Volume and Subvolume Security Command Summary Table 9-1. Disk Volume and Subvolume Security Command Summary Command Description ADD [SUB]VOLUME Adds a volume or subvolume authorization record with the specified attribute values. The current default volume or subvolume attribute values are used for any attributes not specified in the ADD VOLUME or ADD SUBVOLUME command.
Syntax of Disk Volume and Subvolume Security Commands

The rest of this section contains individual syntax descriptions for the SAFECOM disk volume and subvolume security commands.
Disk Volume and Subvolume Security Commands ADD VOLUME and SUBVOLUME Commands volume-list specifies one or more disk volumes for which authorization records are to be added. volume-list can be either of: $volume ( $volume [ , $volume ] ... ) $volume can be any volume name. The name can contain wild-card characters. subvol-list specifies one or more subvolumes for which authorization records are to be added. subvol-list can be either: subvol-name ( subvol-name [ , subvol-name ...
Disk Volume and Subvolume Security Commands ADD VOLUME and SUBVOLUME Commands ACCESS access-spec [ ; access-spec ] ... changes the ACL for filename-list by adding or deleting ACL entries or by changing the authority list of a current ACL entry. An ACL contains as many as 50 entries that grant or deny access authorities to users and user groups.
Disk Volume and Subvolume Security Commands ADD VOLUME and SUBVOLUME Commands node-spec takes this form: * | node-name | node-number node-name specifies the system name. node-number specifies the Expand node number. adm-group-name specifies the name of the administrative group. adm-group-num specifies the group number of an administrative group. group-name specifies the name of any group. group-num specifies the group number of any group. (minus-sign) operates on existing ACL entries.
authority-list can be any one of:

authority
( authority [ , authority ] ... )
*

authority is the authority to create a disk file on the volume or subvolume being altered. authority can be one of:

C[REATE]
O[WNER]
R[EAD]
W[RITE]
E[XECUTE]
P[URGE]

* (asterisk) specifies all six authorities in any volume or subvolume access-specs.
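The access-spec grammar and the per-object meaning of the * authority code described in these command sections can be checked before an ACCESS clause is submitted. The following is an added example, not part of the manual or of the Safeguard software: a small Python linter that parses user-list access-specs, expands * as stated for each object type, and reports wildcard user specs that end up holding OWNER. The function names are hypothetical, names are assumed to be plain alphanumerics, and group-list (GROUP ...) forms are not handled.

```python
import re
from dataclasses import dataclass

# One-letter codes and full names, from the authority lists in this section.
AUTHORITIES = {"R": "READ", "W": "WRITE", "E": "EXECUTE",
               "P": "PURGE", "C": "CREATE", "O": "OWNER"}
ORDER = "RWEPCO"
# What the "*" authority code expands to, per object type, as this section states.
STAR = {"DISKFILE": "RWEPO",          # all authorities except CREATE
        "DISKFILE-PATTERN": "RWEPCO",
        "VOLUME": "RWEPCO",
        "SUBVOLUME": "RWEPCO"}

# access-spec:  user-list [-] [DENY] authority-list
SPEC = re.compile(r"^(?P<users>.+?)\s*(?P<minus>-)?\s*(?P<deny>\bDENY\b)?\s*"
                  r"(?P<auth>\([^()]*\)|\*|[A-Za-z]+)\s*$", re.IGNORECASE)
# Name forms: group-name.user-name, group-name.*, *.*
# (assumption: names are plain alphanumerics)
NAME_FORM = re.compile(r"^(\*\.\*|[A-Za-z0-9]+\.([A-Za-z0-9]+|\*))$")


@dataclass
class Entry:
    user: str         # normalized net-user-spec, e.g. "86,*" or "\\KONA.TEST.JIMMY"
    authorities: str  # letters from ORDER, in that order
    deny: bool        # DENY keyword present
    remove: bool      # minus-sign form: authorities are taken away


def _authorities(text, object_type):
    if text == "*":
        return STAR[object_type]
    found = set()
    for name in text.strip("()").split(","):
        name = name.strip().upper()
        letter = next((k for k, v in AUTHORITIES.items() if name in (k, v)), None)
        if letter is None:
            raise ValueError(f"unknown authority {name!r}")
        found.add(letter)
    return "".join(c for c in ORDER if c in found)


def _users(text):
    """Split a user-list; numeric specs (group-num , user-num) span two tokens."""
    if text.startswith("(") and text.endswith(")"):
        text = text[1:-1]
    tokens = [t.strip().upper() for t in text.split(",")]
    users, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        # Drop an optional \node-spec. prefix before classifying the rest.
        rest = tok.partition(".")[2] if tok.startswith("\\") else tok
        if "." in rest:
            if not NAME_FORM.match(rest):
                raise ValueError(f"bad net-user-spec {tok!r}")
            users.append(tok)
            i += 1
            continue
        member = tokens[i + 1] if i + 1 < len(tokens) else ""
        numeric = rest.isdigit() and (member.isdigit() or member == "*")
        if not (numeric or rest == member == "*"):
            raise ValueError(f"bad net-user-spec {tok!r}")
        users.append(f"{tok},{member}")
        i += 2
    return users


def parse_access(clause, object_type):
    """Parse 'access-spec [ ; access-spec ] ...' into one Entry per user."""
    if object_type not in STAR:
        raise ValueError(f"unknown object type {object_type!r}")
    entries = []
    for spec in filter(None, (s.strip() for s in clause.split(";"))):
        m = SPEC.match(spec)
        if not m:
            raise ValueError(f"cannot parse access-spec {spec!r}")
        auth = _authorities(m["auth"], object_type)
        for user in _users(m["users"].strip()):
            entries.append(Entry(user, auth, bool(m["deny"]), bool(m["minus"])))
    return entries


def owner_exposure(entries):
    """Wildcard user specs that are granted OWNER, spelled out or via '*'."""
    return [e.user for e in entries
            if e.user.endswith("*") and "O" in e.authorities
            and not e.deny and not e.remove]


if __name__ == "__main__":
    # Constructed input, modelled on the ACCESS clauses shown in this section.
    for e in parse_access(r"PROD.* (R,W); \*.*,* *", "DISKFILE-PATTERN"):
        print(e)
```

An entry reported by owner_exposure matters because, as the DELETE DISKFILE-PATTERN description states, any user with OWNER authority on the ACL can delete the authorization record.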
Disk Volume and Subvolume Security Commands ADD VOLUME and SUBVOLUME Commands For a description of each audit-spec, see the SET VOLUME and SUBVOLUME Commands on page 9-26. Omitting audit-spec specifies NONE. AUDIT-MANAGE-FAIL [audit-spec] changes the audit-spec for unsuccessful attempts to manage a volume or subvolume authorization record. The form of audit-spec is: { ALL | LOCAL | REMOTE | NONE } For a description of each audit-spec, see the SET VOLUME and SUBVOLUME Commands on page 9-26.
Disk Volume and Subvolume Security Commands ALTER VOLUME and SUBVOLUME Commands 2. Modify the attribute values specified in a LIKE clause by specifying the values for the attributes you want to change in the ADD command. For example, this command adds an authorization record for $DATA1 that has the same attribute values as $DATA2 except for the OWNER attribute: =ADD VOLUME $data1, LIKE $data2, OWNER sales.
Disk Volume and Subvolume Security Commands ALTER VOLUME and SUBVOLUME Commands subvol-list specifies one or more subvolumes for which authorization records are to be changed. subvol-list can be either: subvol-name ( subvol-name [ , subvol-name ... ] ) subvol-name can be any subvolume name. The name can contain wild-card characters. LIKE [\system.]$volume LIKE [\system.][$volume.
Disk Volume and Subvolume Security Commands ALTER VOLUME and SUBVOLUME Commands access-spec has the form: user-list [-] [DENY] authority-list group-list [-] [DENY] authority-list user-list specifies users who are granted (or denied) the access authorities specified with the following authority-list. user-list can be either of: net-user-spec ( net-user-spec [ , net-user-spec ] ... ) net-user-spec can be any of these forms: [\node-spec.]adm-group-name.user-name [\node-spec.
Disk Volume and Subvolume Security Commands ALTER VOLUME and SUBVOLUME Commands node-number specifies the Expand node number. adm-group-name specifies the name of the administrative group. adm-group-num specifies the group number of an administrative group. group-name specifies the name of any group. group-num specifies the group number of any group. (minus-sign) operates on existing ACL entries. The minus-sign form of access-spec modifies the current default ACL.
Disk Volume and Subvolume Security Commands ALTER VOLUME and SUBVOLUME Commands E[XECUTE] P[URGE] * (asterisk) specifies all six authorities in any volume or subvolume access-specs. AUDIT-ACCESS-PASS [audit-spec] changes the audit-spec for successful attempts to create or access a disk file on the volume or subvolume. The form of audit-spec is: { ALL | LOCAL | REMOTE | NONE } For a description of each audit-spec, see the SET VOLUME and SUBVOLUME Commands on page 9-26. Omitting audit-spec specifies NONE.
Disk Volume and Subvolume Security Commands DELETE VOLUME and SUBVOLUME Commands WHERE option-list specifies that only volumes or subvolumes in filename-list that have LICENSE, PROGID, or WARNING-MODE set are to be altered. option-list has the form: [ ( ] option [ OR option ] [ ) ] option can be either: PROGID LICENSE WARNING-MODE WARNING-MODE { ON | OFF } defines whether warning mode is enabled for the specified volume or subvolume. The value is required.
volume-list specifies one or more disk volumes for which authorization records are to be deleted. volume-list can be either of: $volume ( $volume [ , $volume ] ... ) $volume can be any volume name. The name can contain wild-card characters. subvol-list specifies one or more subvolumes for which authorization records are to be deleted. subvol-list can be either: subvol-name ( subvol-name [ , subvol-name ...
Now these three subvolumes are no longer subject to Safeguard access control or auditing. However, the Safeguard volume access controls remain in effect for any of the subvolumes that reside on a disk volume protected by the Safeguard software.

FREEZE VOLUME and SUBVOLUME Commands

FREEZE VOLUME temporarily suspends the access authorities granted to users through a volume ACL.
INFO VOLUME and SUBVOLUME Commands Disk Volume and Subvolume Security Commands subvol-name can be any subvolume name. The name can contain wild-card characters. WHERE option-list specifies that only volumes or subvolumes in filename-list that have LICENSE, PROGID, or WARNING-MODE set are to be frozen. option-list has the form: [ ( ] option [ OR option ] [ ) ] option can be either: PROGID LICENSE WARNING-MODE Examples User PRS.HARRY is about to leave on vacation.
For listfile, specify any file name. SAFECOM opens listfile and appends the INFO report to the file. If listfile does not exist, SAFECOM creates an EDIT file and writes the INFO report to that file. volume-list specifies one or more disk volumes for which INFO reports are to be produced. volume-list can be either: $volume ( $volume [ , $volume ] ... ) $volume can be any volume name. The name can contain wild-card characters.
Figure 9-1 contains the following attribute values and status fields: $volume for INFO VOLUME reports, is the name of the disk volume whose existing attribute values are being displayed. $volume.subvol for INFO SUBVOLUME reports, is the name of the subvolume whose existing attribute values are being displayed.
* | node-name | node-number node-name specifies the system name. node-number specifies the Expand node number. group-num , member-num identifies a single local user. group-num,* identifies all the local users in the group that has group-num. *,* identifies all the local users at the node where this volume or subvolume resides. \node-spec.
P PURGE authority for the volume or subvolume
C CREATE authority for the volume or subvolume
O OWNER authority for the volume or subvolume
[ NO ACCESS CONTROL LIST DEFINED! ] indicates this volume or subvolume has no default ACL. Use ALTER...ACCESS to define ACL entries. Only the local super ID can access a volume or subvolume that has no ACL.
RESET VOLUME and SUBVOLUME Commands Disk Volume and Subvolume Security Commands Examples Using the ASSUME SUBVOLUME and the INFO commands, a user displays a report for the subvolume RAGS on the disk volume $SILK:
=ASSUME SUBVOLUME
=INFO $silk.rags
The display shows: LAST-MODIFIED OWNER STATUS WARNING-MODE $SILK.RAGS 15AUG86, 12:22 \*.086,002 086,010 086,255 \*.
AUDIT-MANAGE-PASS NONE (no auditing)
AUDIT-MANAGE-FAIL NONE (no auditing)
WARNING-MODE OFF (warning mode disabled)
For a complete description of each vol-subvol-attribute, see the SET VOLUME and SUBVOLUME Commands on page 9-26.
Consideration
• Specifying an attribute name without a value in an ADD or ALTER command causes the attribute to be assigned the predefined default value (as defined for the RESET command).
The display shows:
TYPE VOLUME
OWNER 86,2
WARNING-MODE OFF
AUDIT-ACCESS-PASS = NONE
AUDIT-ACCESS-FAIL = NONE
AUDIT-MANAGE-PASS = NONE
AUDIT-MANAGE-FAIL = NONE
NO ACCESS CONTROL LIST DEFINED!

SET VOLUME and SUBVOLUME Commands

SET VOLUME establishes default values for one or more volume attributes. SET SUBVOLUME establishes default values for one or more subvolume attributes.
AUDIT-MANAGE-FAIL [audit-spec] WARNING-MODE {ON|OFF} OWNER [owner-id] specifies the owner of a volume or subvolume. owner-id can be either: [\node-spec.]group-name.member-name [\node-spec.]group-num , member-num If you omit owner-id, owner-id is set to your user ID (that is, the user ID of the current user). ACCESS access-spec [ ; access-spec ] ...
net-group-spec ( net-group-spec [ , net-user-spec ] ... ) net-group-spec can be any of: GROUP [NAME][\node-spec.] group-name GROUP NUMBER [\node-spec.] node-spec takes this form: * | node-name | node-number node-name specifies the system name. node-number specifies the Expand node number. adm-group-name specifies the name of the administrative group. adm-group-num specifies the group number of an administrative group.
authority-list specifies the access authorities to be granted (or denied) to the user or users specified with user-list. authority-list can be: authority ( authority [ , authority ] ... ) * authority is the authority to create and access a disk file on a volume or subvolume. authority can be any of: R[EAD] W[RITE] E[XECUTE] P[URGE] C[REATE] O[WNER] * (asterisk) all authorities in any volume or subvolume access-spec.
NONE No successful attempts to create or access a disk file are audited. Omitting audit-spec specifies NONE. AUDIT-ACCESS-FAIL [audit-spec] establishes an audit-spec for unsuccessful attempts to create or access a disk file on a volume or subvolume. This audit-spec specifies the conditions under which an audit record is written to the audit file when an attempt to create or access a disk file fails.
REMOTE Only successful management attempts by remote users are audited. NONE No successful management attempts are audited. Omitting audit-spec specifies NONE. AUDIT-MANAGE-FAIL [audit-spec] establishes an audit-spec for unsuccessful attempts to manage a volume or subvolume authorization record.
Also, the Safeguard software audits successful attempts to manage the subvolume authorization record:
=ASSUME SUBVOLUME
=SET ACCESS 86,* c; 86,8 DENY c
=SET AUDIT-MANAGE-PASS all
=SHOW
The display shows:
TYPE SUBVOLUME
OWNER 86,2
WARNING-MODE OFF
AUDIT-ACCESS-PASS = NONE
AUDIT-ACCESS-FAIL = NONE
AUDIT-MANAGE-PASS = ALL
AUDIT-MANAGE-FAIL = NONE
086,008 DENY C
086,* C

SHOW VOLUME and SUBVOLUME Commands

SHOW VOLUME displays t
Figure 9-3. SHOW VOLUME and SUBVOLUME Report Format
TYPE {vol|svol}
OWNER gn,un
WARNING-MODE {ON|OFF}
AUDIT-ACCESS-PASS = a-spec
AUDIT-ACCESS-FAIL = a-spec
AUDIT-MANAGE-PASS = a-spec
AUDIT-MANAGE-FAIL = a-spec
user-spec [DENY] authority
user-spec [DENY] authority
. . .
Disk Volume and Subvolume Security Commands THAW VOLUME and SUBVOLUME Commands [ NO ACCESS CONTROL LIST DEFINED! ] indicates no default ACL entries are defined. Use SET...ACCESS to define default ACL entries. You can also use ADD...ACCESS to define ACL entries when you create an authorization record. Caution. If you do not specify an ACL for a volume or subvolume, only the local super ID can access the volume or subvolume.
THAW VOLUME and THAW SUBVOLUME have no effect on volumes and subvolumes that are not frozen.
THAW VOLUME volume-list [ [ , ] WHERE option-list ]
THAW SUBVOLUME subvol-list [ [ , ] WHERE option-list ]
volume-list specifies one or more disk volumes to be thawed. volume-list can be either: $volume ( $volume [ , $volume ] ... ) $volume can be any volume name. The name can contain wild-card characters.
This display shows:
LAST-MODIFIED OWNER STATUS WARNING-MODE
$DATA.DEBITS 9NOV86, 11:38 33,13 FROZEN OFF
033,013 C
These commands are entered:
=THAW SUBVOLUME $data.debits
=INFO SUBVOLUME $data.debits
This display shows: LAST-MODIFIED OWNER STATUS WARNING-MODE $DATA.
10 Device and Subdevice Security Commands

With SAFECOM device and subdevice security commands, any user whose ID appears in the access control list (ACL) as owner of a protected device or subdevice can control access to that device or subdevice. By default, only a local super-group user can add a device or subdevice authorization record to the Safeguard object data base.
Device and Subdevice Security Commands Device and Subdevice Access Authorities to do. They are equal, in every way, to the primary owner. For example, they can modify the Safeguard authorization records for any device or subdevice they own, and they can access any device or subdevice for which they own the authorization record when that device or subdevice has been FROZEN.
Device and Subdevice Security Commands Device and Subdevice Security Command Summary \*.4,*, or \*.*,*. Otherwise, the open request is rejected with a security violation error (file error 48). An open request that has passed the Safeguard authorization check can nevertheless fail. For example, if a process attempts to open a device or subdevice already opened by another process that has exclusive access, the second open attempt fails with file error 12 (file in use).
Device and Subdevice Security Commands Syntax of Device and Subdevice Security Commands Table 10-1. Device and Subdevice Security Command Summary (page 2 of 2) Command Description SET [SUB]DEVICE Sets one or more default device or subdevice attribute values to specified values. When a device or subdevice authorization record is added, the current default device or subdevice attribute values are used for any attributes not specified in the ADD DEVICE or ADD SUBDEVICE command.
Device and Subdevice Security Commands ADD DEVICE and SUBDEVICE Commands the device attributes in your ADD DEVICE or ADD SUBDEVICE command. The current default values are used for any attributes not specified in your command. ADD DEVICE device-list [ , ] [ LIKE device-name | device-attribute ] [ , device-attribute ] ... ADD SUBDEVICE subdevice-list [ , ] [ LIKE subdevice-name | device-attribute ] [ , device-attribute ] ...
LIKE subdevice-name adopts the existing device attribute values of subdevice-name as the attribute values to be used for the authorization record or records being added. subdevice-name identifies the subdevice whose current device-attribute values are to be assigned to the subdevice authorization record or records being added. subdevice-name can be any subdevice name.
net-user-spec can be any of: [\node-spec.]adm-group-name.user-name [\node-spec.]adm-group-num , user-num [\node-spec.]adm-group-name.* [\node-spec.]adm-group-num , * [\node-spec.]*.* [\node-spec.]*,* (minus-sign) operates on existing ACL entries. The minus-sign form of access-spec modifies the current default ACL. The authority entries are removed from the default ACL entries for the users specified with user-list.
group-num specifies the group number of any group. (minus-sign) operates on existing ACL entries. The minus-sign form of access-spec modifies the current default ACL. The authority entries are removed from the default ACL entries for the users specified with user-list. Note. Specifying ACCESS access-spec with ADD DEVICE or SUBDEVICE does not override the current default ACL (established through SET DEVICE or SUBDEVICE).
AUDIT-ACCESS-FAIL [audit-spec] changes the audit-spec for unsuccessful attempts to access the device or subdevice. The form of audit-spec is: { ALL | LOCAL | REMOTE | NONE } For a description of the audit-specs, see the SET DEVICE and SUBDEVICE Commands on page 10-25. Omitting audit-spec specifies NONE.
Device and Subdevice Security Commands ALTER DEVICE and SUBDEVICE Commands Example You can use a LIKE device-name clause to define all the attribute values for a device and then change any of those values by specifying one or more attribute values after the LIKE attribute. For example, this command adds an authorization record for $LP2 that has the same device attribute values (and ACL) as $LP1 except for the OWNER attribute: =ADD DEVICE $lp2, LIKE $lp1, OWNER super.
LIKE device-name adopts the existing device attribute values of device-name as the attribute values to be used for the authorization record or records being altered. For the ACCESS attribute, LIKE only adds ACL entries or adds authorities to existing entries. It does not replace or delete ACL entries or authorities.
OWNER [owner-id] specifies the new owner of the devices or subdevices being altered. owner-id can be either: [\node-spec.]group-name.member-name [\node-spec.]group-num , member-num If you omit owner-id, owner-id is set to your user ID. ACCESS access-spec [ ; access-spec ] ... changes the ACL for filename-list by adding or deleting ACL entries or by changing the authority list of a current ACL entry.
net-group-spec can be any of: GROUP [NAME][\node-spec.] group-name GROUP NUMBER [\node-spec.] node-spec takes this form: * | node-name | node-number node-name specifies the system name. node-number specifies the Expand node number. adm-group-name specifies the name of the administrative group. adm-group-num specifies the group number of an administrative group. group-name specifies the name of any group.
( authority [ , authority ] ... ) * authority is any of: R[EAD] W[RITE] O[WNER] * (asterisk) specifies read, write, and owner. AUDIT-ACCESS-PASS [audit-spec] changes the audit-spec for successful attempts to access the device or subdevice. The form of audit-spec is: { ALL | LOCAL | REMOTE | NONE } For a description of the audit-specs, see the SET DEVICE and SUBDEVICE Commands on page 10-25. Omitting audit-spec specifies NONE.
For a description of the audit-specs, see the SET DEVICE and SUBDEVICE Commands on page 10-25. Omitting audit-spec specifies NONE. WHERE WARNING-MODE specifies that only devices or subdevices in filename-list that have WARNING-MODE set are to be deleted. WARNING-MODE { ON | OFF } defines whether warning mode is enabled for the specified device or subdevice. The value is required.
DELETE DEVICE and SUBDEVICE Commands Device and Subdevice Security Commands This report shows:
LAST-MODIFIED OWNER STATUS WARNING-MODE
$LPRINT 18SEP87, 13:48 \*.86,255 THAWED OFF
086,001 R,W
086,002 R,W
086,003 R,W
086,008 R,W
\*.086,255 R,W
255,* R,W
To alter the ACL for the tape device:
=ALTER DEVICE $tape, ACCESS prs.harry - * ; \*.33,13 *
To see the new device status:
=INFO DEVICE $tape
The report shows: LAST-MODIFIED OWNER STATUS WARNING-MODE $LPRINT 22SEP86, 086,001 086,003 086,008 \*.
Device and Subdevice Security Commands FREEZE DEVICE and SUBDEVICE Commands device-list specifies one or more devices for which authorization records are to be deleted. device-list can be either: device-name ( device-name [ , device-name ] ... ) device-name can be any device name. The name can contain wild-card characters. subdevice-list specifies one or more subdevices for which authorization records are to be deleted. subdevice-list can be either: subdevice-name ( subdevice-name [ , subdevice-name ...
Use THAW DEVICE or SUBDEVICE to restore all the access authorities granted to users on the ACL before access was frozen. FREEZE DEVICE device-list [ [ , ] WHERE WARNING-MODE] FREEZE SUBDEVICE subdevice-list [ [ , ] WHERE WARNING-MODE] device-list specifies one or more devices for which access is to be frozen. device-list can be either: device-name ( device-name [ , device-name ] ... ) device-name can be any device name.
Example The owner of the authorization record for the device $TTYP enters this command to suspend access to the device:
=FREEZE DEVICE $ttyp

INFO DEVICE and SUBDEVICE Commands

INFO DEVICE and SUBDEVICE displays the attribute values currently stored in an authorization record. INFO DEVICE and SUBDEVICE produces two types of reports: brief and detailed. The formats for the two report types are illustrated following the syntax.
subdevice-list specifies one or more subdevices for which INFO reports are to be produced. subdevice-list can be either: subdevice-name ( subdevice-name [ , subdevice-name ... ] ) subdevice-name can be any subdevice name. The name can contain wild-card characters. DETAIL adds the audit-specs defined for the device or subdevice to the INFO report.
status is the current status of this device or subdevice. status is either FROZEN or THAWED. WARNING-MODE {ON|OFF} is the current warning-mode state of this device or subdevice. ON indicates that the protection record is in warning mode. The initial value is OFF, which indicates that warning mode is disabled for this device or subdevice. user-spec [DENY] authority-list is an entry in the ACL defined for this device or subdevice.
[ NO ACCESS CONTROL LIST DEFINED! ] appears for a device or subdevice that has no ACL. Use ALTER DEVICE...ACCESS or ALTER SUBDEVICE...ACCESS to define ACL entries for an existing authorization record. Only the local super ID can access a device or subdevice for which no ACL is defined.
RESET DEVICE and SUBDEVICE Commands Device and Subdevice Security Commands Example A sample brief INFO DEVICE report for a line printer follows:
=INFO DEVICE $lprint
LAST-MODIFIED OWNER STATUS WARNING-MODE
$LPRINT 18AUG86, 17:28 \*.86,255 THAWED OFF
086,002 DENY R,W
033,* R,W
086,* R,W
255,* R,W
This report gives this information:
• The owner of this device authorization record is a network user who is the manager for group 86 (with user ID 86,255).
AUDIT-MANAGE-PASS NONE (no auditing)
AUDIT-MANAGE-FAIL NONE (no auditing)
WARNING-MODE OFF (warning mode disabled)
For a complete description of the device-attributes, see the SET DEVICE and SUBDEVICE Commands on page 10-25.
SET DEVICE and SUBDEVICE Commands

SET DEVICE or SUBDEVICE establishes default values for one or more device attributes. When you add an authorization record, the default attribute values are used for any attributes you do not specify in your ADD DEVICE or SUBDEVICE command. To display the current default values for the attribute, use the SHOW DEVICE or SUBDEVICE command.
OWNER [owner-id] specifies the owner of an authorization record for a device or subdevice. owner-id can be either of the following: [\node-spec.]group-name.member-name [\node-spec.]group-num , member-num If you omit owner-id, owner-id is set to your user ID (the user ID of the current user). ACCESS access-spec [ ; access-spec ] ...
net-group-spec ( net-group-spec [ , net-user-spec ] ... ) net-group-spec can be any of: GROUP [NAME][\node-spec.] group-name GROUP NUMBER [\node-spec.] node-spec takes this form: * | node-name | node-number node-name specifies the system name. node-number specifies the Expand node number. adm-group-name specifies the name of the administrative group. adm-group-num specifies the group number of an administrative group.
authority-list specifies the access authorities to be granted (or denied) to user-list. authority-list can be any of: authority ( authority [ , authority ] ... ) * authority can be any of: R[EAD] W[RITE] O[WNER] * (asterisk) specifies read, write, and owner. AUDIT-ACCESS-PASS [audit-spec] establishes an audit-spec for successful attempts to access a device or subdevice.
AUDIT-ACCESS-FAIL [audit-spec] establishes an audit-spec for unsuccessful attempts to access a device or subdevice. This audit-spec specifies the conditions under which an audit record is written to the audit file when an attempt to access a device or subdevice fails. The form of audit-spec is: { ALL | LOCAL | REMOTE | NONE } ALL All unsuccessful attempts to access the device or subdevice are audited.
NONE No successful management attempts are audited. Omitting audit-spec specifies NONE. AUDIT-MANAGE-FAIL [audit-spec] establishes an audit-spec for unsuccessful attempts to manage an authorization record. This audit-spec specifies the conditions under which an audit record is written to the audit file when an attempt to manage an authorization record fails.
SHOW DEVICE and SUBDEVICE Commands Device and Subdevice Security Commands
• The owner of the authorization record for the device is the PRS manager.
• The Safeguard software audits successful access of the device and successful local management of the device’s authorization record.
• All members of groups 33, 86, and 255 can read and write to the device except PRS.HARRY, who is specifically denied access.
• All members of group 86 and 255 have OWNER authority except PRS.
OWNER gn, un is the user ID (group number and member number) of the user who will own this authorization record if a device or subdevice with these attribute values is added to Safeguard protection. WARNING-MODE {ON|OFF} is the current warning-mode state of this device or subdevice. ON indicates that the protection record is in warning mode.
Device and Subdevice Security Commands THAW DEVICE and SUBDEVICE Commands These current default values indicate the following:
• The owner of the authorization record for a device that has these attribute values is the local super-group user with user ID 255,18.
• The Safeguard software audits all successful and unsuccessful attempts to access a device that has these attribute values.
• The user IDs 33,13 and 255,18 as well as the group 33 manager can read and write to a device that has these attribute values.
WHERE WARNING-MODE specifies that only devices or subdevices in filename-list that have WARNING-MODE set are to be thawed.
11 Process and Subprocess Security Commands

With the SAFECOM process and subprocess security commands, any user can assume ownership of a process name by adding an authorization record for that name to the Safeguard object database. After an authorization record is added for a name, all attempts to access a process or subprocess that has the protected name are subject to Safeguard authorization checks and, optionally, to Safeguard access auditing.
Process and Subprocess Access Authorities

The ACL for a process name can grant any combination of these access authorities to users and user groups:
READ Open a process or subprocess with a protected name for input operations.
WRITE Open a process or subprocess with a protected name for output operations.
CREATE Create a process with a protected name.
Process and Subprocess Security Commands Stopping a Process With a Protected Name The Safeguard software distinguishes between local and remote open requests. A remote open request is one made by a process that was created by a network user logged on to a remote system. If a process is remote with respect to the process or subprocess that it is attempting to open, the opener’s PAID must identify a network user who has been granted remote access to the process or subprocess.
Process and Subprocess Security Commands Special NAMED and UNNAMED Process Protection Records another user by changing the OWNER attribute with the ALTER PROCESS or ALTER SUBPROCESS command. Because the primary owner can add owners to an ACL, that individual can specify additional ownership by the OWNER authority code for ACL entries. Such OWNER authority is an independent extension of the primary owner. Additional owners can do anything that the primary owner is permitted to do.
Process and Subprocess Security Commands Process and Subprocess Security Command Summary If you create the NAMED protection record, it is advisable to create other process protection records. For NAMED and UNNAMED records, the only valid access authorities are CREATE, PURGE, and OWNER authorities. READ and WRITE authorities are not valid. If you use these special process protection records, be sure to alter your Safeguard configuration to specify FIRST-RULE for COMBINATION-PROCESS.
Process and Subprocess Security Commands Syntax of the Process and Subprocess Security Commands Table 11-1. Process and Subprocess Security Command Summary (page 2 of 2) Command Description SET [SUB]PROCESS Sets one or more default values for the process attributes to specified values. When a process name authorization record is added, the current default values for the process or subprocess attribute values are used for any attributes not specified in the ADD PROCESS or ADD SUBPROCESS command.
Process and Subprocess Security Commands ADD PROCESS and SUBPROCESS Commands SUBPROCESS to specify the process name to which the default values are to be applied. You can also specify values for attributes in your ADD PROCESS or SUBPROCESS command. The current default values are used for any attributes not specified in the ADD PROCESS or SUBPROCESS command. ADD PROCESS process name-list [ , ] [ LIKE process-name | process-attribute ] [ , process-attribute ] ...
subprocess name-list specifies one or more subprocesses for which authorization records are to be added. subprocess name-list can be either: subprocess-name ( subprocess-name [ , subprocess-name ... ] ) subprocess-name can be any subprocess name. The name cannot contain wild-card characters.
access-spec has the form: user-list [-] [DENY] authority-list group-list [-] [DENY] authority-list user-list specifies users who are granted (or denied) the access authorities specified with the following authority-list. user-list can be either: net-user-spec ( net-user-spec [ , net-user-spec ] ... ) net-user-spec can be any of: [\node-spec.]adm-group-name.user-name [\node-spec.]adm-group-num , user-num [\node-spec.
node-number specifies the Expand node number. adm-group-name specifies the name of the administrative group. adm-group-num specifies the group number of an administrative group. group-name specifies the name of any group. group-num specifies the group number of any group. (minus-sign) operates on existing ACL entries. The minus-sign form of access-spec modifies the current default ACL.
authority is any one of: R[EAD] W[RITE] C[REATE] P[URGE] O[WNER] R and W are not valid for NAMED and UNNAMED processes. C and P are not valid for subprocesses. * (asterisk) specifies all the process authorities (R, W, C, P, and O). AUDIT-ACCESS-PASS [audit-spec] changes the audit-spec for successful attempts to access the process or subprocess name.
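The access-spec syntax is the same for volumes, devices, and processes, but each accepts a different authority set (R, W, E, P, C, O for volumes and subvolumes; R, W, O for devices and subdevices; R, W, C, P, O for processes, without C and P for subprocesses and without R and W for NAMED and UNNAMED records). The following added example, which is not part of the Safeguard manual or software, checks an ACCESS clause against those sets before it is submitted to SAFECOM. The names parse_access, AclEdit, and the object-type keys are hypothetical; only the net-user-spec forms of user-list are handled (not GROUP lists), and the parser follows the syntax as printed in this manual, not SAFECOM's own parser.

```python
"""Pre-flight check of a SAFECOM ACCESS clause (added example, hypothetical names)."""
import re
from dataclasses import dataclass

# Authorities accepted for each object type, as listed in this manual's syntax.
VALID = {
    "volume": set("RWEPCO"), "subvolume": set("RWEPCO"),
    "device": set("RWO"), "subdevice": set("RWO"),
    "process": set("RWCPO"),
    "subprocess": set("RWO"),      # C and P are not valid for subprocesses
    "named-process": set("CPO"),   # NAMED / UNNAMED: R and W are not valid
}
FULL = {"READ": "R", "WRITE": "W", "EXECUTE": "E",
        "PURGE": "P", "CREATE": "C", "OWNER": "O"}

# net-user-spec: [\node-spec.]group.member by name or by number, "*" allowed.
NAME = r"(?:[A-Za-z][A-Za-z0-9]*|\*)"
NUM = r"(?:\d+|\*)"
USER = (r"(?:\\(?:\*|[A-Za-z0-9]+)\.)?"
        r"(?:" + NUM + r"\s*,\s*" + NUM + r"|" + NAME + r"\." + NAME + r")")
AUTHS = r"(?:\*|\(\s*[A-Za-z]+(?:\s*,\s*[A-Za-z]+)*\s*\)|[A-Za-z]+)"

# access-spec: user-list [-] [DENY] authority-list
SPEC = re.compile(
    r"\s*(?P<users>\(\s*" + USER + r"(?:\s*,\s*" + USER + r")*\s*\)|" + USER + r")"
    r"(?![A-Za-z0-9])\s*(?P<minus>-)?\s*(?P<deny>DENY\b)?\s*"
    r"(?P<auth>" + AUTHS + r")\s*",
    re.IGNORECASE)


@dataclass(frozen=True)
class AclEdit:
    users: tuple        # net-user-specs, whitespace removed and upper-cased
    remove: bool        # minus-sign form: authorities are taken away
    deny: bool          # DENY entry
    authorities: tuple  # single letters, or ("*",) for the asterisk form


def _authorities(text, object_type):
    """Return authority letters, rejecting any the object type does not accept."""
    if text.strip() == "*":
        return ("*",)
    letters = []
    for word in re.findall(r"[A-Za-z]+", text):
        letter = FULL.get(word.upper(), word.upper())
        if letter not in VALID[object_type]:
            raise ValueError(f"{word!r} is not a valid {object_type} authority")
        if letter not in letters:
            letters.append(letter)
    return tuple(letters)


def parse_access(clause, object_type):
    """Parse 'access-spec [ ; access-spec ] ...' into a list of AclEdit."""
    if object_type not in VALID:
        raise ValueError(f"unknown object type {object_type!r}")
    edits = []
    for part in clause.split(";"):
        m = SPEC.fullmatch(part)
        if m is None:
            raise ValueError(f"cannot parse access-spec {part.strip()!r}")
        users = tuple(re.sub(r"\s+", "", u).upper()
                      for u in re.findall(USER, m["users"]))
        edits.append(AclEdit(users, m["minus"] is not None,
                             m["deny"] is not None,
                             _authorities(m["auth"], object_type)))
    return edits


if __name__ == "__main__":
    # The two ACCESS clauses that appear in this manual's examples.
    for clause, kind in [("86,* c; 86,8 DENY c", "subvolume"),
                         (r"prs.harry - * ; \*.33,13 *", "device")]:
        for edit in parse_access(clause, kind):
            print(kind, edit)
    # A clause copied from a process record onto a device is rejected.
    try:
        parse_access("86,* (r,w,c)", "device")
    except ValueError as err:
        print("rejected:", err)
```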
Process and Subprocess Security Commands ALTER PROCESS and SUBPROCESS Commands AUDIT-MANAGE-FAIL [audit-spec] changes the audit-spec for unsuccessful attempts to manage (change or read) this authorization record. The form of audit-spec is: { ALL | LOCAL | REMOTE | NONE } For a description of each audit-spec, see the SET PROCESS and SUBPROCESS Commands on page 11-27. Omitting audit-spec specifies NONE.
Using ALTER PROCESS or SUBPROCESS to specify a new ACCESS access-spec adds the new access-spec to the current ACL. To remove existing authorities granted to users, use the minus-sign (-) form of access-spec. ALTER PROCESS process name-list [ , ] { LIKE process-name | process-attribute } [ , process-attribute ] ... ALTER SUBPROCESS subprocess name-list [ , ] { LIKE subprocess-name | process-attribute } [ , process-attribute ] ..
subprocess name-list specifies one or more subprocesses for which authorization records are to be changed. subprocess name-list can be either: subprocess-name ( subprocess-name [ , subprocess-name ... ] ) subprocess-name can be any subprocess name. The name can contain wild-card characters.
An ACL contains as many as 50 entries that grant or deny access authorities to users and user groups. access-spec has the form: user-list [-] [DENY] authority-list group-list [-] [DENY] authority-list user-list specifies users who are granted (or denied) the access authorities specified with the following authority-list. user-list can be either: net-user-spec ( net-user-spec [ , net-user-spec ] ...
node-name specifies the system name. node-number specifies the Expand node number. adm-group-name specifies the name of the administrative group. adm-group-num specifies the group number of an administrative group. group-name specifies the name of any group. group-num specifies the group number of any group. (minus-sign) operates on existing ACL entries. The minus-sign form of access-spec modifies the current default ACL.
P[URGE] O[WNER] R and W are not valid for NAMED and UNNAMED processes. C and P are not valid for subprocesses. * (asterisk) specifies all the process authorities (R, W, C, P, and O). AUDIT-ACCESS-PASS [audit-spec] changes the audit-spec for successful attempts to access the process or subprocess name.
WHERE WARNING-MODE
   specifies that only processes or subprocesses in filename-list that have WARNING-MODE set are to be altered.

WARNING-MODE { ON | OFF }
   defines whether warning mode is enabled for the specified process or subprocess. The value is required. For more information on warning mode, see the Safeguard Administrator's Manual.

   ON
      enables warning mode for the specified process or subprocess.
The report shows:

                LAST-MODIFIED     OWNER    STATUS   WARNING-MODE
$JAM            20AUG86, 13:44    33,13    THAWED   OFF
    033,013       R,W,  P,C
    \*.086,255    R,W,    C
    033,*         R,W,    C
    255,*         R,W,    C

This change allows the group manager for group 86 (who is possibly a network user) to read, write, or create processes with the protected process name.

DELETE PROCESS and SUBPROCESS Commands

DELETE PROCESS or SUBPROCESS deletes an authorization record.
   subprocess-name can be any subprocess name. The name can contain wild-card characters.

WHERE option-list
   specifies that only processes or subprocesses in filename-list that have WARNING-MODE set are to be deleted.
subprocess name-list
   specifies one or more subprocesses to which access is to be frozen. subprocess name-list can be either:

   subprocess-name
   ( subprocess-name [ , subprocess-name ... ] )

   subprocess-name can be any subprocess name. The name can contain wild-card characters.
INFO PROCESS and SUBPROCESS Commands

Any user can produce an INFO report for any process or subprocess name.

INFO [ / OUT listfile / ] PROCESS process name-list
   [ [ , ] DETAIL ]

INFO [ / OUT listfile / ] SUBPROCESS subprocess name-list
   [ [ , ] DETAIL ]

OUT listfile
   directs the INFO PROCESS or SUBPROCESS report to listfile. After executing the INFO command, SAFECOM redirects its output to the current OUT file. For listfile, specify any file name.
INFO PROCESS and SUBPROCESS Brief Report

The brief INFO PROCESS or SUBPROCESS report gives you information about the process name or names you specify. Figure 11-1 shows the format of the brief INFO PROCESS report. The format of the INFO SUBPROCESS report is similar, except that the name of the subprocess replaces the name of the process.

Figure 11-1.
user-spec has the forms:

   group-num , member-num
   group-num,*
   *,*
   \node-spec.group-num , member-num
   \node-spec.group-num,*
   \node-spec.*,*

group-num, member-num
   identifies a single local user.
group-num,*
   identifies all local users in the group that has group-num.
*.*
   identifies all local users on this process name’s node.
\node-spec.
Figure 11-2. INFO PROCESS Detailed Report Format

                LAST-MODIFIED    OWNER       STATUS    WARNING-MODE
$process        date, time       owner-id    status    {ON|OFF}
    user-spec [DENY] auth-list
    user-spec [DENY] auth-list
    . . .
• User ID 33,13 can read and write to processes that have this process name, but user 33,17 is specifically denied authority to create processes that have this name.
• The group manager for group 86 has four access authorities for this process name (READ, WRITE, CREATE, and PURGE), and all other members of group 86 have READ, WRITE, and CREATE authority for this process name.
Considerations

• Specifying an attribute name without a value in an ADD or ALTER command causes the attribute to be assigned the predefined default value (as defined for the RESET command).
• If you enter the RESET PROCESS or SUBPROCESS command (or RESET when the assumed object type is PROCESS or SUBPROCESS) and you do not include any process-attribute-keyword, all the attributes are returned to their predefined values.
SET PROCESS and SUBPROCESS Commands

To display the current default attribute values, use the SHOW PROCESS or SUBPROCESS command.

SET PROCESS process name-list [ , ]
   { LIKE process-name | process-attribute }
   [ , process-attribute ] ...

SET SUBPROCESS subprocess name-list [ , ]
   { LIKE subprocess-name | process-attribute }
   [ , process-attribute ] ...
OWNER [owner-id]
   specifies the owner of a process or subprocess name. owner-id can be either:

   [\node-spec.]group-name.member-name
   [\node-spec.]group-num , member-num

   If you omit owner-id, owner-id is set to the user ID of the current user.

ACCESS access-spec [ ; access-spec ] ...
   changes the ACL for filename-list by adding or deleting ACL entries or by changing the authority list of a current ACL entry.
net-group-spec can be any of:

   GROUP [NAME][\node-spec.] group-name
   GROUP NUMBER [\node-spec.]

node-spec takes this form:

   * | node-name | node-number

node-name
   specifies the system name.
node-number
   specifies the Expand node number.
adm-group-name
   specifies the name of the administrative group.
adm-group-num
   specifies the group number of an administrative group.
group-name
   specifies the name of any group.
   ( authority [ , authority ] ... )
   *

authority can be any of:

   R[EAD]
   W[RITE]
   C[REATE]
   P[URGE]
   O[WNER]

   R and W are not valid for NAMED and UNNAMED processes. C and P are not valid for subprocesses.

*
   specifies all the access authorities (R, W, C, P, and O).

AUDIT-ACCESS-PASS [audit-spec]
   establishes an audit-spec for successful attempts to access a process or subprocess name.
AUDIT-ACCESS-FAIL [audit-spec]
   establishes an audit-spec for unsuccessful attempts to access a process or subprocess name. This audit-spec specifies the conditions under which an audit record is written to the audit file when an attempt to access a process name fails. (A name is accessed when a process or subprocess is created with that name or when a process or subprocess running with that name is opened or stopped.
   NONE
      No successful management attempts are audited.

   Omitting audit-spec specifies NONE.

AUDIT-MANAGE-FAIL [audit-spec]
   establishes an audit-spec for unsuccessful attempts to change or read an authorization record. This audit-spec specifies the conditions under which an audit record is written to the audit file when an attempt to manage an authorization record fails.
=SET ACCESS 86,2 (r,w,p,c) ; 86,1 DENY c; 86,* (r,w,c)
=SET ACCESS 33,255 (r,w,c)
=SET AUDIT-ACCESS-PASS all , AUDIT-ACCESS-FAIL local
=SHOW

This report shows:

TYPE       OWNER    WARNING-MODE
PROCESS    86,2     OFF
   AUDIT-ACCESS-PASS = ALL      AUDIT-MANAGE-PASS = NONE
   AUDIT-ACCESS-FAIL = LOCAL    AUDIT-MANAGE-FAIL = NONE
   033,255          R,W,    C
   086,001    DENY          C
   086,002          R,W,  P,C
   086,*            R,W,    C

These SET PROCESS commands specify:

• The owner of the
SHOW PROCESS and SUBPROCESS Commands

OUT listfile
   directs the SHOW PROCESS or SUBPROCESS report to listfile. After executing the SHOW command, SAFECOM redirects its output to the current OUT file. For listfile, specify any file name. SAFECOM opens listfile and appends the SHOW PROCESS report to the file. If listfile does not exist, SAFECOM creates an EDIT file and writes the SHOW PROCESS report to that file.
user-spec [DENY] auth-list
   is a current default ACL entry for processes. For a full description, see INFO PROCESS and SUBPROCESS Brief Report on page 11-23.

[ NO ACCESS CONTROL LIST DEFINED! ]
   indicates no ACL entries have been defined in the current default attribute values. Use SET PROCESS...ACCESS or SET SUBPROCESS...ACCESS to define default ACL entries. You can use ADD PROCESS...ACCESS or ADD SUBPROCESS...
THAW PROCESS and SUBPROCESS Commands

process name-list
   specifies one or more process names that are to be thawed. process name-list can be either:

   process-name
   ( process-name [ , process-name ] ... )

   process-name can be any process name or one of the special names NAMED and UNNAMED. The name can contain wild-card characters.

subprocess name-list
   specifies one or more subprocess names to be thawed.
12 OBJECTTYPE Security Commands

Safeguard OBJECTTYPE security allows a security administrator to define the user or groups of users who can add new subjects or objects to the Safeguard database. Each kind of subject and object (such as DISKFILE, DEVICE, or USER) can be given a corresponding OBJECTTYPE protection record. For example, the protection record to control adding new DISKFILEs is an entry for OBJECTTYPE DISKFILE.
OBJECTTYPE Access Authorities

Table 12-1. Defaults for Undefined OBJECTTYPE ACLs

Type of Object    Who Can Place an Object Under Safeguard Control
ALIAS             Group manager of underlying user ID. Also must be the owner of underlying user ID or owner’s group manager.
Table 12-2. OBJECTTYPE Security Command Summary

Command             Description
ADD OBJECTTYPE      Adds an OBJECTTYPE authorization record with the specified OBJECTTYPE attribute values. If you do not specify attribute values, the current default is used. By default, only a member of the local super group can add an authorization record for an object type.
ALTER OBJECTTYPE    Changes one or more attribute values in an OBJECTTYPE authorization record.
• Examples of command usage

ADD OBJECTTYPE Command

ADD OBJECTTYPE creates a Safeguard authorization record for a class of objects. After an OBJECTTYPE authorization record is created, every attempt to create an authorization record for an object of that type is subject to Safeguard authorization checks and, optionally, to Safeguard auditing.
objecttype-spec
   identifies the OBJECTTYPE whose current objecttype-attribute values are to be assigned to the OBJECTTYPE authorization record or records being added. objecttype-spec can be any object class or type name.

objecttype-attribute
   defines an OBJECTTYPE attribute value for the OBJECTTYPE authorization record or records being added. The permitted objecttype-attributes are:

   OWNER [owner-id]
   ACCESS access-spec [ ; access-spec ] ...
   [\node-spec.]*.*
   [\node-spec.]*,*

- (minus-sign)
   operates on existing ACL entries. The minus-sign form of access-spec modifies the current default ACL. The authority entries are removed from the default ACL entries for the users specified with user-list.

group-list can be either:

   net-group-spec
   ( net-group-spec [ , net-user-spec ] ... )

net-group-spec can be any of:

   GROUP [NAME][\node-spec.] group-name
   GROUP NUMBER [\node-spec.
- (minus-sign)
   operates on existing ACL entries. The minus-sign form of access-spec modifies the current default ACL. The authority entries are removed from the default ACL entries for the users specified with user-list.

DENY
   denies the user IDs or user groups specified by user-list the access authorities specified by authority-list.

authority-list
   specifies the access authorities to be granted (or denied) to user-list.
   For a description of the audit-specs, see the SET OBJECTTYPE Command on page 12-20. Omitting audit-spec specifies NONE.

AUDIT-MANAGE-PASS [audit-spec]
   changes the audit-spec for successful attempts to manage this authorization record. The form of audit-spec is:

   { ALL | LOCAL | REMOTE | NONE }

   For a description of the audit-specs, see the SET OBJECTTYPE Command on page 12-20. Omitting audit-spec specifies NONE.
ALTER OBJECTTYPE Command

ALTER OBJECTTYPE changes one or more attribute values in an OBJECTTYPE authorization record. The owner, the primary owner’s group manager, and the super ID can change an OBJECTTYPE authorization record. In addition, any user ID that has an ACL entry granting it O[WNER] authority can modify the OBJECTTYPE authorization record.
objecttype-spec
   identifies the class of objects whose existing objecttype-attribute values are to be assigned to the OBJECTTYPE authorization record being changed. objecttype-spec can be any object class name.

objecttype-attribute
   changes the existing value of the specified object-class attribute for the object type being changed. The objecttype-attribute values are:

   OWNER [owner-id]
   ACCESS access-spec [ ; access-spec ] ...
   [\node-spec.]*.*
   [\node-spec.]*,*

- (minus-sign)
   operates on existing ACL entries. The minus-sign form of access-spec modifies the current default ACL. The authority entries are removed from the default ACL entries for the users specified with user-list.

group-list can be either:

   net-group-spec
   ( net-group-spec [ , net-user-spec ] ... )

net-group-spec can be any of:

   GROUP [NAME][\node-spec.] group-name
   GROUP NUMBER [\node-spec.
- (minus-sign)
   operates on existing ACL entries. The minus-sign form of access-spec modifies the current default ACL. The authority entries are removed from the default ACL entries for the users specified with user-list.

DENY
   denies the user IDs or user groups specified by user-list the access authorities specified by authority-list.

authority-list
   specifies the access authorities to be granted (or denied) to user-list.
AUDIT-MANAGE-PASS [audit-spec]
   changes the audit-spec for successful attempts to manage this authorization record. The form of audit-spec is:

   { ALL | LOCAL | REMOTE | NONE }

   For a description of the audit-spec variables, see the SET OBJECTTYPE Command on page 12-20. Omitting audit-spec specifies NONE.

AUDIT-MANAGE-FAIL [audit-spec]
   changes the audit-spec for unsuccessful attempts to manage this authorization record.
objecttype-spec can be any object class name, including OBJECTTYPE:

   DEVICE
   DISKFILE
   DISKFILE-PATTERN
   OBJECTTYPE
   PROCESS
   SUBDEVICE
   SUBPROCESS
   SUBVOLUME
   USER
   VOLUME

Example

As owner of the object class DEVICE, you can enter the command to delete the Safeguard authorization record for OBJECTTYPE DEVICE:

=DELETE OBJECTTYPE device

FREEZE OBJECTTYPE Command

FREEZE OBJECTTYPE temporarily suspends the authorities granted to user IDs listed on an object-clas
   SUBVOLUME
   USER
   VOLUME

Consideration

While a class of objects is frozen, the primary owner, the owner’s group manager, and an owner on the ACL are implicitly granted all the access authorities. The local super ID also retains ownership and has all the authority of any user or group manager unless explicitly denied.
INFO OBJECTTYPE Command

objecttype-spec can be any object-class name, including OBJECTTYPE:

   DEVICE
   DISKFILE
   DISKFILE-PATTERN
   OBJECTTYPE
   PROCESS
   SUBDEVICE
   SUBPROCESS
   SUBVOLUME
   USER
   VOLUME

DETAIL
   adds the audit-specs defined for the object type to the INFO report. For a full description of the four audit-specs, see the SET OBJECTTYPE Command on page 12-20.
OWNER owner-id
   is the user ID of the person who owns this OBJECTTYPE authorization record.

STATUS status
   indicates the current status of this object class. status is either FROZEN or THAWED.

user-spec [DENY] authority-list
   is an entry in the ACL defined for this object class. user-spec identifies a single user or user group.
NO ACCESS CONTROL LIST DEFINED!
   appears for an object class that has no ACL. Use ALTER OBJECTTYPE...ACCESS to define ACL entries for an existing object-class authorization record.

Caution. If you do not specify an ACL for an object class, only the local super ID can add an authorization record for an object of that object class.
The report shows:

            LAST-MODIFIED     OWNER        STATUS
DEVICE      18AUG86, 17:28    \*.86,255    THAWED
    086,002    DENY  C,O
    033,*            C,O
    086,*            C,O
    255,*            C,O

The preceding report shows:

• The owner of this OBJECTTYPE authorization record is a network user who is the manager for group 86 (with user ID 86,255).
• All users who are members of group number 33 or 255 are granted both CREATE and OWNER authority for the object-class device.
Consideration

If you enter RESET OBJECTTYPE but do not include an objecttype-attribute-keyword, all the object-class attributes return to their predefined values.

Example

To display the current attribute values:

=SHOW OBJECTTYPE

A brief report shows:

TYPE          OWNER
OBJECTTYPE    \*.86,255
   AUDIT-ACCESS-PASS = ALL
   AUDIT-ACCESS-FAIL = NONE
   255,255 \*.
SET OBJECTTYPE Command

To display the current default OBJECTTYPE attribute values, use the SHOW OBJECTTYPE command.

SET OBJECTTYPE [ , ]
   { LIKE objecttype-spec | objecttype-attribute }
   [ , objecttype-attribute ] ...

LIKE objecttype-spec
   sets the current default objecttype-attribute values to the existing objecttype-name-spec values. objecttype-spec identifies a class of objects whose existing attribute values are to become the default objecttype-attribute values.
ACCESS access-spec [ ; access-spec ] ...
   changes the ACL for filename-list by adding or deleting ACL entries or by changing the authority list of a current ACL entry. An ACL contains as many as 50 entries that grant or deny access authorities to users and user groups.
node-spec takes this form:

   * | node-name | node-number

node-name
   specifies the system name.
node-number
   specifies the Expand node number.
adm-group-name
   specifies the name of the administrative group.
adm-group-num
   specifies the group number of an administrative group.
group-name
   specifies the name of any group.
group-num
   specifies the group number of any group.
- (minus-sign)
   operates on existing ACL entries.
authority can be either:

   C[REATE]
   O[WNER]

* (asterisk)
   specifies both CREATE and OWNER.

AUDIT-ACCESS-PASS [audit-spec]
   establishes an audit-spec for successful attempts to add an authorization record for a specific object. This audit-spec specifies the conditions under which an audit record is written to the object-audit file.
   LOCAL
      Only unsuccessful attempts made by local users to add an authorization record are audited.
   REMOTE
      Only unsuccessful attempts made by remote users to add an authorization record are audited.
   NONE
      No unsuccessful attempts to add an authorization record are audited.

   Omitting audit-spec specifies NONE.

AUDIT-MANAGE-PASS [audit-spec]
   establishes an audit-spec for successful attempts to manage an OBJECTTYPE authorization record.
   ALL
      All unsuccessful management attempts are audited.
   LOCAL
      Only unsuccessful management attempts made by local users are audited.
   REMOTE
      Only unsuccessful management attempts made by remote users are audited.
   NONE
      No unsuccessful management attempts are audited.

   Omitting audit-spec specifies NONE.

Example

These commands define default values for a new object class:

=SET OBJECTTYPE OWNER prs.
SHOW OBJECTTYPE Command

listfile
   For listfile, specify any file name. SAFECOM opens the listfile and appends the SHOW OBJECTTYPE report to that file. If listfile does not exist, SAFECOM creates it as an EDIT-format file.

SHOW OBJECTTYPE Report Format

Figure 12-3 shows the format of the SHOW OBJECTTYPE report.

Figure 12-3.
[ NO ACCESS CONTROL LIST DEFINED! ]
   indicates no default ACL entries are defined. Use SET OBJECTTYPE...ACCESS to define default ACL entries. You can use ADD OBJECTTYPE...ACCESS to define ACL entries when you create an authorization record.

Caution. If you do not specify an ACL for an object class, only the local super ID can add an authorization record for an object of that object class.
THAW OBJECTTYPE Command

objecttype-list
   specifies the object classes to be thawed. objecttype-list can be either:

   objecttype-spec
   ( objecttype-spec [ , objecttype-spec ] ...
13 Security Group Commands

Safeguard security group commands allow a security administrator to define security groups of users who can execute certain restricted commands. The security group commands are similar to OBJECTTYPE commands.

Note. In prior product versions, the Safeguard security groups were managed by GROUP commands. GROUP commands are now used to manage file-sharing groups, as described in Section 7, Group Commands.
Security Group Access Authorities

   RELEASE
   SELECT
   FREEZE TERMINAL
   THAW TERMINAL

The SECURITY-OSS-ADMINISTRATOR security group designates a list of users that are granted additional OSS security management privileges over normal users for the operations:

   acl(ACL_SET)
   chown(2)
   chmod(2)
   chdir(2)
   opendir(3)

Note.
Table 13-1. Security-Group Command Summary

Command                 Description
ADD SECURITY-GROUP      Adds a security group authorization record with the specified group attribute values. If you do not specify attribute values, the current defaults are used. Only a member of the local super group can add an authorization record for a security group.
ALTER SECURITY-GROUP    Changes one or more attribute values in a security group authorization record.
ADD SECURITY-GROUP Command

ADD SECURITY-GROUP creates an authorization record for one or more security groups. Only a member of the local super group can add an authorization record for a security group. You can specify values for the security group attributes in the ADD SECURITY-GROUP command. The current default values are used for any attributes not specified. These default values are established with the SET command.
   AUDIT-MANAGE-PASS [audit-spec]
   AUDIT-MANAGE-FAIL [audit-spec]

OWNER [owner-id]
   specifies the new owner of this security group authorization record. The owner-id can be either:

   [\node-spec.]group-name.member-name
   [\node-spec.]group-num , member-num

   If you omit owner-id, owner-id is set to your user ID.

ACCESS access-spec [ ; access-spec ] ...
   net-group-spec
   ( net-group-spec [ , net-user-spec ] ... )

net-group-spec can be any of:

   GROUP [NAME][\node-spec.] group-name
   GROUP NUMBER [\node-spec]

node-spec takes this form:

   * | node-name | node-number

node-name
   specifies the system name.
node-number
   specifies the Expand node number.
adm-group-name
   specifies the name of the administrative group.
adm-group-num
   specifies the group number of an administrative group.
authority-list
   specifies the access authorities to be granted (or denied) to user-list. authority-list can be either:

   authority
   ( authority [ , authority ] ... )

   authority is either:

   E[XECUTE]
   O[WNER]

AUDIT-ACCESS-PASS [audit-spec]
   changes the audit-spec for successful attempts to execute a restricted command. You need not specify AUDIT-ACCESS-PASS because the Safeguard software automatically audits all attempts to execute restricted commands.
Considerations

• Additional owners can modify the authorization record. In addition to the owner, the primary owner’s group manager, and the local super ID, any user ID that has an ACL entry granting OWNER authority can also modify the security group authorization record.
• Attributes in an ADD command affect only the record added.
ALTER SECURITY-GROUP Command

ACL. To remove authorities previously granted to user IDs, use the minus-sign (-) form of access-spec.

ALTER SECURITY-GROUP sec-group-list [ , ]
   { LIKE sec-group-spec | sec-group-attribute }
   [ , sec-group-attribute ] ...

sec-group-list
   specifies one or more security groups whose existing sec-group-attribute values are to be changed.
OWNER [owner-id]
   specifies the new owner of the security group authorization record. The owner-id can be either:

   [\node-spec.]group-name.member-name
   [\node-spec.]group-num , member-num

   If you omit owner-id, owner-id is set to your user ID.

ACCESS access-spec [ ; access-spec ] ...
   changes the ACL for filename-list by adding or deleting ACL entries or by changing the authority list of a current ACL entry.
net-group-spec can be any of:

   GROUP [NAME][\node-spec.] group-name
   GROUP NUMBER [\node-spec.]

node-spec takes this form:

   * | node-name | node-number

node-name
   specifies the system name.
node-number
   specifies the Expand node number.
adm-group-name
   specifies the name of the administrative group.
adm-group-num
   specifies the group number of an administrative group.
group-name
   specifies the name of any group.
authority-list
   specifies the access authorities to be granted (or denied) to user-list. authority-list can be either:

   authority
   ( authority [ , authority ] ... )

   authority is either:

   E[XECUTE]
   O[WNER]

AUDIT-ACCESS-PASS [audit-spec]
   changes the audit-spec for successful attempts to execute restricted commands. You need not specify AUDIT-ACCESS-PASS because all attempts to execute restricted commands are audited automatically.
number 12 to execute the commands restricted to the SECURITY-ADMINISTRATOR security group:

=ALTER SECURITY-GROUP sec-admin, OWNER 12,4, ACCESS 12,* e

Ownership of a group authorization record can be transferred to another user by the ALTER command. For example,

=ALTER SECURITY-GROUP SECURITY-OSS-ADMINISTRATOR, &
ACCESS TEST1.USER1 - (E); TEST1.
FREEZE SECURITY-GROUP Command

FREEZE SECURITY-GROUP temporarily suspends the authorities granted to user IDs listed on a security group ACL. While the security group is frozen, only the primary owner, the primary owner’s group manager, an owner on the ACL, and the local super ID can execute the commands restricted to that security group.
INFO SECURITY-GROUP Command

INFO SECURITY-GROUP displays the attribute values currently stored in a security group authorization record and produces two types of reports: brief and detailed. The format of each report is illustrated after the syntax description. Any user can produce an INFO report on any security group.

INFO [ / OUT listfile / ] SECURITY-GROUP [ , ]
   sec-group-list [ [ , ] DETAIL ]

OUT
   directs the INFO SECURITY-GROUP report to listfile.
Figure 13-1. INFO SECURITY-GROUP Brief Report Format

              LAST-MODIFIED    OWNER       STATUS
sec-group     date, time       owner-id    status
    user-spec [DENY] authority-list
    user-spec [DENY] authority-list
    . . .
    [ NO ACCESS CONTROL LIST DEFINED! ]

Figure 13-1 contains these SECURITY-GROUP attribute values and status fields:

sec-group
   is the name of the security group whose existing attribute values are being displayed.
group-num, member-num
   identifies a single local user.
group-num,*
   identifies all the local users in the group that has group-num.
*,*
   identifies all the local users.
\node-spec.group-num, member-num
   identifies both the local user with user ID group-num, member-num and a network user with the same user name and user ID as that local user.
\node-spec.
In addition to the security group attribute values displayed in the brief INFO SECURITY-GROUP report, the detailed INFO SECURITY-GROUP report displays these attribute values:

   AUDIT-ACCESS-PASS = a-spec    AUDIT-MANAGE-PASS = a-spec
   AUDIT-ACCESS-FAIL = a-spec    AUDIT-MANAGE-FAIL = a-spec

These values indicate the conditions under which the Safeguard software audits attempts to execute a restricted command and attempts to manage this authorization record.
To verify the results:

=INFO SECURITY-GROUP SECURITY-OSS-ADMINISTRATOR

                              LAST-MODIFIED    OWNER          STATUS
SECURITY-OSS-ADMINISTRATOR    1FEB05, 13:20    SUPER.SUPER    THAWED

RESET SECURITY-GROUP Command

RESET SECURITY-GROUP returns the default group attribute values to their predefined values.
A brief report shows:

TYPE              OWNER
SECURITY-GROUP    \*.86,255
   AUDIT-ACCESS-PASS = ALL     AUDIT-MANAGE-PASS = REMOTE
   AUDIT-ACCESS-FAIL = NONE    AUDIT-MANAGE-FAIL = ALL
   255,255       E,O
   \*.086,255    E,O
   086,*         E,O

To restore the default group ACL to its predefined value (that is, no ACL):

=RESET SECURITY-GROUP ACCESS

To display the new attribute values:

=SHOW SECURITY-GROUP

A brief report shows:

TYPE SECURITY-GROUP OWNER \*.
SET SECURITY-GROUP Command

sec-group-spec can be either:

   SECURITY-ADMINISTRATOR
   SYSTEM-OPERATOR

sec-group-attribute
   defines a default value for the specified group attribute. The sec-group-attribute values are:

   OWNER [owner-id]
   ACCESS access-spec [ ; access-spec ] ...
   AUDIT-ACCESS-PASS [audit-spec]
   AUDIT-ACCESS-FAIL [audit-spec]
   AUDIT-MANAGE-PASS [audit-spec]
   AUDIT-MANAGE-FAIL [audit-spec]

OWNER [owner-id]
   specifies the owner of a security group. owner-id can be either:

   [\node-spec.
   [\node-spec.]adm-group-num , *
   [\node-spec.]*.*
   [\node-spec.]*,*

- (minus-sign)
   operates on existing ACL entries. The minus-sign form of access-spec modifies the current default ACL. The authority entries are removed from the default ACL entries for the users specified with user-list.

group-list can be either:

   net-group-spec
   ( net-group-spec [ , net-user-spec ] ... )

net-group-spec can be any of:

   GROUP [NAME][\node-spec.
- (minus-sign)
   operates on existing ACL entries. The minus-sign form of access-spec modifies the current default ACL. The authority entries are removed from the default ACL entries for the users specified with user-list.

DENY
   denies the user IDs or user groups specified with user-list the access authorities specified with authority-list.

authority-list
   specifies the access authorities granted (or denied) to user-list.
   The form of audit-spec is:

   { ALL | LOCAL | REMOTE | NONE }

   ALL
      All successful management attempts are audited.
   LOCAL
      Only successful management attempts by local users are audited.
   REMOTE
      Only successful management attempts by remote users are audited.
   NONE
      No successful management attempts are audited.

   Omitting audit-spec specifies NONE.
Example

These commands define default values for a new security group:

=SET SECURITY-GROUP OWNER prs.manager
=SET SECURITY-GROUP AUDIT-ACCESS-PASS all, &
=AUDIT-MANAGE-PASS local
=SET SECURITY-GROUP ACCESS 33,* (e,o); (86,*, 255,*) *
=SET SECURITY-GROUP ACCESS prs.harry DENY *

The default group attribute values defined in this example are:

• The security group owner is the manager of the PRS group.
Figure 13-3. SHOW SECURITY-GROUP Report Format
TYPE SECURITY-GROUP OWNER gn,un
AUDIT-ACCESS-PASS = a-spec   AUDIT-MANAGE-PASS = a-spec
AUDIT-ACCESS-FAIL = a-spec   AUDIT-MANAGE-FAIL = a-spec
user-spec [DENY] authority-list
user-spec [DENY] authority-list
...
THAW SECURITY-GROUP Command Security Group Commands
The report shows:
TYPE SECURITY-GROUP OWNER 255,18
AUDIT-ACCESS-PASS = ALL   AUDIT-MANAGE-PASS = NONE
AUDIT-ACCESS-FAIL = ALL   AUDIT-MANAGE-FAIL = NONE
033,013   E,O
033,255   E,O
255,018   E,O
These current default values indicate that:
• The owner of a security group that has these attribute values is the local supergroup member with user ID 255,18.
Example
To thaw the SYSTEM-OPERATOR ACL:
=THAW SECURITY-GROUP system-operator
The SECURITY-OSS-ADMINISTRATOR security group can be thawed by the primary owner or by any user with OWNER authority on the access control list for the group.
14 Terminal Security Commands The terminal commands allow a security administrator to add and manage terminal definition records. When you add a terminal definition record, the Safeguard software takes control of the logon dialog at that terminal. When you define a terminal, you can also specify a particular command interpreter to be started automatically at the terminal after user authentication. Terminal definitions can be added selectively for some or all of the terminals on your system.
Syntax of Terminal Commands Terminal Security Commands
Table 14-1. Terminal Command Summary (page 2 of 2)
Command            Description
FREEZE TERMINAL    Temporarily disables a terminal from accepting the LOGON command.
INFO TERMINAL      Displays the existing attribute values in a terminal definition record.
THAW TERMINAL      Reenables a frozen terminal so that it accepts the LOGON command.
Syntax of Terminal Commands
The remainder of this section describes each terminal command in detail.
ADD TERMINAL Command Terminal Security Commands
terminal-name specifies the terminal to be controlled by the Safeguard software. terminal-name is a network name with the following form:
[\system.]$device[.#subdevice]
If you omit \system, your current default system name is used. If you omit #subdevice, no subdevice name is assumed.
LIKE terminal-name adopts the existing terminal definition for terminal-name as the definition for the terminal being added in this command.
ADD TERMINAL Command Terminal Security Commands If you omit lib-filename, no library file is used. CPU [cpu-number | ANY] specifies the number of the CPU in which the command interpreter is to run. If you specify ANY, any CPU will be used. If you omit cpu-number, any CPU will be used. PNAME [process-name] specifies the process name to be assigned to the command interpreter started at this terminal after user authentication. process-name must be a local process name.
• When you add a terminal on a remote system (\system.device), you must ensure that the terminal is completely accessible to the super ID. For example, the appropriate remote passwords must be established, and the terminal must not have an ACL that denies access to the super ID.
• If you specify a PNAME, be sure it is unique for each terminal. For this reason, LIKE does not include the PNAME attribute.
ALTER TERMINAL Command
The ALTER TERMINAL command changes one or more terminal attribute values in a terminal definition record. You can specify only one terminal name in an ALTER TERMINAL command, but that name can contain wild-card characters. If you have defined a SECURITY-ADMINISTRATOR security group, only members of that group can use the ALTER TERMINAL command.
DELETE TERMINAL Command Terminal Security Commands
For a complete description of each terminal attribute, see the ADD TERMINAL Command on page 14-2.
Considerations
• If you specify a PNAME attribute, be sure it is unique for each terminal. For this reason, LIKE does not include the PNAME attribute.
Examples
The following command alters the terminal definition for the terminal $TFOX.#T009.
FREEZE TERMINAL Command Terminal Security Commands Examples To delete the terminal definition record for terminal $TCO2.#A14: =DELETE TERMINAL $tc02.#a14 FREEZE TERMINAL Command The FREEZE TERMINAL command freezes a terminal definition record so that the logon dialog at that terminal becomes disabled. Only one terminal name can be specified in a FREEZE TERMINAL command, but that name can contain wild-card characters.
INFO TERMINAL Command Terminal Security Commands Any user can execute the INFO TERMINAL command. INFO [ / OUT listfile / ] TERMINAL [ , ] terminal-spec TERMINAL specifies TERMINAL as the object type of the INFO command. Omit this option if TERMINAL is the assumed object type. (For more information on assumed object types, see the ASSUME Command on page 4-3.) OUT directs the INFO TERMINAL report to listfile. After it executes the INFO command, SAFECOM redirects its output to the current OUT file.
THAW TERMINAL Command Terminal Security Commands PROG = prog-filename is the name of the object file of the command interpreter started at this terminal. LIB lib-filename is the name of the library file used with the command interpreter. CPU { cpu-number | ANY } is the number of the CPU in which the command interpreter runs. PNAME process-name is the process name assigned to the command interpreter that runs at this terminal. SWAP $vol[.subvol.
THAW TERMINAL Command Terminal Security Commands If you have defined SECURITY-ADMINISTRATOR and SYSTEM-OPERATOR security groups, use of THAW TERMINAL is restricted to the members of those security groups. THAW TERMINAL terminal-spec TERMINAL specifies TERMINAL as the object type of the THAW command. Omit this option if TERMINAL is the assumed object type. (For more information on assumed object types, see the ASSUME Command on page 4-3.
15 Event-Exit-Process Commands The event-exit-process commands allow a security administrator to configure and manage the security event exit process. A security event-exit process is a user-written process that is allowed to participate in security policy enforcement. Depending on how the event-exit process is configured, the Safeguard subsystem passes it requests for authorization, authentication, and password changes.
ADD EVENT-EXIT-PROCESS Command Event-Exit-Process Commands
• The command syntax, including descriptions of the command parameters and variables
• The format for any command listing or report
• Considerations for the use of the command
• Examples of command usage
In addition, this section contains this information about the event-exit process:
• The format of interprocess messages exchanged between the Safeguard subsystem and the event-exit process
• Programming considerations for writing an event-exi
ADD EVENT-EXIT-PROCESS Command Event-Exit-Process Commands PRI [ priority ] PARAM-TEXT [ startup-param-text ] ENABLED { ON | OFF } defines whether the security event exit is enabled. ON indicates that the event exit is enabled and that the Safeguard software is to start the event-exit process and send designated security event messages to the process.
ENABLE-AUTHORIZATION-EVENT { ON | OFF } specifies whether authorization events are to be sent to the event-exit process. ON indicates that the events will be sent to the event-exit process when it is enabled. For a complete list of events that are sent when ENABLE-AUTHORIZATION-EVENT is ON, see Design Considerations on page 15-24. The default value is OFF. If you omit this attribute, it is set to the default value.
ADD EVENT-EXIT-PROCESS Command Event-Exit-Process Commands SWAP [$vol[.subvol.filename]] specifies the name of the volume or file to be used as the swap volume or file for the event-exit process. $vol must be a local volume name. You can optionally supply a local subvolume name and file name. If you omit this attribute, the value used for SWAP when starting PROG is the same volume that contains the PROG object file.
ALTER EVENT-EXIT-PROCESS Command Event-Exit-Process Commands • Do not specify $SYSTEM.SYSTEM.NULL as prog-filename. The process must open its $RECEIVE queue in order to complete the enable. Examples 1. The following command adds a configuration record for the event-exit process LOGON1, enables the event-exit process for password and logon events, specifies that the program object file named $DEV.SECURE.
ALTER EVENT-EXIT-PROCESS Command Event-Exit-Process Commands ENABLED { ON | OFF } defines whether the security event exit is enabled. ON indicates that the event exit is enabled and that the Safeguard software is to start the event-exit process and send designated security event messages to the process. If another process with the same name is running when the event-exit process is enabled, Safeguard kills that process before starting the event-exit process.
ENABLE-PASSWORD-EVENT { ON | OFF } specifies whether password change events are sent to the event-exit process for a password-quality check. ON indicates that the events are sent to the event-exit process when it is enabled. If ENABLE-PASSWORD-EVENT is ON and ENABLE-AUTHENTICATION-EVENT is also ON, password changes that occur during a logon dialog are not sent to the password-quality exit.
DELETE EVENT-EXIT-PROCESS Command Event-Exit-Process Commands The default value is no process name, which indicates that the Safeguard software is to generate a process name. A null entry resets the value to the default value. CPU [cpu-number | ANY] specifies the number of the CPU in which the event-exit process is to run. If you specify ANY, any CPU is used. The default value is ANY CPU. A null entry resets the value to the default value.
INFO EVENT-EXIT-PROCESS Command Event-Exit-Process Commands The event exit must be disabled before its configuration record can be deleted. If you have defined a SECURITY-ADMINISTRATOR security group, only members of that group can use the DELETE EVENT-EXIT-PROCESS command. If you have not defined the SECURITY-ADMINISTRATOR security group, any super-group member can use this command. DELETE EVENT-EXIT-PROCESS name name specifies the name of the event-exit process-configuration record to be deleted.
Figure 15-1. Detailed INFO EVENT-EXIT-PROCESS Report
EVENT-EXIT-PROCESS = name
ENABLED = { ON | OFF }
RESPONSE-TIMEOUT = n SECONDS
ENABLE-AUTHENTICATION-EVENT = { ON | OFF }
ENABLE-AUTHORIZATION-EVENT = { ON | OFF }
ENABLE-PASSWORD-EVENT = { ON | OFF }
PROG = [prog-filename]
LIB = [lib-filename]
SWAP = [$vol[.subvol.
Interprocess Communication Messages Event-Exit-Process Commands SWAP [ $vol[.subvol.filename] ] is the name of the volume or file used as the swap volume or swap file for the event-exit process. NAME [ process-name ] is the process name assigned to the event-exit process when it is started. CPU { cpu-number | ANY } is the number of the CPU in which the event-exit process runs. PRI [ priority ] is the priority at which the event-exit process runs.
Interprocess Communication Messages Event-Exit-Process Commands Subject_Data. The event-exit process might return the Message_Response_Data, depending on the type of event. Message_Data sent by the Safeguard software has a different structure for each type of event, as shown in Table 15-4 on page 15-18 through Table 15-6 on page 15-22.
Table 15-2 shows the structure of the header data sent from the Safeguard subsystem to the event-exit process. The header is always present. When the event-exit process responds to an event request, it is expected to alter these fields in the header data:
• Message_Tag
• Error
• Status
• Subject_Data
• Message_Data
Table 15-2. Header_Data (page 1 of 3)
Base   INT[0:-1]   The base from which the offsets to other data areas are calculated.
Table 15-2. Header_Data (page 2 of 3)
SSID   SSID-STRUCT   Subsystem ID of the sender in standard SSID format. This is the Safeguard SSID (ZSFG).
Timestamp   TIMESTAMP (FIXED)   The time the message is sent, in Greenwich mean time (GMT).
OriginSystemNumber   INT(32)   The system number of the system originating the request.
Message_Tag   INT(32)   Indicates continuity of ongoing dialog for challenge/response or password dialog interactions.
Interprocess Communication Messages Event-Exit-Process Commands Table 15-2. Header_Data (page 3 of 3) Error INT A return value that indicates the event exit’s response to the message. The value is always 0 when the message is sent. Valid return values are as follows: 0 = OK (The event exit successfully processed the message and is returning a valid status.) 3501 = Message size exceeded maximum expected message size. 3503 = Event exit process does not support this message data type.
Interprocess Communication Messages Event-Exit-Process Commands Table 15-3. Subject_Data (page 1 of 2) UserName VARSTRING The subject’s user name, in external format. UserID INT(32) The user ID associated with the user name. For authentication requests, this is the user ID of the process calling USER_AUTHENTICATE_ or VERIFYUSER. CAID INT(32) CAID of the subject. For authentication requests, this is the CAID of the process calling USER_AUTHENTICATE_ or VERIFYUSER.
Interprocess Communication Messages Event-Exit-Process Commands Table 15-3. Subject_Data (page 2 of 2) GroupList VARSTRING The list of groups of which this subject is a member. Currently, the subject’s administrative group is the only group in this list. AuthNodeValid BOOLEAN True indicates the field AuthNode contains a valid remote node value. FEA 52 bytes A future expansion area; currently filled with zeros.
Interprocess Communication Messages Event-Exit-Process Commands Table 15-4. Access_Data (Access Control Message_Data) (page 2 of 2) Altervalid INT Used by requests for ChangeOwner (GIVE), PROGID, and LICENSE. These three requests can be present in one physical request. One bit is set for each of the three requests. The value is 0 if none of the three are present.
Interprocess Communication Messages Event-Exit-Process Commands Table 15-5. Logon_Data (Logon Message_Data Interactive/Programmatic) (page 1 of 2) Dialogue_Possible BOOLEAN True indicates that the request came from a process that is calling USER_AUTHENTICATE_ and is capable of engaging in dialog with the event-exit process. False indicates that the requestor cannot understand anything except Yes or No (from VERIFYUSER or from callers of USER_AUTHENTICATE_ that cannot handle a dialog).
Interprocess Communication Messages Event-Exit-Process Commands Table 15-5. Logon_Data (Logon Message_Data Interactive/Programmatic) (page 2 of 2) Logon_Name_Phrase VARSTRING The user name string typed by the user. If the user entered a password, also includes the password phrase, separated from the name by a comma. Maximum length is 256 bytes. This is the string from which the Logon_Name and Logon_UserID are decomposed. The field is present only when the caller is USER_AUTHENTICATE_.
Interprocess Communication Messages Event-Exit-Process Commands Table 15-6. Password_Change_Data (Change Message_Data from PASSWORD Program) Target_User VARSTRING The user name or alias, in external format, of the user whose password is being changed. This can be a user name or an alias. Target_UserID INT(32) The user ID associated with Target_User. IsAlias BOOLEAN True indicates that Target_User is a user alias. Password STRING The clear text password to be evaluated for password quality.
Interprocess Communication Messages Event-Exit-Process Commands Table 15-7. Logon_Response_Data (Interactive/Programmatic Logon) (page 2 of 2) Password VARSTRING The 64-character password string returned from the event exit to be filled in the Safeguard database. Blanks if the password is not returned. This field is filed without checking by Safeguard.
Design Considerations Event-Exit-Process Commands Table 15-10 lists operations and modifiers for access control events. Table 15-10. Authorization Operations and Modifiers CREATE OPEN READ OPEN WRITE OPEN WRITEREAD OPEN EXECUTE OPEN CREATE For Dialect_Zero compatibility with FileSystem READ request, which is mapped to OPEN in Safeguard SMON. OPEN PURGE For Dialect_Zero compatibility with FileSystem READ request, which is mapped to OPEN in Safeguard SMON.
Security Requests Sent to the Event-Exit Process Event-Exit-Process Commands Security Requests Sent to the Event-Exit Process Depending on how the event-exit process is configured, the following specific requests are passed to it by the Safeguard subsystem.
Processing of Authorization Requests Event-Exit-Process Commands Processing of Authorization Requests When ENABLE-AUTHORIZATION-EVENT is ON, authorization requests are routed to the event-exit process. When a subject attempts to access an object, the request flows through the application to the appropriate subsystem software, which calls the privileged library procedure PROTECTION_CHECK_.
Processing of Authorization Requests Event-Exit-Process Commands Table 15-11.
Processing of Authentication Requests Event-Exit-Process Commands If the event-exit process is disabled while a request is pending, the request is allowed to complete, providing it does so within the timeout interval. If a timeout occurs and the request is from a deniable user, a ruling of NORECORD and a status of NOLINK is returned to PROTECTION_CHECK_.
Event-Exit-Process Commands Processing of Authentication Requests authentication request to the event-exit process. $CMON has the option of denying the logon attempt prior to authentication by the event-exit process. Similarly, if Safeguard is configured to do so, it sends a logon message to $CMON after authentication occurs. $CMON again has the option of denying the logon attempt even after the user has been authenticated.
Processing of Password-Quality Requests Event-Exit-Process Commands Logon^Abort Processing A Logon^Abort can occur during the processing of either an interactive or programmatic authentication attempt. The $ZSMP process sends a Logon^Abort message to the event-exit process if either of these events occurs: • • At a Safeguard terminal, the user presses the BREAK key, or an I/O error occurs during the logon dialog.
User Database Synchronization Event-Exit-Process Commands subjected to custom validation. Rules that supplement the Safeguard password controls can be applied to password validation. If password rules are disabled in the Safeguard configuration record, validation by the password-quality exit effectively replaces Safeguard password controls. The password-quality exit is separate from the authentication-exit, and it is not invoked by the Safeguard software during an authentication event.
User Database Synchronization Event-Exit-Process Commands • • • When user records are added or altered in the event-exit database When passwords are changed during authentication dialog with the event-exit process After the event-exit process has been stopped General Procedure Except for reading the Safeguard password field, all of these synchronization efforts can be handled with the following Safeguard SPI commands: ADD USER/ALIAS, ALTER USER/ALIAS, and INFO USER/ALIAS.
Event-Exit-Process Commands Event-Exit Design, Management, and Operation the database by calling the USER_AUTHENTICATE_ procedure in Authenticate Only mode at authentication time. Once a user is authenticated, the event-exit process can either store the entered password or force a password change. Turn off the AUTHENTICATE-FAIL-FREEZE and AUTHENTICATE-FAIL-TIMEOUT Safeguard configuration attributes during this authentication.
If the event-exit process stops abnormally, $ZSMP attempts to restart the process until it is successfully restarted or disabled. An EMS message is sent to the console informing the operator each time a restart is attempted. $ZSMP attempts each restart at an interval designed to avoid a negative impact to the performance of the $ZSMP. Messages are not sent to the event-exit process until the restart is successful.
16 Safeguard Subsystem Commands This section describes the commands that affect the Safeguard subsystem itself. Table 16-1 gives a brief summary of these Safeguard subsystem commands. Table 16-1. Safeguard Subsystem Command Summary Command Description STOP SAFEGUARD Disables Safeguard authorization checks and access auditing for all local protected objects.
Safeguard Subsystem Commands STOP SAFEGUARD Command STOP SAFEGUARD Command STOP SAFEGUARD stops each Security Monitor (SMON) process and the Safeguard Security Manager Process (SMP) pair. The command also stops an event-exit process if one is running. After these processes are stopped, disk files that have Safeguard protection can be accessed only by the primary owner, the owner’s group manager, and the super ID.
Safeguard Subsystem Commands INFO SAFEGUARD Command
° Only the user identified by a named process’s creator accessor ID (CAID), that user’s group manager, and the local super ID can stop a named process.
• Effect of the STOP SAFEGUARD command on user authentication
Following the execution of the STOP SAFEGUARD command, logon attempts are subject only to the standard Guardian security authentication. User IDs that are frozen, expired, or have expired passwords are no longer prevented from logging on.
ALTER SAFEGUARD Command Safeguard Subsystem Commands GENERAL displays the same global configuration attributes as INFO SAFEGUARD with no option specified. DETAIL displays all of the global configuration attributes including those for auditing, the default command interpreter, communication with $CMON, and logon dialog. AUDIT displays only global configuration attributes that relate to auditing. CI displays only global configuration attributes that relate to the default command interpreter.
PASSWORD-REQUIRED { ON | OFF }
PASSWORD-EXPIRY-GRACE [ n [ DAYS ] ]
PASSWORD-ENCRYPT { ON | OFF }
CHECK-DEVICE { ON | OFF }
CHECK-SUBDEVICE { ON | OFF }
DIRECTION-DEVICE { DEVICE-FIRST | SUBDEVICE-FIRST }
COMBINATION-DEVICE { FIRST-RULE | FIRST-ACL | ALL }
ACL-REQUIRED-DEVICE { ON | OFF }
CHECK-PROCESS { ON | OFF }
CHECK-SUBPROCESS { ON | OFF }
DIRECTION-PROCESS { PROCESS-FIRST | SUBPROCESS-FIRST }
COMBINATION-PROCESS { FIRST-RULE | FIRST-ACL
AUDIT-OBJECT-ACCESS-PASS
AUDIT-OBJECT-ACCESS-FAIL
AUDIT-OBJECT-MANAGE-PASS
AUDIT-OBJECT-MANAGE-FAIL
AUDIT-DEVICE-ACCESS-PASS
AUDIT-DEVICE-ACCESS-FAIL
AUDIT-DEVICE-MANAGE-PASS
AUDIT-DEVICE-MANAGE-FAIL
AUDIT-PROCESS-ACCESS-PASS
AUDIT-PROCESS-ACCESS-FAIL
AUDIT-PROCESS-MANAGE-PASS
AUDIT-PROCESS-MANAGE-FAIL
AUDIT-DISKFILE-ACCESS-PASS
AUDIT-DISKFILE-ACCESS-FAIL
AUDIT-DISKFILE-MANAGE-PASS
AUDIT-DISKFILE-MANAGE-FAIL
G06.29 and later G-series RVUs and H06.08 and later H-series RVUs)
PASSWORD-ALGORITHM { DES | HMAC256 } (only for systems running G06.29 and later G-series RVUs and H06.06 and later H-series RVUs)
PASSWORD-MAXIMUM-LENGTH n (only for systems running H06.08 and later H-series RVUs)
PASSWORD-COMPATIBILITY-MODE { ON | OFF } (only for systems running H06.
Safeguard Subsystem Commands ALTER SAFEGUARD Command against that user ID. The initial value is OFF. (User IDs are not automatically frozen.) Caution. If you set AUTHENTICATE-FAIL-FREEZE ON, a user can freeze the user IDs of others by attempting to log on with those other user names or user IDs. PASSWORD-HISTORY n n defines the number of previous passwords to retain in a per-user-ID password database. Any new password must be different from all the previously retained passwords to be acceptable.
Safeguard Subsystem Commands ALTER SAFEGUARD Command PASSWORD-EXPIRY-GRACE can also be specified in individual user authentication records. If the value of this attribute is not specified in a user authentication record, the Safeguard software uses the value specified in the Safeguard configuration record. PASSWORD-ENCRYPT { ON | OFF } defines whether new passwords are stored in an encrypted form. Changing this setting does not affect current passwords. The initial value is OFF. Note.
Safeguard Subsystem Commands ALTER SAFEGUARD Command FIRST-ACL specifies that the Safeguard software is to determine access based on the first ACL it finds. ALL specifies that all consulted ACLs must grant the requested access for the success of the operation. ACL-REQUIRED-DEVICE { ON | OFF } defines whether the absence of an ACL for a device or subdevice causes the denial of access to that device or subdevice. The initial value is OFF. (The absence of ACLs causes operation to revert to Guardian rules.
Safeguard Subsystem Commands ALTER SAFEGUARD Command FIRST-ACL specifies that the Safeguard software is to determine access based on the first ACL it finds. ALL specifies that all consulted ACLs must grant the requested access for the success of the operation. ACL-REQUIRED-PROCESS { ON | OFF } defines whether the absence of an ACL for a process or subprocess causes the denial of access to that process or subprocess. The initial value is OFF. (The absence of ACLs reverts operation to Guardian rules.
Safeguard Subsystem Commands ALTER SAFEGUARD Command COMBINATION-DISKFILE { FIRST-RULE | FIRST-ACL | ALL } defines the method by which overlapping ACLs are resolved for access to volumes, subvolumes, and disk files. COMBINATION-DISKFILE is used in conjunction with DIRECTION-DISKFILE to resolve access conflicts. The initial value is ALL. (For more information about the evaluation of overlapping ACLs, see Appendix B, Disk-File Access Rules.
Safeguard Subsystem Commands ALTER SAFEGUARD Command AUDIT-SUBJECT-MANAGE-PASS [ LOCAL | REMOTE | ALL | NONE ] defines additional auditing for successful attempts to manage user and alias authentication records. This setting supplements the audit settings in user or alias authentication records. The default value is NONE. (Auditing is selected by the individual audit settings.
Safeguard Subsystem Commands ALTER SAFEGUARD Command This attribute can also affect auditing of some HP client subsystems. For more information, see the Safeguard Audit Service Manual. AUDIT-DEVICE-ACCESS-FAIL [ LOCAL | REMOTE | ALL | NONE ] defines additional auditing for unsuccessful device or subdevice accesses. This setting supplements the audit settings in all device and subdevice protection records. The default value is NONE. (Auditing is selected by the individual audit settings.
Safeguard Subsystem Commands ALTER SAFEGUARD Command subprocess protection records. The default value is NONE. (Auditing is selected by the individual audit settings.) AUDIT-PROCESS-MANAGE-FAIL [ LOCAL | REMOTE | ALL | NONE] defines additional auditing for unsuccessful process or subprocess authorization record accesses. This setting supplements the audit settings in all process and subprocess protection records. The default value is NONE. (Auditing is selected by the individual audit settings.
Safeguard Subsystem Commands ALTER SAFEGUARD Command Guardian clients. The initial value is ON. For more information about client subsystem auditing, see the Safeguard Audit Client Service Manual. Note. The AUDIT-CLIENT-GUARDIAN attribute is a synonym for AUDIT-CLIENT-SERVICE attribute. CI-PROG [ prog-filename ] prog-filename defines the command interpreter started after user authentication at a Safeguard terminal if no command interpreter is defined for the user or the terminal.
Safeguard Subsystem Commands ALTER SAFEGUARD Command be the last attribute in the command string. A null entry for this attribute resets the value to the default value. CMON { ON | OFF } defines whether the Safeguard software is to communicate with the $CMON process during the following events: logon, illegal logon attempts, logoff, and newprocess of the command interpreter. The initial value is OFF. (The Safeguard software does not communicate during these events.
Safeguard Subsystem Commands ALTER SAFEGUARD Command SYSTEM-WARNING-MODE { ON | OFF } defines whether warning mode for individual objects is to be enabled. (For more information about warning mode, see the Safeguard Administrator’s Manual.) ON enables warning mode for individual objects. The initial value is OFF. WARNING-FALLBACK-SECURITY { GUARDIAN | GRANT } defines whether Guardian security settings are to be enforced when warning mode is enabled. GUARDIAN specifies that the rules are to be enforced.
Safeguard Subsystem Commands ALTER SAFEGUARD Command ALLOW-NODE-ID-ACL { ON | OFF } defines whether ACL entries containing explicit node identifiers for subjects are consulted to determine remote access. The initial value is OFF, ignoring ACL entries containing explicit node identifiers. CHECK-DISKFILE-PATTERN { OFF | ONLY | FIRST | LAST } defines diskfile-patterns operations. OFF specifies that no pattern searches will occur.
ALTER SAFEGUARD Command Safeguard Subsystem Commands HMAC256 indicates to use the HMAC with SHA-256 algorithm to encrypt passwords, when PASSWORD-ENCRYPT is ON. Encrypted passwords are stored in the L/USERAX files. PASSWORD-MAXIMUM-LENGTH {n} specifies the maximum acceptable length of a password. The initial value is 8 and the maximum value is 64. Note. The attribute, PASSWORD-MAXIMUM-LENGTH, is supported only on systems running H06.08 and later H-series RVUs.
Safeguard Subsystem Commands ALTER SAFEGUARD Command PASSWORD-SPACES-ALLOWED to ON shall result in an error. The error messages displayed are: THIS ATTRIBUTE CANNOT BE MODIFIED UNLESS PASSWORD-ALGORITHM = HMAC256, PASSWORD-ENCRYPT = ON, and PASSWORD-COMPATIBILITY-MODE = OFF; COMMAND NOT EXECUTED. ZSFG^ERR^PSWD^SPACE^NEED^CMOFF 1PASSWORD-MIN-QUALITY-REQUIRED defines the minimum quality criteria that have to be met when a password is set or changed. The initial value is 0.
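Several of the ALTER SAFEGUARD attribute rules described above depend on one another: the PASSWORD-SPACES-ALLOWED preconditions, the PASSWORD-MAXIMUM-LENGTH limit, the AUTHENTICATE-FAIL-FREEZE caution, and the ACL-REQUIRED fallback to Guardian rules. The following Python check is an added example, not part of the Safeguard product or of this manual; the ATTRIBUTE = VALUE input layout, the function names, and the sample values are assumptions constructed for illustration.

```python
"""Check Safeguard global settings against rules stated in this section.

Added example, not HP code. The "ATTRIBUTE = VALUE" input layout and the
sample values are constructed; this is not the INFO SAFEGUARD report format.
"""

# Initial values as stated in the ALTER SAFEGUARD attribute descriptions.
INITIAL = {
    "AUTHENTICATE-FAIL-FREEZE": "OFF",
    "PASSWORD-ENCRYPT": "OFF",
    "PASSWORD-MAXIMUM-LENGTH": "8",
    "ACL-REQUIRED-DEVICE": "OFF",
    "ACL-REQUIRED-PROCESS": "OFF",
}

# Conditions named in the error text for setting PASSWORD-SPACES-ALLOWED ON.
SPACES_PREREQS = {
    "PASSWORD-ALGORITHM": "HMAC256",
    "PASSWORD-ENCRYPT": "ON",
    "PASSWORD-COMPATIBILITY-MODE": "OFF",
}

MAX_PASSWORD_LENGTH = 64  # stated maximum for PASSWORD-MAXIMUM-LENGTH

# Constructed sample inputs (not taken from a real system).
SAMPLE_BEFORE = """
PASSWORD-ENCRYPT = OFF
PASSWORD-ALGORITHM = HMAC256
PASSWORD-COMPATIBILITY-MODE = ON
PASSWORD-SPACES-ALLOWED = ON
PASSWORD-MAXIMUM-LENGTH = 80
AUTHENTICATE-FAIL-FREEZE = ON
ACL-REQUIRED-DEVICE = ON
"""

SAMPLE_AFTER = """
PASSWORD-ENCRYPT = ON
PASSWORD-ALGORITHM = HMAC256
PASSWORD-COMPATIBILITY-MODE = OFF
PASSWORD-SPACES-ALLOWED = ON
PASSWORD-MAXIMUM-LENGTH = 64
AUTHENTICATE-FAIL-FREEZE = OFF
ACL-REQUIRED-DEVICE = ON
ACL-REQUIRED-PROCESS = ON
"""


def parse_config(text):
    """Parse 'ATTRIBUTE = VALUE' lines into a dict (names and values upper-cased)."""
    cfg = {}
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        name, sep, value = line.partition("=")
        if not sep or not name.strip() or not value.strip():
            raise ValueError(f"line {number}: expected ATTRIBUTE = VALUE, got {raw!r}")
        cfg[name.strip().upper()] = value.strip().upper()
    return cfg


def audit(cfg):
    """Return a list of (attribute, severity, message) findings."""
    def eff(name):
        # Use the documented initial value when the attribute is absent;
        # None means this section does not state an initial value.
        return cfg.get(name, INITIAL.get(name))

    findings = []
    if eff("PASSWORD-SPACES-ALLOWED") == "ON":
        unmet = [f"{k} = {v}" for k, v in SPACES_PREREQS.items() if eff(k) != v]
        if unmet:
            findings.append(("PASSWORD-SPACES-ALLOWED", "error",
                             "setting ON is rejected until: " + ", ".join(unmet)))
    if eff("PASSWORD-ENCRYPT") == "OFF":
        findings.append(("PASSWORD-ENCRYPT", "warn",
                         "new passwords are not stored in encrypted form"))
        if eff("PASSWORD-ALGORITHM") == "HMAC256":
            findings.append(("PASSWORD-ALGORITHM", "warn",
                             "HMAC256 is applied only when PASSWORD-ENCRYPT is ON"))
    raw_len = eff("PASSWORD-MAXIMUM-LENGTH")
    if not raw_len.isdigit() or int(raw_len) > MAX_PASSWORD_LENGTH:
        findings.append(("PASSWORD-MAXIMUM-LENGTH", "error",
                         f"value {raw_len} is not a number up to {MAX_PASSWORD_LENGTH}"))
    if eff("AUTHENTICATE-FAIL-FREEZE") == "ON":
        findings.append(("AUTHENTICATE-FAIL-FREEZE", "warn",
                         "failed logons against another user's name can freeze that user ID"))
    for attr in ("ACL-REQUIRED-DEVICE", "ACL-REQUIRED-PROCESS"):
        if eff(attr) == "OFF":
            findings.append((attr, "info",
                             "objects without an ACL fall back to Guardian rules"))
    return findings


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label)
        for attribute, severity, message in audit(parse_config(sample)):
            print(f"  [{severity}] {attribute}: {message}")
```

Changing PASSWORD-ENCRYPT does not affect passwords that are already stored, so a clean result for the second sample says nothing about passwords set before the change.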
17 Running Other Programs From SAFECOM
You can execute the RUN command directly from SAFECOM. This feature allows a security administrator to run programs without having to leave SAFECOM. The SAFECOM RUN command is a modified form of the TACL RUN command. It differs from the TACL RUN command in these ways:
• An implicit RUN command is not supported.
• The RUND command is not supported.
• Several run options are not supported.
Running Other Programs From SAFECOM Consideration
run-option is any of the following run options, which are described in the TACL Reference Manual:
CPU cpu-number
INSPECT { OFF | ON | SAVEABEND }
IN [ file-name ]
LIB [ file-name ]
MEM num-pages
NAME [ $process-name ]
NOWAIT
OUT [ list-file ]
PRI priority
TERM [\system-name.]$terminal-name
param-set is a program parameter or series of parameters sent to the new process in the startup message.
A SAFECOM Error and Warning Messages If SAFECOM encounters a condition that prohibits it from successfully executing a command, SAFECOM displays an error or warning message. The error or warning message gives a brief description of the condition that prohibited SAFECOM from executing the command. This appendix describes the SAFECOM error and warning messages. The messages are listed in alphabetical order.
2. Provide the Safeguard configuration in effect when the error occurred. Also include information on a user who is experiencing the problem. To obtain this information, execute the following SAFECOM commands:
> SAFECOM INFO SAFEGUARD, DETAIL
> SAFECOM INFO USER user-ID, DETAIL
3. If the problem is reproducible, list in detail the steps required to reproduce the problem. If the problem is not reproducible, provide the EMSLOG that was active when the problem occurred.
4.
CPU OR SYSTEM UNAVAILABLE
Cause. The CPU option in a RUN command specified a CPU that is unavailable, or the program was to be run on a system that is unavailable.
Effect. The command is rejected.
Recovery. Specify a different CPU or system, or retry when the CPU or system is available.

DIFFERENT LIBRARY CURRENTLY IN USE
Cause. The LIB option in a RUN command specified a library other than the one the program is currently using.
Effect. The command is rejected.
* ERROR * Audit file does not exist
Cause. An attempt to execute a RELEASE command failed because the audit file does not exist.
Effect. The command is rejected.
Recovery. None.

* ERROR * Audit file in use - unable to release
Cause. An attempt to release an audit file failed because the specified file is the current audit file.
Effect. The command is rejected.
Recovery. None.

* ERROR * Audit file is foreign - unable to release
Cause.
* ERROR * Audit Pool is defined as CURRENT
Cause. An attempt to execute a DELETE AUDIT POOL command failed because the audit pool is the current audit pool.
Effect. The command is rejected.
Recovery. Select a different audit pool to be the current pool and then retry the command.

* ERROR * Audit Pool is defined as NEXT
Cause. An attempt to execute a DELETE AUDIT POOL command failed because the audit pool is the next audit pool.
Effect. The command is rejected.
* ERROR * CANNOT ADD DISKFILE filename: OWNER MUST BE SPECIFIED FOR NON-EXISTENT DISKFILES
Cause. You attempted to add a persistent protection record for a disk file that does not exist without specifying the OWNER attribute.
Effect. The command is not executed.
Recovery. Specify OWNER [owner-id] and retry the command.

* ERROR * CANNOT ADD DISKFILE filename : SUBVOLUME RESERVED FOR OSS
Cause.
* ERROR * CANNOT ADD objtype objname : SECURITY VIOLATION
Cause. You lack the authority required to add an authorization record for the indicated object. (Only the owner of a disk file, the owner’s group manager, or the local super ID can add an authorization record for a disk file. Only a member of the local super group can add an authorization record for a device or disk volume.)
Effect. An authorization record for the object is not added to the object database.
* ERROR * CANNOT OPEN $ZSMP : SECURITY VIOLATION
Cause. You lack the authority required to access the SMP. For example, your command requested an operation on a remote object, and you have not been granted access to the remote object’s system. You can also get this warning if your system manager has created an ACL for the SMP process name, and the ACL does not grant you READ or WRITE access authority to the SMP process.
Effect. The command is not executed.
Recovery.
Recovery. Report the problem to your system manager. Your system manager should ensure that the Safeguard software has been installed properly. If your system manager cannot solve the problem, report the error to your HP representative. (The System Messages Manual describes file-system errors.)

* ERROR * COMMAND FAILED : SECURITY VIOLATION
Cause. The command failed because you lack the authority required to perform the command.
Effect. The command is not executed.
Effect. The process cannot be started when ENABLED is set to ON.
Recovery. Correct the invalid attribute and then retry the command.

* ERROR * File system error num from procedure name, file audit-file
Cause. An attempt to execute an audit service command was rejected because the specified file’s disk volume is down.
Effect. The command is rejected.
Recovery. Bring up the disk volume and retry the command.

* ERROR * Max process entries 1 exceeded.
Cause.
Recovery. Reenter the command with a user alias that does not match an existing user name.

* ERROR * No objects of type obj-type matching obj-name were found.
Cause. A command specified a nonexistent object name.
Effect. The command is rejected.
Recovery. Specify an existing object name and retry the command.

* ERROR * Password in history
Cause.
* ERROR * RECORD FOR objtype objname : ALREADY EXISTS
Cause. An attempt to add an authorization record for the indicated object failed because an authorization record for the object already exists.
Effect. The authorization record for the object is not changed.
Recovery. None.

* ERROR * RECORD FOR objtype objname : FILE ERROR = ###
Cause. The SMP encountered the indicated file-system error while attempting to access the authorization record for the indicated object.
* ERROR * RECORD FOR objtype objname : SECURITY VIOLATION
Cause. You lack the authority required to perform the requested operation on the indicated object. Only the owner of an object, the owner’s group manager, or the local super ID can alter, freeze, thaw, or delete an object’s authorization record.
Effect. The command is not executed for the object.
Recovery. Ask the owner of the object to perform the operation.
* ERROR * Security violation
Cause. The user is not authorized to execute this command.
Effect. The command is rejected.
Recovery. Log on with a user ID that is authorized to execute the command and then retry.

* ERROR * Small Userid file
Cause. There are two possible causes: (1) The command contained some DEFAULTPROTECTION attributes, which cannot fit within the record size defined for older, small-size USERID files.
* ERROR * SUBVOLUME subvol-name: SUBVOLUME RESERVED FOR OSS
Cause. You attempted an operation on a subvolume reserved for OSS.
Effect. The command is not executed.
Recovery. Specify another subvolume and retry the command.

* ERROR * Terminal (LU) in use - FREEZE prior to DELETE
Cause. You attempted to delete a terminal that is not frozen.
Effect. The command is rejected.
Recovery.
Recovery. Specify a different group number and reenter the command.

* ERROR * The requested group name group-name is already defined.
Cause. A case-sensitive search found that the group name already exists.
Effect. The ADD GROUP command is not executed.
Recovery. Specify a different group name and reenter the command.

* ERROR * The requested group name group-name is not defined.
Cause. You specified a group that does not exist.
Effect.
Recovery. Make appropriate corrections to the daylight savings time (DST) table and retry the command.

** ERROR ** UNABLE TO CONVERT TIMESTAMP: DST table not loaded
Cause. The Guardian procedure CONVERTTIMESTAMP failed with an error.
Effect. The command is not executed.
Recovery. Make appropriate corrections to the daylight savings time (DST) table and retry the command.

** ERROR ** UNABLE TO CONVERT TIMESTAMP: ERROR UNKNOWN
Cause.
Recovery. Retry the command when more memory is available.

EXTENDED SEGMENT SWAP FILE ERROR nnn
Cause. The program specified in a RUN command required more disk space than is currently available.
Effect. The command is rejected.
Recovery. Retry the command when more disk space is available.

GROUP-ID OR USER-ID NOT DEFINED; COMMAND NOT EXECUTED.
Cause. A group-number or member-number not defined for this system was used.
Effect. The command is not executed.
Recovery.
ILLEGAL LIBRARY FILE FORMAT FILE NOT FIXED-UP BY BINDER
Cause. The LIB option in a RUN command specifies a library file that is corrupted.
Effect. The command is rejected.
Recovery. Specify a different library or restore the library. Then retry the command.

ILLEGAL LIBRARY FILE FORMAT HEADER INITSEGS NOT CONSISTENT WITH SIZE
Cause. The LIB option in a RUN command specifies a library file that is corrupted.
Effect. The command is rejected.
Recovery.
Effect. The command is rejected.
Recovery. Specify a different library file that is a disk file and retry the command.

ILLEGAL LIBRARY FILE FORMAT NOT CORRECT FILE STRUCTURE
Cause. The LIB option in a RUN command specifies a library file that is corrupted.
Effect. The command is rejected.
Recovery. Specify a different library or restore the library. Then retry the command.

ILLEGAL LIBRARY FILE FORMAT NOT FILE CODE 100
Cause.
Recovery. Specify a different library or restore the library. Then retry the command.

ILLEGAL LIBRARY FILE FORMAT UNRESOLVED REFERENCES FROM DATA BLOCK TO CODE BLOCK
Cause. The LIB option in a RUN command specifies a library file that is corrupted.
Effect. The command is rejected.
Recovery. Specify a different library or restore the library. Then retry the command.

ILLEGAL PROCESS DEVICE SUBTYPE
Cause. The program object file specified in a RUN command is corrupted.
Cause. The program object file specified in a RUN command is corrupted.
Effect. The command is rejected.
Recovery. Specify a different program file or restore the file. Then retry the command.

ILLEGAL PROGRAM FILE FORMAT NO DATA PAGES
Cause. The program object file specified in a RUN command is corrupted.
Effect. The command is rejected.
Recovery. Specify a different program file or restore the file. Then retry the command.
ILLEGAL PROGRAM FILE FORMAT NPERR^BADFILE ERROR SUBCODE nnn
Cause. The program object file specified in a RUN command is corrupted.
Effect. The command is rejected.
Recovery. Specify a different program file or restore the file. Then retry the command.

ILLEGAL PROGRAM FILE FORMAT REQUIRES LATER VERSION OF NONSTOP KERNEL
Cause. The program file specified in a RUN command requires a later product version of the operating system.
Effect. The command is rejected.
Recovery.
INTERNAL SAFECOM SPI ERROR nnn
Cause. SAFECOM encountered an internal error attempting to interpret a command.
Effect. The command is not executed.
Recovery. Exit SAFECOM and then rerun SAFECOM. If the error persists, contact your HP representative.

INTERNAL SCANNER PROCEDURE ERROR; COMMAND NOT EXECUTED.
Cause. SAFECOM encountered an internal error attempting to interpret a command.
Effect. The command is not executed.
Recovery. Exit SAFECOM and then rerun SAFECOM.
Effect. The command is not executed.
Recovery. Correct the name and then retry the command.

LIBRARY FILE ERROR nnn
Cause. A problem exists with the library file specified by the LIB option in a RUN command.
Effect. The command is not executed.
Recovery. Look up the error number in the System Messages Manual and resolve the problem according to instructions given there.

LIBRARY FILE IS LOCKED
Cause.
NO HELP IS AVAILABLE
Cause. No help exists for the specified topic.
Effect. The command is not executed.
Recovery. Reenter the command specifying a topic for which help exists, or type HELP or HELP COMMANDS to see lists of topics for which help is available.

NO PROCESS CONTROL BLOCK AVAILABLE
Cause. The system limit on process control blocks (PCBs) has been reached.
Effect. The command is not executed.
Recovery. Retry the command later.
PARSER CALLED APPLY WITH BAD PRODUCTION RULE.
Cause. SAFECOM encountered an internal error while attempting to interpret the command.
Effect. The command is not executed.
Recovery. Contact your HP representative.

PROCESS NAME ERROR nnn
Cause. The NAME option in a RUN command specified an invalid or duplicate process name.
Effect. The command is not executed.
Recovery.
Cause. The specified prompt string is too long.
Effect. The command is rejected.
Recovery. Shorten the prompt to fewer than 81 characters and then retry the command.

SAFECOM RUNS ONLY IN NONSTOP SYSTEMS; THIS IS A NONSTOP1+ SYSTEM
Cause. Your system is an HP NonStop 1+ system.
Effect. SAFECOM abends.
Recovery. None. SAFECOM runs only on NonStop systems.

SAFEGUARD/NONSTOP KERNEL VERSIONS (Xnn/Zmm) ARE INCOMPATIBLE; COMMAND NOT EXECUTED.
Cause.
Recovery. Look up the error number in the System Messages Manual and resolve the problem according to instructions given there.

SYSTEM SPECIFIED DOES NOT EXIST; COMMAND NOT EXECUTED.
Cause. A remote system named in the REMOTEPASSWORD attribute is not known at your node, or a system specified in a GUARDIAN VOLUME attribute does not exist.
Effect. The command is not executed.
Recovery.
Cause. The command contains a name or keyword whose length exceeds that allowed. Typically, this error occurs when a word is misspelled or when a missing punctuation character causes two words to be concatenated.
Effect. The command is not executed.
Recovery. Correct the spelling of the name or keyword, or supply the missing punctuation, and reenter the command.

THIS NUMBER IS OUT OF RANGE; COMMAND NOT EXECUTED.
Cause.
Effect. The command indicated by the circumflex characters (^^^) is not executed. Any commands following the indicated command are not executed.
Recovery. Enter the sequence of commands on two or more command lines.

TOO MANY ITEMS IN GROUP LIST; COMMAND NOT EXECUTED.
Cause. Too many groups were specified in a command.
Effect. The command is rejected.
Recovery. Reduce the number of groups in the command to 32 or fewer and then retry the command.
Effect. The command is not executed.
Recovery. Diagnose the file-system error included in the message, correct the error, and then retry the command.

UNDEFINED GROUP; COMMAND NOT EXECUTED
Cause. A specified group name does not exist. Possibly an uppercase name was typed in lowercase.
Effect. The command is rejected.
Recovery. Check for spelling or typing errors, correct the group name, and then retry the command.

UNDEFINED SUBJECT; COMMAND NOT EXECUTED
Cause.
be missing or not protected by a Safeguard ACL when ACL-REQUIRED-DISKFILE is in effect.
Effect. The command is not executed.
Recovery. If the USERID file is missing, recover it immediately. If ACL-REQUIRED-DISKFILE is in effect, either turn it off or protect this file with an authorization record that includes an appropriate ACL.

* WARNING * Cannot remove derived group group-name.
Cause. An attempt was made to remove a user from that user’s administrative group.
Effect.
Effect. The command is not successfully executed.
Recovery. Retry the command later.

* WARNING * User would have too many groups.
Cause. An attempt was made to execute a command that would make a user a member of more than 32 groups.
Effect. The command is accepted, but the user is not added to the group’s member list. Other parts of the command are executed.
Recovery. Remove the user from another group and then add the user to the member list of this group.
Effect. The command is not executed.
Recovery. Remove the nonprintable characters or replace them with printable characters. The printable characters are:

• Lowercase letters a through z
• Uppercase letters A through Z
• Digits 0 through 9
• Special characters { } ! @ # $ % ^ & * ( ) - _ + = { } ~ ‘ : ; ? / > . < , .
• Space

Note. The nonprintable characters error message is supported only on systems running G06.27 and later G-series RVUs and H06.
ERROR: PASSWORD-MAXIMUM-LENGTH CANNOT BE MODIFIED UNLESS PASSWORD-ALGORITHM= HMAC256 AND ENCRYPT = ON; COMMAND NOT EXECUTED
Cause. PASSWORD-ALGORITHM is DES and PASSWORD-ENCRYPT is ON, or PASSWORD-ALGORITHM is DES and PASSWORD-ENCRYPT is OFF, when PASSWORD-MAXIMUM-LENGTH is not equal to eight.
Effect. The command is not executed.
Recovery. Ensure that PASSWORD-MAXIMUM-LENGTH is equal to eight, or that PASSWORD-ALGORITHM is HMAC256 and PASSWORD-ENCRYPT is ON.
B Disk-File Access Rules

Table B-1 on page B-2 shows how disk file access rules are evaluated depending on how the Safeguard software applies the access control lists (ACL) in disk file, volume, and subvolume protection records.

FIRST-RULE, FIRST-ACL, and ALL are the settings allowed for the Safeguard configuration attribute COMBINATION-DISKFILE. This attribute defines the manner in which overlapping ACLs are resolved for access to volumes, subvolumes, and disk files.
The settings of CHECK-VOLUME, CHECK-SUBVOLUME, and CHECK-FILENAME have no effect when an attempt is made to create a disk file. Any attempt to create a disk file is subject to access checking at all levels, regardless of the settings of these configuration attributes.
Table B-1.
Table B-2. CHECK-DISKFILE-PATTERN settings

Result from:          CHECK-DISKFILE-PATTERN value
Normal    Pattern     OFF     FIRST    LAST    ONLY
N         Y           N1      Y4       N3      Y6
N         N           N1      N4       N3      N6
N         NR          N1      N2       N3      NR6
NR        Y           NR1     Y4       Y5      Y6
NR        N           NR1     N4       N5      N6
NR        NR          NR1     NR2      NR5     NR6

N   the request is denied (NO)
Y   the request is granted (YES)
NR  no record was found (NORECORD)

CHECK-DISKFILE-PATTERN OFF searches only for normal protection records.