CSTM Customization Files
*CSTM Customization Files
Many HP NonStop server utilities create a user -specific custom (CSTM) file. Users can include any of the commands available within the utility in this file. When the user invokes one of these utilities, the utility reads this file before presenting the user with the first prompt.
Some of these utilities also have LOCL files, which reside in the object file's sub- volume or in $SYSTEM.SYSTEM. The *LOCL file is read before the CSTM file. The *LOCL file for each utility is addressed in the Gazette section on the specific utility.
The utilities with custom files are: DSAP
EMSA
FTP **
FUP **
INSPECT
SEEVIEW
SCF **
TACL ** VHS
RISK The utilities marked by a '**' in the list above pose a higher security risk for their associated *CSTM files, especially if the users are in the SUPER Group and can execute any of the utility's destructive commands within the *CSTM file.
Depending on the utility, the *CSTM files may or not be created automatically:
| Automatic | Manual |
|---|---|
| DSAP | EMSA |
| FUP | FTP |
| SCF | INSPECT |
| TACL | SEEVIEW |
Depending on the utility, the commands in the files may or not be displayed to the user as they are executing.
RISK *CSTM files do not automatically move or get removed when a userid is deleted or a user's default subvolume is changed; the old files will remain on the system.
RISK One command that is allowed within a *CSTM is an assign statement. The assign statement can point to another *CSTM file.
If *CSTM files are shared, then the target *CSTM file must be READ accessible to the referring user.
 |
ASSIGN SCFCSTM, [[[\ system.]$ volume.] subvolume.]SCFCSTM
| |
DSAPCSTM Configuration File
DSAP provides the ability to automatically access a command file containing a set of personalized DSAP commands before the start of a DSAP session. DSAP does not use a DSAPLOCL file.
The user can specify any DSAP option(s) in the DSAPCSTM file. Any DSAP options specified in the DSAPCSTM file will be appended to the DSAP command typed at the TACL prompt.
| Caution | This file is created automatically the first time the user runs the DSAP program. |
RISK DSAP is a reporting program only and has no commands that modify files. There are no inherent risks in having DSAPCSTM files. If the files are not secured to the owner, however, another user could alter the file, changing the default information and format of the owner's DSAP reports .
If users are allowed to manage their own DSAPCSTM files, these controls are suggested:
BP-FILE-DSAPCSTM-01 DSAPCSTMs should be owned by the user.
BP-FILE-DSAPCSTM-02 DSAPCSTMs should be secured "UUUU".
If available, use Safeguard software or a third party object security product to grant access to DSAPCSTM only to users who require access in order to perform their jobs.
BP-SAFE-DSAPCSTM-01 If required by policy, add a Safeguard Protection Record to grant appropriate access to the DSAPCSTM disk files.
| Discovery Questions | Look here: | |
|---|---|---|
| FILE-POLICY | Does the Security Policy require limiting access to the DSAPCSTM files? | Policy |
| FILE-DSAPCSTM-01 | Are all DSAPCSTM files owned by the appropriate user in their default subvolume? | Fileinfo |
| FILE-DSAPCSTM-02 FILE-DSAPCSTM-01 | Are the DSAPCSTM file correctly secured with the Guardian or Safeguard system? | Fileinfo Safecom |
EMSACSTM Configuration File
EMSA provides the ability to automatically access a command file containing a set of personalized EMSA commands before the start of an EMSA session. EMSA does not use an EMSALOCL file.
The user can specify any EMSA option(s) in the EMSACSTM file. Any EMSA options specified in the EMSACSTM file will be appended to the EMSA command typed at the TACL prompt.
| Caution | This file is not automatically created. It must be manually created. |
RISK EMSA is a reporting program only and has no commands that modify files.
There are no inherent risks in having EMSACSTM files.
RISK If the files are not secured against unwanted alterations, another user could add a RUN command to the EMSACSTM. The program started would run as the owner of the altered EMSACSTM file.
If users are allowed to manage their own EMSACSTM files, these controls are suggested:
BP-FILE-EMSACSTM-01 EMSACSTMs should be owned by the user.
BP-FILE-EMSACSTM-02 EMSACSTMs should be secured "UUUU".
If available, use Safeguard or a third party object security product to grant access to EMSACSTM only to users who require access in order to perform their jobs.
BP-SAFE-EMSACSTM-01 If required by policy, add a Safeguard Protection Record to grant appropriate access to the EMSACSTM disk files.
| Discovery Questions | Look here: | |
|---|---|---|
| FILE-POLICY | Does the Security Policy require limiting access to the EMSACSTM files? | Policy |
| FILE-EMSACSTM-01 | Are all EMSACSTM files owned by the appropriate user in their default subvolume? | Fileinfo |
| FILE-EMSACSTM-02 | Are the EMSACSTM file correctly secured with the Guardian or Safeguard system? | Fileinfo Safecom |
FTPCSTM Configuration File
FTP provides the ability to automatically access a command file containing a set of personalized FTP commands before the start of an FTP session. FTP does not use an FTPLOCL file.
The user can specify any FTP option(s) in the FTPCSTM file. Any FTP options specified in the FTPCSTM file will be appended to the FTP command typed at the TACL prompt.
| Caution | This file is not automatically created. It must be manually created. |
RISK If the security of the FTPCSTM file permits a user WRITE or PURGE access, other than the owner, they could modify the file or PURGE it and replace it with a new one.
RISK Users often set account passwords to be used to log on to various hosts in the FTPCSTM as a convenience. Passwords appear in the clear in the FTPCSTM files. Anyone with READ access to the files can read the passwords.
BP-FILE-FTPCSTM-03 Passwords should not be included in the FTPCSTM files.
If users are allowed to manage their own FTPCSTM files, these controls are suggested:
BP-FILE-FTPCSTM-01 FTPCSTMs should be owned by the user.
BP-FILE-FTPCSTM-02 FTPCSTMs should be secured "UUUU".
If FTPCSTM files are used to manage the environment, a more stringent control over these files is suggested to mitigate the risks:
FTPCSTMs should be owned by the FTP administrator ID.
Secure the FTPCSTMs files "NUUU"
If available, use Safeguard software or a third party object security product to grant access to FTPCSTM only to users who require access in order to perform their jobs
BP-SAFE-FTPCSTM-01 If required by policy, add a Safeguard Protection Record to grant appropriate access to the FTPCSTM disk files.
| Discovery Questions | Look here: | |
|---|---|---|
| FILE-POLICY | Does the Security Policy require limiting access to the FTPCSTM files? | Policy |
| FILE-POLICY | Does the Security Policy restrict users from embedding passwords in the FTPCSTM files? | Policy |
| FILE-FTPCSTM-01 | Are all FTPCSTM files owned by the appropriate user in their default subvolume? | Fileinfo |
| FILE-FTPCSTM-02 | Are the FTPCSTM files correctly secured with the Guardian or Safeguard system? | Fileinfo Safecom |
| FILE-FTPCSTM-03 | Are embedded passwords accessible in FTPCSTM files? | Review text |
FUPCSTM Configuration File
FUP provides the ability to automatically access a command file containing a set of personalized FUP commands before the start of a FUP session. FUP reads two files, if available, FUPLOCL and FUPCSTM before issuing its first prompt. Both files can contain valid FUP commands
The FUPLOCL file resides in the FUP object file's subvolume. This file enables the system manager to customize the system-wide FUP environment. FUPCSTM is located on the user's default volume and subvolume. This file enables the user to customize personal preferences and environments.
| Caution | These files are created automatically the first time the user runs the FUP program. |
When FUP is run on a remote node, the FUPCSTM in the appropriate sub- volume on the remote node is used.
RISK If the security of the FUPCSTM file permits a user other than the owner WRITE or PURGE access, they could modify the file or PURGE it and replace it with a new one.
RISK The FUPCSTM commands will override the similar commands in the global FUPLOCL commands.
RISK The FUPCSTM file is created using the user's default security. The default security may not adequately secure these files.
RISK SUPER Group members should not be able to alter their FUPCSTM files. They could put destructive commands, such as SECURE, PROGID, in the file that will execute prior to FUP's first prompt.
If users are allowed to manage their own FUPCSTM files, these controls are suggested:
BP-FILE-FUPCSTM-01 FUPCSTMs should be owned by the user.
BP-FILE-FUPCSTM-02 FUPCSTMs should be secured "UUUU".
If FUPCSTM files are used to manage the environment, a more stringent control over these files is suggested to mitigate the risks:
FUPCSTMs should be owned by the FUP administrator ID.
Secure the FTPCSTMs files "NUUU"
If available, use Safeguard software or a third party object security product to grant access to FUPCSTM only to users who require access in order to perform their jobs.
BP-SAFE-FUPCSTM-01 If required by policy, add a Safeguard Protection Record to grant appropriate access to the FUPCSTM disk files.
| Discovery Questions | Look here: | |
|---|---|---|
| FILE-POLICY | Does the Security Policy require limiting access to the FUPCSTM files? | Policy |
| FILE-FUPCSTM-01 | Are all FUPCSTM files owned by the appropriate user in their default subvolume? | Fileinfo |
| FILE-FUPCSTM-02 | Are the FUPCSTM files correctly secured with the Guardian or Safeguard system? | Fileinfo Safecom |
INSPCSTM Configuration File
INSPECT provides the ability to automatically access a command file containing a set of personalized INSPECT commands before the start of an INSPECT session. INSPECT reads two files, if available, INSPLOCL and INSPCSTM before issuing its first prompt. Both files can contain valid INSPECT commands
The INSPLOCL file resides in the INSPECT object file's subvolume. This file enables the system manager to customize the system-wide INSPECT environment. INSPCSTM is located on the user's default volume and subvolume. This file enables the user to customize personal preferences and environments.
| Caution | This file is not automatically created. It must be manually created. |
The user can specify any INSPECT option(s) in the INSPCSTM file. Any INSPECT options specified in the INSPCSTM file will be executed before INSPECT prompts for input.
RISK INSPECT can be used to change data in memory before that data is written to a file. With INSPECT, users can view sensitive data.
There are no inherent risks in having INSPCSTM files. If the files are not secured to the owner, however, another user could alter the file, changing the default information and format of the owner's INSPECT reports.
RISK The INSPCSTM commands will override the similar commands in the global INSPLOCL commands.
If users are allowed to manage their own INSPCSTM files, these controls are suggested:
BP-FILE-INSPCSTM-01 INSPCSTMs should be owned by the user.
BP-FILE-INSPCSTM-02 INSPCSTMs should be secured "UUUU".
If available, use Safeguard software or a third party object security product to grant access to INSPCSTM only to users who require access in order to perform their jobs.
BP-SAFE-INSPCSTM-01 If required by policy, add a Safeguard Protection Record to grant appropriate access to the INSPCSTM disk files.
| Discovery Questions | Look here: | |
|---|---|---|
| FILE-POLICY | Does the Security Policy require limiting access to the INSPCSTM files? | Policy |
| FILE-INSPCSTM-01 | Are all INSPCSTM files owned by the appropriate user in their default subvolume? | Fileinfo |
| FILE-INSPCSTM-02 | Are the INSPCSTM file correctly secured with the Guardian or Safeguard system? | Fileinfo Safecom |
SCFCSTM Configuration File
SCFCSTM resides in each user's default subvolume. The file is created automatically in the user's default subvolume the first time the user invokes SCF. The user can then place any SCF commands in the SCFCSTM file.
| Caution | The file is created automatically in the user's default subvolume the first time the user invokes SCF. |
When SCF is run on a remote node, the SCFCSTM in the appropriate subvolume on the remote node is used.
RISK If the security of the SCFCSTM file permits a user other than the owner WRITE or PURGE access, they could modify the file or PURGE it and replace it with a new one.
RISK The SCFCSTM commands will override the similar commands in the global SCFLOCL commands.
RISK The SCFCSTM file is created using the user's default security. The default security may not adequately secure these files.
RISK SUPER Group members should not be able to alter their SCFCSTM files. They could put destructive commands in the file that will execute prior to SCF's first prompt.
If users are allowed to manage their own SCFCSTM files, these controls are suggested:
BP-FILE-SCFCSTM-01 SCFCSTMs should be owned by the user.
BP-FILE-SCFCSTM-02 SCFCSTMs should be secured "UUUU".
If SCFCSTM files are used to manage the environment, a more stringent control over these files is suggested to mitigate the risks:
SCFCSTMs should be owned by the SCF administrator ID.
Secure the SCFCSTMs files "NUUU"
If available, use Safeguard software or a third party object security product to grant access to SCFCSTM only to users who require access in order to perform their jobs.
BP-SAFE-SCFCSTM-01 Add a Safeguard Protection Record to grant appropriate access to the SCFCSTM disk files.
| Discovery Questions | Look here: | |
|---|---|---|
| FILE-POLICY | Does the Security Policy require limiting access to the SCFCSTM files? | Policy |
| FILE-SCFCSTM-01 | Are all SCFCSTM files owned by the appropriate user in their default subvolume? | Fileinfo |
| FILE-SCFCSTM-02 | Are the SCFCSTM files correctly secured with the Guardian or Safeguard system? | Fileinfo Safecom |
SEECSTM Configuration File
SEEVIEW provides the ability to automatically access a command file containing a set of personalized SEEVIEW commands before the start of an SEEVIEW session.
The user can specify any SEEVIEW commands in the SEECSTM file to customize their environment.
| Caution | This file is not automatically created. It must be manually created. |
RISK There are no inherent risks in having SEECSTM files. If the files are not secured to the owner, however, another user could alter the file, changing the programs or macros that are run from the user's menus .
If users are allowed to manage their own SEECSTM files, these controls are suggested:
BP-FILE-SEECSTM-01 SEECSTMs should be owned by the user.
BP-FILE-SEECSTM-02 SEECSTMs should be secured "UUUU".
If available, use Safeguard software or a third party object security product to grant access to SEECSTM only to users who require access in order to perform their jobs.
BP-SAFE-SEECSTM-01 If required by policy, add a Safeguard Protection Record to grant appropriate access to the SEECSTM disk files.
| Discovery Questions | Look here: | |
|---|---|---|
| FILE-POLICY | Does the Security Policy require limiting access to the SEECSTM files? | Policy |
| FILE-SEECSTM-01 | Are all SEECSTM files owned by the appropriate user in their default subvolume? | Fileinfo |
| FILE-SEECSTM- | Are the SEECSTM file correctly secured with the Guardian or Safeguard system? | Fileinfo Safecom |
TACLCSTM Configuration File
TACLCSTM resides in each user's default subvolume.
RISK If no Guardian DEFAULT VOLUME is entered when a user record is added, Safeguard software assigns the default value of $SYSTEM.NOSUBVOL.
AP-ADVICE-TACLCSTM-01 Each user should have a unique Guardian DEFAULT VOLUME to prevent the sharing of TACLCSTM and other *CSTM files.
| Caution | The file is created automatically in the user's default subvolume when the user first logs onto the system. |
RISK If the security of the TACLCSTM file permits a user other than the owner WRITE or PURGE access, they could modify the file or PURGE it and replace it with a new one.
RISK The TACLCSTM commands will override the similar commands in the global TACLLOCL commands.
RISK The TACLCSTM file is created using the user's default security. The default security may not adequately secure these files.
RISK The TACLCSTM file can contain PMSEARCHLIST commands to alter the location that the TACL software uses to find a program file when a
RUN command is issued in which the file name is not fully qualified, which is the common practice.
RISK SUPER Group members should not be able to alter their TACLCSTM files. They could put destructive commands in the file that will execute prior to TACL's first prompt.
| Note | If a macro is executed within a TACLCSTM, the macro file must also be secured so that only authorized users can WRITE or PURGE it. Otherwise, someone could rename it and then install another file with the same name or simply insert commands that execute a Trojan horse program by invoking the macro via the TACLCSTM file. |
Sharing TACLCSTM Files
It is sometimes desirable to share macros and functions defined in a particular TACLCSTM. To do so and still meet the requirement that all users have their own TACLCSTM, simply insert the line "RUN $vol.subvol.TACLCSTM" in an individual user's TACLCSTM file, making sure the "secondary" TACLCSTM is secured against WRITE access. READ access is required on the referenced TACLCSTM file.
The Corporate Security Policy should include a written explanation, approved and signed by the appropriate authority, for this type of TACLCSTM sharing.
Some reasons this method might be used are:
The technique of running a "secondary" TACLCSTM can be used to allow different default macros and references to be set by a user for his/her different roles or projects. In this case the "secondary" TACLCSTM should contain a volume command to change the current volume default to the correct volume and sub- volume location for the work being done.
If all users in a particular Guardian User Group never have personal files and must share a particular environment, it may be more practical to maintain a single TACLCSTM file rather than propagating required changes to numerous TACLCSTM files in numerous user subvolumes .
Securing TACLCSTM Files
If users are allowed to manage their own TACLCSTM files, these controls are suggested:
BP-FILE-TACLCSTM-01 TACLCSTMs should be owned by the user.
BP-FILE-TACLCSTM-02 TACLCSTMs should be secured "UUUU".
If TACLCSTM files are used to manage the environment, a more stringent control over these files is suggested to mitigate the risks:
TACLCSTMs should be owned by the System Administrator
Secure the TACLCSTMs files "NUUU"
If available, use Safeguard software or a third party object security product to grant access to TACLCSTM only to users who require access in order to perform their jobs.
BP-SAFE-TACLCSTM-01 If required by policy, add a Safeguard Protection Record to grant appropriate access to the TACLCSTM disk files.
| Discovery Questions | Look here: | |
|---|---|---|
| FILE-POLICY | Does the Security Policy require limiting access to the TACLCSTM files? | Policy |
| FILE-POLICY | Does the Security Policy allow TACLCSTM file sharing? | Policy |
| FILE-TACLCSTM-01 | Are all TACLCSTM files owned by the appropriate user in their default subvolume? | Fileinfo |
| FILE-TACLCSTM-02 | Are the TACLCSTM file correctly secured with the Guardian or Safeguard system? | Fileinfo Safecom |
VHSCSTM Configuration File
VHS provides the ability to automatically access a command file containing a set of personalized VHS commands before the start of a VHSCI session.
The VHSCSTM file is used to customize each user's VHSCI session.
| Caution | This file is not automatically created. It must be manually created. |
RISK VHS is a reporting program only and has no commands that modify files. There are no inherent risks in having VHS files. If the files are not secured to the owner, however, another user could alter the file, changing the default information and format of the owner's VHS reports.
If users are allowed to manage their own VHS files, these controls are suggested:
BP-FILE-VHSCSTM-01 VHSCSTMs should be owned by the user.
BP-FILE-VHSCSTM-02 VHSCSTMs should be secured "UUUU".
If available, use Safeguard software or a third party object security product to grant access to VHSCSTM only to users who require access in order to perform their jobs.
BP-SAFE-VHSCSTM-01 If required by policy, add a Safeguard Protection Record to grant appropriate access to the VHSCSTM disk files.
| Discovery Questions | Look here: | |
|---|---|---|
| FILE-POLICY | Does the Security Policy require limiting access to the VHSCSTM files? | Policy |
| FILE-VHSCSTM-01 | Are all VHSCSTM files owned by the appropriate user in their default subvolume? | Fileinfo |
| FILE-VHSCSTM-02 | Are the VHSCSTM file correctly secured with the Guardian or Safeguard system? | Fileinfo Safecom |
Related Topics
Related System Utility
