Device Security


Until a device or subdevice is added to the Safeguard database, any process can open the device for input or output. Once added to Safeguard, only processes executing on behalf of users included in the Protection Record can access the device or subdevice.

Identifying Devices

Devices are identified by either a Device Name or a Logical Device Number. The subdevice name, or Qualifier, is optional.

Device Name

The DEVICE NAME identifies the device. It can be up to eight characters long: the first character must be a dollar sign ($), the second must be a letter, and the remaining six can be letters or numbers.

Qualifier

The QUALIFIER is the optional Subdevice name. It can be up to eight characters long, including the required leading pound or hash sign (#). The first character following the # must be a letter.

Subqualifier

The SUBQUALIFIER is an optional specifier, subordinate to the Qualifier. It can be up to eight alphanumeric characters long; the first character must be a letter.

LDEV-Number

The LDEV-NUMBER is the Logical Device Number. Logical Device Numbers consist of a dollar sign ($) followed by one to five numbers.

Without the Safeguard Subsystem

In the Guardian environment, any process can open any device for input or output.

With the Safeguard Subsystem

Safeguard software extends device security beyond simple ownership. It allows creation of Protection Records that grant or deny access to devices.

Safeguard software makes its rulings on DEVICE access attempts, based on the following Safeguard Global Parameters and the individual DEVICE and SUBDEVICE records.

The following items may affect Safeguard DEVICE security:

Device- related Safeguard OBJECTTYPES

Device-related Safeguard Global Parameters

DEVICE Protection Records

SUBDEVICE Protection Records

Safeguard software distinguishes between local and remote open requests. A remote open request is one made by a process that was started by a network user logged on to a remote system. When the process is remote with respect to the device or subdevice it is attempting to open, the network user must also have been granted remote access; otherwise Safeguard software rejects the open request with a security violation error.

DEVICE-Related Safeguard OBJECTTYPES

Safeguard OBJECTTYPEs determine who is allowed to ADD DEVICE or SUBDEVICE Protection Records. Two OBJECTTYPEs affect DEVICE security:

OBJECTTYPE DEVICE

OBJECTTYPE SUBDEVICE

Please refer to the Safeguard Subsystem in Part Three for more information on OBJECTTYPES.

RISK Without DEVICE OBJECTTYPE or SUBDEVICE OBJECTTYPE records, any local member of the SUPER group can add a Safeguard Protection Record for a device name, thereby gaining control of the device.

BP-DEVICE-OBJTYPE-01 The DEVICE OBJECTTYPE should be created.

BP-SUBDEV-OBJTYPE-01 The SUBDEVICE OBJECTTYPE should be created.

BP-DEVICE-OBJTYPE-02 The DEVICE OBJECTTYPE should be owned by the Security-Administrator.

BP-SUBDEV-OBJTYPE-02 The SUBDEVICE OBJECTTYPE should be owned by the Security-Administrator.

BP-DEVICE-OBJTYPE-03 The DEVICE OBJECTTYPE should be audited for Access; AUDIT-ACCESS-PASS & AUDIT-ACCESS-FAIL

BP-SUBDEV-OBJTYPE-03 The SUBDEVICE OBJECTTYPE should be audited for Access; AUDIT-ACCESS-PASS & AUDIT-ACCESS-FAIL

BP-DEVICE-OBJTYPE-04 The DEVICE OBJECTTYPE should be audited for Manage; AUDIT-MANAGE-PASS & AUDIT-MANAGE-FAIL

BP-SUBDEV-OBJTYPE-04 The SUBDEVICE OBJECTTYPE should be audited for Manage; AUDIT-MANAGE-PASS & AUDIT-MANAGE-FAIL

DEVICE-Related Safeguard Global Parameters

The following Global parameters determine whether or not Safeguard software rules on attempts to access DEVICES, and how it makes its ruling:

ACL-REQUIRED-DEVICE

CHECK-DEVICE

CHECK-SUBDEVICE

COMBINATION-DEVICE

DIRECTION-DEVICE

Devices can be protected by two levels of Safeguard Protection Records: DEVICE rules and SUBDEVICE rules. A device may be protected by any combination of DEVICE and SUBDEVICE rules.

ACL-REQUIRED-DEVICE

The ACL-REQUIRED-DEVICE parameter determines whether or not every DEVICE on the system must have a Safeguard Protection Record.

If ACL-REQUIRED-DEVICE is OFF, and no Protection Record is found, Guardian rules apply.

If ACL-REQUIRED-DEVICE is ON, Safeguard software will deny access to any DEVICE that does not have a Safeguard Protection Record.

The default value is OFF.

RISK If ACL-REQUIRED-DEVICE is ON, Safeguard software denies access to any DEVICE that does not have a Safeguard Protection Record, so a device left without a record becomes unusable until one is added.

BP-SAFEGARD-GLOBAL-16 ACL-REQUIRED-DEVICE should be OFF unless required by the Corporate Security Policy.

CHECK-DEVICE

The CHECK-DEVICE parameter determines whether or not Safeguard software will check to see if there is a DEVICE Protection Record when a DEVICE access attempt is made.

If CHECK-DEVICE is ON, Safeguard software will refer to DEVICE Protection Records to evaluate DEVICE access requests.

If CHECK-DEVICE is OFF, DEVICE Protection Records will not be checked.

The default value is ON.

BP-SAFEGARD-GLOBAL-13 CHECK-DEVICE should be ON.

CHECK-SUBDEVICE

The CHECK-SUBDEVICE parameter determines whether or not Safeguard software will check to see if there is a SUBDEVICE Protection Record when a SUBDEVICE access attempt is made.

If CHECK-SUBDEVICE is ON, Safeguard software will refer to SUBDEVICE Protection Records to evaluate SUBDEVICE access requests.

If CHECK-SUBDEVICE is OFF, SUBDEVICE Protection Records will not be checked.

The default value is ON.

BP-SAFEGARD-GLOBAL-15 CHECK-SUBDEVICE should be ON.

COMBINATION-DEVICE

COMBINATION-DEVICE tells Safeguard software how to resolve conflicts when both DEVICE and SUBDEVICE Protection Records exist for the target DEVICE, but the records don't grant equal access authority for the user and the attempted operation. The value can be:

FIRST-ACL

The first Protection Record found (based on DIRECTION-DEVICE) determines the access, whether or not the user and the attempted operation are included in the record.

FIRST-RULE

Protection Records are searched, in the order set by DIRECTION-DEVICE, until one of them explicitly grants or denies the requested access to the user.

ALL

Both the DEVICE and SUBDEVICE rules must grant the requested access.

The default value is FIRST-ACL.

BP-SAFEGARD-GLOBAL-14 COMBINATION-DEVICE should be FIRST-ACL.

DIRECTION-DEVICE

DIRECTION-DEVICE determines which direction Safeguard software will search for a Protection Record when both CHECK-DEVICE and CHECK-SUBDEVICE are ON. This attribute is used in conjunction with COMBINATION-DEVICE. The valid entries are:

DEVICE-FIRST Safeguard software searches for a DEVICE record first.

SUBDEVICE-FIRST Safeguard software searches for a SUBDEVICE record first.

The default value is DEVICE-FIRST.

BP-SAFEGARD-GLOBAL-12 DIRECTION-DEVICE should be SUBDEVICE-FIRST.

Device And Subdevice Protection Records

Devices can be protected by two levels of Safeguard Rules: DEVICE and SUBDEVICE Protection Records. One or both levels can exist.

Each Safeguard device and subdevice Protection Record has three parts:

PRIMARY OWNER

By default, the userid that created the Protection Record. Can be altered.

Access Control List (ACL)

The list of Userids that are allowed to access the device and the operations they are allowed to perform on the object.

Audit Settings

Determines whether Safeguard software will audit attempts to access the device.

Each DEVICE and SUBDEVICE Protection Record Access Control List (ACL) specifies the users allowed to access the device or subdevice and the operations these users are allowed to perform. The valid operations are:

READ, WRITE

refers to authority to open a device/subdevice for input/ output

OWNER

refers to authority to ALTER or PURGE the DEVICE or SUBDEVICE Protection Record

Only userids or File-Sharing Groups, not aliases, can be included in DEVICE and SUBDEVICE Protection Records. Safeguard aliases gain all the access authority of their underlying userid.

Remote access is defined as an OPEN attempt made by a user authenticated on a different node. If remote access to a given device or subdevice is appropriate, the users must be granted their privileges as network users (\*.) in the DEVICE or SUBDEVICE Protection Record; otherwise Safeguard software denies OPEN requests from another node. Users defined as network users are automatically granted the corresponding local access privileges as well.
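The ruling described above, from the Global parameters down to the local versus network-user distinction in ACL entries, is easier to reason about when it is written out. The following Python model is an added example, not HP code or SAFECOM output: it encodes this page's description of CHECK-DEVICE, CHECK-SUBDEVICE, ACL-REQUIRED-DEVICE, DIRECTION-DEVICE and COMBINATION-DEVICE, and every device name, userid and Protection Record in it is constructed for the demonstration. It generalizes slightly by letting an ACL entry be an explicit DENY, as the FIRST-RULE description implies.

```python
"""Model of how Safeguard rules on a device OPEN, from this page's description.

Added illustration, not HP code.  Device names, userids and records are constructed.
"""
from dataclasses import dataclass

GRANT, DENY, NOT_COVERED = "GRANT", "DENY", "NOT_COVERED"


@dataclass
class AclEntry:
    user: str           # "GROUP.USER" (local only) or "\\*.GROUP.USER" (network user)
    authorities: set    # subset of {"R", "W", "O"}
    deny: bool = False  # True for an explicit DENY entry

    def matches(self, user: str, remote: bool) -> bool:
        # A network-user entry covers local and remote opens.  A plain entry
        # covers local opens only, so a remote open by a userid that has no
        # \*. entry is not covered and ends up rejected.
        if self.user.startswith("\\*."):
            return self.user[3:] == user
        return not remote and self.user == user


@dataclass
class ProtectionRecord:
    owner: str
    acl: list           # [AclEntry, ...], searched in order

    def rule(self, user: str, remote: bool, op: str) -> str:
        """This record's explicit ruling on one user/operation, or NOT_COVERED."""
        for entry in self.acl:
            if entry.matches(user, remote) and op in entry.authorities:
                return DENY if entry.deny else GRANT
        return NOT_COVERED


@dataclass
class Globals:
    check_device: bool = True               # page default ON
    check_subdevice: bool = True            # page default ON
    acl_required_device: bool = False       # page default OFF
    combination_device: str = "FIRST-ACL"   # FIRST-ACL | FIRST-RULE | ALL
    direction_device: str = "DEVICE-FIRST"  # DEVICE-FIRST | SUBDEVICE-FIRST


def evaluate_open(g, device_rec, subdevice_rec, user, op, remote=False):
    """Return GRANT or DENY for an OPEN (op "R" or "W") of a device or subdevice.

    Pass subdevice_rec=None when the target has no subdevice or no SUBDEVICE record.
    """
    levels = [device_rec if g.check_device else None,
              subdevice_rec if g.check_subdevice else None]
    if g.direction_device == "SUBDEVICE-FIRST":
        levels.reverse()
    records = [rec for rec in levels if rec is not None]

    if not records:
        # No record consulted: Guardian rules apply (any process may open),
        # unless ACL-REQUIRED-DEVICE insists that a record exist.
        return DENY if g.acl_required_device else GRANT

    rulings = [rec.rule(user, remote, op) for rec in records]

    if g.combination_device == "FIRST-ACL":
        # The first record found decides, even if it does not mention the user.
        return GRANT if rulings[0] == GRANT else DENY
    if g.combination_device == "FIRST-RULE":
        # Keep searching until some record explicitly grants or denies.
        for r in rulings:
            if r != NOT_COVERED:
                return r
        return DENY
    if g.combination_device == "ALL":
        return GRANT if all(r == GRANT for r in rulings) else DENY
    raise ValueError("unknown COMBINATION-DEVICE " + g.combination_device)


# Constructed sample records for a tape drive and one of its subdevices.
DEVICE_RECORD = ProtectionRecord("SECURITY.ADMIN", [
    AclEntry("OPER.BACKUP", {"R", "W"}),              # local opens only
    AclEntry("\\*.SECURITY.ADMIN", {"R", "W", "O"}),  # local and remote opens
])
SUBDEVICE_RECORD = ProtectionRecord("SECURITY.ADMIN", [
    AclEntry("DEV.TESTER", {"R"}),                    # OPER.BACKUP is not mentioned
])


def demo():
    """The same request (OPER.BACKUP writes to the subdevice) under each configuration."""
    out = {}
    for combo in ("FIRST-ACL", "FIRST-RULE", "ALL"):
        for direction in ("DEVICE-FIRST", "SUBDEVICE-FIRST"):
            g = Globals(combination_device=combo, direction_device=direction)
            out[(combo, direction)] = evaluate_open(
                g, DEVICE_RECORD, SUBDEVICE_RECORD, "OPER.BACKUP", "W")
    return out


if __name__ == "__main__":
    for key, result in demo().items():
        print(key, result)
```

Running demo() shows why the page pairs SUBDEVICE-FIRST with FIRST-ACL: the same write by OPER.BACKUP is granted under DEVICE-FIRST, because the DEVICE record mentions the user, but denied under SUBDEVICE-FIRST, because the more specific SUBDEVICE record is found first and does not mention the user at all. FIRST-RULE would fall through to the DEVICE record and grant; ALL would deny because the SUBDEVICE record does not grant. Calling evaluate_open with remote=True shows that a userid without a \*. entry is refused from another node even though it can open the device locally, while the \*.SECURITY.ADMIN entry works from both.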

Device Protection Record Ownership

A device has no owner until a Safeguard Protection Record is created. Every Safeguard Protection Record contains an OWNER attribute. The OWNER attribute contains the userid of the user who can manage the Safeguard access controls for the device.

The user who adds the record can set the OWNER attribute to the userid of any user (by including an OWNER specification in a SET DEVICE or ADD DEVICE command). The owner of a DEVICE Protection Record, the owner's group manager, and SUPER.SUPER can transfer ownership to another user by changing the OWNER attribute through the ALTER DEVICE command.

In addition, the initial owner can add owners to a Protection Record. Additional ownership is defined by the OWNER authority code in the Protection Record's ACL. Additional owners can do anything that the initial owner is permitted to do; they are equal, in every way, to the initial owner. For example, they can modify the Safeguard Protection Record for any device they own, and they can access any device they own while that device is FROZEN. An explicit DENY entry in the ACL can be used to deny the local SUPER.SUPER any of the authorities it is implicitly granted, including OWNER. The OWNER authority can be specified for every device protected by Safeguard software.

Auditing Device And Subdevice Access and Management

The following Safeguard Global parameters are discussed in Safeguard Configuration in Part Two.

AUDIT-DEVICE-ACCESS-PASS

AUDIT-DEVICE-ACCESS-FAIL

AUDIT-DEVICE-MANAGE-PASS

AUDIT-DEVICE-MANAGE-FAIL

AUDIT-DEVICE-ACCESS{ -PASS -FAIL }

The AUDIT-DEVICE-ACCESS-PASS and AUDIT-DEVICE-ACCESS-FAIL parameters determine whether successful and unsuccessful attempts, respectively, to access any device or subdevice on the system are audited. The value can be ALL, NONE, LOCAL, or REMOTE.

If the AUDIT-DEVICE-ACCESS-PASS value is configured to anything other than NONE, then the appropriate successful DEVICE access attempts will be audited.

If the AUDIT-DEVICE-ACCESS-FAIL value is configured to anything other than NONE, then the appropriate unsuccessful DEVICE access attempts will be audited.

This setting supplements the audit settings for individual devices or subdevices.

If an individual DEVICE or SUBDEVICE Protection Record is configured to audit only LOCAL access attempts, but the Global parameter is REMOTE, then both LOCAL and REMOTE access attempts will be audited.

However, if an individual DEVICE or SUBDEVICE Protection Record is configured to audit only NONE and the Global parameter is ALL, then Safeguard software will not audit either successful or unsuccessful DEVICE access attempts.

The default is NONE.

BP-DEVICE-POLICY-01 Whether or not DEVICE access attempts are audited depends on the Corporate Security Policy.

AUDIT-DEVICE-MANAGE { -PASS -FAIL }

The AUDIT-DEVICE-MANAGE-PASS/FAIL parameters determine whether or not attempts to CREATE, ALTER or DELETE a DEVICE or SUBDEVICE Protection Record will be audited. This setting supplements the audit settings for individual devices or subdevices. The value can be ALL, NONE, LOCAL, or REMOTE.

If an individual DEVICE or SUBDEVICE Protection Record is configured to audit only LOCAL manage attempts, but the Global parameter is REMOTE, then both LOCAL and REMOTE manage attempts will be audited.

However, if an individual DEVICE or SUBDEVICE Protection Record is configured to NONE and the Global parameter is ALL, then Safeguard software will not audit either successful or unsuccessful attempts to manage that record.

The default is NONE.

BP-DEVICE-AUDIT-01 AUDIT-DEVICE-MANAGE-PASS should be ALL.

BP-DEVICE-AUDIT-02 AUDIT-DEVICE-MANAGE-FAIL should be ALL.
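The two rules above for combining a record's own audit attributes with the Global AUDIT-DEVICE-ACCESS and AUDIT-DEVICE-MANAGE parameters apply in the same way to access and to manage auditing. The following Python function is an added example, not HP code: it implements both rules (the Global value supplements the record's value, but a record set to NONE is not overridden even by ALL). The attribute names follow this page; the sample record and Global settings are constructed.

```python
"""Does Safeguard audit a given DEVICE/SUBDEVICE attempt?

Combines the Global AUDIT-DEVICE-{ACCESS,MANAGE}-{PASS,FAIL} value with the
record's own AUDIT-{ACCESS,MANAGE}-{PASS,FAIL} attribute as this page describes.
Added illustration, not HP code; the sample settings below are constructed.
"""

# Which attempt origins each attribute value covers.
SCOPE = {
    "NONE": frozenset(),
    "LOCAL": frozenset({"LOCAL"}),
    "REMOTE": frozenset({"REMOTE"}),
    "ALL": frozenset({"LOCAL", "REMOTE"}),
}


def should_audit(kind, passed, locality, record, global_params):
    """kind: "ACCESS" (an OPEN) or "MANAGE" (CREATE/ALTER/DELETE of the record).
    passed: True for a successful attempt, False for a rejected one.
    locality: "LOCAL" or "REMOTE", the origin of the attempt.
    record / global_params: dicts of attribute name -> NONE|LOCAL|REMOTE|ALL.
    """
    suffix = f"{kind}-{'PASS' if passed else 'FAIL'}"
    record_value = record.get(f"AUDIT-{suffix}", "NONE")
    global_value = global_params.get(f"AUDIT-DEVICE-{suffix}", "NONE")
    # Rule 1 (page): a record set to NONE is not overridden, even by a Global ALL.
    if record_value == "NONE":
        return False
    # Rule 2 (page): otherwise the Global value supplements the record's value,
    # so record LOCAL + Global REMOTE audits both local and remote attempts.
    return locality in (SCOPE[record_value] | SCOPE[global_value])


# Constructed example: a record that audits only local successful opens but all
# failures, on a system whose Globals follow BP-DEVICE-AUDIT-01 and -02.
RECORD = {
    "AUDIT-ACCESS-PASS": "LOCAL",
    "AUDIT-ACCESS-FAIL": "ALL",
    "AUDIT-MANAGE-PASS": "NONE",
    "AUDIT-MANAGE-FAIL": "ALL",
}
GLOBALS = {
    "AUDIT-DEVICE-ACCESS-PASS": "REMOTE",
    "AUDIT-DEVICE-ACCESS-FAIL": "NONE",
    "AUDIT-DEVICE-MANAGE-PASS": "ALL",
    "AUDIT-DEVICE-MANAGE-FAIL": "ALL",
}

if __name__ == "__main__":
    for kind in ("ACCESS", "MANAGE"):
        for passed in (True, False):
            for loc in ("LOCAL", "REMOTE"):
                print(kind, "PASS" if passed else "FAIL", loc,
                      should_audit(kind, passed, loc, RECORD, GLOBALS))
```

With these settings a remote successful open is audited even though the record says LOCAL (the Global REMOTE supplements it), a failed remote open is audited on the strength of the record's ALL alone (the Global is NONE), and a successful ALTER of the record is not audited at all, because the record's AUDIT-MANAGE-PASS of NONE is not overridden by the Global ALL. That last case is the one to check when a record appears to produce no manage audit despite BP-DEVICE-AUDIT-01 being in place.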

Identifier         | Question | Look in
-------------------|----------|--------
DEVICE-OBJTYPE-01  | Does the DEVICE OBJECTTYPE exist? | Safecom
SUBDEV-OBJTYPE-01  | Does the SUBDEVICE OBJECTTYPE exist? | Safecom
DEVICE-OBJTYPE-02  | Is the DEVICE OBJECTTYPE owned by the SECURITY ADMINISTRATOR? | Safecom
SUBDEV-OBJTYPE-02  | Is the SUBDEVICE OBJECTTYPE owned by the SECURITY ADMINISTRATOR? | Safecom
DEVICE-OBJTYPE-03  | Is the DEVICE OBJECTTYPE set to audit accesses? | Safecom
SUBDEV-OBJTYPE-03  | Is the SUBDEVICE OBJECTTYPE set to audit accesses? | Safecom
DEVICE-OBJTYPE-04  | Is the DEVICE OBJECTTYPE set to audit manage attempts? | Safecom
SUBDEV-OBJTYPE-04  | Is the SUBDEVICE OBJECTTYPE set to audit manage attempts? | Safecom
SAFEGARD-GLOBAL-16 | Is the Safeguard Global parameter ACL-REQUIRED-DEVICE value OFF? | Safecom
SAFEGARD-GLOBAL-13 | Is the Safeguard Global parameter CHECK-DEVICE value ON? | Safecom
SAFEGARD-GLOBAL-15 | Is the Safeguard Global parameter CHECK-SUBDEVICE value ON? | Safecom
SAFEGARD-GLOBAL-14 | Is the Safeguard Global parameter COMBINATION-DEVICE value FIRST-ACL? | Safecom
SAFEGARD-GLOBAL-12 | Is the Safeguard Global parameter DIRECTION-DEVICE value SUBDEVICE-FIRST? | Safecom
DEVICE-POLICY-01   | Does the Corporate Security Policy mandate auditing of attempts to access DEVICES? | Policy
DEVICE-POLICY-01   | Are all attempts to access DEVICES audited? | Safecom
DEVICE-POLICY-02   | Does the Corporate Security Policy mandate auditing of attempts to manage DEVICES? | Policy
DEVICE-AUDIT-01, DEVICE-AUDIT-02 | Are all attempts to manage DEVICES Protection Records audited? | Safecom




HP NonStop Server Security 2004
ISBN: 159059035X
Year: 2004
Pages: 157