DEFAULT User Program
DEFAULT User Program
The DEFAULT program allows users to set their own default volume/subvolume and default Guardian file security vector.
If users are allowed to run the DEFAULT program, they will be able to set the following parameters:
DEFAULT VOLUME/SUBVOLUME
DEFAULT SECURITY
The Corporate Security Standards should dictate whether or not users are allowed to run the DEFAULT program and the security of the DEFAULT object file required to enforce the standard.
Setting Default Volume
The DEFAULT VOLUME actually determines the subvolume where the user's TACL session will begin. The user's TACLCSTM and FUPCSTM files will be created here.
Notice that the current userid is assumed. The next time the user who invoked DEFAULT enters a VOLUME command with no command options, or logs off and back on, their current volume will be the new volume.
RISK Generally users are allowed to change their default volume. However, their TACLCSTM and other *CSTM, if used to setup default session controls, do not get moved to the new location. Therefore, changing the default logon subvolume could circumvent these *CSTM files.
AP-ADVICE-DEFAULT-01 Users should be prevented from setting their default subvolume on $SYSTEM, thus requiring access to $SYSTEM to logon. The only exception to this may be SUPER Group members .
Setting Default File Security
The security vector will automatically be assigned to every file that the user creates.
Notice that the current userid is assumed. Changing the default security does not alter the security assigned to previously created files. Users can use the FUP SECURE command to change the security vector of existing files.
RISK Each time a user creates a new file, it is assigned its default security 'RWEP,' unless otherwise specified. If users set their default security to something less restrictive like 'AAAA,' then their files may not be adequately secured. If a user sets the default security to something more restrictive like 'OOOO', it is possible that other users will not be able to access files that they need. The default security should be set to a level that ensures newly created files meet minimum standard security.
Securing DEFAULT
BP-FILE-DEFAULT-01 DEFAULT should be secured "UUNU".
BP-OPSYS-LICENSE-01 DEFAULT must be LICENSED.
BP-OPSYS-OWNER-01 DEFAULT should be owned by SUPER.SUPER.
BP-OPSYS-FILELOC-01 DEFAULT must reside in $SYSTEM.SYSnn.
BP-USERS-DEFAULT-01 Users should not be allowed to set their default subvolume to the $SYSTEM disk.
BP-USERS-DEFAULT-02 Users must have a default subvolume set.
| Discovery Questions | Look here: | |
|---|---|---|
| FILE-POLICY | Are users in general allowed to change their default volume and default security? | Policy |
| OPSYS-OWNER-01 | Who owns the DEFAULT object file? | Fileinfo |
| OPSYS-LICENSE-01 | Is the DEFAULT object file licensed? | Fileinfo |
| FILE-DEFAULT-01 | Is the DEFAULT object file secured correctly? | Fileinfo |
| USER-DEFAULT-01 | Do users have defaults set to $SYSTEM? | Userinfo Safecom |
| USER-DEFAULT-02 | Do all users have a default set? | Userinfo Safecom |
Related Topics
Users
Safeguard subsytem
