Security Management Guide (G06.29+, H06.08+, J06.03+)

Concerns for the System Administration Team
Security Management Guide 522283-021
6 - 7
Managing Passwords
Terminated Employees
Your security policy should address terminated employees. For example, an employee
who can add users to the system might add a new user ID and then continue using the
system under this new ID after being otherwise removed.
To find and eliminate a terminated employee’s Guardian files, run DSAP with the
USER option for each volume on your system. For example, if your system has
volumes named $SYSTEM and $DATA, and you plan to remove CLERK.CHRIS from
the system, you can find Chris’s files by entering these commands:
1> DSAP $SYSTEM, USER CLERK.CHRIS, DETAIL
.
(output from DSAP)
.
2> DSAP $DATA, USER CLERK.CHRIS, DETAIL
.
(output from DSAP)
.
To find OSS files owned by a specific user, use the find / -user command.
Reusing the User Name or User ID
After you remove a user ID from the system, do not reuse it immediately, especially if
user IDs that have never been used are available. A new user might inherit a previous
user’s privileges if these items remain in the system:
• The old user ID as set up for network access, complete with matching remote passwords
• Files owned by the previous user
• References to the old user ID in Safeguard access control lists
• References to the old user ID in automated procedures (such as TACL macros or command files)
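The OSS side of the two checks above (files still owned by the departed user, and references to the old user ID left in command files) can be scripted so that an offboarding checklist requires both to come back empty before the ID is reused. The following is an added example, not a script from the Security Management Guide; it assumes a POSIX shell with find and grep, the directory names are constructed for illustration, and the Guardian DSAP step is not covered here.

```shell
#!/bin/sh
# Added example (not from the Security Management Guide): audit what a
# removed user left behind on the OSS side before the user ID is reused.
# Assumes a POSIX shell with find and grep. Guardian files are still
# located with DSAP as the guide describes; this covers only OSS.

# List OSS files owned by a user under a root directory.
# Usage: oss_files_owned_by <user> <root>     (e.g. oss_files_owned_by chris /)
# Unreadable directories are skipped silently; run as super.super for a full scan.
oss_files_owned_by() {
    user="$1"; root="$2"
    find "$root" -user "$user" -print 2>/dev/null
}

# Number of files the user still owns. An offboarding checklist can require
# this to be 0 (after reassigning or deleting the files) before reuse of the ID.
oss_owned_count() {
    oss_files_owned_by "$1" "$2" | wc -l | tr -d ' '
}

# Files under a directory of command files or macros that still mention an
# old user ID (for example CLERK.CHRIS). Fixed-string, case-insensitive
# search; prints one matching path per line, nothing if the ID is gone.
references_to_user() {
    userid="$1"; dir="$2"
    grep -rliF -- "$userid" "$dir" 2>/dev/null
}

# Hypothetical usage (paths are placeholders):
#   oss_owned_count chris /
#   references_to_user CLERK.CHRIS /home/ops/macros
```

Both functions only report; removing or reassigning the files and editing the macros remain deliberate administrator actions, which keeps the audit safe to rerun until it returns nothing.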
Managing Passwords
A password prevents an intruder from using the system and allows the system to verify
that someone claiming to be a user is really that user. Password management
responsibilities, discussed in this subsection, include:
• Requiring strong passwords (forbidding blank passwords)
• Limiting the reuse of passwords
• Setting initial passwords
• Enforcing routine password changes