Manualshelf

Security Management Guide (G06.29+, H06.08+, J06.03+)

ManualsBrandsHP ManualsServerHP NonStop G-Series
81828384858687888990
Safeguard System Security
Security Management Guide 522283-021
3 - 21
Special Considerations
requests. Your security policy should guide you in deciding which recovery actions are
appropriate.
Special Considerations
Consider the following issues when using the Safeguard software to secure your
system.
The Safeguard Bit
Disk-file labels contain a bit to indicate whether a file is protected by a Safeguard
authorization record. The bit is set to 1 when the Safeguard protection record is
created. Utilities and programs such as FUP, TACL, BACKUP, and RESTORE consult
this bit for display purposes. When the bit is set to 1, the Guardian security string
appears as four asterisks, ****.
If a disk file does not have its own authorization record but is instead protected by a
volume or subvolume authorization record, the Safeguard bit is not set to 1. Therefore,
even though the file’s Guardian security string does not indicate Safeguard protection,
the file might still have Safeguard protection at the volume or subvolume level. The
Safeguard software must be properly configured to check volume or subvolume
authorization records.
If the Safeguard subsystem is stopped for any reason, disk files with Safeguard
authorization records are accessible only by the primary owner, the primary owner’s
group manager, and the super ID. The security string still appears as ****. The super
ID can return the file to Guardian protection by issuing the FUP SECURE command
with a desired security string.
Default Protection for Users Files
If you specify DEFAULT-PROTECTION for a user’s Guardian disk files, Safeguard
authorization records are created automatically for any files the user creates even if the
user does not have CREATE authority on the OBJECTTYPE DISKFILE access control
list. Default protection has no effect on OSS disk files.
The ACL-REQUIRED-DISKFILE Attribute
If the Safeguard configuration attribute ACL-REQUIRED-DISKFILE is set ON, access
to any disk file is denied unless that disk file has an access control list that grants the
requested access. If your policy requires ACL-REQUIRED-DISKFILE, be sure all files,
especially those necessary for day-to-day operation, have appropriate access control
lists. Otherwise, critical files needed for system operation might be inaccessible.