Security Management Guide

Abstract

This guide for security administrators discusses ways to use Guardian and Safeguard security features to control access to HP NonStop™ systems.

Product Version: Safeguard G07, H05

Supported Release Version Updates (RVUs): This publication supports J06.03 and all subsequent J-series RVUs, H06.08 and all subsequent H-series RVUs, and G06.29 and all subsequent G-series RVUs, until otherwise indicated by its replacement publications.

Document History

Part Number   Product Version      Published
522283-012    Safeguard G07, H04   June 2008
522283-013    Safeguard G07, H04   July 2008
522283-014    Safeguard G07, H04   August 2009
522283-017    Safeguard G07, H04   May 2010
522283-019    Safeguard G07, H05   February 2011
522283-021    Safeguard G07, H05   August 2012

Legal Notices

Copyright 2012 Hewlett-Packard Development Company L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
What's New in This Manual

Changes to the H06.22/J06.11 manual

Updated the Safeguard product version on page -1. Updated PWCONFIG Utility on page 2-14 to add support for PSWDMINLOWERCASEREQ, PSWDMINUPPERCASEREQ, PSWDMINNUMERICREQ, PSWDMINSPECIALCHARREQ, PSWDALPHAREQ, and PSWDMINALPHAREQ. Added information on the SECURITY-PRIV-ADMINISTRATOR security group in Membership in Security Groups on page 3-4.
About This Manual

Both the HP NonStop operating system environment and the Safeguard subsystem provide tools to help you secure your system. This manual suggests ways of using these tools.

Who Should Use This Manual

Sections 1 through 4 of this manual are intended for the security administrator. A security administrator helps to develop and implement a security policy to ensure the integrity of information within the data-processing organization.

Table i. Summary of Contents (page 2 of 2)

Appendix B, How Passwords are Encrypted
    Explains how passwords are encrypted on a NonStop system.
Appendix C, TACL Macros
    Provides examples of HP Tandem Advanced Command Language (TACL) macros to be used when developing security macros.
Appendix D, HP-Supplied Files with LICENSE and PROGID Attributes
    Lists the HP-supplied files that have the LICENSE and PROGID attribute set.
Suggested Reading

TACL Programming Guide

OSS Environment
    Open System Services User's Guide
    Open System Services Management and Operations Guide
    Open System Services Shell and Utilities Reference Manual
    Open System Services System Calls Reference Manual

Atalla Security Tools
    Atalla Key Block Banking Command Reference Manual
    Installation and Operations Guide for Atalla NSP Series Products

General Security*
    Security, Accuracy, and Privacy in C
    Computer Security Handbook, 4th Edition, S. Bosworth and M. Kabay, John Wiley and Sons, April 2002.
    Managing Information Security Risks: The OCTAVE Approach, C. Alberts and A. Dorofee, Addison Wesley Professional, July 2002.

* The Hewlett-Packard Company, together with its subsidiaries and affiliates (collectively "HP") has provided the reading lists suggested herein solely for informational purposes and for no other purpose.
Notation Conventions

General Syntax Notation

italic computer type. Italic computer type letters within text indicate C and Open System Services (OSS) variable items that you supply. Items not enclosed in brackets are required. For example:

    pathname

[ ] Brackets. Brackets enclose optional syntax items. For example:

    TERM [\system-name.]$terminal-name
    INT[ERRUPTS]

A group of items enclosed in brackets is a list from which you can choose one item or none.

Quotation marks around a symbol such as a bracket or brace indicate the symbol is a required character that you must enter as shown. For example:

    "[" repetition-constant-list "]"

Item Spacing. Spaces shown between items are required unless one of the items is a punctuation symbol such as a parenthesis or a comma. For example:

    CALL STEPMOM ( process-id ) ;

If there is no space between two items, spaces are not permitted.

Notation for Messages

The following list summarizes the notation conventions for the presentation of displayed messages in this manual.

Bold Text. Bold text in an example indicates user input entered at the terminal. For example:

    ENTER RUN CODE
    ?123
    CODE RECEIVED: 123.00

The user must press the Return key after typing the input.

Nonitalic text. Nonitalic letters, numbers, and punctuation indicate text that is displayed or returned exactly as shown.

| Vertical Line. A vertical line separates alternatives in a horizontal list that is enclosed in brackets or braces. For example:

    Transfer status: { OK | Failed }

% Percent Sign. A percent sign precedes a number that is not in decimal notation. The % notation precedes an octal number. The %B notation precedes a binary number. The %H notation precedes a hexadecimal number.
1 Introduction

Security is more than just system controls. Security for your site should also include user training, security procedures customized for each department, and physical controls if necessary. A security policy should guide all of the security-relevant activities of your organization. This section provides guidelines to help you develop a security policy and security procedures. It also introduces extended security features provided by the Safeguard software.

Consider these practices and concepts when developing security programs and procedures for your site:

    Least privilege access
    Segregation of duties
    Proper physical security
    Security practice review

Least Privilege

Least privilege dictates that each user access the system based on user need.

System Access Control

Four major components of system access control:

Authentication. The process of ensuring accurate user identification. Authentication might involve the use of passwords or more advanced measures such as biometrics or the Atalla Challenge-Response unit.

Authorization. The process of controlling access to resources on the system.

Reasons to Use Safeguard Features

    Users and aliases can be temporarily frozen to prevent access to the system.
    Special user groups can be defined independent of user definitions. These groups can be used to facilitate file-sharing, particularly in the OSS environment.
    Password management features allow you to specify attributes such as password expiration and password minimum length.
2 Guardian System Security

The security of an application for a NonStop system depends on both the protection designed into it and the protection offered by the Guardian environment. This section provides an overview of Guardian security features as well as guidance on how to use these features to help secure your system. For more information about security features and other Guardian utilities, see the Guardian User's Guide.

Guardian User Security

Table 2-1. Security-Relevant Commands and Programs

Command or Program   Function
ADDUSER              Adds new users to the system (User ID must be n,255.)
DEFAULT              Sets system, volume, subvolume, and disk-file default security attributes (RWEP)
DELUSER              Deletes users from the system (User ID must be n,255.)
Identifying System Users

Each system user has a unique user name and user ID. A user name is in the form:

    group-name.member-name

where group-name is the name of the administrative group to which the user belongs and member-name identifies the individual user within the group.

Guardian File Security

The Guardian security specifier is a four-character string. Each position in the string sets the security for one of four disk file operations:

    RWEP

The first position (R) specifies who can read the file. The second position (W) specifies who can write to the file. The third position (E) specifies who can execute the file. The fourth position (P) specifies who can purge the file.

Additionally, the FILEINFO and FUP INFO commands display the owner of a file. To transfer ownership, the owner can issue the FUP GIVE command to specify a new owner.

Guardian Process Security

The Guardian environment provides security features that protect and restrict access to and by running processes. These features include several process attributes that identify a process and control process access.
Guardian Network Security

Users can be granted access to more than one node and can have access authority for remote objects. A user who can access objects on one or more remote nodes is called a network user. Defining a network user requires that the user be given the same user name, user ID, and remote password at both nodes.

Owning System Files

Referring to the recommended settings in the first column of Table 2-4, set the position marked x to A, N, G, or C:

    A   All local users can access the file.
    N   All network users can access the file.
    G   Only local group members can access the file.
    C   Only network group members can access the file.

... of a Trojan horse for the legitimate file. For more information, see Trojan Horses on page 7-17. Because purge capability might be needed for the RESTORE program, you can provide a copy of RESTORE with PROGID set to the super ID. Restrict this copy so only super-group users have EXECUTE authority.

Licensing System Files

The security administrator should be aware of every licensed file.
    SUPER.PAT        255,015   NUNU   $SPOOL.PAT
    SUPER.ROBIN      255,200   AAAA   $SPOOL.ROBIN
    SUPER.SERVICE    255,253   NNNN   $SPOOL.CEAIDS
    SUPER.SPOOL      255,030   AAAA   $SPOOL.SPOOLER

In the SECURITY column, you can see that SUPER.ROBIN and SUPER.SPOOL have a default security setting that allows anyone on the local system to write to or purge newly created files. An intruder might access these files to advantage. Similarly, the user ID SUPER.

Disposition of Orphan Files

    Disc Space Analysis Program -- T9074Xnn - (ddMMMyy)
    Summary of space use for ????????.???????? on $SYSTEM
    No files allocated.

The output from DSAP shows that the user 254,10 does not own any files on $SYSTEM, so the disk is free from any orphan files owned by that user. If DSAP finds any files owned by the user ID in question, DSAP displays those files. You must determine what to do about orphan files.
Optional Security Features

These features are available to the user in the PASSWORD program by setting the BINDER option:

Note. The BINDER option is not supported on systems running G06.29 and later G-series RVUs and H06.06 and later H-series RVUs.

    BLINDPASSWORD
    MINPASSWORDLEN
    ENCRYPTPASSWORD
    PROMPTPASSWORD

Note. These options were not previously documented although they were available in the PASSWORD program.

Be careful when setting the BINDER option.

... password length. To use these features (password encryption and password minimum length check) and to overcome this limitation, instead of setting the PASSWORD program's ENCRYPTPASSWORD option, set the Safeguard subsystem's PASSWORD-ENCRYPT attribute. This approach enables Safeguard to enforce the minimum length for the password if the PASSWORD-MINIMUM-LENGTH attribute is set.

PWCONFIG Utility

Note. The BINDER option is not supported on systems running G06.29 and later G-series RVUs and H06.06 and later H-series RVUs.

The procedure to set the BINDER option is:

Note. If you do not feel comfortable executing this procedure, contact the Global Mission Critical Solution Center (GMCSC) for assistance.
    BLIND   prompts for the old and new passwords. The passwords are not displayed on the screen.
    ECHO    prompts for the old and new passwords. The passwords are echoed on the screen.
    OFF     reads the new password from the command line.

The default value is BLIND.

ENCRYPTPASSWORD specifies whether passwords are to be encrypted. This attribute is similar to the Safeguard configuration attribute, PASSWORD-ENCRYPT.

... configuration attribute, PASSWORD-MINIMUM-LENGTH. The value of the attribute can be greater than eight only when the ALGORITHM is HMAC256; it is between 0 and eight when the ALGORITHM is DES or CLEAR. The syntax for the MINPASSWORDLEN attribute is:

    PWCONFIG MINPASSWORDLEN { n }

n specifies the minimum length allowed when the passwords are changed. n is an integer from 0 through 64. 0 indicates that NULL passwords are acceptable.

INFO displays the current password configuration information.

    PWCONFIG INFO

PWCONFIG-INFO returns the current password configuration.

    PSWDUPPERCASEREQ
    PSWDLOWERCASEREQ
    PSWDNUMERICREQ
    PSWDSPECIALCHARREQ
    PSWDALPHAREQ
    PSWDSPACESALLOWED
    PSWDMINQUALITYREQ
    PSWDMINUPPERCASEREQ
    PSWDMINLOWERCASEREQ
    PSWDMINNUMERICREQ
    PSWDMINSPECIALCHARREQ
    PSWDMINALPHAREQ

Note. PSWDMINLOWERCASEREQ, PSWDMINUPPERCASEREQ, PSWDMINNUMERICREQ, PSWDMINSPECIALCHARREQ, PSWDALPHAREQ, and PSWDMINALPHAREQ are supported only on systems running on J06.11 and later J-series RVUs and H06.

When Safeguard is not installed on the system, the following EMS message is displayed if the password configuration attribute is altered using the PWCONFIG program.

    \.$SYSTEM.SYSnn.

When Safeguard is installed on the system, the following EMS message is displayed if the password configuration attribute, PSWDUPPERCASEREQ, is altered using the PWCONFIG program.

    .$SYSTEM.SYSnn.
Managing the Super ID

The super ID is user ID 255,255. Managing its use is crucial to protecting a NonStop system because the super ID bypasses the protective restrictions that the operating system applies to other users. In general, the less you rely on the super ID, the more secure your system is.

Abilities of the Super ID

The super ID sets up a system initially and resolves system emergencies. It is not intended for routine operational use.

Operating Without the Super ID

If no CIIN file was specified when the system was generated, you can perform a system load from the system console. The system console operator becomes the super ID and can then add the super ID to the USERID file. If a CIIN file was specified when the system was generated, you must perform a system load from a tape. The USERID file on the tape contains an entry for the super ID.

Tasks That Require the Super ID

Starting and Stopping TMF

To start or stop HP NonStop Transaction Management Facility (TMF) requires only that the user be logged on as a super-group user and have execute access to TMFCOM. To clear the TMF configuration or the TMF catalog (through DELETE TMF or DELETE CATALOG) requires that the user be logged on as the super ID.

Licensing Programs

For more information, see Licensing Programs on page 2-24.

Setting PROGID to Super ID

The super ID must set PROGID for programs that need to run under the super ID. Examples of this strategy are given for BACKUP and INSTALL earlier in this section. For more information, see PROGID Programs on page 2-28.

Initializing NonStop SQL/MP

The super ID is needed to initialize HP NonStop SQL/MP and to reinitialize subsequent RVUs.
Controlled and Orderly Access to Resources

The operating system uses privileged operations to control access to hardware and certain software resources. The operating system prevents user programs and terminal users from directly performing privileged operations. When a user program needs to perform a privileged operation (for example, when accessing a disk or terminal), it must request that the operating system perform the operation.

Limiting Access to HP Licensed Programs

    Execute ordinary instructions using privileged addressing modes, thus permitting references to system global (SG) data space
    Execute procedures that have either the PRIV or CALLABLE attribute

Although the operating system needs these privileges to perform work on behalf of users, if an intruder's program is licensed, the intruder can:

    Modify protected memory areas containing a program's instructions and data, without leaving ev

General Comments

Compilation and Binding

To assure that the source code matches the actual object program, the system manager should perform the compiling and binding operations.

Testing

Test the program to ensure that it does not perform or allow any actions that would be considered security violations. This test is usually done by the security-administration staff.

Detecting Licensed Programs

To list the names of all licensed programs residing on a disk volume, use the DSAP command. For example, this command lists the licensed programs on volume $SYSTEM:

    1> DSAP $SYSTEM,LICENSED
    ...
    User Name/ID         Filename         Type  Code ...
    SUPER.SYS (255,0)    SYS00.ADDUSER
                         SYS00.BACKUP
                         SYS00.CMP
                         SYS00.CMPLIB
                         SYS00.DEFAULT
                         SYS00.DELUSER
                         SYS00.DSAP
                         SYS00.FUP
                         SYS00.PASSWORD
                         SYS00.PUP
                         SYS00.RESTORE
                         SYS00.RPASSWRD
                         SYS00.USERS
Enabling a PROGID Program

... backs up a tape of files to which that operator does not have access. If the system operator cannot use the super ID, a PROGID program provides a convenient and secure solution. To use PROGID in this example, the system manager creates a program that invokes the system BACKUP utility with a predetermined argument list. The argument list defines the files to be backed up.

Possible Security Concerns

Effect of Giving a Program to Another User

A PROGID program given to another user becomes an ordinary (not PROGID) program. However, the new owner can reenable the program as a PROGID program.

Effect of Loading a Program From Magnetic Tape

A PROGID program restored from magnetic tape becomes an ordinary program. The owner can reenable the program as a PROGID program.

Created Processes

The privileges of a PROGID program propagate to any processes created by the program. This situation can create a serious security risk. For example, some programs, such as TEDIT and TACL, provide a user interface that allows the user to arbitrarily execute other programs. If a PROGID program starts TEDIT, the invoker of the PROGID program can use the TEDIT RUN command to perform any operation allowed to the PROGID program owner.

Detecting PROGID Programs

    ...          (5,1)       SYSTEM.LIBRARY   100I
    ADMIN.SUE    (149,60)    SYSTEM.CRS       100I
                             SYSTEM.TPS       100I
    ...
3 Safeguard System Security

This section explains how to use Safeguard features to secure your system. Also read Section 2, Guardian System Security, to become familiar with the basic Guardian security features. Safeguard features provide additional capabilities in the following areas:

Authentication. More control is provided over authentication attempts and password management through global configuration attributes and through individual user authentication records.

Preliminary Preparation

Install or update the Safeguard software according to the instructions in the Safeguard Administrator's Manual. Before you start using Safeguard features, perform the tasks described in the following subsections.

Read the Safeguard Manuals

Read the Safeguard manuals to become familiar with the product's features before you use them to secure your system. Let your security policy guide you in determining which features to use.
Privileged User Roles

From your security policy, determine the responsibilities of the security staff and other privileged users. For example, determine who is responsible for adding users to the system, who should secure certain types of objects, and who should control the Safeguard configuration. Special security privileges such as these can be granted through OBJECTTYPE authorization and membership in Safeguard security groups.

Controlling the OBJECTTYPE Records

Perhaps you want general users to be able to add Safeguard protection records for their own files. If so, do not create an OBJECTTYPE DISKFILE authorization record. Otherwise, only users on the OBJECTTYPE DISKFILE access control list can add Safeguard protection records for disk files. Also, anyone on this access control list can protect files regardless of ownership.

    chdir(2)
    opendir(3)

Note. Only locally authenticated users who are part of the SECURITY-OSS-ADMINISTRATOR security group are granted the privileges specified above, not remotely authenticated users.

Members of the SECURITY-PRV-ADMINISTRATOR (SPA) security group can set or reset the RESTRICTEDACCESS fileset attribute. They can also set or reset the PRIVSOARFOPEN and PRIVSETID file privileges on an executable file or a DLL.

Controlling the Super ID

... the file. If the file needs to be purged, however, the owner of the Safeguard record (preferably not the super ID) can add PURGE authority to the record.

Establishing Privileged User IDs

By default, only the super ID can add or delete super-group user IDs (user IDs of the form 255,n) and group-manager IDs (user IDs of the form n,255). The operating system grants specific abilities to these IDs.
Controlling User Access

When a user ID is added through SAFECOM, the user ID is defined by a Safeguard user authentication record. The following subsection describes how to add users through SAFECOM and how to control user access through the attributes of the user authentication record. Many of a user's privileges are determined by object authorization records rather than by the user authentication record.

User Configuration Issues

Default Protection

Consider DEFAULT-PROTECTION for a user's Guardian disk files. It guarantees that Safeguard authorization records are created for any files the user creates in the Guardian environment. The DEFAULT-PROTECTION attribute allows you to specify a default access control list for a user's files. Specify more restrictive access control lists for some users than for others, depending on what type of files they manipulate.

Controlling the Logon Process With the Safeguard Software

The logon process is suspended for the period determined by the value of AUTHENTICATE-FAIL-TIMEOUT. The user ID is frozen if AUTHENTICATE-FAIL-FREEZE is ON. You might want to change the value of AUTHENTICATE-FAIL-TIMEOUT to a slightly longer period, further slowing down an intruder's attempts to break in. However, avoid unreasonably long periods.

    Ability to require blind logons (Passwords are not echoed to the screen when typed.)
    Ability to require logons by user name only (Logon attempts by user ID number are not allowed.)
    Ability to specify a password expiration grace period (This feature allows users the opportunity to specify a new password during logon if their old password has expired.)

Vacations and Other Absences

5. If the user ID is a network ID, inform the administrators of all systems where the user ID is valid. Be sure the preceding steps are followed for the user ID on these other systems.

Assigning User Aliases

User aliases are defined using SAFECOM ALIAS commands. A user alias is an alternate name that can be assigned to a user for purposes of logging on to the system. An alias name has more flexible syntax than a user's user name.
Securing Objects

File-sharing group names and numbers can appear on a Safeguard access control list and can be used in the OSS environment to specify group IDs for file permission codes. For more information on security implications regarding file-sharing groups, see File-Sharing Groups on page 6-2. For more information on file-sharing groups, see the Safeguard Administrator's Manual and the Safeguard Reference Manual.

Emulating Guardian Security Strings

If you grant users network access to an object, only users with matching remote passwords are actually granted access. When you use the network form of a user ID, the user is also given access at the local level. To grant a user all valid ACCESS authorities for a given object, use an asterisk (*) instead of specifying each individual authority. However, be careful not to grant a user more authorities than intended.

Testing Access Control Lists

Because the Guardian string grants everyone READ and EXECUTE authority, the owner (8,141) is implicitly granted these authorities. The Guardian string also grants the owner WRITE and PURGE authority. Therefore, specify an entry granting the owner all four authorities: READ, WRITE, EXECUTE, and PURGE.
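The emulation described under Emulating Guardian Security Strings and the check described under Testing Access Control Lists, as an added Python example (not code from the manual). It assumes the standard Guardian security letters A, G, O and - (local) and N, C, U (network), that Safeguard applies the most specific matching ACL entry, and that the subject spellings *.* (every local user) and a \*. prefix (network form) are acceptable renderings; those spellings are the example's own assumptions. It goes beyond the text's single case by checking any string for every requester class.

```python
"""Emulate a Guardian RWEP security string with Safeguard-style ACL entries
and check the emulation for every class of requester."""

AUTHORITIES = ("READ", "WRITE", "EXECUTE", "PURGE")  # the R, W, E, P positions
SUPER_ID = (255, 255)

# Guardian security letters: who the position admits, and whether that class
# includes network users (A/G/O are local only; N/C/U include remote users).
LETTERS = {
    "A": ("any", False), "G": ("group", False), "O": ("owner", False),
    "N": ("any", True),  "C": ("group", True),  "U": ("owner", True),
    "-": ("super", False),
}
RANK = {"any": 0, "group": 1, "owner": 2}  # higher rank = more specific entry


def guardian_allows(sec, owner, requester, remote, authority):
    """Guardian decision for one operation. User IDs are (group, member)
    tuples; remote is True when the requester is a user on another node."""
    sec = sec.upper()
    if len(sec) != 4 or any(c not in LETTERS for c in sec):
        raise ValueError(f"bad Guardian security string: {sec!r}")
    if requester == SUPER_ID and not remote:
        return True  # the local super ID bypasses Guardian file security
    scope, network = LETTERS[sec[AUTHORITIES.index(authority)]]
    if scope == "super" or (remote and not network):
        return False  # "-" admits only the super ID; A/G/O admit no remote user
    if scope == "any":
        return True
    if scope == "group":
        return requester[0] == owner[0]
    return requester == owner


def emulate_acl(sec):
    """Build {(scope, network): set(authorities)} emulating sec.
    Two rules from the guide: the network form of an entry also grants local
    access, so local and network entries for one class merge into the network
    form; and Safeguard applies the most specific matching entry, so every
    entry repeats the authorities a broader entry gives its members."""
    grants = {}
    for authority, letter in zip(AUTHORITIES, sec.upper()):
        scope, network = LETTERS[letter]
        if scope != "super":  # "-" needs no entry: nobody but the super ID
            grants.setdefault((scope, network), set()).add(authority)
    merged = {}
    for (scope, network), auths in grants.items():
        network = network or (scope, True) in grants
        merged.setdefault((scope, network), set()).update(auths)
    acl = {}
    for (scope, network), auths in merged.items():
        covered = set(auths)
        for (other, _), more in merged.items():
            if RANK[other] < RANK[scope]:
                covered |= more  # the broader entry's members include ours
        acl[(scope, network)] = covered
    return acl


def render_acl(acl, owner):
    """Spell entries as Safeguard user specifications. The spellings (*.* for
    every local user, a \\*. prefix for the network form) are assumed here."""
    group, member = owner
    local = {"any": "*.*", "group": f"{group}.*", "owner": f"{group}.{member}"}
    return {("\\*." if network else "") + local[scope]: sorted(auths)
            for (scope, network), auths in acl.items()}


def acl_allows(acl, owner, requester, remote, authority):
    """Most-specific-entry evaluation of an emulated ACL; no super ID bypass,
    since a Safeguard record can restrict the super ID too."""
    matches = [(RANK[scope], auths) for (scope, network), auths in acl.items()
               if (network or not remote)
               and (scope == "any"
                    or (scope == "group" and requester[0] == owner[0])
                    or (scope == "owner" and requester == owner))]
    if not matches:
        return False
    return authority in max(matches, key=lambda m: m[0])[1]


def emulation_gaps(sec, owner):
    """Compare Guardian with the emulated ACL for the owner, another member of
    the owner's group and a user from another group, locally and remotely.
    Returns (requester, remote, authority, guardian, acl) per mismatch; acl
    True where guardian is False means the ACL grants more than intended."""
    group, member = owner
    acl = emulate_acl(sec)
    classes = [("owner", owner),
               ("group member", (group, 1 if member != 1 else 2)),
               ("other user", ((group + 1) % 255, 1))]
    gaps = []
    for label, requester in classes:
        for remote in (False, True):
            for authority in AUTHORITIES:
                g = guardian_allows(sec, owner, requester, remote, authority)
                a = acl_allows(acl, owner, requester, remote, authority)
                if g != a:
                    gaps.append((label, remote, authority, g, a))
    return gaps
```

For the owner 8,141 from the text, "NUUU" emulates exactly, while "NCGO" over-grants EXECUTE to remote group members because the merged network group entry cannot distinguish G (local) from C (network).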
Securing Critical Objects

... should own the record for the frozen user, which should be thawed only in emergencies. Always secure the object code files for utilities and applications. Grant EXECUTE authority to users who need to run the program, and grant READ and WRITE authorities to those users who need to maintain the code. Secure all data files used by applications and system programs. These files need to be accessible by the user ID under which the programs run.

    HP subvolumes, such as $SYSTEM.SYSTEM, $SYSTEM.SYSnn, and the $vol.SAFE subvolume on each disk volume
    Subvolumes containing process snapshot (saveabend) files generated by the Inspect subsystem. These subvolumes are named ZZSAPRIV and should be secured to restrict read access.
Setting CLEARONPURGE Through SAFECOM

You can set CLEARONPURGE for individual files with the ALTER DISKFILE command. To specify CLEARONPURGE for disk files that do not have Safeguard authorization records, use FUP to set CLEARONPURGE. To set CLEARONPURGE for all files on the system, use the Safeguard global configuration attribute CLEARONPURGE-DISKFILE. However, setting CLEARONPURGE for all files might have an adverse effect on system performance.

In addition, if there is an OBJECTTYPE DISKFILE authorization record, you might want to grant CREATE authority so the user can secure the disk file containing the object code.

Command Files

If several objects require similar security settings, you might be able to use a command file to make the task of securing them easier.

... individually. The following SAFECOM command specifies auditing of authentication attempts for all users (both successful and failed logon attempts):

    =ALTER SAFEGUARD, AUDIT-AUTHENTICATE-PASS LOCAL, &
    =AUDIT-AUTHENTICATE-FAIL LOCAL

Auditing Object-Access Attempts

Specify auditing for all critical system objects. Some critical objects are mentioned in Securing Critical Objects on page 3-14.

Managing the Audit Service

Additionally, the Safeguard software audits several actions automatically. These actions include attempts to manage the Safeguard configuration, attempts to manage the Safeguard audit service, and attempts to execute TERMINAL and EVENT-EXITPROCESS commands. The Safeguard software also accepts and stores audit records of security-related events generated by other HP privileged subsystems.

... requests. Your security policy should guide you in deciding which recovery actions are appropriate.

Special Considerations

Consider the following issues when using the Safeguard software to secure your system.

The Safeguard Bit

Disk-file labels contain a bit to indicate whether a file is protected by a Safeguard authorization record. The bit is set to 1 when the Safeguard protection record is created.

The ACL-REQUIRED-DISKFILE Attribute
4 OSS System Security This section describes the security features relevant if you are working in the OSS environment. Also review Section 2, Guardian System Security, and Section 3, Safeguard System Security, because some Guardian and Safeguard security features apply to the OSS environment. In particular, the Safeguard software must be used to add and manage users who will work in the OSS environment. All users must log on through the Guardian environment.
File-Sharing Groups OSS System Security The following example illustrates creating the directory /home/dandy in the OSS environment and then assigning that directory as the initial working directory for the user PROG.DAN. In the OSS environment, issue the following command to create the directory: $ mkdir /home/dandy Be sure PROG.DAN owns the directory and is granted all permissions for it. In SAFECOM, execute the following command to specify the directory as the initial directory for PROG.
(C) authority on the access control list for that volume. If the user does not have create authority on that access control list, the Safeguard software denies the file-creation attempt.
Note. Starting with G06.26, Safeguard volume protection records are no longer consulted for creation of NonStop Open System Services (OSS) files.
Unlike Guardian files, no purge permission exists for OSS files. Write permission for a file allows the contents to be deleted, but write permission for the file’s directory is also required to remove the file name. Figure 4-1 shows the format of a file-permission code.
Figure 4-1.
[d[efault]:]u[ser]:[uid]:perm
[d[efault]:]g[roup]:[gid]:perm
[d[efault]:]c[lass]:perm
[d[efault]:]o[ther]:perm
An ACL entry prefixed with d: or default: can occur only in a directory's ACL. Such an entry is not used in determining access rights to the directory itself; instead, the remainder of the entry is applied to any files or subdirectories created in the directory.
useful because it means that the chmod(1) command can usefully affect the permissions of a file that has additional ACL entries.
ACL Uniqueness
Entries are unique in each ACL. There can be only one of each type of base entry, and one entry for any given user or group ID. Likewise, there can be only one of each type of default base entry, and one default entry for any given user or group ID.
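The entry syntax and the uniqueness rules above are enough to write a small checker for them. The following Python is an added example written for this guide, not HP's getacl/setacl code: it assumes the perm field is spelled rwx with '-' for a permission that is not granted, and the ACL text it checks is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Entry-type spellings permitted by the syntax shown in Section 4 (u[ser], g[roup], ...).
ENTRY_TYPES = {"u": "user", "user": "user", "g": "group", "group": "group",
               "c": "class", "class": "class", "o": "other", "other": "other"}
# Assumed spelling of the perm field: rwx with '-' for a permission not granted.
PERM_RE = re.compile(r"[r-][w-][x-]")


@dataclass(frozen=True)
class AclEntry:
    default: bool              # prefixed with d: or default:
    kind: str                  # user, group, class or other
    qualifier: Optional[str]   # uid/gid for a named entry; None for a base entry
    perms: str


def parse_entry(text: str) -> AclEntry:
    """Parse one entry such as 'u::rwx', 'g:20:r-x', 'c:r-x' or 'd:o:---'."""
    fields = text.strip().split(":")
    default = False
    if fields[0] in ("d", "default"):
        default = True
        fields = fields[1:]
    if len(fields) < 2 or fields[0] not in ENTRY_TYPES:
        raise ValueError(f"malformed ACL entry: {text!r}")
    kind = ENTRY_TYPES[fields[0]]
    if kind in ("user", "group"):
        if len(fields) != 3:
            raise ValueError(f"{kind} entry needs an id field, possibly empty: {text!r}")
        qualifier = fields[1] or None   # empty id marks the base (owner / owning-group) entry
        perms = fields[2]
    else:
        if len(fields) != 2:
            raise ValueError(f"{kind} entry takes no id field: {text!r}")
        qualifier = None
        perms = fields[1]
    if not PERM_RE.fullmatch(perms):
        raise ValueError(f"bad perm field in {text!r}")
    return AclEntry(default, kind, qualifier, perms)


def parse_acl(text: str) -> List[AclEntry]:
    """Entries may be separated by commas or newlines."""
    return [parse_entry(t) for t in re.split(r"[,\n]", text) if t.strip()]


def validate_acl(entries: List[AclEntry], is_directory: bool) -> List[str]:
    """Check the two rules the section states: default entries belong only in a
    directory's ACL, and within the default and non-default halves there is at
    most one base entry of each type and one entry per named user or group id."""
    problems = []
    seen = set()
    for e in entries:
        if e.default and not is_directory:
            problems.append(f"default entry not allowed in a file ACL: {e}")
        key = (e.default, e.kind, e.qualifier)
        if key in seen:
            problems.append(f"duplicate entry for {key}")
        seen.add(key)
    return problems


if __name__ == "__main__":
    # Constructed sample: a directory ACL with one named user, one named group
    # and a full set of default entries for files created inside it.
    sample = ("u::rwx,g::r-x,c:r-x,o:---,u:1001:rw-,g:20:r--,"
              "d:u::rwx,d:g::r-x,d:c:r-x,d:o:---")
    entries = parse_acl(sample)
    print(len(entries), "entries;", validate_acl(entries, is_directory=True) or "ACL is consistent")
    print(validate_acl(parse_acl("u::rwx,u::r--"), is_directory=False))
```

The uniqueness key deliberately includes the default flag, so a default user entry and a non-default entry for the same uid are not reported as duplicates, which matches the "likewise" clause in the section.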
Unlike the FUP GIVE command in the Guardian environment, the OSS chown command cannot be used by the file owner to transfer ownership of a file. Only the super ID can transfer file ownership by using the chown command. OSS automatically assigns default permissions to files and directories when they are created.
Can be set by members of the Safeguard SECURITY-PRV-ADMINISTRATOR (SPA) group, using either the SETFILEPRIV command or the setfilepriv() function. Use the GETFILEPRIV command to get information about the file privileges for a file. For information about the GETFILEPRIV command, see the getfilepriv(1) reference page either online or in the Open System Services Shell and Utilities Reference Manual.
The PRIV_SETID file privilege can be inherited by child processes created using fork() because the parent and child process share the same executable. Any child processes created by other process creation functions or procedure calls (such as exec() or PROCESS_CREATE_) acquire their file privileges from the target executable file.
You can also control the privileges of OSS processes through the set-user-ID and set-group-ID permission bits of an OSS program file.
Process Security Attributes
For OSS processes, several attributes associated with each process control process access. These attributes are listed in Table 4-2. They are used to determine if the process has the authority to make requests to the system (to open an OSS file, stop another OSS process, and so on).
Table 4-2.
An OSS process can determine its process security attributes by using the function calls listed in Table 4-3 on page 4-11. For more information about these functions, see the Open System Services System Calls Reference Manual.
Table 4-3.
process can kill another OSS process. A process can successfully send a kill() signal to another process under any of the following conditions:
The sending process has the effective user ID of the super ID user.
The sending process has an effective user ID equal to the real user ID of the target process.
The sending process has an effective user ID equal to the saved-set-user-ID of the target process.
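To make the three conditions concrete, the following added Python example (written for this guide, not HP code) models the user-ID attributes of two processes and applies the kill() rule, including what happens to those attributes when a set-user-ID program file is exec'd, which is the standard POSIX behaviour the set-user-ID bit mentioned above relies on. The numeric super ID value (255*256+255) follows the OSS mapping of a Guardian group,member ID to a UID; the sample processes are constructed.

```python
from dataclasses import dataclass, replace

# Guardian user 255,255 is the super ID; OSS derives a numeric UID as group*256 + member.
SUPER_ID_UID = 255 * 256 + 255


@dataclass(frozen=True)
class ProcessIds:
    """The user-ID attributes of an OSS process that matter for the kill() rule
    (Table 4-2 on the page lists the full attribute set)."""
    real_uid: int
    effective_uid: int
    saved_set_uid: int


def can_signal(sender: ProcessIds, target: ProcessIds) -> bool:
    """The three conditions stated in the section; any one of them suffices."""
    return (sender.effective_uid == SUPER_ID_UID
            or sender.effective_uid == target.real_uid
            or sender.effective_uid == target.saved_set_uid)


def after_fork(parent: ProcessIds) -> ProcessIds:
    """fork() gives the child a copy of the parent's IDs (and, as the section
    notes, the same executable, so file privileges are inherited as well)."""
    return replace(parent)


def after_exec(caller: ProcessIds, file_owner_uid: int, set_user_id_bit: bool) -> ProcessIds:
    """Standard POSIX set-user-ID behaviour: exec of a program file with the
    set-user-ID bit makes the effective and saved set-user-ID the file owner's
    UID while the real user ID stays that of the caller. Without the bit the
    saved set-user-ID simply becomes the current effective user ID."""
    if not set_user_id_bit:
        return replace(caller, saved_set_uid=caller.effective_uid)
    return ProcessIds(real_uid=caller.real_uid,
                      effective_uid=file_owner_uid,
                      saved_set_uid=file_owner_uid)


if __name__ == "__main__":
    # Constructed scenario: user 10 runs a set-user-ID program owned by user 30.
    clerk = ProcessIds(10, 10, 10)
    privileged_prog = after_exec(clerk, file_owner_uid=30, set_user_id_bit=True)
    print("program runs as", privileged_prog)
    for name, sender in (("clerk's own shell", clerk),
                         ("program owner", ProcessIds(30, 30, 30)),
                         ("unrelated user", ProcessIds(20, 20, 20)),
                         ("super ID", ProcessIds(SUPER_ID_UID, SUPER_ID_UID, SUPER_ID_UID))):
        print(f"{name:18} can signal it: {can_signal(sender, privileged_prog)}")
```

The scenario shows the point that matters for a set-user-ID program: the user who started it keeps the right to signal it through the real-user-ID condition, and the program's owner gains that right through the saved-set-user-ID condition, while an unrelated user has neither.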
5 Concerns for the Application Programmer
An application programmer creates application programs, customized to an organization’s environment and business needs. The programmer must make the application secure. This section describes features available to you for creating secure applications.
Automatic Execution Through TACL
The TACLCSTM file in the user’s default subvolume can be configured so that the user is placed directly into your application. For example, the last few lines of the TACLCSTM file for CLERK.ROBIN might be:
RUN $DATA.APP.PROG
LOGOFF
Then, when CLERK.ROBIN successfully completes the logon procedure, the TACL process on Robin’s terminal executes the TACLCSTM file, which contains orders to execute the $DATA.APP.
Name Selection
If you decide that the standard user IDs or aliases are satisfactory for your application, consult your security administration staff to work out the user names and user IDs for anyone who will use your application.
Creating and Maintaining the Name Database
The Guardian environment maintains the database for user IDs.
Application-Specific User IDs
If you choose not to use standard user IDs, your application can use application-specific user IDs. Because the Guardian environment does not manage or interpret these user IDs, you have full flexibility to design their syntax and semantics within your application. Thus, you can make the application’s security as simple or as powerful as you need.
Using the Name Database to Authenticate a User
At the beginning of your application, include algorithms to authenticate the user. For example, you might display a query screen that asks for the user’s name (as known to the application) and then a password. Ensure that the only way to reach any other portion of the program is to successfully complete this screen.
6 Concerns for the System Administration Team
The system administration team consists of a system manager, system programmers, and system operators, although the titles of these functions can vary from one site to another. At a small installation, one person might perform all these functions. The system manager administers the system. A large network might have more than one system manager, but one person usually assumes overall responsibility for this function.
entries allowed by the Safeguard implementation. The list can also be so large that determining the proper changes to the list when a user is added or deleted can be difficult or impossible. Proper selection of administrative groups and file-sharing groups can reduce this problem by having some of the ACLs refer to group permission rather than to individuals. Two common ways of assigning administrative groups:
By function.
evaluates an access control list entry that specifies all members of a particular group. For example, the entry 141,* on an access control list grants access to all members of group 141, including users who are file-sharing members of the group.
Because multiple user IDs can potentially weaken system security, issue them only if absolutely necessary. In deciding whether to assign multiple user IDs, consider these points:
When people have many user IDs, the corresponding passwords tend to be either the same or written down.
These users are reluctant to change passwords regularly because they need to log on to each separate user ID to make the change.
Group-Manager User IDs
Member 255 of any administrative group is a group-manager ID. For example, user ID 8,255 is the group-manager ID of group number 8.
Unused User IDs
Whenever a user changes roles, the user’s permissions might need to be changed. This change might include deleting the user from the system and altering any Safeguard access control list that includes the user’s ID. Institute a procedure for keeping the system current, as follows:
Enforce user-expiration dates on all user IDs and aliases.
Terminated Employees
Your security policy should address terminated employees. For example, an employee who can add users to the system might add a new user ID and then continue using the system under this new ID after being otherwise removed. To find and eliminate a terminated employee’s Guardian files, run DSAP with the USER option for each volume on your system.
Password Length
The Guardian environment permits blank passwords, but intruders might be aware of this situation and use them to log on. A Safeguard configuration attribute can be used to forbid blank passwords. For example:
3> SAFECOM ALTER SAFEGUARD, PASSWORD-MINIMUM-LENGTH 12
This command requires that a password be at least 12 characters long the next time a user changes the password.
PASSWORD-MIN-QUALITY-REQUIRED - When set to a value between 0 and 5, it specifies the minimum number of quality criteria that have to be met when a password is set or changed.
Note. Password quality and embedded spaces are supported only on systems running G06.31 and later G-series RVUs and H06.09 and later H-series RVUs.
This command requires that when a user changes a password, the new password must differ from the previous twelve passwords used by that user.
Initial Password
Do not derive initial passwords from the user name or user ID because an inside intruder might log on to a user ID that has been created but not yet assigned. The initial password should be used only to enable the user to log on for the first time.
STATIC-FAILED-LOGON-RESET-TIME = * NONE *
GUARDIAN DEFAULT SECURITY = OOOO
GUARDIAN DEFAULT VOLUME = $SYSTEM.NOSUBVOL
Passwords Ending with ‘&’
The TACL and SAFECOM command interpreters treat the ampersand (&) as a line continuation character. Therefore, special attention is required when supplying a password that ends with an ampersand (&) in SAFECOM and when logging on with such a password in TACL.
The display appears as follows:
TACL 1> logon test.user1
Password: password&&
Password: &
Last Logon: * NONE *
Last Unsuccessful Attempt: * NONE *
Example 2: To add a user TEST.USER2 as user ID 40,2, using ‘password&&’ as the initial password, enter the following SAFECOM command:
=add user test.user2,40,2,password password&&;
To confirm that the user has been added successfully, enter the following command:
=info user test.user2
GROUP.
Password Change Periods
With the PASSWORD-MUST-CHANGE attribute in each Safeguard user authentication record, you can force a user’s password to expire after a specified period of time. This Safeguard feature motivates people to change their passwords before the expiration date. After a password is changed, a new expiration date is automatically set, and the new password remains valid until that date.
console logged on as a privileged ID, and avoid leaving the key within reach of an intruder. For additional security, rekey your system console with a unique key. Initially, all system consoles use the same key.
The Remote Maintenance Interface (RMI)
For systems with an RMI, be sure the remote maintenance password is enabled and is known only to those responsible for maintaining the system.
Off-Site Storage
Protect the off-site storage area from intruders. Consider carefully who can request vault materials, and allow access to approved persons only. Create clear hand-over procedures between the vault staff (especially contracted vault services) and your staff.
Dial-Up Access and Security
This subsection discusses the following considerations for protecting dial-up access.
4. The computer terminates the connection and then calls the user back at a prearranged phone number.
5. The user (or the user’s modem) answers, reestablishes the modem connection, and then continues the logon sequence.
Because the list of phone numbers for any particular user is limited and prearranged, the chances for intrusion are limited.
lines should include special criteria for screening requests for dial-up access. Users of dial-up systems are sometimes required to accept legal and financial liability for intrusions carried out using their access codes.
Periodic Password and Phone Number Changes
Periodically change system passwords and phone numbers, but avoid both changing them too often and retaining them too long.
Does the software require privileges for an obscure or unnecessary function?
Also include other questions appropriate to your environment.
Restricting Access to System Software
Not all organizations allow the entire user community access to the standard system software.
Table 6-1.
Managing the Network User IDs
Handling network user IDs requires careful planning and cooperation among (possibly) geographically separated organizations. The Guardian environment requires that network user IDs have the same user name and user ID on all affected nodes. This condition requires advance networkwide planning.
greatest effectiveness, keep the practice of immediately acknowledging sensitive requests itself a secret.
7 Concerns for the User
This section discusses security concerns for all users of NonStop systems.
Concerns for All Users
In some work environments, an application program runs continuously but requires you to log on and present an individual password before beginning operations. The application program determines the range of operations you can perform. In other work environments, you might have to log on through the TACL command interpreter or the Safeguard software to run an application program.
When the Safeguard software controls the logon dialog, a security event-exit process can also participate in the logon procedure. This process allows a custom dialog to occur at your terminal. For more information about the logon dialog, see the Safeguard User’s Guide.
Blind Logon
Depending on how your system is configured, the TACL command interpreter might require you to enter your password on a different line from your user name (or user ID).
Your organization might require you to choose passwords according to specific rules and might enforce time limits on how long you can use a password without changing it.
Protecting Your Terminal
Whenever you log on, be sure that no one discovers your password by watching your fingers as you type. After you are logged on, the system associates your user name with your operations. That is, the system checks that you are authorized to perform these operations.
Logging Off
Logging off notifies the system that you are no longer using the terminal and prevents other users from using your privileges to perform operations that are traceable to you. After you log off, the system returns you to the TACL prompt. On Safeguard-protected terminals, if the logoff is performed by the last opener of the terminal, the screen is cleared and the Safeguard prompt is not displayed on the terminal.
User Names
Your user name is in the form:
group-name.member-name
where group-name is the name of the administrative group to which you are assigned, and member-name is the assigned name that distinguishes you from other members of your administrative group. This example shows a user name in which ROBIN is a member of the SALES administrative group:
SALES.ROBIN
Similarly, this example shows a user name in which PAT is a member of the SALES group:
SALES.
If you are a general user, you might have to call on a privileged user to handle certain tasks. If you are a privileged user, you might have to handle some tasks for a general user.
Privileges of the Super ID
The local super ID (255,255) has unrestricted access to the entire local system unless Safeguard security mechanisms have been used to restrict the powers of the super ID. A remote super ID has more restricted access to the local system.
Given your administrative group number (147), you enter the USERS command with n,255 (here 147,255) to learn that user name SALES.PAT is your group manager (that is, member 255 of your administrative group):
3> USERS 147,255
GROUP . USER    I.D. #    SECURITY  DEFAULT VOLUMEID
SALES .PAT      147,255   NUNU      $SALES.PAT
Group Membership
Every user always belongs to an administrative group. Users can also belong to file-sharing groups.
SALES .TRACY    147,064   NONO      $PERSNL.TRACY
SALES .USER     147,003   GGGG      $PERSNL.APLTUSER
SALES .VERNA    147,045   CUCU      $PERSNL.VERNA
This USERS command uses the group ID to list the same information. The user IDs (under I.D. #) appear in ascending order.
5> USERS 147,*
GROUP . USER    I.D. #
SALES .JIM      147,001
SALES .KENOYE   147,002
SALES .USER     147,003
SALES .TRACY    147,064
SALES .MARCIA
SALES .BOBM
SALES .PAT      147,255
. . .
File-Sharing Groups
If you belong to file-sharing groups, you can share access to files secured for group access by those groups. You can use the SAFECOM INFO USER command to view the entire list of groups to which you belong. For example, suppose your user name is SALES.ROBIN and you issue the following command:
4> SAFECOM INFO USER SALES.ROBIN, GROUP
GROUP.USER   USER-ID   OWNER   LAST-MODIFIED   LAST-LOGON   STATUS
SALES.
            CODE   EOF    LAST MODIFICATION    OWNER   RWEP
NOTES       101    21484  10-APR-90 15:16:56   147,36  "GOOO"
The security setting GOOO appears under the heading RWEP (read, write, execute, and purge). In this example, any local member of the owner’s group (G) can read the file, but only the owner (O) can write, execute, or purge the file.
You are a local user if you access the file from a local process. A local process is either:
A process that has executed a successful logon call to the USER_AUTHENTICATE_ procedure (such as a TACL process that has executed such a call on behalf of a user entering a LOGON command)
A process started from a local process on the same system
Any process that is not a local process is a remote process. For example, suppose MYFILE resides on system \SYS1.
If your logon default security setting is restrictive (for example, OOOO, which limits access to you alone), you must resecure a new file to make it accessible to others. By using a restrictive security setting, you avoid the risk of forgetting to secure a sensitive file.
to GUGU, which gives your local group members read and execute authorities to the new files you create. This new setting takes effect the next time you log on.
14> DEFAULT ,"GUGU"
THE DEFAULT file-security HAS BEEN CHANGED TO "GUGU".
Default File Security Settings
When a process creates a file in the Guardian environment, the file inherits the file-creation security setting of that process.
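The RWEP strings used in this section (GOOO, OOOO, NUNU, GUGU) combine the same small set of Guardian security letters. The following added Python example (written for this guide, not HP code) evaluates a security string for a requester, applying the local/remote distinction defined under Guardian Security; it treats the local super ID as unrestricted, as this section states, and, as an assumption of the example, treats a remote super ID like any other remote user. The user IDs and strings it is run against are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

UserId = Tuple[int, int]          # Guardian (group, member), e.g. (147, 36)
SUPER_ID: UserId = (255, 255)
OPS = "RWEP"                      # read, write, execute, purge: the four positions


@dataclass(frozen=True)
class Requester:
    uid: UserId
    local: bool   # True when accessing from a local process, as Section 7 defines it


# Meaning of each Guardian security letter: (who is admitted, from where).
LETTERS = {
    "-": ("super ID", "local"),
    "O": ("owner", "local"),
    "G": ("owner's group", "local"),
    "A": ("any user", "local"),
    "U": ("owner", "local or remote"),
    "C": ("owner's group", "local or remote"),
    "N": ("any user", "local or remote"),
}


def letter_allows(letter: str, requester: Requester, owner: UserId) -> bool:
    """Decide one position of the string for one requester."""
    who, locality = LETTERS[letter.upper()]
    if locality == "local" and not requester.local:
        return False                         # O, G, A and - admit local users only
    if who == "super ID":
        return requester.uid == SUPER_ID
    if who == "owner":
        return requester.uid == owner
    if who == "owner's group":
        return requester.uid[0] == owner[0]  # same administrative group as the owner
    return True                              # any user


def check_access(security: str, op: str, requester: Requester, owner: UserId) -> bool:
    """security is the four-letter RWEP string; op is one of R, W, E, P."""
    if len(security) != 4 or op.upper() not in OPS:
        raise ValueError("security string must have four letters; op is one of R, W, E, P")
    # The local super ID has unrestricted access (Section 7). A remote super ID is
    # treated like any other remote user here, which is an assumption of this example.
    if requester.local and requester.uid == SUPER_ID:
        return True
    return letter_allows(security[OPS.index(op.upper())], requester, owner)


def describe(security: str) -> Dict[str, str]:
    """Expand a string such as GOOO the way the section does in prose."""
    return {op: "%s (%s)" % LETTERS[ch.upper()] for op, ch in zip(OPS, security)}


if __name__ == "__main__":
    owner = (147, 36)                                  # constructed: SALES.ROBIN's ID
    colleague = Requester((147, 64), local=True)       # constructed: a local group member
    remote_owner = Requester(owner, local=False)       # the owner working from another node
    for security in ("GOOO", "GUGU", "OOOO", "NUNU"):
        print(security, describe(security))
        print("  colleague read:", check_access(security, "R", colleague, owner),
              " colleague write:", check_access(security, "W", colleague, owner),
              " remote owner write:", check_access(security, "W", remote_owner, owner))
```

Running it shows why the section recommends GUGU over GOOO for a user who also works remotely: the U positions still admit the owner from a remote node, whereas every position of GOOO is local-only.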
for a new file, the information from the file remains on the disk, still readable by programs that examine the disk directly. Designate CLEARONPURGE for all sensitive files. For files not under Safeguard protection, CLEARONPURGE can be set through the FUP SECURE command or by a program using a SETMODE or SETMODENOWAIT procedure call.
These commands create a Safeguard access control list (ACL) that implements these constraints:
17> SAFECOM
SAFEGUARD COMMAND INTERPRETER - T9750Xxx - (ddMMMyy)
=ADD DISKFILE myfile
=ALTER DISKFILE myfile, ACCESS (147,36, 10,20) (r,w)
=ALTER DISKFILE myfile, ACCESS (147,*) (r)
The following command displays the access control list:
=INFO DISKFILE myfile
LAST-MODIFIED $BOOKS1.
Encryption
You can also encrypt the contents of your files. Encryption ensures that the information is accessible only to those who know the complete method by which the information was encrypted. Encryption usually consists of:
An encryption algorithm (which is usually known)
A key (which is private)
HP does not provide a standard encryption package, although such a package can be built with the Atalla A-5000 High Performance Security Module (HPSM).
People (especially recipients who do not ordinarily receive sensitive mail) often read mail without regard to who is standing near their terminals.
Suggestions for Using Electronic Mail
The following suggestions can help you avoid divulging sensitive information through electronic mail:
Use the subject line to alert recipients of sensitive messages. The recipient can then take care to read the message in private.
Report atypical symptoms such as:
Your first attempt to log on is refused although you entered the correct user ID and password. In this case, a Trojan horse program might have displayed a TACL prompt on your terminal and waited for you to log on. When you tried to log on, you gave your secret password to the Trojan horse program.
Someone other than you has relaxed the security of your files.
21> FILEINFO TACLCSTM                                  {confirms security}
$SALES.ROBIN
            CODE   EOF    LAST MODIFICATION    OWNER   RWEP
TACLCSTM    101    2896   27-APR-90 9:57:36    147,36  "OOOO"
Also secure TACL macro files other than your TACLCSTM file. Otherwise, an intruder might insert commands that execute under your user ID when you execute the macros. In this example, you have macros in the file named TACLMACS.
In addition to specific subvolume names, your search list can include #DEFAULTS, which designates your current subvolume. However, including #DEFAULTS in your search list can lead you to accidentally execute a Trojan horse program, especially if #DEFAULTS appears before $SYSTEM.SYSTEM in your search list. If you must use #DEFAULTS in your search list, put it after $SYSTEM.SYSTEM.
If the file has an associated ACL, the above display contains an additional “+” sign to indicate this:
$ ls -l myfile2
-rwxr-xr-x+ 1 PROG.WILSON PROG 102 Jul 5 10:14 myfile2
The first string of characters in the display shows the permissions assigned to the file. The file permissions indicate that the owner, PROG.
$ chgrp PROJMGR myfile2
$ chmod g=rwx myfile2
$ ls -l myfile2
-rwxrwx--- 1 PROG.WILSON PROJMGR 102 Jul 6 11:20 myfile2
Default File Security
OSS automatically assigns default permissions to your files and directories when they are created. To restrict the default permissions assigned to your files, you must establish a user mask with the umask command.
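The umask rule and the ls -l permission field shown in the listings above are worth having in executable form. The following added Python example (not HP code) computes the mode a newly created OSS file receives under a given umask, renders it the way ls -l does, including the “+” marker for a file with additional ACL entries, and parses such a field back to a numeric mode. The sample modes and masks are constructed.

```python
from typing import Tuple

# (bit shift of the rwx triple, special bit shown in that triple, letter used for it)
SPECIAL_BITS = ((6, 0o4000, "s"), (3, 0o2000, "s"), (0, 0o1000, "t"))


def default_mode(requested: int, umask: int) -> int:
    """OSS (POSIX) rule: the permission the creating call asks for, with every bit
    that is set in the user mask cleared. Only the low twelve bits are meaningful."""
    return requested & ~umask & 0o7777


def symbolic(mode: int, is_dir: bool = False, has_acl: bool = False) -> str:
    """Render a mode the way ls -l does, e.g. 0o755 -> '-rwxr-xr-x'. A trailing '+'
    marks a file with additional ACL entries, as in the section's listing."""
    out = ["d" if is_dir else "-"]
    for shift, special, ch in SPECIAL_BITS:
        bits = (mode >> shift) & 7
        out.append("r" if bits & 4 else "-")
        out.append("w" if bits & 2 else "-")
        if mode & special:
            out.append(ch if bits & 1 else ch.upper())   # s/t with x set, S/T without
        else:
            out.append("x" if bits & 1 else "-")
    return "".join(out) + ("+" if has_acl else "")


def parse_symbolic(field: str) -> Tuple[int, bool, bool]:
    """Inverse of symbolic(): the first field of an ls -l line -> (mode, is_dir, has_acl)."""
    has_acl = field.endswith("+")
    if has_acl:
        field = field[:-1]
    if len(field) != 10:
        raise ValueError(f"not an ls -l permission field: {field!r}")
    mode = 0
    triples = (field[1:4], field[4:7], field[7:10])
    for (shift, special, ch), triple in zip(SPECIAL_BITS, triples):
        bits = (4 if triple[0] == "r" else 0) | (2 if triple[1] == "w" else 0)
        if triple[2] in ("x", ch):
            bits |= 1                     # lower-case s/t means the x bit is also set
        if triple[2] in (ch, ch.upper()):
            mode |= special
        mode |= bits << shift
    return mode, field[0] == "d", has_acl


if __name__ == "__main__":
    # Constructed: a creating call asks for 0666 (a data file) under three masks.
    for umask in (0o022, 0o027, 0o077):
        mode = default_mode(0o666, umask)
        print(f"umask {umask:04o}: file gets {mode:04o} = {symbolic(mode)}")
    print(parse_symbolic("-rwxr-xr-x+"))   # the listing with an ACL marker above
```

A umask of 027 is the setting that matches the "group may read, others get nothing" posture the chgrp/chmod sequence above establishes by hand, which is the point of setting the mask rather than fixing each file afterwards.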
8 Concerns for the EDP Auditor
This section is written for EDP auditors of NonStop systems. It addresses many issues that are unique to NonStop systems as well as some common auditing concerns. To audit a NonStop system effectively, you must have a user ID and password.
The Super ID
Check that the super ID is not used for routine purposes. Determine how many people know the password for the super ID. Your policy should state who can have access to the super ID. If the Safeguard software is installed, the super ID can be frozen until needed. You can verify the status of the super ID with the INFO USER command.
Dial-Up Access
If your policy allows dial-up access to your system, check for a list of authorized dial-up users. Make sure only these users can dial up. Also check for special security mechanisms, such as call-back facilities, if your policy requires them.
Network Security
If your policy allows network user IDs, make sure only users who need access to the network have network IDs (and matching remote passwords).
User Expiration
If your policy requires expiration for certain user IDs, such as contract and temporary employees, check the USER-EXPIRES attribute for the affected user IDs and their aliases. Ask the owner of the user ID to issue the following command:
6> SAFECOM INFO USER user-spec, DETAIL
where user-spec is the user ID or user name in question. Use the SAFECOM INFO ALIAS command to check the expiration date for an alias.
User Knowledge of File Security
If users can control the security of their own files, determine whether they know how to change the security of their files. If they are using Guardian security strings to secure their files, they should be familiar with the FUP SECURE command and the significance of the characters in the security string.
Use PERUSE to check the output of the DSAP program. Review documentation for all PROGID programs. Make sure the programs are written so they perform only specified tasks. Make sure only specified users can execute PROGID programs. PROGID programs run under the user ID of the owner, not under the user ID of the person executing the program.
A Sample Policies
A security policy should be a brief description of an organization’s goals regarding protection of information and computer resources. Specific procedures should be written to deal with issues such as adding users and securing objects. These procedures vary from department to department but should be consistent with the goals of the policy. This appendix presents two sample policies. Both policies address the protection goals of the organization.
2. All employees shall comply with the security requirements set forth by the Information Security Group.
3. Adherence to this policy shall be monitored by the EDP Audit Group. The EDP Audit Group shall issue periodic reports detailing the level of conformance to security requirements and issue exception reports whenever a serious violation occurs. Management shall be responsible for any corrective action recommended by the EDP Audit Group.
B How Passwords are Encrypted
When the Safeguard PASSWORD-ENCRYPT configuration attribute is enabled, passwords are encrypted using the algorithm specified by the PASSWORD-ALGORITHM attribute. If the value of PASSWORD-ALGORITHM is set to DES, then passwords are encrypted using DES as a one-way encryption algorithm. If the value of PASSWORD-ALGORITHM is set to HMAC256, then passwords are encrypted using HMAC with SHA256 as a one-way hash algorithm. The system can verify passwords but cannot decrypt them.
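Section 5 asks an application that keeps its own name database to authenticate users before anything else runs, and this appendix describes the property Safeguard relies on for its own records: a stored value that can be verified but not reversed. The following added Python example (not HP's implementation) shows that property with HMAC-SHA256 in an application-specific name database. The per-system key, the per-user salt and the record layout are assumptions of this example; the page names only the algorithm. The key bytes and user record are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Constructed for this example: a per-system secret key for the HMAC. The appendix
# names the algorithm only; how Safeguard keys it is not stated on the page.
SYSTEM_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
SALT_LEN = 16


def derive_tag(password: str, key: bytes, salt: bytes) -> bytes:
    """One-way: HMAC-SHA256 over salt || password. Nothing stored can be reversed
    to recover the password; it can only be recomputed and compared."""
    return hmac.new(key, salt + password.encode("utf-8"), hashlib.sha256).digest()


class NameDatabase:
    """An application-specific name database of the kind Section 5 describes,
    storing only (salt, tag) per user. The per-user salt is an addition of this
    example so that two users with the same password get different records."""

    def __init__(self, key: bytes = SYSTEM_KEY) -> None:
        self._key = key
        self._records: Dict[str, Tuple[bytes, bytes]] = {}

    def add_user(self, name: str, password: str) -> None:
        salt = secrets.token_bytes(SALT_LEN)
        self._records[name.upper()] = (salt, derive_tag(password, self._key, salt))

    def authenticate(self, name: str, password: str) -> bool:
        """The gate Section 5 asks for: nothing else in the application should be
        reachable until this returns True."""
        record = self._records.get(name.upper())
        if record is None:
            # Do the same work for an unknown name so the response time does not
            # reveal which names exist, then reject.
            derive_tag(password, self._key, bytes(SALT_LEN))
            return False
        salt, tag = record
        return hmac.compare_digest(derive_tag(password, self._key, salt), tag)

    def stored_record(self, name: str) -> Tuple[bytes, bytes]:
        return self._records[name.upper()]


if __name__ == "__main__":
    db = NameDatabase()
    db.add_user("CLERK.ROBIN", "correct horse")          # constructed user and password
    salt, tag = db.stored_record("CLERK.ROBIN")
    print("stored:", salt.hex(), tag.hex())              # no password text anywhere
    print(db.authenticate("clerk.robin", "correct horse"),
          db.authenticate("CLERK.ROBIN", "wrong"),
          db.authenticate("NOBODY", "correct horse"))
```

The constant-time comparison and the dummy computation for unknown names are the two details that keep the verify-only property from leaking through timing; the one-way derivation itself is what makes the stored record useless to someone who reads it.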
C TACL Macros
The following macros are intended only as examples of how to develop security macros. These examples might not work with all releases and configurations of the operating system. To use TACL routines, store them in a file and then use the LOAD command to load them into your TACL.
Example 1. Snapshot Routine
The following TACL snapshot routine captures major parameters that describe a collection of files. The routine then puts these descriptions in a snapshot file.
Example 2.
existence, code, eof, licensed, modification, owner, progid, security / [:^fullname] ] ]
[#if (:^existence)                      == did file exist?
|then|                                  == yes -- check fields and report errors:
  :^check CODE
  :^check EOF
  :^check LICENSED
  :^check MODIFICATION
  :^check OWNER
  :^check PROGID
  :^check SECURITY
|else|                                  == no -- file disappeared
  #output [:^fullname] has been PURGED.
== followed by existing file, or non-existing file?
| 1 existingfile |
  #if [#argument /text :^template/ template]     == exists, so start at that file
| 2 nonexistingfile |
  #if [#argument /text :^template/ template]
  [#set :^curfile [#filenames /maximum 1, previous [:^curfile]/ [ ][:^template]] ]   == does not exist...
| otherwise |
]
#unframe
To use this macro, load it into your TACL along with the fapply routine. Then, to scan all files on $SYSTEM.SYSTEM (for example):
3> FAPPLY FINDONE $system.system.*
Example 5.
  #set :^wrongs ???*
]                                       == if user says "lock !", allow infinite wrong guesses
#set :^prompt Password?
#inputv /noecho/ :^pw1 :^prompt         == fetch user's desired password
[#if [#inputeof] |then| #raise EXIT ]   == if ^Y on input, abort routine
:^toascii :^pw1                         == change ABC into 065066067 (and so on)
[#if (not [#match ????????????* [:^pw1]]) |then|
  #output Password must be at least [ ]three characters... aborting.
|then|
  #output Logging off...
  logoff/segrelease/
  #logoff/segrelease/
[|if first one failed...
D HP-Supplied Files with LICENSE and PROGID Attributes
This section lists the HP-supplied files that have the LICENSE and PROGID attribute set.
Licensed Files
Several system programs that HP distributes (for example, FUP and PASSWORD) must be licensed before they can be executed by users other than the super ID. For information about the LICENSE attribute, see The LICENSE Attribute on page 2-6. For information on licensing and its implications, see Licensing Programs on page 2-24.
Table D-1. Files with the LICENSE Attribute Set
File Name   T Number   Product Name                Location ($Volume.Subvolume)
CLP01600    T1270H23   SQL/MX down-rev executor    $SYSTEM.ZSQLMX
CMP01600    T1270H23   SQL/MX down-rev compiler    $SYSTEM.ZSQLMX
SNOOP       T2076H01   NS TMF UTILITIES            $SYSTEM.SYSnn
SNOOPDR     T2076H01   NS TMF UTILITIES            $SYSTEM.SYSnn
TMFARUL2    T2781H01   NS TMF AUDITREAD2           $SYSTEM.ZTMF
NSKCOM      T5838H01   NSKCOM                      $SYSTEM.
Table D-1. Files with the LICENSE Attribute Set (continued)
File Name   T Number   Product Name   Location ($Volume.Subvolume)
TMFTMP      T8608H01   TMF TMP        $SYSTEM.SYSnn
TMFBOUT     T8609H01   TMF            $SYSTEM.SYSnn
TMFFRCV     T8609H01   TMF            $SYSTEM.SYSnn
TMFFRLS     T8609H01   TMF            $SYSTEM.SYSnn
TMFVRCV     T8609H01   TMF            $SYSTEM.SYSnn
AUDSERV     T8669H01   SQL/MP AUD     $SYSTEM.SYSnn
SCPTC       T8952H01   TRACE          $SYSTEM.SYSnn
SCPTCOL     T8952H01   TRACE          $SYSTEM.
Table D-1. Files with the LICENSE Attribute Set (continued)
File Name   T Number   Product Name                             Location ($Volume.Subvolume)
CIP         T9216H01   Distributed System Network Management    $SYSTEM.ZDSMS
CMDSVR      T9216H01   Distributed System Network Management    $SYSTEM.ZDSMS
PWI         T9216H01   Distributed System Network Management    $SYSTEM.ZDSMS
SCPI        T9216H01   Distributed System Network Management    $SYSTEM.
PROGID Files HP- Supplied Files with LICENSE and PROGID Attributes Table D-2. Files with the PROGID attribute set File Name T Number Product Name Location ($Volume.Subvolume) CBEXE T6031H02 DSM/SCM $.ZDSMSCM TAEXE T6031H02 DSM/SCM $.
E. HP NonStop Port Details

This section provides port details for various NonStop products. For each product it gives the product number (where applicable) and name, the corresponding default ports, the configuration details, and, where needed, considerations that apply. Table E-1 lists the general (Host) port details of NonStop products.
Table E-1. General (Host) Port Details for Standard Products

Product Name             Default Port(s)   Reconfigurable   Configurable Range   Considerations
Unencrypted OSM CIMOM*   5988              No               N/A                  Inbound from NSC over http

* Cannot be used if HP SIM or Insight Remote Support Advanced functionality is required.
** Either the unencrypted or the encrypted port needs to be open.
Table E-2. General (Host) Port Details for Optional Products

Product Name                                                              Default Port(s)                                    Reconfigurable   Configurable Range            Considerations
SCOBOL JAVA PACKAGE, ITS CLIENT OBJECT MANAGER, iTS Connection Router     None                                               Yes              Any available TCP/IP port     The port number needs to be updated in the CONTROL.html file of the converted SCOBOL application. It should be the same as that of the ROUTER (T0527) process.
TNS/R C++ COMPILER                                                        Any port in the ephemeral range (1024 to 65535)    Yes              1024 to 65535
NMCOBOL                                                                   Any port in the ephemeral range (1024 to 65535)    Yes              1024 to 65535
SQL/MP COMP AGENT                                                         Any port in the ephemeral range (1024 to 65535)    Yes              1024 to 65535
Table E-3 lists the maintenance LAN (Host) port details of NonStop products.

Table E-3. Maintenance LAN (Host) Port Details

Product Name      Default Port(s)             Reconfigurable   Configurable Range   Considerations
VIO ME Firmware   23, 111, 301, 303, 1009     No               N/A                  ME (Maintenance Entity) Ethernet connections are to the maintenance LAN only, not customer facing, and not on the NonStop host OS TCP/IP stack.
Table E-4 lists the NonStop System Console (NSC) outbound port details of NonStop products.

Table E-4. NSC (Outbound) Port Details

Function                        Default Port(s)   Protocol         Considerations
FTP                             20                ftp              To NonStop host OS TCP/IP stack.
FTP                             21                ftp              To NonStop host OS TCP/IP stack.
Secure Shell                    22                ssh/sftp         For TACL and SFTP.
Telnet                          23                telnet           For TACL.
Domain Name lookups             53                dns              Domain Name lookups.
Dynamic addressing              67                dhcp / bootp     If using dynamic addressing.
SNMP                            161               snmp             If the console has an SNMP-based management application (for example, HP SIM) and is managing a managed device using SNMP. (This port is not needed for NonStop management by HP SIM.)
Maintenance interfaces          443               https            Transfer of dial-out IRs to HP from the CMS.
Low Level Link connection       630               onc/rpc          Not connecting to NonStop host OS TCP/IP stack.
SSL-enabled OSM CIMOM           5989              https            Secured WBEM CIMOM protocol over https/SOAP. Used to communicate with WBEM end point nodes.
OSM Service Connection server   9990              http
OSM Event Viewer Server         9991              http or https
Table E-5 lists the NSC (inbound) port details.

Table E-5. NSC (Inbound) Port Details

Function                                                           Port     Protocol         Considerations
FTP                                                                20       ftp              For CLIM software update.
FTP                                                                21       ftp              For CLIM software update.
Domain Name Server                                                 53       dns              If this console is being used as a Domain Name Server.
DHCP Server                                                        67       dhcp / bootp     If this console is being used as a DHCP server.
Trivial FTP                                                        69       tftp             Trivial FTP for HSS.
https port for listener running in the Director's Web Interface    7906     https            Only if the console is also the Central Management Server (CMS).
WEBES                                                              7920     https            Insight Remote Support Advanced NonStop dial out.
HP Systems Insight Manager default SSL port                        50000    https            If running as HP Systems Insight Manager CMS.
CLIM TCP/IP Ports

Table E-6 lists outbound CLIM ports. These ports are used on the maintenance LAN only, not the customer LAN(s).
Table E-7. Inbound CLIM Ports Open on the Maintenance LAN

Function   Port   Reconfigurable   Reconfigurable Range   Protocol   Considerations
SNMP       161    No               N/A                    snmp       UDP.
Racoon     500    No               N/A                    IPSec      Running whether or not IPSec is configured on the CLIM. This service only runs on the maintenance LAN for CLIMs that do not support multiple data providers.
Glossary

access control list (ACL). A list of subjects that are allowed access to a particular object. The list specifies the types of access allowed for all subjects on the list. The Safeguard software maintains access control lists for all objects under its protection.

accountability. The ability to provide a correlation between an action and the individual responsible for that action.

ACL.

administrative group name. The Guardian name for a group of users who have the same administrative group ID.

auto logoff. A process that terminates an interactive session after a preset number of minutes in which the terminal has been idle or unattended.

backup. To copy online data to an offline storage medium (such as tape) for safekeeping.

baseline security. A minimal level of implemented security policies and procedures that is reasonable for a particular circumstance.

biometrics. The use of personal characteristics, such as fingerprints or eye blood vessel prints, for user identification.

default security string. A security string associated with a Guardian process that defines the initial security string for all files created by that process. See also logon default security string and security string.

DES. Abbreviation for Data Encryption Standard. A standard method of encrypting a 64-bit block of data using a 56-bit key.

dial-up. A telephone connection through standard (switched) telephone lines.

directory.

external password. A secondary password provided for additional authentication when a person first establishes a terminal session. External passwords are usually system wide and changed on a regular basis to prevent unauthorized access to the system.

file permission bits. Information about a file that is used, along with other information, to determine whether a process has read, write, or execute/search permission to that file.

logoff. To terminate an interactive session that began when a user logged on to the system.

logon. To establish an interactive session and provide the necessary authentication information (such as a user name and password).

logon default security string. A security string associated with a user ID that becomes the default security string for each new logon by that user ID. See also default security string and security string.

maintenance.

password expiration. A procedural technique whereby passwords become invalid after a certain time period or a certain number of uses.

Pathway. A collection of NonStop system tools that aid in designing and operating a terminal-based database application.

peripheral. A device suitable for input or output, such as a terminal, printer, disk drive, or magnetic tape unit.

physical security.

real user ID. An attribute of a process. When a process is created, the real user ID identifies the user or parent process that created the new process. The real user ID cannot be changed after process creation.

reference monitor. The portion of the computer system responsible for granting user IDs access to objects.

remote password. A character string used for user authentication when the user accesses another system on an Expand network.

requester.

passwords. A file receives an initial security string from the default security string of the process that created the file. The security string can later be changed through FUP or a system procedure call. See also default security string and logon default security string.

segregation of duties. The practice of separating roles within an organization, especially with regard to information processing.

system operator. The person (or persons) responsible for the routine operations necessary to keep a system functioning. Such operations can include daily or weekly backups, performing a system load after an extended power outage, and handling user requests or questions.

TACL. Abbreviation for HP Tandem Advanced Command Language, the user interface to the Guardian environment. TACL is both a command interpreter and a command language.

user name. A name (such as ADMIN.MATHEW) associated with a user or class of users. For each user name there is a unique user ID, and for each unique user ID there is a user name.

warm start. Returning a system that is in a dormant state to an active state. See also system load.
Index

A
Access authorities, Guardian 7-10
Access control lists: example of 7-15; using 3-12; using DENY with 3-12
ACL Inheritance 4-6
ACL Notation 4-4
ACL Uniqueness 4-6
ACL-REQUIRED-DISKFILE attribute 3-21
ADD GROUP command 3-11
ADD TERMINAL command 3-10
ADD USER command 3-7
Adding users: authority for 3-3; description of 3-7
ADDUSER program, removing 3-2
Administrative groups: and file-sharing groups 3-11; defined 7-7; displaying members 7-7; managing 6-1
Aliases 3-11, 6-4
Answer-back string 6-16
Application progr

C (continued)
  setting with FUP 7-14; setting with SAFECOM 7-15
Command files 3-18
Configuration: for logon attempts 3-8; for subvolume security 3-16; of passwords 3-9
Converting the USERID file 3-2
Critical disk files, securing 3-14
Critical processes, securing 3-15

D
Data files 3-15

E
Effective group ID 4-10
Effective user ID 4-10
Electronic mail 7-16, 7-17
Emergencies requiring the super ID 2-24
EMS Message 2-18
Encryption: of passwords 3-9; of sensitive data 6-20
Event-exit process 5-1
EXECUTE authority 7-10

F

G
Grace period for password changes 3-10
Group: administrative 7-7; defined 7-7; file-sharing 7-9; list 2-4, 4-10; permissions 7-21; privileges 7-5, 7-9; resources, sharing 7-9
Group manager: authorities 6-5; privileges 7-6
Guardian: access authorities 7-10; file ownership 7-11
Guardian security strings: defined 2-4; for Safeguard protected files 7-15
Guest user IDs 6-5

H
HP trusted software 2-7
HPSM (High Performance Security Module) 7-16

I
Initial password: changing 7-1; setting 6-10
INITIAL-DIRECTORY attrib

O
Object code files 3-15
OBJECTTYPE DEVICE 3-3
OBJECTTYPE DISKFILE 3-3
OBJECTTYPE OBJECTTYPE 3-4
OBJECTTYPE records, controlling 3-4
OBJECTTYPE USER 3-3, 3-6
OBJECTTYPE VOLUME 3-3
Operator privileges 6-18
Optional ACL entries 4-5
Orphan files: detecting 2-10; disposition of 2-10
OSS: Auditing 4-3; directory permissions 4-3; file permissions 4-3; file security 4-7; initial directory 4-1
Ownership for system files 2-8

P
PAID (process access ID) 2-26
PASSWORD 2-16
PASSWORD program: security features of 2-11
Privileged user IDs: adding 3-6; control of 3-6; defined 7-5; verifying validity of 8-2
PRIV_SETID 4-8
PRIV_SOARFOPEN 4-8
Processes: critical 3-15; stopping 3-5
PROCESS_GETINFO_ system procedure call 2-5
PROCESS_SETINFO_ system procedure call 7-13
PROGID: and system files 2-9; audit consequences of 2-30, 8-5; detecting 2-31, 8-5; enabling and disabling 2-29; for backups 2-22, 2-29; for database control 2-29; for super ID programs 2-24; hazards of 2-30, 8-5
Protecting key definitions 7-19
Protecting printouts 7-

S (continued)
  for Safeguard protected files 3-21, 7-15
SECURITY-ADMINISTRATOR security group: capabilities of 3-4, 3-20; specifying members 3-4
SECURITY-OSS-ADMINISTRATOR security group 3-4
Segregation of duties 1-2, 8-2
set 4-12
SETTIME 2-23
Set-group-ID permission bit 4-12
Set-user-ID permission bit 4-12
Sharing group resources 7-9
Software: installation controls 6-17; trusted 2-7
Specifying audit pools 3-20
Specifying audit recovery actions 3-20
Specifying security groups 3-20
Spooler, controlling 2-22
STATIC-FA

T (continued)
  defined 7-17; detection of 7-17
Trusted software 2-7

U
umask command 4-7, 7-22
User aliases 3-11, 6-4
User attributes: DEFAULT-PROTECTION 3-8; INITIAL-DIRECTORY 4-1; USER-EXPIRES 3-7
User community: and Safeguard 3-7; verifying validity of 8-2
User education 1-1
User expiration: example 3-7; verifying existence of 8-4
User IDs: and authentication 7-5; maintenance of 5-3; removing 3-10, 6-6; reusing 6-7; syntax of
USER-EXPIRES attribute 3-7
USER_AUTHENTICATE_ procedure call 5-1, 5-2, 7-11
Utility programs 8-1