Operations reserved for Guardian are called privileged operations. They control access to hardware and software resources. The operating system needs some privileged programs.
Guardian prevents application programs and users from directly performing privileged operations. Applications must 'ask' the operating system to perform privileged operations rather than performing them themselves; this is done with Guardian procedure calls.
Programs running in the privileged mode have complete access to operating system tables and can execute privileged instructions and procedures. Only SUPER.SUPER can execute these programs if they are unlicensed. However, programs containing privileged code can be licensed to enable someone other than SUPER.SUPER to execute them.
Generally, only HP system code should be licensed, but licensing also allows applications to run privileged programs, while preventing users from running unauthorized privileged programs.
Certain third party products may need to license certain of their programs or library files. The necessary documentation should be provided by the vendor.
RISK Licensing a program has the effect of giving it the privileges of the SUPER.SUPER user. Privileged operations in the program can bypass any ordinary security interface (such as authentication of userids and memory-management protection).
RISK Licensing can allow a program to execute ordinary instructions but using privileged addressing modes that allow references to system global (SG) data space.
RISK Licensing a program that uses privileged operations can seriously compromise both system integrity and security, by granting the program access into system spaces that provide the opportunity to alter system tables and data.
RISK Data and information can be gathered and/or modified anywhere in the system. Execution of privileged instructions can directly access the interprocessor bus and I/O devices. A licensed program has the potential to change its PAID in the process control block in order to gain the privileges of other users (including SUPER.SUPER) and then browse and change files or directly manipulate physical hardware resources.
RISK A licensed program has the potential to bypass any ordinary security interface (such as authentication of userids and memory-management protection).
RISK If an intruder's program is licensed, the intruder can execute procedures that have either the PRIV or CALLABLE attribute, making the program capable of modifying protected memory areas, including its own or other programs' instructions and data, without leaving evidence of the change.
Monitoring the licensed programs on the system is fundamental to the Corporate Security Policy. There are four phases necessary to ensure that the system is not vulnerable to unauthorized licensed programs or unauthorized use of approved licensed programs.
Documentation and authorizing of all licensed programs
Securing licensed files
Controlling the license command
Scheduled review for unauthorized licensed programs
AP-ADVICE-LICENSED-01 Creating in-house licensed programs is not recommended. Licensed programs require review with each new HP operating system release. If in-house licensed programs are used, stringent auditing controls should be performed as described below.
Creating and adhering to procedures to review and document all requests to LICENSE programs is basic to sound security.
The company's HP NonStop server security procedures should include the following instructions for managing license requests for in-house user-written programs.
The request for license should include a full explanation of the program's purpose and a justification of the use of privileged procedures.
The system manager or a trusted programmer must review the source code. The reviewer should look for possible security violations wherever the program:
Changes operating system control blocks
Changes the PAID (especially to 255,255) or effective userid
Management must approve the licensing in writing with approved signature(s).
To assure that the source code matches the actual object program, the system manager, not the developer, should compile and bind the final program.
The program must be tested to ensure that it does not perform or allow any actions that would be considered security violations. This test is usually performed by the Security staff.
The above documentation should be maintained in a file for future reference by auditors.
Requests for licensing user programs may be allowed if the following conditions are met:
The function is legitimate and necessary.
The function cannot be achieved using non-privileged programming techniques.
Secure LICENSED programs so that only authorized users can execute them.
LICENSED object files should be tightly secured to prevent security breaches. The following tables list the allowable licensed files that may be present on the HP operating system. Each system will have a subset of these files depending upon the products that are sysgened in the operating system. Review the CUSTFILE to view HP's recommendation for the Operating System files on the nodes.
The following tables list the Operating System files that should be licensed on a Release Version Update G06.18.
Best Practice | Program Name | Description
---|---|---
BP-OPSYS-LICENSE-01 | ADDUSER | Permits the addition of user records outside of Safeguard controls. Should never be executable if Safeguard software is installed
 | BACKCOPY | Copies BACKUP tapes
 | BACKUP | Reads every file on the system for backup purposes
 | BUSCMD | Queries operating system bus status
 | COPYDUMP | Compresses tape dumps; should be restricted to system operations
 | DCOM | Compresses disk; severely affects performance. Should be restricted to system manager
 | DEFAULT | Sets user's default subvolume outside of Safeguard software. No execution restriction necessary, but PURGE should be restricted to SUPER.SUPER
 | DELUSER | Deletes user outside of Safeguard software. Should never be executable if Safeguard software is installed
 | DISKGEN | Part of the sysgen process; should only be used by SUPER.SUPER
 | DIVER | Crashes CPU for NonStop system testing. Should never be executable
 | DSAP | Reports on disk resources. No execution restriction necessary, but PURGE should be restricted to SUPER.SUPER
 | DUSL | Dynamic Update of System Library. Should only be used by SUPER.SUPER
 | FCHECK | DP2 File Check Program. Should only be used by SUPER.SUPER
 | FILCHECK | Reports on system internal physical data structure of files
 | FILEMGR | Used for SYSGEN operation. Should be restricted to SUPER.SUPER
 | FTAMIOBJ | Part of FTAM (File Transfer) subsystem
 | FTAMROBJ | Part of FTAM (File Transfer) subsystem
 | FUP | File utility program
 | LOGIN | Logon program used by Telnet
 | LTILT | Used for SYSGEN operation
 | MEASCTL | Part of MEASURE subsystem
 | MEASMON | MEASURE subsystem monitor
 | MEDIADBM | Used by DSM/TC subsystem
 | MEDIASRV | Used by DSM/TC subsystem
 | MLSRV | G-series component for NETBIOS communications
 | NSKCOM | Manages system swap files
 | OMP | Part of SMS subsystem
 | OPP | Part of SMS subsystem
 | ORSERV | Used for Online File Reloads
 | OSMP | The Safeguard Manager Process
 | OZEXP | The Expand Line Handler
 | OZKRN | Operating System process
 | PASSWORD | User password change program
 | PEEK | CPU Statistics
 | PING | Performs the TCP/IP PING operation
 | RELOAD | Reloads a CPU
 | RESTORE | Restores files from BACKUP tape
 | RPASSWRD | Permits the addition of remote password to users' records outside of Safeguard controls
 | SCP | Part of SCF subsystem
 | SCPTC | Part of SCF subsystem
 | SCPTCOL | Part of SCF subsystem
 | SNOOP | Tool to read NonStop TMF audit trails
 | SNOOPDR | Part of SNOOP
 | SORTPROG | Sort program
 | TAPERDR | Component of DSM/TC subsystem
 | TCP/IP | Main interface process for TCP/IP
 | TFDS | Tandem Fault Diagnostic System
 | TFDSCOM | Tandem Fault Diagnostic System
 | TIFSERVE | Part of the GUI NonStop TMF Manager
 | TMFBOUT | TMF Backout Process
 | TMFCTLG | TMF Catalog Process
 | TMFDR | TMF Dump Restore Manager
 | TMFFRCV | TMF File Recovery
 | TMFFRLS | TMF File Recovery List
 | TMFMON2 | TMF Monitor Process
 | TMFSERVE | TMF Server for programmatic communication with the TMF subsystem
 | TMFTMP | TMF Server Master Program
 | TMFVRCV | TMF Volume Recovery
 | TRACER | Operating system program
 | TSC | SYSGENR system program
 | TSL | SYSGENR system program
 | USERS | Reads user files
 | ZATMSRL | Operating system program
 | ZFB0005H | Operating system program
 | ZLANCSRL | Operating system program
 | ZLANDSRL | Operating system program
 | ZLANMSRL | Operating system program
 | ZSERVER | NonStop Kernel's labeled tape server process
Best Practice | Program Name | Description
---|---|---
BP-OPSYS-LICENSE-02 | AUDSERV | System program for SQL reloads
 | GOAWAY | Used to remove SQL catalogs that have been corrupted
 | IXF | Communication protocol program
 | NBT | G-series component for NetBIOS communications
 | NBX | G-series component for NetBIOS communications
 | NETBATCH | Batch monitor process
 | NSSMON | Network Statistics monitor
 | RELOCSRV | Operating system program
 | SCFLIBOR | Part of SCF subsystem
 | SCFLIBXR | Part of SCF subsystem
 | SMCONVRT | Part of SMS subsystem
 | SMFIXUP | Part of SMS subsystem
 | SMREPAIR | Part of SMS subsystem
 | SMREVERT | Part of SMS subsystem
 | SQLCAT | SQL catalog manager
 | SQLCOMP | SQL compiler
 | SQLUTIL | Part of SQLCI utilities
 | STATSRV | Operating system program
 | SWARCLIB | Operating system program
 | XLLINK | SYSGENR system program
Best Practice | File Name | Description
---|---|---
BP-OPSYS-LICENSE-03 ($SYSTEM DISK) | ZNBPLUS.PB0010O | Operating system file
 | ZNBPLUS.PB9000O | Operating system file
 | ZNBPLUS.PS0000O | Operating system file
 | ZNBPLUS.PS0130O | Operating system file
 | ZTCPIP.FTPSERV | Operating system file
 | ZUTIL.LKINFO | Operating system file
BP-OPSYS-LICENSE-04 (other DISK locations) | GENPROG.GBDASQL | Part of NonStop DBA/M
 | ZDSMSCM.CBEXE | DSMSCM object file
 | ZDSMSCM.TAEXE | DSMSCM object file
When installing third party products, the vendor may require that some of their programs or library files be LICENSED. The necessary documentation should be provided by the vendor.
The vendor of any third party product should provide guidelines for securing the licensed programs included in their software packages as well as the necessary documentation of the program's usage.
RISK Safeguard software does not generate DISKFILE audits based on the LICENSE OPERATION, even when the files are licensed using the Safeguard command. This OPERATION parameter in the Safeguard's Audit Layout is 'reserved for future use'.
In order to audit the LICENSING of a file, all of the following must be true:
The Safeguard ALTER DISKFILE <filename>, LICENSE ON command must be used.
The target file must have a Safeguard DISKFILE ACL.
The DISKFILE ACL must have the AUDIT-MANAGE-PASS value set to ALL.
3P-ACCESS-LICENSE-01 Without a third party access control product, there is no way to prevent SUPER.SUPER from using the FUP commands to LICENSE a file.
The Operating System files that require licensing may vary from one release to another. To determine which files need to be licensed, review the CUSTFILE file. The CUSTFILE indicates licensing requirements in section 2 with an "L" in column 62 for modules that must be licensed. (INSTALL uses this information to determine if a module should be licensed when it is moved in the REPSUBSYS phase or restored from a system-image tape (SIT) in the RESTSYS phase.)
Example of a CUSTFILE entry (the "L" in column 62 marks the module as one that must be licensed):
2 R1085F40 OZKRN ZSYSCFM SYSGEN COPY SYSNN L
BP-FILES-LICENSE-01 Routinely monitor the system files, and revoke any unauthorized LICENSES.
BP-FILES-LICENSE-02 Routinely monitor other files, and revoke any unauthorized LICENSES.
BP-FILES-LICENSE-03 Licensed files should be owned by SUPER.SUPER.
BP-FILES-LICENSE-04 Licensed files should be secured correctly. Specific security requirements have been given throughout this section. If not otherwise covered, the security should be "UUUU".
BP-FILES-LICENSE-05 Control the use of the LICENSE command.
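The CUSTFILE check and the routine monitoring called for by BP-FILES-LICENSE-01 and BP-FILES-LICENSE-02 can be scripted off-host against exported listings. The following Python script is an added example, not code from the handbook or from HP; it assumes that CUSTFILE section-2 records are whitespace-separated with the program name in the third field and the target subvolume in the seventh (SYSNN standing for the node's actual SYSnn), that the "L" flag sits in column 62 as the text states, and it uses a constructed inventory of licensed files of the kind DSAP or FILEINFO would report.

```python
from dataclasses import dataclass

LICENSE_COL = 62  # 1-based column of the "L" flag in CUSTFILE section-2 records


def parse_custfile_section2(text: str, sysnn: str) -> set[str]:
    """Return $SYSTEM.<subvol>.<program> for every section-2 record flagged "L".
    Assumed layout (not stated on the page): whitespace-separated fields, program
    name in field 3, target subvolume in field 7, SYSNN meaning the real SYSnn."""
    required: set[str] = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] != "2":
            continue  # only section-2 module records carry the licence flag
        flagged = len(line) >= LICENSE_COL and line[LICENSE_COL - 1] == "L"
        if flagged:
            subvol = fields[6].replace("SYSNN", sysnn)
            required.add(f"$SYSTEM.{subvol}.{fields[2]}")
    return required


@dataclass(frozen=True)
class LicenseReview:
    unauthorized: frozenset[str]  # LICENSED, but neither required by CUSTFILE nor approved
    missing: frozenset[str]       # required by CUSTFILE, but not LICENSED on the node


def review_licensed_files(custfile: str, licensed: set[str],
                          approved: set[str], sysnn: str) -> LicenseReview:
    """Flag licences to revoke and HP modules whose licence has gone missing."""
    required = parse_custfile_section2(custfile, sysnn)
    return LicenseReview(unauthorized=frozenset(licensed - required - approved),
                         missing=frozenset(required - licensed))


def _record(*fields: str, flagged: bool) -> str:
    """Build a constructed CUSTFILE record, placing "L" in column 62 when flagged."""
    return " ".join(fields).ljust(LICENSE_COL - 1) + ("L" if flagged else "")


# Constructed CUSTFILE excerpt; the OZKRN record mirrors the one quoted in the text.
CUSTFILE_SAMPLE = "\n".join([
    "1 CONSTRUCTED HEADER RECORD",
    _record("2", "R1085F40", "OZKRN", "ZSYSCFM", "SYSGEN", "COPY", "SYSNN", flagged=True),
    _record("2", "TXXXXX01", "FUP", "ZSYSTEM", "SYSGEN", "COPY", "SYSTEM", flagged=True),
    _record("2", "TXXXXX02", "EDIT", "ZSYSTEM", "SYSGEN", "COPY", "SYSTEM", flagged=False),
])
# Constructed inventory of files found LICENSED on the node (what DSAP/FILEINFO would show).
LICENSED_SAMPLE = {"$SYSTEM.SYS01.OZKRN", "$DATA.PAYROLL.FIXPAID"}
APPROVED_SAMPLE: set[str] = set()  # documented, management-approved in-house licences
```

Running `review_licensed_files(CUSTFILE_SAMPLE, LICENSED_SAMPLE, APPROVED_SAMPLE, "SYS01")` reports `$DATA.PAYROLL.FIXPAID` as an unauthorized licence to revoke and `$SYSTEM.SYSTEM.FUP` as a required module that is no longer licensed.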
Best Practice | Discovery Question | Look here:
---|---|---
FILE-POLICY | Are all LICENSED files documented? | Policy
FILES-LICENSE-01 | Are the proper Operating System object files LICENSED? | DSAP, CUSTFILE
FILES-LICENSE-02 | Are the proper third party or user software object files LICENSED? | DSAP, CUSTFILE
FILES-LICENSE-03 | Are the files owned by SUPER.SUPER? | Fileinfo
FILES-LICENSE-04 | Are all the LICENSED files secured correctly? | Fileinfo
FILE-POLICY | Is the LICENSE command audited? | Safecom, Third Party
FILES-LICENSE-05 | Is the LICENSE command secured from unauthorized use? | Guardian, Third Party
FILE-POLICY | Is the system periodically monitored for new or unauthorized LICENSED files? | Policy
Related Topics
FUP
Operating System