XYGATE® Access Control Reference Manual
HP Part Number: 657928-002
Published: September 2013
Edition: J06.03 and subsequent J-series RVUs. H06.03 and subsequent H-series RVUs. G06.10 and subsequent G-series RVUs.
© Copyright 2013 Hewlett-Packard Development Company, L.P Legal Notice Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license. The information contained herein is subject to change without notice.
Publication History
Software Ver. | Description | Date
5.60 | Reformatted for new template, re-arranged chapters and appendices. | May 2011
5.65 | Refer to the Softdoc; added “Publ. History” page; updated address. | Mar. 2012
5.70 | Added list of ACCONF file keywords in App. A1; added OSSXAC macro in App. E2; updated ACL IDs limit to 20,000 from 10,000 in App. C2; updated descriptions for the USER_SWITCH keyword in Apps. A33 and C91. | Jul. 2012
5.
CONTENTS
Introduction xv
Security on the HP NonStop Platform xv
The XYGATE Access Control Solution xv
Vocabulary xvii
XAC Installation Design Philosophy
Chapter 2. Configuring XAC 29
2.1 Creating New Command Entries 29
2.1.1 ACCONF 29
2.1.2 ACACL 29
2.1.3 ACACL Command Entries in the ACACL File
2.1.4 How to Build an ACACL Command Entry
Chapter 3. Node-Conditional Processing in the ACACL File
Chapter 4. DBSO – The Database Server
Chapter 5.
Chapter 6. EMS Message Format Templates 59
6.1 Procedure 59
Chapter 7. XAC Auditing and Audit Reports 63
7.1 AUDIT File Considerations 63
7.1.1 AUDIT File Creation
Chapter 8.
A13: EMS_CRITICAL_IF_DENIED 103
A14: HIGHPIN 103
A15: HOMETERM 104
A16: IPMAP 104
A17: MACRO_NAME 104
A18: MONITOR
C5: ALIAS 149
C6: ALIAS_ALL_PROCESSES 150
C7: ALIAS_OSS_PROCESSES 150
C8: ALIAS_XYGATEAC_PROCESSES 151
C9: ALLOWCMD
C40: IGNORECONNECT 181
C41: INPUT 182
C42: JOBID 183
C43: LOWPIN 183
C44: MAP_B_FKEY
C75: SHUTDOWN_MESSAGES 207
C76: SISO 207
C77: STARTUP 208
C78: START_LOGGED_OFF 210
C79: START_LOGGED_ON 211
C80: STOPIFAUDITERROR
D15: <XAC_AUDIT_OUTPUT 244
D18: >XAC_CHANGE_VOLUME 245
Appendix E: XAC Host Macros
Appendix F: XAC Obey and Command File Use and Token Replacement 277
Appendix G: XAC Error Messages 279
Index
Introduction
Welcome to the XYGATE Access Control product security software from XYPRO Technology Corporation for the HP NonStop™ server.
Security on the HP NonStop Platform
System and application security on the HP NonStop platform has evolved over the years. In 1977, when the NonStop operating system was introduced, security was based totally on logons (with unencrypted passwords!), crude disk-file permissions and privileges inherent in specific userids such as SUPER.SUPER and *.MGR.
XAC functions with or without Safeguard. If Safeguard is used, XAC interfaces with it for all security features implemented in Safeguard. If Safeguard is not present, XAC just as easily uses NSK basic security. With XAC, you can do the following:
• Audit all user activity on the NonStop server in Guardian or OSS modes, or just pre-defined sensitive actions.
• Eliminate all shared userid use.
• Eliminate SUPER.SUPER as a shared userid.
Vocabulary
XAC is the name of the XYGATE Access Control software package. XYGATEAC is the name of the object file that runs as a process to manage an XAC session. XAC by itself is the name of the macro that is run to perform two functions: (1) attach the XAC_SEG compiled TACLSEG library of macros, and (2) invoke XYGATEAC to start an XAC session. DBSO is the name of the object file that runs as the database server.
Most XAC installations chart a course between the two extremes described above, with a mix of secured, audited TACLs for some situations, and XAC Command Entries for individual commands to be secured. The following sections describe some of the elements of these two endpoints of the XAC installation spectrum.
PASSONTIMEOUT OFF
DONOTSTOP $SYSTEM.SYSTEM.PATHTCP2
OPENSBYOBJECTS \*.$*.*.*
TRACKUSERID
START_LOGGED_OFF

COMMAND SAFEGUARD-TACL
OBJECT $SYSTEM.SYSNN.TACL
USER GROUP,USER
ACL \*.*,* ALIAS:"\*.*"
START_LOGGED_ON
PERCENT OFF
NULLNULLSTOP
EXECUTEHANGUP
CHECKCONNECTION 750 350
STOPONERROR 60,66,140,190,191
PASSONTIMEOUT OFF
OPENSBYOBJECTS \*.$*.*.
SCF window detail output for $ZTNP2 (only the attribute labels survive here: Type, Display, Owner, CPU, Swap, Program, Lib, Resilient, Param, Assigned Window, Default Service, Subtype, Autodelete, Access, Pri; the values are not recoverable from this page).
PARAM-TEXT = * NONE *
(255,255)-3 = ALTER TERMINAL $MYTERM,PROG $SYSTEM.XYGATEAC.XYGATEAC,PARAM-TEXT SAFEGUARD-TACL
(255,255)-4 = INFO TERMINAL $MYTERM
TERMINAL $MYTERM STATUS FROZEN PROG = $SYSTEM.XYGATEAC.
*Type CONVERSATION
*Subtype DYNAMIC
*Display ON
*Autodelete OFF
*Owner SUPER.SUPER
*Access SYSTEM
*CPU 1
*Pri 150
*Swap $DISCA
*Program $SYSTEM.SYSTEM.OSH
*Lib N/A
*Resilient OFF
*Param N/A
*Assigned Window
Special Purpose TACLs
There are two kinds of special purpose TACLs. The first permits users to execute all their functions under a TACL running as a different userid without the user having any knowledge of the password to that userid. This approach is most commonly used when the operating environment requires a single defined userid to perform all the tasks. One example of this might be an environment that has been built assuming that PROD.
Individual XAC Command Entry
An individual XAC Command Entry is designed to start a Guardian utility, third-party application or user-supplied program with a PAID of a specified userid. There is an object file to be executed and there are restrictions on who can execute the Command Entry. Additional keywords can be used to control other aspects such as subcommands that can be executed, timeouts and auditing.
Example:
COMMAND SCF-255
OBJECT $SYSTEM.
ALLOWCMD "INFO "
ALLOWCMD "EXIT "
ALLOWCMD ">"
ALLOWCMD RE:".*$DEV1|$DEV2.*"
DENYCMD *
The additional keywords that control FC are required by ALLOWCMD and DENYCMD. This ALLOWCMD/DENYCMD set permits only INFO, EXIT, XAC internal commands (">") and any other command that contains $DEV1 or $DEV2, thereby denying commands that access any other line. ACACL Command Entries are described in more detail in Appendix C, starting on page 138.
• New – ACACL keyword ALIAS_XYGATEAC_PROCESSES in Appendix C8 on page 151.
• New – ACACL keyword BREAK_DISABLE_RETURN in Appendix C20 on page 162.
• New – ACACL keyword USER_IGNORED in Appendix C89 on page 218.
• New – ACACL keyword WRITEREAD_ALWAYS in Appendix C93 on page 228.
[ ] Brackets. Brackets enclose optional syntax items. For example:
TERM [\.]$
INT[ERRUPTS]
A group of items enclosed in brackets is a list from which you can choose one item or none. The items in the list may be arranged either vertically, with aligned brackets on each side of the list, or horizontally, enclosed in a pair of brackets and separated by vertical lines.
Item Spacing. Spaces shown between items are required unless one of the items is a punctuation symbol such as a parenthesis or a comma. For example:
CALL STEPMOM ( ) ;
If there is no space between two items, spaces are not permitted. In the following example, there are no spaces permitted between the period and any other items:
$.
Chapter 1. Installing XAC
This chapter describes installing or upgrading the XYGATE XAC files, updating the XYGATE licenses, and then guides you through the process of securing your installation. Running the AutoInstall script is a guided installation with minimal SUPER command-line input except where noted.
1.1 Before You Begin
Ensure that you have the following information ready before you begin the installation procedures:
• Administrator privileges for your PC.
1.2 User-Defined Configuration Values Required for AutoInstall
You have the option of specifying the user-defined values shown in Table 1 when using the AutoInstall script. If you do not specify a value, AutoInstall will use the default values given in Table 2. If necessary, contact your system manager for input to these questions.
Table 3 defines default configuration values and file locations that will be generated automatically by the AutoInstall script.
Table 3: AutoInstall-Assigned Default Values or Locations
Config File | Configuration Settings | Default Values Assigned by AutoInstall Script or Locations
A staging subvolume for installation only. May be removed after installation has been completed.
TRCONF | XTR option TR_MASTER_SUBVOL | $VOL.XYGATETR
TRCONF | XTR encryption options | OFF
TRCONF | XTR SSL options | OFF
TRCONF | XTR monitor/debug options | OFF
TRACL | XTR/XAC $OWNER Authorized users | OWNER running the script + SUPER.SUPER
TRACL | XTR option TR_INSTALLATION | IP address and Port Number
1.2.
In the above example, $DAT90 is accepted as the default XTR volume. Script prompts will return an error to the screen if the entered value is not valid. You can then change your response to a valid entry.
Example:
Enter XTR volume <$DAT90>? Zmywrk
Invalid volume entry, try again
Invalid response
You can end the script by pressing Ctrl+Y at any prompt. Stopping the script will end the install or upgrade prematurely.
5. Obey the file IXYBIN to unpack program files and prepare them for the automated install script.
Syntax:
$MYVOL ZXYPROAC 4> OBEY IXYBIN
Example:
$MYVOL ZXYPROAC 4> OBEY IXYBIN
The installation begins by unpacking the self-extracting IXYBIN file containing the files and programs distributed in the DSV. Note that the three vertical dots inserted below indicate that output is omitted for brevity in this manual only.
IWIZARD, the installation process will continue from the point where it was stopped.
Are you ready to continue ? Y
The AutoInstall script will attempt to locate any installed XTR environments and will display these located environments as shown below. If you are running this script to upgrade one of these environments, refer to section 1.3, “Upgrading XAC and/or XTR Using the AutoInstall Script”, starting on page 11.
Discovering XAC ($*.*) ...
Discovery complete.
SEL LOCATION VERSION OWNER AVAILABILITY
--- ----------------- ------- ----------------- ------------
1) $VOL.JIM XYPRO.JAMES Available
P) Prompt for new location Available
Press BREAK or -Y to exit.
Enter available selection:
If this is a first-time installation, one of the following will be true:
• No existing installed environments will be displayed.
If this is a new install, you will be asked for any additional users/aliases (90 characters max.) that you may want to have access to this environment. The AutoInstall script will add any additional users to the access list for this environment.
Enter user id's, separated by spaces <>?
Enter aliases, separated by spaces <>?
If this is a new install, you will be asked for a port number.
Are you ready to continue ? Y
Establishing product locations ...
Product locations established.
Performing verifications ...
Verifications complete.
Installing products:
Install of products complete.
Performing products syntax check ...
Products syntax check complete.
Verifying XAC is listed in XTR TRACL file ...
Done verifying XAC is listed in XTR TRACL file.
XYGATE GUIs use a LISTNER process to connect to the host.
----------------------------------------------------------------
Validation finished. If no errors were reported, and the information shown was as expected, the installation was validated.
----------------------------------------------------------------
This ends the AutoInstall installation of the XAC files.
1.
If you know the location of the initial installation staging subvolume, overwrite that using the PURGE option of FUP. This will ensure that the installed environments are correctly upgraded to the most current product.
Syntax:
$MYVOL IXYPROAC 3> FUP DUP <$VOL>.ZXYPROAC.* EXCLUDE Z*,<$VOL>..*,PURGE,SAVEALL
Example:
$MYVOL IXYPROAC 3> FUP DUP $DSCSCM.ZXYPROAC.* EXCLUDE Z*,$MYVOL.IXYPROAC.
Initializing config file ...
Done initializing config file.
Warning: Access to SUPER.SUPER (or an alias to SUPER.SUPER) may be required to complete the installation of each XYGATE product. During the installation, if the need for SUPER.SUPER arises, the installation will be paused and the user will be asked to issue specific commands from another TACL prompt while logged on as SUPER.SUPER (or an alias to SUPER.
The AutoInstall script will attempt to locate any already installed XAC environments and display these located environments as shown below.
Discovering XAC ($*.*) ...
Discovery complete.
SEL LOCATION VERSION OWNER AVAILABILITY
--- ----------------- ------- ----------------- ------------
1) $VOL.JIM XYPRO.JAMES Available
2) $VOL.XYGATEAC 5.65 XYPRO.JAMES Available
P) Prompt for new location Available
Press BREAK or -Y to exit.
go to another TACL session, logon as SUPER.SUPER or an alias of SUPER.SUPER, and license these files. You may continue when this has been done. If you decide not to continue, the next time the wizard is run, the wizard will continue where you last stopped.
To license these files, enter the following commands:
FUP LICENSE $VOL.P46DSDST.IADOPTN4
Are you ready to continue ?
Do not answer the above prompt yet.
Start another TACL session using a SUPER.SUPER logon, and perform the licensing tasks as directed by the script. The specific licensing instructions vary depending on which products were installed or upgraded. Licensing requirements are to be performed by a SUPER.SUPER logon for XTR only:
Example:
TACL> RUN $VOL.XYGATETR.XTR INSTALL
TACL> XTR_FINISH_INSTALL
Licensing $VOL.XYGATETR.ADOPT
Licensing $VOL.XYGATETR.
1.3.3 Running AutoInstall to Upgrade XAC Only
Access to SUPER.SUPER (or an alias to SUPER.SUPER) will be required during the upgrade to perform necessary licensing tasks in a separate TACL session. This requirement will be indicated by the AutoInstall script and is also documented in this procedure.
Note: The AutoInstall script waits on a prompt while the user starts a separate TACL session when requested to perform specific actions.
SEL LOCATION VERSION OWNER AVAILABILITY
--- ----------------- ------- ----------------- ------------
1) $VOL.XYGATETR 1.56 XYPRO.JAMES Available
P) Prompt for new location Available
Enter available selection:
Select an existing XTR installation by providing the selection number. Only environments that are owned by your userid are available to be upgraded. Other environments are shown for information only.
Verifications complete.
Installing products:
If the installed software is older than the current version, the script will notify you and perform the upgrade. Upgrading the XAC software requires licensing of one of the installation programs to perform this function.
Comparing installed version of XAC to available version ...
A higher version of XAC was found. XAC will be upgraded.
Installing XAC from \N1.$VOL.ZXYPROAC ...
Installing products:
Install of products complete.
Verifying XAC is listed in XTR TRACL file ...
Done verifying XAC is listed in XTR TRACL file.
Taking inventory ...
Taking inventory complete.
Validating the installation ...
A final status screen will display the current XAC environment.
Product | Distribution Version | Installed Version
XAC | 5.65 | 5.65
XTR | 1.56 | 1.
IWIZARD, the installation process will continue from the point where it was stopped.
Are you ready to continue ? Y
The AutoInstall script will attempt to locate any already installed XTR environments and display these located environments as shown below.
Establishing product locations ...
Press BREAK or -Y to exit.
Enter available selection:
Choose the number (under the SEL heading) of an existing environment. Only environments that are owned by your userid are available for selection. Other environments are shown for information only.
Enter available selection: 2
Updating config ...
Config updated.
Product locations established.
Performing verifications ...
FUP LICENSE $VOL.P46DSDST.IADOPTN4
Are you ready to continue ?
Do not answer the above prompt yet. Start a separate TACL session using a SUPER.SUPER logon, and perform the necessary licensing tasks as shown in the Example below.
Example:
TACL> FUP LICENSE $VOL.P46DSDST.IADOPTN4
TACL> Logoff as the SUPER.SUPER or SUPER alias
When you complete the licensing tasks, answer Y to the prompt below to continue.
When you complete the licensing tasks, answer Y to the prompt below to continue.
Are you ready to continue ? Y
Establishing product locations ...
Product locations established.
Performing verifications ...
Verifications complete.
Installing products:
If the installed software is older than the current version, the script will notify you and perform the upgrade.
1.4.1 Preparing for the Auto Uninstall Script
The Auto Uninstall script will attempt to uninstall all modules that are running on the server as follows:
• Uninstall the XYGATEAC installed product software.
• Uninstall the XYGATETR installed product software.
• Stop the LISTNER process for the connection of GUI products to XYGATETR.
1. Locate the installation subvolume where the XAC product AutoInstall script was executed.
If you wish to uninstall these XAC and XTR environments, enter Y to continue. The uninstall process takes a few minutes to complete.
Are you ready to continue ? Y
Working ...
Detaching segment ...
Removing XTR Installed files on \N1.$VOL.XYGATETR ...
Removing XAC Installed files on \N1.$VOL.XYGATEAC ...
Checking results ...
Done.
1.5
You can also check your current license using the XAC_VERSION macro described in Appendix E23, on page 273, as shown in the abbreviated output below.
Example:
$VNEO1 XYGATEAC 62> xac_version
This is version 5.
1.7 Securing XYGATEAC
This section describes how to secure the XYGATE XAC module. Note that the SECURITY.ADMIN userid is assumed to be the “owner” of the XYGATE XAC software. If a different userid is used, adjust these security settings accordingly. Also note that the XYGATE XAC software is assumed to be installed on $SYSTEM.XYGATEAC. Adjust these security settings if different values are used.
Chapter 2. Configuring XAC
This chapter describes the procedures for configuring XAC by creating new command entries and modifying the ACCONF and ACACL files.
2.1 Creating New Command Entries
XAC is delivered with a sample ACCONF and ACACL fileset that provides a minimum level of functionality. This chapter describes how to change these two files and how you can develop your own commands.
2.1.1 ACCONF
The ACCONF file configures how XAC functions.
2.1.3 ACACL Command Entries in the ACACL File
This table describes some of the commands included in the initial ACACL file.
Command Name | Purpose
TACL-255 | Starts a copy of TACL that runs under the userid 255,255. The users that are permitted to use this TACL are listed in the ACLGROUP profile for $SUPER.
TACL-ASYNCH | Starts a copy of TACL that the user must logon to using a valid userid and password.
2.1.4 How to Build an ACACL Command Entry
This section describes how to build an ACACL Command Entry.
1. Determine which program you will be executing.
2. Determine if you want the program to run as the userid of the user who starts the session or if you want it to run as a specific userid.
3. Make a list of which users and aliases will need access to this XAC command.
4.
2.2
Network users can also use XAC with the simple addition of a node name on the ACACL Command Entry name:
\XYPRO.$SYSTEM.MYSUBVOL 28> XAC \XYS7000.SPOOLCOM-254 JOB 1265,START
This invocation of the XAC macro will execute the XYGATEAC program on the \XYS7000 node, with results similar to those a user would get if a TACL was started on \XYS7000, logged on as the “254” user, and SPOOLCOM JOB 1265,START was executed at the TACL prompt.
Important! The process (usually the user’s TACL) which executes the XYGATEAC program must be a named process in order for XYGATEAC to validate that a NonStop Kernel level authentication was accomplished by the user.
USER 255,255
OBJECT $SYSTEM.SYSNN.FUP
ACL $SUPER
FC?
FCPROMPT "-"
TIMEOUT 900
PASSWORDTIMEOUT 600
PROMPT "'(',PAID,')',FC#"

COMMAND SPOOLCOM-255-DP ! This command is used to execute SPOOLCOM as SUPER.SUPER via DP
DESCRIPTION "SPOOLCOM as SUPER.SUPER via DP"
USER 255,255 ! Execute as SUPER.SUPER
OBJECT $SYSTEM.SYSTEM.SPOOLCOM !
ACL QA.IK ! Only the privileged user QA.
sp255 JOB (LOC #XAC)
^
*ERROR* Name of variable, builtin, or file needed
$VIK IK 61>
$VIK IK 61>
Example 5: XAC timeout
$VIK IK 61> pshow fp255
XAC -
$VIK IK 62>
$VIK IK 62> pinfo /detail/ fp255
Name Program Process File Input Output Ready Wait History Prompt
FP255 XYGATEAC STOPPED EMPTY 1 NO YES YES NO
$VIK IK 63>
$VIK IK 63> fp255 info tacl*
pstart: starting $VIK.XAC575.
2.6.2 -A Option
The -A option causes the ancestor chain to be searched for the most recent process in the chain that was authenticated by the entry of a password during logon. This is used with nested XAC sessions, where the userid authentication has to be against the original user’s logon rather than the userid of any XYGATEAC session that the user might be using at the moment.
2.7 Configuring XAC Userids and Aliases
All XYGATE modules use standard Guardian userids and Safeguard aliases. No XYGATE module requires that you create a new user database. XAC allows you to enter userids as either user names or user numbers, but the two are treated somewhat differently, as follows:
• If a user number is entered, XAC will not check for the presence of the userid on that node.
You can use an asterisk ( * ) in either the GROUP position or the MEMBER position. Userids can also include node names (or an asterisk to represent all nodes) when appropriate, as follows:
*.* represents all local userids.
\*.*.* represents all network userids.
\NODEA.*.* represents all userids on \NODEA.
2.7.2 Aliases
Aliases are specified as follows:
Syntax:
ALIAS:"[\NODE.]"
The ALIAS:" " syntax tells XYGATE (and the HP NonStop server) that the string is an alias. The quotation marks are necessary to prevent the string from being upshifted or TACL from trying to interpret any special characters. You may use wildcarding to specify both nodes and alias names when appropriate.
ALIAS:"*" represents all local aliases.
ALIAS:"\*.
2.7.4 The Concept of the Current Invoking User
You need a way to tell XAC to use the current user’s userid or alias, whoever that is at the moment, when it evaluates access to processes and utilities. Otherwise, you would be unable to grant any user access to his or her own objects without creating a separate rule for every user. Obviously, this is unworkable; hence the keyword GROUP.USER.
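The userid and alias forms of this section (2.7.1 through 2.7.4) can be evaluated with the Python model below, added here as an illustration and not XYGATE's own code. It assumes that an entry without a node prefix is local, that GROUP.MEMBER and GROUP,MEMBER are both accepted, that unquoted names are compared after upshifting while ALIAS names keep their case, that an alias subject only matches ALIAS entries, and that GROUP.USER stands for the invoking user; the subjects and access lists in the demonstration are constructed.

```python
"""Model of how an XAC access list is evaluated against a userid or alias.

Added illustration, not XYGATE's own code.  Assumptions: an entry without a
node prefix is local; GROUP.MEMBER and GROUP,MEMBER are both accepted and
each part may be '*', a name or a user number; unquoted names are compared
after upshifting (TACL would upshift them anyway) while ALIAS:"..." names
keep their case; an alias subject only matches ALIAS entries; GROUP.USER
stands for the invoking user, whoever that is at the moment.
"""
import re
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Subject:
    """The requester: a Guardian userid (name and number) or a Safeguard alias."""
    node: str                       # Expand node name, e.g. r"\NODEA"
    group: str = ""                 # group name; "" when the subject is an alias
    member: str = ""                # member name
    group_no: Optional[int] = None  # numeric form, e.g. 255 for SUPER
    member_no: Optional[int] = None
    alias: str = ""                 # alias name (case-sensitive), "" for userids


# [\NODE.]GROUP.MEMBER or [\NODE.]GROUP,MEMBER; any part may be '*'.
USER_RE = re.compile(r"^(?:(\\[^.,]+)\.)?([^.,]+)[.,]([^.,]+)$")
# ALIAS:"[\NODE.]name"; the quotes stop TACL upshifting the name.
ALIAS_RE = re.compile(r'^ALIAS:"(?:(\\[^.]+)\.)?([^"]+)"$')


def _node_ok(node_pat: Optional[str], node: str, local_node: str) -> bool:
    """No node prefix means local; \\* means any node; otherwise an exact name."""
    if node_pat is None:
        return node.upper() == local_node.upper()
    if node_pat == "\\*":
        return True
    return node_pat.upper() == node.upper()


def _part_ok(pat: str, name: str, number: Optional[int]) -> bool:
    """A GROUP or MEMBER pattern: '*', the (upshifted) name, or the number."""
    if pat == "*":
        return True
    if number is not None and pat == str(number):
        return True
    return pat.upper() == name.upper()


def entry_matches(entry: str, subject: Subject, invoker: Subject,
                  local_node: str) -> bool:
    """Does one access-list entry cover the subject?"""
    entry = entry.strip()
    if entry.upper() == "GROUP.USER":        # the current invoking user
        return subject == invoker
    m = ALIAS_RE.match(entry)                # checked first: keeps alias case
    if m:
        node_pat, name_pat = m.groups()
        if not subject.alias:
            return False                     # userids never match ALIAS entries
        return (_node_ok(node_pat, subject.node, local_node)
                and (name_pat == "*" or name_pat == subject.alias))
    m = USER_RE.match(entry.upper())
    if not m:
        raise ValueError(f"malformed access-list entry: {entry!r}")
    node_pat, grp_pat, mem_pat = m.groups()
    if subject.alias:
        return False                         # aliases only match ALIAS entries
    return (_node_ok(node_pat, subject.node, local_node)
            and _part_ok(grp_pat, subject.group, subject.group_no)
            and _part_ok(mem_pat, subject.member, subject.member_no))


def acl_allows(acl: Sequence[str], subject: Subject, invoker: Subject,
               local_node: str) -> bool:
    """True when any entry of the access list covers the subject."""
    return any(entry_matches(e, subject, invoker, local_node) for e in acl)


if __name__ == "__main__":
    # Constructed subjects and access lists for a quick demonstration.
    local = r"\NODEA"
    super_super = Subject(local, "SUPER", "SUPER", 255, 255)
    dba = Subject(r"\NODEB", "DBA", "JONES", 200, 12)
    jsmith = Subject(local, alias="jsmith")
    everyone_local = ["*.*", 'ALIAS:"*"']          # as in the manual's examples
    print(acl_allows(everyone_local, super_super, super_super, local))  # True
    print(acl_allows(everyone_local, dba, dba, local))                  # False
    print(acl_allows([r"\*.200,*"], dba, dba, local))                   # True
    print(acl_allows(["GROUP.USER"], jsmith, jsmith, local))            # True
```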
Chapter 3. Node-Conditional Processing in the ACACL File
All XYGATE products have a file that defines the security rules supported by the product. There is an ACACL file per product per node. In many HP NonStop server networks, the ACACL file for any given product will be the same, or almost the same, on every, or almost every, NonStop server in the network. Rather than maintain many individual files, it is more convenient to maintain one master file and then duplicate that master file to every installation.
LIKE
Use LIKE when you wish to wildcard the names of nodes to include. You must use regular-expression style wildcarding. Refer to the XYGATE Regular Expressions manual (see “Additional XYPRO Reference Manuals” in the “Introduction” for instructions on how to get this and other XYPRO manuals).
3.2 Node Names or Patterns
The node name can be specified as an exact node name (including the leading backslash), or as a wildcarded pattern, using simple NonStop server-supported wildcards or regular expressions.
Example 1 shows how to simplify things if, due to a merger, the ID used to administer security is different on some nodes. In this situation, you can use an ACLGROUP with node-conditionals to designate the appropriate IDs on each node. If you then use the ACLGROUPs in FOGROUPs, PCGROUPs, HEGROUPs, etc.
!Selection Criteria: USER $DBA !\*.200,* (DBA's)
#IF @NODE LIKE "\\PROD.*"
MASK RE:"^\$S1D[0-9][0-9]\.DAT[RPB]064\..*" RE:"^\$S1D[0-9][0-9]\.EG.*\..*"
#ENDIF
#IF @NODE LIKE "\\DEV.*"
MASK RE:"^\$D1V[0-9][0-9]\.DAT[RPB]064\..*" RE:"^\$D1V[0-9][0-9]\.EG.*\..
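The node-conditional expansion described in this chapter, as an added Python example that is not DBSO's own code: it applies #IF @NODE LIKE "regex" ... #ENDIF blocks from a constructed master file to a given node name and rejects unbalanced directives, which is the kind of error a syntax check should catch before the master file is duplicated to every node. Only the LIKE form shown on this page is implemented; whole-name, case-insensitive matching and non-nested blocks are assumptions, and the master file below is modelled on Example 1 but constructed.

```python
"""Expand the #IF @NODE ... #ENDIF blocks of a master ACACL file for one node.

Added illustration, not DBSO's own code.  Only the form shown on this page,
    #IF @NODE LIKE "<regular expression>"
is implemented.  Assumptions: the node name must match the whole pattern,
case-insensitively; blocks do not nest; every other line (including '!'
comments) is copied through unchanged unless it sits inside a false block.
"""
import re
from typing import List, Optional

IF_RE = re.compile(r'^\s*#IF\s+@NODE\s+LIKE\s+"([^"]*)"\s*$', re.IGNORECASE)
ENDIF_RE = re.compile(r"^\s*#ENDIF\s*$", re.IGNORECASE)


def node_matches(pattern: str, node: str) -> bool:
    """LIKE comparison: the regular expression must cover the whole node name."""
    return re.fullmatch(pattern, node, re.IGNORECASE) is not None


def expand_for_node(master: str, node: str) -> List[str]:
    """Return the lines of `master` that apply on `node`, directives removed.

    Raises SyntaxError for a nested or unmatched #IF/#ENDIF, which is what a
    syntax check should reject before the file is shipped to any node.
    """
    out: List[str] = []
    keeping = True
    open_line: Optional[int] = None   # line number of the #IF currently open
    for lineno, line in enumerate(master.splitlines(), 1):
        m = IF_RE.match(line)
        if m:
            if open_line is not None:
                raise SyntaxError(
                    f"line {lineno}: #IF inside the #IF opened on line {open_line}")
            open_line = lineno
            keeping = node_matches(m.group(1), node)
            continue
        if ENDIF_RE.match(line):
            if open_line is None:
                raise SyntaxError(f"line {lineno}: #ENDIF without a matching #IF")
            open_line, keeping = None, True
            continue
        if keeping:
            out.append(line)
    if open_line is not None:
        raise SyntaxError(f"#IF on line {open_line} is never closed by #ENDIF")
    return out


# Constructed master file modelled on the manual's Example 1 (the selection
# criterion line and one MASK set per node family); the patterns are
# illustrative, not taken from any real installation.
MASTER = r'''!Selection Criteria: USER $DBA  !\*.200,* (DBA's)
USER $DBA
#IF @NODE LIKE "\\PROD.*"
MASK RE:"^\$S1D[0-9][0-9]\.DAT[RPB]064\..*" RE:"^\$S1D[0-9][0-9]\.EG.*\..*"
#ENDIF
#IF @NODE LIKE "\\DEV.*"
MASK RE:"^\$D1V[0-9][0-9]\.DAT[RPB]064\..*" RE:"^\$D1V[0-9][0-9]\.EG.*\..*"
#ENDIF
'''


def masks_for(node: str, master: str = MASTER) -> List[str]:
    """Convenience: just the MASK lines that survive expansion for `node`."""
    return [ln for ln in expand_for_node(master, node) if ln.startswith("MASK ")]


if __name__ == "__main__":
    for node in (r"\PROD1", r"\DEV2", r"\TEST"):
        print(f"--- {node} ---")
        print("\n".join(expand_for_node(MASTER, node)))
```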
Chapter 4. DBSO – The Database Server
The DBSO database server serves two functions in the XAC installation. As a running process, it provides command information to each new XAC session. Run with an ACACL filename or an ACCONF filename and keywords, it is limited to a single pass through these files, performing a variety of syntax and statistic checks. Every time DBSO reads the ACCONF, ACCONFCO or ACACL files, it generates a cryptographic checksum of the file.
4.
4.2 DBSO for Syntax and Statistics
When DBSO is run with any of the optional keywords or with an alternative ACACL or ACCONF filename, it runs in a single pass, displaying any syntax errors found and optionally displaying a variety of statistics.
The XAC macro XAC_SYNTAX_CHECK in the following example performs the same syntax check:
Example:
$SYSTEM.XYGATEAC 20> xac_syntax_check
XYGATEAC 5.75 XYPRO \N1 20991231 (see >CONFIG for Copyright)
ACCONF CHECKSUM 1651907125 ($SYSTEM.P06QA.ACCONF)
ACACL CHECKSUM 995061119 ($SYSTEM.P06QA.ACACL1)
No syntax errors found
4.2.
The XAC macro XAC_STATS performs the same check, as in the following example:
Example:
$VDEL DENNIS 2> XAC_STATS
XYGATEAC 5.75 XYPRO \N1 20991231 (see >CONFIG for Copyright)
ACCONF CHECKSUM 393627197 ($VNEO2.XAC570.ACCONF)
ACACL CHECKSUM 843002451 ($VNEO2.XAC570.
4.2.3 DSTATS
The DSTATS command displays the overall counts for the ACACL file and the individual message size for each entry, as in the following example:
Example:
$VNEO2 XAC575 5> RUN DBSO DSTATS
XYGATEAC 5.75 XYPRO \N1 20991231 (see >CONFIG for Copyright)
ACCONF CHECKSUM 393627197 ($VNEO2.XAC570.ACCONF)
ACACL CHECKSUM 843002451 ($VNEO2.XAC570.
XYGATE® Access Control Reference Manual Chapter 4. DBSO – The Database Server There are 10 individual command entries in the ACACL file. Three have a message length of 3766 bytes. The largest message size in the file is 4076 bytes. The maximum size of the message allowed is 16K bytes. The XAC macro XAC_DSTATS displays the same information as in the following example: Example: $VNEO2 XAC575 7> XAC6_DSTATS XYGATEAC 5.75 XYPRO \N1 20991231 (see >CONFIG for Copyright) ACCONF CHECKSUM 393627197 ($VNEO2.XAC570.
XYGATE® Access Control Reference Manual Chapter 4. DBSO – The Database Server You can also specify an alternative ACACL file to process as in the following example: Example: $SYSTEM.XGYATEAC 34> RUN DBSO DSTATS NEWACL XYGATEAC 5.75 XYPRO \N1 20991231 (see <
XYGATE® Access Control Reference Manual Chapter 4. DBSO – The Database Server The XAC macro XAC_COMMANDS displays the same information as in the following example: Example: 16> XAC_COMMANDS XYGATEP.TEST1 Checking commands for user XYGATEP.
Chapter 5. Command/User Access Matrix For many audit investigations, it is important to be able to show which users have access to which COMMANDS. Use the XAC_ACCESS_MAP macro to generate this information. (Refer to Appendix E7: on page 251.) 5.1 Procedure The following is the syntax for the XAC_ACCESS_MAP macro. Syntax: XAC_ACCESS_MAP
Sample output file:
TACL-STATIC-IP ,$SYSTEM.SYSNN.TACL,GROUP,USER,"Keystroke audited TACL",user,255,255,SUPER.SUPER
UPDATE-XAC-ACL ,$SYSTEM.SYSNN.TACL,222,233,"Updates the ACACL file",alias,222,233,ROBIN
UPDATE-XAC-ACL ,$SYSTEM.SYSNN.TACL,222,233,"Updates the ACACL file",alias,222,233,Robin
UPDATE-XAC-ACL ,$SYSTEM.SYSNN.TACL,222,233,"Updates the ACACL file",alias,222,233,SEC.LAURENTO9
UPDATE-XAC-ACL ,$SYSTEM.SYSNN.
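The XAC_ACCESS_MAP output is what an auditor actually has to read, so here is an added Python example (not part of the manual or of the XYGATE product) that parses that file into a command/user matrix and flags grants that run as a userid other than the invoker's own. The page shows no column header, so the column meanings are my reading of the sample; the FUP-255 row is constructed (its command name, description and USER 255,255 come from the ACACL sample in Appendix C, and XYPRO.LAUREN [222,233] from the Chapter 7 audit example), and the literal GROUP,USER in the run-as columns is assumed to mean "runs as the invoking user". Aliases are kept case-distinct (ROBIN and Robin), as the sample lists them.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: the four complete rows shown on this page plus one
# constructed FUP-255 row (the page's own fifth row is truncated and omitted).
SAMPLE_ACCESS_MAP = '''\
TACL-STATIC-IP ,$SYSTEM.SYSNN.TACL,GROUP,USER,"Keystroke audited TACL",user,255,255,SUPER.SUPER
UPDATE-XAC-ACL ,$SYSTEM.SYSNN.TACL,222,233,"Updates the ACACL file",alias,222,233,ROBIN
UPDATE-XAC-ACL ,$SYSTEM.SYSNN.TACL,222,233,"Updates the ACACL file",alias,222,233,Robin
UPDATE-XAC-ACL ,$SYSTEM.SYSNN.TACL,222,233,"Updates the ACACL file",alias,222,233,SEC.LAURENTO9
FUP-255 ,$SYSTEM.SYSNN.FUP,255,255,"FUP as SUPER.SUPER",user,222,233,XYPRO.LAUREN
'''

# Assumed column layout (the page shows no header line): command name, OBJECT
# program, run-as group, run-as user, DESCRIPTION, accessor type (user/alias),
# accessor group, accessor user, accessor login name.
COLUMNS = ('command', 'object', 'runas_group', 'runas_user', 'description',
           'accessor_type', 'accessor_group', 'accessor_user', 'login_name')

# Assumption: this literal in the run-as columns means "run as the invoker".
RUNS_AS_INVOKER = 'GROUP,USER'


def parse_access_map(text):
    """Parse XAC_ACCESS_MAP output into a list of dicts keyed by COLUMNS."""
    rows = []
    for lineno, fields in enumerate(csv.reader(io.StringIO(text)), 1):
        if not fields:
            continue
        if len(fields) != len(COLUMNS):
            raise ValueError(f'line {lineno}: expected {len(COLUMNS)} '
                             f'fields, got {len(fields)}')
        row = dict(zip(COLUMNS, (f.strip() for f in fields)))
        row['runas'] = f"{row['runas_group']},{row['runas_user']}"
        rows.append(row)
    return rows


def commands_by_user(rows):
    """Login name -> [(command, run-as userid)], in file order."""
    matrix = defaultdict(list)
    for r in rows:
        matrix[r['login_name']].append((r['command'], r['runas']))
    return dict(matrix)


def users_for_command(rows, command):
    """Sorted login names that can invoke `command`."""
    return sorted({r['login_name'] for r in rows if r['command'] == command})


def elevated_grants(rows):
    """(login, command, run-as) for rows that run as a userid other than the
    accessor's own underlying userid: the grants to justify first in an audit."""
    out = []
    for r in rows:
        own = f"{r['accessor_group']},{r['accessor_user']}"
        if r['runas'] not in (RUNS_AS_INVOKER, own):
            out.append((r['login_name'], r['command'], r['runas']))
    return out
```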
Chapter 6. EMS Message Format Templates A template is supplied on the installation subvolume to allow the audit lines written to EMS to be tokenized and organized as desired by the customer. Three files are supplied at installation to allow this customization. The three files are: 6.1 EMSBUILD A macro to build the template file based on the system templates and the EMSTEMP file. EMSDDL A DDL layout for the EMS message. EMSTEMP The TEMPLATE layout for the XYGATEAC messages.
Do you want the installation performed ? Y Building Dictionary with the following input file, please wait ?dictn $SYSTEM.XYGATEEM ! ?source $SYSTEM.ZSPIDEF.zspiddl ?source $SYSTEM.ZSPIDEF.zemsddl ?source $SYSTEM.XYGATEAC.EMSDDL Constant XAC-EVENT-COMMAND PAGE 176 $SYSTEM.XYGATEAC.EMSDDL [4] (16DEC94) SYSTEM \XYPRO DATE - TIME : 5/27/97 DICTIONARY SUBVOL: $SYSTEM.
1:ssid ( zems-val-ssid,zems-tkn-text) DSM TEMPLATE COMPILER - T9633D30 - (31OCT94) COPYRIGHT TANDEM COMPUTERS INCORPORATED 1989-1994 End of compilation Object file: $SYSTEM.XYGATEEM.EMSTEMPO Format templates: Override templates: Special templates: 4 0 2 Errors: Warnings: 0 0 Running TEMPLI with following input file: FILE $SYSTEM.SYS04.TEMPLATE FILE $SYSTEM.XYGATEEM.EMSTEMPO TANDEM.
Chapter 7. XAC Auditing and Audit Reports Up to nine audit locations can be defined for XAC. The audit information can be written to diskfiles, processes and IP addresses. The XAC software includes two macros (XAC_AUDIT_REPORT and XAC_REPORT) that will generate reports from audit information that is written to an ENSCRIBE file. 7.1 AUDIT File Considerations This section explains Audit file creation and rollover behavior in XAC. 7.1.
message will be written to the EMS log from each running XYGATEAC process that encounters the error. The audit file check will also be tried after a timeout occurs, if a timeout is defined, or after 5 minutes.
fi XYGAUDIT.ACL* $VIK.XYGAUDIT CODE EOF LAST MODIFIED OWNER RWEP PExt Sext ACL00015 3333 266240 30JUL2013 16:48 232,52 NNNC 300 300 ACL00016 3333 266240 25AUG2013 16:23 232,52 NNNC 300 300 $SYSTEM XYGATEAC 6> VOLUME $VIK.XYGATEAC $VIK XYGATEAC 7> RUN XAC INSTALL $VIK XYGATEAC 8> #OUTPUT [XAC_NEXTGEN XYGAUDIT.ACL] XYGAUDIT.
The default ENFORM temporary work file location is the <$vol.subvol> from which ENFORM is executed. The volume portion of the ENFORM temporary work file location can be changed via ASSIGNs, but the subvol portion cannot be changed. Therefore, the users must have Create and Write access to these files in the <$vol.subvol> from which the report macro is executed.
yyyy-mm-dd hh:mm XAC-O [ggg,uuu] Examples: 2001-04-02 11:08:53.362360XAC-C 00134A6C0AFD \XYS7000 [222,233] $ZTNP2.#PT7N8Y1 FUP-255 XYPRO.LAUREN 000001license $system.xygateac.xygateac 2001-04-02 11:32:06.141432XAC-O 00134A6DEDFE \XYS7000 [222,233] $ZTNP2.#PT7N8Y3 CALC-TEST-AUDITOUTPUT XYPRO.
This field contains the group number of the user ID of the user executing the command. When the user ID is an alias, this number is the group number of the underlying userid. 03 GROUP-NUMBER PIC 9(3). This field contains the user number of the user ID of the user executing the command. When the user ID is an alias, this number is the user number of the underlying userid. 03 USER-NUMBER PIC 9(3).
This field contains the group number of the userid that was named in TARGET-LOGIN-NAME. If TARGET-LOGIN-NAME is a Safeguard alias, then this field contains the group number of the userid that underlies the alias. 03 TARGET-GROUP-NUMBER PIC 9(3). This field contains the user number of the userid that was named in TARGET-LOGIN-NAME.
o Command failed because the user attempted to open a file prohibited by OPENSBYOBJECTS.
p Command failed because an incorrect password was entered at the PASSWORDTIMEOUT prompt.
r Command failed because the RUNCHECK keyword prohibited the use of the RUN xxx /IN .../ syntax.
s Command failed because there is a syntax error in the ACACL Command Entry.
t Command failed because the PORT check failed.
This field contains the command that was entered by the user. 03 USER-COMMAND PIC X(500). 7.5 XAC Report Formats There are four ways to display detailed information from the XAC audit files. Another report called COUNTS allows you to display information about which XAC Command Entries are being used and how often.
SESSION When the SESSION format is chosen, the information is sorted by session number. Each session is shown in order by the time of the first record of the session. Each set of XAC-C and, if output is displayed, XAC-O records is displayed together, regardless of userid.
LOGINNAME When the LOGINNAME format is chosen, the information is sorted by the LOGIN NAME of the user. LOGIN NAME can be a standard NSK userid or it can be an alias. Sample Audit Report Sorted by Loginname : XYPRO Technology Corporation \N1 Date produced: 29-APR-2010 XAC Activity by Login NameCLASS.USER8 Page: 1 Criteria: 2010-04-29 00:00 to 2010-04-29 23:59 File:\N1.$SYSTEM.XYGATEAC.
TIME When the TIME format is chosen, the information is sorted by the TIME at which the audit record was written. Sample Audit Report Sorted by TIME : XYPRO Technology Corporation \N1 Date produced: 29-APR-2010 XAC Activity by Time Page: 1 Criteria: 2010-04-29 00:00 to 2010-04-29 23:59 File:\N1.$SYSTEM.XYGATEAC.
COUNTS The COUNTS report summarizes the number of times each entry in the ACACL file is used. Sample Audit Report Sorted by COUNTS : XYPRO Technology Corporation \N1 XAC Date produced: 29-APR-2010 Criteria: 2010-04-10 00:00 to 2010-04-29 23:59 File:\N1.$SYSTEM.XYGATEAC.
7.6 Interactive XAC_REPORTs Ad-hoc reports can be obtained from the audit files by using the XAC-supplied report macro. The report macro is named based on the name selected for invoking XYGATEAC ACACL Command Entries. For example, if XAC was selected as the TACL Macro to invoke XYGATEAC commands, the invocation for the ad-hoc report macro would be XAC_REPORT.
If you press ZP, the XAC_REPORT macro will generate the report and put you into PERUSE. When you have examined, printed or written the report to an edit file, and type EXIT, you will be returned to the Report Selection screen where you may resume report selection. To CLOSE the Report Selection screen, select X to return to your TACL prompt. A: Audit File Enter the name of the audit file you want to use to generate the report.
To choose a date range, select B. Example: Selection? B If the leading portion of a date is omitted it will default to today's date, i.e.
E: Subject Terminal You may limit your report to processing done from a selected terminal or group of terminals. You may enter a valid terminal name or an asterisk ( * ) to include all terminals. If you enter a portion of a terminal name, all terminals containing the entry will be included in the report. For example, if you enter ZTNP, any TCP/IP terminals identified by those letters will be included in the report.
H: Violations Only You may choose to have only audit records where the COMMAND-STATUS field is not blank displayed. A non-blank status means that an error of some sort occurred. Example: Selection? H Do you want to only see Violations ? YES Only records with an error will be printed. I: Output File The XAC_REPORT macro puts a job in the spooler called $S.#XYGATE.ACCESS. To change the spooler location, select I.
K: User Specified Title You can assign a custom title to your report. To enter the title, select K and enter the desired information.
If you put an asterisk ( * ) at the end of the string, XAC will include in the report any IP address that begins with the entry. Example IP Address: 123* finds all IP addresses starting with 123. 205* finds all IP addresses starting with 205. If you enter an IP address without either a leading or trailing asterisk, then XAC will only include the IP addresses that exactly match the IP address you have entered.
ZP: Run the Report and Go Directly into Peruse When you select ZP to create the report, the XAC_REPORT macro will generate the report and put you directly into PERUSE. When you have examined, printed, or written the report to an edit file, and typed EXIT, you will be returned to the XAC Report Selection screen where you may change your selections and create another report.
7.7 Batch XAC_AUDIT_REPORTs The XAC_AUDIT_REPORT macro is used to generate the same report in a batch manner as XAC_REPORT does interactively. With the addition of the XAC_DATETIME_MAKE macro, a batch report can be written to provide periodic reports.
Chapter 8. OSS Auditing XAC can audit OSS activity. 8.1 Configuring ACACL Command Entries for OSS The keyword AUTHENTICATE_USER is required to force the login prompt to be displayed. XAC processes the login and then starts the OSS shell. Example: COMMAND OSS-AUDITED-SHELL !The command starts an OSS shell for a regular user. The user !must enter the user's own OSS space userid. !XYGATE/OA is used to mediate OSS access.
8.2 Starting Audited OSS Sessions Once the ACACL Command Entry has been defined, it can be added to the TELNET services list so the user can enter it at the TELNET service prompt. A sample TELNET definition is the following: Example: 4> xac scf-255 XYGATEAC 5.75 XYPRO \N1 20991231 (see <
When XYGATEOA, which is the OBJECT program of the OSS-AUDITED-SHELL (shown in the Example of section 8.1 above), is started, XYGATEAC will start auditing the activities on the XYGATEOA session. Welcome to the XYPRO Technology Corporation Computing Facility \N1. Last Logon: 25 AUG 2013, 07:42 Last Unsuccessful Attempt: 25 AUG 2013, 06:42 Total Failures: 115 XYGATEAC 5.
K: User specified title :*
L: User Input :*
M: IP Address :*
N: Display all characters:No
X: Exit the report macro
Z: Run the audit report
ZP: Run the audit report and go into PERUSE and return here
Hit Break or Control-Y to terminate
Selection?b
If the leading portion of a date is omitted it will default to today's date, i.e.
Criteria: 2013-08-25 07:41 to 2013-08-25 23:59 File:$VIK.XAC575.AUDIT MM-DD-YYYY HH:MM Login name SeqNum ---------- ----- -------------------------------- ------ XAC Command=OSS-AUDITED-SHELL Session=001C66323DF8 System= 08-25-2013 07:42 QA.IK 1 Cmd: LOGON qa.ik 08-25-2013 07:42 QA.IK 2 Cmd: Good password at authenticate prompt 08-25-2013 07:42 QA.IK 3 Cmd: -xac 08-25-2013 07:42 QA.IK 4 Out: /G/VIK/IK: 08-25-2013 07:42 QA.
MM-DD-YYYY HH:MM Login name SeqNum ---------- ----- -------------------------------- ----- 08-25-2013 07:42 QA.IK Out: Sun Aug 25 07:42:42 PDT 2013 08-25-2013 07:42 QA.IK Out: /G/VIK/IK: 08-25-2013 07:43 QA.IK Cmd: 08-25-2013 07:43 QA.IK Out: /G/VIK/IK: 08-25-2013 07:43 QA.IK Cmd: 08-25-2013 07:43 QA.
Appendix A: The ACCONF File The ACCONF file is an edit file that configures global values and is kept in the same volume and subvolume as the XYGATEAC object file. The ACCONF file contains the keywords that define the external functionality of the XAC process. Important! Many of the keywords in the ACCONF file set the general condition of the software execution and can be overridden at the ACACL level for individual groups of userids.
MONITOR_DEFINE_ALLOWED { ON | OFF } OBEYFILES $.
A2: Sample ACCONF File The ACCONF file configures global values. The following is a sample ACCONF file. !Audit File Definitions AUDIT $0 EMS CONSOLEPRINT AUDIT \MASTER.$LOGS.NODE1.ACCRITCL CRITICAL AUDIT $WORK.XYLOGS.XACAUDIT AUDIT $ZTC0 IP 208.999.151.70:514 DETAIL INVOKE AUDIT $ZTC0 IP 10.1.1.
A3: AUDIT (Filename) This keyword determines the audit file specifications when a filename is defined. Refer to Chapter 7, “XAC Auditing and Audit Reports” for more information. Syntax: AUDIT [DETAIL] [INVOKE] [CRITICAL] [EXT(pri,sec,max)] [NO_ROLL_MSGS] DETAIL The optional DETAIL sub-keyword includes audit of specific tasks or commands that were performed by the user in this session.
Example 4: EMS error 45 message on $VIK.XYLOGS.XAC, but no Error 45 on $VIK.XYLOG.XAC 13-08-25 17:13:10 \N1.0,840 13-08-25 17:13:10 \N1.0,840 13-08-25 17:13:10 \N1.0,840 13-08-25 17:13:10 \N1.0,840 13-08-25 17:13:10 \N1.0,840 XYPRO Technology Corporation TANDEM.EMS.H01 000512 XYGATEAC Error 0045 on audit file $VIK.XYLOGS.XAC, retrying TANDEM.EMS.H01 000512 XYGATEAC Audit file renamed from $VIK.XYLOGS.XAC to $VIK.XYLOGS.XAC00003 TANDEM.
A4: AUDIT (Process Name) Any one of the nine available AUDIT keyword entries can be defined as a process audit trail. The most common process audits are EMS and printing to the CONSOLE. Refer to Chapter 7, “XAC Auditing and Audit Reports” for more information.
Example 3: Print XAC Audit log through EMS distributor $VIK IK 13> EMSDIST TYPE p, COLLECTOR $IKXAC, TEXTOUT [#MYTERM] 13-08-25 18:06:27 \N1.$Y0MV XYPRO.6.B00 000002 2013-08-25 18:06:27.754816XAC-I 001C666B65F2 [232,052] $VIK.IK $IKTEL.#PTT7BDE FUP-255 \N1.$X99N:514445249 \N1.$Y0MV:522246849 \N1.$Y0M W:522247105 QA.IK SUPER.SUPER 255255 13-08-25 18:06:27 \N1.$Y0MV XYPRO.6.B00 000003 2013-08-25 18:06:27.
A5: AUDIT (IP Process Name) Any one of the nine available AUDIT keyword entries can be defined as an IP address. This section deals with the IP address form of the AUDIT specification. Refer to Chapter 7, “XAC Auditing and Audit Reports” for more information.
< AUDIT message > <134>NonStop \N1 2013-09-04 17:30:50.106469XAC-I 001C6B8E7EE5 $VIK.XAC575 $IKTEL.#PTT7BF0 FUP-255 \N1.$Z8TQ:617356225 \N1.$X26K:627766721 \N1.$X26L:627766977 QA.IK 255255 [232,052] SUPER.SUPER SYSLOG_CRITICAL_PREFIX The optional SYSLOG_CRITICAL_PREFIX sub-keyword specifies text that will be prepended to any denied audit message being written to the IP address.
A6: BLOCKMODE_AUDIT This keyword determines whether the individual function keys pressed by the XYGATEAC session user will be audited. If BLOCKMODE_AUDIT is set to ON, the individual function keys will be audited. If it is set to OFF, they will not. Hidden fields will not be audited so that user names and passwords will not appear in XAC’s audit trail.
A8: COLLECTOR This keyword sets the name of the default spooler collector to use for report generation using the XAC_REPORT macro. Syntax: COLLECTOR Example: COLLECTOR $S2 If this keyword is omitted from the ACCONF file, the $S collector will be used as the default. A9: COMMANDESCAPE This keyword sets the command escape lead-in character(s).
A11: DEVICEINFO_LINE_REPLY This keyword controls the value that is returned when a DEVICEINFO call is made against the XAC process. This is similar to the DEVICEINFO_REPLY keyword in the ACACL that deals with DEVICEINFO calls made to the XAC .#IN subdevice.
A13: EMS_CRITICAL_IF_DENIED This keyword causes XAC to set the critical flag on an EMS audit message that reports an attempt by a user to execute an unauthorized ACACL Command Entry. This keyword only applies when at least one of the AUDIT entries points to EMS. Having the critical flag set can affect the behavior of some EMS management products.
A15: HOMETERM This keyword causes the database server (DBSO) to set its hometerm to the specified . Syntax: HOMETERM Example: HOMETERM $MYOPS.#CLI A16: IPMAP In order for XAC to be able to capture the IP address in a session encrypted via XHE, XAC must query the IPMAP file in XYGATEHE’s subvolume. The IPMAP keyword specifies the XYGATEHE subvolume. The IPMAP file is maintained by XYGATEHE. Syntax: IPMAP <$vol.
A18: MONITOR This keyword defines the output file for the detailed internal trace information generated by a XYGATEAC process that is executing an ACACL Command Entry which has the MONITOR keyword set. The parameters are defined as: Syntax: MONITOR { HOMETERMINAL | } The HOMETERMINAL parameter causes the monitor information to be written to the current terminal. The parameter is an existing HP NonStop filename.
A20: OBEYFILES This keyword sets the default volume and subvolume to be used in expanding filenames referenced by the FILE or OBEY keywords in an ACACL Command Entry. Syntax: OBEYFILES $. Example: OBEYFILES $SYSTEM.
A21: OBEY_PROMPT This keyword suppresses the prefixing of obey file input line(s) with the current prompt when the input files are displayed. Syntax: OBEY_PROMPT {ON | OFF} Example 1: OBEY_PROMPT ON Input lines display: $SYSTEM.XYGATEAC 1> OBEY obeytst $SYSTEM.XYGATEAC 1> fileinfo acacl $SYSTEM.XYGATEAC CODE EOF LAST MODIFIED OWNER RWEP ACACL 101 39374 01JUL2004 7:54 222,212 CCCC PExt 16 SExt 16 $SYSTEM.
A22: PASSONTIMEOUT This keyword controls whether the creator process is informed when a XYGATEAC process times out. If PASSONTIMEOUT is ON and XAC was invoked from a TACL via the XAC macro and the XYGATEAC process times out, then the invoking TACL will be logged off. Execution of the XYGATEAC object file without the XAC macro will receive a timeout message from XYGATEAC and may process the timeout information differently.
A25: PRIORITY This keyword sets the priority at which each XYGATEAC process runs. If the XYGATEAC process starts the DBSO object file (Database Server process), then the priority of the Database Server process is one greater than this value. Syntax: PRIORITY Example: PRI 150 The priority of individual processes is set using the ACACL keyword PRI.
A28: SHUTDOWN_MESSAGES This keyword determines whether the extra messages that XYGATEAC receives after the OBJECT program and its subordinates have terminated are displayed.
A31: TIMEOUT This entry configures the XYGATEAC process to use this value as a user input TIMEOUT (in seconds) for any programs run under its control. When the timeout occurs in conversational mode, an error 1 (end-of-file) is returned to the application. When the timeout occurs in block mode, an error 60 (device is down) is returned to the application.
A33: USER_SWITCH By default, when a process creates another process, the created process inherits the PAID and LOGONNAME of the creator. On the other hand, XYGATEAC uses the userid specified next to the USER keyword when XYGATEAC creates a process, but it may not use the userid as LOGONNAME. This depends on the USER_SWITCH values. The USER_SWITCH keyword modifies the manner in which XYGATEAC changes userids.
• If you need the USER in an XAC command to be an alias, you must use SWITCH, LOGON, or SAFEGUARD_PRIVLOGON. If you choose SWITCH and enter an alias as the USER, then the command will actually run as the alias’ underlying userid.
• If your site uses Safeguard FILE-SHARING GROUPS, you must use LOGON, PRIVLOGON or SAFEGUARD_PRIVLOGON.
Example 1: XAC Command Entry where USER argument is an alias COMMAND test USER ALIAS:"super-super-alias" ! underlying userid is 255,255 ACL $EVERYONE OBJECT $SYSTEM.SYSNN.
2. LOGON When USER_SWITCH is set to LOGON, file sharing groups are completely supported. PASSWORD-REQUIRED must be set to OFF in Safeguard. The USER keyword in the ACACL entry can be set to a userid or a Safeguard alias. If it is set to an alias, the COMMAND will actually run as the alias.
3. PRIVLOGON When USER_SWITCH is set to PRIVLOGON, file sharing groups are supported for Guardian userids, but not Safeguard aliases. PASSWORD-REQUIRED does not have to be set to OFF. The USER keyword in the ACACL COMMAND can be set to a userid but not to a Safeguard alias.
Example 1: XAC Command Entry - USER argument is an alias COMMAND test USER ALIAS: "ROLE" ! underlying userid is 223,24 ACL $EVERYONE OBJECT $SYSTEM.SYSNN.
In order to use the SAFEGUARD_PRIVLOGON option, create a Safeguard DISKFILE Protection Record for the XYGATEAC object file and set attribute PRIV-LOGON to ON as shown below. Example 5: The DISKFILE Protection Record for the XAC Object File LAST-MODIFIED OWNER STATUS WARNING-MODE $SYSTEM.XYGATEAC XYGATEAC 10AUG08, 1:01 \*.253,1 THAWED OFF \*.253,1 \*.
AUDIT_ACCESS_PASS AUDIT_ACCESS_FAIL OFF ON The default value of USER_SWITCH is SWITCH, which does not change the previous functionality of XYGATEAC. The value of this keyword can be overridden by the USER_SWITCH keyword in the ACACL Command entry. This keyword can be used in the ACCONF or in individual COMMANDs in the ACACL file. The value set in the ACACL Command entry will always override the value set in the ACCONF file.
Appendix B: The ACCONFCO File The ACCONFCO (XYGATEAC Company Configuration) is an optional edit file and is kept in the same volume and subvolume as the XYGATEAC object file. The ACCONFCO file contains the configuration options that determine what userid limitations will be enforced on the USER keyword in the ACACL file. The ACCONFCO file can be used to allow the delegation of XAC maintenance to subordinate security administrators.
B4: AUDIT (IP Address Form) This keyword determines the audit file specifications when an IP address is defined. Refer to Appendix A5: “AUDIT (IP Process Name).” B5: USER_ACL The USER_ACL list is specified as a set of userids or aliases that are valid arguments for the USER keyword in all of the entries in the ACACL file. Syntax: USER_ACL Example: USER_ACL *.* NOT SUPER.
Appendix C: The ACACL File The ACACL file is an edit file located in the same volume and subvolume as the XYGATEAC object file. The ACACL file contains ACLGROUP definitions (refer to section 2.7.3, “ACLGROUPs” on page 40) and ACACL Command Entries (starting on page 138). These two types of entries contain all the information necessary for XAC to execute commands for a NonStop Kernel user.
NULLNULLSTOP !When the logoff happens, stop. !Ensure that anyone using this command re-enters the user's !password for userid validation. VERIFYUSER $EVERYONE !Replace the word that follows a PASSWORD command or subcommand !with 8 pound signs in the audit. BLANKPASSWORD !If V or VOLUME is used to change volume, change XYGATE/AC's obey !file default too. TRACKVOLUME FC !Use simple FC !FC is valid at commands that end with this prompt.
ACL $SUPER START_LOGGED_ON !Ensure the segment of macros is there INPUT "RUN $VIK.XAC575.X575 INSTALL" !Start macro to record information INPUT "XAC_RUN_MACRO -PLAIN -BREAK $VIK.XAC575.PRMPTMAC" ALIAS_ALL_PROCESSES ALIAS "O " ">OBEY " ALIAS "OBEY " ">OBEY " ALIAS "O$" ">OBEY $" ALIAS "O\" ">OBEY \" NULLNULLSTOP VERIFYUSER $EVERYONE BLANKPASSWORD TRACKVOLUME FC FCPROMPT "> " OPENSBYOBJECTS \*.$*.*.
FC FCPROMPT "> " OPENSBYOBJECTS \*.$*.*.* TIMEOUT 1800 !Use simple FC !FC is valid at a prompt ending in this !Allow all subordinate programs !Terminate after 30 minutes of inactivity COMMAND TACL-ASYNCH !This command is used to put a keystroke audited TACL on an asynchronous !terminal. It should be started as part of the system startup. No !other TACL should be started for a terminal that is using this one.
COMMAND TACL-STATIC-IP ! !This command is designed to be used as the standard startup for TACLs !attached to a static IP port. ! DESCRIPTION "Keystroke audited TACL" USER 255,255 ACL $EVERYONE OBJECT $SYSTEM.SYSNN.
COMMAND EDIT-255 !This command starts EDIT as the SUPER.SUPER userid. DESCRIPTION "Edit as SUPER.SUPER" USER 255,255 OBJECT $SYSTEM.SYSTEM.EDIT ACL $SUPER FC? FCPROMPT "*" TIMEOUT 900 OPENSBYOBJECTS $SYSTEM.SYSTEM.VS $SYSTEM.SYSTEM.TEDIT COMMAND FUP-255 ! This command is used to execute FUP as SUPER.SUPER DESCRIPTION "FUP as SUPER.SUPER" USER 255,255 OBJECT $SYSTEM.SYSNN.
!*** NOTE **** This disables SQLCI's internal FC !All commands will be audited BUT only ONE-LINE commands are permitted. !Comment-out FC and FCPROMPT to return to SQLCI's internal FC. FC? FCPROMPT ">>" COMMAND MEDIACOM-255 !This command is designed to let privileged users have access to !an audited MEDIACOM running as SUPER.SUPER DESCRIPTION "MEDIACOM as SUPER.SUPER" USER 255,255 OBJECT $SYSTEM.SYSNN.
COMMAND XMA-PWSTOP !This command is designed to set up a macro for users that !administer XYGATE/MA. DESCRIPTION "Stops the XMA pathway" USER 232,52 !This should be XYGATE/MA owner OBJECT $SYSTEM.SYSNN.TACL ACL $SECURITY SUPPRESSUNTILPROMPT NOCOPYRIGHT QUIET START_LOGGED_ON INPUT "#SET #BREAKMODE DISABLE" !Disable break key !Fix the line below to point to your XYGATE/MA installation subvol INPUT "RUN $SYSTEM.XYGATEMA.
INPUT "XYGATEAC_RUN_MACRO -EXIT -PLAIN -BREAK XMA_PWCOLD" !If macro times out, do not send timeout to starting process PASSONTIMEOUT OFF OPENSBYOBJECTS \*.$*.*.* !Allow all subordinates to be started VERIFYUSER $EVERYONE TRACKVOLUME PASSWORDTIMEOUT 60 COMMAND OSS-AUDITED-SHELL !The command starts an OSS shell for a regular user. The user !must enter the user's own OSS space userid. !XYGATE/OA is used to mediate OSS access.
XYGATE® Access Control Reference Manual Appendix C: The ACACL File COMMAND CMDINFO ! Security can list all cmds for a given user." DESCRIPTION "Usage: X575 cmdinfo " OBJECT $VIK.XAC575.DBSO USER SUPER.SUPER ! fill in appropriate SEC.ADMIN ID here ACL $SECURITY STARTUP "commands %*" PERCENT ON PASSONTIMEOUT OFF NOAUDIT COMMAND MYCMDS ! Users can an list all cmds for a given user." DESCRIPTION "Each user's XAC COMMANDS" OBJECT $VIK.XAC575.DBSO USER GROUP.
XYGATE® Access Control Reference Manual Appendix C: The ACACL File PERCENT ON INPUT "#SET #BREAKMODE DISABLE" !Fix the line below to point to your XYGATEOS installation subvol INPUT "RUN $SYSTEM.XYGATEOS.XOS INSTALL" INPUT "RUN $VIK.XAC575.X575 INSTALL" INPUT "XYGATEAC_RUN_MACRO -exit -plain -break XOS_OSSSEEP_ADD_MULTI %*" PASSONTIMEOUT OFF OPENSBYOBJECTS \*.$*.*.
XYGATE® Access Control Reference Manual Appendix C: The ACACL File SUPPRESSUNTILPROMPT NOCOPYRIGHT QUIET START_LOGGED_ON PERCENT ON INPUT "#SET #BREAKMODE DISABLE" !Fix the line below to point to your XYGATEOS installation subvol INPUT "RUN $SYSTEM.XYGATEOS.XOS INSTALL" INPUT "RUN $VIK.XAC575.X575 INSTALL" INPUT "XYGATEAC_RUN_MACRO -exit -plain -break XOS_FILESET_ENABLE %1" PASSONTIMEOUT OFF OPENSBYOBJECTS \*.$*.*.
XYGATE® Access Control Reference Manual Appendix C: The ACACL File COMMAND STATUS-OSS-SEEP !Does Status on XOS's OSS Environment DESCRIPTION "Usage: X575 STATUS-OSS-SEEP" USER 255,1 !Must be in SUPER gp but cannot be SUPER.SUPER OBJECT $SYSTEM.SYSNN.TACL ACL $SECURITY SUPPRESSUNTILPROMPT NOCOPYRIGHT QUIET START_LOGGED_ON INPUT "#SET #BREAKMODE DISABLE" !Fix the line below to point to your XYGATEOS installation subvol INPUT "RUN $SYSTEM.XYGATEOS.XOS INSTALL" INPUT "RUN $VIK.XAC575.
C2: ACACL Command File Limits

The ACACL Command File is loaded into the memory of DBSO. Limits on the individual keywords and on the overall number of commands depend on the size of the message between XYGATEAC and DBSO.

Single Command Limits

The total size of the message sent from DBSO to XYGATEAC to define an ACACL entry can be a maximum of 16384 characters.

Limits on ACACL File Command Entries

Various keywords have limits on the number of times they can occur in an ACACL file. The following list shows the keywords for which there are limits and the current limit.

Keyword                        Limit
COMMAND                        2,000 Command Entries in an ACACL file.
ACLGROUP                       200
ACL / VERIFYUSER / AUDITUSER   Userid specification is limited to 32,767 users, with a completely specified userid (PROD.

C3: ACACL Command Entries

The COMMAND keyword defines the name of an XAC ACACL Command Entry and must be the first line of the entry. Three more keywords are required to minimally define an ACACL Command Entry: USER, OBJECT and ACL (starting on page 141). The DESCRIPTION keyword is optional but highly recommended. An entry may also contain one or more of the optional keywords listed in Appendix C4: starting on page 146.

ACL
A list of valid userids that will be able to execute the ACACL Command Entry. Note that, for security reasons, XYGATEAC will declare this ACACL command invalid with a syntax error if any non-valid userid is used, or if a userid that is part of an ACL keyword of an ACACL Command Entry is deleted.
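The rules above (the three required keywords, the recommended DESCRIPTION) and the limits in C2 can be checked before DBSO loads the file. The following Python script is an added example and is not part of XYGATE or of this manual. It parses ACACL text using the layout seen in the listings in this appendix (one keyword per line, a leading "!" or a " !" starts a comment, COMMAND opens each entry) and reports violations of the documented limits: 2,000 COMMAND entries per file, 16,384 characters per entry (the text size is used as a proxy for the DBSO message size), 20 INPUT lines per entry (C41), 100 OPENSBYOBJECTS names per entry and 800 per file (C60), and the mutually exclusive pairs FILE/OBEY, START_LOGGED_ON/START_LOGGED_OFF and BANNER_CONNECT/BANNER_FIRSTIO (C36, C58, C79, C16/C17). Counting OPENSBYOBJECTS by object name rather than by keyword line is an assumption. The sample file is constructed from the EDIT-255 entry above plus a deliberately broken entry.

```python
"""Lint an ACACL command file against the rules in C2 and C3 of this appendix.

Added example, not part of XYGATE. Assumptions about the file layout, taken
from the listings in this appendix: one keyword per line, a line starting
with '!' (or anything after ' !') is a comment, COMMAND opens each entry.
"""
import re
from collections import Counter

REQUIRED = ("USER", "OBJECT", "ACL")                   # C3
EXCLUSIVE = (("FILE", "OBEY"),                         # C36 / C58
             ("START_LOGGED_ON", "START_LOGGED_OFF"),  # C79
             ("BANNER_CONNECT", "BANNER_FIRSTIO"))     # C16 / C17
MAX_COMMANDS = 2000        # C2: COMMAND entries per file
MAX_ENTRY_CHARS = 16384    # C2: DBSO -> XYGATEAC message per entry (text size used as proxy)
MAX_INPUT = 20             # C41: INPUT lines per entry
MAX_OPENS_PER_ENTRY = 100  # C60 (assumption: counts object names, not keyword lines)
MAX_OPENS_PER_FILE = 800   # C60


def parse_acacl(text):
    """Return a list of entries; each is {'name', 'kw': [(keyword, args)], 'chars'}."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        line = re.split(r"\s!", line, maxsplit=1)[0].rstrip()   # strip trailing comment
        keyword, _, args = line.partition(" ")
        keyword, args = keyword.upper(), args.strip()
        if keyword == "COMMAND":
            current = {"name": args, "kw": [], "chars": 0}
            entries.append(current)
        elif current is None:
            raise ValueError("keyword %s before the first COMMAND" % keyword)
        current["kw"].append((keyword, args))
        current["chars"] += len(line) + 1
    return entries


def lint(text):
    """Return a list of problems (empty means the file satisfies the documented rules)."""
    problems = []
    entries = parse_acacl(text)
    if len(entries) > MAX_COMMANDS:
        problems.append("file has %d COMMAND entries (limit %d)" % (len(entries), MAX_COMMANDS))
    for name, n in Counter(e["name"].upper() for e in entries).items():
        if n > 1:
            problems.append("COMMAND %s is defined %d times" % (name, n))
    total_opens = 0
    for e in entries:
        tag = "COMMAND %s:" % e["name"]
        kws = Counter(k for k, _ in e["kw"])
        for req in REQUIRED:
            if req not in kws:
                problems.append("%s missing required keyword %s" % (tag, req))
        if "DESCRIPTION" not in kws:
            problems.append("%s no DESCRIPTION (optional but recommended)" % tag)
        for a, b in EXCLUSIVE:
            if a in kws and b in kws:
                problems.append("%s %s and %s are mutually exclusive" % (tag, a, b))
        if kws["INPUT"] > MAX_INPUT:
            problems.append("%s %d INPUT lines (limit %d)" % (tag, kws["INPUT"], MAX_INPUT))
        opens = sum(len(args.split()) for k, args in e["kw"] if k == "OPENSBYOBJECTS")
        total_opens += opens
        if opens > MAX_OPENS_PER_ENTRY:
            problems.append("%s %d OPENSBYOBJECTS names (limit %d)" % (tag, opens, MAX_OPENS_PER_ENTRY))
        if e["chars"] > MAX_ENTRY_CHARS:
            problems.append("%s entry is %d characters (limit %d)" % (tag, e["chars"], MAX_ENTRY_CHARS))
    if total_opens > MAX_OPENS_PER_FILE:
        problems.append("file lists %d OPENSBYOBJECTS names (limit %d)" % (total_opens, MAX_OPENS_PER_FILE))
    return problems


# Constructed sample: the EDIT-255 entry from this appendix plus a deliberately broken entry.
SAMPLE_ACACL = """\
COMMAND EDIT-255
!This command starts EDIT as the SUPER.SUPER userid.
DESCRIPTION "Edit as SUPER.SUPER"
USER 255,255
OBJECT $SYSTEM.SYSTEM.EDIT
ACL $SUPER
FC?
FCPROMPT "*"
TIMEOUT 900
OPENSBYOBJECTS $SYSTEM.SYSTEM.VS $SYSTEM.SYSTEM.TEDIT
COMMAND BROKEN-TACL
USER 255,255 ! OBJECT and ACL are missing
START_LOGGED_ON
START_LOGGED_OFF
FILE $WORK.OPER.AMSTART
OBEY $WORK.OPER.AMSTART
"""

if __name__ == "__main__":
    for problem in lint(SAMPLE_ACACL):
        print(problem)
```

Run it against the real ACACL file before loading it; an entry that fails the USER/OBJECT/ACL check is the same entry that XYGATEAC will reject with a syntax error, and an entry that pairs FILE with OBEY or START_LOGGED_ON with START_LOGGED_OFF is one whose behaviour this appendix does not define.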
The above COMMAND will execute TACL as the user who invokes the COMMAND. When this TACL is started, it runs the SETVIIP macro, which sets a variable with the TCP/IP address that is needed for Visual Inspect. If you prefer, users who will run Visual Inspect can also run the SETVIIP macro from their TACLCSTM files by adding the following line:

Run $..SETVIIP

Where $. represents the XYGATEAC location on your system.

The ACACL Command Entry for TACLs started by MLRM can be:

COMMAND SYSTEM-SYSNN-MLRM
DESCRIPTION "TACL for Multilan"
USER GROUP,USER
OBJECT $SYSTEM.SYSNN.TACL
ACL \*.*.* NOT PROD.APPL
START_LOGGED_OFF
TRACKUSERID
EXECUTEHANGUP
NULLNULLNOCMDESC
BLANKPASSWORD
AUDITUSER \*.*.*
TIMEOUT 900
OPENSBYOBJECTS \*.$*.*.*
STOPONERROR 140,190,191
DONOTSTOP $SYSTEM.SYSTEM.

Note: Due to current operating system restrictions, if USER is specified as ALIAS:"", the actual PAID of the process will be the underlying userid to which the alias was assigned when it was created in Safeguard.

In the Example below, this XAC ACACL Command Entry runs as SUPER.OPERATOR. Only users in group 10 can execute this command.

Example:
COMMAND TCPIPUP
DESCRIPTION "Uses SCF to INITIATE TCPIP processes"
USER SUPER.

The Example below starts a TACL with a PAID equal to the userid that the Safeguard Alias MailMgr is assigned to. It can be used by any user logged on using a Safeguard Alias that begins with Oper.

Example:
COMMAND MAIL-UP
USER ALIAS:"MailMgr"
OBJECT $SYSTEM.SYSNN.TACL
ACL ALIAS:"Oper*"

OBJECT
The OBJECT keyword specifies the name of an HP NonStop object file to be executed.

ACL
The ACL keyword specifies the list of users who can execute this ACACL Command Entry. Each userid in the list is specified in one of the following forms (placeholders shown in angle brackets):

<group>.<user>
<group>,<user>
\<node>.<group>.<user>
\<node>.<group>,<user>
ALIAS:"<alias>"
ALIAS:"\<node>.<alias>"
UNDERLYING:<group>.<user>
UNDERLYING:<group>,<user>
NETUNDERLYING:\<node>.<group>.<user>

Node names in the ACL keyword can be specified with wildcarding components. The wildcard characters are:

?   match one letter or number
*   match the rest of the string
@   match any ALPHA character
+   match any NUMERIC character

Example:
COMMAND CHECK-SPOOL
USER 255,255
OBJECT $SYSTEM.SYSNN.TACL
ACL \N1*.255,* ALIAS:"\N1*.Super-*"
FILE $SYSTEM.OBEY.
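The wildcard table and the userid forms above can be exercised offline. The following Python module is an added example (not XYGATE code, and not a description of how XYGATEAC resolves userids internally) that turns an ACL string such as the CHECK-SPOOL entry's ACL into a decision for a given identity. Its assumptions are stated in the docstring: the four wildcard characters are accepted in the group, user and alias components as well as the node component (the examples ACL TECH.* and ALIAS:"Oper*" suggest this), comparisons are case-insensitive, an identity or pattern without a node refers to the local node (named \LOCAL here as a placeholder), $EVERYONE matches everyone, ACLGROUP names such as $SUPER are not expanded, NOT excludes and wins over any grant, and name and number forms (TECH.RALPH versus 70,5) are not cross-resolved against Safeguard.

```python
"""Evaluate an ACACL ACL list against a requesting identity.

Added example, not XYGATE code. Implements the wildcard characters of C3
(? * @ +). Assumptions: the same wildcards are accepted in the group, user and
alias components as in the node component; comparisons are case-insensitive;
an identity or pattern without a node refers to the local node; $EVERYONE
matches everyone; ACLGROUP names such as $SUPER are not expanded; NOT
excludes and wins over any grant; name and number forms are not cross-resolved.
"""
import re

_WILD = {"?": "[A-Z0-9]", "*": ".*", "@": "[A-Z]", "+": "[0-9]"}
LOCAL_NODE = "\\LOCAL"   # placeholder name for the local system


def wildcard_to_regex(pattern):
    """Translate one XAC wildcard pattern into an anchored, case-insensitive regex."""
    body = "".join(_WILD.get(ch, re.escape(ch)) for ch in pattern)
    return re.compile("^" + body + "$", re.IGNORECASE)


def split_identity(spec):
    """'\\N1*.255,*' -> ('\\N1*', 'user', '255,*'); ALIAS:"\\N1.Super-1" ->
    ('\\N1', 'alias', 'Super-1'); 'TECH.RALPH' -> (None, 'user', 'TECH.RALPH')."""
    kind = "user"
    if spec.upper().startswith("ALIAS:"):
        kind, spec = "alias", spec[6:].strip('"')
    node = None
    if spec.startswith("\\"):
        node, _, spec = spec.partition(".")
    return node, kind, spec


def acl_matches(acl, identity, local_node=LOCAL_NODE):
    """True if identity satisfies the ACL string, e.g. acl_matches(
    r'\\*.*.* NOT PROD.APPL', 'PROD.OWNER')."""
    id_node, id_kind, id_principal = split_identity(identity)
    id_node = id_node or local_node
    granted, negate = False, False
    for token in acl.split():
        if token.upper() == "NOT":
            negate = True
            continue
        if token.upper() == "$EVERYONE":
            hit = True
        else:
            p_node, p_kind, p_principal = split_identity(token)
            node_ok = (id_node.upper() == local_node.upper() if p_node is None
                       else wildcard_to_regex(p_node).match(id_node) is not None)
            hit = (p_kind == id_kind and node_ok
                   and wildcard_to_regex(p_principal).match(id_principal) is not None)
        if hit and negate:
            return False          # an exclusion wins over any grant
        granted = granted or hit
        negate = False
    return granted


if __name__ == "__main__":
    check_spool = r'\N1*.255,* ALIAS:"\N1*.Super-*"'     # ACL of the CHECK-SPOOL entry
    for who in (r"\N12.255,255", r"\N2.255,255", r'ALIAS:"\N1.Super-1"'):
        print(who, acl_matches(check_spool, who))
```

One consequence of the local-node assumption is worth checking against your own system before relying on it: under it, ACL \*.*.* NOT PROD.APPL (the MLRM example) excludes only the local PROD.APPL, while \N1.PROD.APPL would still be granted by \*.*.*. This page does not state whether XYGATEAC treats an unqualified userid in a NOT clause as local-only, so write the node explicitly when the exclusion must hold for every node.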
C4: Optional ACACL Command Entry Keywords

The following are optional ACACL Command Entry keywords for XAC:

ALIAS "" ""
ALIAS_ALL_PROCESSES
ALIAS_OSS_PROCESSES
ALIAS_XYGATEAC_PROCESSES { ON | OFF }
ALLOWCMD ""
ALLOW_CHECK_ALIASES
ALLOWDENY_ALL_PROCESSES
AUDIT_OUTPUT_COUNT
AUDITPROG
AUDITUSER
AUTHENTICATE_USER { ON | OFF }
BANNER_CONNECT
BANNER_FIRSTIO

FC#
FC?
FCPROMPT ""
FILE
FILE_SECURITY { PAID | CAID | XXXX }
HIGHPIN
IGNOREBREAKUNTILPROMPT
IGNORECONNECT
INPUT ""
JOBID
LOWPIN
MAP_B_FKEY
MAP_C_FKEY
MAP_FKEY_ALL_PROCESSES
MONITOR
MONITORAUDIT
MULTIPLECOMMANDSEP
NOASSIGNS
NOAUDIT
NOBREAK
NOCOMMANDAUDIT
NOCOMMANDESCAPE
NOCOPYRIGHT
NULLNULLNOCMDESC
NULLNULLSTOP
OBEY
OBORUNCHECK
OPENSBYOBJ

PASSTHRU_ABEND { ON | OFF }
PASSWORDTIMEOUT
PERCENT { ON | OFF }
PORT
PRI
PROMPT "[,,...]"
QUIET
RESTART
REXP_ALLOWDENY
RUN_UNTIL_CLOSED
RUNCHECK
SHUTDOWN_MESSAGES { ON | OFF }
SISO
STARTUP ""
START_LOGGED_OFF
START_LOGGED_ON
STOPIFAUDITERROR
STOPONERROR [,,...
C5: ALIAS

This keyword is used to convert a command input by a user or an input file ("from") to a different command ("to"). This allows the XYGATEAC manager to define abbreviations for a subsystem or to change a subsystem's internal OBEY command to XAC's internal OBEY command.

C6: ALIAS_ALL_PROCESSES

This keyword extends the ALIAS checking to any process that communicates with XAC, not just the initial OBJECT program the XYGATEAC process was configured to start. For instance, if the initially executed ACACL Command Entry contained ALIAS "OBEY" ">OBEY" and the initial OBJECT was SCF, then the SCF OBEY would be mapped to XAC's internal OBEY command.

C8: ALIAS_XYGATEAC_PROCESSES

Setting ALIAS_XYGATEAC_PROCESSES to OFF prevents an XYGATEAC process from extending ALIAS processing to any process whose object program file is in the XYGATEAC-installed subvolume.

Syntax: ALIAS_XYGATEAC_PROCESSES {ON|OFF}

ON   The user input string will always be converted to the defined alias string.

In Example 2 below, the user input does not get converted to the ALIAS text string because the object is in the XAC-installed subvolume.

Example 2: Object in XAC-installed subvolume (ALIAS_XYGATEAC_PROCESSES OFF)
COMMAND XYGATE-ALIAS
USER XYPRO.IK
OBJECT $VIK.XYGATEAC.XYGATEAC ! Object in XAC volume
ACL $EVERYONE
OPENSBYOBJECTS \*.$*.*.*
START_LOGGED_ON
ALIAS "F1" "#OUTPUT /COLUMN 10/ XYGATE-ALIAS; OBJ:$VIK.XYGATEAC.

C9: ALLOWCMD

This keyword allows an XAC-controlled OBJECT program to be limited to a subset of user commands by specifying the commands that are permitted. ALLOWCMD also controls XAC internal commands (such as CONFIG) as well as the object program commands.

C10: ALLOW_CHECK_ALIASES

The keyword ALLOW_CHECK_ALIASES changes the order in which ALLOWCMD/DENYCMD and command ALIAS entries are evaluated. Without this keyword, XAC behaves as it always has: ALIAS entries are evaluated before ALLOWCMD/DENYCMD evaluation, because it is assumed that the security administrator has set up the command ALIAS entries specifically for the environment.
C12: AUDIT_OUTPUT_COUNT

This keyword defines the number of output lines that should be written, after each command is processed, to the audit logs configured to receive DETAIL audits.

Syntax: AUDIT_OUTPUT_COUNT <number-of-lines>

The Example below will log up to 14 lines of output after each command to any audit file configured for DETAIL audits.

Example:
COMMAND NIGHTLY-BALANCE
DESCRIPTION "Generate balance, record balance, date info"
USER PROD.

C14: AUDITUSER

This keyword is followed by the list of users whose commands will be audited, assuming at least one audit file has been specified in the ACCONF file with the DETAIL sub-keyword, and the NOCOMMANDAUDIT keyword has not been specified in the ACACL file. If the AUDITUSER keyword is omitted, all users will be audited.

Syntax: AUDITUSER <userid-list>

Example:
COMMAND SPOOLCOM-255
DESCRIPTION "SPOOLCOM as SUPER.

C15: AUTHENTICATE_USER

This keyword causes XAC to prompt for the userid and password and perform the user authentication. It is designed to be used with programs that do not prompt for userid and password before executing, such as PATHCOM, or with OSS audited XAC sessions.

Syntax: AUTHENTICATE_USER { ON | OFF }

Example:
COMMAND SECURE-OSS-AUDITED-SHELL
USER GROUP,USER
OBJECT $SYSTEM.XYGATEAC.XYGATEOA
ACL $EVERYONE
OPENSBYOBJECTS \*.$*.*.

C16: BANNER_CONNECT

This keyword displays a custom banner immediately upon a modem connect. This keyword and the BANNER_FIRSTIO keyword are mutually exclusive. The banner to display must be placed in an edit file that can be opened Read-only by the userid that runs the XYGATEAC object file.

Syntax: BANNER_CONNECT <banner-file>

The Example below shows the banner displayed before the first TACL prompt is written.

C17: BANNER_FIRSTIO

This keyword displays a custom banner before the OBJECT program's first I/O. The banner to display must be placed in an edit file that can be opened Read-only by the userid that runs the XYGATEAC object file. This keyword and the BANNER_CONNECT keyword are mutually exclusive.

Syntax: BANNER_FIRSTIO <banner-file>

The Example below shows the banner prepended to the first prompt written to the terminal.

C18: BLANKPASSWORD

This keyword causes all OBJECT program input to be scanned for the word PASSWORD. If PASSWORD is found, the first word (or token) following it is replaced by the number (#) symbol when written to any audit trail.

Example:
COMMAND SAFECOM
DESCRIPTION "Safecom as SECURITY.ADMIN"
USER 100,255
OBJECT $SYSTEM.SYSNN.
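The DETAIL-audit keywords above interact: AUDITUSER (C14) decides whether a user's commands are written at all, NOCOMMANDAUDIT (C53) switches DETAIL audits off for the entry, AUDIT_OUTPUT_COUNT (C12) bounds the output captured after each command, and BLANKPASSWORD (C18) redacts the token after PASSWORD. The following Python module is an added example, not XYGATE code and not the format of XYGATEAC's audit records (the record layout here is invented for illustration). It applies those four rules to a constructed SAFECOM-style session run through an entry like the SAFECOM entry above. Two simplifications are assumptions: AUDITUSER entries are compared literally rather than with the ACL wildcards, and AUDIT_OUTPUT_COUNT defaults to 0 when absent.

```python
"""Build DETAIL audit records for an XAC session following C12
(AUDIT_OUTPUT_COUNT), C14 (AUDITUSER), C18 (BLANKPASSWORD) and C53
(NOCOMMANDAUDIT). Added example, not XYGATE code. Assumptions: the audit
record layout is invented here; AUDITUSER entries are compared literally
(no wildcards); AUDIT_OUTPUT_COUNT defaults to 0 when absent.
"""
import re

# A token is the word PASSWORD, possibly wrapped in punctuation such as "PASSWORD,".
_PASSWORD_TOKEN = re.compile(r"^[^A-Z0-9]*PASSWORD[^A-Z0-9]*$", re.IGNORECASE)


def blank_password(command):
    """C18: replace the first token after each PASSWORD token with '#'."""
    parts = re.split(r"(\s+)", command)        # keep the original spacing
    i = 0
    while i < len(parts):
        if _PASSWORD_TOKEN.match(parts[i]):
            j = i + 2                           # skip the whitespace separator
            if j < len(parts) and parts[j]:
                parts[j] = "#"
            i = j
        i += 1
    return "".join(parts)


def detail_audit_records(entry, user, session):
    """entry: ACACL keywords as a dict (True for bare flags). session: list of
    (command, output_lines). Returns the DETAIL audit lines to write."""
    if entry.get("NOCOMMANDAUDIT"):
        return []
    audited = entry.get("AUDITUSER")            # None: every user is audited (C14)
    if audited is not None and user.upper() not in {u.upper() for u in audited}:
        return []
    keep = int(entry.get("AUDIT_OUTPUT_COUNT", 0))
    records = []
    for command, output in session:
        text = blank_password(command) if entry.get("BLANKPASSWORD") else command
        records.append("%s CMD %s" % (user, text))
        records.extend("%s OUT %s" % (user, line) for line in output[:keep])
    return records


# Constructed sample: a SAFECOM-style session under an entry like C18's SAFECOM.
SAFECOM_ENTRY = {
    "BLANKPASSWORD": True,
    "AUDIT_OUTPUT_COUNT": 2,
    "AUDITUSER": ["SECURITY.ADMIN", "SUPER.SUPER"],
}
SAMPLE_SESSION = [
    ("ALTER USER TECH.RALPH, PASSWORD Hunter2", ["USER TECH.RALPH ALTERED", "", "="]),
    ("INFO USER TECH.RALPH", ["GROUP.USER   USER-ID", "TECH.RALPH   70,5", "=", "done"]),
]

if __name__ == "__main__":
    for rec in detail_audit_records(SAFECOM_ENTRY, "SECURITY.ADMIN", SAMPLE_SESSION):
        print(rec)
```

The redaction rule is deliberately narrow: only the single token after PASSWORD is blanked, so a password containing spaces, or one typed in answer to a separate prompt rather than on the command line, would reach the audit trail unchanged. Keep that in mind when deciding which audit files are readable by whom.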
C20: BREAK_DISABLE_RETURN

This keyword enables users to return to the previous process, created by XYGATEAC, that is an ancestor of the BREAK-disabled process.

Syntax: BREAK_DISABLE_RETURN {ON|OFF}

ON    If BREAK is disabled by an underlying process, control is returned to the previous process.
OFF   If BREAK is disabled by an underlying process, it remains disabled.

INPUT "#PROCESSINFO /PROCESSID, PROGRAMFILE/"
INPUT "#XPPD [#PROCESSINFO /PROCESSID/]"
INPUT "FUP /NAME $QA452/"
DONOTSTOP $*.*.PATHTCP2
BREAK_DISABLE_RETURN ON

Example 1: Back to outer TACL ($X37Q) from BREAK-disabled process ($QA451)
$VIK IK 18> #PROCESSINFO /PROCESSID, PROGRAMFILE /
#PROCESSINFO /PROCESSID, PROGRAMFILE / expanded to:
$X37Q $SYSTEM.SYS45.TACL
$VIK IK 19> == $X37Q is the outer TACL
$VIK IK 20>
$VIK IK 20> XAC575.

Example 2: Back to inner TACL ($X382) from non-BREAK-disabled process ($QA452)
$VIK IK 28> #PROCESSINFO /PROCESSID, PROGRAMFILE /
#PROCESSINFO /PROCESSID, PROGRAMFILE/ expanded to:
$X37Q $SYSTEM.SYS45.TACL
$VIK IK 29> xac575.xygateac br-ret-on-2
$VIK IK 1> #PROCESSINFO /PROCESSID, PROGRAMFILE/
XYGATEAC 5.75 XYPRO \N1 20991231 (see <

C21: CHANGEUSER_FROM and CHANGEUSER_TO

The CHANGEUSER_FROM and CHANGEUSER_TO keyword pair is used to specify a list of users that can switch from the source userid to the destination userid without specifying a password for the destination userid. This operation is enabled by using the VULIB library, which is supplied with XAC. The VULIB is attached to a copy of the object code program, usually TACL, using the XAC macro XAC_LIB_INSTALL.

The VULIB library essentially extends the NonStop Kernel privilege of a *.255 (group manager) userid, which can log on to another userid within its group without a password, to any XAC-authorized userid. The feature is more powerful with XAC, however, because what the authorized userid gets is access to the destination userid(s) with a full audit trail (if configured).

4. You log on as SUPER.SUPER without using a password.
5. You finish your work as SUPER.SUPER and log back in to TECH.RALPH.
6. You log on as SUPER.SUPER again and then log on as SUPER.OPER, which is permitted because SUPER.OPER and SUPER.SUPER are both on the same CHANGEUSER_TO line.
7. You execute a logoff, terminating the TACL.
C22: CHECKCONNECTION

This keyword ensures modem cleanup by checking periodically for a disconnect (modem hangup, Telnet disconnect, or Multilan disconnect), but only when no other I/O from another process running through XAC is pending to the device. Using this keyword prevents a PAUSED TACL from staying connected and logged on after a disconnect occurs.

C23: CMONIGNORECPU

This keyword tells XAC to ignore the CPU selected by $CMON and to use the CPU in which the XYGATEAC process is running.

Example:
COMMAND TACL-255
DESCRIPTION "TACL as SUPER.SUPER"
USER 255,255
OBJECT $SYSTEM.SYSNN.TACL
ACL TECH.*
START_LOGGED_ON
NULLNULLSTOP
TRACKUSERID
OPENSBYOBJECTS $*.*.

The above example would keep the "License" command from being executed by anyone using the FUP-SUPER ACACL Command Entry.

Example:
COMMAND SCF-DEV
DESCRIPTION "SCF that doesn't allow you to touch production lines"
USER 255,255
OBJECT $SYSTEM.SYSNN.SCF
ACL $DEV
FC#
FCPROMPT "> "
OPENSBYOBJECTS $SYSTEM.SYS*.SCF*
REXP_ALLOWDENY
DENYCMD ".*\$ATL[A-Z0-9]{1,3}.*"
DENYCMD ".*\$ATM[A-Z0-9]{1,3}.*"
ALLOWCMD ".

C26: DISCONNECT_ALL_PROCESSES

This keyword causes XAC to process a modem disconnect request received from any process started during a session. Without this keyword, XAC only processes modem disconnect requests received from the program named as the OBJECT in the ACACL entry.

Example: ACACL Entry
COMMAND STATIC-PATHWAY
DESCRIPTION "STATIC Pathway Service"
USER GROUP,USER
OBJECT $SYSTEM.SYSTEM.

C27: DONOTSTOP

This keyword allows the specification of object files that are exempt from being stopped by XAC when the STOPONERROR keyword is specified and the error occurs, or when a logoff occurs. A list of wildcarded object files may be specified, separated by spaces.

Syntax: DONOTSTOP <object-file> [<object-file> ...]

C29: ECHOINPUT

This keyword echoes the input sent to a program to the output file. It is useful for batch XAC commands where you want the complete input file on the output record.

Example:
COMMAND BIG-BATCH-FILE
DESCRIPTION "EXECUTES EVENING BATCH RUN"
USER APP.OWNER
OBJECT $SYSTEM.SYSNN.TACL
ACL $OPERS
ECHOINPUT
INPUT "XAC_RUN_MACRO $WORK.OPER.STRTBTCH %1 %2 %3"
INPUT "XAC_RUN_MACRO $WORK.OPER.

C31: EXECUTEHANGUP

This keyword passes a modem hangup request from the OBJECT program on to the terminal. This allows an audited TACL to be used on modem ports and to hang up after logoff. Without this keyword, modem hangup requests are ignored.

Example:
COMMAND DIALUP-TACL
DESCRIPTION "TACL FOR DIAL ACCESS"
USER GROUP,USER
OBJECT $SYSTEM.SYSNN.TACL
ACL TECH.*
START_LOGGED_OFF
RESTART
TRACKUSERID
BANNER_CONNECT $SYSTEM.XYGATEAC.
C33: FC#

This keyword implements a Fix Command capability with history for the OBJECT program. The FC# keyword displays the current command number with each prompt and permits the FC commands ?, ! and FC to be specified with either a numeric argument or a context "begins with" comparison. The FCPROMPT keyword should be used with FC# for proper operation.

C34: FC?

This keyword implements a Fix Command capability with history for the OBJECT program. The FC? keyword displays the current command number with each prompt and permits content limitations on FC queries. The FCPROMPT keyword should be used with FC? for proper operation.

Example:
COMMAND FUP
USER GROUP,USER
OBJECT $SYSTEM.SYSNN.FUP
ACL *,*
FCPROMPT "-"
FC?

This XAC ACACL Command Entry starts FUP as the current user.

C35: FCPROMPT

This keyword tells the XYGATEAC process what character or characters constitute a prompt from the OBJECT program at which the FC command can be entered, such as PATHCOM's prompt of "=". FCPROMPT does not affect prompting itself; it only indicates to XAC the fixed character(s) found at the end of the OBJECT program's prompt so that XAC can properly recognize prompts.

C36: FILE

This keyword names a file to be used as "batch" input to the running OBJECT program; one line of input at a time is retrieved from the file and passed to the OBJECT program. It also causes PERCENT ON (token replacement) to be set. FILE and OBEY cannot be used at the same time. The OBEY keyword should be used if you want the input to appear as if it were coming from a terminal.

C37: FILE_SECURITY

The FILE_SECURITY keyword is used to set the default file security for files created during the XYGATEAC session. There are three options available: PAID, CAID and a specific security vector represented as XXXX.

Syntax: FILE_SECURITY { PAID | CAID | XXXX }

The PAID option sets the file creation security to the OBJECT program userid's security.

C38: HIGHPIN

The XYPRO keyword HIGHPIN specifies that the XYGATEAC process should start the object file named in this ACACL Command Entry as an HP NonStop HIGHPIN process; that is, with a Process Identifier Number (PIN) greater than 255.

Note: There is no method available for XAC to determine whether or not an object file can execute as a NonStop HIGHPIN process.

C39: IGNOREBREAKUNTILPROMPT

This keyword, when added to an ACACL Command Entry that runs TACL, ensures that the Pause/Break key cannot interrupt the execution of TACLCSTM. Instead, control is returned to the process from which the XAC ACACL Command Entry was executed.

Example:
COMMAND START-SYSWAY
USER 255,255
OBJECT $SYSTEM.SYSNN.

C41: INPUT

This keyword defines the initial commands to send to the OBJECT program, removing the need to create small obey files. Up to 20 INPUT entries can be specified for a single ACACL Command Entry. These entries are sent to the OBJECT program in the order defined. The user may be left interacting with the invoked program or, as in the example below, the input may terminate the program. The 20 INPUT entries can contain up to 1,000 characters.

C42: JOBID

This keyword, used with the OBEY or FILE options, causes a NetBatch JOBID to be assigned to the programs started via the execution of the OBEY or FILE.

Example:
COMMAND AM-START
USER PROD.OWNER
OBJECT $SYSTEM.SYSNN.TACL
ACL OPER.* ALIAS:"Oper-*"
FILE $WORK.OPER.AMSTART
OPENSBYOBJECTS $*.*.
C44: MAP_B_FKEY

This keyword causes XAC to map the original function key to the specified new function key. The program being executed using XAC receives the new function key as input. The new function key is logged as the command. This keyword applies only to BLOCK MODE programs. In BLOCK MODE, the following function keys may be used: [S]F1, [S]F2, [S]F3, ...

C45: MAP_C_FKEY

This keyword causes XAC to map the original function key to the specified new function key. The program being executed under XAC's control receives the new function key as input. The new function key is logged as the command. This keyword applies only to CONVERSATIONAL MODE programs. In CONVERSATIONAL MODE, the following function keys may be used: [S]F1, [S]F2, [S]F3, ...

C46: MAP_FKEY_ALL_PROCESSES

This keyword causes the function key mapping to be extended to all processes started by the program executed by the XAC ACACL Command Entry. Without this keyword, function key mapping applies only to the program directly executed by the XAC ACACL entry. This is especially useful when there are function key restrictions to be placed on VS.

C47: MONITOR

This keyword can be used to produce a comprehensive debugging dump of all interactions between the XYGATEAC process and the programs run under its control. The output file for the monitor dump is controlled by the MONITOR entry in the ACCONF file or by the define =XAC-MONITOR-FILENAME. When the RESTART keyword is specified, the MONITOR file is closed and reopened during a RESTART occurrence.

Note: The define =XAC-MONITOR-FILENAME, CLASS MAP, FILE overrides both the MONITOR keyword in the ACCONF that specifies where the monitor dump should be written and the presence or absence of the MONITOR keyword in the ACACL, causing a monitor dump regardless of the states of the other keywords.

C49: MULTIPLECOMMANDSEP

This keyword specifies to XAC the character used by the OBJECT program to separate multiple commands on a single line. MULTIPLECOMMANDSEP <separator-character> (no quotation marks) allows command scanning to work correctly for those utility programs that allow multiple commands per line. This keyword should be used with the FC, FC#, FC?, ALIAS, ALLOWCMD, and DENYCMD keywords.

C51: NOAUDIT

This keyword suppresses XAC INVOKE auditing (as opposed to DETAIL auditing); it causes the invocation of an XAC ACACL Command Entry not to be logged. This can be used for "inquiry-only" commands where use of such ACACL Command Entries is frequent and trivial. Invocation auditing is assumed ON unless NOAUDIT is specified to turn it OFF.

C53: NOCOMMANDAUDIT

This keyword suppresses DETAIL audits (as opposed to INVOKE audits) of all interactive commands entered, including commands from input files. This can be used if the XAC ACACL Command Entry has user interaction that does not require auditing, such as inquiry-only commands, or a command which executes a secured input stream via INPUT, FILE or OBEY. User command auditing is assumed unless NOCOMMANDAUDIT is specified.

C55: NOCOPYRIGHT

The keyword NOCOPYRIGHT suppresses display of the XAC copyright message when execution begins. The main uses for this keyword are to prevent the banner from affecting TACL macros that use the output from XAC commands, and to minimize the information available on a dialup port to someone who does not have a valid logon. The XAC software is still copyrighted nonetheless.

C57: NULLNULLSTOP

This keyword causes the XYGATEAC process to stop the OBJECT program when the NonStop Kernel userid for the process goes to 0,0. This is used when a TACL is executed by XAC in interactive mode.

C58: OBEY

This keyword names a file to be used as input to the OBJECT program and switches to the userid of the OBJECT program before trying to open it. XYGATEAC reads the file a line at a time and sends each line to the program named in OBJECT just as if a person were typing it. PERCENT OFF is assumed. OBEY and FILE are mutually exclusive.
C60: OPENSBYOBJECTS

This keyword controls what object files XAC will allow to be opened in addition to the OBJECT program. Filenames can be up to 40 characters in length, including node specifications; wildcards are permitted. Up to 100 OPENSBYOBJECTS per ACACL Command Entry are allowed, with a maximum of 800 for all ACACL Command Entries. If OPENSBYOBJECTS is not specified, then no objects can be opened; that is, no programs can be run.

C61: OPENSBYUSERID

This keyword allows XAC to start any new process running as the invoker's userid without being subject to the limitations imposed by OPENSBYOBJECTS. Hence, the user is allowed to use the >Run command to run any object as his/her own userid. This does not represent a security lapse because the objects are run under the user's own logon.

Example:
COMMAND EDIT-255
DESCRIPTION "SUPER.

C63: PASSONTIMEOUT

The PASSONTIMEOUT keyword in the ACACL Command Entry overrides the value of the PASSONTIMEOUT keyword in the ACCONF file. When this keyword is OFF, a timeout stops the executing process but does not cause any other process started prior to the XYGATE XAC session to stop.

C65: PASSWORDTIMEOUT

This keyword causes the XYGATEAC process to prompt the user for the password of the XAC session's originating NonStop Kernel userid or alias when activity occurs after the specified timeout period. After the correct password is entered, execution resumes. The normal program termination TIMEOUT still applies and can occur even at the password prompt.

C66: PERCENT

This keyword gives XAC the ability to use tokens from the invocation command line. The default is ON for ACACL Command Entries with a FILE specification and OFF for an OBEY or interactive specification.

Syntax: PERCENT { ON | OFF }

In the Example below, a user executing XAC STOPDISK $DATA1 would accomplish the same thing as someone logged on as 255,253 typing SCF STOP DISK $DATA1.
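The token substitution that PERCENT enables for INPUT (C41) and STARTUP strings can be reproduced outside XAC to see exactly what the OBJECT program will receive. The Python module below is an added example and not XYGATE code; Appendix F, which this page only references, is the authoritative description of the percent parameters. It assumes that %1 through %9 name the positional tokens typed after the command name, that %* expands to all of them, that a %n with no corresponding token expands to nothing, and that the invocation has the form "XAC <command> <tokens...>". The STOPDISK entry is constructed after the C66 example.

```python
"""Token replacement for INPUT and STARTUP strings as used in C41 and C66.

Added example, not XYGATE code (Appendix F, which this page only references,
is the authoritative description). Assumptions: %1..%9 name the positional
tokens typed after the command name, %* expands to all of them, a %n with no
corresponding token expands to nothing, and the invocation has the form
'XAC <command> <tokens...>'.
"""
import re

_TOKEN = re.compile(r"%(\*|[1-9])")


def percent_enabled(entry):
    """C66: default ON with a FILE specification, OFF for OBEY or interactive
    entries, unless PERCENT is given explicitly."""
    if "PERCENT" in entry:
        return entry["PERCENT"].upper() == "ON"
    return "FILE" in entry


def expand(line, args):
    """Replace %n and %* in one line with the invocation tokens."""
    def sub(match):
        tag = match.group(1)
        if tag == "*":
            return " ".join(args)
        n = int(tag)
        return args[n - 1] if n <= len(args) else ""   # assumption: missing -> empty
    return _TOKEN.sub(sub, line)


def resolve_inputs(entry, invocation):
    """Return the INPUT lines that will be fed to the OBJECT program for an
    invocation such as 'XAC STOPDISK $DATA1'."""
    args = invocation.split()[2:]            # drop 'XAC' and the command name
    lines = entry.get("INPUT", [])
    if not percent_enabled(entry):
        return list(lines)                   # tokens stay literal
    return [expand(line, args) for line in lines]


# Constructed entry in the style of the C66 example.
STOPDISK = {"USER": "255,253", "OBJECT": "$SYSTEM.SYSNN.SCF",
            "PERCENT": "ON", "INPUT": ["STOP DISK %1", "EXIT"]}

if __name__ == "__main__":
    print(resolve_inputs(STOPDISK, "XAC STOPDISK $DATA1"))
    print(resolve_inputs(STOPDISK, "XAC STOPDISK $DATA1 $SYSTEM"))   # %1 takes only the first token
    print(expand("STOP DISK %*", ["$DATA1;", "STOP", "DISK", "$SYSTEM"]))
```

The last call shows the difference that matters for an entry whose USER is privileged: %1 takes exactly one token, while %* hands every token through verbatim, so a caller can extend the command with anything the OBJECT program will parse (here a second SCF command after the ";"). Prefer numbered tokens over %* in such entries, and check what the expanded line looks like before trusting it.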
C67: PORT

The PORT keyword can be used to limit the range of devices that can use a specific ACACL Command Entry. For example, if the Himalaya system is on the Internet to permit specific customers to access the system, the ACACL Command Entry can be limited to only users from the incoming IP address.

C68: PRI

This keyword defines the priority at which the program named in the OBJECT keyword will execute. The priority value must be between 1 and 199. If the PRI keyword is not included in the ACACL Command Entry, the keyword CMONIGNORECPU is not set and $CMON is present on the system, the program will start at the priority returned by $CMON.

C69: PROMPT

This keyword defines a configurable prompt for the running OBJECT program. Up to 10 tokens may be specified inside the double quotation marks. This string of tokens is prepended to the normal prompt generated by the object file. Any token can be a string enclosed in single quotation marks, no longer than 19 characters, or a pre-defined token from the list below.

$SYSTEM.SECURITY 142> XAC PROMPT-TEST
XYGATEAC 5.60 (c) 1990-2010 XYPRO Xypro Technology \XY1 20001231
PERIPHERAL UTILITY PROGRAM - T6539D23 - (29APR94)
SYSTEM \XY1
...
PROMPT-TEST User=222,222 System=\XYPRO FC#=1 #

A different and perhaps more typical example is:

Example:
COMMAND EDIT
DESCRIPTION "CONVENIENT EDIT"
OBJECT $SYSTEM.SYSTEM.EDIT
USER GROUP,USER
OPENSBYOBJECTS \*.$*.*.*
ACL *.

C71: RESTART

This keyword is used for an OBJECT program that must be restarted whenever it stops. RESTART closes the IN, OUT, HOMETERM and all audit files before restarting to ensure a clean session. If the object program is a TACL which has BREAK ownership, then after the RESTART the new TACL will also have BREAK ownership.

C72: REXP_ALLOWDENY

This keyword permits the use of regular expressions in ALLOWCMD and DENYCMD arguments. Without this keyword, the arguments to ALLOWCMD and DENYCMD must conform to "begins with" rules. Note that in a regular expression an unescaped $ is an end-of-line anchor, so a $ that is part of a NonStop device or file name must be written as \$, as in the SCF-DEV DENYCMD example earlier in this appendix.

Example:
COMMAND SCF-DEV-LINES
DESCRIPTION "SCF COMMAND TO MANAGE DEV. ATMS"
USER SUPER.COMLINES
OBJECT $SYSTEM.SYSTEM.SCF
ACL $DEVEL
OPENSBYOBJECTS \*.$*.*.*
REXP_ALLOWDENY
ALLOWCMD "ABORT.*\$DEV[0-9]{1,2}"
ALLOWCMD "STATUS.
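How ALLOWCMD/DENYCMD (C9), MULTIPLECOMMANDSEP (C49) and REXP_ALLOWDENY (C72) combine is easiest to see by running candidate commands through a model of the rules. The Python module below is an added example and not XYGATE code; it encodes the SCF-DEV DENYCMD example from this appendix and a "begins with" FUP policy. Its assumptions are spelled out in the docstring: a DENYCMD match wins over any ALLOWCMD match (the SCF-DEV example, two DENYCMDs followed by a broad ALLOWCMD, only makes sense that way), matching is case-insensitive, a regular expression must match the whole sub-command (which is why the manual's patterns begin and end with .*), an entry with no ALLOWCMD at all permits whatever is not denied, and FUP accepts ";" as a command separator. The module also shows what an unescaped $ does to a pattern.

```python
"""ALLOWCMD / DENYCMD evaluation as described in C9, C49 (MULTIPLECOMMANDSEP)
and C72 (REXP_ALLOWDENY), using the SCF-DEV DENYCMD example from this appendix.

Added example, not XYGATE code. Assumptions: a DENYCMD match wins over any
ALLOWCMD match; matching is case-insensitive; with REXP_ALLOWDENY a pattern
must match the whole sub-command; an entry with no ALLOWCMD permits anything
that is not denied; FUP accepts ';' as a command separator.
"""
import re


class CommandPolicy:
    """ALLOWCMD/DENYCMD lists for one ACACL Command Entry."""

    def __init__(self, allow=(), deny=(), rexp=False, sep=None):
        self.allow = list(allow)      # ALLOWCMD arguments
        self.deny = list(deny)        # DENYCMD arguments
        self.rexp = rexp              # REXP_ALLOWDENY present?
        self.sep = sep                # MULTIPLECOMMANDSEP character, if any

    def _hit(self, pattern, command):
        if self.rexp:
            return re.fullmatch(pattern, command, re.IGNORECASE) is not None
        return command.upper().startswith(pattern.upper())   # "begins with" rule

    def _one(self, command):
        if any(self._hit(p, command) for p in self.deny):
            return False
        if not self.allow:
            return True
        return any(self._hit(p, command) for p in self.allow)

    def decide(self, line):
        """Return (allowed, sub_commands). Every sub-command must pass."""
        pieces = line.split(self.sep) if self.sep else [line]
        pieces = [p.strip() for p in pieces if p.strip()]
        return all(self._one(p) for p in pieces), pieces


# The SCF-DEV entry from this appendix: production $ATL*/$ATM* lines are off limits.
SCF_DEV = CommandPolicy(
    deny=[r".*\$ATL[A-Z0-9]{1,3}.*", r".*\$ATM[A-Z0-9]{1,3}.*"],
    allow=[".*"], rexp=True, sep=";")

# A "begins with" policy for FUP, first without and then with MULTIPLECOMMANDSEP.
FUP_NO_SEP = CommandPolicy(deny=["LICENSE"])
FUP_WITH_SEP = CommandPolicy(deny=["LICENSE"], sep=";")

# Unescaped $ is an end anchor: this ALLOWCMD can never match a $DEV line.
BROKEN_ALLOW = CommandPolicy(allow=["ABORT.*$DEV[0-9]{1,2}"], rexp=True)
FIXED_ALLOW = CommandPolicy(allow=[r"ABORT.*\$DEV[0-9]{1,2}"], rexp=True)

if __name__ == "__main__":
    for policy, line in [(SCF_DEV, "STATUS LINE $DEV01"),
                         (SCF_DEV, "status line $dev01; abort line $atm5"),
                         (FUP_NO_SEP, "INFO $DATA.SRC.*; LICENSE $DATA.SRC.HACK"),
                         (FUP_WITH_SEP, "INFO $DATA.SRC.*; LICENSE $DATA.SRC.HACK"),
                         (BROKEN_ALLOW, "ABORT LINE $DEV01"),
                         (FIXED_ALLOW, "ABORT LINE $DEV01")]:
        print(policy.decide(line))
```

The two FUP cases are the reason C49 tells you to pair MULTIPLECOMMANDSEP with ALLOWCMD and DENYCMD: without the separator, a line that begins with INFO is accepted as a whole and the LICENSE after the ";" rides along; with it, each sub-command is judged on its own. The BROKEN_ALLOW case fails closed (nothing is allowed), which is the safer failure mode for an ALLOWCMD but would be an open hole in a DENYCMD written the same way.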
XYGATE® Access Control Reference Manual Appendix C: The ACACL File C74: RUNCHECK This keyword invokes a routine that prevents the execution of commands with a "/IN.../" file specified. This prevents a user from going around XAC’s inherent security by using a subsidiary RUN from within the program being executed.
C75: SHUTDOWN_MESSAGES
This keyword determines whether or not the extra messages that XYGATEAC receives after the OBJECT program and its subordinates have terminated are displayed. It overrides the value of this keyword in the ACCONF file.
C77: STARTUP
This keyword specifies the initial startup string for a process. Refer to Appendix F: "XAC Obey and Command File Use and Token Replacement" for percent parameters that may be included as part of the startup string. If no percent parameters are defined, this will override any user specified startup.
STOPONERROR 60,66,140,190,191
DONOTSTOP $*.*.PATHTCP2
AUDITPROG \*.$*.*.*
AUDIT_OUTPUT_COUNT 14
STARTUP "-xac -c /G/VIK/IK/RUNME"

Example: copy of RUNME
/G/VIK/IK: cat runme
ps
ls -al a*
pwd
whoami
/G/VIK/IK:

Example: Execute XAC command
$VIK IK 37> xac startup-oss
XYGATEAC 5.
C78: START_LOGGED_OFF
This keyword is used with TACL only. It causes the TACL started by the XYGATEAC process to be started logged off. It also allows XYGATEAC to respond to TACL DEVICEINFO calls with the true device type of the terminal which XYGATEAC has opened.
C79: START_LOGGED_ON
This keyword is used with TACL only and causes the TACL started by XAC to be started logged on to the userid specified in the USER entry for the ACACL Command Entry being executed. It also allows the XYGATEAC process to respond to TACL DEVICEINFO calls with the true device type of the terminal which XYGATEAC has opened. This keyword cannot be used with the START_LOGGED_OFF keyword.
C81: STOPONERROR
This keyword terminates all processes started by the XYGATEAC process when one of the specified I/O errors occurs. STOPONERROR can be used with dialup and TCP/IP ports. Specifying the list of common TCP/IP or dialup errors ensures that the session and all its components are stopped when one of those errors is returned.
C83: TACLPROCESS
TACLPROCESS is used to inform XAC that the object file should be treated as a TACL even though the object filename does not begin with "TACL".

Example:
COMMAND CMON-MESSAGES-TACL
DESCRIPTION "TACL WITH XYGATE CM LIBRARIES"
USER 255,253
OBJECT $SYSTEM.XYGATECM.
C84: TIMEOUT
This keyword specifies a timeout in seconds to apply to any program running under XAC control. TIMEOUT specifies the number of seconds that the OBJECT program can be idle (that is, without user input) at a prompt before it is stopped.

Syntax: TIMEOUT

Example:
COMMAND SCF-SUPEROPER
DESCRIPTION "SCF AS SUPER.OPER"
USER 255,253
OBJECT $SYSTEM.SYSNN.
C85: TRACKUSERID
This keyword specifies that when an interprocess message, such as a prompt, CONTROL, SETMODE, or write is received from the OBJECT program, the XYGATEAC process will switch its userid to that of the OBJECT program's process. This is to track the userid (CAID) of the object program (usually a TACL) so that commands such as <
C86: TRACKUSER_OBJECT
This keyword extends the functionality of TRACKUSERID to subordinate programs started within a session. The TRACKUSERID keyword tracks userid changes for the object specified in the ACACL entry. Unfortunately, when XAC is used to secure a dynamic TCP/IP Safeguard session, the program started is "LOGON," which terminates as soon as it starts the TACL.
C87: TRACKVOLUME
This keyword causes the XYGATEAC process to change its internal system, volume and subvolume (used for <
C88: UNNAMED
This keyword specifies that the OBJECT program is to be started as an unnamed process. By default, all processes started by XAC are named. If this causes a problem for some programs, the UNNAMED keyword can be used.

Example:
COMMAND SBB003A-UNNAMED
DESCRIPTION "START APP BATCH PROGRAM UNNAMED"
USER GROUP,USER
OBJECT $DATA5.BATCH.SBB003A
ACL $OPERATORS
OPENSBYOBJECTS $DATA*.DATA.
C90: USER_USES_CAID
This keyword can be used when a start-up flag is specified. USER_USES_CAID uses the CAID of the current XYGATE process instead of the authenticated userid; it can be used to resolve a USER argument written as GROUP,USER to the proper userid number.

Example:
COMMAND MGR-TACL
DESCRIPTION "RUN USERS PROGRAM"
USER GROUP.MGR
ACL \*.SECURITY.*
OBJECT $SYSTEM.SYSNN.
C91: USER_SWITCH
By default, when a process creates another process, the created process inherits the PAID and LOGONNAME of the creator. XYGATEAC, on the other hand, creates the process under the userid specified with the USER keyword, but whether that userid also becomes the LOGONNAME of the new process depends on the USER_SWITCH value. The USER_SWITCH keyword modifies the manner in which XYGATEAC changes userids.
• If you need the USER in an XAC command to be an alias, you must use SWITCH, LOGON, or SAFEGUARD_PRIVLOGON. If you choose SWITCH and enter an alias as the USER, then the command will actually run as the alias' underlying userid.
• If your site uses Safeguard FILE-SHARING GROUPS, you must use LOGON, PRIVLOGON or SAFEGUARD_PRIVLOGON.
Example 1: XAC Command Entry where USER argument is an alias
COMMAND test
USER ALIAS:"super-super-alias"     ! underlying userid is 255,255
ACL $EVERYONE
OBJECT $SYSTEM.SYSNN.
2. LOGON
When USER_SWITCH is set to LOGON, file sharing groups are completely supported. PASSWORD-REQUIRED must be set to OFF in Safeguard. The USER keyword in the ACACL entry can be set to a userid or a Safeguard alias. If it is set to an alias, the COMMAND will actually run as the alias.
3. PRIVLOGON
When USER_SWITCH is set to PRIVLOGON, file sharing groups are supported for Guardian userids, but not Safeguard aliases. PASSWORD-REQUIRED does not have to be set to OFF. The USER keyword in the ACACL COMMAND can be set to a userid but not to a Safeguard alias.
Example 1: XAC Command Entry - USER argument is an alias
COMMAND test
USER ALIAS:"ROLE"     ! underlying userid is 223,24
ACL $EVERYONE
OBJECT $SYSTEM.SYSNN.
In order to use the SAFEGUARD_PRIVLOGON option, create a Safeguard DISKFILE Protection Record for the XYGATEAC object file and set attribute PRIV-LOGON to ON as shown below.

Example 5: The DISKFILE Protection Record for the XAC Object File
$SYSTEM.XYGATEAC
                 LAST-MODIFIED    OWNER      STATUS   WARNING-MODE
  XYGATEAC       10AUG08, 1:01    \*.253,1   THAWED   OFF
  \*.253,1 \*.
UAGROUP Example:
UAGROUP SAFEGUARD-PRIVLOGON
DESCRIPTION "Safeguard Privlogon feature"
FROM_USER $EVERYONE-NET
TO_USER $EVERYONE
REQUESTOR $SYSTEM.XYGATEAC.XYGATEAC
SAFEGUARD_PRIVLOGON ON
AUDIT_ACCESS_PASS OFF
AUDIT_ACCESS_FAIL ON

The default value of USER_SWITCH is SWITCH, which leaves the previous functionality of XYGATEAC unchanged. The value of this keyword can be overridden by the USER_SWITCH keyword in the ACACL Command entry.
C93: WRITEREAD_ALWAYS
This keyword forces XYGATEAC to use WRITEREAD and not to do the WRITEREAD-to-WRITE conversion.

Note: Prior to version 5.75, XAC converted a WRITEREAD to a WRITE with a zero read count. In some instances this caused a problem with the PCFILE program from CAIL.

Syntax: WRITEREAD_ALWAYS

Example:
COMMAND TACL-WRITEREAD
DESCRIPTION "Keystroke audited TACL"
USER GROUP,USER
ACL $EVERYONE
OBJECT $SYSTEM.SYSNN.
Appendix D: XAC Interactive Commands XAC has internal commands that may be invoked during a session by preceding the input with the string defined by the COMMANDESCAPE keyword in the ACCONF file. The following sections document these commands.
D1: <
D2: < xac fup-255 XYGATEAC 5.65 XYPRO \N1 20991231 (see <config XYGATEAC 5.
D3: <
D4: <][][] Example: 21 $SYSTEM.XYGATEAC 21> XAC FUP-255 XYGATEAC 5.
D5: < XAC FUP-255 XYGATEAC 5.
D6: <
D7: < Start logging to the file named <] Example: $SYSTEM.SECURITY 12> XAC FUP-255 XYGATEAC 5.
D8: < are executed as if they were entered by the invoking user.
Syntax: < -or- <
Note: can be any file that contains text to execute. >OBEY opens as the userid of the invoking user unless the keyword TRACKUSERID is specified.
D9: < Example: $SYSTEM.SECURITY 12> XAC SAFECOM-255 XYGATEAC 5.75 XYPRO \N1 20991231 (see <
D11: < and % inputs with their corresponding values. Refer to Appendix F: "XAC Obey and Command File Use and Token Replacement" for more information. Syntax: <
D13: <
D14: < XAC SAFECOM-ADMIN XYGATEAC 5.75 XYPRO \N1 20991231 (see <VERSION XYGATEAC 5.
D15: <][][] Example: $VIK XYGATEAC 16> XAC FUP-255 XYGATEAC 5.75 XYPRO \N1 20991231 (see <
AUD00003     3333  4096      31Jul2013 04:00  232,52  NUUU  E
AUD00004     3333  4096      31Jul2013 05:02  232,52  NUUU  E
AUD00005     3333  2490368   25Aug2013 16:31  232,52  NUUU  E
AUD00006     3333  4096      25Aug2013 17:00  232,52  NUUU  E
AUD00007     3333  495616    25Aug2013 17:12  232,52  NUUU  E
AUD00008     3333  638976    26Aug2013 23:46  232,52  NUUU  E
AUD00009     3333  4096      26Aug2013 23:50  232,52  NUUU  E
AUDIT     O  3333  135168              16:46  232,52  NUUU  E
(255,255)2- EXIT
D17: >XAC_AUDIT_OUTPUT
This command, unlike <XAC_AUDIT_OUTPUT

Example: Contents of file $SYSTEM.XYGATEQA.GTXACOUT
?TACL MACRO
#OUTPUT This will send the following two lines to the audit
#OUTPUT files, but not to the terminal.
D18: >XAC_CHANGE_VOLUME
This command can only be used within a macro, and the command must be entirely in uppercase or entirely in lowercase. It causes XAC's internal volume and subvolume to be changed to the specified values.
Appendix E: XAC Host Macros Several macros are supplied with the XAC software. These macros provide extra functionality or convenient methods of performing common tasks. Note: Throughout this manual, it is assumed that XAC is the name assigned to XYGATEAC at the time of installation. If your installation uses another name, the macro names will change to match the name at your installation. The XAC macros are stored in the XAC_SEG TACL segment that is attached when the user executes XAC INSTALL.
E3: SETVIIP
The SETVIIP macro sets a variable with the TCP/IP address that is needed for Visual Inspect. This macro should be loaded in any COMMAND that starts an interactive TACL that users might use to start Visual Inspect. Users who will be running Visual Inspect should add the SETVIIP macro to their TACLCSTM file by adding the following line:
Run $..SETVIIP
Where $.
E5: XAC
The XAC macro invokes a XYGATEAC session. It is also used to attach the XAC_SEG TACL segment that contains all the XYGATEAC macros.
Syntax: XAC {INSTALL | [ // ] [-N] [-A] }
XAC INSTALL attaches the XAC_SEG TACL segment to the user's TACL. If the user already has the XAC_SEG TACL segment installed, it has no other effect.
E6: XACHELP
The XACHELP macro displays help information about entries in the ACACL file.
Syntax: XACHELP []
XACHELP with no argument displays a list of all the ACACL Command Entries in the ACACL file. XACHELP with an ACACL Command Entry Name will display the entry for that command.
E7: XAC_ACCESS_MAP
XAC_ACCESS_MAP builds a file that cross-references users to the commands that the users can execute.
Syntax: XAC_ACCESS_MAP [ ! ]
Where: is the entry sequenced, csv file that contains the information. If the file does not exist, it will be created.
! If the optional exclamation point ( ! ) is specified, any existing file will be purged as the new one is created.
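The script below is an added example of the cross-reference XAC_ACCESS_MAP produces; it is not XYPRO's macro and does not read DBSO output. It parses an ACACL fragment written in the one-keyword-per-line form used by the examples in Appendix C, expands each entry's ACL against a constructed user list, and writes the user-to-command map as CSV. Assumptions the manual does not state: "!" begins a comment outside double quotes, an ACL argument is either a $group name or a GROUP.USER pattern with "*" wildcards (a leading "\system." is ignored), and ACLGROUP membership comes from the ACL_GROUPS table below standing in for the site's ACLGROUP definitions. An unknown $group is treated as an error rather than an empty set, because a typo in an ACL silently changes who may run a privileged command.

```python
import csv
import fnmatch
import io
import re

# Added example written for this page; not XYPRO's XAC_ACCESS_MAP macro.
# Assumptions (not in the manual): "!" starts a comment outside double quotes,
# an ACL argument is a $group or a GROUP.USER pattern with "*" wildcards, and
# ACL_GROUPS below stands in for the site's ACLGROUP definitions.

# Constructed ACACL fragment in the style of the manual's examples.
SAMPLE_ACACL = """\
COMMAND FUP-255
DESCRIPTION "FUP AS SUPER.SUPER"
USER 255,255
ACL $OPERATORS
OBJECT $SYSTEM.SYSTEM.FUP

COMMAND SCF-DEV-LINES
DESCRIPTION "SCF COMMAND TO MANAGE DEV. ATMS"
USER SUPER.COMLINES
OBJECT $SYSTEM.SYSTEM.SCF
ACL $DEVEL
REXP_ALLOWDENY
ALLOWCMD "STATUS.*\\$DEV[0-9]{1,2}"

COMMAND MGR-TACL
DESCRIPTION "RUN USERS PROGRAM"
USER GROUP.MGR                 ! runs as the invoking group's MGR user
ACL \\*.SECURITY.*
OBJECT $SYSTEM.SYSTEM.TACL
"""

# Constructed stand-ins for the site's user base and ACLGROUP definitions.
KNOWN_USERS = ["OPS.SHIFT1", "OPS.SHIFT2", "DEV.ALICE", "DEV.BOB",
               "SECURITY.MANAGER", "SECURITY.AUDITOR"]
ACL_GROUPS = {"$OPERATORS": ["OPS.*"],
              "$DEVEL": ["DEV.ALICE", "DEV.BOB"],
              "$EVERYONE": ["*.*"]}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def strip_comment(line):
    """Drop everything from the first '!' that is outside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "!" and not in_quotes:
            return line[:i]
    return line


def tokenize(line):
    """Split on whitespace, keeping a double-quoted string as one token."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(strip_comment(line))]


def parse_acacl(text):
    """One dict per COMMAND entry: {"COMMAND": name, KEYWORD: [args...], ...}.
    A keyword given on several lines (ALLOWCMD) accumulates its arguments."""
    entries, current = [], None
    for raw in text.splitlines():
        tokens = tokenize(raw)
        if not tokens:
            continue
        keyword, args = tokens[0].upper(), tokens[1:]
        if keyword == "COMMAND":
            current = {"COMMAND": args[0]}
            entries.append(current)
        elif current is None:
            raise ValueError(f"keyword {keyword} before any COMMAND")
        else:
            current.setdefault(keyword, []).extend(args)
    return entries


def user_matches(user, pattern):
    if pattern.startswith("\\"):               # \*.GROUP.USER -> GROUP.USER
        pattern = pattern.split(".", 1)[1]
    return fnmatch.fnmatchcase(user.upper(), pattern.upper())


def acl_members(acl_args, users=KNOWN_USERS, groups=ACL_GROUPS):
    """Expand ACL arguments to the set of users they admit; unknown $group is an error."""
    members = set()
    for item in acl_args:
        if item.startswith("$"):
            if item.upper() not in groups:
                raise ValueError(f"unknown ACL group {item}")
            patterns = groups[item.upper()]
        else:
            patterns = [item]
        for pat in patterns:
            members.update(u for u in users if user_matches(u, pat))
    return members


def build_access_map(text, users=KNOWN_USERS, groups=ACL_GROUPS):
    """Sorted rows of (user, command, runs-as, object), one per user/command pair."""
    rows = []
    for entry in parse_acacl(text):
        runs_as = " ".join(entry.get("USER", []))
        obj = " ".join(entry.get("OBJECT", []))
        for user in acl_members(entry.get("ACL", []), users, groups):
            rows.append((user, entry["COMMAND"], runs_as, obj))
    return sorted(rows)


def commands_for(rows, user):
    return [cmd for u, cmd, _, _ in rows if u == user]


def to_csv(rows):
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["user", "command", "runs_as", "object"])
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(build_access_map(SAMPLE_ACACL)))
```

Reviewing the generated map per user is a quicker way to spot an over-broad ACL (for example an $EVERYONE entry on a command that runs as 255,255) than reading the ACACL file entry by entry.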
E8: XAC_AUDIT_REPORT
XAC_AUDIT_REPORT is a single line, batch-oriented method of generating an audit report.
Report title: Title of the report (use %20 if you want a space in the title, for example Collection%20Report).
User input: Selection criteria that searches the XAC-C record for the specified text.
IP Address: Selection criteria for IP addresses to display, or * for all.
Custom Columns: Used only when SORTORDER is set to CUSTOM.
If desired, the TACL continuation character (&) can be used to split the command over several lines for legibility.
REPMAC Example: the copy of REPMAC
?tacl macro
#frame
[#push t_t1 t_t2 ]
XAC_datetime_make 1
== put date computed and time of 00:00 into t_t1
#set t_t1 [XAC_dt_year4]-[XAC_dt_month]-[XAC_dt_day] 00:00
XAC_datetime_make 1
== put date computed and end time of 23:59 into t_t2
#set t_t2 [XAC_dt_year4]-[XAC_dt_month]-[XAC_dt_day] 23:59
== invoke XAC_audit_report macro with computed date range for first four params.
The following is the output of the produced report.

XYPRO \N1 Failed_command
Date produced: 04-SEP-2013
Criteria: 2013-09-04 00:00 to 2013-09-04 23:59
Violations File: $VIK.XYLOGS.XAC
MM-DD-YYYY HH:MM  Grp Usr  Login name                        SeqNum
----------------  -------  --------------------------------  ------  -------------
Command=TACL-SUPER-1
09-04-2013 18:06  222,052  XYPRO.IK  Cmd: Session=001C6B91C7F5 Sys= Term= 1 10.1.1.
E9: XAC_COMMANDS
The XAC_COMMANDS macro displays the list of ACACL Command Entries available for a user. The owner of the XAC installation can specify the user for which commands are to be displayed; all other users get only their own list.
Syntax: XAC_COMMANDS [ | alias:""]
XAC_COMMANDS can be used with or without the argument.
Example 4 - Starting the macro using an alias as the argument:
$VDEL DENNIS 3> xac_commands alias:"dennis"
Checking commands for user dennis (alias) 232,043
CMD:AUDITED-TCPIP-TACL
CMD:BATCHCOM           BATCH WITH XYGATE/AC AUDITING
CMD:ETACL              Keystroke audited TACL
CMD:FUP                FUP as SUPER.
E10: XAC_DATETIME_MAKE
XAC_DATETIME_MAKE allows relative dates to be included when other macros, such as XAC_AUDIT_REPORT, are used. This macro will calculate dates to establish a range of dates in the past equal to the entered. The macro can be run on the command line or used in a TACL macro to create batch jobs.
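As an added illustration of what REPMAC (under E8) does with XAC_DATETIME_MAKE, the Python script below derives a day in the past, builds the "YYYY-MM-DD 00:00" and "YYYY-MM-DD 23:59" bounds that REPMAC hands to XAC_AUDIT_REPORT, and applies them to report lines. It is not XYPRO code and does not read the XAC audit file; the record tuples are constructed for the example and their layout is an assumption, not XAC's audit format. The point it makes explicit is the boundary: both bounds are inclusive at minute granularity, so a 23:59 event on the selected day is reported and a 00:00 event on the following day is not.

```python
from datetime import date, datetime, timedelta

# Added example for this page, not XYPRO code. Mirrors REPMAC's use of
# XAC_DATETIME_MAKE and applies the resulting bounds to constructed records;
# the record layout is an assumption, not XAC's audit file format.


def datetime_make(days_back, today=None):
    """(year4, month, day) strings for the day `days_back` days before `today`,
    the values REPMAC reads back as XAC_dt_year4, XAC_dt_month and XAC_dt_day."""
    today = today or date.today()
    d = today - timedelta(days=days_back)
    return f"{d.year:04d}", f"{d.month:02d}", f"{d.day:02d}"


def report_range(days_back, today=None):
    """Start and end strings for one whole day, as REPMAC builds them."""
    y, m, d = datetime_make(days_back, today)
    return f"{y}-{m}-{d} 00:00", f"{y}-{m}-{d} 23:59"


def in_range(stamp, start, end):
    """`stamp` is MM-DD-YYYY HH:MM as the report body prints it; `start` and
    `end` are YYYY-MM-DD HH:MM. Both bounds are inclusive."""
    t = datetime.strptime(stamp, "%m-%d-%Y %H:%M")
    return (datetime.strptime(start, "%Y-%m-%d %H:%M") <= t
            <= datetime.strptime(end, "%Y-%m-%d %H:%M"))


# Constructed records: (timestamp, grp,usr, login name, command, outcome).
SAMPLE_RECORDS = [
    ("09-03-2013 23:59", "222,052", "XYPRO.IK", "TACL-SUPER-1", "PASS"),
    ("09-04-2013 00:00", "222,052", "XYPRO.IK", "TACL-SUPER-1", "FAIL"),
    ("09-04-2013 18:06", "222,052", "XYPRO.IK", "TACL-SUPER-1", "FAIL"),
    ("09-04-2013 23:59", "232,052", "XYPRO.LAUREN", "FUP-255", "PASS"),
    ("09-05-2013 00:00", "232,052", "XYPRO.LAUREN", "FUP-255", "FAIL"),
]


def select(records, days_back, today=None, outcome=None):
    """Records that fall on the day `days_back` days ago, optionally with one outcome."""
    start, end = report_range(days_back, today)
    return [r for r in records
            if in_range(r[0], start, end) and (outcome is None or r[4] == outcome)]


def failures_by_command(records, days_back, today=None):
    """Count of FAIL records per command for that day, the kind of daily summary
    a batch job built around REPMAC would hand to an operator."""
    counts = {}
    for _, _, _, command, _ in select(records, days_back, today, "FAIL"):
        counts[command] = counts.get(command, 0) + 1
    return counts


if __name__ == "__main__":
    print(report_range(1))
    print(failures_by_command(SAMPLE_RECORDS, 1, today=date(2013, 9, 5)))
```

Like REPMAC, the range is computed from the current date at run time; the `today` argument exists so a batch job can be tested against a fixed day.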
E11: XAC_DSTATS
The XAC_DSTATS macro is the equivalent of running the DBSO program with the DSTATS command. A syntax check is performed, the overall counts for all the entries in the ACACL file are displayed, and finally each entry in the ACACL file is listed together with the size of the DBSO -> XAC message generated by that entry.
MY-TACL-222 MY-TACL-255 OSS-255 OSS-AUDITED-SHELL OSS-CHOWN-HOME OSS-SHELL OSS-SUPER-SHELL RUN-OBEY SAFECOM-255 SAFECOM-FOR-AUDIT-TEST SAFEGUARD-TACL SCF-255 SCF-RESTRICT SPASSCHK SPOOLCOM-255 SQLCI SQLCI-255 SQLCI-XOS STN-SSH SUPERTCL-TACL TACL-253 TACL-255 TACL-255-REASON TACL-3 TACL-ASYNCH TACL-DYNAMIC-IP TACL-HINSCH TACL-ITUG TACL-ITUG-DEMO TACL-OPMGR TACL-ROLE-SECMGR TACL-SAFEGUARD TACL-STATIC-IP TACL-SUPER-SERVICES TACL-XMA-OWNER TAC
E12: XAC_EDIT_ACL
The XAC_EDIT_ACL macro automates the recommended method of changing the ACACL file. First, the macro makes a duplicate of the current ACACL file. Then it presents the duplicate for editing. After all the editing changes are done, the duplicate is checked for syntax errors. If no errors are found, the security administrator can choose to rename the current ACACL and put the new one in its place.
This file edits the current XYGATE-USER-AUTHENTICATION list. It will create a file named $SYSTEM.XYGATEAC.NEWACACL from the current $SYSTEM.XYGATEAC.ACACL file.
These are your old $SYSTEM.XYGATEAC.ACACL files:
$SYSTEM.
Example 4:
$SYSTEM.XYGATEAC 8> XAC_EDIT_ACL
This file edits the current XYGATE-USER-AUTHENTICATION list. It will create a file named $SYSTEM.XYGATEAC.NEWACACL from the current $SYSTEM.XYGATEAC.ACACL file.
These are your old $SYSTEM.XYGATEAC.ACACL files:
$SYSTEM.
E13: XAC_INSTALL_LICENSE
The XAC_INSTALL_LICENSE macro moves the P06F001 license from a temporary location into the XAC subvolume. It also stops the DBSO process so the next time XAC is used, the DBSO will restart with the correct license. The old license is renamed rather than deleted so it can be recovered if necessary.
Example:
20> xac_install_license $dataa.work.
E14: XAC_LIB_INSTALL
XAC_LIB_INSTALL is used to attach the VULIB module supplied in the XAC distribution subvolume to an object file. The VULIB module is attached to the object file when the CHANGEUSER_FROM and CHANGEUSER_TO keywords are used with an ACACL Command Entry.
Syntax: XAC_LIB_INSTALL
Where can be:
1. Attach as a RunTime Library to the specified file.
2. Bind into the specified file.
3.
E15: XAC_LIB_UNINSTALL
XAC_LIB_UNINSTALL removes the VULIB module from the specified object file when the XYGATEAC CHANGEUSER_FROM or CHANGEUSER_TO feature is no longer desired.
Syntax: XAC_LIB_UNINSTALL
where is the name of a file that was previously built using XAC_LIB_INSTALL.
Example:
54> XAC_LIB_UNINSTALL $SYSTEM.SYS00.TACLCU
Restored $SYSTEM.SYS00.TACLCU from $SYSTEM.SYS00.
E16: XAC_NEXTGEN
The XAC_NEXTGEN macro shows the name the next audit file will receive when the current audit file is rolled over, either because it reaches its configured size or because the XAC_ROLL_AUDIT macro is run manually.
Syntax: XAC_NEXTGEN []
Where: is an audit filename that must be provided as input to this macro.
E17: XAC_REPORT
XAC_REPORT generates an audit report using the XAC audit file. The macro prompts for information to use in generating the report. Refer to Appendix 7.6, "Interactive XAC_REPORTs" on page 76 for more information.
02-01-2001 11:12 XYPRO.LAUREN Out: CODE
02-01-2001 11:12 XYPRO.LAUREN Out: $SYSTEM.XYGATE
02-01-2001 11:12 XYPRO.LAUREN Out: AUD00002 3333
02-01-2001 11:12 XYPRO.LAUREN Out: AUD00003 3333
02-01-2001 11:12 XYPRO.LAUREN Out: AUDIT O 3333
02-01-2001 11:12 XYPRO.
E19: XAC_RUN_MACRO
XAC_RUN_MACRO is used to execute macros from an ACACL Command Entry. This provides error recovery within the command execution; thus, a macro that encounters errors does not terminate execution and return to an unsecured TACL prompt running as a privileged Userid.
E20: XAC_STATS
The XAC_STATS macro performs RUN DBSO STATS, which performs a syntax check and then displays the overall statistics of the ACACL file. By default, the ACACL file on the volume and subvolume where XAC is installed is used, but another ACACL file can be specified.
Syntax: XAC_STATS []
Example:
15> XAC_STATS
XYGATEAC 5.
E22: XAC_SYNTAX_CHECK
XAC_SYNTAX_CHECK runs the DBSO program to perform a syntax check on the ACACL, ACCONF, and ACCONFCO files. If errors are found, the line number where the error occurred and a description of the error are displayed.
E23: XAC_VERSION
XAC_VERSION displays VPROC information for the DBSO, VULIB and XYGATEAC objects. This information may be requested by XYPRO Technical Support during support calls.
Example:
$VNEO1 XYGATEAC 62> xac_version
This is version 5.
$SYSTEM.XYGATEAC.XYGATEAC
Binder timestamp:   01AUG2013 22:59:16
Version procedure:  T1306V01_30SEP2013
Version procedure:  T9999D30^P06^XAC^575
Target CPU:         UNSPECIFIED
AXCEL timestamp:    08AUG2013 14:41:56
OCA timestamp:      08AUG2013 14:48:22
Privileged code:    YES
VPROC - T9617H01 - (01 FEB 2009) SYSTEM \N1 Date 24 AUG 2013, 22:01:25
Copyright 2004 Hewlett-Packard Development Company, L.P.
$SYSTEM.XYGATEAC.
Appendix F: XAC Obey and Command File Use and Token Replacement When an XAC session is started, certain parameters are set based on the run parameters, startup message and various other runtime parameters. These values are assigned to a series of “percent parameters” that begin with a percent sign. These parameters can be referenced within the XAC ACACL Command Entry. The PERCENT keyword in the ACACL entry can be set to ON or OFF to explicitly enable or disable this feature.
%N            The NonStop Kernel user name, such as SUPER.OPERATOR.
%1 through %9 These tokens represent the corresponding tokens from the startup message included on the XYGATEAC command line that followed .
%%            Use a double percent sign if a single percent sign is needed in the file.
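The following Python script is an added example of the token replacement described above, written for this page; it is not XYPRO code and does not claim to reproduce every rule XYGATEAC applies. It implements the three token kinds the table lists: %N, %1 through %9 and %%, plus the PERCENT ON/OFF switch. Assumptions the manual does not state: a %k with no corresponding startup token expands to nothing, any other %x sequence is left unchanged, and the startup tokens are the words that followed the ACACL command name on the XAC command line. The obey-file text is constructed for the example.

```python
import re

# Added example for this page, not XYPRO code. Implements %N, %1..%9 and %%
# from Appendix F. Assumptions not in the manual: a %k with no matching
# startup token expands to nothing, other %x sequences are left unchanged,
# and PERCENT OFF leaves the file untouched.

_PERCENT_TOKEN = re.compile(r"%(%|N|[1-9])")


def expand_percent(text, user_name, startup_tokens, percent=True):
    """Replace percent parameters in one line of an obey or command file."""
    if not percent:
        return text

    def replace(match):
        key = match.group(1)
        if key == "%":            # %% -> literal percent sign
            return "%"
        if key == "N":            # %N -> NonStop user name
            return user_name
        index = int(key) - 1      # %1..%9 -> startup message tokens
        return startup_tokens[index] if index < len(startup_tokens) else ""

    return _PERCENT_TOKEN.sub(replace, text)


def startup_tokens(xac_command_line):
    """Tokens that followed the ACACL command name on the XAC command line,
    e.g. 'FUP-255 $DATA.WORK PURGE' -> ['$DATA.WORK', 'PURGE'] (assumption)."""
    return xac_command_line.split()[1:]


def expand_obey_file(text, user_name, xac_command_line, percent=True):
    """Expand every line of an obey file with the session's values."""
    tokens = startup_tokens(xac_command_line)
    return "\n".join(expand_percent(line, user_name, tokens, percent)
                     for line in text.splitlines())


# Constructed obey file for a FUP session (not from the manual).
OBEY_TEMPLATE = """\
== %1 is the volume named on the XAC command line, %N the invoking user
VOLUME %1
INFO %1.*, DETAIL
== 100%% of the files listed above are reviewed by %N
"""

if __name__ == "__main__":
    print(expand_obey_file(OBEY_TEMPLATE, "OPS.SHIFT1", "FUP-255 $DATA.WORK"))
```

Because replacement is a single left-to-right pass, `%%1` yields the literal text `%1` rather than the first startup token, which is the behaviour an obey file author needs when a percent sign has to survive in front of a digit.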
Appendix G: XAC Error Messages
The XAC module displays two types of errors. The first type is parsing errors encountered when the XAC DBSO program reads entries from the ACACL file. The second type is execution errors raised when the XAC process executes the entry. The following table describes these errors:

Error Message: ##### closing stdio
Description: An error occurred closing the stdio routines. Please call XYPRO Technology for assistance.
Description (for the preceding entry, whose message is not on this page): This message is printed if errors have been found after DBSO has finished checking for syntax in the ACCONF and ACACL files.

Error Message: USER_AUTHENTICATE_ failed, reason #####,#####
Description: The NSK procedure USER_AUTHENTICATE_ failed for the reason specified. Please call XYPRO Technology for assistance.

Error Message: XAC - not available, continuing
Description (for the preceding entry, whose message is not on this page): If you have specified the START_LOGGED_OFF keyword, you cannot subsequently specify the START_LOGGED_ON keyword.

Error Message: XAC - ACACL syntax error at line ## - COMMAND has too many ALIAS entries, max is 20
Description (for the preceding entry, whose message is not on this page): No more than a total of 10,000 bytes of arguments can be used with all the INPUT keywords used in a single ACACL entry.

Error Message: XAC - ACACL syntax error at line ## - Command Missing CHANGERUSER FROM or TO specification
Description: The CHANGEUSER_FROM and CHANGEUSER_TO keywords must be used together; both must be present.

Error Message: XAC - ACACL syntax error at line ## - COMMAND Too many entries for PROMPT
Description (for the preceding entry, whose message is not on this page): The ACLGROUP keyword requires a name for the ACLGROUP to follow the keyword.

Error Message: XAC - ACACL syntax error at line ## - Missing USER specification
Description (for the preceding entry, whose message is not on this page): The FILENAME specified with the OBEY keyword is invalid in format.

Error Message: XAC - ACACL syntax error at line ##, COMMAND , TOKEN Invalid BANNER filename
Description: The filename specified by BANNER_CONNECT or BANNER_FIRSTIO is invalid.

Error Message: XAC - ACACL syntax error at line ##, COMMAND , TOKEN - Unbalanced quotes in argument
Description (for the preceding entry, whose message is not on this page): This error can be caused by several conditions: 1) The argument to the FILE keyword is not a legal filename. 2) The argument to the OBEY keyword is not a legal filename. 3) The argument to the BANNER_CONNECT or BANNER_FIRSTIO keyword is not a legal filename. 4) FCPROMPT requires a quoted string as an argument.

Error Message: XAC - ALIAS table data overflow, ignoring excess data.
Description (for the preceding entry, whose message is not on this page): The name of a command in the ACACL file must be less than or equal to 32 characters.

Error Message: XAC - Command has syntax error in ACACL file
Description: There is a syntax error in the text of this command in the ACACL file.

Error Message: XAC - Command is not allowed
Description: The command is not permitted because it has been prohibited using ALLOWCMD and DENYCMD.

Error Message: XAC - Command not found
Description (for the preceding entry, whose message is not on this page): The function key specified has been disabled using the MAP_C_FKEY or MAP_B_FKEY keywords in the ACACL entry.

Error Message: XAC - In a licensed copy of XYGATEAC would run as user
Description: This message is from the Demonstration Version of XYGATEAC. It details how the licensed version of XYGATEAC would start the object file named in .

Error Message: XAC - Input file error ##### on
Description (for the preceding entry, whose message is not on this page): XYGATEAC could not start the object file because the object file is secured so that the user specified in the USER keyword of the ACACL Command entry cannot execute the object file.

Error Message: XAC - process_create_ complete error #####:#####

Error Message: XAC - Process_create_ error #####:##### .
Description (for the preceding entry, whose message is not on this page): Your userid is not on the list of userids that is the argument to the ACACL keyword in this ACACL Command Entry.

Error Message: XAC - You cannot use the RUN command from this prompt.
Description: Usage of the key has caused TACL to take exclusive control of the terminal. XYGATE cannot execute RUN commands at this point.

Error Message: XAC - You have too many processes running already.
Index

A
ACACL Command Entries
    for OSS Auditing ................ 85
    Initial ACACL Commands .......... 30
ACCONF File
    Keywords ........................ 91
    Sample File ..................... 93
AUDIT File Creation and Rollover .... 63
AUDIT File Resizing ................

E
EMS Message Format Templates ........ 59
EMSBUILD Macro ...................... 59
Error 45 ............................ 64

I
XAC_ACCESS_MAP ...................... 57
XAC_AUDIT_REPORT ................... 252
XAC_COMMANDS ....................... 257
XAC_DATETIME_MAKE .................. 259
XAC_DSTATS ......................... 260
XAC_EDIT_ACL ....................... 262
XAC_INSTALL_LICENSE ................ 265
XAC_LIB_INSTALL .................... 266
XAC_LIB_UNINSTALL .................. 267
XAC_NEXTGEN ........................ 268
XAC_REPORT .........................