Safeguard Administrator's Manual (G06.24+, H06.03+)

Configuration
Safeguard Administrator’s Manual—523317-013
LAST
specifies that pattern searching will occur after the normal search if and only if the normal search result is NORECORD.
ONLY
specifies that only pattern searching will occur. That is, normal non-pattern searching will not be performed even if the pattern search returns NORECORD.
To change any of these values, issue the ALTER SAFEGUARD command from
SAFECOM. For example, to check access control lists at the volume, subvolume, and
disk file levels, issue this command:
=ALTER SAFEGUARD, CHECK-DISKFILE ON, CHECK-VOLUME ON, &
=CHECK-SUBVOLUME ON
This command specifies that the Safeguard software is to use the first access control
list it finds, searching in the following order: disk file, subvolume, volume.
=ALTER SAFEGUARD, COMBINATION-DISKFILE FIRST-ACL, &
=DIRECTION-DISKFILE DISKFILE-FIRST
Configuring Safeguard Auditing
Normally, the Safeguard software audits only items that have auditing specified in their
protection records. However, you can configure systemwide auditing so that auditing is
performed even if it is not specified in individual protection records. You can configure
the Safeguard software to audit:
• All attempts relating to user authentication
• All devices and their authorization records
• All processes and their authorization records
• All disk files and their authorization records
Caution. Any user can add a diskfile-pattern to the database and thereby is able to control file
access across an entire volume. If the CHECK-DISKFILE-PATTERN FIRST/LAST/ONLY
configuration is needed, use the ADD OBJECTTYPE DISKFILE-PATTERN command to specify
who can control diskfile-patterns. For more information, see Section 5, OBJECTTYPE Control.
Caution. If you set CHECK-SUBVOLUME ON and set DIRECTION-DISKFILE to
VOLUME-FIRST, any user can gain access to someone else's files. All files that are in
subvolumes that have not been added to the Safeguard database are vulnerable. This situation
occurs because any user can add the subvolume to the database and thereby own it. If this
configuration is needed, use the ADD OBJECTTYPE or ALTER OBJECTTYPE command to
specify who can control subvolumes. For more information, see Section 5, OBJECTTYPE
Control.
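The search-order settings and the two Cautions above can be expressed as a configuration review. The following Python is an added example, not code from the manual or from the Safeguard product: it is a simplified model of the described behavior, and the dictionary layout, the function names and the `$DATA` file names are constructed for illustration.

```python
# Added example: simplified model of the settings above, not Safeguard's own logic.
LEVELS = ("VOLUME", "SUBVOLUME", "DISKFILE")

def search_order(cfg):
    """Levels consulted, in order, given CHECK-* and DIRECTION-DISKFILE."""
    order = LEVELS if cfg["DIRECTION-DISKFILE"] == "VOLUME-FIRST" else LEVELS[::-1]
    return [lvl for lvl in order if cfg.get("CHECK-" + lvl) == "ON"]

def first_acl(cfg, records, volume, subvol, name):
    """COMBINATION-DISKFILE FIRST-ACL: first protection record found wins."""
    names = {"VOLUME": volume, "SUBVOLUME": f"{volume}.{subvol}",
             "DISKFILE": f"{volume}.{subvol}.{name}"}
    for lvl in search_order(cfg):
        if names[lvl] in records.get(lvl, set()):
            return lvl, names[lvl]
    return None  # no record at any checked level

def review(cfg, objecttypes, records, files):
    """Report the two conditions the Cautions warn about."""
    findings = []
    if (cfg.get("CHECK-DISKFILE-PATTERN") in ("FIRST", "LAST", "ONLY")
            and "DISKFILE-PATTERN" not in objecttypes):
        findings.append("DISKFILE-PATTERN: no OBJECTTYPE record")
    if (cfg.get("CHECK-SUBVOLUME") == "ON"
            and cfg["DIRECTION-DISKFILE"] == "VOLUME-FIRST"
            and "SUBVOLUME" not in objecttypes):
        open_subvols = sorted({f"{v}.{s}" for v, s, _ in files}
                              - records.get("SUBVOLUME", set()))
        findings.append("SUBVOLUME: no OBJECTTYPE record; not in database: "
                        + ", ".join(open_subvols))
    return findings

# Constructed sample data (hypothetical names, not from the manual).
CFG = {"CHECK-VOLUME": "ON", "CHECK-SUBVOLUME": "ON", "CHECK-DISKFILE": "ON",
       "DIRECTION-DISKFILE": "VOLUME-FIRST"}
RECORDS = {"SUBVOLUME": {"$DATA.PAYROLL"}, "DISKFILE": {"$DATA.HR.STAFF"}}
FILES = [("$DATA", "PAYROLL", "MASTER"), ("$DATA", "HR", "STAFF"),
         ("$DATA", "TEMP", "SCRATCH")]

if __name__ == "__main__":
    print(search_order(CFG))
    print(first_acl(CFG, RECORDS, "$DATA", "HR", "STAFF"))
    for finding in review(CFG, set(), RECORDS, FILES):
        print(finding)
```

With the sample data, the review lists `$DATA.HR` and `$DATA.TEMP` as subvolumes without protection records, and passing `{"SUBVOLUME"}` as `objecttypes` (an OBJECTTYPE record exists) clears the finding.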