Security Management Guide

Abstract
This guide for security administrators discusses ways to use Guardian and Safeguard security features to control access to HP NonStop™ systems.

Product Version
Safeguard G06, H03

Supported Release Version Updates (RVUs)
This publication supports G06.21 and all subsequent G-series RVUs and H06.03 and all subsequent H-series RVUs until otherwise indicated by its replacement publication.
Document History

Part Number   Product Version               Published
522283-004    Safeguard G06, Guardian D30   December 2003
522283-005    Safeguard G06, Guardian D30   April 2005
522283-006    Safeguard G06, H03            May 2006
522283-007    Safeguard G06, H03            July 2006
522283-008    Safeguard G06, H03            November 2006
Contents

What’s New in This Manual  ix
  Manual Information  ix
  New and Changed Information  ix
About This Manual  xiii
  Who Should Use This Manual  xiii
  What’s in This Manual  xiii
  Suggested Reading  xiv
  Notation Conventions  xvi
1. Introduction
  Security Policy and Procedures  1-1
  Least Privilege  1-2
  Segregation of Duties  1-2
  Proper Physical Security  1-2
  Security Practice Review  1-2
  System Access Control  1-3
  Reasons to Use Safeguard Features  1-3
4. OSS System Security
  Process Security Attributes  4-7
  Adopting the Owner ID of a Program File  4-9
6. Concerns for the Application Programmer
  Authentication User IDs  6-1
  Application-Specific User IDs  6-4
7. Concerns for the System Administration Team
  Operators and Privileges  7-15
  Securing Network Access  7-15
  Creating a Network User ID  7-16
  Managing the Network User IDs  7-16
  Security Precautions  7-16
  Encrypting Data Between Nodes  7-17
  Communicating With Other System Managers  7-17
C. TACL Macros
  Example 5. Lock Routine  C-6
Glossary
Index

Figures
  Figure 4-1. OSS File and Directory Permissions  4-4

Tables
  Table i, Table 2-1, Table 2-2, Table 2-3, Table 2-4, Table 3-1, Table 4-1, Table 4-2, Table 4-3, Table 5-1, Table 5-2, Table 5-3, Table 7-1
What’s New in This Manual
Changes to the G06.29 Manual

• Updated to address the OSS ACLs features for H-series support:
  ° Note on page 3-1
  ° SECURITY-OSS-ADMINISTRATOR information under Membership in Security Groups on page 3-4
  ° Interoperability With Safeguard Security on page 4-1
  ° Access Control Lists on page 4-4

Changes to the G06.27 Manual

• Product names in graphic representations are consistent with the current product interface.

These changes have been made for this edition:

• Starting with G06.26, Safeguard volume protection records are no longer consulted for creation of NonStop Open System Services (OSS) files.
Changes to the G06.
About This Manual

Both the HP NonStop operating system environment and the Safeguard subsystem provide tools to help you secure your system. This manual suggests ways of using these tools.

Who Should Use This Manual

Sections 1 through 4 of this manual are intended for the security administrator. A security administrator helps to develop and implement a security policy to ensure the integrity of information within the data-processing organization.

Table i. Summary of Contents (page 2 of 2)

Appendix A, Sample Policies               Provides examples of two security policies.
Appendix B, How Passwords are Encrypted   Explains how passwords are encrypted on a NonStop system.
Appendix C, TACL Macros                   Provides examples of HP Tandem Advanced Command Language (TACL) macros to be used when developing security macros.
Glossary                                  Provides definitions for terms used in the manual.
Suggested Reading

OSS Environment
• Open System Services User’s Guide
• Open System Services Management and Operations Guide
• Open System Services Shell and Utilities Reference Manual
• Open System Services System Calls Reference Manual

Atalla Security Tools
• Atalla Key Block Banking Command Reference Manual
• Installation and Operations Guide for Atalla NSP Series Products

General Security*
• Security, Accuracy, and Privacy in Computer Systems, J.
• Managing Information Security Risks: The OCTAVE Approach, C. Alberts and A. Dorofee, Addison Wesley Professional, July 2002.

* The Hewlett Packard Company, together with its subsidiaries and affiliates (collectively "HP") has provided the reading lists suggested herein solely for informational purposes and for no other purpose.

Notation Conventions
General Syntax Notation

italic computer type. Italic computer type letters within text indicate C and Open System Services (OSS) variable items that you supply. Items not enclosed in brackets are required. For example:
    pathname

[ ] Brackets. Brackets enclose optional syntax items. For example:
    TERM [\system-name.]$terminal-name
    INT[ERRUPTS]
A group of items enclosed in brackets is a list from which you can choose one item or none.

Quotation marks around a symbol such as a bracket or brace indicate the symbol is a required character that you must enter as shown. For example:
    "[" repetition-constant-list "]"

Item Spacing. Spaces shown between items are required unless one of the items is a punctuation symbol such as a parenthesis or a comma. For example:
    CALL STEPMOM ( process-id ) ;
If there is no space between two items, spaces are not permitted.

Notation for Messages

The following list summarizes the notation conventions for the presentation of displayed messages in this manual.

Bold Text. Bold text in an example indicates user input entered at the terminal. For example:
    ENTER RUN CODE
    ?123
    CODE RECEIVED: 123.00
The user must press the Return key after typing the input.

Nonitalic text. Nonitalic letters, numbers, and punctuation indicate text that is displayed or returned exactly as shown.

| Vertical Line. A vertical line separates alternatives in a horizontal list that is enclosed in brackets or braces. For example:
    Transfer status: { OK | Failed }

% Percent Sign. A percent sign precedes a number that is not in decimal notation. The % notation precedes an octal number. The %B notation precedes a binary number. The %H notation precedes a hexadecimal number.
1 Introduction

Security is more than just system controls. Security for your site should also include user training, security procedures customized for each department, and physical controls if necessary. A security policy should guide all of the security-relevant activities of your organization. This section provides guidelines to help you develop a security policy and security procedures. It also introduces extended security features provided by the Safeguard software.
Consider these practices and concepts when developing security programs and procedures for your site:
• Least privilege access
• Segregation of duties
• Proper physical security
• Security practice review

Least Privilege

Least privilege dictates that each user access the system based on user need.

System Access Control

Four major components of system access control:

Authentication   The process of ensuring accurate user identification. Authentication might involve the use of passwords or more advanced measures such as biometrics or the Atalla Challenge-Response unit.
Authorization    The process of controlling access to resources on the system.

Reasons to Use Safeguard Features

• Users and aliases can be temporarily frozen to prevent access to the system.
• Special user groups can be defined independent of user definitions. These groups can be used to facilitate file-sharing, particularly in the OSS environment.
• Password management features allow you to specify attributes such as password expiration and password minimum length.
2 Guardian System Security

The security of an application for a NonStop system depends on both the protection designed into it and the protection offered by the Guardian environment. This section provides an overview of Guardian security features as well as guidance on how to use these features to help secure your system. For more information about security features and other Guardian utilities, see the Guardian User’s Guide.

Overview of Guardian Security Features

Table 2-1. Security-Relevant Commands and Programs

Command or Program   Function
ADDUSER              Adds new users to the system (user ID must be n,255)
DEFAULT              Sets system, volume, subvolume, and disk-file default security attributes (RWEP)
DELUSER              Deletes users from the system (user ID must be n,255)
Guardian User Security

Users on a NonStop system fall into one of these four classes. Each class is determined by the user ID:

General users    Log on to a system to run one or more specific applications such as a text editor or manufacturing application. (General users are sometimes called application users.)
Group managers   Are responsible for members of a specific administrative group on the system. The user ID is n,255, where n is the number of the group.

With the ADDUSER program or the Safeguard ADD USER command, the super ID user creates new administrative groups and adds new users to these groups. After being added by the super ID user, a group manager (user ID n,255) can also add new users to the administrative group with the group number n. For each new user, a user name and corresponding user ID must be specified.

Guardian File Security

Table 2-2. Guardian Disk-File Security Settings (page 2 of 2)

Code   Access
A      Any user on the local system can perform the designated operation.
N      Any user on the local system or on the network can perform the designated operation.
-      Only the local super ID can perform the designated operation.
Guardian Process Security

A Guardian process can determine its CAID and PAID by using the PROCESS_GETINFO_ procedure. For more information, see the Guardian Programmer’s Guide. The PAID (along with the effective group ID and group list) is used to determine if Guardian file access is allowed.

Adopting the Owner ID of a Program File (PROGID)

PROGID allows the owner of a program file (or the super ID) to specify that the PAID of any Guardian process created by running that program file is the same as the owner ID of the program file rather than the PAID of the creating process.
Sanitizing a NonStop System

• The security administrator, working with the system manager and operating as the super ID, should sanitize the system.
• Assume that any newly delivered system is not adequately secure, and do not grant access to it until it is sanitized.
• Failure to sanitize a new system can make it easy for an intruder to introduce security holes that might not be detected later.
• Be sure to set up your user community properly.

The following subsections discuss the security of the different types of system files. The security settings of these files depend on your security policy and how your system is used.

Owning System Files

Unless your security policy states otherwise, the super ID (255,255) should own system files. The special files shown in Table 2-4 on page 2-8 (TANDUMP, DIVER, USERID, and USERIDAK) should be secured “----”, thus prohibiting access to all but the super ID.

Setting System Files to PROGID

Normally you should not run system programs as PROGID programs. Possible exceptions to this rule involve copies of the BACKUP and RESTORE programs.

Default Security for User Files

Determine default security for user files on a user-by-user basis. Such assignments should be consistent with your organization’s policies.
user’s default security. For example, after logging on as SUPER.ROBIN, the following command changes the default security to NUNU for SUPER.ROBIN:

    2> DEFAULT, "NUNU"

This change takes effect the next time SUPER.ROBIN logs on.

Disposition of Orphan Files

An orphan file is a file, other than a system file, owned by a nonexistent user. A file becomes an orphan when the file owner leaves your organization, and you delete the owner’s user ID.
Optional Security Features

These features are made available to the user in the PASSWORD program by setting the BINDER option:

Note. The BINDER option is not supported on systems running G06.29 and later G-series RVUs and H06.06 and later H-series RVUs.

• BLINDPASSWORD
• MINPASSWORDLEN
• ENCRYPTPASSWORD
• PROMPTPASSWORD

Note. These options were not previously documented although they were available in the PASSWORD program. Be careful when setting the BINDER option.

password length. To use these features (password encryption and password minimum length check) and to overcome this limitation, instead of setting the PASSWORD program's ENCRYPTPASSWORD option, set the Safeguard subsystem's PASSWORD-ENCRYPT attribute. This approach enables Safeguard to enforce the minimum length for the password if the PASSWORD-MINIMUM-LENGTH attribute is set.

Usage

Note. The BINDER option is not supported on systems running G06.29 and later G-series RVUs and H06.06 and later H-series RVUs.

The procedure to set the BINDER option is:

Note. If you do not feel comfortable executing this procedure, contact the Global Customer Support Center (GCSC) for assistance.

    BIND
    @ADD * FROM PASSWORD
    @MODIFY DATA name , value
    @BUILD NEWPASS
    @DUMP DATA name * FROM NEWPASS
    @EXIT

name identifies the BINDER option specified previously.

PWCONFIG Utility

    BLIND   prompts for the old and new passwords. The passwords are not displayed on the screen.
    ECHO    prompts for the old and new passwords. The passwords are echoed on the screen.
    OFF     reads the new password from the command line.

The default value is BLIND.

• ENCRYPTPASSWORD specifies whether passwords are to be encrypted. This attribute is similar to the Safeguard configuration attribute PASSWORD-ENCRYPT.

will be between 0 and 8 when the ALGORITHM is DES or CLEAR. The syntax for the MINPASSWORDLEN attribute is:

    PWCONFIG MINPASSWORDLEN { n }

n specifies the minimum length allowed when the passwords are changed. n is an integer from 0 through 64. 0 indicates that NULL passwords are acceptable. The default value is 6.

• MAXPASSWORDLEN specifies the maximum length of the password that can be specified during password change.

If the above options are specified when Safeguard is up, the command is rejected with the following error message:

    SAFEGUARD IS RUNNING; USE SAFECOM TO CONFIGURE PASSWORDS

For more information about SAFECOM, see the Safeguard Administrator's Manual. The PROMPTPASSWORD and INFO commands are serviced by the PWCONFIG utility, irrespective of Safeguard being up or down.
When Safeguard is installed on the system, the following EMS message is displayed if the password configuration attribute PASSWORD-COMPATIBILITY-MODE is altered using the PWCONFIG program:

    TANDEM.SFG.H04 000100 \.$SYSTEM.SYSnn.
Controlling the Super ID

Without special mechanisms provided by the Safeguard software, the super ID has unlimited access to all resources on a local system. For example, a user logged on as the super ID could:
• Log on as any other user ID without knowing that user’s password
• Read, write, execute, or purge any file
• Bring up or take down any device

The special abilities of the super ID on one system do not extend to another system.

Operating Without the Super ID

The following tasks, often associated with the super ID, can be performed by operators and other users with proper access authorities. In the following subsections and throughout this manual, super-group user means a user whose administrative group is group number 255; that is, one whose user ID is 255,n.

Controlling Applications

The requirements for controlling an application are determined by the application itself.

Running INSTALL

Normally the super ID is required to perform a system installation or update. However, if the INSTALL program has PROGID set to the super ID, other users can run INSTALL. Secure INSTALL so only the super-group user has EXECUTE authority. In this instance, file-sharing super-group users also receive EXECUTE authority.

Tasks That Require the Super ID

Initializing NonStop SQL/MP

The super ID is needed to initialize HP NonStop SQL/MP and to reinitialize subsequent RVUs.

Controlling User IDs

The super ID is needed to add new user groups or to add user IDs to administrative groups that do not have a group manager ID. The super ID is also needed to delete user IDs from administrative groups that do not have a group manager ID.
Licensing Programs

To access hardware resources, user programs request operating system services by executing Guardian procedure calls. To access software resources, terminal users request operating system services by executing licensed system programs, such as ADDUSER, BACKUP, DEFAULT, DELUSER, FUP, PASSWORD, RESTORE, RPASSWRD, and USERS.

The Licensing Operation

Licensing is accomplished through the FUP program.

• Change the intruder program’s effective user ID or process access ID (PAID) in the process control block to gain the privileges of other users (including the super ID) and then browse and change files
• Directly manipulate physical hardware resources

Limiting Access to HP Licensed Programs

HP programs maintain data integrity and allow safe access to user resources. Also, do not allow all users to execute these programs.

Monitoring for Changes

Both the security administrator and the system manager should maintain a list of licensed programs. The system files that require licensing can vary from one RVU to another. To determine which files need to be licensed, consult the CUSTFILE files. The CUSTFILE indicates licensing requirements in section 2 with an L in column 62 for modules that must be licensed.
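As an added example (not from this manual or from HP), the following Python script does the reconciliation that Monitoring for Changes asks for: it reads CUSTFILE section-2 lines using only the fact the manual states (an L in column 62 marks a module that must be licensed), parses a listing in the form shown in this section (file name followed by a file code such as 100L), and reports programs that should be licensed but are not, programs that are licensed although nothing requires it, and required programs missing from the listing. The CUSTFILE line layout apart from column 62, the assumption that the module name is the first field, and every sample line are constructed for the example.

```python
"""Reconcile CUSTFILE licensing requirements against what is actually licensed.
Added example, not HP code. Only the column-62 L flag comes from the manual; the
rest of the CUSTFILE layout and all sample lines below are constructed."""
from __future__ import annotations

LICENSE_COLUMN = 62  # 1-based column of the L flag in CUSTFILE section 2


def custfile_required(section2_lines: list[str]) -> set[str]:
    """Module names whose section-2 line carries an L in column 62 (name assumed to be the first field)."""
    return {line.split()[0].upper() for line in section2_lines
            if len(line) >= LICENSE_COLUMN and line[LICENSE_COLUMN - 1] == "L" and line.split()}


def licensed_from_listing(listing: str) -> dict[str, bool]:
    """Parse 'SUBVOL.FILE 100L' lines: file code 100 is a program; the L suffix marks it licensed."""
    result: dict[str, bool] = {}
    for raw in listing.splitlines():
        parts = raw.split()
        if len(parts) == 2 and parts[1].startswith("100"):
            result[parts[0].split(".")[-1].upper()] = parts[1].endswith("L")
    return result


def reconcile(required: set[str], listed: dict[str, bool]) -> dict[str, list[str]]:
    """Three findings: required but unlicensed, licensed though not required, required but absent."""
    licensed = {name for name, is_lic in listed.items() if is_lic}
    return {
        "unlicensed_required": sorted((required & set(listed)) - licensed),
        "licensed_unexpected": sorted(licensed - required),  # extra privilege: find out who licensed it
        "missing_required": sorted(required - set(listed)),
    }


def custfile_line(name: str, flag: str) -> str:
    """Constructed CUSTFILE-style line with `flag` exactly in column 62."""
    return f"{name:<{LICENSE_COLUMN - 1}}{flag}"


SAMPLE_CUSTFILE = [  # constructed, not a real CUSTFILE
    custfile_line("FUP       program", "L"),
    custfile_line("PASSWORD  program", "L"),
    custfile_line("USERS     program", "L"),
    custfile_line("EDIT      program", " "),
]
SAMPLE_LISTING = """
SYS00.FUP       100L
SYS00.PASSWORD  100
SYS00.EDIT      100L
SYS00.DEFAULT   100L
"""

if __name__ == "__main__":
    for finding, names in reconcile(custfile_required(SAMPLE_CUSTFILE),
                                    licensed_from_listing(SAMPLE_LISTING)).items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

The licensed_unexpected finding is the one to treat as a security event rather than a housekeeping item: a licensed program runs with the privileges this section describes, so a program that is licensed without HP requiring it should be traced back to whoever ran FUP LICENSE on it.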
    SYS00.CMPLIB    100L
    SYS00.DEFAULT   100L
    SYS00.DELUSER   100L
    SYS00.DSAP      100L
    SYS00.FUP       100L
    SYS00.PASSWORD  100L
    SYS00.PUP       100L
    SYS00.RESTORE   100L
    SYS00.RPASSWRD  100L
    SYS00.USERS     100L

PROGID Programs

This subsection discusses the PROGID attribute and its implications for security. When a user executes an ordinary program, the program operates using the privileges of the user and accesses only resources to which the user has access.
• Allowing updates contingent upon completeness, quality, or independent authorization of transaction data items
• Granting access to selected fields of a record to which the user should not be granted unlimited access
• Auditing of database transactions to whatever degree of detail is needed

For example, a personnel application might allow employees to look at only their own personnel records.

Possible Security Concerns

Improper Handling of Requests

Without sufficient checking of the input data range and form, an incompletely debugged PROGID program can unintentionally provide unauthorized access to restricted data. For example, a PROGID program might display the home address from an employee’s payroll record.

Detecting PROGID Programs

To list the names of all PROGID programs residing on a disk volume, use the DSAP command. For example, this command lists the PROGID programs residing on volume $SYSTEM:

    1> DSAP $SYSTEM,PROGID
    Name/ID                Filename         Type Code
    ...
    LIBRARY.USER (5,1)     SYSTEM.LIBRARY   100I
    ...
    ADMIN.SUE (149,60)     SYSTEM.CRS       100I
                           SYSTEM.TPS       100I
    ...
3 Safeguard System Security

This section explains how to use Safeguard features to secure your system. Also read Section 2, Guardian System Security, to become familiar with the basic Guardian security features. Safeguard features provide additional capabilities in the following areas:

Authentication   More control is provided over authentication attempts and password management through global configuration attributes and through individual user authentication records.

Preliminary Preparation

Install or update the Safeguard software according to the instructions in the Safeguard Administrator’s Manual. Before you start using Safeguard features, perform the tasks described in the following subsections.

Read the Safeguard Manuals

Read the Safeguard manuals to become familiar with the product’s features before you use them to secure your system. Let your security policy guide you in determining which features to use.
Privileged User Roles

From your security policy, determine the responsibilities of the security staff and other privileged users. For example, determine who is responsible for adding users to the system, who should secure certain types of objects, and who should control the Safeguard configuration. Special security privileges such as these can be granted through OBJECTTYPE authorization and membership in Safeguard security groups.

Controlling the OBJECTTYPE Records

Perhaps you want general users to be able to add Safeguard protection records for their own files. If so, do not create an OBJECTTYPE DISKFILE authorization record. Otherwise, only users on the OBJECTTYPE DISKFILE access control list can add Safeguard protection records for disk files. Also, anyone on this access control list can protect files regardless of ownership.

Initially, only a super-group user can create either security group. However, after the record for a group is created, only the security group OWNER (and any members with OWNER authority) can control the record. For more information about security groups, see the Safeguard Administrator’s Manual and the Safeguard Reference Manual.

Note. The SECURITY-OSS-ADMINISTRATOR security group is supported only on systems running G06.

Controlling Backups With Safeguard Access Control Lists

To back up a file through BACKUP, a user must have READ access to that file. To back up the entire system, the user must have READ access to all files. You might want to create a special backup ID that is used only for backups. Give the ID read-only access to all files and give the password to a trusted user responsible for backups.
Adding Users to a System

When the Safeguard software is installed on a system with an existing user community, it takes over the existing user ID file. The next time each user logs on, the user record is expanded to include Safeguard attributes. Add new users with the ADD USER command. Always specify passwords when adding users. Be sure to tell users to change their passwords immediately after logging on for the first time.

particular file. Again, your security policy should state whether users can control the security of their files. The following SAFECOM command alters the user record for PROG.DONNA by specifying DEFAULT-PROTECTION for her files:

    =ALTER USER prog.donna, DEFAULT-PROTECTION (ACCESS &
    =10,200 (r,w,e); (4,*, 8,*) r, OWNER sec.admin)

The preceding command gives PROG.DONNA READ, WRITE, and EXECUTE authority for any files she creates.

Do not set AUTHENTICATE-FAIL-FREEZE to ON unless your policy specifically requires it. An intruder could easily freeze all the IDs on a system by simply exceeding AUTHENTICATE-MAXIMUM-ATTEMPTS for each user.

Password Configuration

Your security policy might require some control over passwords.
• Ability to specify different command interpreters to be started automatically after logon for different users (for example, you can specify SAFECOM as the initial command interpreter for the security staff)
• Ability to specify that the user logged on at the terminal has exclusive access to it

To have Safeguard control the logon process at a particular terminal, use SAFECOM to create a terminal definition with the ADD TERMINAL command.

values assigned to those user attributes. For example, each alias assigned to the same user ID can have a different password. The use of aliases can provide individual accountability and separation of duties when several users share the same user ID or when a single user performs separate job functions.

Safeguard Access Control Lists

An access control list specifies access authorities associated with a particular object (such as a disk file). Access control lists allow you to specify access to a greater level of detail than Guardian security strings allow. For example, with an access control list, you can grant access to one or two members of a group without having to grant access to the entire group.

Emulating Guardian Security Strings

If you want Guardian files protected by Safeguard access control lists, but you want to keep the access equivalent to the Guardian settings, you can emulate these security settings with the Safeguard software. For example, you can create a Safeguard access control list to emulate the Guardian security string of AOAO.
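The following Python model is an added worked example; it is not from this manual or from HP. It serves two passages: the Guardian security-string codes of Table 2-2 in Section 2 (and the DEFAULT "NUNU" example there), which it evaluates letter by letter, and the emulation described here, for which it translates a four-letter string into an access control list that grants exactly the same access and then checks the two against each other for every kind of requester. The requester model (local versus network, owner, same group, super ID), the union-of-grants evaluation of the list, and the `\*.` prefix used when rendering network entries are assumptions of the example, not SAFECOM syntax taken from the page; verify the rendered text against the Safeguard Reference Manual before using it in SAFECOM.

```python
"""Guardian security strings versus Safeguard access control lists.
Added example, not HP code. The letter semantics are those of Table 2-2; the
requester model and the rendered ACL text are assumptions (see lead-in)."""
from __future__ import annotations
from dataclasses import dataclass
from itertools import product

OPS = "RWEP"           # read, write, execute, purge: the four positions of a security string
SUPER_ID = (255, 255)


@dataclass(frozen=True)
class Requester:
    group: int
    user: int
    remote: bool = False  # True when the request arrives from another node


def guardian_allows(security: str, op: str, owner: tuple[int, int], who: Requester) -> bool:
    """Apply the Table 2-2 letter in position op of a Guardian security string."""
    if len(security) != 4 or op not in OPS:
        raise ValueError("security string must be four RWEP letters")
    if (who.group, who.user) == SUPER_ID and not who.remote:
        return True    # the local super ID always passes; its powers do not extend across nodes
    code = security[OPS.index(op)].upper()
    is_owner = (who.group, who.user) == owner
    same_group = who.group == owner[0]
    table = {
        "-": False,                          # super ID only
        "A": not who.remote,                 # any local user
        "N": True,                           # any local or network user
        "G": same_group and not who.remote,  # owner's group, local
        "C": same_group,                     # owner's group, local or network
        "O": is_owner and not who.remote,    # owner, local
        "U": is_owner,                       # owner, local or network
    }
    if code not in table:
        raise ValueError(f"unknown security code {code!r}")
    return table[code]


@dataclass(frozen=True)
class AclEntry:
    any_node: bool     # entry also matches requests from other nodes (rendered with an assumed \*. prefix)
    group: int | None  # None means wildcard
    user: int | None   # None means wildcard
    ops: frozenset


def acl_allows(acl: list[AclEntry], op: str, who: Requester) -> bool:
    """Simplified evaluation: any matching entry that grants op allows it (union of grants)."""
    for e in acl:
        if who.remote and not e.any_node:
            continue
        if e.group is not None and e.group != who.group:
            continue
        if e.user is not None and e.user != who.user:
            continue
        if op in e.ops:
            return True
    return False


def emulate(security: str, owner: tuple[int, int]) -> list[AclEntry]:
    """Translate a Guardian security string into entries granting exactly the same access."""
    subject_for = {
        "A": (False, None, None),          "N": (True, None, None),
        "G": (False, owner[0], None),      "C": (True, owner[0], None),
        "O": (False, owner[0], owner[1]),  "U": (True, owner[0], owner[1]),
    }
    grants: dict[tuple, set] = {}
    for op, code in zip(OPS, security.upper()):
        # Guardian always lets the local super ID through, so the ACL has to say so explicitly.
        grants.setdefault((False, 255, 255), set()).add(op)
        if code != "-":
            grants.setdefault(subject_for[code], set()).add(op)
    return [AclEntry(n, g, u, frozenset(ops)) for (n, g, u), ops in grants.items()]


def render(acl: list[AclEntry]) -> str:
    """SAFECOM-like text for review; the '\\*.' prefix on network entries is an assumed spelling."""
    def subj(e: AclEntry) -> str:
        g = "*" if e.group is None else str(e.group)
        u = "*" if e.user is None else str(e.user)
        return ("\\*." if e.any_node else "") + f"{g},{u}"
    return "; ".join(f"({subj(e)}) " + ",".join(o for o in OPS if o in e.ops) for e in acl)


def sample_requesters(owner: tuple[int, int]) -> list[Requester]:
    """Every class Table 2-2 distinguishes, each both locally and from the network."""
    ids = [owner, (owner[0], 200), (owner[0] + 1, 7), SUPER_ID, (255, 3)]
    return [Requester(g, u, r) for (g, u), r in product(ids, (False, True))]


def equivalent(security: str, owner: tuple[int, int]) -> bool:
    """True when the emulated ACL grants exactly what the Guardian string grants."""
    acl = emulate(security, owner)
    return all(guardian_allows(security, op, owner, w) == acl_allows(acl, op, w)
               for op in OPS for w in sample_requesters(owner))


if __name__ == "__main__":
    for s in ("AOAO", "NUNU", "GOGO", "----"):
        print(f"{s} -> {render(emulate(s, (8, 1)))}   equivalent: {equivalent(s, (8, 1))}")
```

The explicit (255,255) entry is the point to notice: Guardian grants the local super ID everything implicitly, so an emulated list must say so, and a list that does not (which is a legitimate Safeguard choice, as Controlling the Super ID in this section describes) is deliberately not equivalent to the Guardian string.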
by an access control list. For example, if two groups need access to the file, the original Guardian string would have to give everyone access. However, with a Safeguard access control list, you can specify only the two groups that need access.

Testing Access Control Lists

You can test access control lists in a special state of Safeguard operation called warning mode.
What Processes Should Be Secured?

Secure process names used by the operating system and the Safeguard software. Also secure process names or subprocess names used by your applications. The following list includes some process names you should secure:
• $CMON (Command Monitor)
• Pathway Monitor (usually $PM)
• Spooler Supervisor (usually $SPLS)
• Spooler Collector Names (usually $S, $S1, $S2 and so on)

Note. The process names $ZSMP and $ZSMP.

• Subvolumes shared by user groups

Advantages of Subvolume Security

Whether you secure subvolumes depends on your security policy. You can use subvolume security to supplement disk-file security. Subvolume security offers several advantages:
• There are fewer authorization records to manage.
• Because many files on a subvolume might need the same protection scheme, you can protect them all with one access control list on a subvolume.

Licensing Programs Through SAFECOM

Programs already under Safeguard protection must be licensed using SAFECOM commands.

contains the settings common to several objects and add these objects to the Safeguard database using this file. After you add the objects, you might need to make only minor changes to the individual records. Consider using a log file from a SAFECOM session as the source of your command file. The log file requires some editing before you can use it as a command file. However, it can be helpful when you try to duplicate a complex SAFECOM session.

Auditing

Safeguard auditing attributes allow you to record authentication attempts, object access attempts, attempts to change or read Safeguard records, and attempts by a specific user to perform an action. Additionally, you can use the audit service commands to manage the audit trail. For more information about auditing, see the Safeguard Audit Service Manual.

specifying object auditing easier. For more information on configuration, see the Safeguard Administrator’s Manual.

Auditing Attempts to Change or Read Safeguard Records

The Safeguard auditing attributes also allow you to record attempts to change or read both object authorization records and user authentication records. Specify auditing for attempts to change or read the user authentication records for all privileged users.

Specify Security Groups

With the Safeguard software, you can specify three security groups to designate who can issue restricted audit commands. These three groups are the SECURITY-ADMINISTRATOR security group, the SYSTEM-OPERATOR security group, and the SECURITY-OSS-ADMINISTRATOR security group. The Safeguard Reference Manual describes the capabilities of each group.

If the Safeguard subsystem is stopped for any reason, disk files with Safeguard authorization records are accessible only by the primary owner, the primary owner’s group manager, and the super ID. The security string still appears as ****. The super ID can return the file to Guardian protection by issuing the FUP SECURE command with a desired security string.
4 OSS System Security

This section describes the security features relevant if you are working in the OSS environment. Also review Section 2, Guardian System Security, and Section 3, Safeguard System Security, because some Guardian and Safeguard security features apply to the OSS environment. In particular, the Safeguard software must be used to add and manage users who will work in the OSS environment. All users must log on through the Guardian environment.

The following example illustrates creating the directory /home/dandy in the OSS environment and then assigning that directory as the initial working directory for the user PROG.DAN. In the OSS environment, issue the following command to create the directory:

    $ mkdir /home/dandy

Be sure PROG.DAN owns the directory and is granted all permissions for it. In SAFECOM, execute the following command to specify the directory as the initial directory for PROG.

(C) authority on the access control list for that volume. If the user does not have create authority on that access control list, the Safeguard software denies the file-creation attempt.

Note. Starting with G06.26, Safeguard volume protection records are no longer consulted for creation of NonStop Open System Services (OSS) files.
Access Control Lists OSS System Security Figure 4-1 shows the format of a file-permission code. Figure 4-1.
Access Control Lists OSS System Security An ACL entry prefixed with d: or default: can occur only in a directory's ACL. Such an entry is not used in determining access rights to the directory itself; instead, it is applied to any files or subdirectories created in the directory. The uid and gid fields contain either numeric user or group IDs, or their corresponding character strings from the system's user authentication database and group database.
File and Directory Commands OSS System Security ACL Uniqueness Entries are unique in each ACL. There can only be one of each type of base entry, and one entry for any given user or group ID. Likewise, there can only be one of each type of default base entry, and one default entry for any given user or group ID. ACL Inheritance When a directory's ACL contains default entries, those entries are not used in determining access to the directory itself.
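The ACL notation, uniqueness rules and default-entry inheritance described above, worked through in code. This is an added example and not code from the manual or from OSS: it parses entries in the u:/g:/o:/d: notation, rejects the duplicates the uniqueness rules forbid, derives the ACL a new file or subdirectory inherits from a directory's default entries, and evaluates access. The evaluation order (owner entry, then named-user entry, then any matching group entry, then other) is the POSIX ACL order and is assumed to match OSS; the carry-over of default entries into a new subdirectory is likewise assumed; the user and group names are constructed samples.

```python
"""OSS ACL notation, uniqueness and inheritance, as an added example (not code
from the manual): parses u:/g:/o:/d: entries, rejects duplicates, derives the
ACL a new object inherits from a directory's default entries, and evaluates
access in POSIX ACL order (owner, named user, any matching group, other), which
is assumed to match OSS.  Names below are constructed samples."""
from dataclasses import dataclass

KINDS = {"u": "user", "user": "user", "g": "group", "group": "group",
         "o": "other", "other": "other"}


@dataclass(frozen=True)
class Entry:
    default: bool   # d:/default: entry, valid only in a directory ACL
    kind: str       # "user", "group" or "other"
    name: str       # "" for a base entry, else a user/group ID or name
    perms: str      # e.g. "rw-"


def parse_entry(text):
    parts = text.split(":")
    default = parts[0] in ("d", "default")
    if default:
        parts = parts[1:]
    if len(parts) == 2:                      # "o:r--" has no name field
        parts.insert(1, "")
    if len(parts) != 3 or parts[0] not in KINDS:
        raise ValueError("bad ACL entry: %r" % text)
    kind, name, perms = KINDS[parts[0]], parts[1], parts[2]
    if (kind == "other" and name) or len(perms) != 3 or \
            any(c not in (k, "-") for c, k in zip(perms, "rwx")):
        raise ValueError("bad ACL entry: %r" % text)
    return Entry(default, kind, name, perms)


def parse_acl(lines, is_directory):
    """Parse a whole ACL, enforcing the uniqueness rules from the text."""
    entries, seen = [], set()
    for line in (l.strip() for l in lines):
        if not line or line.startswith("#"):
            continue
        e = parse_entry(line)
        if e.default and not is_directory:
            raise ValueError("default entry outside a directory ACL: %r" % line)
        key = (e.default, e.kind, e.name)    # one base entry per type, one per ID
        if key in seen:
            raise ValueError("duplicate ACL entry: %r" % line)
        seen.add(key)
        entries.append(e)
    for default in {e.default for e in entries}:
        base = {e.kind for e in entries if e.default == default and not e.name}
        if base != {"user", "group", "other"}:
            raise ValueError("missing base entries (default=%s)" % default)
    return entries


def is_valid_acl(lines, is_directory):
    try:
        parse_acl(lines, is_directory)
        return True
    except ValueError:
        return False


def inherit(dir_acl):
    """(file_acl, subdir_acl) for objects created in a directory: its default
    entries become the new object's entries; a subdirectory also keeps them as
    its own defaults (assumed, as on POSIX) so inheritance continues down."""
    defaults = [e for e in dir_acl if e.default]
    file_acl = [Entry(False, e.kind, e.name, e.perms) for e in defaults]
    return file_acl, file_acl + defaults


def check_access(acl, owner, owner_group, uid, gids, want):
    """True if uid (member of the groups in gids) holds every bit in want."""
    acl = [e for e in acl if not e.default]  # defaults never govern the object
    by = {(e.kind, e.name): e for e in acl}
    grants = lambda e: all(c in e.perms for c in want)
    if uid == owner:
        return grants(by[("user", "")])
    if ("user", uid) in by:
        return grants(by[("user", uid)])
    groups = [e for e in acl if e.kind == "group" and
              (owner_group in gids if not e.name else e.name in gids)]
    if groups:
        return any(grants(e) for e in groups)
    return grants(by[("other", "")])


# Constructed sample: project directory owned by PROG.WILSON, group PROG.
DIR_ACL = parse_acl("""
u::rwx
g::r-x
o::---
u:PROG.DAN:rwx
d:u::rw-
d:g::r--
d:o::---
d:g:PROJMGR:rw-
""".splitlines(), is_directory=True)
FILE_ACL, SUBDIR_ACL = inherit(DIR_ACL)
```

The sample shows the point of the text: SALES.PAT, a member of PROJMGR, gets nothing on the directory itself because the d:g:PROJMGR:rw- entry is a default entry, but does get read and write on any file created inside it, where that entry has become an ordinary group entry.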
OSS Process Security OSS System Security OSS automatically assigns default permissions to files and directories when they are created. The umask command can be used to establish a user mask, which specifies the maximum permissions that can be applied to a file or directory when it is created. The super ID can include a umask command in the /etc/profile file to specify the user mask for all users who log on to the shell. An individual user can also include a umask command in his or her .
Process Security Attributes OSS System Security Table 4-2. Security-Related OSS Process Attributes (continued)

Effective user ID: The user ID under which the process is currently running. Always kept synchronized with the PAID. The effective user ID is initialized to the same user ID as the real user ID when the process is authenticated. The effective user ID is changed if the process executes a program file that has its set-user-ID bit set.
Adopting the Owner ID of a Program File OSS System Security Table 4-3.
OSS System Security Adopting the Owner ID of a Program File the effective user ID and saved-set-user-ID of any process created by running the program file are set to the owner ID of the program file (rather than to the effective user ID and saved-set-user-ID of the creating process). This option allows the owner of the program file to control the files that the new process can access and to control the operations that can be performed on or by the process.
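A model of the three user-ID attributes from Table 4-2 and of the exec rule for a set-user-ID program file described above. This is an added example, not code from the manual: user IDs are plain strings, the rules for exec, fork and switching the effective ID follow POSIX semantics (assumed to match OSS), and the users and program files are constructed samples. It shows what the text warns about in the Guardian PROGID discussion: a set-user-ID program that starts another program without first giving up the adopted ID hands that ID on.

```python
"""Model of the real, effective and saved-set-user-ID attributes (Table 4-2)
and the set-user-ID exec rule from the text.  Added example, not from the
manual: POSIX semantics are assumed for OSS; users and files are samples."""
from dataclasses import dataclass

SUPER_ID = "SUPER.SUPER"


@dataclass
class ProgramFile:
    path: str
    owner: str
    setuid: bool = False     # set-user-ID bit (counterpart of Guardian PROGID)


@dataclass
class Process:
    real_uid: str            # who logged on; fixed for the life of the process
    effective_uid: str = ""  # the PAID: what every access check is made against
    saved_uid: str = ""      # kept so a set-user-ID program can re-raise later

    def __post_init__(self):
        # At authentication all three attributes start as the logged-on user.
        self.effective_uid = self.effective_uid or self.real_uid
        self.saved_uid = self.saved_uid or self.effective_uid

    def fork(self):
        """A child inherits all three attributes unchanged."""
        return Process(self.real_uid, self.effective_uid, self.saved_uid)

    def exec(self, prog):
        """Replace the image: a set-user-ID file switches the effective and
        saved IDs to the file's owner; any other file leaves the effective ID
        alone and re-saves it, so an adopted ID survives into the new image."""
        if prog.setuid:
            self.effective_uid = prog.owner
        self.saved_uid = self.effective_uid
        return self

    def may_become(self, uid):
        """Unprivileged processes may only move between real and saved IDs."""
        return self.effective_uid == SUPER_ID or uid in (self.real_uid, self.saved_uid)

    def seteuid(self, uid):
        if not self.may_become(uid):
            raise PermissionError("%s cannot become %s" % (self.effective_uid, uid))
        self.effective_uid = uid
        return self

    def drop_privileges(self):
        """Permanently give up the adopted ID (setresuid-style): afterwards no
        seteuid can return to it, because the saved ID is gone too."""
        self.effective_uid = self.saved_uid = self.real_uid
        return self


def run_setuid_app(user, app):
    """The logon shell of `user` forks and execs a set-user-ID application."""
    return Process(user).fork().exec(app)
```

The same sequence is the one an application programmer should follow in a set-user-ID program: do the privileged work, then call drop_privileges() before running anything on the user's behalf, rather than relying on seteuid() back to the real ID, which leaves the saved ID available to regain.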
5 Concerns for the User This section discusses security concerns for all users of NonStop systems. Concerns for All Users In some work environments, an application program runs continuously but requires you to log on and present an individual password before beginning operations. The application program determines the range of operations you can perform. In other work environments, you might have to log on through the TACL command interpreter or the Safeguard software to run an application program.
Changing Your Password Concerns for the User When the Safeguard software controls the logon dialog, a security event-exit process can also participate in the logon procedure. This process allows a custom dialog to occur at your terminal. For more information about the logon dialog, see the Safeguard User’s Guide. Blind Logon Depending on how your system is configured, the TACL command interpreter might require you to enter your password on a different line from your user name (or user ID).
Protecting Your Terminal Concerns for the User Protecting Your Terminal Whenever you log on, be sure that no one discovers your password by watching your fingers as you type. After you are logged on, the system associates your user name with your operations. That is, the system checks that you are authorized to perform these operations. The system can also generate an audit trail of the transactions associated with your user name and password.
Concerns for the TACL User Concerns for the User After you log off, the system normally returns you to a TACL or Safeguard prompt. Verify that the system has returned you to the appropriate prompt to be sure the system has logged you off. If the application program logs you off, be sure to wait for evidence that the application has logged you off before you leave your terminal.
Privileged User Classes Concerns for the User This example shows a user name in which ROBIN is a member of the SALES administrative group: SALES.ROBIN Similarly, this example shows a user name in which PAT is a member of the SALES group: SALES.PAT The fact that Robin and Pat share administrative group membership also entitles them to privileges extended only to group members. For more information about these privileges, see Group Membership on page 5-7.
Privileged User Classes Concerns for the User A remote super ID has more restricted access to the local system. The remote super ID has only the privileges associated with a remote member of the super group. Privileges of the Super Group Super-group IDs (255,n), also called system-operator IDs, have the privileges needed to operate the system. For example, these operators can start and stop devices. The detailed privileges available to members of the super group are described in the Guardian manuals.
Group Membership Concerns for the User Group Membership Every user always belongs to an administrative group. Users can also belong to file-sharing groups. Administrative groups exist primarily to define and manage the user authentication records for users on your system. An administrative group must have a group number from 0 through 255. You are always a member of only one administrative group. Your user name and user ID are based on the name and number of your administrative group.
Group Membership Concerns for the User

GROUP.USER       USER-ID    SECURITY   DEFAULT VOLUME
SALES.JIM        147,001    GGGO       $BRIDGE.JIMT
SALES.KENOYE     147,002    NUNU       $PERSNL.KENOYE
SALES.USER       147,003    GGGG       $PERSNL.APLTUSER
 . . .
SALES.TRACY      147,064    NONO       $PERSNL.TRACY
SALES.MARCIA     147,067    NUNU       $DATAI.MARCIA
SALES.BOBM       147,190    AGGO       $BRIDGE.MARSHALL
SALES.PAT        147,255    NUNU       $ADM.PAT

Users from other administrative groups can be members of the SALES group for file-sharing purposes. File-sharing group membership is managed with the SAFECOM GROUP commands.
Privileges of Group Members Concerns for the User File-Sharing Groups If you belong to file-sharing groups, you can share access to files secured for group access by those groups. You can use the SAFECOM INFO USER command to view the entire list of groups to which you belong. For example, suppose your user name is SALES.ROBIN and you issue the following command: 4> SAFECOM INFO USER SALES.ROBIN, GROUP GROUP.USER STATUS SALES.
Guardian Security Concerns for the User

           CODE   EOF     LAST MODIFICATION     OWNER    RWEP
NOTES      101    21484   10-APR-90 15:16:56    147,36   "GOOO"

The security setting GOOO appears under the heading RWEP (read, write, execute, and purge). In this example, any local member of the owner's group (G) can read the file, but only the owner (O) can write, execute, or purge the file.
Guardian Security Concerns for the User You are a local user if you access the file from a local process. A local process is either:
• A process that has executed a successful logon call to the USER_AUTHENTICATE_ procedure (such as a TACL process that has executed such a call on behalf of a user entering a LOGON command)
• A process started from a local process on the same system
Any process that is not a local process is a remote process. For example, suppose MYFILE resides on system \SYS1.
Guardian Security Concerns for the User If your logon default security setting is restrictive (for example, OOOO, which limits access to you alone), you must resecure a new file to make it accessible to others. By using a restrictive security setting, you avoid the risk of forgetting to secure a sensitive file.
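An evaluator for Guardian RWEP security strings, covering the GOOO example above, the local/remote distinction, and the restrictive and default settings discussed in this section. This is an added example, not code from the manual or from the Guardian file system. The letters are interpreted as the text describes them: O owner, G owner's group and A any user, each for local access only; U owner, C owner's community (the owner's group) and N any user, each local or remote; "-" super ID only. The local super ID (255,255) is assumed to pass every check; group-manager rights are not modelled; owners and requesters are constructed samples.

```python
"""Evaluator for Guardian RWEP security strings.  Added example, not code from
the manual: letter meanings follow the text; the local super ID always passes
(assumed); group-manager rights are not modelled; samples are constructed."""

LETTERS = "-OUGCAN"


def letter_permits(letter, owner, requester):
    """owner is (group, user); requester has keys group, user and local."""
    who = (requester["group"], requester["user"])
    local = requester["local"]
    if local and who == (255, 255):
        return True                       # local super ID bypasses the string
    same_user = who == owner
    same_group = requester["group"] == owner[0]
    return {
        "-": False,                       # super ID only
        "O": local and same_user,         # owner, local
        "U": same_user,                   # owner, local or remote
        "G": local and same_group,        # owner's group, local
        "C": same_group,                  # owner's community, local or remote
        "A": local,                       # anyone local
        "N": True,                        # anyone, local or remote
    }[letter]


def is_security_string(security):
    s = security.strip('"').upper()
    return len(s) == 4 and all(c in LETTERS for c in s)


def parse_security(security):
    if not is_security_string(security):
        raise ValueError("security string must be four of %s: %r" % (LETTERS, security))
    return security.strip('"').upper()


def permits(security, owner, requester, operation):
    """operation is one of R, W, E, P (read, write, execute, purge)."""
    s = parse_security(security)
    return letter_permits(s["RWEP".index(operation.upper())], owner, requester)


def rights(security, owner, requester):
    """The set of operations the requester may perform, e.g. {"R"}."""
    return {op for op in "RWEP" if permits(security, owner, requester, op)}


def requester(group, user, local=True):
    return {"group": group, "user": user, "local": local}


# Constructed sample: the NOTES file above, owner 147,36, secured "GOOO".
OWNER = (147, 36)
```

Note how the same group member loses everything once the request is remote: GOOO and GUGU grant group access with G, which is local only, so a network user in group 147 needs a C (or N) letter to read the file.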
Erasing Purged Files With CLEARONPURGE Concerns for the User to GUGU, which gives your local group members read and execute authority to the new files you create. This new setting takes effect the next time you log on.

14> DEFAULT ,"GUGU"
THE DEFAULT file-security HAS BEEN CHANGED TO "GUGU".

Default File Security Settings When a process creates a file in the Guardian environment, the file inherits the file-creation security setting of that process.
TACL Process Security Concerns for the User for a new file, the information from the file remains on the disk, still readable by programs that examine the disk directly. Designate CLEARONPURGE for all sensitive files. For files not under Safeguard protection, CLEARONPURGE can be set through the FUP SECURE command or by a program using a SETMODE or SETMODENOWAIT procedure call.
Safeguard Access Control Lists (ACLs) Concerns for the User These commands create a Safeguard access control list (ACL) that implements these constraints:

17> SAFECOM
SAFEGUARD COMMAND INTERPRETER - T9750Xxx - (ddMMMyy)
=ADD DISKFILE myfile
=ALTER DISKFILE myfile, ACCESS (147,36, 10,20) (r,w)
=ALTER DISKFILE myfile, ACCESS (147,*) (r)

The following command displays the access control list:

=INFO DISKFILE myfile
$BOOKS1.
Encryption Concerns for the User Encryption You can also encrypt the contents of your files. Encryption ensures that the information is readable only by those who hold the key, because the algorithm itself is usually known. Encryption usually consists of:
• An encryption algorithm (which is usually known)
• A key (which is private)
HP does not provide a standard encryption package although such a package can be built with the Atalla A-5000 High Performance Security Module (HPSM).
Trojan Horses Concerns for the User
• People (especially recipients who do not ordinarily receive sensitive mail) often read mail without regard to who is standing near their terminals.
Suggestions for Using Electronic Mail The following suggestions can help you avoid divulging sensitive information through electronic mail:
• Use the subject line to alert recipients of sensitive messages. The recipient can then take care to read the message in private.
Securing Your TACLCSTM and TACL Macro Files Concerns for the User Report atypical symptoms such as:
• Your first attempt to log on is refused although you entered the correct user ID and password. In this case, a Trojan horse program might have displayed a TACL prompt on your terminal and waited for you to log on. When you tried to log on, you gave your secret password to the Trojan horse program.
• Someone other than you has relaxed the security of your files.
Search List Hazards Concerns for the User

21> FILEINFO TACLCSTM
$SALES.ROBIN
              CODE   EOF    LAST MODIFICATION    OWNER    RWEP
TACLCSTM      101    2896   27-APR-90 9:57:36    147,36   "OOOO"   {confirms security}

Also secure TACL macro files other than your TACLCSTM file. Otherwise, an intruder might insert commands that execute under your user ID when you execute the macros. In this example, you have macros in the file named TACLMACS.
Suggestions for Dial-Up Users Concerns for the User In addition to specific subvolume names, your search list can include #DEFAULTS, which designates your current subvolume. However, including #DEFAULTS in your search list can lead you to accidentally execute a Trojan horse program, especially if #DEFAULTS appears before $SYSTEM.SYSTEM in your search list. If you must use #DEFAULTS in your search list, put it after $SYSTEM.SYSTEM.
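A simulation of the search-list hazard just described, as an added example that is not code from the manual or from TACL: the resolver tries each subvolume in list order and runs the first file whose name matches, with #DEFAULTS standing for the current default subvolume, which is the behaviour the text describes. The subvolume names and the planted FUP are constructed samples.

```python
"""Search-list resolution and the #DEFAULTS ordering hazard.  Added example,
not from the manual: first matching subvolume wins (as the text describes);
subvolumes and file names are constructed samples."""

SYSTEM_SUBVOL = "$SYSTEM.SYSTEM"


def resolve(name, search_list, current_subvol, existing_files):
    """Fully qualified file that `name` resolves to, or None if not found."""
    for entry in search_list:
        subvol = current_subvol if entry == "#DEFAULTS" else entry
        candidate = subvol + "." + name
        if candidate in existing_files:
            return candidate
    return None


def hazards(search_list):
    """Ordering problems: #DEFAULTS ahead of $SYSTEM.SYSTEM lets a file in
    whatever subvolume you happen to be in shadow the real utility."""
    problems = []
    if "#DEFAULTS" in search_list:
        d = search_list.index("#DEFAULTS")
        if SYSTEM_SUBVOL not in search_list or d < search_list.index(SYSTEM_SUBVOL):
            problems.append("#DEFAULTS precedes %s" % SYSTEM_SUBVOL)
    return problems


# Constructed sample: a planted FUP in a shared subvolume the user works in.
FILES = {"$SYSTEM.SYSTEM.FUP", "$DATA.SHARED.FUP", "$DATA.SHARED.REPORT"}
RISKY = ["#DEFAULTS", "$SYSTEM.SYSTEM"]
SAFE = ["$SYSTEM.SYSTEM", "#DEFAULTS"]
```

With the risky order, typing FUP while your default subvolume is $DATA.SHARED runs the planted copy under your user ID; with $SYSTEM.SYSTEM first, the same command always reaches the real utility, and #DEFAULTS still serves your own files such as REPORT.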
Altering File and Directory Permissions Concerns for the User If the file has an associated ACL, the above display would contain an additional “+” sign to indicate the same: $ ls -l myfile2 -rwxr-xr-x+ 1 PROG.WILSON PROG 102 Jul 5 10:14 myfile2 The first string of characters in the display shows the permissions assigned to the file. The file permissions indicate that the owner, PROG.
Default File Security Concerns for the User $ chgrp PROJMGR myfile2 $ chmod g=rwx myfile2 $ ls -l myfile2 -rwxrwx--- 1 PROG.WILSON PROJMGR 102 Jul 6 11:20 myfile2 Default File Security OSS automatically assigns default permissions to your files and directories when they are created. To restrict the default permissions assigned to your files, you must establish a user mask with the umask command.
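The umask arithmetic behind the default permissions described here and in the OSS section above, as an added example (not code from the manual). A new file is requested with mode 666 and a new directory with 777, the usual POSIX creation modes, which are assumed to hold for OSS; every bit set in the user mask is cleared from that request. apply_umask() does the arithmetic and demonstrate() creates a real file and directory under a temporary path to confirm that the kernel agrees.

```python
"""Default permissions under umask.  Added example, not from the manual:
POSIX creation modes 666/777 are assumed for OSS."""
import os
import stat
import tempfile


def apply_umask(mask, is_directory):
    base = 0o777 if is_directory else 0o666
    return base & ~mask & 0o777


def mode_string(mode):
    """0o640 -> 'rw-r-----', the form ls -l prints."""
    return "".join(ch if mode & (0o400 >> i) else "-"
                   for i, ch in enumerate("rwxrwxrwx"))


def demonstrate(mask):
    """Create a file and a directory under `mask`; return their actual modes."""
    old = os.umask(mask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            f, d = os.path.join(tmp, "f"), os.path.join(tmp, "d")
            os.close(os.open(f, os.O_CREAT | os.O_WRONLY, 0o666))
            os.mkdir(d, 0o777)
            return (stat.S_IMODE(os.stat(f).st_mode),
                    stat.S_IMODE(os.stat(d).st_mode))
    finally:
        os.umask(old)      # never leave the process with a changed mask


def describe(mask):
    """Explain a mask in the terms the text uses: who keeps what by default."""
    fmode = apply_umask(mask, False)
    return {
        "file": mode_string(fmode),
        "directory": mode_string(apply_umask(mask, True)),
        "group_can_write": bool(fmode & 0o020),
        "others_can_read": bool(fmode & 0o004),
    }
```

A mask of 027 is the usual starting point for the /etc/profile setting the OSS section mentions: the owner keeps everything, the group can read but not write, and others get nothing, so a forgotten chmod never exposes a file outside the project group.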
6 Concerns for the Application Programmer An application programmer creates application programs, customized to an organization’s environment and business needs. The programmer must make the application secure. This section describes features available to you for creating secure applications.
Concerns for the Application Programmer Authentication User IDs Automatic Execution Through TACL The TACLCSTM file in the user’s default subvolume can be configured so that the user is placed directly into your application. For example, the last few lines of the TACLCSTM file for CLERK.ROBIN might be: RUN $DATA.APP.PROG LOGOFF Then, when CLERK.ROBIN successfully completes the logon procedure, the TACL process on Robin’s terminal executes the TACLCSTM file, which contains orders to execute the $DATA.APP.
Concerns for the Application Programmer Authentication User IDs Name Selection If you decide that the standard user IDs or aliases are satisfactory for your application, consult your security administration staff to work out the user names and user IDs for anyone who will use your application. Creating and Maintaining the Name Database The Guardian environment maintains the database for user IDs.
Concerns for the Application Programmer Application-Specific User IDs Application-Specific User IDs If you choose not to use standard user IDs, your application can use application-specific user IDs. Because the Guardian environment does not manage or interpret these user IDs, you have the full flexibility to design the syntax and semantics within your application. Thus, you can make the application's security as simple or as powerful as you need.
Concerns for the Application Programmer Application-Specific User IDs Using the Name Database to Authenticate a User At the beginning of your application, include algorithms to authenticate the user. For example, you might display a query screen that asks for the user’s name (as known to the application) and then a password. Ensure that the only way to reach any other portion of the program is to successfully complete this screen.
Concerns for the Application Programmer Security Management Guide —522283-008 6 -6 Application-Specific User IDs
7 Concerns for the System Administration Team The system administration team consists of a system manager, system programmers, and system operators although the titles of these functions can vary from one site to another. At a small installation, one person might perform all these functions. The system manager administers the system. A large network might have more than one system manager, but one person usually assumes overall responsibility for this function.
Concerns for the System Administration Team File-Sharing Groups entries allowed by the Safeguard implementation. The list can also be so large that determining the proper changes to the list when a user is added or deleted can be difficult or impossible. Proper selection of administrative groups and file-sharing groups can reduce this problem by having some of the ACLs refer to group permission rather than to individuals. Two common ways of assigning administrative groups:
• By function.
Concerns for the System Administration Team Multiple User Names for One Person evaluates an access control list entry that specifies all members of a particular group. For example, the entry 141,* on an access control list grants access to all members of group 141, including users who are file-sharing members of the group.
Concerns for the System Administration Team Super-Group User IDs regularly because they need to log on to each separate user ID to make the change.
• Common TACL macros, utility programs, and other files needed for each role tend to be loosely protected to make them easily accessible. These files can provide information helpful to an intruder.
• A user who has multiple IDs can establish TACL macros or programs that make it easy to switch roles.
Concerns for the System Administration Team Anonymous or Guest User IDs
• Log on as any user whose administrative group is group number 8 without knowing that user's password (unless the Safeguard PASSWORD-REQUIRED option is set)
• Create new users whose administrative group is group number 8 (unless the Safeguard OBJECTTYPE USER protection record has been defined otherwise)
• Delete the user authentication records for users whose administrative group is group number 8 (unless those group members are o
Concerns for the System Administration Team Removing a User From the System
• Enforce user-expiration dates on all user IDs and aliases. Then, from time to time, obtain a list of current authorized users from other department managers. Use this list to extend the expiration dates for current users, and allow the user IDs of those not specifically reported to expire.
Concerns for the System Administration Team Managing Passwords volumes named $SYSTEM and $DATA, and you plan to remove CLERK.CHRIS from the system, you can find Chris's files by entering these commands:

1> DSAP $SYSTEM, USER CLERK.CHRIS, DETAIL
  . (output from DSAP)
2> DSAP $DATA, USER CLERK.CHRIS, DETAIL
  . (output from DSAP)

To find OSS files owned by a specific user, use the find / -user command.
Concerns for the System Administration Team Password Reuse This command requires that a password be at least 36 characters long the next time a user changes the password. Use of this command is restricted to super-group members (or to members of the SECURITY-ADMINISTRATOR security group if that security group is defined). If the command is restricted, ask an authorized user to issue the command. The attribute PASSWORD-MAXIMUM-LENGTH specifies the maximum acceptable length of a password.
Password Change Periods Concerns for the System Administration Team The following command displays the user authentication record for CLERK.ROBIN: =INFO USER CLERK.ROBIN, GENERAL GROUP.USER USER-ID CLERK.
Concerns for the System Administration Team Physical Security Physical Security Weakness in the physical security of your computer installation can provide an easy avenue of intrusion. The following paragraphs discuss some of the more common areas where you should be concerned about physical security. The Computer Room Access to the equipment in the computer room can provide ample opportunity for both system intrusion and accidental or malicious system damage.
Concerns for the System Administration Team The Tape Units You might want to have a dedicated printer for sensitive information in a specially secured area, perhaps with card-key access required. The Tape Units Like all computer peripherals, protect tape units physically and procedurally from accidental and malicious damage. Unprotected, they offer an avenue of intrusion.
Concerns for the System Administration Team Additional External Passwords dial-up users) can call USER_AUTHENTICATE_ without consulting $CMON and thus deny $CMON the opportunity to provide additional authentication or auditing. Additional External Passwords Some systems demand an additional systemwide password during the dial-up logon sequence. The system password is roughly the dial-up equivalent of allowing physical access to the main work site.
Concerns for the System Administration Team Automatic Terminal Authentication that is heavily audited and alarmed, or have a method by which an operator can connect to a requested phone number. Automatic Terminal Authentication Some terminals can be programmed to hold an answer-back string of characters. By setting a terminal’s answer-back string to a value unknown to the user, you can create an additional authentication method.
Concerns for the System Administration Team Restricting Access to System Software For example, without adequate controls, an intruder might persuade you to install an update tape that you believe to contain legitimate software but that actually allows the intruder unlimited and undetected access to the system.
Operators and Privileges Concerns for the System Administration Team The following command displays the access control list:

=INFO DISKFILE PUP
$SYSTEM.SYS13                 LAST-MODIFIED        OWNER   STATUS
  PUP                         6JUL90, 9:29         255,0   THAWED
    255,001   E
    255,002   E
    255,255   E

If you perform a system load from a different subvolume, you would need to repeat the procedure, substituting that subvolume name in the VOLUME command.
Concerns for the System Administration Team Creating a Network User ID Creating a Network User ID The general procedure for creating a network user ID follows: 1. Establish identical user names and user IDs on all nodes to be accessed by the network user. 2. Log on to each user ID on each node and establish both a local password (which should be different for each node) and a set of remote passwords. For a given user, all remote passwords designating a given node must be identical.
Concerns for the System Administration Team Encrypting Data Between Nodes Encrypting Data Between Nodes With the standard network software, data moves between nodes without encryption. However, you might want to consider the Atalla A-5000 High Performance Security Module (HPSM) for encryption of sensitive data. For more information, see the High Performance Security Module (HPSM) User's Guide.
8 Concerns for the EDP Auditor This section is written for EDP auditors of NonStop systems. It addresses many issues that are unique to NonStop systems as well as some common auditing concerns. To audit a NonStop system effectively, you must have a user ID and password.
The Super ID Concerns for the EDP Auditor The Super ID Check that the super ID is not used for routine purposes. Determine how many people know the password for the super ID. Your policy should state who can have access to the super ID. If the Safeguard software is installed, the super ID can be frozen until needed. You can verify the status of the super ID with the INFO USER command.
Dial-Up Access Concerns for the EDP Auditor Dial-Up Access If your policy allows dial-up access to your system, check for a list of authorized dial-up users. Make sure only these users can dial up. Also check for special security mechanisms, such as call-back facilities, if your policy requires them. Network Security If your policy allows network user IDs, make sure only users who need access to the network have network IDs (and matching remote passwords).
User Expiration Concerns for the EDP Auditor User Expiration If your policy requires expiration for certain user IDs, such as contract and temporary employees, check the USER-EXPIRES attribute for the affected user IDs and their aliases. Ask the owner of the user ID to issue the following command: 6> SAFECOM INFO USER user-spec, DETAIL where user-spec is the user ID or user name in question. Use the SAFECOM INFO ALIAS command to check the expiration date for an alias.
User Knowledge of File Security Concerns for the EDP Auditor User Knowledge of File Security If users can control the security of their own files, determine whether they know how to change the security of their files. If they are using Guardian security strings to secure their files, they should be familiar with the FUP SECURE command and the significance of the characters in the security string.
Security Event Exits Concerns for the EDP Auditor Use PERUSE to check the output of the DSAP program. Review documentation for all PROGID programs. Make sure the programs are written so they perform only specified tasks. Make sure only specified users can execute PROGID programs. PROGID programs run under the user ID of the owner, not under the user ID of the person executing the program.
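A helper for two of the checks above, finding a departing user's files (the DSAP and find / -user step in Section 7) and reviewing PROGID programs, as an added example that is not code from the manual. It walks an OSS-style tree and reports every object owned by a numeric user ID, the set-user-ID and set-group-ID programs among them (the OSS counterpart of Guardian PROGID files, which keep running as their owner after that person has left), and any owned file that is world-writable. The set of reported conditions is this example's own choice; build_sample_tree() constructs the sample data in a temporary directory.

```python
"""Offboarding and PROGID review over an OSS-style tree.  Added example, not
from the manual; the sample tree is constructed in a temporary directory."""
import os
import stat
import tempfile


def owned_by(root, uid):
    """(relative path, mode) for every object under root owned by uid."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)            # lstat: do not follow symlinks
            except OSError:
                continue
            if st.st_uid == uid:
                found.append((os.path.relpath(path, root), st.st_mode))
    return sorted(found)


def removal_report(root, uid=None):
    """What must be reassigned or removed before uid disappears; uid defaults
    to the calling user so the sample below can be checked without privilege."""
    uid = os.getuid() if uid is None else uid
    owned = owned_by(root, uid)
    return {
        "owned": [p for p, _ in owned],
        "setid": [p for p, m in owned                       # PROGID-style programs
                  if stat.S_ISREG(m) and m & (stat.S_ISUID | stat.S_ISGID)],
        "world_writable": [p for p, m in owned
                           if stat.S_ISREG(m) and m & stat.S_IWOTH],
    }


def build_sample_tree():
    """Constructed sample: a private note, a set-user-ID program, a
    world-writable scratch file and an empty directory, all owned by the
    current user."""
    root = tempfile.mkdtemp(prefix="offboard-")
    for name, mode in (("notes.txt", 0o600), ("report", 0o4755), ("scratch", 0o666)):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    os.mkdir(os.path.join(root, "bin"))
    return root
```

The "setid" list is the one to act on first: reassigning ownership of such a program changes the ID it adopts, so every entry needs a documented decision (re-own, clear the bit, or purge) rather than a blanket chown.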
A Sample Policies A security policy should be a brief description of an organization’s goals regarding protection of information and computer resources. Specific procedures should be written to deal with issues such as adding users and securing objects. These procedures vary from department to department but should be consistent with the goals of the policy. This appendix presents two sample policies. Both policies address the protection goals of the organization.
Sample Policy 2 Sample Policies 2. All employees shall comply with the security requirements set forth by the Information Security Group. 3. Adherence to this policy shall be monitored by the EDP Audit Group. The EDP Audit Group shall issue periodic reports detailing the level of conformance to security requirements and issue exception reports whenever a serious violation occurs. Management shall be responsible for any corrective action recommended by the EDP Audit Group.
B How Passwords are Encrypted When the Safeguard PASSWORD-ENCRYPT configuration attribute is enabled, passwords are encrypted using the algorithm specified by the PASSWORD-ALGORITHM attribute. If the value of PASSWORD-ALGORITHM is set to DES, then passwords are encrypted using DES as a one-way encryption algorithm. If the value of PASSWORD-ALGORITHM is set to HMAC256, then passwords are encrypted using HMAC with SHA256 as a one-way hash algorithm. The system can verify passwords but cannot decrypt them.
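A name database with one-way password records, as an added example for the application-specific user IDs of Section 6 and for the HMAC256 option described here. This is not Safeguard's code or record format: the records use PBKDF2 over HMAC-SHA256 with a random per-record salt (the salt, the iteration count, the record layout and the lockout rule are this example's choices), and the point it shows is the one the appendix makes, that the database can confirm a password without ever being able to recover it.

```python
"""Application name database with one-way (HMAC-SHA256 based) password
records.  Added example, not Safeguard's code or format; salt, rounds, record
layout and lockout rule are this example's own choices."""
import hashlib
import hmac
import secrets

ROUNDS = 50_000


def make_record(password, salt=None, rounds=ROUNDS):
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return {"alg": "HMAC256", "salt": salt.hex(), "rounds": rounds, "digest": digest.hex()}


def verify(record, password):
    """Recompute the one-way value and compare in constant time."""
    if record.get("alg") != "HMAC256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["rounds"])
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


# Used for unknown names so response time does not reveal which names exist.
_DUMMY = make_record(secrets.token_hex(8))


class UserDatabase:
    """Name database for an application that does not use Guardian user IDs."""

    def __init__(self, max_failures=3):
        self.records = {}
        self.failures = {}
        self.frozen = set()
        self.max_failures = max_failures

    def add_user(self, name, password):
        if name in self.records:
            raise ValueError("duplicate user name: %r" % name)
        self.records[name] = make_record(password)

    def authenticate(self, name, password):
        record = self.records.get(name)
        if record is None:
            verify(_DUMMY, password)
            return False
        if name in self.frozen:
            return False
        if verify(record, password):
            self.failures[name] = 0
            return True
        self.failures[name] = self.failures.get(name, 0) + 1
        if self.failures[name] >= self.max_failures:
            self.frozen.add(name)     # like a frozen Safeguard user: an administrator must thaw it
        return False

    def thaw(self, name):
        self.frozen.discard(name)
        self.failures[name] = 0
```

Two properties worth checking in any such database: two records for the same password must differ (the salt is doing its job), and a stored digest must be useless to an intruder who reads the file, which is exactly what the appendix means by "can verify passwords but cannot decrypt them".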
C TACL Macros The following macros are intended only as examples of how to develop security macros. These examples might not work with all releases and configurations of the operating system. To use TACL routines, store them in a file and then use the LOAD command to load them into your TACL. Example 1. Snapshot Routine The following TACL snapshot routine captures major parameters that describe a collection of files. The routine then puts these descriptions in a snapshot file.
Example 2.
Example 3. Fapply Routine TACL Macros existence, code, eof, licensed, modification, owner, progid, security / [:^fullname] ] ] [#if (:^existence) == did file exist? |then| == yes -- check fields and report errors: :^check CODE :^check EOF :^check LICENSED :^check MODIFICATION :^check OWNER :^check PROGID :^check SECURITY |else| == no -- file disappeared #output [:^fullname] has been PURGED. ] ] #unframe == To invoke snapshotcheck, enter SNAPSHOTCHECK and the name of the snapshot file at the TACL prompt.
Example 4. Findone Routine TACL Macros == followed by existing file, or non-existing file? | 1 existingfile | #if [#argument /text :^template/ template] == exists, so start at that file | 2 nonexistingfile | #if [#argument /text :^template/ template] [#set :^curfile [#filenames /maximum 1, previous [:^curfile]/ [ ][:^template]] ] == does not exist...
Example 5. Lock Routine TACL Macros | otherwise | ] #unframe To use this macro, load it into your TACL along with the fapply routine. Then, to scan all files on $SYSTEM.SYSTEM (for example): 3> FAPPLY FINDONE $system.system.* Example 5.
Example 5. Lock Routine TACL Macros #set :^wrongs ???* ] == if user says "lock !", allow infinite wrong guesses #set :^prompt Password? #inputv /noecho/ :^pw1 :^prompt == fetch user's desired password [#if [#inputeof] |then| #raise EXIT ] == if ^Y on input, abort routine :^toascii :^pw1 == change ABC into 065066067 (and so on) [#if (not [#match ????????????* [:^pw1]]) |then| #output Password must be at least [ ]three characters... aborting.
Example 5. Lock Routine TACL Macros |then| #output Logging off... logoff/segrelease/ #logoff/segrelease/ [|if first one failed...
Glossary access control list (ACL). A list of subjects that are allowed access to a particular object. The list specifies the types of access allowed for all subjects on the list. The Safeguard software maintains access control lists for all objects under its protection. administrative group name. The Guardian name for a group of users who have the same administrative group ID. accountability. The ability to provide a correlation between an action and the individual responsible for that action. ACL.
auto logoff Glossary auto logoff. A process that terminates an interactive session after a preset number of minutes in which the terminal has been idle or unattended. backup. To copy online data to an offline storage media (such as tape) for safekeeping. baseline security. A minimal level of implemented security policies and procedures that is reasonable for a particular circumstance. biometrics. The use of personal characteristics, such as fingerprints or eye blood vessel prints, for user identification.
default security string Glossary default security string. A security string associated with a Guardian process that defines the initial security string for all files created by that process. See also logon default security string and security string. DES. Abbreviation for Data Encryption Standard. A standard method of encrypting a 64-bit block of data using a 56-bit key. dial-up. A telephone connection through standard (switched) telephone lines. directory.
external password Glossary external password. A secondary password provided for additional authentication when a person first establishes a terminal session. External passwords are usually system wide, and changed on a regular basis to prevent unauthorized access to the system. file permission bits. Information about a file that is used, along with other information, to determine whether a process has read, write, or execute/search permission to that file.
logoff Glossary logoff. To terminate an interactive session that began when a user logged on to the system. logon. To establish an interactive session and provide necessary authentication information (such as a user name and password). logon default security string. A security string associated with a user ID that becomes the default security string for each new logon by that user ID. See also default security string and security string. maintenance.
password expiration Glossary password expiration. A procedural technique whereby passwords become invalid after a certain time period or certain number of uses. Pathway. A collection of NonStop system tools that aid in designing and operating a terminal-based database application. peripheral. A device suitable for input or output, such as a terminal, printer, disk drive, or magnetic tape unit. physical security.
real user ID Glossary real user ID. An attribute of a process. When a process is created, the real user ID identifies the user or parent process that created the new process. The real user ID cannot be changed after process creation. reference monitor. The portion of the computer system responsible for granting user IDs access to objects. remote password. A character string used for user authentication when the user accesses another system on an Expand network. requester.
segregation of duties Glossary passwords. A file receives an initial security string from the default security string of the process that created the file. The security string can later be changed through FUP or a system procedure call. See also default security string and logon default security string. segregation of duties. The practice of separating roles within an organization, especially with regard to information processing.
system operator Glossary system operator. The person (or persons) responsible for the routine operations necessary to keep a system functioning. Such operations can include daily or weekly backups, performing a system load after an extended power outage, and handling user requests or questions. TACL. Abbreviation for HP Tandem Advanced Command Language, the user interface to the Guardian environment. TACL is both a command interpreter and a command language.
user name Glossary user name. A name (such as ADMIN.MATHEW) associated with a user or class of users. For each user name, there is a unique user ID, and for each unique user ID, there is a user name. warm start. Returning a system that is in dormant state to an active state. See also system load.
Index

A
Access authorities, Guardian 5-10
Access control lists
  example of 5-15
  using 3-12
  using DENY with 3-12
ACL Inheritance 4-6
ACL Notation 4-4
ACL Uniqueness 4-6
ACL-REQUIRED-DISKFILE attribute 3-22
ADD GROUP command 3-11
ADD TERMINAL command 3-10
ADD USER command 3-7
Adding users
  authority for 3-3
  description of 3-7
ADDUSER program, removing 3-2
Administrative groups
  and file-sharing groups 3-11
  defined 5-7
  displaying members 5-7
  managing 7-1
Aliases 3-10, 7-4
Answer-back string 7-13
Application progr

CLEARONPURGE
  for sensitive files 8-5
  setting with ALTER DISKFILE 3-16
  setting with FUP 5-14
  setting with SAFECOM 5-15
Command files 3-17
Configuration
  for logon attempts 3-8
  for subvolume security 3-16
  of passwords 3-9
Converting the USERID file 3-2
Critical disk files, securing 3-14
Critical processes, securing 3-15

E
Educating users 1-1
Effective group ID 4-7
Effective user ID 4-7
Electronic mail 5-16, 5-17
Emergencies requiring the super ID 2-22
EMS Message 2-17
Encryption
  of passwords 3-9
  of

FUP
  and licensing 2-9
  using to reassign orphan files 2-11
FUP SECURE command 5-11

Last logon date 5-3
Least privilege 1-2
Licensed programs
  control of 2-24
  copying, effect of 2-23
  detecting 2-25, 8-5
  hazards of 2-25
  security implications of 2-23
Licensing
  and the super ID 2-9, 2-21
  enabling and disabling 2-23
  for system files 2-9
  for trusted programs 2-9
Licensing FUP 2-9
Licensing PUP 2-9
Local user 5-11
Log files 3-18
Logging off 5-3
Logoff, automatic through TACLCSTM file 6-2
Logon and T

N
Network access 7-15
Network user IDs 7-15, 7-16, 8-3

O
Object code files 3-14
OBJECTTYPE DEVICE 3-3
OBJECTTYPE DISKFILE 3-3
OBJECTTYPE OBJECTTYPE 3-4
OBJECTTYPE records, controlling 3-4
OBJECTTYPE USER 3-3, 3-5
OBJECTTYPE VOLUME 3-3
Operator privileges 7-15
Optional ACL entries 4-5
Orphan files
  detecting 2-11
  disposition of 2-11
OSS
  Auditing 4-3
  directory permissions 4-3
  file permissions 4-3
  file security 4-7
  initial directory 4-1
Ownership for system files 2-9

P
PAID (process access ID) 2-24

Processes
  critical 3-15
  stopping 3-5
PROCESS_GETINFO_ system procedure call 2-6
PROCESS_SETINFO_ system procedure call 5-13
PROGID
  and system files 2-10
  audit consequences of 2-27, 8-5
  detecting 2-29, 8-5
  enabling and disabling 2-27
  for backups 2-20, 2-26
  for database control 2-27
  for super ID programs 2-21
  hazards of 2-27, 8-5
Protecting key definitions 5-19
Protecting printouts 5-3
Protecting your terminal 5-3
PUP and licensing 2-9
PURGE authority 5-10
Purge protection 3-5
PWCONFIG 2-14

R
READ

set 4-10
SETTIME 2-20
Set-group-ID permission bit 4-10
Set-user-ID permission bit 4-9
Sharing group resources 5-9
Software
  installation controls 7-13
  trusted 2-8
Specifying audit pools 3-21
Specifying audit recovery actions 3-21
Specifying security groups 3-21
Spooler, controlling 2-20
Stopping processes 3-5
Subvolumes
  advantages of securing 3-16
  configuration for security of 3-16
  CREATE authority for 3-16
  critical 3-15
  protection 5-15
Super ID
  abilities of 2-18
  and controlling applications 2-21
  a

User attributes
  DEFAULT-PROTECTION 3-7
  INITIAL-DIRECTORY 4-1
  USER-EXPIRES 3-7
User community
  and Safeguard 3-7
  verifying validity of 8-2
User education 1-1
User expiration
  example 3-7
  verifying existence of 8-4
User IDs
  and authentication 5-5
  freezing 3-10
  maintenance of 6-3
  removing 3-10, 7-6
  reusing 7-7
  syntax of 5-5
  using in applications 6-1
User mask 4-7
User names
  and authentication 5-4
  defined 2-3
  managing 7-1
  reusing 7-7
USERID file
  converting 3-2
  ownership of 2-9
  security of 2-9
USERS comm