The ADDUSER program is used to create userids when Safeguard software is not in use. How this program is secured depends on the Corporate Security Policy and whether or not Safeguard is in use.
RISK Adding users to the system is a primary gateway through which unauthorized users could gain access.
AP-ADVICE-ADDUSER-01 Control who is allowed to add or delete users at the maximum level.
If Safeguard software is not in use on the system, then the ADDUSER program is used to create userids.
How the ADDUSER program is secured depends on who is allowed to perform this function as defined by the Corporate Security Policy and Standards.
If only SUPER.SUPER is allowed to ADD users, the ADDUSER program must be secured for SUPER.SUPER access only and the ADDUSER object file need not be LICENSED. This is the most secure methodology to control the function of adding and deleting users.
BP-FILE-ADDUSER-01 ADDUSER should be secured "- - - -".
BP-OPSYS-LICENSE-01 ADDUSER must NOT be LICENSED.
BP-OPSYS-OWNER-01 ADDUSER should be owned by SUPER.SUPER.
BP-OPSYS-FILELOC-01 ADDUSER must reside in $SYSTEM.SYSnn
If the policy authorizes Group Managers to ADD users to their own groups, then all local groups need to be granted EXECUTE access. The Guardian environment will prevent users other than the 255 member of any group from adding users to existing groups. Only SUPER.SUPER will be able to add to a new group or add users to groups other than their own. To grant Group Managers the right to add userids, the ADDUSER object file must be LICENSED.
BP-FILE-ADDUSER-01 ADDUSER should be secured "- - A -".
BP-OPSYS-LICENSE-01 ADDUSER must be LICENSED.
BP-OPSYS-OWNER-01 ADDUSER should be owned by SUPER.SUPER.
BP-OPSYS-FILELOC-01 ADDUSER must reside in $SYSTEM.SYSnn
RISK Because of ADDUSER's unique function, any old SYSnn locations must be secured so that users cannot use the old program.
BP-FILE-ADDUSER-02 ADDUSER in old $SYSTEM.SYSnn locations must be secured "- - - -"
ID | Discovery Questions | Look here: |
---|---|---|
FILE-POLICY | Are Group Managers allowed to add users? | Policy |
OPSYS-OWNER-01 | Is ADDUSER owned by SUPER.SUPER? | Fileinfo |
OPSYS-LICENSE-01 | Is the ADDUSER object file licensed? | Fileinfo |
FILE-POLICY | Does the security of the ADDUSER object file conform to the Security Policy? | Policy |
FILE-ADDUSER-01 | Is the ADDUSER object file secured correctly? | Fileinfo |
FILE-ADDUSER-02 | Are old SYSnn copies of ADDUSER secured? | Fileinfo |
If Safeguard software is in use on the system, then ADDUSER will not run. Instead it will display a warning that Safeguard software should be used to add users.
44> ADDUSER oper.bryan
SAFEGUARD IS RUNNING; USE SAFECOM TO ADD NEW USERS
Groups and Users will be added through the Safeguard interface. Reference the Gazette section on the Safeguard Subsystem for more information.
AP-ADVICE-ADDUSER-02 If Safeguard software is not running, the ADDUSER object file's Guardian security string should allow only SUPER.SUPER to execute it.
BP-FILE-ADDUSER-01 ADDUSER should be secured "- - - -".
BP-OPSYS-LICENSE-01 ADDUSER must NOT be LICENSED.
BP-OPSYS-OWNER-01 ADDUSER should be owned by SUPER.SUPER.
BP-OPSYS-FILELOC-01 ADDUSER must reside in $SYSTEM.SYSnn
BP-SAFE-ADDUSER-01 If Safeguard software is installed, add a Safeguard Protection Record to prevent execution of the ADDUSER program.
ID | Discovery Questions | Look here: |
---|---|---|
OPSYS-OWNER-01 | Is ADDUSER owned by SUPER.SUPER? | Fileinfo |
OPSYS-LICENSE-01 | Is the ADDUSER object file licensed? | Fileinfo |
FILE-POLICY | Does the security of the ADDUSER object file conform to the Security Policy? | Policy |
FILE-ADDUSER-01 SAFE-ADDUSER-01 | Is the ADDUSER object file correctly secured with the Guardian or Safeguard system? | Fileinfo Safecom |
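
The Best Practice items and Discovery Questions above, for both the Guardian-only and the Safeguard cases, can be expressed as one audit routine. This is an added example, not code from the original text or from any NonStop tool. The `AddUserCopy` record, the `audit` function and its parameters are hypothetical names, and the records are filled in by hand from Fileinfo and Safecom rather than parsed from their output.

```python
import re
from dataclasses import dataclass

SUPER_SUPER = (255, 255)
SYSNN = re.compile(r"^\$SYSTEM\.SYS\d\d$")

@dataclass
class AddUserCopy:
    """One ADDUSER object file. Hypothetical record an auditor fills in by
    hand from Fileinfo and Safecom; this is not a parser for their output."""
    subvol: str                      # e.g. "$SYSTEM.SYS01"
    owner: tuple                     # (group, member)
    rwep: str                        # Guardian security string
    licensed: bool
    safeguard_record: bool = False   # Protection Record blocks execution

def audit(copy, current_sysnn, group_managers_may_add=False, safeguard=False):
    """Return the page's BP ids that this copy fails, in page order."""
    subvol = copy.subvol.upper()
    rwep = copy.rwep.replace(" ", "").upper()
    if not SYSNN.match(subvol):
        return ["BP-OPSYS-FILELOC-01"]
    if subvol != current_sysnn.upper():
        # Old SYSnn copy: must be "- - - -" regardless of the add-user policy.
        return [] if rwep == "----" else ["BP-FILE-ADDUSER-02"]
    # Delegation applies only when policy allows it and Safeguard is absent.
    delegated = group_managers_may_add and not safeguard
    failed = []
    if rwep != ("--A-" if delegated else "----"):
        failed.append("BP-FILE-ADDUSER-01")
    if copy.licensed != delegated:
        failed.append("BP-OPSYS-LICENSE-01")
    if copy.owner != SUPER_SUPER:
        failed.append("BP-OPSYS-OWNER-01")
    if safeguard and not copy.safeguard_record:
        failed.append("BP-SAFE-ADDUSER-01")
    return failed

# Constructed sample inventory (not real system data).
SAMPLE = [
    AddUserCopy("$SYSTEM.SYS01", (255, 255), "- - A -", True),
    AddUserCopy("$SYSTEM.SYS00", (255, 255), "- - A -", True),
]

if __name__ == "__main__":
    for c in SAMPLE:
        print(c.subvol, audit(c, "$SYSTEM.SYS01", group_managers_may_add=True))
```

The second sample record shows the case the RISK note on old SYSnn locations describes: a licensed, executable copy left behind after a system upgrade.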
Related Topics
User Administration
Safeguard subsystem