Safeguard Administrator’s Manual

Abstract

This manual describes Safeguard commands and features reserved for security administrators and privileged users.

Product Version

Safeguard G06, H04

Supported Release Version Updates (RVUs)

This publication supports G06.21 and all subsequent G-series RVUs and H06.03 and all subsequent H-series RVUs until otherwise indicated by its replacement publication.
Document History

   Part Number   Product Version      Published
   523317-009    Safeguard G06, H03   May 2006
   523317-010    Safeguard G06, H03   July 2006
   523317-011    Safeguard G06, H03   August 2006
   523317-012    Safeguard G06, H03   November 2006
   523317-013    Safeguard G06, H04   February 2007
Contents

What’s New in This Manual
   Manual Information
   New and Changed Information
About This Manual
   Notation Conventions
1. Introduction
   Who Can Use the Safeguard Subsystem?
   The Importance of a Security Policy
   Preliminary Security Planning
   The Corporate Security Officer and Security Policy
   The Security Administrator
   Objects That Require Protection
   Who Can Run SAFECOM?
   Analyzing Security Needs
6. Managing Security Groups
   Adding Security Groups
   Transferring Security Group Ownership
   Freezing and Thawing Security Groups
   Deleting Security Groups and Group Members
7. Securing Terminals
   Control of the Logon Dialog
   Starting a Command Interpreter
   Adding a Terminal Definition
   Altering a Terminal Definition
   Freezing and Thawing a Terminal
   Deleting a Terminal Definition
9. Configuration (continued)
   Configuring Attributes for Node Specific Subjects in ACLs
What’s New in This Manual
Changes to the H06.08 Manual

• Added the new Safeguard attributes, PASSWORD-COMPATIBILITY-MODE and PASSWORD-MAXIMUM-LENGTH, on page 2-2 and page 9-2.
Changes to the H06.
Changes to the H06.
About This Manual This manual describes features of the Safeguard software that are reserved for security administrators and privileged users. The first section of this manual introduces the Safeguard software and presents general guidelines and recommendations for establishing system security.
Notation Conventions

Hypertext Links

Blue underline is used to indicate a hypertext link within text. By clicking a passage of text with a blue underline, you are taken to the location described. For example:

   This requirement is described under Backup DAM Volumes and Physical Disk Drives on page 3-2.

General Syntax Notation

The following list summarizes the notation conventions for syntax presentation in this manual.

UPPERCASE LETTERS.
each side of the list, or horizontally, enclosed in a pair of brackets and separated by vertical lines. For example:

   FC [ num ] [ -num ] [ text ]

   K [ X | D ] address

{ } Braces. A group of items enclosed in braces is a list from which you are required to choose one item. The items in the list can be arranged either vertically, with aligned braces on each side of the list, or horizontally, enclosed in a pair of braces and separated by vertical lines.
Line Spacing. If the syntax of a command is too long to fit on a single line, each continuation line is indented three spaces and is separated from the preceding line by a blank line. This spacing distinguishes items in a continuation line from items in a vertical list of selections. For example:

   ALTER [ / OUT file-spec / ] LINE

      [ , attribute-spec ]…

!i and !o.
Notation for Messages

Nonitalic text. Nonitalic letters, numbers, and punctuation indicate text that is displayed or returned exactly as shown. For example:

   Backup Up.

lowercase italic letters. Lowercase italic letters indicate variable items whose values are displayed or returned. For example:

   p-register

   process-name

[ ] Brackets. Brackets enclose items that are sometimes, but not always, displayed.
Notation for Management Programming Interfaces

The following list summarizes the notation conventions used in the boxed descriptions of programmatic commands, event messages, and error lists in this manual.

UPPERCASE LETTERS. Uppercase letters indicate names from definition files; enter these names exactly as shown. For example:

   ZCOM-TKN-SUBJ-SERV

lowercase letters.
1 Introduction

As a security administrator or privileged user, you have access to Safeguard features that are not usually available to general users. This manual describes those features and the additional responsibilities you have as a member of the system security team.
• By default, the local super ID (user ID 255,255) can execute any SAFECOM command for any user or object.
• By default, only local super-group members (user ID 255,n) can initially add users to file-sharing groups and special security groups, execute audit service commands, add terminal definition records, and control the Safeguard configuration.

You can limit or change these authorities to suit your company's security policy.
Preliminary Security Planning

Advance planning is required before you install the Safeguard software. To plan the security for your installation, you must understand the applications used on your system, and you must know which users should be allowed to use system resources.
Who Can Run SAFECOM?

Decide who will use SAFECOM. Once a user runs SAFECOM, only the Safeguard internal restrictions limit the user's capabilities. The Safeguard software imposes internal restrictions on commands such as ADD USER, ALTER USER, and ADD DEVICE, and most SAFECOM operations on existing protection records are restricted to the record owner, the owner's group manager, and the local super ID. However, many SAFECOM commands are unrestricted.
2 Controlling User Access

This section describes how to use the SAFECOM user security commands to establish a local user community and to manage user access to a system protected by the Safeguard software. It also describes how to identify network users, how to set up network access for users, and how to establish default protection for users’ disk files.

Introduction

User security controls are established with USER security commands when you add or alter a user authentication record.
• Initial directory, initial program, and initial program type for the user in an HP NonStop Open Systems Services (OSS) environment (INITIAL-DIRECTORY, INITIAL-PROGRAM, and INITIAL-PROGTYPE attributes)
• Automatic starting of a command interpreter for a user after logon at a terminal controlled by the Safeguard software (CI-PROG attribute)

TERMINAL Commands

The TERMINAL commands, which are described in Section 7, Securing Terminals, allow you to add terminal de
ALTER SAFEGUARD Command

• ¹Password uppercase required, specifies whether a user's password will be enforced to have at least one uppercase character (PASSWORD-UPPERCASE-REQUIRED)
• ¹Password lowercase required, specifies whether a user's password will be enforced to have at least one lowercase character (PASSWORD-LOWERCASE-REQUIRED)
• ¹Password numeric required, specifies whether a user's password will be enforced to have at least one numeric characte
• Automatic starting of a command interpreter for a user after logon at a Safeguard terminal (CI-PROG)

Using SAFECOM to Establish a Local User Community

Before a new user can log on to a system, a group manager or the local super ID must use SAFECOM commands to create a user authentication record in the Safeguard subject database.
Adding Users to the System

An administrative group is defined implicitly when the first member of that group is added to the system. By default, only the local super ID can define a new administrative group with the ADD USER command. If your installation has group managers (with member number 255), you might want to add that user as the first group member. The group manager can then add other new members to the group.
Table 2-1. User Security Attributes and Default Attribute Values (page 1 of 5)

Attribute: OWNER
Description: Identifies the primary owner of this user authentication record. The primary owner can:
   • Change any of the user's security attributes.
   • Suspend and restore the user's ability to log on to the system.
Default Value: The default value is the user ID of the person who adds the new user.

Attribute: OWNER-LIST *
Table 2-1. User Security Attributes and Default Attribute Values (page 2 of 5)

Attribute: PASSWORD-MUST-CHANGE EVERY DAYS
Description: Specifies the maximum number of days that the user can use the same password.
Default Value: The default value is no required password change.

Attribute: PASSWORD-EXPIRY-GRACE
Description: Specifies the number of days after a password expires that the user can change his or her password during logon.
Default Value: The default value is no grace period.
Table 2-1. User Security Attributes and Default Attribute Values (page 3 of 5)

Attribute: TEXT-DESCRIPTION ^
Description: Specifies a string of descriptive text to be associated with the user authentication record.
Default Value: The default value is no descriptive text.

Attribute: BINARY-DESCRIPTION-LENGTH
Description: Specifies the length in bytes of the binary description to be associated with the user authentication record.
Default Value: The default value is 0.
Table 2-1. User Security Attributes and Default Attribute Values (page 4 of 5)

Attribute: GUARDIAN DEFAULT VOLUME
Description: Sets the Guardian default volume and subvolume for a user.
Default Value: The default value is $SYSTEM.NOSUBVOL.

Description: Specifies the command interpreter to be started automatically after the user logs on at a terminal controlled by the Safeguard software.
Default Value: The default value is no command interpreter.
Table 2-1. User Security Attributes and Default Attribute Values (page 5 of 5)

Attribute: CI-PRI
Description: Specifies the priority at which the command interpreter is run when it is started at a terminal controlled by the Safeguard software.
Default Value: The default value is null.

Attribute: CI-PARAM-TEXT
Description: Specifies the parameter text to be used when the command interpreter is started after the user logs on at a terminal controlled by the Safeguard software.
Table 2-2. User Security Commands (page 2 of 2)

   Command       Description
   INFO USER     Displays the current values of the security attributes defined for a user.
   ALTER USER    Changes security attribute values for a user.
   FREEZE USER   Suspends a user's ability to log on to the system.
   THAW USER     Restores a user's ability to log on.
   DELETE USER   Deletes a user from the system (by deleting the user authentication record for that user).
Note. The TEXT-DESCRIPTION attribute is supported only on systems running G06.27 and later G-series RVUs and H06.06 and later H-series RVUs.

Note. The OWNER-LIST attribute is supported only on systems running G06.27 and later G-series RVUs and H06.07 and later H-series RVUs.

Add the group manager and specify a password:

   =ADD USER admin.
In this sequence of commands, the owner of this record is by default the person who is adding the new user. In this case, the local super ID is the default owner. Because ADMIN.MANAGER is the first user added to group number 1, this sequence of commands creates a new administrative group, ADMIN. You can define all the administrative groups on the system by adding the first user to each group.
The display shows:

   GROUP.USER ADMIN.
Using SAFECOM to Manage User Access to Your System

The owner of a user authentication record can use SAFECOM to control these aspects of the user's ability to access the system:

• Ownership of the record can be transferred to another user.
• The user can be granted temporary access to the system.
• The user can be required to change his or her password periodically.
Then SECURITY.SUSAN checks the INFO display:

   =INFO USER admin.bob

   GROUP.USER  USER-ID  OWNER  LAST-MODIFIED   LAST-LOGON  STATUS  WARNING-MODE
   ADMIN.BOB   1,0      200,1  20JUN05, 11:25  * NONE *    THAWED  OFF

Now the display shows that 200,1 (SECURITY.SUSAN) owns the user authentication record for ADMIN.BOB. ADMIN.MANAGER has thus limited the ability to change the user authentication record for ADMIN.BOB to only three users: SECURITY.
Next, enter a SHOW USER command to check the default attribute values:

   =SHOW USER

   TYPE USER   OWNER 4,255   WARNING-MODE OFF
   PASSWORD = b9v7
   USER-EXPIRES               = 19DEC05, 0:00
   PASSWORD-EXPIRES           = * NONE *
   PASSWORD-MUST-CHANGE EVERY = * NONE *
   PASSWORD-EXPIRY-GRACE      = * NONE *
   GUARDIAN DEFAULT SECURITY  = OOOO
   GUARDIAN DEFAULT VOLUME    = $SYSTEM.
Check the status of the SOFTWARE.GEORGE user authentication record with an INFO USER command:

   =INFO USER software.george, DETAIL

   GROUP.USER USER-ID OWNER SOFTWARE.
The ALTER USER command can also be used to remove an expiration date. For example, if SOFTWARE.GEORGE is hired as a permanent employee, the manager of the SOFTWARE group removes his USER-EXPIRES date with this command:

   =ALTER USER software.george, USER-EXPIRES

Specifying a USER-EXPIRES attribute without a date has the effect of removing any existing USER-EXPIRES date.
Any user can use the command interpreter PASSWORD program to change his or her own password. You can also change your password during logon without using the PASSWORD program. This method of changing your password is described in the Safeguard User’s Guide.

To continue the example, suppose the date is July 27, 2005, and ADMIN.BOB changes his password with the PASSWORD command:

   8> PASSWORD x87d9

After changing his password, ADMIN.
and asks her to find out why he cannot log on. Susan runs SAFECOM and enters the following INFO USER command:

   =INFO USER admin.bob

   GROUP.USER  USER-ID  OWNER  LAST-MODIFIED   LAST-LOGON      STATUS    WARNING-MODE
   ADMIN.BOB   1,0      200,1  28JUN05, 14:09  27JUL05, 08:02  PSWD-EXP  OFF

The STATUS field in the short INFO USER report shows SECURITY.SUSAN that ADMIN.BOB's password has expired. To restore ADMIN.BOB's ability to log on to the system, SECURITY.
Granting a Grace Period for Changing an Expired Password

You can use the PASSWORD-EXPIRY-GRACE attribute to specify a grace period during which a user can change his or her expired password. The PASSWORD-EXPIRY-GRACE attribute can be specified either in the user authentication record for an individual user or in the Safeguard configuration record for all users.
For example, assume that the current time is 10:14 on July 29, 2005. To add the new user ADMIN.ALICE with an expired password and a password expiry grace period of five days, ADMIN.MANAGER enters this command:

   =ADD USER admin.alice, 1,6, LIKE admin.bob, PASSWORD abc,&
   =PASSWORD-EXPIRES 29 jul 2005, 10:00,&
   =PASSWORD-EXPIRY-GRACE 5 DAYS

The PASSWORD-EXPIRES attribute specifies a time that has already passed.
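The interaction between PASSWORD-EXPIRES and PASSWORD-EXPIRY-GRACE described above can be modelled as shown here. This is an added example, not code from the manual or from the Safeguard product; the function names, the state labels, the two-digit-year pivot and the boundary handling are assumptions, and apart from the ADMIN.ALICE values every sample record is constructed.

```python
"""Classify accounts by password-expiry state (added example, simplified model)."""
import re
from datetime import datetime, timedelta

MONTHS = {name: i for i, name in enumerate(
    "JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split(), start=1)}

# Accepts both spellings that appear on this page:
#   command input   "29 jul 2005, 10:00"
#   display output  "27JUL05, 08:02"
TIMESTAMP = re.compile(
    r"^\s*(\d{1,2})\s*([A-Za-z]{3})\s*(\d{4}|\d{2})\s*,\s*(\d{1,2}):(\d{2})\s*$")


def parse_safecom_time(text):
    """Return a datetime, or None for the '* NONE *' placeholder."""
    if text.replace(" ", "").upper() == "*NONE*":
        return None
    match = TIMESTAMP.match(text)
    if not match or match.group(2).upper() not in MONTHS:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    day, month, year, hour, minute = match.groups()
    year = int(year)
    if year < 100:
        # Assumption: two-digit years 70-99 mean 19xx, 00-69 mean 20xx.
        year += 1900 if year >= 70 else 2000
    return datetime(year, MONTHS[month.upper()], int(day), int(hour), int(minute))


def password_state(now, expires, grace_days=0):
    """Return VALID, EXPIRED-IN-GRACE or EXPIRED (labels are this example's own).

    VALID             no expiry set, or the expiry time is still in the future
    EXPIRED-IN-GRACE  expired, but the user can still change the password
                      during logon because the grace period has not run out
    EXPIRED           expired and past the grace period: the account shows up
                      as PSWD-EXP and an owner of the record has to step in
    Assumption: both the expiry time and the end of the grace period are
    treated as already passed at the exact instant they are reached.
    """
    if expires is None or now < expires:
        return "VALID"
    if now < expires + timedelta(days=grace_days):
        return "EXPIRED-IN-GRACE"
    return "EXPIRED"


def audit(records, now_text):
    """Return (user, state) for every record whose password is not VALID."""
    now = parse_safecom_time(now_text)
    findings = []
    for rec in records:
        expires = parse_safecom_time(rec["password_expires"])
        state = password_state(now, expires, rec.get("grace_days", 0))
        if state != "VALID":
            findings.append((rec["user"], state))
    return findings


# Constructed sample data. Only the ADMIN.ALICE values come from the ADD USER
# example above; the EXAMPLE.* users are made up for illustration.
SAMPLE_RECORDS = [
    {"user": "ADMIN.ALICE", "password_expires": "29 jul 2005, 10:00", "grace_days": 5},
    {"user": "EXAMPLE.NOGRACE", "password_expires": "27JUL05, 08:02", "grace_days": 0},
    {"user": "EXAMPLE.NEVER", "password_expires": "* NONE *", "grace_days": 0},
    {"user": "EXAMPLE.FUTURE", "password_expires": "19DEC05, 0:00", "grace_days": 0},
]

if __name__ == "__main__":
    # "Current time" taken from the example above: 10:14 on July 29, 2005.
    for user, state in audit(SAMPLE_RECORDS, "29JUL05, 10:14"):
        print(f"{user:16} {state}")
```
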
For example, suppose ADMIN.BOB goes on vacation. SECURITY.SUSAN freezes the ADMIN.BOB user name with the FREEZE USER command and displays the record with the INFO USER command:

   =FREEZE USER admin.bob
   =INFO USER admin.bob

   GROUP.USER  USER-ID  OWNER  LAST-MODIFIED  LAST-LOGON    STATUS  WARNING-MODE
   ADMIN.BOB   1,0      200,1  5AUG05, 16:45  5AUG05, 8:07  FROZEN  OFF

The STATUS field in the short INFO USER report shows the status of ADMIN.BOB is now frozen.
Deleting Users

The primary and secondary owners of a user authentication record can delete that user with the DELETE USER command. For example, SECURITY.SUSAN can delete ADMIN.BOB with this command:

   =DELETE USER admin.bob

Note. After deleting a user, the security administrator should notify users to remove the deleted user ID from access control lists for objects they own. Also, objects that the deleted user ID owns should be transferred to other owners or deleted.
Using SAFECOM to Establish a Network of Users

Users can be granted access to nodes other than their own and can have access authority for remote objects. A user who can access objects on one or more remote nodes is called a network user. Being a system user on one node of a network of HP NonStop systems does not make you a network user.
Identifying Network Users Controlling User Access Table 2-3.
Granting a Network User Access to Objects on Your System

This subsection gives instructions for using SAFECOM to set up remote passwords for a network user. The SAFECOM ADD USER and ALTER USER commands in this procedure can normally be executed only by the local super ID or the local group manager. Before a user on a remote system can access objects on your system, take these steps:

1.
On the remote system, \LA

ADMIN.BOB is given a remote password for his system, \LA:

   =ALTER USER 1,0, REMOTEPASSWORD \LA abc

On the local system, \NY

Give ADMIN.BOB a remote password for his system, \LA:

   =ALTER USER 1,0, REMOTEPASSWORD \LA abc

Now the network user ADMIN.BOB has two-way access between \NY and \LA.
be granted access to any system on which the user ID 1,0 is assigned to another user name, such as ADMIN.CAROL. (The use of user aliases as network users can alter this behavior, as described at the end of this subsection.)

Coordination of group names and numbers across a network also means that an administrative group can be defined as a network group or as a local group. A local group is unique to one node.
Establishing a Community of Network Users Controlling User Access Figure 2-1.
With these remote passwords, SALES.FRED can access objects on \SF when he is logged on with the alias Freddie at \NY. SOFTWARE.JOE can access objects on \NY when he is logged on with alias Freddie at \SF. However, Safeguard access control decisions are based on the underlying user ID of the alias at the remote node. In effect, SALES.BOB has access to objects to which SOFTWARE.JOE is normally granted access at \SF, and vice versa.
However, the underlying user ID defined for the alias at the remote node is still used in access decisions based on Safeguard access control lists at that node. If the remote node is running a product version prior to D30 and does not support user aliases, the user ID identified by the PAID requesting the access is verified, and access decisions are based on that user ID.
Default auditing specifications

Note. Before using DEFAULT-PROTECTION, you might need to convert the USERID file. For more information, see Section 10, Installation and Management.

Note. Specifying DEFAULT-PROTECTION when CHECK-DISKFILE-PATTERN is set to ONLY results in the creation of extraneous normal protection records, which will not be examined because ONLY only looks at pattern protection records.
Establishing Default Ownership

You can specify two types of ownership with DEFAULT-PROTECTION. You specify one with the OWNER attribute of the user record, and you specify the other with OWNER authority in an access control list. Both types of owners can modify the disk file authorization record after it is created. However, only the primary owner, specified by the OWNER attribute, can set the PROGID attribute to protect program code.
Assume that SECURITY.SUSAN wants to specify default auditing for all files that ADMIN.JEFF creates. To do so, she sets DEFAULT-PROTECTION to include auditing of all successful attempts to access Jeff's disk files:

   =ALTER USER 1,12, DEFAULT-PROTECTION &
   =AUDIT-ACCESS-PASS ALL

Then she displays the record to verify the DEFAULT-PROTECTION audit settings:

   =INFO USER 1,12, DEFAULT-PROTECTION

   GROUP.USER ADMIN.
Then she issues the INFO USER command with the CI option to check the results:

   INFO USER admin.jeff, CI

The display shows:

   GROUP.USER  USER-ID  OWNER  LAST-MODIFIED   LAST-LOGON      STATUS  WARNING-MODE
   ADMIN.JEFF  1,12     200,1  15AUG05, 11:54  12AUG05, 16:02  THAWED  OFF

   CI-PROG = $SYSTEM.SYSTEM.
Assume that SECURITY.SUSAN wants to change the Guardian default security string for ADMIN.JEFF to NUNU. To do so, SECURITY.SUSAN uses this SAFECOM command:

   =ALTER USER admin.jeff, GUARDIAN SECURITY 'NUNU'

The word DEFAULT in the GUARDIAN DEFAULT SECURITY attribute is optional when you enter the command. You can include it for readability, but it is not required. Similarly, quotes around the security string specifier are also optional.
To verify the results of the command, SECURITY.SUSAN issues this INFO USER command:

   =INFO USER admin.jeff, GENERAL

   GROUP.USER ADMIN.
• In addition, the local super ID can add an alias for any user regardless of the existence of an OBJECTTYPE USER record (unless OBJECTTYPE USER specifically denies the super ID).

Each alias must be unique within the local system. An alias is a case-sensitive text string that can be up to 32 alphanumeric characters in length. In addition to alphabetic and numeric characters, the characters period (.
Assigning an Alias to a User Controlling User Access The display shows: NAME RalphW USER-ID 4,32 OWNER 4,255 UID USER-EXPIRES PASSWORD-EXPIRES PASSWORD-MAY-CHANGE PASSWORD-MUST-CHANGE EVERY PASSWORD-EXPIRY-GRACE LAST-LOGON LAST-UNSUCESSFUL-ATTEMPT LAST-MODIFIED FROZEN/THAWED STATIC FAILED LOGON COUNT GUARDIAN DEFAULT SECURITY GUARDIAN DEFAULT VOLUME = = = = = = = = = = = = = AUDIT-AUTHENTICATE-PASS AUDIT-AUTHENTICATE-FAIL AUDIT-USER-ACTION-PASS AUDIT-USER-ACTION-FAIL NONE NONE ALL ALL = = = = STAT
3 Managing User Groups

This section describes how to use the SAFECOM group commands to define and manage supplementary user groups. Groups created explicitly with the ADD GROUP command can exist independently of user definitions and are typically used for file-sharing purposes. Groups with numbers ranging from 0 through 255 can be used as administrative groups. An administrative group exists primarily for user management although it can also be used for file sharing.
Adding User Groups

Any super-group member can add a group definition unless an OBJECTTYPE USER access control list exists. If an OBJECTTYPE USER record exists, only users with CREATE authority on that access control list can use the ADD GROUP command. Assume that the user ADMIN.DON (user ID 16,24) has C authority on the OBJECTTYPE USER access control list. To create a group that could be subsequently activated as an administrative group, ADMIN.
The display shows:

   GROUP NAME  NUMBER  OWNER  LAST-MODIFIED
   ProG4       1144    16,24  23JUL94, 11:18
   AUTO-DELETE = OFF
   DESCRIPTION = Inventory system programmers

Because ADMIN.DON is the owner of these groups, he can use the ALTER GROUP command to manage the groups. In addition, because ADMIN.DON is on the OBJECTTYPE USER access control list, he can use the ADD USER command to add users to the group PROG4 and thereby activate it as an administrative group.
The display shows:

   GROUP NAME  NUMBER  OWNER  LAST-MODIFIED
   PROG4       144     16,24  23JUL94, 11:49
   AUTO-DELETE = OFF
   DESCRIPTION = Maintenance programmers for Inventory System
   MEMBER = PROG4.SUSAN
   MEMBER = TEST.PHIL
   MEMBER = TEST.JUNE
   MEMBER = Group-Super

Now any access control list entry that contains the entry 144,* is interpreted by the Safeguard software to include all members of group 144, including TEST.PHIL, TEST.JUNE, and Group-Super. Suppose that ADMIN.
Deleting Groups

The AUTO-DELETE flag in a group definition record indicates whether the group is deleted automatically when its last member is deleted. Administrative groups that are created with the ADD USER command are deleted automatically when the last user is deleted from the group. Groups created with the ADD GROUP command are not deleted automatically. You can have file-sharing groups without members.
4 Securing Volumes and Devices

The Safeguard User's Guide explains how to secure disk files, subvolumes, and processes. This section describes how to secure disk volumes and devices. By default, only super-group members can add volumes and devices to the Safeguard database. (However, you can also define a special group of users to be responsible for volumes and devices. To do so, use the appropriate OBJECTTYPE authorization, as described in Section 5, OBJECTTYPE Control.
You can transfer ownership of a volume or device by changing the OWNER attribute. You can also designate additional owners by specifying OWNER authority in the access control list. Both forms of ownership allow an owner to modify the authorization record for the volume or device.

Table 4-2.
Considerations for Volumes

By default, only super-group users (255,*) can add a disk volume to the Safeguard database and specify the access authorities for the volume. If necessary, you can transfer ownership to a general user if that individual is to be responsible for protection of the volume. A disk volume is usually added to the Safeguard database to control who can create files on that volume.
Considerations for Devices and Subdevices

By default, only super-group users (255,*) can add devices and subdevices to the Safeguard database. If necessary, ownership can be transferred to another user responsible for protection of that device or subdevice. Until a device or subdevice is added to the Safeguard database, any process can open that device or subdevice for input or output.
5 OBJECTTYPE Control

So far, you have seen how to protect an individual object such as a disk volume by creating an authorization record for it. This section describes how to use the OBJECTTYPE commands to control who can create authorization records for objects of a given type. By default, only super-group users can create authorization records for volumes, devices, and subdevices, but any user can create authorization records for processes, subprocesses, subvolumes, and disk files.
   SUBPROCESS
   OBJECTTYPE
   USER

Note. OBJECTTYPE USER also controls who can use the ADD ALIAS and ADD GROUP commands. OBJECTTYPE DISKFILE has no effect on default protection for a user’s disk files. It only controls who can execute the ADD DISKFILE command.

Initially, only super-group users can create an OBJECTTYPE authorization record. However, you can transfer this authority to designated users with OBJECTTYPE OBJECTTYPE.
An OBJECTTYPE authorization record can have only two access authorities:

   CREATE   The authority to add individual authorization records for that type of object
   OWNER    The authority to modify the OBJECTTYPE record

Note. Users with CREATE authority on an OBJECTTYPE access control list can add any object of that type regardless of the object's ownership.
2. Transfer ownership to user ID 12,8:

   =ALTER OBJECTTYPE DEVICE, OWNER 12,8

3.
Suppose you want only group 10 to add users, aliases, and groups. Consider this command:

   =ADD OBJECTTYPE USER, ACCESS 10,* C, OWNER 10,1

This command gives CREATE authority to all users who have group 10 as their administrative group. They can add users by creating user authentication records. Group managers no longer have authority to add users, but the super ID retains this authority.
The display shows:

                           LAST-MODIFIED   OWNER  STATUS  WARNING-MODE
   OBJECTTYPE OBJECTTYPE   27JAN88, 14:10  200,1  THAWED  OFF

      200,8          C
      200,12         C
      255,255  DENY  C,O

OBJECTTYPE Auditing

All OBJECTTYPE authorization records provide auditing attributes. These attributes enable you to audit attempts to add individual authorization records as well as attempts to change the OBJECTTYPE authorization record.
The display shows:

                       LAST-MODIFIED   OWNER  STATUS  WARNING-MODE
   OBJECTTYPE DEVICE   26JAN88, 11:24  12,8   THAWED  OFF

      012,*    C

   AUDIT-ACCESS-PASS = NONE   AUDIT-ACCESS-FAIL = NONE
   AUDIT-MANAGE-PASS = ALL    AUDIT-MANAGE-FAIL = NONE

AUDIT-MANAGE-PASS is now set to ALL. For more information about auditing, see the Safeguard Audit Service Manual.
6 Managing Security Groups

The Safeguard subsystem allows you to define three special security groups to control the use of certain restricted commands.
Table 6-1. Security Groups and Restricted Commands (page 2 of 2)

   Command                      SECURITY-ADMINISTRATOR   SYSTEM-OPERATOR
   ADD EVENT-EXIT-PROCESS       Yes                      No
   ALTER EVENT-EXIT-PROCESS     Yes                      No
   DELETE EVENT-EXIT-PROCESS    Yes                      No
   ALTER SAFEGUARD              Yes                      No
   STOP SAFEGUARD               Yes                      No

Note. Until you add the SECURITY-ADMINISTRATOR and SYSTEM-OPERATOR security groups, any super-group user (user ID 255,n) can use all the commands listed in Table 6-1.
Table 6-2. SECURITY-GROUP Command Summary (page 2 of 2)

   Command               Description
   SET SECURITY-GROUP    Sets one or more group attribute values to specified default values.
   SHOW SECURITY-GROUP   Displays the current default values of the group attributes.
   THAW SECURITY-GROUP   Reenables a frozen group. Then user IDs with EXECUTE authority on the group access list can execute the restricted commands once again.
You also define membership in the SYSTEM-OPERATOR security group by adding an authorization record for that group. For example, this command creates the authorization record for the SYSTEM-OPERATOR security group and gives all authorities to SYSOP.
Transferring Security Group Ownership

You can transfer ownership of a group authorization record to another user. For example, this command gives ownership of the SECURITY-ADMINISTRATOR authorization record to ADMIN.BOB (200,8):

    =ALTER SECURITY-GROUP SEC-ADM, OWNER admin.bob

You can abbreviate the security group name as SEC-ADM.
Freezing and Thawing Security Groups

A security group can be frozen by the primary owner or by any user with OWNER authority on the access control list for the group. When a group is frozen, the only individuals who can execute the commands restricted to that group are the primary owner, the primary owner's group manager, owners on the access control list, and the local super ID. For example, ADMIN.
To thaw the group:

    = THAW SECURITY-GROUP SECURITY-OSS-ADMINISTRATOR

To verify the results:

    = INFO SECURITY-GROUP SECURITY-OSS-ADMINISTRATOR

The display shows:

    LAST-MODIFIED SECURITY-OSS-ADMINISTRATOR 14MAR06, 1:29 240,001 240,002 240,003 240,004 OWNER STATUS 255,5 THAWED E E E O O O

Deleting Security Groups and Group Members

You delete a member from a security group in the same way that you remove users from access control lists fo
7 Securing Terminals

This section explains how to add a terminal definition to the Safeguard database so that the Safeguard software controls that terminal.
Table 7-2. TERMINAL Command Summary

    Command             Description
    ADD TERMINAL        Adds a terminal definition record with the specified terminal attribute values.
    ALTER TERMINAL      Changes one or more attribute values in a terminal definition record.
    DELETE TERMINAL     Deletes a terminal definition record.
    FREEZE TERMINAL     Disables a terminal from accepting the LOGON command.
    INFO TERMINAL       Displays the existing attribute values in a terminal definition record.
change the configuration record, the command interpreter defined in that record is $SYSTEM.SYSTEM.TACL. The Safeguard software can honor the command interpreter specification only at a terminal that it controls. If the Safeguard software does not control the logon dialog at a terminal, all command interpreter specifications are ignored at that terminal.
the priority at which the command interpreter is to execute. For more information about these parameters, see the Safeguard Reference Manual. For example, this command adds terminal $TFOX.#T015 and causes TACL to be started after user authentication at the terminal:

    =ADD TERMINAL $tfox.#t015, PROG $system.system.tacl

Use the INFO TERMINAL command to verify the results:

    =INFO TERMINAL $tfox.
The display shows:

    TERMINAL $TFOX.#T015        STATUS THAWED
    PROG       = $SYSTEM.SYSTEM.TACL
    LIB        = * NONE *
    PNAME      = * NONE *
    SWAP       = $DATA2
    CPU        = 4
    PRI        = 150
    PARAM-TEXT = 5

Freezing and Thawing a Terminal

When you freeze a Safeguard terminal, all logon attempts at that terminal are disallowed. For example, this command freezes the terminal $TFOX.#T014:

    FREEZE TERM $tfox.#t014

To reenable users to log on at the terminal:

    THAW TERM $tfox.
8 Warning Mode

Warning mode is a special state that allows you to test the reliability and effectiveness of Safeguard protection on your system. In warning mode, the Safeguard software allows access to objects that have a protection record even if the protection record does not grant access. The Safeguard software audits any access attempt that would normally have been denied. Objects that are not protected by the Safeguard software are unaffected in warning mode.
Considerations for Disk Files and Processes

Because disk files and processes have Guardian security associated with them, special circumstances can apply in warning mode when Safeguard protection is bypassed. For these two types of objects, you can specify that warning mode be run with a fallback option. The fallback option is controlled by a Safeguard global configuration attribute that can be set to either GUARDIAN or GRANT.
Table 8-2. Warning Mode Rulings on Disk-File ACLs

    Safeguard ACL    Guardian        Access     Audit Record    Outcome in
    Ruling           Security        Result     Generated       Audit Record

    Standard Mode
    Grants           N.A.            Yes        As specified    Granted
    Denies           N.A.            No         As specified    Denied
    No record        Use Guardian    Yes/No~    No              N.A.

    Warning Mode Fallback Guardian
    Grants           N.A.            Yes        As specified    Granted
    Denies           Grants          Yes*       Always          Warning*
    Denies           Denies          No*        As specified    Denied
    No record        Use Guardian    Yes/No~    No              N.A.
For more information about Guardian stop modes, see the SETSTOP procedure in the Guardian Procedure Calls Reference Manual.

Table 8-3.
To verify the results of the commands:

    =INFO SAFEGUARD

The display shows:

    AUTHENTICATE-MAXIMUM-ATTEMPTS = 3
    AUTHENTICATE-FAIL-TIMEOUT = 60 SECONDS
    AUTHENTICATE-FAIL-FREEZE = OFF
    PASSWORD-REQUIRED = OFF
    PASSWORD-ENCRYPT = ON
    PASSWORD-HISTORY = 0
    PASSWORD-MINIMUM-LENGTH = 0
    PASSWORD-MAY-CHANGE = 3 DAYS BEFORE-EXPIRATION
    PASSWORD-EXPIRY-GRACE = 0 DAYS-AFTER-EXPIRATION
    SYSTEM-WARNING-MODE = ON
    OBJECT-WARNING-MODE = OFF
    WARNING-FALLBACK-SECURITY = GRANT
    DIRECTION-DEVICE C
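A configuration check over this kind of display, as an added example that is not part of the manual or of the Safeguard product: it parses saved INFO SAFEGUARD output and reports the settings this manual associates with relaxed enforcement (warning mode, the GRANT fallback, and a PASSWORD-HISTORY of 0 or 1). The function names and the sample display are constructed for illustration, and the reading of OBJECT-WARNING-MODE as a per-object switch is an assumption.

```python
import re

# Constructed sample modelled on the INFO SAFEGUARD display in this section.
# Two attributes can share a line, as in a two-column terminal display.
SAMPLE_DISPLAY = """\
AUTHENTICATE-MAXIMUM-ATTEMPTS = 3
AUTHENTICATE-FAIL-TIMEOUT = 60 SECONDS
AUTHENTICATE-FAIL-FREEZE = OFF
PASSWORD-REQUIRED = OFF          PASSWORD-HISTORY = 0
PASSWORD-ENCRYPT = ON            PASSWORD-MINIMUM-LENGTH = 0
SYSTEM-WARNING-MODE = ON         OBJECT-WARNING-MODE = OFF
WARNING-FALLBACK-SECURITY = GRANT
"""

# An attribute name is an upper-case hyphenated token directly followed by "=".
# Value words such as SECONDS or BEFORE-EXPIRATION are not followed by "=",
# so they are never mistaken for attribute names.
_KEY = re.compile(r"(?<![A-Z0-9-])([A-Z][A-Z0-9-]*[A-Z0-9])\s*=")


def parse_info_safeguard(text):
    """Return {attribute: value} for every 'NAME = VALUE' pair in the text.

    A value runs from its '=' to the next 'NAME =' on the same line (or to
    the end of the line), so multi-word values and shared lines both work.
    """
    attrs = {}
    for line in text.splitlines():
        keys = list(_KEY.finditer(line))
        for i, match in enumerate(keys):
            end = keys[i + 1].start() if i + 1 < len(keys) else len(line)
            attrs[match.group(1)] = " ".join(line[match.end():end].split())
    return attrs


def review(attrs):
    """Return (attribute, reason) findings for settings that relax enforcement."""
    findings = []
    system_warning = attrs.get("SYSTEM-WARNING-MODE") == "ON"
    # Assumption: OBJECT-WARNING-MODE ON permits warning mode per object.
    object_warning = attrs.get("OBJECT-WARNING-MODE") == "ON"

    if system_warning:
        findings.append((
            "SYSTEM-WARNING-MODE",
            "access that a protection record denies is allowed and only audited",
        ))
    if object_warning:
        findings.append((
            "OBJECT-WARNING-MODE",
            "warning mode can be active for individual objects (assumed meaning)",
        ))
    if (system_warning or object_warning) and \
            attrs.get("WARNING-FALLBACK-SECURITY") == "GRANT":
        findings.append((
            "WARNING-FALLBACK-SECURITY",
            "fallback for disk files and processes is GRANT, not GUARDIAN",
        ))

    history = attrs.get("PASSWORD-HISTORY", "")
    if history.isdigit() and int(history) <= 1:
        findings.append((
            "PASSWORD-HISTORY",
            "values of 0 and 1 allow a user to reuse any password",
        ))
    return findings


if __name__ == "__main__":
    for name, reason in review(parse_info_safeguard(SAMPLE_DISPLAY)):
        print(f"{name}: {reason}")
```

Run it against a display captured after a warning-mode test window to confirm that SYSTEM-WARNING-MODE was switched back to OFF.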
9 Configuration

This section describes the restricted command ALTER SAFEGUARD. It is intended for trusted users who are members of the SECURITY-ADMINISTRATOR security group. If you have not defined a SECURITY-ADMINISTRATOR group, any super-group user can alter the Safeguard configuration or stop the Safeguard software. (For information about defining security groups, see Section 6, Managing Security Groups.
At any time, you can display the current settings of the attributes by issuing the INFO SAFEGUARD command from SAFECOM.

Table 9-1.
AUTHENTICATE-FAIL-TIMEOUT
    The specified timeout for a user ID if AUTHENTICATE-MAXIMUM-ATTEMPTS is exceeded. The default is 60 seconds. The command interpreter process at the terminal remains locked for the duration of the timeout period.

Caution. Because the command interpreter process at the terminal remains locked for the duration of the AUTHENTICATE-FAIL-TIMEOUT period, avoid specifying an unreasonably long period.
PASSWORD-HISTORY
    Records a specified number of previously used passwords for each user and does not allow a user to change his or her password to any password in this history. You can specify a history of 0 to 60 passwords. (If you specify a history of more than 20 passwords, you must convert the USERID files as described in Section 10, Installation and Management.) Values of 0 and 1 allow the user to reuse any password, even if used recently.
PASSWORD-LOWERCASE-REQUIRED {ON / OFF}
    Specifies whether a user's password must contain at least one lowercase character. The initial value is OFF.

PASSWORD-NUMERIC-REQUIRED {ON / OFF}
    Specifies whether a user's password must contain at least one numeric character. The initial value is OFF.

PASSWORD-SPECIALCHAR-REQUIRED {ON / OFF}
    Specifies whether a user's password must contain at least one special character.
To change any of these values, issue the ALTER SAFEGUARD command from SAFECOM. For example, to maintain a history of the last 10 passwords for each user (and not allow reuse of these passwords):

    =ALTER SAFEGUARD, PASSWORD-HISTORY 10

To grant users a 15-day grace period during which they can change their expired passwords during logon:

    =ALTER SAFEGUARD, PASSWORD-EXPIRY-GRACE 15 DAYS

You can change more than one attribute with a single command.
before July 17, the user should ask the owner of the user authentication record to change the password.

Configuring Device Control

If access control lists exist for both devices and subdevices, the Safeguard software must know which one to use. You can set the attributes that control how this is determined. These Safeguard attributes relate to device access control lists:

CHECK-DEVICE
    Access control lists are checked at the device level. The initial value is ON.
To change any of these values, issue the ALTER SAFEGUARD command from SAFECOM.
ACL-REQUIRED-PROCESS
    If no access control list is found, access is denied. If this attribute is OFF, and no access control list is found, Guardian rules apply. The initial value is OFF.

Note. COMBINATION-PROCESS resolves conflicts between access control lists if CHECK-PROCESS and CHECK-SUBPROCESS are both ON. The Safeguard software searches for an access control list in the order determined by DIRECTION-PROCESS.
DIRECTION-DISKFILE
    Determines which direction to search for access control lists if more than one of the preceding attributes is ON. The value can be either VOLUME-FIRST or FILENAME-FIRST. This attribute is used in conjunction with COMBINATION-DISKFILE. (For more information, see the following note.) The initial value is VOLUME-FIRST.

COMBINATION-DISKFILE
    Determines how conflicts are resolved among volume, subvolume, and disk file access control lists.
LAST specifies that pattern searching will occur after the normal search if and only if the normal search result is NORECORD.

ONLY specifies that only pattern searching will occur. That is, normal non-pattern searching will not be performed even if the pattern search returns NORECORD.

Caution. Any user can add a diskfile-pattern to the database and thereby is able to control file access across an entire volume.
• All system objects (devices, processes, and disk files) and their authorization records

Auditing specified by configuration supplements the settings in the individual authorization records (if the Safeguard software is configured to check the individual record).
To change any of these values, issue the ALTER SAFEGUARD command from SAFECOM. For example, to audit successful and unsuccessful local logon attempts:

    =ALTER SAFEGUARD, AUDIT-AUTHENTICATE LOCAL

Note the use of audit specification shorthand in this command. For more information, see the Safeguard Audit Service Manual.
Configuring Process Auditing

You can configure systemwide auditing of all process names in addition to the audit settings in the individual process authorization records. Processes can be audited at the local level, at the remote level, or at both levels (ALL). These Safeguard attributes relate to auditing processes:

AUDIT-PROCESS-ACCESS-PASS
    Successful attempts to access all processes or subprocesses on the system are audited.
AUDIT-DISKFILE-ACCESS-PASS
    Successful attempts to access a volume, subvolume, or disk file are audited. This setting supplements the audit settings for these individual objects. The conditions can be ALL, NONE, LOCAL, or REMOTE. The default is NONE.

AUDIT-DISKFILE-ACCESS-FAIL
    Unsuccessful attempts to access a volume, subvolume, or disk file are audited. This setting supplements the audit settings for these individual objects.
AUDIT-OBJECT-MANAGE-PASS
    Successful attempts to create or manage authorization records for any system object are audited. This setting supplements the audit settings for the individual objects. The conditions can be ALL, NONE, LOCAL, or REMOTE. The default is NONE.

AUDIT-OBJECT-MANAGE-FAIL
    Unsuccessful attempts to create or manage authorization records for any system object are audited. This setting supplements the audit settings for the individual objects.
Configuring a Default Command Interpreter

When the Safeguard software controls a terminal, it automatically starts a particular command interpreter (process) at that terminal each time a user logs on successfully at the terminal. This command interpreter can also be specified in a user authentication record and in a terminal definition record.
Configuring Communication With $CMON

You can set attributes in the configuration record to specify the manner in which the Safeguard software communicates with $CMON during processing at a Safeguard terminal. These attributes relate to $CMON:

CMON
    ON specifies that the Safeguard software is to communicate with the $CMON process during the following events: logon, illegal logon attempts, logoff, and newprocess of the command interpreter.
Use the ALTER SAFEGUARD command as necessary to change these configuration attributes. For example, use this command to allow the use of either user names or user IDs during logon:

    =ALTER SAFEGUARD, NAMELOGON OFF

Configuring Exclusive Access at Safeguard Terminals

You can set the TERMINAL-EXCLUSIVE-ACCESS attribute so that a user who is logged on at a Safeguard terminal has exclusive access to the terminal.
Configuring Persistence

Use the ADD command to configure persistence, which allows you to create protection records for disk files. The NORMAL value of this attribute is designed to preserve backward compatibility. The ALWAYS value provides access to the persistence feature.

Note. PROGID and LICENSE are reset for a disk file with a persistent protection record when the file is created.
10 Installation and Management

This section is intended for the security administrator or trusted user who is responsible for installing, supervising, and maintaining the Safeguard subsystem. This section includes an overview of the Safeguard software components, procedures for installing the Safeguard subsystem, and guidelines for securing the Safeguard software.

Safeguard Components

Before you install the Safeguard software, you should have a basic understanding of its software components.
Security Database Management

The SMP makes all changes to the subject and object databases on the local system. You make changes to the databases with SAFECOM commands. SAFECOM interprets the commands and communicates with the SMP to change the database. When a SAFECOM user requests information about a user or a protected object, SAFECOM requests the information from the SMP.
Process Considerations for the SMP and SAFECOM

The system uses a process identification number (PIN) to identify a process. When the system creates a new process, it assigns a PIN to the process. Processes on a system running D-series or G-series RVUs can have either a high or a low PIN, as follows:

• A low PIN ranges from 0 through 254.
• A high PIN ranges from 256 through the maximum number supported by the processor.
Safeguard Subsystem Management Commands

The Safeguard subsystem management commands are entered through SAFECOM. Table 10-1 on page 10-4 describes them briefly. The syntax of these commands is described in detail in the Safeguard Reference Manual. The procedures you use to install and monitor the Safeguard software are described later in this section.

Table 10-1.
Installing the Safeguard Software

The method you use to install the Safeguard software is based on the software RVU you are running and the manner in which you want the Safeguard software to be started and stopped.
    SAVEABEND OFF, &
    STARTMODE KERNEL or SYSTEM, &
    STARTUPMSG "", &
    STOPMODE STANDARD, &
    TYPE OTHER, &
    USERID SUPER.SUPER

Regarding the attribute values shown in the example:

• The values for NAME, PRIORITY, SAVEABEND, PROGRAM, STARTUPMSG, STOPMODE, TYPE, and USERID must be entered as shown.
Safeguard software or a CIIN file. If necessary, you can use this backup SYSnn subvolume to recover from an inadvertent security lockout without performing a tape load.

If the Safeguard software is included in the OSIMAGE file, take these precautions to prevent auditing from being suspended during a system load:

1. Before shutting down the system, ensure that the current audit pool resides on a disk that is connected to the same processor as the $SYSTEM disk.
In this example, the backup SMP process is created in CPU 4. If you do not specify a backup processor, no backup process is created.

Once the SMP is running, it automatically creates these files:

$SYSTEM.SAFE.GUARD
    Contains object authorization records for all disk objects (volumes, subvolumes, and disk files) on $SYSTEM.

$SYSTEM.SAFE.
    .
    $ZSnn - SMON running in CPU nn

The SMP starts all the SMON processes with a priority of 199.

Converting to the Safeguard Subsystem

When the Safeguard software is installed on a system with an existing user community, it takes over the existing USERID file. The next time each user logs on, his or her record is expanded to contain security attributes, defined as:

• OWNER is set to the user ID of the user's group manager.
with previous product versions of the Safeguard software. Read this section carefully before attempting to update your system from a previous Safeguard RVU.

Updating a Previous RVU With the Safeguard Software Running

If the Safeguard software must always be running, the following steps are suggested to update your system from a previous RVU:

1.
Guidelines for Securing the Safeguard Subsystem

After you install the Safeguard subsystem, take steps to ensure the security of its components. To do so:

1. Secure the SAFECOM program object file as necessary. If you create an access control list for SAFECOM, you can restrict the use of the command interpreter to certain users.
For all these objects, list the users who should be able to read, write, or create process names, devices, volumes, subvolumes, and disk files. For more information on securing objects, see the Security Management Guide.

Note. Do not secure the process name $ZSMP or the subprocess name $ZSMP.#ZSPI. Also, you cannot secure the process name $0 with the Safeguard software.

You need not establish an access control list for Safeguard SPI commands.
Safeguard Console Messages

The Safeguard subsystem reports both status messages and internal error messages on the system console. Event messages report on events such as starting and stopping the Safeguard software, changing the Safeguard configuration, and opening a new audit file. For a description of the Safeguard console messages, see the Operator Messages Manual.
A SAFECOM Command Syntax

This appendix summarizes the syntax of all the SAFECOM commands. The commands are listed in alphabetic order. SAFECOM reserved words can be abbreviated. Typically, a reserved word can be abbreviated to its first three characters unless a longer abbreviation is necessary to distinguish between similar reserved words. The syntax notation conventions used here and throughout this manual are listed in Notation Conventions on page xii.
node-spec can take any of these forms:

    * | node-name | node-number

node-name specifies the system name.

node-number specifies the Expand node number.

sec-group-list has the form:

    { sec-group-spec }
    { ( sec-group-spec [ , sec-group-spec ] ... ) }

sec-group-spec can be any of:

    SECURITY-ADMINISTRATOR
    SYSTEM-OPERATOR
    SECURITY-OSS-ADMINISTRATOR

Note. The SECURITY-OSS-ADMINISTRATOR security group is supported only on systems running G06.
For subprocesses, can be either a fully or a partially qualified subprocess name. For OBJECTTYPE, there is no object-spec. object-spec can contain * and ? wild-card characters except in ADD commands for devices, subdevices, processes, and subprocesses.

object-name is the name of an existing protected object of the same type as the object-type of the command; used in the LIKE clause.

terminal-name is a fully or partially qualified device or subdevice name.
file-spec is one of:

    EXTENTSIZE (primary-ext [ , secondary-ext ] )
    MAXEXTENTS n
    MAXFILES n

ADD EVENT-EXIT-PROCESS name [ [ , ] exit-attribute ] [ , exit-attribute ] ...

exit-attribute specifies the name of the event-exit-process attribute to be set.
    PNAME process-name
    SWAP swap-vol
    PRI priority
    PARAM-TEXT startup-param-text

ADD USER group-name.user-name , group-num , user-num [ , ] [ LIKE user | user-attribute ] [ , user-attribute ] ...

ALTER object-type object-list [ , ] { LIKE object-name | object-attribute } [ , object-attribute ] ...

ALTER ALIAS { alias | ( alias [ , alias ] ... ) } [ , ] { LIKE user | user-attribute } [ , user-attribute ] ... [ [,] WHERE expression ]

ALTER AUDIT POOL [ $vol.
ALTER SECURITY-GROUP sec-group-list [ , ] { LIKE sec-group-spec | sec-group-attribute } [ , sec-group-attribute ] ...

ALTER TERMINAL terminal-name [ , ] { LIKE terminal-name | term-param } [ , term-param ] ...

ALTER USER { user-spec | ( user-spec [ , user-spec ] ... ) } [ , ] { LIKE user-id | user-attribute } [ , user-attribute ] ...
command is one of these DISPLAY commands:

    [ AS ] COMMANDS [ ON | OFF ]
    DETAIL [ ON | OFF ]
    HEADERS [ ON | OFF | ONCE ]
    PROMPT [ prompt-item ] [ ( prompt-item [ , prompt-item ] ) ... ]
    USER [ AS ] { NAME | NUMBER }
    WARNINGS [ ON | OFF ]

prompt-item can be:

    "string"
    ASSUME OBJECTTYPE
    COMMAND NUMBER
    CPU
    DATE
    END
    PROCESS NAME
    PROCESS NUMBER
    SUBVOLUME
    SYSTEM NAME
    SYSTEM NUMBER
    TIME
    USER NAME
    USER NUMBER
    VOLUME

ENV [ / OUT listfile / ] [ env-parm [ , env-parm ] ...
WHERE option-list applies to disk files and diskfile-patterns only.

FREEZE ALIAS { alias | ( alias [ , alias ] ... ) } [ [,] WHERE expression ]

FREEZE SECURITY-GROUP sec-group-list

FREEZE TERMINAL terminal-name

FREEZE USER { user-spec | ( user-spec [ , user-spec ] ...
    CI
    OSS
    REMOTEPASSWORD
    DEFAULT-PROTECTION
    GROUP
    OWNER-LIST
    TEXT-DESCRIPTION
    WHERE expression

AUDIT POOL [ audit-trail ]

INFO AUDIT SERVICE

INFO EVENT-EXIT-PROCESS name

INFO GROUP { [ NAME ] name-list | NUMBER num-list } [ , DETAIL ]

INFO SAFEGUARD [ [ , ] option ] [ , option ] ...
    OWNER-LIST
    TEXT-DESCRIPTION
    ALIAS
    WHERE expression

LOG [ logfile ]

NEXTFILE

O[BEY] [ / OUT listfile / ] command-file

OUT [ listfile ]

RELEASE afile [ , afile ] ... [ IN $vol.subvol ]

afile is one of:

    audit-file
    audit-file : audit-file

RESET object-type [ [ , ] object-attribute-keyword ] [ , object-attribute-keyword ] ...

RESET ALIAS [ [ , ] user-attribute-keyword ] [ , user-attribute-keyword ] ...
run-option is any of these run options, which are described in the TACL Reference Manual:

    CPU cpu-number
    INSPECT { OFF | ON | SAVEABEND }
    IN [ file-name ]
    LIB [ file-name ]
    MEM num-pages
    NAME [ $process-name ]
    NOWAIT
    OUT [ list-file ]
    PRI priority
    TERM [\system-name.]$terminal-name

param-set is a program parameter or series of parameters sent to the new process in the startup message.
authority is one of:

    for disk files:
        R[EAD], W[RITE], E[XECUTE], P[URGE], C[REATE], O[WNER]
    for diskfile-patterns:
        R[EAD], W[RITE], E[XECUTE], P[URGE], C[REATE], O[WNER]
    for volumes and subvolumes:
        R[EAD], W[RITE], E[XECUTE], P[URGE], C[REATE], O[WNER]
    for processes:
        R[EAD], W[RITE], C[REATE], P[URGE], O[WNER]
    for subprocesses:
        R[EAD], W[RITE], O[WNER]
    for devices and subdevices:
        R[EAD], W[RITE], O[WNER]

audit-spec is one of:

    ALL
    LOCAL
    REMOTE
    NONE
authority-list is one of:

    { authority }
    { ( authority [ , authority ] ... ) }
    { * }

authority is one of:

    E[XECUTE]
    O[WNER]

audit-spec is one of:

    ALL
    LOCAL
    REMOTE
    NONE

SET USER [ , ] { LIKE user-id | user-attribute } [ , user-attribute ] ...
time is hh:mm (24-hour clock).

audit-spec is one of:

    ALL
    LOCAL
    REMOTE
    NONE

SHOW [ / OUT listfile / ] object-type

SHOW [ / OUT listfile / ] ALIAS

SHOW [ / OUT listfile / ] SECURITY-GROUP

SHOW [ / OUT listfile / ] USER

STOP [ SAFEGUARD ]

SYNTAX [ ONLY ] { ON | OFF }

SYSTEM [ \system-name ]

THAW object-type object-list [ [ , ] WHERE option-list ]

WHERE option-list applies to disk files and diskfile-patterns only.

THAW ALIAS { alias | ( alias [ , alias ] ...
    ? [ string   ]
      [ "string" ]
      [ linenum  ]
      [ -linenum ]

    ! [ string   ]
      [ "string" ]
      [ linenum  ]
      [ -linenum ]

Note. The OWNER-LIST attribute is supported only on systems running G06.27 and later G-series RVUs and H06.07 and later H-series RVUs.

Note. The TEXT-DESCRIPTION attribute is supported only on systems running G06.27 and later G-series RVUs and H06.06 and later H-series RVUs.