Security Management Guide (G06.24+, H06.03+)

Safeguard System Security
Security Management Guide 522283-008
Perhaps you want general users to be able to add Safeguard protection records for
their own files. If so, do not create an OBJECTTYPE DISKFILE authorization record.
Otherwise, only users on the OBJECTTYPE DISKFILE access control list can add
Safeguard protection records for disk files. Also, anyone on this access control list can
protect files regardless of ownership. Unless your security policy expresses a need for
OBJECTTYPE DISKFILE, avoid using it.
Controlling the OBJECTTYPE Records
Any super-group user can create OBJECTTYPE authorization records, such as
OBJECTTYPE USER or OBJECTTYPE DEVICE. You might want to limit this capability
to a few trusted users. If so, add an OBJECTTYPE OBJECTTYPE authorization record
with an access control list that contains only those trusted users.
For example, this command, entered through SAFECOM, gives two users the authority
to create OBJECTTYPE authorization records of any type:
=ADD OBJECTTYPE OBJECTTYPE, ACCESS (sec.admin, sec.alt) C
Membership in Security Groups
You can create a SECURITY-ADMINISTRATOR security group, SYSTEM-OPERATOR
security group, and SECURITY-OSS-ADMINISTRATOR security group through
SAFECOM. If you create these security groups, only members of those groups can
perform certain functions normally reserved for super-group members. Limit the size of
security groups. However, be sure to specify at least two members for each group to
cover vacations and emergencies.
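The rules above, from the absence of an OBJECTTYPE DISKFILE record through the two-member minimum for security groups, can be expressed as a small decision model and audit check. This is an added example, not code from the guide or from Safeguard; the data layout, the function names, and the user names other than sec.admin are assumptions, and the model covers only the rules stated in this section.

```python
from dataclasses import dataclass, field

@dataclass
class SafeguardModel:
    # OBJECTTYPE name -> users with CREATE (C) authority on its access control list.
    # A missing key means no authorization record of that type exists.
    objecttype_acl: dict = field(default_factory=dict)
    # Security group name -> member user names.
    security_groups: dict = field(default_factory=dict)

def can_add_diskfile_record(model, user, file_owner):
    """May `user` add a protection record for a disk file owned by `file_owner`?"""
    acl = model.objecttype_acl.get("DISKFILE")
    if acl is None:
        return user == file_owner   # no record: general users protect their own files
    return user in acl              # record exists: the ACL decides, ownership is ignored

def can_create_objecttype_record(model, user, in_super_group):
    """May `user` create OBJECTTYPE authorization records?"""
    acl = model.objecttype_acl.get("OBJECTTYPE")
    if acl is None:
        return in_super_group       # no record: any super-group user
    return user in acl              # record exists: only the listed trusted users

def audit(model):
    """Return findings for the conditions this section advises against."""
    findings = []
    if "DISKFILE" in model.objecttype_acl:
        findings.append("OBJECTTYPE DISKFILE exists: its ACL members can protect "
                        "files regardless of ownership")
    if "OBJECTTYPE" not in model.objecttype_acl:
        findings.append("no OBJECTTYPE OBJECTTYPE record: any super-group user "
                        "can create OBJECTTYPE records")
    for group, members in sorted(model.security_groups.items()):
        if len(set(members)) < 2:
            findings.append(f"{group}: fewer than two members")
    return findings

# Constructed sample configuration; user names other than sec.admin are made up.
SAMPLE = SafeguardModel(
    objecttype_acl={"DISKFILE": {"ops.backup"}},
    security_groups={
        "SECURITY-ADMINISTRATOR": ["sec.admin"],
        "SYSTEM-OPERATOR": ["ops.day", "ops.night"],
    },
)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The model does not query Safeguard; fill it from your own inventory of authorization records and security group membership.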
Members of the Safeguard SECURITY-ADMINISTRATOR security group can configure
the Safeguard subsystem, add terminals to the Safeguard database (for authentication
control), manage the audit service, manage an event-exit process, and stop the
Safeguard subsystem.
Members of the Safeguard SYSTEM-OPERATOR security group can freeze and thaw
Safeguard terminals and issue selected audit service commands.
Members of the SECURITY-OSS-ADMINISTRATOR security group are granted
additional OSS security management privileges over normal users. Membership is
flagged in the user’s environment during initial logon.
The SECURITY-OSS-ADMINISTRATOR security group designates a list of users that
are granted additional OSS security management privileges over normal users for the
operations on directories:
acl(ACL_SET)
chown(2)
chmod(2)
chdir(2)
opendir(3)