Safeguard Administrator's Manual (G06.24+, H06.03+)
Table Of Contents
- What’s New in This Manual
- About This Manual
- 1 Introduction
- 2 Controlling User Access
- Introduction
- Using SAFECOM to Establish a Local User Community
- Using SAFECOM to Manage User Access to Your System
- Changing the Owner of a User Authentication Record
- Granting a User Temporary Access to Your System
- Requiring Users to Change Their Passwords
- Granting a Grace Period for Changing an Expired Password
- Forcing Immediate Expiration of a User’s Password
- Freezing a User's Ability to Access the System
- Specifying Auditing for a User ID
- Deleting Users
- Deleting Administrative Groups
- Using SAFECOM to Establish a Network of Users
- Using Safeguard With Nodes With Standard Security
- Identifying Network Users
- Granting a Network User Access to Objects on Your System
- Establishing a Community of Network Users
- Changes to the PAID During a User’s Session
- Additional Considerations for Aliases and Groups
- Additional Considerations for ACCESS with Network Specific Subject IDs
- Establishing Default Protection for a User's Disk Files
- Specifying a Default Command Interpreter for a User
- Establishing Guardian Defaults
- Assigning an Alias to a User
- 3 Managing User Groups
- 4 Securing Volumes and Devices
- 5 OBJECTTYPE Control
- 6 Managing Security Groups
- 7 Securing Terminals
- 8 Warning Mode
- 9 Configuration
- Safeguard Attributes
- Configuring User Authentication
- Configuring Password Control
- Configuring Device Control
- Configuring Process Control
- Configuring Disk-File Control
- Configuring Safeguard Auditing
- Configuring a Default Command Interpreter
- Configuring Communication With $CMON
- Configuring Logon Dialog
- Configuring Exclusive Access at Safeguard Terminals
- Configuring Warning Mode
- Configuring Persistence
- Configuring Attributes for Node Specific Subjects in ACLs
- 10 Installation and Management
- Safeguard Components
- Process Considerations for the SMP and SAFECOM
- Safeguard Subsystem Management Commands
- General Installation Procedure
- Installing the Safeguard Software
- Starting the SMP
- Converting to the Safeguard Subsystem
- Updating the Safeguard Software
- Guidelines for Securing the Safeguard Subsystem
- Monitoring the Safeguard Subsystem
- A SAFECOM Command Syntax
- Index
Installation and Management
Safeguard Administrator’s Manual—523317-013
10-5
Installing the Safeguard Software
Installing the Safeguard Software
The method you use to install the Safeguard software is based on the software RVU
you are running and manner in which you want the Safeguard software to be started
and stopped.
•
If you want the Safeguard software to run continuously from the time the system is
loaded until the time it is stopped:
•
For G-series RVUs, you must use the SCF ADD command to add the
Safeguard software to the Kernel subsystem and system configuration
database as a persistent process.
•
For D-series RVUs, you must configure the Safeguard software in your
CONFTEXT file and run SYSGEN to include it in the OSIMAGE file.
•
If you want to start the Safeguard software sometime after the system is loaded
and then stop it without stopping the system, use DSM/SCM to install the software
according to standard installation procedures. For more information about
DSM/SCM usage, see the DSM/SCM User’s Guide. For more information about
Safeguard installation instructions, see your Safeguard softdoc.
Adding the Safeguard Software to the Kernel Subsystem (G-
Series RVUs)
To add the Safeguard software to the Kernel subsystem as a persistent process, you
must execute an SCF ADD PROCESS command. This command shows
recommended settings for the command attributes:
-> ADD PROCESS $ZZKRN.#ZSMP, &
AUTORESTART 10, &
BACKUPCPU 1, &
PRIMARYCPU 0, &
DEFAULTVOL $SYSTEM.SYSTEM, &
EXTSWAP $SWAP01, &
HIGHPIN ON, &
HOMETERM $ZHOME, &
NAME $ZSMP, &
OUTFILE $ZHOME, &
PRIORITY 198, &
PROGRAM $SYSTEM.SYSTEM.OSMP, &
Note. Regardless of method used to install the Safeguard software, you can make the super
ID undeniable on the local system by adding the following line to the ALLPROCESSORS
PARAGRAPH of the CONFTEXT file:
SUPER_SUPER_IS_UNDENIABLE;
If you add this line, the Safeguard software ignores explicit denials of access authorities for the
super ID. The SUPER_SUPER_IS_UNDENIABLE parameter takes effect when the system is
loaded with the OSIMAGE file that was produced from the CONFTEXT file containing this
parameter. (This specification does not apply to remote nodes.)