Security Management Guide (G06.24+, H06.03+)
Concerns for the System Administration Team
Security Management Guide—522283-008
For example, without adequate controls, an intruder might persuade you to install an
update tape that you believe to contain legitimate software but that actually allows the
intruder unlimited and undetected access to the system.
Whenever you install new software or updates from computer vendors, use a checklist
of questions such as these to assess legitimacy:
• Did the software come through ordinary channels?
• Is the software documented in the way that is usual for the organization?
• If the software is an update, does it update the particular version of the software
  you already have?
• Are the installation instructions ordinary, or do they require you to expose your
  system security?
Be sure that access to the new software follows your organization’s security policy.
Exercise similar care when dealing with software created by your system programmers
or application programmers. Review their software carefully, especially if it performs
actions on behalf of other users or uses special privileges. Include the following
questions in your checklist:
• Was the software subjected to standard quality assurance and offline testing?
• Was the software reviewed and approved by management?
• Does the software require privileges for an obscure or unnecessary function?
Also include other questions appropriate to your environment.
Restricting Access to System Software
Not all organizations allow the entire user community access to the standard system
software. Depending on your organization’s security policy, you might be required to
restrict access so that only selected users or user groups can execute the software.
You can use standard Guardian protection to limit access to simple groups. However,
Safeguard access control lists can limit access to a very specific set of users.
For example, the following SAFECOM commands create a Safeguard access control
list that allows only the super ID (255,255) and the operators who have user IDs 255,1
and 255,2 to execute the PUP utility. (Although the super ID implicitly has execute
access to the file regardless of the access control list, it is included here to illustrate
that all three IDs can access the program.) Suppose $SYSTEM.SYS13 is the current
system subvolume.
=VOLUME $system.sys13
=ADD DISKFILE pup
=ALTER DISKFILE pup, LICENSE ON
=ALTER DISKFILE pup, ACCESS (255,1, 255,2, 255,255) E
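
The granularity difference described above, shown as an added Python illustration (not part of the guide and not HP code). It is a simplified model of local execute checks. The security-string meanings, the owner of PUP, and the user population are assumptions labelled in the comments.

```python
# Added illustration, not HP code: a simplified model of local execute checks.
SUPER_ID = (255, 255)            # super ID as given in the guide
OWNER = (255, 255)               # assumption: PUP is owned by the super ID
ACL = {(255, 1), (255, 2), (255, 255)}   # IDs from the SAFECOM example
# Constructed user population (group, member) for the comparison.
POPULATION = [(100, 7), (255, 1), (255, 2), (255, 3), (255, 255)]

def guardian_execute_allowed(user, owner, code):
    """One execute letter of a Guardian security string, local access only.

    Assumed meanings: '-' super ID only, 'O' owner, 'G' owner's group,
    'A' any local user. The network codes (U, C, N) are left out.
    """
    if code not in ("-", "O", "G", "A"):
        raise ValueError(f"unsupported code: {code!r}")
    if user == SUPER_ID:
        return True
    return {"-": False, "O": user == owner,
            "G": user[0] == owner[0], "A": True}[code]

def acl_execute_allowed(user, acl):
    """ACL check: listed IDs only; the super ID is implicit (per the guide)."""
    return user == SUPER_ID or user in acl

def tightest_guardian_code(required, owner, population):
    """Most restrictive code admitting every required user, plus who else gets in."""
    for code in ("-", "O", "G", "A"):
        if all(guardian_execute_allowed(u, owner, code) for u in required):
            extras = sorted(u for u in population
                            if u not in required
                            and guardian_execute_allowed(u, owner, code))
            return code, extras
    raise ValueError("no code admits all required users")

def acl_extras(acl, population):
    """Users the ACL admits beyond those it lists (expected: none)."""
    return sorted(u for u in population
                  if u not in acl and acl_execute_allowed(u, acl))

if __name__ == "__main__":
    code, extras = tightest_guardian_code(ACL, OWNER, POPULATION)
    print("tightest Guardian execute code:", code, "also admits:", extras)
    print("ACL also admits:", acl_extras(ACL, POPULATION))
```

In this model the tightest Guardian setting that still covers both operators is group-wide, so every other member of group 255 can also execute the program, while the access control list admits only the listed IDs.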