Manualshelf

Security Management Guide (G06.24+, H06.03+)

ManualsBrandsHP ManualsServerHP NonStop G-Series
31323334353637383940
Guardian System Security
Security Management Guide522283-008
2-10
Setting System Files to PROGID
Setting System Files to PROGID
Normally you should not run system programs as PROGID programs. Possible
exceptions to this rule involve copies of the BACKUP and RESTORE programs.
Default Security for User Files
Determine default security for user files on a user-by-user basis. Such assignments
should be consistent with your organizations policies.
The safest (and most restrictive) approach in the Guardian environment is to set all
user defaults to local owner only for all permissions (that is, OOOO). Then only
deliberate action can make a new file available to users other than the owner, the
owners group manager, or the super ID.
Checking Default Security
Issue the USERS command to check a users default security setting. You might find
security settings that allow newly created files to be examined and possibly modified.
You might also find default security strings in violation of your organization’s policy. For
example, consider the output of this USERS command:
1> USERS SUPER.*
GROUP . USER I.D. # SECURITY DEFAULT VOLUMEID
.
.
.
SUPER .PAT 255,015 NUNU $SPOOL.PAT
SUPER .ROBIN 255,200 AAAA $SPOOL.ROBIN
SUPER .SERVICE 255,253 NNNN $SPOOL.CEAIDS
SUPER .SPOOL 255,030 AAAA $SPOOL.SPOOLER
.
.
.
In the SECURITY column, you can see that SUPER.ROBIN and SUPER.SPOOL have
a default security setting that allows anyone on the local system to write to or purge
newly created files. An intruder might access these files to advantage. Similarly, the
user ID SUPER.SERVICE creates files that could be written to or purged by any
network user.
Examine the output of the USERS command. Or place the output in a text file and use
an editor’s column search feature to delete all lines where the default security is
acceptable. This method creates a list of users whose default security should be
revised.
Changing Default Security
Users can change their default security using the DEFAULT program. A user’s group
manager or the super ID can also change the user’s default security string. However,
the user’s group manager or the super ID must first log on as the user to change the