Safeguard Administrator's Manual (G06.24+, H06.03+)
Table Of Contents
- What’s New in This Manual
- About This Manual
- 1 Introduction
- 2 Controlling User Access
- Introduction
- Using SAFECOM to Establish a Local User Community
- Using SAFECOM to Manage User Access to Your System
- Changing the Owner of a User Authentication Record
- Granting a User Temporary Access to Your System
- Requiring Users to Change Their Passwords
- Granting a Grace Period for Changing an Expired Password
- Forcing Immediate Expiration of a User’s Password
- Freezing a User's Ability to Access the System
- Specifying Auditing for a User ID
- Deleting Users
- Deleting Administrative Groups
- Using SAFECOM to Establish a Network of Users
- Using Safeguard With Nodes With Standard Security
- Identifying Network Users
- Granting a Network User Access to Objects on Your System
- Establishing a Community of Network Users
- Changes to the PAID During a User’s Session
- Additional Considerations for Aliases and Groups
- Additional Considerations for ACCESS with Network Specific Subject IDs
- Establishing Default Protection for a User's Disk Files
- Specifying a Default Command Interpreter for a User
- Establishing Guardian Defaults
- Assigning an Alias to a User
- 3 Managing User Groups
- 4 Securing Volumes and Devices
- 5 OBJECTTYPE Control
- 6 Managing Security Groups
- 7 Securing Terminals
- 8 Warning Mode
- 9 Configuration
- Safeguard Attributes
- Configuring User Authentication
- Configuring Password Control
- Configuring Device Control
- Configuring Process Control
- Configuring Disk-File Control
- Configuring Safeguard Auditing
- Configuring a Default Command Interpreter
- Configuring Communication With $CMON
- Configuring Logon Dialog
- Configuring Exclusive Access at Safeguard Terminals
- Configuring Warning Mode
- Configuring Persistence
- Configuring Attributes for Node Specific Subjects in ACLs
- 10 Installation and Management
- Safeguard Components
- Process Considerations for the SMP and SAFECOM
- Safeguard Subsystem Management Commands
- General Installation Procedure
- Installing the Safeguard Software
- Starting the SMP
- Converting to the Safeguard Subsystem
- Updating the Safeguard Software
- Guidelines for Securing the Safeguard Subsystem
- Monitoring the Safeguard Subsystem
- A SAFECOM Command Syntax
- Index
Warning Mode
Safeguard Administrator’s Manual—523317-013
8-4
Using Warning Mode
For more information about Guardian stop modes, see the SETSTOP procedure in the
Guardian Procedure Calls Reference Manual.
Using Warning Mode
Warning mode puts your system into a special state in which Safeguard security is
bypassed. To invoke warning mode, use the ALTER SAFEGUARD command to set the
SYSTEM-WARNING-MODE global configuration attribute to ON:
=ALTER SAFEGUARD, SYSTEM-WARNING-MODE ON
If you want to run warning mode with the Guardian fallback option disabled, you must
also set the WARNING-FALLBACK-SECURITY attribute to GRANT:
=ALTER SAFEGUARD, WARNING-FALLBACK-SECURITY GRANT
Table 8-3. Warning Mode Rulings on Process ACLs
Process Stop /
Safeguard ACL Ruling
Guardian
Security
Access
Result
Audit Record
Generated
Outcome in
Audit Record
Standard Mode
Grants
Denies
No record
Mode 0, 1
Mode 2
Mode 0, 1
Mode 2
Use Guardian
Yes
No**
No%
No**%
Yes/No
As specified
As specified
As specified
As specified
No
Granted
Granted
Denied%
Denied%
N.A.
Warning Mode Fallback
Guardian
Grants
Denies
No record
Mode 0,1
Mode 2
Mode 0,1
Mode 2
Use Guardian
Yes
No**
Yes*#%
No**%
Yes/No
As specified
As specified
Always*
Always*
No
Granted
Granted
Warning*%
Warning*%
N.A.
Warning Mode Fallback
Grant
Grants
Denies
No record
Mode 0, 1
Mode 2
Mode 0, 1
Mode 2
Use Guardian
Yes
No**
Yes*%
No**%
Yes/No
As specified
As specified
Always*
Always*
No
Granted
Granted
Warning*%
Warning*%
N.A.
* Indicates that access result is due to warning mode evaluation of the access control list.
** Attempts to stop a process at stop mode 2 proceed without a security violation message, but does not
succeed in stopping the process until the process sets itself to a lower stop mode. These requests are
pending and are audited as GRANTED or WARNING.
# Guardian rules are enforced for processes at stop mode 1. For more information, see the
Guardian
Procedure Calls Reference Manual
.
% Indicates if the requester is the one who started the process, the outcome will be GRANTED.