XYGATE Access Control Reference Manual
Introduction 
XYPRO Technology Corporation  xviii  Proprietary and Confidential 
Most XAC installations chart a course between the two extremes described above, 
with a mix of secured, audited TACLs for some situations, and XAC Command Entries 
for individual commands to be secured. 
The following sections describe some of the elements of these two endpoints of the 
XAC installation spectrum. First, the secured TACLs for complete keystroke auditing 
are discussed, then special purpose TACLs, and finally, a few individual XAC 
Command Entries for secured tasks are shown. 
Secured TACLs 
One method of securing your NonStop system involves auditing keystrokes within 
TACL. You can audit all keystrokes for all TACLs, or audit all keystrokes only for 
TACLs that use a sensitive communications medium, such as a dialup line, or that 
log on to a sensitive userid, such as a TACL that runs as SUPER.SUPER. 
In order to audit all TACL commands, you must have XAC control your TACL 
environment from the very beginning. You can accomplish this by using XAC to start 
all the TACLs on your system at startup time. The steps involved in this change vary 
based on communication media, but can be broken down into a few major types: 
•  Asynchronous terminals (hard-wired or dialup) 
•  Static and dynamic TCP/IP ports 
•  Safeguard-controlled terminals 
The changes are made to the startup process appropriate for the medium. 
A different Command Entry in the ACACL file is required for each type of TACL. Here 
are some examples (these may require modification for your environment): 
COMMAND ASYNCH-TACL 
 OBJECT $SYSTEM.SYSNN.TACL 
 USER GROUP,USER 
 ACL \*.*,* ALIAS:"\*.*" 
 QUIET 
 PERCENT OFF 
 EXECUTEHANGUP 
 STOPONERROR 60,66,140,190,191 
 OPENSBYOBJECTS \*.$*.*.* 
 BLANKPASSWORD 
 TRACKVOLUME 
 TRACKUSERID 
 START_LOGGED_OFF 
COMMAND AUDITED-TCPIP-TACL 
 OBJECT $SYSTEM.SYSNN.TACL 
 USER GROUP,USER 
 ACL \*.*.* ALIAS:"\*.*" 
 PERCENT OFF 
 BANNER_CONNECT $SYSTEM.XYGATE.MODEMBAN 
 NULLNULLNOCMDESC 
 EXECUTEHANGUP 
 CHECKCONNECTION 500 50 
 STOPONERROR 60,66,140,190,191 
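Since the entries above are templates that may require modification, the following Python check (an added example, not part of the manual or of XYGATE) parses Command Entries in the layout shown and reports values left at their template settings. It assumes one keyword per line under each COMMAND line; the second sample entry and the function names are constructed for illustration.

```python
import re

# Constructed sample: the first entry keeps the manual's template values,
# the second is a made-up, site-customized entry (names are illustrative).
SAMPLE = r'''
COMMAND ASYNCH-TACL
 OBJECT $SYSTEM.SYSNN.TACL
 USER GROUP,USER
 ACL \*.*,* ALIAS:"\*.*"
 STOPONERROR 60,66,140,190,191
 TRACKUSERID
COMMAND OPS-TCPIP-TACL
 OBJECT $SYSTEM.SYS01.TACL
 USER OPS,OPER1
 ACL \PROD.OPS,*
 EXECUTEHANGUP
'''

def parse_entries(text):
    """Return {entry name: {KEYWORD: argument string}} in file order."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        keyword, _, arg = line.partition(" ")
        if keyword.upper() == "COMMAND":
            current = entries.setdefault(arg.strip(), {})
        elif current is not None:  # ignore anything before the first COMMAND
            current[keyword.upper()] = arg.strip()
    return entries

def lint(entries):
    """Return (entry, message) pairs for values still at the template setting."""
    findings = []
    for name, kw in entries.items():
        if "SYSNN" in kw.get("OBJECT", "").upper():
            findings.append((name, "OBJECT still contains the SYSNN placeholder"))
        if kw.get("USER", "").upper() == "GROUP,USER":
            findings.append((name, "USER is still the GROUP,USER placeholder"))
        # Assumption: an ACL that starts with all wildcards is the unedited template.
        if re.match(r"\\\*\.\*[.,]\*", kw.get("ACL", "")):
            findings.append((name, "ACL is still the all-wildcard template value"))
    return findings

if __name__ == "__main__":
    for name, message in lint(parse_entries(SAMPLE)):
        print(f"{name}: {message}")
```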










