H06.27 Release Version Update Compendium

Safeguard V5R2
Safeguard V5R2 has the following new features:
- A new, optional security administration group, SECURITY-PERSISTENCE-ADMIN, is added to support a more flexible security model for persistent process management through $ZZKRN.
- When AUDIT-USER-ACTION-FLAGS for a user is set to a value other than NONE, and a persistent protection record exists for a file, Safeguard reports an outcome of OTHER under the following scenarios:
  - Open of a non-existent diskfile followed by an attempt to create the same where the diskfile name is governed by a Safeguard persistent protection record and the user does not have the create authority.
  - Creation of a diskfile by a name that is already in use and the diskfile name is governed by a Safeguard persistent protection record, and the user does not have the create authority.
  - Purging of a non-existent diskfile or a diskfile whose file expiration time (NOPURGEUNTIL) is in the future.
- If the caller of USER_AUTHENTICATE_ has supplied an IP address, Safeguard includes that information in requests sent to a configured authentication Security Event Exit Process (SEEP).
- To prevent accidental issuance of a STOP SAFEGUARD command, a user can configure a new Safeguard attribute, PROMPT-BEFORE-STOP, to require confirmation of a SAFECOM STOP SAFEGUARD command. The default value is OFF. Note that the new option does not affect SPI commands.

Migration Considerations
- There is no change to the current rulings by the persistence manager, unless the new security administration group is created.
- Programs that read Safeguard audit and parse outcomes might see OTHER as an outcome value.
- Authentication SEEPs can be modified to incorporate security rulings based on IP address (if present). The information is in a part of the message reserved for future use, so there is no impact on existing authentication SEEPs.

Fallback Considerations
- If the new security administration group is created, it is ignored by prior versions of both Safeguard and $ZZKRN. If the installed Kernel Subsystem Manager SPR provides the flexibility to select the users who are allowed to add persistent processes, HP recommends not downgrading the Standard Security to a version older than the initial support if the new security administration group is required. However, Safeguard can be downgraded to an older version without any problems. Prior to fallback, HP recommends that the SECURITY-PERSISTENCE-ADMIN security group be deleted (if it exists). This prevents the group from remaining in the protection record database and being utilized unexpectedly in some future upgrade that supports the SECURITY-PERSISTENCE-ADMIN security group.
- After fallback, authentication SEEPs that have been modified to use the IP address will not supply the IP address, as the field always contains zeroes.
- The PROMPT-BEFORE-STOP attribute is ignored by older versions of Safeguard.
14 Manageability and Security Products