Manualshelf

Security Management Guide (G06.29+, H06.08+, J06.03+)

ManualsBrandsHP ManualsServerHP NonStop G-Series
71727374757677787980
Safeguard System Security
Security Management Guide 522283-021
3 - 15
Securing Critical Objects
should own the record for the frozen user, which should be thawed only in
emergencies.
Always secure the object code files for utilities and applications. Grant EXECUTE
authority to users who need to run the program, and grant READ and WRITE
authorities to those users who need to maintain the code.
Secure all data files used by applications and system programs. These files need to be
accessible by the user ID under which the programs run.
Secure OBEY command files and TACL macro files so only authorized users have
READ authority.
What Processes Should Be Secured?
Secure process names used by the operating system and the Safeguard software.
Also secure process names or subprocess names used by your applications.
The following list includes some process names you should secure:
$CMON (Command Monitor)
Pathway Monitor (usually $PM)
Spooler Supervisor (usually $SPLS)
Spooler Collector Names (usually $S, $S1, $S2 and so on)
In general, you should grant READ and WRITE authority to any users who need to
open a process. For some processes, this might include most users on the system.
Grant CREATE, PURGE, and OWNER authorities to a small set of trusted users. For
example, you might need to grant CREATE and PURGE authority to the operations
staff and grant OWNER authority to a few members of the security staff.
Additionally, create an authorization record for OBJECTTYPE PROCESS. This record
is used to control who can protect process names with Safeguard access control list
s.
Without an OBJECTTYPE PROCESS record, any user can add a Safeguard record for
a process name (regardless of ownership), thereby gaining control of the process.
OBJECTTYPE PROCESS also controls who can create the special records NAMED
and UNNAMED. This feature is important because whoever is granted PURGE
authority on the access control lists for these two records can stop any process on the
system.
Securing Subvolumes
The advantages of subvolume security follow. If you use subvolume security, consider
securing the following subvolumes:
Subvolumes used by your applications
Note. The process names $ZSMP and $ZSMP. #ZSPI should not be secured. Also, you
cannot secure the process name $0 with the Safeguard software