Security Management Guide (G06.24+, H06.03+)

Concerns for the EDP Auditor
Security Management Guide 522283-008
User Expiration
If your policy requires expiration for certain user IDs, such as contract and temporary
employees, check the USER-EXPIRES attribute for the affected user IDs and their
aliases. Ask the owner of the user ID to issue the following command:
6> SAFECOM INFO USER user-spec, DETAIL
where user-spec is the user ID or user name in question.
Use the SAFECOM INFO ALIAS command to check the expiration date for an alias.
Be sure the value of the USER-EXPIRES attribute is consistent with your security
policy.
$CMON
$CMON programs can monitor and control requests to the command interpreter, such
as logon requests and explicit or implicit RUN commands. However, requests made
through other programs, such as TEDIT, are not monitored by $CMON.
If your system has a $CMON program, it can help as a source of an audit trail,
depending on how it is written. Review a listing of the code and any relevant
documentation.
Check if the object code file for the $CMON program is protected. If it is protected with
a Guardian security string, WRITE authority should be restricted (preferably to the
owner only). If it is protected with a Safeguard access control list, READ and WRITE
authority should be limited to programmers who are responsible for maintaining the
code.
For more information on $CMON, see the Guardian Programmer’s Guide.
Permissive Security
Check for objects with permissive security settings, such as a file with a Guardian
security string of AAAA or NNNN. Make sure such a setting is appropriate for these
objects.
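The security-string check described above, together with the stricter WRITE rule given earlier for the $CMON object file, as an added example that is not part of this guide. The input layout and file names are constructed and hypothetical; the meaning of each character follows standard Guardian file security (READ, WRITE, EXECUTE, PURGE in that order).

```python
# Added example, not from the guide: decode Guardian security strings and
# list the settings an auditor should review.
WHO = {
    "A": "any local user",
    "N": "any local or remote user",
    "G": "local members of the owner's group",
    "C": "local or remote members of the owner's group",
    "O": "the local owner",
    "U": "the local or remote owner",
    "-": "the local super ID only",
}
OPS = ("READ", "WRITE", "EXECUTE", "PURGE")

def decode(rwep):
    """Map a 4-character security string to {operation: who may perform it}."""
    if len(rwep) != 4 or any(c not in WHO for c in rwep):
        raise ValueError(f"not a Guardian security string: {rwep!r}")
    return dict(zip(OPS, (WHO[c] for c in rwep)))

def review(name, rwep, owner_write_only=False):
    """Return review notes for one file.

    owner_write_only applies the guide's preference for the $CMON object
    file: WRITE authority restricted to the owner.
    """
    access = decode(rwep)
    notes = []
    for op, code in zip(OPS, rwep):
        if code in "AN":  # open to everyone, as in AAAA or NNNN
            notes.append(f"{name}: {op} open to {access[op]}")
        elif op == "WRITE" and owner_write_only and code not in "OU-":
            notes.append(f"{name}: WRITE not limited to owner ({access[op]})")
    return notes

def audit(listing, owner_write_only=()):
    """Review every '<file name> <security string>' line in listing."""
    notes = []
    for line in listing.strip().splitlines():
        name, rwep = line.split()
        notes += review(name, rwep, name in owner_write_only)
    return notes

# Constructed sample; not the output format of any system utility.
SAMPLE = """
$VOL1.SECURE.CMONOBJ   OGOO
$DATA1.PAYROLL.MASTER  AAAA
$DATA1.APPS.REPORT     NONO
$DATA1.APPS.TOOLS      GOGO
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, owner_write_only={"$VOL1.SECURE.CMONOBJ"})))
```

A flagged line is a prompt to confirm the setting is appropriate for that object, not proof of a violation.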
If users or aliases on your system use the Safeguard DEFAULT-PROTECTION
attribute, check if they have default access control lists that are too permissive. To
check a user’s DEFAULT-PROTECTION setting, ask the owner of the user record to
issue the following command:
7> SAFECOM INFO USER user-spec, DETAIL
where user-spec is a user ID or user name.
For more information on DEFAULT-PROTECTION, see the Safeguard Administrators
Manual.