Safeguard Administrator's Manual (G06.24+, H06.03+)

Safeguard Administrator’s Manual—523317-013
9 Configuration
This section describes the restricted command ALTER SAFEGUARD. It is intended for
trusted users who are members of the SECURITY-ADMINISTRATOR security group. If
you have not defined a SECURITY-ADMINISTRATOR group, any super-group user
can alter the Safeguard configuration or stop the Safeguard software. (For information
about defining security groups, see Section 6, Managing Security Groups.)
Safeguard Attributes
Many of the Safeguard control features are determined by attributes in the
configuration file. One of these attributes, for example, controls the minimum password
length allowed by the Safeguard software.
You can configure the following aspects of the Safeguard software:
• User authentication attempts (such as the number of failed logon attempts before a
  timeout occurs)
• Password control (such as requiring a minimum password length and granting a
  grace period during which a user can change an expired password)
• Priority of access control lists between devices and subdevices
• Priority of access control lists between processes and subprocesses
• Priority of access control lists among volumes, subvolumes, disk files, and
  diskfile-patterns
• Auditing (such as setting systemwide auditing in addition to the auditing specified
  in the individual authorization records)
• The logon dialog (such as prohibiting the use of user IDs for logon)
• The command interpreter to be started after a user logs on at a Safeguard terminal
• Exclusive access for the user logged on at a Safeguard terminal
• Client subsystem auditing
• System-level warning mode
You can configure the Safeguard software to suit your own security policy. However,
any changes you make are systemwide and might affect system performance and
security. For example, configuring the software to audit all system objects might cause
severe performance delays. In general, change only attributes that must be changed to
implement your security policy.
Table 9-1 on page 9-2 lists the initial values for the configurable Safeguard attributes.
In most cases, these initial values are also the default values. The next subsections
explain these attributes in detail.