Open System Services Management and Operations Guide (G06.29+, H06.07+)
Managing Security
Open System Services Management and Operations Guide—527191-005
This definition prevents use of the Guardian environment default volume and
subvolume as the initial working directory. It also causes use of the OSH command to
fail for that user and give the user the suggested pathname as part of an OSH error
message.
Note that this approach to user and alias definitions can add significantly to logs of
error messages or of process failures.
Configuring Special Users
UNIX administrators traditionally reserve certain user names for special uses. The user
name root is almost universally used for the user who has super ID permissions
(appropriate privileges for the use of all restricted system facilities).
Consider configuring the super ID with the alias of root. That configuration provides
behavior consistent with most UNIX systems and might prevent confusion.
To configure the super ID with the alias root, you would enter an appropriate version
of the following SAFECOM commands:
ADD ALIAS root, 255,255, PASSWORD Doom1
ALTER ALIAS root, GUARDIAN DEFAULT SECURITY ----
ALTER ALIAS root, GUARDIAN DEFAULT VOLUME $SYSTEM.SYSTEM
ALTER ALIAS root, INITIAL-DIRECTORY /
The user name SUPER.SUPER is predefined in the security database as the user ID
(255,255), which is the super ID with appropriate privileges in the OSS environment.
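The following Python check is an added example, not part of the guide: it reads alias definitions from a SAFECOM command file and reports aliases mapped to the super ID, passwords written in the file, and aliases that have no INITIAL-DIRECTORY. It assumes one command per line in the form shown above; the alias jdoe and its user ID 100,7 are constructed for illustration.

```python
import re

SUPER_ID = (255, 255)  # group,member of the super ID, as stated on the page

# Constructed sample: the page's four commands plus a hypothetical alias "jdoe".
SAMPLE = """\
ADD ALIAS root, 255,255, PASSWORD Doom1
ALTER ALIAS root, GUARDIAN DEFAULT SECURITY ----
ALTER ALIAS root, GUARDIAN DEFAULT VOLUME $SYSTEM.SYSTEM
ALTER ALIAS root, INITIAL-DIRECTORY /
ADD ALIAS jdoe, 100,7
"""

ADD_RE = re.compile(r"^ADD\s+ALIAS\s+(\S+?)\s*,\s*(\d+)\s*,\s*(\d+)\s*(?:,\s*(.*))?$", re.I)
ALTER_RE = re.compile(r"^ALTER\s+ALIAS\s+(\S+?)\s*,\s*(.+)$", re.I)

def parse_aliases(text):
    """Return {alias: {"id": (group, member) or None, "attrs": {NAME: value}}}."""
    aliases = {}
    for line in text.splitlines():
        line = line.strip()
        add, alter = ADD_RE.match(line), ALTER_RE.match(line)
        if not (add or alter):
            continue  # not an alias command
        name = (add or alter).group(1)
        entry = aliases.setdefault(name, {"id": None, "attrs": {}})
        if add:
            entry["id"] = (int(add.group(2)), int(add.group(3)))
        attr = ((add.group(4) if add else alter.group(2)) or "").strip()
        if attr:
            # The attribute value is the last token; the keyword may contain spaces.
            key, _, value = attr.rpartition(" ")
            entry["attrs"][key.strip().upper()] = value
    return aliases

def review(text):
    """Return (alias, finding) pairs, sorted by alias name."""
    findings = []
    for name, entry in sorted(parse_aliases(text).items()):
        if entry["id"] == SUPER_ID:
            findings.append((name, "SUPER_ID"))            # alias carries super ID privileges
        if "PASSWORD" in entry["attrs"]:
            findings.append((name, "CLEARTEXT_PASSWORD"))  # password readable in the file
        if "INITIAL-DIRECTORY" not in entry["attrs"]:
            findings.append((name, "NO_INITIAL_DIRECTORY"))  # Guardian default volume is used
    return findings

if __name__ == "__main__":
    for alias, finding in review(SAMPLE):
        print(f"{alias}: {finding}")
```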
OSS Security Auditing
As it does in the Guardian environment, the Safeguard audit service records and
retrieves information about file access decisions that have occurred within the OSS
subsystem. The audit service records the outcome of requests for permission to
create, open, or delete files; change file content, permissions, or ownership; add or
alter filesets; and create or delete directories. Actions that create or change the state of
OSS processes can also be audited, such as the kill command or any of the
tdm_exec, tdm_spawn, exec, and tdm_fork() or fork() function calls.
The following subsections provide more information about:
• Audit Records for OSS Objects on page 8-24
• Auditing of OSS Shell Commands on page 8-27
Audit Records for OSS Objects
Audited events are recorded in the Safeguard audit files (collectively referred to as the
audit trail). Every audited event describes:
• The user or process initiating the event
• The object affected by the event