Open System Services Management and Operations Guide (G06.30+, H06.08+, J06.03+)

• Perform auditing for OSS files and the OSS environment’s filesets
• Control access to the /E directory using the REMOTEPASSWORD attribute
• Use the OSS EasySetup product
This guide illustrates the use of the Safeguard product in the Guardian environment.
You create a user definition with the SAFECOM ADD USER command, and you create a user
group definition with the SAFECOM ADD GROUP command.
A NonStop operating system user can have alternate user names, called aliases. Most of the
attributes of an alias can differ from those of its underlying user definition. You create an alias with
the SAFECOM ADD ALIAS command.
A Safeguard user group is either an administrative group or a file-sharing group. An administrative
group is used to manage user access; a file-sharing group is used to manage file access.
A NonStop operating system user belongs to a primary group and can belong to more than one
file-sharing group. File-sharing groups other than the primary group are called supplementary
groups in POSIX terminology, although that term does not appear in Safeguard manuals. All groups
configured for the user make up the user’s group list.
By default, the primary group for a new user is the administrative group of the user. The primary
group should not be an administrative group and can be changed to any other group in the user’s
group list.
You should also configure an OSS user’s initial working directory when you configure the user.
You configure the user’s initial working directory with the SAFECOM ADD USER, ALTER USER,
ADD ALIAS, and ALTER ALIAS commands.
You cannot:
• Move user or group membership definitions directly from a UNIX system into the OSS
  environment. If you want to duplicate your UNIX system user and group definitions, you must
  recreate them through the Safeguard subsystem.
• Copy an /etc/group file to define user groups for the OSS environment. OSS security
  processing does not use an /etc/group file.
• Copy an /etc/passwd file to define users for the OSS environment. OSS security processing
  does not use an /etc/passwd file.
• Copy an /etc/ftpusers file to bar specific users from FTP access to the OSS and Guardian
  file systems.
• Use UNIX Network Information Service (NIS) “yellow pages” to define users for the OSS
  environment. OSS security processing does not currently support NIS.
For information about managing users and groups in the OSS environment, see “Managing Users
and Groups” (page 204).
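Because UNIX definitions must be recreated through the Safeguard subsystem rather than copied, an inventory of the source system is a useful first step. The following Python script is an added example, not part of this guide or of any HPE product: it reads passwd-format and group-format text and produces a worksheet of each user's primary group, supplementary groups, and home directory (a candidate initial working directory). The function name build_worksheet and the sample data are constructed for illustration, and the script emits no SAFECOM commands.

```python
# Added example: inventory UNIX accounts before recreating them in Safeguard.
# The sample passwd/group text below is constructed for illustration.
from collections import defaultdict

PASSWD = """\
alice:x:1001:100:Alice:/home/alice:/bin/sh
bob:x:1002:200:Bob:/home/bob:/bin/sh
carol:x:1003:300:Carol:/home/carol:/bin/sh
"""
GROUP = """\
staff:x:100:
dev:x:200:alice,bob
ops:x:250:alice,dave
"""

def build_worksheet(passwd_text, group_text):
    """Return (users, problems): one entry per UNIX user with the data an
    administrator re-enters by hand: primary group, supplementary groups,
    and home directory (the candidate initial working directory)."""
    gid_to_name, supplementary, problems = {}, defaultdict(list), []
    for line in group_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        gid_to_name[int(gid)] = name
        for member in filter(None, (m.strip() for m in members.split(","))):
            supplementary[member].append(name)
    users = {}
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, _uid, gid, _gecos, home, _shell = line.split(":", 6)
        primary = gid_to_name.get(int(gid))
        if primary is None:
            problems.append(f"{name}: primary GID {gid} has no group entry")
        others = sorted(g for g in supplementary.get(name, []) if g != primary)
        users[name] = {"primary_group": primary, "supplementary_groups": others,
                       "initial_directory": home}
    for member in sorted(set(supplementary) - set(users)):
        problems.append(f"{member}: listed in a group but has no passwd entry")
    return users, problems

if __name__ == "__main__":
    users, problems = build_worksheet(PASSWD, GROUP)
    for name, info in sorted(users.items()):
        print(name, info)
    for p in problems:
        print("CHECK:", p)
```

Entries reported under CHECK are inconsistencies in the source files that should be resolved before the definitions are entered in Safeguard.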
OSS Security Auditing
As it does in the Guardian environment, the Safeguard audit service records and retrieves
information about file access decisions that have occurred within the OSS subsystem. The audit
service records the outcome of requests for permission to create, open, or delete files; change file
content, permissions, or ownership; add or alter filesets; and create or delete directories. Actions
that create or change the state of OSS processes can also be audited, such as the kill command
or any of the tdm_exec, tdm_spawn, exec, and tdm_fork() or fork() function calls.
The following subsections provide more information about:
• “Audit Records for OSS Objects” (page 224)
• “Auditing of OSS Shell Commands” (page 225)