Safeguard Reference Manual (G06.29+, H06.08+, J06.03+)

Event-Exit-Process Commands
Safeguard Reference Manual — 520618-030
If the event-exit process responds NO to an access attempt, the failure is not audited in
Safeguard because the event exit and SMON auditing are not integrated. If the
event-exit process responds YES or NORECORD, the Safeguard subsystem rules on the
request, and auditing is performed as specified for the object.
Therefore, the basic concept in auditing is that if Safeguard is involved in the ruling,
auditing is applied as specified. If Safeguard is not involved in the ruling, no auditing is
performed.
Processing of Authentication Requests
When ENABLE-AUTHENTICATION-EVENT is ON, authentication requests are routed
to the event-exit process. Both interactive and programmatic logon authentication
requests are sent to the event-exit process. Unlike authorization events, the rulings on
these events are the sole responsibility of the event-exit process. The Safeguard
software does not participate in authentication rulings.
However, if the Safeguard subsystem is configured to communicate with the $CMON
process, it sends a prelogon message to $CMON and awaits a reply before routing the
authentication request to the event-exit process. $CMON has the option of denying the
logon attempt prior to authentication by the event-exit process. Similarly, if Safeguard
is configured to do so, it sends a logon message to $CMON after authentication
occurs. $CMON again has the option of denying the logon attempt even after the user
has been authenticated.
Processing of Interactive Authentication
For interactive logon attempts, a process such as TACL provides the logon input and
authentication request in a call to USER_AUTHENTICATE_. This input is forwarded by
USER_AUTHENTICATE_ to the Safeguard $ZSMP process, which in turn routes it to
the event-exit process for evaluation. If the interactive logon attempt occurs at a
Safeguard terminal, the Safeguard software captures the input directly, and $ZSMP
routes it to the event-exit process. USER_AUTHENTICATE_ is not involved when the
logon attempt occurs at a Safeguard terminal.
The event-exit process can approve or deny the logon request, or it can engage in a
challenge/response dialog before approving or denying the request. Additionally, the
event-exit process can return a generated password as part of a password change
dialog. The Safeguard software does not check passwords or otherwise participate in
the authentication. It only routes messages between the event-exit process and
USER_AUTHENTICATE_. When the authentication is complete, the Safeguard
software updates the last logon time and logon failure count in the user’s record in the
Safeguard database. It also files the new password if a password change occurred and
the event-exit process requested filing of the password.
The password-quality exit is separate from the authentication exit, and it is not invoked
by the Safeguard software during an authentication event. For more information, see
Processing of Password-Quality Requests on page 15-31.
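
The routing order described above, modelled as an added Python example; it is not code from this manual or from the Safeguard software. UserRecord, ExitReply and route_logon are hypothetical names, and two behaviors are assumptions: the failure count is reset on success and incremented on failure, and a prelogon denial leaves the user record untouched.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class UserRecord:                     # stand-in for the user's Safeguard record
    last_logon: Optional[str] = None
    failure_count: int = 0
    password: str = "constructed-old"

@dataclass
class ExitReply:                      # hypothetical shape of the event-exit ruling
    approve: bool
    new_password: Optional[str] = None   # set when a password change occurred
    file_password: bool = False          # exit asked Safeguard to file it

def route_logon(record: UserRecord, exit_dialog: Callable[[], ExitReply], now: str,
                cmon_prelogon: Optional[Callable[[], bool]] = None,
                cmon_logon: Optional[Callable[[], bool]] = None,
                safeguard_terminal: bool = False):
    """Return (granted, denied_by, trace) for one interactive logon attempt.

    The $CMON callables return True to allow; None means Safeguard is not
    configured to send that message. exit_dialog may run any challenge/response.
    """
    trace = []
    if cmon_prelogon is not None:
        trace.append("Safeguard -> $CMON prelogon")
        if not cmon_prelogon():       # denied before authentication is attempted
            return False, "$CMON prelogon", trace   # assumption: record untouched
    # The input path differs by terminal type; the ruling path does not.
    trace.append("Safeguard terminal -> $ZSMP" if safeguard_terminal
                 else "TACL -> USER_AUTHENTICATE_ -> $ZSMP")
    trace.append("$ZSMP -> event-exit")
    reply = exit_dialog()             # sole authority; Safeguard checks no password
    # Bookkeeping only. Assumption: "updates" means reset on success, +1 on failure.
    if reply.approve:
        record.last_logon, record.failure_count = now, 0
    else:
        record.failure_count += 1
    if reply.new_password is not None and reply.file_password:
        record.password = reply.new_password
    if not reply.approve:
        return False, "event-exit", trace
    if cmon_logon is not None:
        trace.append("Safeguard -> $CMON logon")
        if not cmon_logon():          # denied even though authentication succeeded
            return False, "$CMON logon", trace
    return True, None, trace
```

The denied_by value identifies which component refused the logon, which is the component whose own logs have to be consulted for that refusal.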