Securing Processes With the Safeguard Subsystem


Safeguard software extends process security beyond simple ownership. Using PROCESS or SUBPROCESS Protection Records, it is possible to grant or deny access to processes independent of their ownership.

Safeguard protection replaces Guardian protection. While an object is under Safeguard control, the Guardian security setting becomes inactive.

Safeguard software makes its rulings on PROCESS access attempts based on the Safeguard Global Parameters and the individual PROCESS and SUBPROCESS records.

The following items may affect Safeguard PROCESS security:

Process-related Safeguard OBJECTTYPES

Process-related Safeguard Global Parameters

PROCESS Protection Records

SUBPROCESS Protection Records

Process-Related Safeguard OBJECTTYPES

Safeguard OBJECTTYPEs determine who is allowed to ADD Protection Records for each type of object. Two OBJECTTYPEs affect process security:

PROCESS OBJECTTYPE

SUBPROCESS OBJECTTYPE

Please refer to Safeguard Subsystem in Part One for the complete discussion of Safeguard OBJECTTYPE Records.

Securing NAMED and UNNAMED Processes

Safeguard software provides two special Safeguard Protection Records that can be used to control who can CREATE or STOP any NAMED or UNNAMED process, whether or not the process is otherwise protected by Safeguard software. The PROCESS OBJECTTYPE controls who can create the special Protection Records for NAMED and UNNAMED processes.

This feature is intended to allow a specified group of users, such as system operators, the ability to CREATE or STOP any process on the system.

For NAMED and UNNAMED records, READ and WRITE authorities are not valid; the only valid access authorities are:

CREATE (run)

PURGE (stop)

OWNER

The Safeguard Global parameter COMBINATION-PROCESS must be set to FIRST-RULE for the NAMED and UNNAMED feature to function as intended.

RISK Without PROCESS OBJECTTYPE or SUBPROCESS OBJECTTYPE records, any user can add a Safeguard Protection Record for a process name (regardless of ownership), thereby gaining control of the process.

RISK The PROCESS OBJECTTYPE also controls who can create the special Protection Records for NAMED and UNNAMED processes. This is very important because any user granted PURGE authority on both the NAMED and UNNAMED Protection Records can stop any process on the system.

BP-PROCESS-OBJTYPE-01 The PROCESS OBJECTTYPE should be created.

BP-SUBPROC-OBJTYPE-01 The SUBPROCESS OBJECTTYPE should be created.

BP-PROCESS-OBJTYPE-02 The PROCESS OBJECTTYPE should be owned by the Security-Administrator.

BP-SUBPROC-OBJTYPE-02 The SUBPROCESS OBJECTTYPE should be owned by the Security-Administrator.

BP-PROCESS-OBJTYPE-03 The PROCESS OBJECTTYPE should be audited for Access (AUDIT-ACCESS-PASS and AUDIT-ACCESS-FAIL).

BP-SUBPROC-OBJTYPE-03 The SUBPROCESS OBJECTTYPE should be audited for Access (AUDIT-ACCESS-PASS and AUDIT-ACCESS-FAIL).

BP-PROCESS-OBJTYPE-04 The PROCESS OBJECTTYPE should be audited for Manage (AUDIT-MANAGE-PASS and AUDIT-MANAGE-FAIL).

BP-SUBPROC-OBJTYPE-04 The SUBPROCESS OBJECTTYPE should be audited for Manage (AUDIT-MANAGE-PASS and AUDIT-MANAGE-FAIL).

UNNAMED Protection Record

RISK When a Protection Record specifying UNNAMED as the process name is created, that record applies to all unnamed processes.

In the case of the UNNAMED Protection Record, only those users specified on the UNNAMED Protection Record will be able to CREATE and STOP unnamed processes.

RISK Whoever is granted PURGE authority on the UNNAMED Protection Record can stop any UNNAMED process on the system.

Safeguard software can only have one Protection Record for UNNAMED processes, so the same Safeguard security will be applied to all UNNAMED processes.

AP-ADVICE-UNNAMED-01 Avoid UNNAMED processes.

BP-POLICY-PROCESS-02 Application programs should not run UNNAMED.

NAMED Protection Record

When a Protection Record specifying NAMED as the process name is created, that record applies to all NAMED processes.

RISK In NAMED Protection Records, only those users specified on the NAMED Protection Record will be able to create and stop named processes. If no other Protection Records exist for processes, no users other than those specified on the NAMED Protection Record will be able to CREATE or STOP named processes.

For NAMED and UNNAMED records, the only valid access authorities are CREATE, PURGE, and OWNER.

BP-POLICY-PROCESS-03 If the company security policy requires that a Protection Record for NAMED processes be created, then create Protection Records for all the named processes on the system, to ensure that the appropriate users can manage them.

The user who CREATES a process is allowed to STOP the process even if a Protection Record prevents it.

How the Safeguard Subsystem Evaluates Process Management Requests

A User Creating a Protected Process

Access to PROCESSES or SUBPROCESSES with protected names is controlled by the Protection Record defined for the name. When a user attempts to CREATE a process with a protected name, Safeguard software checks for a Protection Record for the name.

If the user has CREATE authority, Safeguard software allows the process to be created.

If the user doesn't have CREATE authority, the request is rejected with a security violation error (Error 48).

A Process Opening a Protected Process or Subprocess

When a process attempts to open another process or subprocess with a protected name, Safeguard software checks the record to see if the user identified by the PAID of the requesting process is authorized to open the protected process.

If the open request is for READ/WRITE and the user has READ/WRITE authority, the request is allowed to complete successfully.

If the user does not have the proper authority, Safeguard software rejects the open request with a security violation error (Error 48).

Note

If the process is opened for READ, the file system will allow both READ and WRITE operations. Therefore, the process itself must enforce the distinction between an open for READ and an open for WRITE.

Stopping a Protected Process

If a user attempts to stop a process with a protected name, Safeguard software checks the Protection Record for the process name to determine whether the user has PURGE authority.

If the user has PURGE authority, Safeguard software allows the process to be stopped.

If the user does not have PURGE authority, the stop request is rejected with a security violation error (Error 48).

Process-Related Safeguard Global Parameters

The following global parameters determine whether or not Safeguard software will rule on attempts to manage PROCESSES and how it will make its ruling:

ACL-REQUIRED-PROCESS

CHECK-PROCESS

CHECK-SUBPROCESS

COMBINATION-PROCESS

DIRECTION-PROCESS

ACL-REQUIRED-PROCESS

The ACL-REQUIRED-PROCESS parameter determines whether or not all processes on the system must have a Safeguard Protection Record.

If ACL-REQUIRED-PROCESS is OFF, and no Protection Record is found, Guardian rules apply.

If ACL-REQUIRED-PROCESS is ON, Safeguard software will deny access to any PROCESS that does not have a Safeguard Protection Record.

The default value is OFF.

RISK If ACL-REQUIRED-PROCESS is ON, Safeguard will deny access to any PROCESS that does not have a Safeguard Protection Record.

BP-SAFEGARD-GLOBAL-21 ACL-REQUIRED-PROCESS should be OFF unless required by the Corporate Security Policy.

CHECK-PROCESS

The CHECK-PROCESS parameter determines whether or not Safeguard software will check to see if there is a PROCESS Protection Record when a process access attempt is made.

If CHECK-PROCESS is ON, Safeguard software will refer to PROCESS Protection Records to evaluate PROCESS access requests.

If CHECK-PROCESS is OFF, PROCESS Protection Records will not be checked.

The default value is ON.

Safeguard software does not check Safeguard Protection Records for PROCESSes unless it is configured to check them.

BP-SAFEGARD-GLOBAL-18 CHECK-PROCESS should be set to ON.

CHECK-SUBPROCESS

The CHECK-SUBPROCESS parameter determines whether or not Safeguard software will check to see if there is a SUBPROCESS Protection Record when a subprocess access attempt is made.

If CHECK-SUBPROCESS is ON, Safeguard will refer to SUBPROCESS Protection Records to evaluate SUBPROCESS access requests.

If CHECK-SUBPROCESS is OFF, SUBPROCESS Protection Records will not be checked.

The default value is ON.

BP-SAFEGARD-GLOBAL-20 CHECK-SUBPROCESS should be set to ON.

COMBINATION-PROCESS

COMBINATION-PROCESS tells Safeguard how to resolve conflicts when both PROCESS and SUBPROCESS Protection Records exist for the target process, but the records don't grant equal access authority for the user and the attempted operation. The value can be:

FIRST-ACL

The first Protection Record found (based on DIRECTION-PROCESS) determines the access, whether or not the user and the attempted operation are included in that record.

FIRST-RULE

Protection Records are searched until both the user and the access requested are explicitly granted or denied.

ALL

Both the PROCESS and SUBPROCESS rules must grant the requested access.

The default value is FIRST-ACL.

BP-SAFEGARD-GLOBAL-19 COMBINATION-PROCESS should be FIRST-ACL.

RISK The Safeguard Global parameter COMBINATION-PROCESS must be set to FIRST-RULE for the special NAMED and UNNAMED Process Protection Records to function correctly.

AP-SAFEGARD-GLOBAL-19 If the NAMED and UNNAMED Protection Records do not exist, then the COMBINATION-PROCESS parameter should be set according to the Corporate Security Policy.

DIRECTION-PROCESS

DIRECTION-PROCESS determines which direction Safeguard software will search for Protection Records when both CHECK-PROCESS and CHECK-SUBPROCESS are ON. This attribute is used in conjunction with COMBINATION-PROCESS. The valid entries are:

PROCESS-FIRST

Safeguard software searches for a PROCESS record first.

SUBPROCESS-FIRST

Safeguard software searches for a SUBPROCESS record first.

The default value is PROCESS-FIRST.

BP-SAFEGARD-GLOBAL-17 DIRECTION-PROCESS should be SUBPROCESS-FIRST.
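The following Python model is an added example, not code from the book or from HP. It walks through how a request against a protected process is ruled on under the CHECK-PROCESS, CHECK-SUBPROCESS, ACL-REQUIRED-PROCESS, DIRECTION-PROCESS and COMBINATION-PROCESS settings described above; the userids, process names and ACL entries are constructed, and it assumes that under FIRST-RULE a request that no record rules on is denied (the book does not say).

```python
from dataclasses import dataclass

@dataclass
class Record:
    """Record ACL: userid -> {authority: True=grant, False=explicit deny}; unlisted = silent."""
    acl: dict

    def rule(self, user, op):
        # True = explicit grant, False = explicit deny, None = record is silent
        return self.acl.get(user, {}).get(op)

@dataclass
class Globals:
    check_process: bool = True        # CHECK-PROCESS (default ON)
    check_subprocess: bool = True     # CHECK-SUBPROCESS (default ON)
    combination: str = "FIRST-ACL"    # COMBINATION-PROCESS: FIRST-ACL | FIRST-RULE | ALL
    direction: str = "PROCESS-FIRST"  # DIRECTION-PROCESS: PROCESS-FIRST | SUBPROCESS-FIRST
    acl_required: bool = False        # ACL-REQUIRED-PROCESS (default OFF)

def evaluate(g, user, op, process=None, subprocess=None):
    """Return 'GRANT', 'DENY' (security violation, Error 48) or 'GUARDIAN'
    (no record applies, so Guardian ownership security decides)."""
    order = [process if g.check_process else None,
             subprocess if g.check_subprocess else None]
    if g.direction == "SUBPROCESS-FIRST":
        order.reverse()
    found = [r for r in order if r is not None]   # records that exist and are checked
    if not found:
        return "DENY" if g.acl_required else "GUARDIAN"
    if g.combination == "FIRST-ACL":
        # The first record found decides, even when it never mentions user or op.
        return "GRANT" if found[0].rule(user, op) else "DENY"
    if g.combination == "FIRST-RULE":
        # Keep searching until some record explicitly grants or denies user + op.
        for r in found:
            verdict = r.rule(user, op)
            if verdict is not None:
                return "GRANT" if verdict else "DENY"
        return "DENY"   # assumption: no record ruled, so deny (the book does not say)
    if g.combination == "ALL":
        return "GRANT" if all(r.rule(user, op) for r in found) else "DENY"
    raise ValueError(f"unknown COMBINATION-PROCESS value {g.combination!r}")

# Constructed sample records (userids and process names are illustrative):
# $APP's PROCESS record lets OPS.JOE read, write and stop it; the SUBPROCESS
# record for $APP.#CTL explicitly denies OPS.JOE WRITE and is silent on READ.
PROCESS_REC = Record({"OPS.JOE": {"READ": True, "WRITE": True, "PURGE": True},
                      "APP.ADMIN": {"READ": True}})
SUBPROCESS_REC = Record({"OPS.JOE": {"WRITE": False},
                         "APP.ADMIN": {"READ": True, "WRITE": True}})

if __name__ == "__main__":
    for combo in ("FIRST-ACL", "FIRST-RULE", "ALL"):   # with the book's SUBPROCESS-FIRST
        g = Globals(combination=combo, direction="SUBPROCESS-FIRST")
        print(combo, evaluate(g, "OPS.JOE", "READ", PROCESS_REC, SUBPROCESS_REC))
```

Running it shows why the setting matters: the same READ request by OPS.JOE is denied under FIRST-ACL (the silent SUBPROCESS record is found first and decides), granted under FIRST-RULE (the search continues to the PROCESS record) and denied under ALL.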

Process And Subprocess Protection Records

Processes can be protected by two levels of Safeguard Rules: PROCESS and SUBPROCESS. Rules for one or both levels can exist.

Each Safeguard PROCESS Protection Record has three parts:

PRIMARY OWNER

By default the userid that created the Protection Record. Can be altered.

Access Control List (ACL)

The list of Userids that are allowed to access the object and the operations they are allowed to perform on the object.

Audit Settings

Determines whether Safeguard software will audit attempts to access the object.

Each PROCESS and SUBPROCESS Protection Record specifies the users allowed to access the process or subprocess and the operations these users are allowed to perform. The valid operations are:

READ

Refers to the authority to open a PROCESS or SUBPROCESS for input/output

WRITE

Refers to the authority to open a PROCESS or SUBPROCESS for input/output

CREATE

Refers to the authority to CREATE a process with a protected name. (A user must also have Execute authority for the program object file.) CREATE does not apply to subprocesses.

PURGE

Refers to the authority to STOP a process with a protected name. Does not apply to subprocesses.

OWNER

Has authority to ALTER the Protection Record.

Only userids or File-Sharing Groups, not aliases, can be included in PROCESS and SUBPROCESS Protection Records. Safeguard aliases gain all the access authority of their underlying userid. See User Administration in Part Three.

If remote access is appropriate for a given process or subprocess, the users must be defined as network users (\*.) when granting privileges in the PROCESS or SUBPROCESS ACL, or Safeguard software will deny the OPEN access requests from another node. Users defined as network users are automatically granted the appropriate local access privileges as well.

Process Protection Record Ownership

Every Safeguard Protection Record has an owner. The record owner is the Primary Owner. By default, the owner is the user who created the Protection Record, but that user can give ownership to another userid.

By default, only the Primary Owner of a Protection Record, the owner's group manager, and SUPER.SUPER can manage (ALTER or DELETE) a Protection Record.

In addition, the initial owner can add owners to a Protection Record. Additional ownership is defined by the OWNER authority code for Protection Record entries and is an independent extension of the initial owner. Additional owners can do anything that the initial owner is permitted to do. They are equal, in every way, to the initial owner. For example, they can modify the Safeguard Protection Records for any process they own, and they can access any process they own when that process has been FROZEN. The OWNER authority may be used to explicitly deny a local SUPER.SUPER any of the authorities implicitly granted to SUPER.SUPER, including OWNER. The OWNER authority can always be specified for all processes protected by Safeguard software.

Auditing Process And Subprocess Access and Management

The following Global parameters can be used to configure system-wide process auditing.

AUDIT-PROCESS-ACCESS-PASS

AUDIT-PROCESS-ACCESS-FAIL

AUDIT-PROCESS-MANAGE-PASS

AUDIT-PROCESS-MANAGE-FAIL

AUDIT-PROCESS-ACCESS {-PASS | -FAIL}

The AUDIT-PROCESS-ACCESS-PASS/FAIL parameters determine whether or not successful (PASS) and unsuccessful (FAIL) attempts to access any process or subprocess on the system are audited. The value can be ALL, NONE, LOCAL, or REMOTE.

If AUDIT-PROCESS-ACCESS-PASS value is configured to anything other than NONE, then the appropriate successful process access attempts will be audited.

If AUDIT-PROCESS-ACCESS-FAIL value is configured to anything other than NONE, then the appropriate unsuccessful process access attempts will be audited.

This setting supplements the audit settings for individual processes and subprocesses.

If an individual PROCESS or SUBPROCESS Protection Record is configured to audit only LOCAL access attempts, but the Global parameter is REMOTE, then both LOCAL and REMOTE access attempts will be audited.

However, if an individual PROCESS or SUBPROCESS Protection Record is configured to audit only NONE and the Global parameter is ALL, then Safeguard software will not audit either successful or unsuccessful process access attempts.

The default is NONE.

BP-PROCESS-POLICY-04 Whether or not PROCESS access attempts are audited depends on the Corporate Security Policy.

AUDIT-PROCESS-MANAGE {-PASS | -FAIL}

The AUDIT-PROCESS-MANAGE-PASS/FAIL parameters determine whether or not attempts to CREATE, ALTER or DELETE Process Protection Records will be audited. This setting supplements the audit settings for individual processes or subprocesses. The value can be ALL, NONE, LOCAL, or REMOTE.

If an individual PROCESS or SUBPROCESS Protection Record is configured to audit only LOCAL management attempts, but the Global parameter is REMOTE, then both LOCAL and REMOTE management attempts will be audited.

However, if an individual PROCESS or SUBPROCESS Protection Record is configured to audit only NONE and the Global parameter is ALL, then Safeguard software will not audit either successful or unsuccessful process management attempts.

The default is NONE.

BP-PROCESS-AUDIT-01 AUDIT-PROCESS-MANAGE-PASS should be ALL.

BP-PROCESS-AUDIT-02 AUDIT-PROCESS-MANAGE-FAIL should be ALL.
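As an added example (not from the book), this Python snippet applies the combination rule just described to both the ACCESS and MANAGE parameters: the Global parameter widens the audit scope of an individual record, but NONE on the record switches auditing off regardless of the global value. The global settings and the $APP record are constructed for illustration.

```python
# Scope names from the book and the request origins each one covers.
SCOPES = {"NONE": frozenset(), "LOCAL": frozenset({"LOCAL"}),
          "REMOTE": frozenset({"REMOTE"}), "ALL": frozenset({"LOCAL", "REMOTE"})}
NAMES = {origins: name for name, origins in SCOPES.items()}

def effective_audit(record_value, global_value):
    """Scope that really applies to one PASS or FAIL setting: the Global
    parameter supplements the record (union of origins), except that NONE on
    the individual record switches auditing off whatever the global says."""
    if record_value == "NONE":
        return "NONE"
    return NAMES[SCOPES[record_value] | SCOPES[global_value]]

def is_audited(record, global_params, kind, outcome, origin):
    """kind 'ACCESS'|'MANAGE', outcome 'PASS'|'FAIL', origin 'LOCAL'|'REMOTE'.
    record and global_params map keys such as 'ACCESS-FAIL' to a scope name."""
    key = f"{kind}-{outcome}"
    return origin in SCOPES[effective_audit(record[key], global_params[key])]

def audit_matrix(record, global_params):
    """Every (kind, outcome, origin) combination -> audited or not, for review."""
    return {(k, o, g): is_audited(record, global_params, k, o, g)
            for k in ("ACCESS", "MANAGE") for o in ("PASS", "FAIL")
            for g in ("LOCAL", "REMOTE")}

# Constructed global settings: the book's BP values for MANAGE, REMOTE-only ACCESS-FAIL.
GLOBAL = {"ACCESS-PASS": "NONE", "ACCESS-FAIL": "REMOTE",
          "MANAGE-PASS": "ALL", "MANAGE-FAIL": "ALL"}
# Constructed $APP record: audits LOCAL access failures, MANAGE auditing set to NONE.
APP_RECORD = {"ACCESS-PASS": "NONE", "ACCESS-FAIL": "LOCAL",
              "MANAGE-PASS": "NONE", "MANAGE-FAIL": "NONE"}

if __name__ == "__main__":
    for combo, audited in sorted(audit_matrix(APP_RECORD, GLOBAL).items()):
        print(" ".join(combo), "-> audited" if audited else "-> not audited")
```

The output makes the trap visible: even with the global MANAGE parameters at ALL, no management of the $APP record is audited, because the record itself says NONE.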

Identifier                          Question                                                                              Look in
POLICY-PROCESS-01                   Do any processes run PROGID'd that are not authorized?                                Process Status
POLICY-PROCESS-02                   Do any application processes run UNNAMED?                                             Process Status
POLICY-PROCESS-03                   Does the Corporate Security Policy require Protection Records for NAMED processes?    Policy
PROCESS-OBJTYPE-01                  Does the PROCESS OBJECTTYPE exist?                                                    Safecom
SUBPROC-OBJTYPE-01                  Does the SUBPROCESS OBJECTTYPE exist?                                                 Safecom
PROCESS-OBJTYPE-02                  Is the PROCESS OBJECTTYPE owned by the SECURITY ADMINISTRATOR?                        Safecom
SUBPROC-OBJTYPE-02                  Is the SUBPROCESS OBJECTTYPE owned by the SECURITY ADMINISTRATOR?                     Safecom
PROCESS-OBJTYPE-03                  Is the PROCESS OBJECTTYPE set to audit accesses?                                      Safecom
SUBPROC-OBJTYPE-03                  Is the SUBPROCESS OBJECTTYPE set to audit accesses?                                   Safecom
PROCESS-OBJTYPE-04                  Is the PROCESS OBJECTTYPE set to audit manage attempts?                               Safecom
SUBPROC-OBJTYPE-04                  Is the SUBPROCESS OBJECTTYPE set to audit manage attempts?                            Safecom
SAFEGARD-GLOBAL-21                  Is the Safeguard Global parameter ACL-REQUIRED-PROCESS value OFF?                     Safecom
SAFEGARD-GLOBAL-18                  Is the Safeguard Global parameter CHECK-PROCESS value ON?                             Safecom
SAFEGARD-GLOBAL-20                  Is the Safeguard Global parameter CHECK-SUBPROCESS value ON?                          Safecom
SAFEGARD-GLOBAL-19                  Is the Safeguard Global parameter COMBINATION-PROCESS value FIRST-ACL?                Safecom
SAFEGARD-GLOBAL-17                  Is the Safeguard Global parameter DIRECTION-PROCESS value SUBPROCESS-FIRST?           Safecom
PROCESS-POLICY-04                   Does the Corporate Security Policy mandate auditing of attempts to access PROCESSES?  Policy
PROCESS-POLICY-04                   Are all attempts to access PROCESS Protection Records audited?                        Safecom
PROCESS-POLICY-05                   Does the Corporate Security Policy mandate auditing of attempts to manage PROCESSES?  Policy
PROCESS-AUDIT-01, PROCESS-AUDIT-02  Are all attempts to manage PROCESS Protection Records audited?                        Safecom




HP NonStop Server Security 2004
ISBN: 159059035X
Year: 2004
Pages: 157