Security Management Guide (G06.24+, H06.03+)
Concerns for the EDP Auditor
Security Management Guide—522283-008
The Super ID
Check that the super ID is not used for routine purposes. Determine how many people
know the password for the super ID. Your policy should state who can have access to
the super ID.
If the Safeguard software is installed, the super ID can be frozen until needed. If
this is your company’s policy, verify the status of the super ID by having its owner
issue the INFO USER command:
1> SAFECOM INFO USER 255,255
Privileged IDs
Check that the capabilities of other privileged IDs (such as the super group and group
managers) are consistent with your security policy. If the Safeguard software is used,
make sure any special authorities granted by OBJECTTYPE commands and by
membership in security groups are also appropriate. You can check OBJECTTYPE
authorities with the SAFECOM INFO OBJECTTYPE commands. You can determine
membership in the security groups with the INFO SECURITY-GROUP command. For
more information, see the Safeguard Reference Manual.
Segregation of Duties
If your security policy encourages segregation of duties (and it should), check that the
system’s security mechanisms enforce it. Safeguard mechanisms, such as
OBJECTTYPE authorization and membership in security groups, can be used to
enforce segregation of duties.
The User Community
Check a listing of user IDs against employee listings (of permanent, temporary, and
contract employees). Make sure each user’s privileges are authorized by the security
policy. Also check that user IDs for terminated employees have been deleted.
To get a listing of all user IDs on your system:
2> USERS /OUT outfile/ *.*
where outfile is the name of a file where you want the listing to go.
To copy the listing to a printer:
3> FUP COPY outfile, device
where device is the name of the print device.
Check for the existence of the user ID 0,0 (NULL.NULL) and user ID 0,255. If present,
remove them unless they are specifically required by the security policy.
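One way to automate the reconciliation described in this section, as an added example that is not part of the guide or of any HP software: a Python script, run off-host on a copy of outfile, that flags user IDs with no employee record, the 0,0 and 0,255 IDs, and the privileged IDs to review. The listing layout (a GROUP.USER name followed by a numeric group,user ID on each line), the roster set, and all function names are assumptions.

```python
import re

# Assumption: each user line of the saved listing carries a GROUP.USER name
# followed by its numeric "group,user" ID. Lines without both are skipped.
USER_LINE = re.compile(r"([A-Z0-9]+)\s*\.\s*([A-Z0-9]+)\s+(\d{1,3}),(\d{1,3})\b")

def parse_listing(text):
    """Map (group_no, user_no) -> 'GROUP.USER' for every user line found."""
    users = {}
    for line in text.upper().splitlines():
        m = USER_LINE.search(line)
        if m:
            users[(int(m[3]), int(m[4]))] = f"{m[1]}.{m[2]}"
    return users

def audit(listing_text, roster):
    """Return (id, name, finding) tuples; roster holds names of current staff."""
    roster = {name.upper() for name in roster}
    findings = []
    for (g, u), name in sorted(parse_listing(listing_text).items()):
        uid = f"{g},{u}"
        if (g, u) in ((0, 0), (0, 255)):       # IDs the guide says to remove
            findings.append((uid, name, "REMOVE_UNLESS_REQUIRED"))
            continue
        if name not in roster:                  # e.g. a terminated employee
            findings.append((uid, name, "NOT_IN_EMPLOYEE_LISTING"))
        if (g, u) == (255, 255):                # privileged IDs to review
            findings.append((uid, name, "SUPER_ID"))
        elif g == 255:
            findings.append((uid, name, "SUPER_GROUP_MEMBER"))
        elif u == 255:
            findings.append((uid, name, "GROUP_MANAGER"))
    return findings

# Constructed sample listing and roster (not output from a real system).
SAMPLE_LISTING = """\
GROUP  . USER       I.D. #
NULL   . NULL         0,0
ADMIN  . JSMITH       1,12
ADMIN  . MANAGER      1,255
PAYROLL. TEMP01       5,3
SUPER  . OPER       255,10
SUPER  . SUPER      255,255
"""
SAMPLE_ROSTER = {"ADMIN.JSMITH", "ADMIN.MANAGER", "SUPER.OPER", "SUPER.SUPER"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_LISTING, SAMPLE_ROSTER):
        print(*finding, sep="  ")
```

Privileged-ID findings are prompts for review against the security policy, not errors in themselves.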