Safeguard Administrator's Manual (G06.24+, H06.03+)
Installation and Management
Safeguard Administrator’s Manual—523317-013
$ZSnn - SMON running in CPU nn
The SMP starts all the SMON processes with a priority of 199.
Converting to the Safeguard Subsystem
When the Safeguard software is installed on a system with an existing user community,
it takes over the existing USERID file. The next time each user logs on, his or her
record is expanded to contain security attributes, defined as:
• OWNER is set to the user ID of the user's group manager. (For example, the
  OWNER attribute for a person with a user ID of 4,56 is set to 4,255.) The
  Safeguard software does not verify that a group manager exists. The
  authentication records for users who belong to a group without a group manager
  are owned by a nonexistent user.
• PASSWORD does not change. (The user keeps the existing logon password.)
• USER-EXPIRES is set to null. (The user's ability to log on to the system does not
  expire.)
• PASSWORD-MUST-CHANGE EVERY num DAYS is set to null. (The user's
  password does not expire.)
• AUDIT-ACCESS-PASS, AUDIT-ACCESS-FAIL, AUDIT-MANAGE-PASS, and
  AUDIT-MANAGE-FAIL are all set to NONE. (No auditing is performed.)
• REMOTEPASSWORD does not change. (All remote passwords currently defined
  for a user are retained.)
• DEFAULT-PROTECTION is not specified for a user's disk files. (Guardian
  protection applies.)
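A post-conversion check for the OWNER default described above, as an added example that is not part of the manual or of the Safeguard software: it derives each record's default OWNER (group,255) and reports owners that are not defined users. The input format (a list of "group,member" strings exported by the administrator), the function names, and the sample data are assumptions made for illustration.

```python
"""Added example: find authentication records whose default OWNER does not exist.

Assumption: user IDs arrive as "group,member" strings; how they are exported
from the system is outside this sketch. All sample data is constructed.
"""

GROUP_MANAGER_MEMBER = 255  # from the manual's example: user 4,56 -> OWNER 4,255


def parse_user_id(text):
    """Parse 'group,member' into a (group, member) tuple, each in 0..255."""
    parts = text.strip().split(",")
    if len(parts) != 2:
        raise ValueError(f"not a group,member user ID: {text!r}")
    group, member = (int(p) for p in parts)
    if not (0 <= group <= 255 and 0 <= member <= 255):
        raise ValueError(f"user ID out of range: {text!r}")
    return group, member


def default_owner(user_id):
    """OWNER assigned at conversion: the group manager of the user's group."""
    group, _member = user_id
    return (group, GROUP_MANAGER_MEMBER)


def orphaned_records(user_ids):
    """Map each nonexistent default owner to the users whose records it owns."""
    defined = {parse_user_id(u) for u in user_ids}
    orphans = {}
    for uid in sorted(defined):
        owner = default_owner(uid)
        if owner not in defined:  # no group manager was ever added
            orphans.setdefault(owner, []).append(uid)
    return orphans


def fmt(uid):
    return f"{uid[0]},{uid[1]}"


# Constructed sample: group 4 has a manager (4,255); group 7 does not.
SAMPLE_USER_IDS = ["4,56", "4,255", "7,1", "7,12", "255,255"]

if __name__ == "__main__":
    for owner, users in orphaned_records(SAMPLE_USER_IDS).items():
        owned = ", ".join(fmt(u) for u in users)
        print(f"OWNER {fmt(owner)} does not exist; owns records for: {owned}")
```

Records reported here are the ones whose owner should be reassigned to an existing user.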
For Safeguard product versions prior to D30, HP recommends that the ADDUSER,
DELUSER, and RPASSWRD program object files be deleted when the Safeguard
software is installed on a system. With D30, it is no longer necessary to delete these
programs because they now coordinate requests for their services through the
Safeguard software.
When the Safeguard software is installed for the first time, Expand line handlers need
to be restarted. This action enables the line handlers to open the LUSERID file, which is
created by the Safeguard subsystem to manage user alias information and OSS user
attributes. If the line handlers are not restarted, any access that uses an alias generates
security violations across nodes.
Updating the Safeguard Software
Some current Safeguard capabilities are incompatible with previous product versions
of the Safeguard software, and they might cause operational difficulties during
installation and operation. This is also true for the audit files, which are incompatible