Pathway Subsystem


This section describes securing the components of the Pathway Subsystem itself. Please refer to the chapters on Application Security for a discussion on securing Pathway Applications.

Pathway is an application platform, under which many NonStop server applications run. It is often the pivotal production platform, therefore requiring a wide range of access throughout a company's enterprise.

The Pathway application is the gateway to many production applications, which:

Provides the interface to the company's database

Is the foundation for the availability of the company's enterprise applications

Determines the security methodology for the enterprise databases

Provides multi-threading and configurable components based upon the application

Pathway is a client-server application model. The Pathway monitor provides the interface for the communication layer and the management layer between the client and server. A Pathway application has two major components:

Requestors: A screen program or GUI client component that interacts directly with the terminal. The screen part of the application is written in SCOBOLX or in a GUI language.

Servers: The user program running on the host system that interacts with the databases and performs user calculations, etc. The server part of the application can be written in any available language that functions on the HP NonStop server.

The Pathway subsystem components are:

PATHCOM

PATHMON

PATHTCP2

PATHCTL

PATHTCPL

LINKMON

Components of each Pathway Application:

PATHCTL

POBJDIR/POBJCOD

Server Programs

Assigned files and Databases

PATHCOM

PATHCOM is the interactive interface into a Pathway environment for starting, stopping, and modifying the environment. The designated Pathway owner, together with the Pathway SECURITY attribute, controls who can issue commands that affect the environment, whether via PATHCOM or programmatically.

The owner can perform management commands; start and stop the Pathway objects, alter configuration settings, freeze and thaw terminals, etc.

The designated security attribute specifies the users, relative to the Pathway owner, who can perform management commands. Set the SECURITY parameter using the Guardian security values A, G, O, -, N, C, and U. The internal security attribute does not control the security at which the requestor or server programs run. For instance:

Setting the value to "C" allows anyone in the owner's group, on any node in the network, to alter the Pathway or start and stop servers.

Setting the value to "O" allows only the local owner to alter the Pathway or start and stop servers.

Non-dedicated terminals are started via the PATHCOM interface, therefore users responsible for stopping and starting Pathway terminals need EXECUTE access to the PATHCOM object file.

AP-FILE-PATHCOM-01 Starting a terminal through the PATHCOM interface is the method used for non-dedicated terminals, therefore users need EXECUTE access to the PATHCOM object file.

RISK The PROGRAM security of "N" allows anyone in the network to start the program. Likewise, the security of "A" allows any local user these privileges.

BP-PATHWAY-CONFIG-01 Pathway security should not allow general access; that is, it should not be set to "N" or "A".
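The following Python is an added example, not code from the book or from HP's Pathway software. It decides which users a given PATHWAY SECURITY letter admits to management commands and flags the settings that BP-PATHWAY-CONFIG-01 and AP-FILE-PATHWAY-02 reject. The letter meanings follow the Guardian file-security convention the chapter refers to (A, G, O and - are local-node scopes; N, C and U are their network-wide counterparts); the super ID's ability to override a letter is not modelled, and the names User, may_manage and audit_pathway_security are chosen here.

```python
# Added example (not from the book or HP's Pathway software): decide which
# users a given PATHWAY SECURITY letter admits to management commands, and
# flag the settings BP-PATHWAY-CONFIG-01 and AP-FILE-PATHWAY-02 reject.
# Letter meanings are the Guardian file-security convention the chapter
# refers to. The super ID's override of a letter is NOT modelled here.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    node: str    # Expand node name, e.g. "\\PROD" (constructed sample values)
    group: int   # Guardian group number
    member: int  # Guardian user number within the group


# letter -> (who is admitted, whether remote nodes are admitted too)
SECURITY_LETTERS = {
    "A": ("any",   False),   # any local user
    "G": ("group", False),   # owner's group, local only
    "O": ("owner", False),   # owner, local only
    "-": ("super", False),   # local super ID only
    "N": ("any",   True),    # any user on any node
    "C": ("group", True),    # owner's group on any node
    "U": ("owner", True),    # owner from any node
}

SUPER_ID = (255, 255)


def may_manage(owner: User, security: str, requester: User) -> bool:
    """True if `requester` may issue Pathway management commands (START,
    STOP, ALTER, FREEZE/THAW, ...) under the given PATHWAY SECURITY letter."""
    scope, network_ok = SECURITY_LETTERS[security.upper()]
    if requester.node.upper() != owner.node.upper() and not network_ok:
        return False                      # local-only letter, remote caller
    if scope == "any":
        return True
    if scope == "group":
        return requester.group == owner.group
    if scope == "owner":
        return (requester.group, requester.member) == (owner.group, owner.member)
    return (requester.group, requester.member) == SUPER_ID   # scope "super"


def audit_pathway_security(security: str) -> list:
    """Findings against the chapter's rules for the PATHWAY SECURITY value."""
    letter = security.upper()
    if letter not in SECURITY_LETTERS:
        return [f"{security!r} is not a valid Guardian security letter"]
    findings = []
    if letter in ("N", "A"):
        findings.append(f'SECURITY "{letter}" grants general access '
                        "(BP-PATHWAY-CONFIG-01)")
    if letter not in ("O", "U"):
        findings.append(f'SECURITY "{letter}" is not the recommended "O" or "U" '
                        "(AP-FILE-PATHWAY-02)")
    return findings


if __name__ == "__main__":
    owner = User("\\PROD", 100, 1)              # constructed sample owner
    same_group_remote = User("\\DEV", 100, 7)   # constructed remote group member
    print("C admits remote group member:", may_manage(owner, "C", same_group_remote))
    print("O admits remote group member:", may_manage(owner, "O", same_group_remote))
    for letter in ("N", "G", "O"):
        print(letter, audit_pathway_security(letter) or "OK")
```

Running the block reproduces the two cases in the text: "C" admits a member of the owner's group from another node, while "O" admits only the owner on the local node; the audit reports "N" as a violation of both rules and "O" as clean.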

3P-ACCESS-PATHWAY-01 Access to PATHCOM commands can be controlled via a third party product that can secure at the command level.

PATHMON

A Pathway monitor program process pair is started for each Pathway system. A Pathway application is started and then configured with the PATHCOM program. PATHCOM commands are used to configure the Pathway application. Each Pathway Monitor has a unique process name, which is defined when the PATHMON process is started.

RISK The Pathway owner is set to the user who starts the Pathway, unless otherwise explicitly set during configuration. Allowing the internal Pathway owner to be defaulted upon startup can configure a Pathway environment to the wrong user.

All TCPs and server processes started by a PATHMON process are run using the PAID of the PATHMON process.

Since the server processes run as the Pathway owner, all databases must be secured to allow appropriate access.

The owner can perform management commands; start and stop the Pathway objects, alter configuration settings, freeze and thaw terminals, etc.

RISK The default for Pathway security is "N" unless explicitly set after the START Pathway command is issued, which allows network access by default.

AP-FILE-PATHWAY-02 Ensure that application Pathways have adequate internal security. Internal Pathway security should be set to "O" or "U".

RISK Pathway reconfiguration may not be successful if the Pathway owner is not also the userid that restarts the Pathway.

RISK Because PATHCOM defaults to a Pathway named $PM when no other Pathway name is specified, never name a Pathway $PM. Commands from a PATHCOM accidentally started with no name could be applied to the wrong Pathway.

RISK Running application Pathway systems under SUPER.SUPER is not recommended. It allows access to the system as SUPER.SUPER without the need for a password.

RISK Pathway does not interact with CMON when starting server processes for authorization, priority, CPU, etc. CPU selection and priority can be set on the Server configuration within Pathway.

RISK CPU selection and priority can be configured for servers within Pathway. Inappropriate values can harm system performance.

AP-FILE-PATHWAY-03 The Pathway owner should be the same user that started the Pathway environment. PATHMON should not be running as SUPER.SUPER.

AP-FILE-PATHWAY-04 The Pathway owner should always be explicitly set and not defaulted. This does not prevent another user from trying to start the Pathway, but prevents that user from configuring the Pathway after the PATHMON is started. Set the Pathway owner to the user who is designated to start and own the Pathway.

LINKMON

For Pathway applications running via GUI client applications that are remote to the Pathway, Pathway performs the communication via a process called LINKMON. LINKMON establishes communications from the client to the server class. Several methods are in use to perform the communication layer for this function:

Remote Server Call (RSC) software enables personal computers (PCs) and workstations to communicate with Pathway servers and other processes on an HP NonStop server. The security of the access link is not covered in this chapter.

TCP/IP communication channels allow personal computers (PCs) and workstations to communicate with Pathway servers and other processes on an HP NonStop server. The security of the access link is not covered in this chapter.

A typical LINKMON request to Pathway is initiated from a GUI client or Web application via a communication methodology to a PATHMON. Configuration parameters in the PATHMON setup determine the accessibility of the Pathway to remote clients.

The operating system starts the LINKMON processes (the ROUT program) and names them automatically in each CPU conforming to the name $ZLnn, where nn is the number of the CPU; i.e. $ZL05 is the Linkmon for CPU 5.

LINKMON extended memory is supported by a disk swap file named $SYSTEM.ZLINKMON.ZZLMnn, where nn is the CPU number of the LINKMON process. For example, the LINKMON process $ZL01 in CPU 1 uses the swap file $SYSTEM.ZLINKMON.ZZLM01.

AP-FILE-PATHWAY-05 It is the responsibility of the GUI application and the Pathway server program to successfully handle authorization of the incoming request, both from a security standpoint and a format standpoint.

PATHTCP2

The PATHTCP2 is the terminal control component of the Pathway. This program interprets the POBJCOD and POBJDIR files to run the screen interface. PATHTCP2 is the program for the TCP entity of the Pathway application.

The PATHTCP2 component is often referred to as the TCP. A GUI interface to Pathway does not utilize this component of Pathway. The screen interaction is performed by the GUI application.

The PATHTCPL library is attached to the PATHTCP2 process when it is started. If the PATHTCPL library will be modified for the application, the PATHTCP2 and PATHTCPL files are usually duplicated to an application-specific location so that any other Pathways on the system that use the PATHTCP2 and PATHTCPL code do not get the application-specific code.

AP-FILE-PATHWAY-06 If an application makes extensive use of custom code in the PATHTCPL library, a duplication of PATHTCP2 and PATHTCPL should be made and permit custom changes only to the duplicate, which will then be used solely for the application.

RISK Because duplicated PATHTCP2 and PATHTCPL programs are not stored on the $SYSTEM.SYSnn subvolume, they will not automatically be updated when the sysgen process loads new HP NonStop server software.

PATHCTL

PATHCTL stores the configuration information for the Pathway environment. The Pathway can be shut down and restarted in a WARM state to return the environment to its previous state. A COLD start initializes the PATHCTL file, and the environment is then reconfigured from the PATHCOM commands used.

RISK The Guardian user that starts the Pathway environment must have PURGE access to the PATHCTL and log files that are created during a cold start.

AP-FILE-PATHWAY-07 PATHCTL file should have the same owner and security as the userid running the Pathway.

PATHTCPL

PATHTCPL is a run-time library that is attached to PATHTCP2 and to which user-customized code can be added that will be invoked by SCOBOL routines.

RISK Code entered into the PATHTCPL library will be invoked by the Pathway requestor. If this file is not secured, unauthorized code modifications can occur.

AP-FILE-PATHWAY-08 PATHTCPL file should have the same owner and security as the userid running the Pathway.

POBJDIR / POBJCOD

For Pathway applications running TCP terminal programs, program object files are stored in Pathway managed component files, by default called POBJCOD and POBJDIR.

SCOBOL is an interpretive language. The POBJCOD and POBJDIR files contain the interpretive code. Collectively, these files are called the requestor program. The requestor object configuration is defined to Pathway as the TCLPROG parameter of the TCP entity.

Caution

The prefix for the Pathway terminal programs can be user-defined, but the suffix is always 'COD' and 'DIR'.

The naming convention is <prefix>COD and <prefix>DIR as a matched pair. The name used for the Pathway is defined in the TCP configuration as:

Example:

  TCLPROG \<node>.$vol.subvolume.POBJT

In the example above, the prefix is POBJT, so the files would be created as the POBJTCOD and POBJTDIR files.

The requestor program is accessed by the PROGRAM entity. The PROGRAM entity maintains an OWNER and SECURITY attribute. The SECURITY attribute determines whether a user running the Pathway can run the program.

AP-FILE-PATHWAY-09 The program owner should be the same as the Pathway owner.

AP-FILE-PATHWAY-10 The program security should be set as required by the application.

Server Programs

The Pathway configuration will point to user-written application server programs. Generally these programs need to be secured in relationship to the overall application security. Additional information about application security is discussed in Securing Applications.

Securing Pathway Components

BP-FILE-PATHWAY-01 PATHMON should be secured "UUNU".

BP-OPSYS-OWNER-02 PATHMON should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-02 PATHMON must reside in $SYSTEM.SYSTEM.

BP-FILE-PATHWAY-02 PATHCOM should be secured "UUNU".

BP-OPSYS-OWNER-02 PATHCOM should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-02 PATHCOM must reside in $SYSTEM.SYSTEM.

BP-FILE-PATHWAY-03 PATHTCP2 should be secured "UUNU".

BP-OPSYS-OWNER-02 PATHTCP2 should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-02 PATHTCP2 must reside in $SYSTEM.SYSTEM.

BP-FILE-PATHWAY-04 PATHCTL should be secured "NUUU".

BP-OPSYS-OWNER-02 PATHCTL should be owned by the Pathway owner.

BP-OPSYS-FILELOC-02 PATHCTL should reside in $SYSTEM.SYSTEM.

BP-FILE-PATHWAY-09 PATHTCPL should be secured "UUNU".

BP-OPSYS-OWNER-02 PATHTCPL should be owned by SUPER.SUPER.

BP-PROCESS-ROUT-01 $ZLnn processes should be running.

BP-FILE-PATHWAY-05 ROUT should be secured "UUNU".

BP-OPSYS-OWNER-01 ROUT should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-01 ROUT must reside in $SYSTEM.SYSnn.
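The following Python is an added example, not code from the book or from HP. It audits the Guardian RWEP security strings, owners and locations of the Pathway object files against the BP-FILE-PATHWAY and BP-OPSYS recommendations listed above. The input records are constructed to resemble what a FILEINFO listing reports (file name, owner, RWEP string); only the "must reside" locations are checked, and the names FileRecord, EXPECTED and audit_pathway_files are chosen here.

```python
# Added example (not from the book or HP): audit the Pathway object files'
# Guardian RWEP security strings, owners and locations against the
# BP-FILE-PATHWAY / BP-OPSYS recommendations. Input records are constructed
# to resemble FILEINFO output; the field layout is an assumption.
import re
from dataclasses import dataclass

SUPER_SUPER = (255, 255)
RWEP = ("Read", "Write", "Execute", "Purge")
VALID_LETTERS = set("AGO-NCU")


@dataclass(frozen=True)
class FileRecord:
    name: str       # Guardian name, e.g. "\\PROD.$SYSTEM.SYSTEM.PATHMON"
    owner: tuple    # (group, user) numbers as FILEINFO shows them
    security: str   # four letters in R W E P order, e.g. "UUNU"


# Recommended settings per object file: (RWEP, owner, location regex).
# owner "PATHWAY" stands for the Pathway owner passed to the audit; only the
# "must reside" locations from the best-practice list are checked.
EXPECTED = {
    "PATHMON":  ("UUNU", SUPER_SUPER, r"\$SYSTEM\.SYSTEM"),
    "PATHCOM":  ("UUNU", SUPER_SUPER, r"\$SYSTEM\.SYSTEM"),
    "PATHTCP2": ("UUNU", SUPER_SUPER, r"\$SYSTEM\.SYSTEM"),
    "PATHCTL":  ("NUUU", "PATHWAY",   None),
    "PATHTCPL": ("UUNU", SUPER_SUPER, None),
    "ROUT":     ("UUNU", SUPER_SUPER, r"\$SYSTEM\.SYS\d\d"),
}


def split_name(name):
    """Return ("$VOL.SUBVOL", "FILE") from a Guardian file name, with or
    without a leading node part."""
    parts = name.upper().split(".")
    return ".".join(parts[-3:-1]), parts[-1]


def check_rwep(actual, expected):
    """Position-by-position comparison of two RWEP strings."""
    if len(actual) != 4 or not set(actual.upper()) <= VALID_LETTERS:
        return [f"unparseable security string {actual!r}"]
    return [f"{pos} is {have!r}, recommended {want!r}"
            for pos, have, want in zip(RWEP, actual.upper(), expected)
            if have != want]


def audit_pathway_files(records, pathway_owner):
    """Map file name -> list of findings (an empty list means compliant)."""
    report = {}
    for rec in records:
        subvol, fname = split_name(rec.name)
        rule = EXPECTED.get(fname)
        if rule is None:
            continue                      # not a Pathway component
        want_sec, want_owner, want_loc = rule
        if want_owner == "PATHWAY":
            want_owner = tuple(pathway_owner)
        findings = check_rwep(rec.security, want_sec)
        if tuple(rec.owner) != want_owner:
            findings.append(f"owner {tuple(rec.owner)} differs from recommended {want_owner}")
        if want_loc and not re.fullmatch(want_loc, subvol):
            findings.append(f"resides in {subvol}, outside the required location")
        report[fname] = findings
    return report


# Constructed sample inventory: two compliant files, two with deviations.
SAMPLE_RECORDS = [
    FileRecord("\\PROD.$SYSTEM.SYSTEM.PATHMON", (255, 255), "UUNU"),
    FileRecord("\\PROD.$SYSTEM.SYSTEM.PATHCOM", (255, 255), "NUNU"),
    FileRecord("\\PROD.$DATA.APP1.PATHCTL",     (100, 1),   "NNNN"),
    FileRecord("\\PROD.$SYSTEM.SYS01.ROUT",     (255, 255), "UUNU"),
]

if __name__ == "__main__":
    for fname, findings in audit_pathway_files(SAMPLE_RECORDS, (100, 1)).items():
        print(fname, "OK" if not findings else "; ".join(findings))
```

On the constructed sample, PATHMON and ROUT pass, PATHCOM is reported because its Read position is "N" rather than "U", and PATHCTL is reported for its Write, Execute and Purge positions being open to any network user instead of restricted to the owner.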

If available, use Safeguard software or a third party object security product to grant access to Pathway object files to necessary personnel, and deny access to all other users.

BP-SAFE-PATHCOM-01 Add a Safeguard Protection Record to grant appropriate access to the PATHMON object file.

BP-SAFE-PATHCOM-02 Add a Safeguard Protection Record to grant appropriate access to the PATHCOM object file.

BP-SAFE-PATHCOM-03 Add a Safeguard Protection Record to grant appropriate access to the PATHTCP2 object file.

BP-SAFE-PATHCOM-04 Add a Safeguard Protection Record to grant appropriate access to the PATHCTL object file.

BP-SAFE-PATHCOM-05 Add a Safeguard Protection Record to grant appropriate access to the PATHTCPL object file.

BP-SAFE-PATHCOM-06 Update the sysgen process to duplicate PATHTCP2 and PATHTCPL to application specific locations as needed.

Discovery Questions

ID                                Question                                                                              Look Here
FILE-POLICY                       Is Pathway used for application interfaces?                                           Policy
FILE-POLICY                       Are GUI Pathways requiring LINKMON run on this system?                                Policy
PROCESS-ROUT-01                   Are $ZLnn processes running?                                                          Status
OPSYS-OWNER-01                    Who owns the ROUT object file?                                                        Fileinfo
OPSYS-OWNER-02                    Who owns the PATHMON object file?                                                     Fileinfo
OPSYS-OWNER-02                    Who owns the PATHCOM object file?                                                     Fileinfo
OPSYS-OWNER-02                    Who owns the PATHTCP2 object file?                                                    Fileinfo
OPSYS-OWNER-02                    Who owns the PATHCTL file?                                                            Fileinfo
OPSYS-OWNER-02                    Who owns the PATHTCPL object file?                                                    Fileinfo
FILE-POLICY                       Who is allowed to execute PATHMON on secure systems to start a Pathway system?        Policy
FILE-PATHWAY-01 SAFE-PATHWAY-01   Is the PATHMON object file correctly secured with the Guardian or Safeguard system?   Fileinfo Safecom
FILE-PATHWAY-02 SAFE-PATHWAY-02   Is the PATHCOM object file correctly secured with the Guardian or Safeguard system?   Fileinfo Safecom
FILE-PATHWAY-03                   Is the PATHTCP2 object file secured correctly?                                        Fileinfo
FILE-PATHWAY-04                   Is the PATHTCP2 object file duplicated to an application-specific location?           Fileinfo
FILE-PATHWAY-05                   Is the PATHCTL object file secured correctly?                                         Fileinfo
FILE-PATHWAY-06                   Is the PATHTCPL object file secured correctly?                                        Fileinfo
FILE-PATHWAY-07                   Is the PATHTCPL object file duplicated to an application-specific location?           Fileinfo
FILE-PATHWAY-08                   Is the ROUT object file secured correctly?                                            Fileinfo

Related Topics

User Administration

Securing Applications




HP NonStop Server Security 2004
ISBN: 159059035X
Year: 2004
Pages: 157