Safeguard User’s Guide

Abstract

This manual describes the Safeguard product, the use of the command interpreter SAFECOM, and the basic security tasks performed by all users. The manual is intended for security administrators, system managers, and general users of HP NonStop™ systems.

Product Version

Safeguard G06, H06

Supported Release Version Updates (RVUs)

This manual supports G06.21 and all subsequent G-series RVUs and H06.
Document History

Part Number   Product Version      Published
422089-004    Safeguard G06        December 2004
422089-005    Safeguard G06        January 2005
422089-006    Safeguard G06, H06   September 2005
422089-008    Safeguard G06, H06   August 2006
422089-009    Safeguard G06, H06   November 2006
What’s New in This Manual

° TEXT-DESCRIPTION attribute on page 6-3 and page 6-6
° OWNER-LIST and TEXT-DESCRIPTION attributes in the ADD USER, ALTER USER, INFO USER, SET USER, and SHOW USER commands on page C-4 and page C-7 under
• Modified the definition of NORMALLAST in Table 9-1 on page 9-7.

Changes to the G06.27 Manual

• In Section 3, Securing Disk Files:
  ° Under Other Disk-File Security Features, added a description of the TRUST attribute.
About This Manual

This user's guide is intended for all Safeguard users. It is intended especially for the general user who needs to use the Safeguard software to secure disk files, subvolumes, and processes. The manual describes the basic features of the Safeguard distributed security management facility and its command interpreter, SAFECOM. This manual does not cover those Safeguard features normally reserved for privileged users.
Notation Conventions

Hypertext Links

Blue underline is used to indicate a hypertext link within text. By clicking a passage of text with a blue underline, you are taken to the location described. For example: This requirement is described under Backup DAM Volumes and Physical Disk Drives on page 3-2.

General Syntax Notation

The following list summarizes the notation conventions for syntax presentation in this manual.

UPPERCASE LETTERS.
each side of the list, or horizontally, enclosed in a pair of brackets and separated by vertical lines. For example:

   FC [ num ]
      [ -num ]
      [ text ]

   K [ X | D ] address

{ } Braces. A group of items enclosed in braces is a list from which you are required to choose one item. The items in the list may be arranged either vertically, with aligned braces on each side of the list, or horizontally, enclosed in a pair of braces and separated by vertical lines.
Line Spacing. If the syntax of a command is too long to fit on a single line, each continuation line is indented three spaces and is separated from the preceding line by a blank line. This spacing distinguishes items in a continuation line from items in a vertical list of selections. For example:

   ALTER [ / OUT file-spec / ] LINE

      [ , attribute-spec ]…

!i and !o.
Nonitalic text. Nonitalic letters, numbers, and punctuation indicate text that is displayed or returned exactly as shown. For example:

   Backup Up.

lowercase italic letters. Lowercase italic letters indicate variable items whose values are displayed or returned. For example:

   p-register
   process-name

[ ] Brackets. Brackets enclose items that are sometimes, but not always, displayed.
Notation for Management Programming Interfaces

The following list summarizes the notation conventions used in the boxed descriptions of programmatic commands, event messages, and error lists in this manual.

UPPERCASE LETTERS. Uppercase letters indicate names from definition files; enter these names exactly as shown. For example:

   ZCOM-TKN-SUBJ-SERV

lowercase letters.
1 Introduction to the Safeguard Subsystem

The Safeguard subsystem extends the security features of the Guardian environment to provide more comprehensive security for your system. The Safeguard subsystem works with the Guardian environment and allows you to apply more extensive and specific security controls. A comparison of Guardian security features and the extended features of the Safeguard software is presented later in this section.
additional control over the authentication process, even though it provides the first line of defense against intrusion into your files and the entire system.

• Authorization—Checking access control lists to determine whether another user has authority to access your disk files, subvolumes, and processes. You can designate the specific access authorities that another user may have to your objects.
Figure 1-1 shows the Safeguard object databases and depicts the process of the Safeguard software checking an object authorization record to authorize use of an object. This figure is representational. For simplicity, it omits certain technical details regarding the object databases.

Figure 1-1.
Auditing

At your request, the Safeguard subsystem can create audit records of attempts to access your objects. When a user attempts to access an object for which auditing is specified, the Safeguard software records the attempt in an audit file. Records in the audit files contain information such as the name of the object, the date and time of the access attempt, and the user ID of the user attempting the access.
and modify an access control list (ACL) for that object. The ACL specifies which individual users and specific user groups can access the object and what access authorities those users have to the object.

Without the Safeguard subsystem installed, the Guardian environment provides basic security controls for users and disk files.
Table 1-1. Comparing Guardian Security and Safeguard Security (page 2 of 2)

Security Feature                                     Guardian Security   Safeguard Security
Audit of attempts to access a file                   -                   Yes
Audit of attempts to manage a Safeguard record       N.A.                Yes
ACL authorities                                      -                   RWEPCO
Audit of attempts to access a volume or subvolume    -                   Yes
Audit of attempts to manage a Safeguard record       N.A.
install the Safeguard software on a single node in your network, on a few nodes, or on every node.

Components of the Safeguard Subsystem

The Safeguard subsystem consists of three major processes and several security database files.
2 Safeguard Logon Dialog

This section explains how to log on and how to change your password on systems where the Safeguard subsystem is running. If the Safeguard subsystem is not running on your system, see the Guardian User’s Guide for logon instructions.

To gain access to your system, use the LOGON command. To do so, you must have a user name and user ID assigned to you. In addition, you should be given a password.
You can also terminate the LOGON command at any time by pressing Ctrl/Y or Break.

Using the LOGON Command

The LOGON command accepts your user name and password in several different formats, as the following examples show.

Logging On With a Blind Password

In the standard Safeguard configuration, passwords are blind. They are not displayed when typed at the password prompt.
Changing Your Password With Blind Passwords

You can change your password as part of the logon sequence. Initially, the logon dialog is the same as a normal logon. However, to indicate that you want to change your password, type a comma at the end of your password. The system prompts you for a new password and then requests reentry of the new password to verify it. The following dialog shows a sequence in which support.
and allowed your password to expire, you can change your password during the grace period. The following example shows how support.jane can change her expired password during the grace period:

   SAFEGUARD 1> LOGON support.jane
   Password: alpha4
   Password expired
   Enter new password: BigTop
   Reenter new password: BigTop
   The password for support.jane has been changed.
Logging On to a Remote System

To access a remote system using the Safeguard logon dialog, you must use the Safeguard LOGON program. To run this program, you must already be logged on to your local system, and the Safeguard software must be running on the remote system. The program initiates the logon prompt from the Safeguard software on the remote system so that you can log on to that system from your local terminal.
3 Securing Disk Files

This section acquaints you with the process of securing disk files with the Safeguard subsystem.
Table 3-1. Disk-File Commands (page 2 of 2)

Command         Action
SET DISKFILE    Establishes default disk-file attributes that you specify. Any subsequent ADD DISKFILE commands use these defaults for attributes not specified in the ADD DISKFILE command.
SHOW DISKFILE   Displays the current default attributes for disk files. Any subsequent ADD DISKFILE commands use these defaults for attributes not specified in the ADD DISKFILE command.
Table 3-2. Disk-File Attributes (page 2 of 2)

Attribute   Function
PROGID      Applicable only to files that contain object code; sets the process access ID (PAID) to the user ID of the file's primary owner.
TRUST       Specifies whether or not the file can be trusted to not access I/O buffers during execution. Applies only to program files. Only the super ID can set this attribute. This attribute is valid only on systems running H-series RVUs.
The following exercise acquaints you with the process of adding a disk file to the Safeguard database. The exercise assumes your user ID is 2,1, that you have a file named report1, and that your default subvolume is $data.sales. The exercise further assumes that you have started an interactive session by typing SAFECOM at the TACL prompt.
The file report1 is protected by the Safeguard software with a simple access control list that consists of only your user ID. To modify or expand the access control list, see Working With Access Control Lists on page 3-6.

Note. If you display the Guardian security string with the FUP INFO command or the TACL FILEINFO command, the value of the RWEP field appears as four asterisks ("****") for any file that has a Safeguard disk-file protection record.
The display shows:

   TYPE DISKFILE   OWNER 2,1   WARNING-MODE OFF

   AUDIT-ACCESS-PASS = NONE   AUDIT-MANAGE-PASS = NONE
   AUDIT-ACCESS-FAIL = NONE   AUDIT-MANAGE-FAIL = NONE

   LICENSE = OFF   PROGID = OFF   CLEARONPURGE = OFF   PERSISTENT = OFF
   TRUST = OFF (H-series RVUs only)

   002,001   R,W,E,P
   002,*     R,  E

The default attributes include an access control list.
Establishing a Default Access Control List

If you are adding several disk files to the Safeguard database during one SAFECOM session, you might want to create a default access control list. Then, if you want to use the same access control list for each file, you do not need to respecify it each time you add a file to the Safeguard database. To establish a default access control list, use the SET DISKFILE command.
Specifying Access With the ADD DISKFILE Command

If you specify access control list entries with the ADD DISKFILE command, those entries plus the default entries make up the access control list for the added file. Assume you want to use the default access control list for a file named quarter1 and you also want to add user 4,12 with only READ access.
For example, you can grant user 9,23 both READ and WRITE authority to quarter1:

   =ALTER DISKFILE quarter1, ACCESS 9,23 (R,W)

After changing the access control list, make sure the modified access control list is correct:

   =INFO DISKFILE quarter1

The display shows:

   $DATA.
User ID 2,6 has been denied WRITE authority.

Note. A denial of authorities for a user takes away only those authorities specifically denied. Any other authorities granted to that user or that user's group are still valid for the user.

A grant of authorities for a specific user is not cumulative even if that user's group also appears on the access control list.
Using One Authorization Record to Define Another

Managing long access control lists can be time consuming. To save time, you can use an existing disk file authorization record to define another when you are adding a new disk file. Use the keyword LIKE. You can use this keyword with the ADD DISKFILE or SET DISKFILE command to specify the attributes and access control list of one file as the base authorization record of another file.
Note. Freezing an access control list has no effect on processes that already have the file open.

To restore a frozen access control list, use the THAW DISKFILE command. Any user who can freeze an access control list can also thaw it.
Similarly, the following command specifies auditing of all unsuccessful attempts (local and remote) to manage the authorization record for the file quarter1:

   =ALT DISK quarter1, AUDIT-MANAGE-FAIL ALL

To display the audit settings for quarter1:

   =INFO DISKFILE quarter1, DETAIL

The DETAIL option shows an expanded version of the INFO display:

   $DATA.
but then you would no longer own the file. Instead, you might want to grant user ID 2,18 OWNER authority in an access control list. To give user ID 2,18 OWNER authority:

   =ALTER DISK quarter1, ACC 2,18 O

The INFO display now shows an O in the entry for user ID 2,18:

   =INFO DISK quarter1, DETAIL

   $DATA.
To verify that the CLEARONPURGE attribute is on:

   =INFO DISKFILE quarter1, DETAIL

   $DATA.
The PERSISTENT attribute is set to ON, and user 2,18 can create this file with the same access control list if it is purged.

Note. If a file with persistent protection is purged, the PROGID and LICENSE attributes are set to OFF.

The PERSISTENT attribute is associated with a file name. Because of this, persistent protection is lost when you rename a file.
To verify the setting:

   =INFO DISK progfile, DET

                      LAST-MODIFIED    OWNER  STATUS  WARNING-MODE
   $DATA.SALES
     PROGFILE         24JUL05, 11:38   5,5    THAWED  OFF
        005,005   R,W,E,P
        004,*     R,E
        005,*     R,W

   AUDIT-ACCESS-PASS = NONE   AUDIT-MANAGE-PASS = NONE
   AUDIT-ACCESS-FAIL = NONE   AUDIT-MANAGE-FAIL = NONE

   LICENSE = OFF   PROGID = ON   CLEARONPURGE = OFF   PERSISTENT = OFF
   TRUST = OFF

You can use the special WHERE PROGID option with most disk file commands to select only PROGID files.
• TRUST SHARED specifies that the program can be trusted not to access buffers private to the process, or shared with another process that also has TRUST SHARED set, before I/O completion.

To set the TRUST attribute of the program file progfile used in the previous example:

   =ALTER DISKFILE progfile, TRUST SHARED

To verify the setting:

   =INFO DISK progfile, DET

   $DATA.
4 Securing Subvolumes

The Safeguard subsystem allows you to secure disk subvolumes in generally the same manner as you secure disk files. The same principles apply when you add, change, or delete authorization records for subvolumes. You use the same basic set of commands—ADD, ALTER, DELETE, FREEZE, INFO, RESET, SET, SHOW, and THAW. For example, to add a subvolume to the Safeguard database, use the ADD SUBVOLUME command. You can also use the same security attributes to specify auditing for subvolumes.
Access Authorities for Subvolumes

By default, anyone can protect a subvolume by adding it to the Safeguard database and specifying the access authorities for the subvolume.
5 Securing Processes and Subprocesses

You secure processes and subprocesses in generally the same manner as disk files and subvolumes. You use the same set of commands: ADD, ALTER, DELETE, FREEZE, INFO, RESET, SET, SHOW, and THAW. Also, except for EXECUTE authority, the same access authorities—READ, WRITE, PURGE, CREATE, and OWNER—apply to individual processes and subprocesses. There is no EXECUTE authority for processes and subprocesses.
Protecting Processes

Process descriptors contain a sequence number. Because this sequence number is not part of SAFECOM syntax, do not include it when protecting process names with the Safeguard subsystem. Upon creation of a process, you have the option of naming the process. You can either name the process yourself or allow the system to generate a name.
6 Obtaining User and Alias Information

As a general user, you can obtain security information about your disk files, subvolumes, and processes, as well as information about your own user authentication record. As discussed in previous sections of this manual, you use the SHOW command to display default security attributes for a session and the INFO command to display current security attributes for an existing file, subvolume, or process.
The user authentication record also contains information that is of primary interest to your security administrator or the owner of your authentication record.

The INFO USER command has several display options. The DETAIL option used in the following example selects all of the attributes. You can use other options to select specific portions of the record. For example, you can use the AUDIT option to select the audit attributes.
   1> SAFECOM INFO USER 8,54, DETAIL

   GROUP.USER STATUS ACCTS.
What the INFO USER Display Tells You

Assuming you are the user in the preceding example, the INFO USER display shows that your user ID has no expiration date, that you must change your password every 30 days, and that your current password will expire on July 23, 2005. You can change your password as often as you want because no value is defined in the PASSWORD-MAY-CHANGE field.
When you are logged on using an alias, the Safeguard software makes access decisions based on your underlying user ID. For example, if you log on as J-Brown, your ability to access protected objects is based on the access authorities of user ID 8,54.

If you have an alias, you can view the alias authentication record with the INFO ALIAS command. The INFO ALIAS command has several display options.
Viewing an Alias Authentication Record

The following example shows how to check the authentication record for the user alias J-Brown.
The INFO ALIAS display for J-Brown shows that the alias expires on September 30, 2005, and that the Safeguard software audits all attempted actions by the alias J-Brown. The display also shows that there are no special requirements for changing the alias password. Safeguard default protection is not defined for this alias. Therefore, the default Guardian security string "NUNU" is applied to disk files that J-Brown creates.
7 Working With SAFECOM

SAFECOM is the Safeguard command interpreter. You can use SAFECOM to enter commands in any of the following modes of operation:

• Interactive mode
• Execute-and-quit mode
• Batch mode

Interactive mode allows you to enter any number of commands and verify the results before proceeding. For the general user, this mode is simple to use yet flexible enough to handle routine Safeguard tasks. Execute-and-quit mode is most useful for entering one or two commands.
allows you to use the HISTORY, ?, !, and FC session-control commands to recall, edit, and execute commands entered earlier in the same session.

SAFECOM Session-Control Commands

After you start an interactive SAFECOM session, you can enter either of two types of commands: session-control commands, which manage your interactive session, and security commands, which specify the security controls for your disk files and subvolumes.
Table 7-1. SAFECOM Session-Control Commands (page 2 of 2)

Command                 Meaning
? (Question mark)       Displays a specified command that you previously entered during the current SAFECOM session.
! (Exclamation point)   Displays and executes a specified command that you previously entered during the current SAFECOM session.
-- (Two hyphens)        Delimits comments in SAFECOM command lines.
& (Ampersand)           Indicates that the command is continued on the next line.
The comments "Interactive, OUT = IN" in the display indicate an interactive session. (The OUT file is the same as the IN file.)

Note. Do not put a semicolon within a comment because it terminates the line and causes the remainder of the comment to be treated as a SAFECOM command.
Redirecting Output for a Single Command

Usually, with SAFECOM operating in interactive mode, output is displayed on the home terminal because the home terminal is the default OUT file. However, SAFECOM can be directed to report to an EDIT file or to list a SAFECOM report on a printer. To do this, include an OUT option to redirect SAFECOM output for a single command.
To display a list of the commands at the SAFECOM prompt:

   =HELP
   HELP is available for the following SAFECOM commands:

   ADD       FC         OBEY      SHOW      !
   ALTER     FREEZE     OUT       STOP
   ASSUME    HELP       RELEASE   SYNTAX
   DELETE    HISTORY    RESET     SYSTEM
   DISPLAY   INFO       RUN       THAW
   ENV       LOG        SELECT    VOLUME
   EXIT      NEXTFILE   SET       ?

   Enter HELP COMMANDS for brief descriptions of all SAFECOM commands.
   Enter HELP GRAMMAR for the complete syntax of all SAFECOM commands.
Displaying and Editing Previous Commands

SAFECOM provides four commands that allow you to display, change, and execute commands that you previously entered during the current session. These commands and their functions are:

HISTORY   Displays a designated number of the most recent commands entered during the current session; also can clear the last command or all commands from the history buffer.
Displaying a Specific Command

The ? command allows you to display a specific command entered earlier in the current session. You can specify the command to be displayed by entering a line number, a relative line number, or a text string, as the following examples show.
Correcting Mistakes Using the FC Command

The FC command allows you to display and edit a command you entered previously in the current session. This feature is handy for correcting typographical errors or for executing several similar commands. FC supports the same search options as the ? and ! commands. You can request a command line by line number, relative line number, or text string.
PROGFILE is changed to FILE03. After the command has been altered to your satisfaction, press the Return key on the editing line to execute the edited command:

   =FC 18
   =ALTER DISKFILE PROGFILE, PROGID ON
   .               dddd
   .ALTER DISKFILE FILE, PROGID ON
   .                   i03
   .ALTER DISKFILE FILE03, PROGID ON
   .
Using SAFECOM in Execute-and-Quit Mode

If you need to enter only a few SAFECOM commands, you can use the execute-and-quit mode from TACL. To run SAFECOM in this mode, type "SAFECOM," followed by one or more security commands. SAFECOM executes the commands and immediately returns control to TACL. If you want to execute another SAFECOM command, you must begin that command by retyping SAFECOM at the TACL prompt.
execute the commands in the EDIT file, run SAFECOM and, using the IN option, name the EDIT file as the input file. For example, suppose this sequence of commands is in an EDIT file called $system.secmgt.saleinfo:

   INFO VOLUME    $data
   INFO SUBVOLUME $data.sales1
   INFO DISKFILE  $data.sales1.*
   INFO SUBVOLUME $data.sales2
   INFO DISKFILE  $data.sales2.*
   INFO SUBVOLUME $data.sales3
   INFO DISKFILE  $data.sales3.
You can embed comments within a command by including double hyphens at the beginning and end of the comment:

   ALTER DISKFILE report1, ACCESS 2,78 -- give ted jones -- READ

When SAFECOM encounters a double hyphen (--), it ignores all following characters until it reaches either the end of the line or the next double hyphen.
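The comment rules above, together with the earlier note that a semicolon ends the line even inside a comment, decide what actually runs from a command file. The following Python review aid is an added example, not code from the manual or from HP: it returns the commands a reviewer should expect SAFECOM to execute and flags text that escapes a comment. It assumes a semicolon also separates commands outside comments and that & is the last non-blank character of a continued line; the sample command file is constructed.

```python
"""Review aid for SAFECOM command files (added example, not HP code)."""
from typing import NamedTuple


class Command(NamedTuple):
    line_no: int        # line of the command file where the command starts
    text: str           # command text with comments removed
    from_comment: bool  # True if part of this text followed ";" inside a comment


def split_line(line):
    """Split one physical line into (text, from_comment) pieces.

    "--" switches comment mode on or off, and comment mode ends at the end
    of the line. A ";" ends the current command even inside a comment, so
    whatever follows it is command text again.
    """
    pieces, buf = [], []
    in_comment = False
    leaked = False      # current piece started after ";" inside a comment
    i = 0
    while i < len(line):
        if line.startswith("--", i):
            in_comment = not in_comment
            i += 2
            continue
        ch = line[i]
        if ch == ";":
            pieces.append(("".join(buf), leaked))
            buf = []
            leaked = in_comment
            in_comment = False
        elif not in_comment:
            buf.append(ch)
        i += 1
    pieces.append(("".join(buf), leaked))
    return pieces


def effective_commands(lines):
    """Return the commands that would run, joining "&" continuation lines."""
    commands = []
    pending = None      # command waiting for its continuation line
    for line_no, line in enumerate(lines, start=1):
        pieces = split_line(line)
        for idx, (raw, from_comment) in enumerate(pieces):
            text = " ".join(raw.split())
            start = line_no
            if pending is not None:
                start = pending.line_no
                text = (pending.text + " " + text).strip()
                from_comment = from_comment or pending.from_comment
                pending = None
            # Assumption: "&" continues a command only at the end of a line.
            if idx == len(pieces) - 1 and text.endswith("&"):
                pending = Command(start, text[:-1].rstrip(), from_comment)
            elif text:
                commands.append(Command(start, text, from_comment))
    if pending is not None and pending.text:
        commands.append(pending)
    return commands


def comment_leaks(lines):
    """Commands that exist only because a ";" appeared inside a comment."""
    return [c for c in effective_commands(lines) if c.from_comment]


# Constructed sample command file; the names reuse the manual's examples.
SAMPLE = [
    "ALTER DISKFILE report1, ACCESS 2,78 -- give ted jones -- READ",
    "-- quarter-end review; DELETE DISKFILE quarter1",
    "ALTER DISKFILE quarter1, ACCESS 9,23 &",
    "   (R,W)  -- analysts",
    "-- nothing to run on this line",
]

if __name__ == "__main__":
    for cmd in effective_commands(SAMPLE):
        flag = "  <-- text after ';' in a comment" if cmd.from_comment else ""
        print(f"line {cmd.line_no}: {cmd.text}{flag}")
```

Run it over a command file before handing the file to SAFECOM with the IN option or OBEY; any flagged line means comment text would be executed as a command.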
session in which a batch operation uses the command file $system.mgr.tight to set up current default values for disk-file attributes:

   =VOLUME $system.mgr
   =OBEY tight
   =ASSUME DISKFILE
   .
   .
   .
Wild-card characters differ from pattern wild-card characters. Pattern wild-card characters are specified when you use the diskfile-pattern objecttype. For more information, see Section 9, Working with Patterns.

Examples

The following examples illustrate the use of wild-card characters in SAFECOM commands. It is assumed that the DISPLAY HEADERS ONCE and DISPLAY WARNINGS OFF options are used as described in Section 8, Changing Display Options.
Similarly, this command displays the attributes of all disk files whose names are five characters long and whose first four characters are ACCT:

   =INFO DISK acct?

   $DATA.SALES ACCT4 LAST-MODIFIED OWNER STATUS 15JUL05, 11:00 2,1 THAWED LAST-MODIFIED OWNER STATUS 22JUL05, 10:34 2,1 THAWED WARNING-MODE OFF NO ACCESS CONTROL LIST DEFINED $DATA.
The same command, using abbreviated reserved words, is as follows:

   =ALT SUBV star, OWN 12,8, AUD-ACC-PAS LOC

The following three pairs of reserved words represent a special case in which you can use the same three-character abbreviation for either reserved word:

Reserved Words            Abbreviation
ALL, ALLOCATE             ALL
NAME, NAMED               NAM
REMOTE, REMOTEPASSWORD    REM

Running Other Programs From SAFECOM

You can run another program without exiting from SAFECOM.
To return to the normal mode of operation, in which SAFECOM executes commands, use the following command:

   =SYNTAX OFF
8 Changing Display Options

SAFECOM provides a DISPLAY command that allows you to customize your SAFECOM prompt and to control various INFO command options during an interactive session.
Table 8-2. Prompt Items for the DISPLAY PROMPT Command

Item                Description
string              Displays a user-supplied text string in the prompt.
ASSUME OBJECTTYPE   Displays the currently assumed object type. If no object type is assumed, nothing additional is displayed.
COMMAND NUMBER      Displays the current command line number.
CPU                 Displays the number of the CPU in which SAFECOM is running.
DATE                Displays the current date.
Controlling INFO Report Warnings

SAFECOM normally displays a warning message if you issue an INFO DISKFILE command for a file that has not been added to the Safeguard database. You can inhibit the display of this message for an entire SAFECOM session by using the DISPLAY WARNINGS command. This feature can be convenient if you are requesting information on all files in a subvolume.
The INFO command WARNINGS option has three forms:

WARNINGS OFF   turns off warning messages for this command.
WARNINGS ON    turns on warning messages for this command.
WARNINGS       turns on warning messages for this command.

For example, even if you turn off warnings for the session, you can use the following INFO command to turn on warnings for the command:

   =INFO DISKFILE $data.sales.*, WARNINGS ON

The display shows:

   $DATA.
The display shows:

   $DATA.SALES REPORT1 LAST-MODIFIED OWNER STATUS 18JUL92, 11:00 2,1 THAWED LAST-MODIFIED OWNER STATUS 18JUL92, 11:02 2,1 THAWED LAST-MODIFIED OWNER STATUS 18JUL92, 11:05 2,1 THAWED WARNING-MODE OFF NO ACCESS CONTROL LIST DEFINED! $DATA.SALES REPORT2 WARNING-MODE OFF NO ACCESS CONTROL LIST DEFINED! $DATA.
DISPLAY DETAIL has three forms:

DISPLAY DETAIL OFF   turns off the DETAIL option for the session.
DISPLAY DETAIL ON    turns on the DETAIL option for the session.
DISPLAY DETAIL       turns on the DETAIL option for the session.

If you use the DISPLAY DETAIL OFF command to turn off the detail option for a session, you can override it for a single INFO command by specifying the DETAIL option in that command.
By default, the INFO report identifies users by their user IDs. To view user names instead of user IDs, execute the following SAFECOM commands:

   =DISPLAY USER AS NAME
   =INFO DISKFILE quarter1

The display shows:

                   LAST-MODIFIED    OWNER       STATUS  WARNING-MODE
$DATA.SALES
  QUARTER1         23JUL92, 15:00   ADMIN.BILL  THAWED  OFF

  ADMIN.BILL       R,W,E,P,C,O
  ADMIN.LYNN       R,W
  ADMIN.*          R

Note.
By default, the INFO command output is displayed in report form. To view this output as SAFECOM commands, rather than as a report:

   =DISPLAY AS COMMANDS ON
   =INFO DISKFILE rpt01, DETAIL

The display shows:
ADD ALTER ALTER ALTER DISKFILE DISKFILE ACCESS DISKFILE ACCESS DISKFILE $DATA.SALES.RPT01 $DATA.SALES.RPT01 002,005 (R,W,E,P, $DATA.SALES.RPT01 ,& 002,* (R $DATA.SALES.
9 Working with Patterns

Background

The NonStop operating system groups files into subvolumes and volumes. Safeguard provides three levels of access control to files using the volume, subvolume, and file name. If all the files in a subvolume can have the same access requirements, then one subvolume protection record will meet the requirements for many files. Similarly one volume protection record would suffice if all the files and subvolumes on a single volume have the same access requirements.
How do Patterns Differ From What was Used Before?

There are now two types of protection records that can secure disk files:
• Diskfile protection records
• Diskfile-pattern protection records

Diskfile protection records represented a one-to-one mapping of a protection record to a disk file, or subvolume, or volume.
Not a legal pattern protection record because it has wildcards in the volume name.

$D0201.*
   Not a legal pattern because there is only a subvolume component, and not a diskfile component. However, when adding this pattern into SAFECOM, the current subvolume will be taken from the environment. The pattern will be translated into a legal pattern: $D0201.subvol.*.

$SYSTEM.SYS00.OSIMAGE
   Not a legal pattern because it contains no wildcards.

SYS??.
Both of these patterns match files 1 and 2. However, only one protection record can be used to protect these files. The more specific pattern is used, which in this case is pattern 2, because the APPL? is more specific than the APPL*.

One-Dimensional Search

A one-dimensional search is a search using the volume only, the subvolume only, or the filename only. A multi-dimensional search is one in which any two or three dimensions are searched.
Safeguard Pattern Configuration

Use the Safeguard configuration attribute CHECK-DISKFILE-PATTERN to enable, disable, and control the search order for pattern and non-pattern protection records.

• OFF
   Specifies no pattern searches will occur. This configuration is equivalent to Safeguard versions prior to G06.25.
required only authentication services. The use of ONLY is not recommended for installations that have a substantial number of non-pattern protection records. In order to avoid operational issues for installations that do have non-pattern protection records, HP recommends you back up the SAFE.
Table 9-1.
• To disable diskfile pattern searches (that is, perform only non-pattern checking):

   ALTER SAFEGUARD, CHECK-DISKFILE-PATTERN OFF

• To set diskfile pattern searches to be the only search (that is, to disable non-pattern checking for diskfile protection records):

   ALTER SAFEGUARD, CHECK-DISKFILE-PATTERN ONLY

SAFECOM Diskfile-Pattern Commands

The ALTER, DELETE, FREEZE, INFO, and THAW commands search for existing protection records.
Table 9-2. Diskfile-Pattern Commands (page 2 of 2)

Command                   Action
INFO DISKFILE-PATTERN     Displays the security attributes of the diskfile-pattern authorization record.
RESET DISKFILE-PATTERN    Resets one or more default diskfile-pattern attributes to values predefined by the Safeguard software. Any subsequent ADD DISKFILE-PATTERN commands use these predefined defaults for attributes not specified in the ADD DISKFILE-PATTERN command.
DELETE DISKFILE-PATTERN

DELETE DISKFILE-PATTERN Examples

• To delete the diskfile pattern $ABC.*.*:

   DELETE DISKFILE-PATTERN $ABC.*.*

• To delete all diskfile patterns that match the search pattern $ABC.*.*:

   DELETE DISKFILE-PATTERN $ABC.*.*, ALL

• To delete all diskfile patterns that match the search pattern $AB*.D*.*F:

   DELETE DISKFILE-PATTERN $AB*.D*.
If you added this pattern, ADD DISKFILE-PATTERN $*.*.*, to the above patterns, a one-dimensional search will add the pattern “*.*” to every volume that matches “$*”. If you had volumes $DATA1, $DATA2, and $DATA3, the following patterns would be added:

5. $DATA1.*.*
6. $DATA2.*.*
7. $DATA3.*.*

If you now did INFO DISKFILE-PATTERN $*.*.*, which patterns would be returned? Answering patterns 1, 2, 3, 4, 5, 6, and 7 is wrong. The answer is 5, 6, and 7.
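The legality rules and the $*.*.* question above can be traced with a small model. This is an added sketch, not Safeguard code: the function names, the stored patterns 1 to 4 and the default subvolume are constructed, and it assumes that without ALL only the volume is searched while the subvolume and file parts are compared literally.

```python
from fnmatch import fnmatchcase

def has_wild(part):
    return "*" in part or "?" in part

def split_name(pattern, current_subvol):
    """Split into [volume, subvolume, file]; a two-part name gets the current subvolume."""
    parts = pattern.upper().split(".")
    if len(parts) == 2:                      # $D0201.* -> $D0201.<current subvol>.*
        parts.insert(1, current_subvol.upper())
    if len(parts) != 3 or not parts[0].startswith("$"):
        raise ValueError(f"{pattern}: expected $volume.subvolume.file")
    return parts

def is_legal_record(name):
    """Stored pattern record: literal volume, wildcard in subvolume or file name."""
    vol, subvol, fname = name.split(".")
    return not has_wild(vol) and (has_wild(subvol) or has_wild(fname))

def add_pattern(pattern, volumes, store, current_subvol="SUBVOL"):
    """ADD DISKFILE-PATTERN: a wildcard volume is searched, the rest is stored as written."""
    vol, subvol, fname = split_name(pattern, current_subvol)
    targets = [v for v in volumes if fnmatchcase(v, vol)] if has_wild(vol) else [vol]
    added = [f"{v}.{subvol}.{fname}" for v in targets]
    for record in added:
        if not is_legal_record(record):
            raise ValueError(f"{record}: not a legal pattern (no wildcards)")
    store.extend(r for r in added if r not in store)
    return added

def info_pattern(pattern, store, current_subvol="SUBVOL"):
    """INFO DISKFILE-PATTERN without ALL: search the volume, compare the rest literally."""
    vol, subvol, fname = split_name(pattern, current_subvol)
    return [r for r in store
            if fnmatchcase(r.split(".")[0], vol) and r.split(".")[1:] == [subvol, fname]]

# Constructed sample data: patterns 1-4 are made up; the volumes are the ones named above.
VOLUMES = ["$DATA1", "$DATA2", "$DATA3"]
STORE = ["$DATA1.SALES.*", "$DATA1.APPL?.*", "$DATA2.*.RPT*", "$DATA3.SYS??.*"]
add_pattern("$*.*.*", VOLUMES, STORE)        # adds patterns 5, 6 and 7

if __name__ == "__main__":
    print(info_pattern("$*.*.*", STORE))     # only the three *.* records
```

The multi-dimensional search selected by the ALL option is not modelled here.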
A multi-dimensional search ignores the setting of WARNINGS. Therefore no warning message is displayed.

• To display all diskfile patterns that match the search pattern $A.B.* and suppress warning/error messages:

   INFO DISKFILE-PATTERN $A.B.*, ALL, WARNINGS OFF

A multi-dimensional search ignores the setting of WARNINGS. Therefore no warning message is displayed.

• To display all diskfile patterns that match the search pattern $A.B.*:

   INFO DISKFILE-PATTERN $A.
THAW DISKFILE-PATTERN

THAW DISKFILE-PATTERN Example

• To thaw all diskfile patterns that have a volume name ending in the letter P:

   THAW DISKFILE-PATTERN $*P.*.
A Guardian File Security

The Guardian environment automatically provides a basic level of security for all disk files. You can manipulate Guardian file security through TACL and FUP.
Table A-1. Guardian File Security Settings

Code   Access
O      Only the owner of the file on the local system can access the file.
U      Only the owner of the file on the local system or on the network can access the file.
G      Any member of the owner's group on the local system can access the file.
C      Any member of the owner's group, either on the local system or on the network, can access the file.
A      Any user on the local system can access the file.
Displaying File Security

You can examine the security string for a specific file or all files in your current subvolume. Both the TACL FILEINFO command and the FUP INFO command display security strings for your files.
1. Use the TACL WHO command to check your current default security string:

   1> WHO
   Home terminal: $HOLDEN
   TACL process: \MEL.$G633
   Primary CPU: 8 (TXP)  Backup CPU: 9 (TXP)
   Default Segment File: $BILLS.#5582
   Pages allocated: 12  Pages Maximum: 1024
   Bytes Used:18924 (0%)  Bytes Maximum: 2097152
   Current volume: $BILLS.HOLDEN
   Saved volume: $BILLS.HOLDEN
   Userid: 7,124  Username: PAY.HOLDEN  Security: "NUNU"
   2>

2.
1. Create the new files:

   1> FUP
   File Utility Program - T9074C31 - (02AUG93) System \MEL
   Copyright Tandem Computers Incorporated 1981, 1983, 1985-1993
   -CREATE ACCT4
   CREATED - $BILLS.HOLDEN.ACCT4
   -CREATE ACCT5
   CREATED - $BILLS.HOLDEN.ACCT5
   -

2. Change the security string for each file:

   -SECURE ACCT4, "GOGO"
   -SECURE ACCT5, "GOGO"
   -

3. Verify the security strings and then exit from FUP:

   -INFO ACCT4
   CODE BLOCK $BILLS.
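To read strings such as "NUNU" and "GOGO" at a glance, the sketch below decodes a security string and evaluates a request against it. It is an added example, not part of the manual: the function names are hypothetical, the N and - codes and the read, write, execute, purge order come from standard Guardian security rather than from the visible part of Table A-1, and the access model (the local super ID is always allowed, network requests pass only network codes) is a simplified assumption.

```python
# Guardian security codes: who may perform the operation, and whether
# requests arriving over the network are accepted.
CODES = {
    "O": ("owner", False), "U": ("owner", True),
    "G": ("group", False), "C": ("group", True),
    "A": ("any", False),   "N": ("any", True),
    "-": ("super", False),                 # local super ID only
}
OPERATIONS = ("read", "write", "execute", "purge")   # positions in the string
SUPER_ID = (255, 255)

def decode(security):
    """Map a four-character security string such as "NUNU" to per-operation rules."""
    security = security.upper()
    if len(security) != 4 or any(c not in CODES for c in security):
        raise ValueError(f"bad security string: {security!r}")
    return {op: CODES[c] for op, c in zip(OPERATIONS, security)}

def allowed(security, operation, owner, requester, remote=False):
    """owner and requester are (group, user) pairs; remote marks a network request."""
    who, network = decode(security)[operation]
    if remote and not network:
        return False                       # local-only code, request came from the network
    if not remote and requester == SUPER_ID:
        return True                        # assumption: local super ID passes every check
    if who == "owner":
        return requester == owner
    if who == "group":
        return requester[0] == owner[0]
    return who == "any"

def audit(security):
    """Return the operations that change or destroy data and are open to every user."""
    rules = decode(security)
    return [op for op in ("write", "purge") if rules[op][0] == "any"]

if __name__ == "__main__":
    owner = (7, 124)                       # PAY.HOLDEN from the WHO display
    for s in ("NUNU", "GOGO"):
        print(s, decode(s), audit(s))
    print(allowed("GOGO", "read", owner, (7, 10)))   # same group, local request
```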
B Protecting Your Terminal

As a general user, you need to take certain precautions to protect your terminal and prevent unauthorized access to your system. Namely, you must ensure the secrecy of your password, and you should log off or lock your terminal if you plan to leave it unattended.

Protecting Your Password

To log on to your system, you identify yourself by entering your user name (or user ID) and password.
As a final precaution in logging off, always clear your screen. Usually, TACL is configured to handle this automatically. If your terminal screen is not cleared automatically when you log off, be sure that no sensitive data is left on the screen.
C SAFECOM Command Syntax

This appendix summarizes the syntax of the SAFECOM commands presented in this manual. The commands are listed in alphabetical order. In every command that manages a system object, object-type can be omitted if it is the current assumed object type. Remember that SAFECOM reserved words can be abbreviated. Typically, a reserved word can be abbreviated to its first three characters unless a longer abbreviation is necessary to distinguish between similar reserved words.
object-type can be any of the following:

   DISKFILE
   DISKFILE-PATTERN
   SUBVOLUME
   PROCESS
   SUBPROCESS

(DISKFILE can also be spelled as DISCFILE.)

object-list has the following form:

   { object-spec                           }
   { ( object-spec [ , object-spec ] ... ) }

object-spec
   for disk files, can be either a fully or a partially qualified disk-file name or a disk-file set.
   for diskfile patterns, can be fully qualified diskfile-pattern name or set.
ALTER object-type object-list [ , ] { LIKE object-name | object-attribute } [ , object-attribute ] ...

ASSUME [ object-type ]

DELETE object-type object-list

DISPLAY command [ , command ] ...

command is one of the following DISPLAY commands:

   [ AS ] COMMANDS [ ON | OFF ]
   DETAIL [ ON | OFF ]
   HEADERS [ ON | OFF | ONCE ]
   PROMPT [ prompt-item ] [ ( prompt-item [ , prompt-item ] ) ...
   DETAIL
   SUMMARY

EXIT

FC [ string   ]
   [ “string” ]
   [ linenum  ]
   [ -linenum ]

FREEZE object-type object-list

HELP [ / OUT listfile / ] [ command-name ]
                          [ keyword      ]
                          [ COMMANDS     ]
                          [ ALL          ]
                          [ *            ]

HISTORY [ lines ] [ RESET LAST ] [ RESET ALL ]

INFO [ / OUT listfile / ] ALIAS { alias | ( alias [ , alias ] ... ) } [ [ , ] option ] [ , option ] ...
INFO [ / OUT listfile / ] object-type object-list [ , ] [ display-option ] [ , display-option ]

INFO [ / OUT listfile / ] USER { user-spec | ( user-spec [ , user-spec ] ... ) } [ [ , ] option ] [ , option ] ...

option is one of the following:

   GENERAL
   DETAIL
   AUDIT
   CI
   OSS
   REMOTEPASSWORD
   DEFAULT-PROTECTION
   GROUP
   OWNER-LIST
   TEXT-DESCRIPTION
   WHERE expression

Note. The OWNER-LIST and TEXT-DESCRIPTION attributes are supported only on systems running H06.
   AUDIT-ACCESS-FAIL [audit-spec]
   AUDIT-MANAGE-PASS [audit-spec]
   AUDIT-MANAGE-FAIL [audit-spec]
   TEXT-DESCRIPTION "[text]"

Disk files also have the following attributes:

   LICENSE      { ON | OFF }
   PROGID       { ON | OFF }
   CLEARONPURGE { ON | OFF }
   PERSISTENT   { ON | OFF }
   TRUST        { ME | SHARED | OFF }  (H-series only)

access-spec has the following form:

   user-list [-] [DENY] authority-list

user-list is one of the following:

   { net-user-spec }
   { ( net-user-spec [ , net-user-sp
SYSTEM [ \system-name ]

THAW object-type object-list

VOLUME [ $volume           ]
       [ $volume.subvolume ]
       [ subvolume         ]

? [ string   ]
  [ “string” ]
  [ linenum  ]
  [ -linenum ]

! [ string   ]
  [ “string” ]
  [ linenum  ]
  [ -linenum ]

Note. The OWNER-LIST attribute is supported only on systems running G06.27 and later G-series RVUs and H06.07 and later H-series RVUs.

Note. The TEXT-DESCRIPTION attribute is supported only on systems running G06.
Glossary

access control list. A list associated with an object that itemizes the subjects authorized to access that object and shows the access authorities granted to each subject.

ACL. See access control list.

alias. An alternate name for logging on to the system.

attribute. A security characteristic assigned to an object to apply special protection to that object. Examples are CLEARONPURGE and LICENSE.

audit.
primary owner. The owner of a Safeguard protection record whose user ID appears as the OWNER attribute in the record.

PROGID attribute. A security attribute for disk files that contain object code. When PROGID is ON, the user running the process obtains the privileges of the file's primary owner.

SAFECOM. The Safeguard command interpreter.

Secondary owners.