Security Management Guide (G06.29+, H06.08+, J06.03+)
Guardian System Security
Security Management Guide — 522283-021
2 - 8
Owning System Files
Referring to the recommended settings in the first column of Table 2-4, set the position
marked x to A, N, G, or C:
The following subsections discuss the security of the different types of system files.
The security settings of these files depend on your security policy and how your
system is used.
Owning System Files
Unless your security policy states otherwise, the super ID (255,255) should own
system files. The special files shown in Table 2-4 on page 2-8 (TANDUMP, DIVER,
USERID, and USERIDAK) should be secured “----”, thus prohibiting access to all but
the super ID.
Reading System Files
Allow read access to system files only where there is a genuine need. For example,
allow read access to microcode files and general library files (runtime libraries, source
files, error message files). To prevent an intruder from copying and inspecting sensitive
system programs, do not allow read access to executable user tools (editors,
compilers) or system tools (DSAP, FUP, TACL, and so forth).
Preventing Writes to System Files
No one should have write access to any system file.
Purging System Files
Generally, no user should be able to purge system files. This rule protects against the
disruption that might result from accidentally purging a system file and the substitution
A All local users can access the file.
N All network users can access the file.
G Only local group members can access the file.
C
Only network group members can access the file.
Table 2-4. Recommended Security of System Files
Security Description
xOOO General libraries (including runtime libraries, source files, error message files)
OOxO User tools (including editors and compilers)
OOxO System tools (including FUP, NETMON, DSAP
, TACL, BACKUP, RESTORE,
PATHWAY, TMFCOM, TRANSFER, MAIL)
xOOO Microcode files
---- Special files (including TANDUMP, DIVER, USERID, and USERIDAK)