RESTORE User Program


The RESTORE user program copies files from a tape created by BACKUP to disk and displays tape file information. This utility is essential after a disk failure or human error causes disk data to be lost.

AP-RESTORE-POLICY-01 The Corporate Security Policy and Standards should detail procedures for securing and tracking tapes in a tape library.

RISK The security of BACKUP tapes is always based on physical possession of the tape.

AP-RESTORE-POLICY-02 Each organization must have procedures to control access to BACKUP tapes that contain confidential information.

RISK If the RESTORE program is accessible to general users, files containing sensitive data could be retrieved from a tape and restored under their userid.

AP-RESTORE-POLICY-03 Since tapes can contain sensitive data, protection of the tapes, and of the utilities that can read or copy the data, is a security concern.

RISK RESTORE is a privileged program and must be licensed to be runnable. Only SUPER.SUPER can run the program if it isn't licensed.

The RESTORE utility has three modes of operation:

File Mode

Listonly

Volume Mode

File Mode

In File Mode, RESTORE copies individual files to disk from a tape created by file-mode BACKUP.

RISK This mode selectively restores files to the disk. Files can be redirected to new locations, and the MYID option secures the new files as the userid running RESTORE. Files restored with that userid's security could make sensitive data accessible to unauthorized users.

Listonly Mode

In LISTONLY mode, RESTORE displays information about the files on a backup tape without restoring the files to disk.

RISK This mode has no risk to the data on the tape or files on the system.

Volume Mode

In Volume Mode, RESTORE re-creates an entire disk volume from a tape that was created by a Volume Mode BACKUP. Only SUPER.SUPER can initiate a Volume Mode RESTORE.

AP-RESTORE-POLICY-03 This mode is usually performed for disaster recovery only. Only SUPER.SUPER can perform a volume mode restore.

How RESTORE Interacts With NonStop TMF Software

TMF has its own recovery mechanisms for audited files. However, BACKUP and RESTORE might be used to:

Transport audited files to another system

Archive files and retrieve files that are used infrequently

Keep old versions of files

How RESTORE treats audited files depends on whether or not NonStop TMF software was running when the BACKUP was made and when the RESTORE is performed. It also depends on whether or not the file being restored was an audited file and whether or not the file existed before the RESTORE.

RESTORE Command Used     | Conditions                        | What RESTORE Does
No AUDITED option        |                                   | Audited file is skipped.
AUDITED                  | NonStop TMF software running      | File is restored as an audited file.
AUDITED                  | NonStop TMF software not running  | If a file with the same name already exists, RESTORE issues Purge Error 82. Otherwise, the file is restored non-audited, and RESTORE issues a warning message.
AUDITED and TURNOFFAUDIT | File does not already exist       | File is restored non-audited.
AUDITED and TURNOFFAUDIT | File exists but is not audited    | File is restored non-audited.
AUDITED and TURNOFFAUDIT | File exists and is audited        | If NonStop TMF software is running, the file is restored non-audited. Otherwise, RESTORE issues Purge Error 82 and does not restore the file.

Securing RESTORE

RESTORE Commands With Security Implications

This list includes only the RESTORE commands that pose security risks.

KEEP

MYID

NOSAFEGUARD

RISK If the KEEP option is omitted and the file on the disk has the same name as the file being restored, the disk file is purged during RESTORE processing and replaced. For this to happen, the userid running RESTORE must have purge authority for the file.

RISK The MYID option sets the ownerid of all of the files that are being restored to that of the userid who is running RESTORE. As each file is restored, it is given the default security of the current user. Applications and operating system utilities may stop functioning because of the change of ownership and Protection Records in Safeguard software may grant or deny based upon the new ownership.

RISK If the NOSAFEGUARD option is used, files with Safeguard security information are restored but do not retain Safeguard protection. If the option is omitted, the files retain Safeguard protection.

If a third party access control product is used to grant selected users access to RESTORE running as a privileged userid such as SUPER.SUPER or SUPER.OPERATOR, the sensitive commands should only be granted to the appropriate users and denied to all others.

BP-FILE-RESTORE-01 RESTORE should be secured "UUNU".

BP-OPSYS-LICENSE-01 RESTORE must be LICENSED.

BP-OPSYS-OWNER-01 RESTORE should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-01 RESTORE must reside in $SYSTEM.SYSnn.

If available, use Safeguard software or a third party object security product to grant access to RESTORE only to users who require access in order to perform their jobs.

BP-SAFE-RESTORE-01 Add a Safeguard Protection Record to grant appropriate access to the RESTORE object file.

Because operators frequently 'run' the backups and because operators should not have userids in the SUPER Group, the Corporate Security Policy and Standards should mandate how operators will be granted the ability to back up every file on the system. There are two basic choices: with a third party access control product and without one.

With a third party access control product:

3P-ACCESS-RESTORE-01 Use a third party access control product to allow the users responsible for performing restores the ability to run RESTORE as SUPER.SUPER.

Without a third party access control product:

AP-ADVICE-RESTORE-01 Give those users responsible for running restores EXECUTE access to a PROGID copy of the RESTORE utility owned by SUPER.SUPER.

RISK Object files PROGID'd to SUPER.SUPER are a security risk because anyone executing the program can restore any file.

AP-ADVICE-RESTORE-01A The PROGID copy of RESTORE should not reside in $SYSTEM.SYSTEM, $SYSTEM.SYSnn or any subvolume in the PMSEARCHLIST that is shared by all users so it cannot be used inadvertently.

AP-ADVICE-RESTORE-01B The PROGID copy of RESTORE should be secured so that only users authorized to use backup tapes can execute it.

AP-ADVICE-RESTORE-02 Create a job function userid (such as OPER.BACKUP) that is used only for running BACKUP and RESTORE. Create Safeguard Protection Records to give OPER.BACKUP READ-only access to all files. Give those users responsible for running backups EXECUTE access to a PROGID copy of the RESTORE utility owned by OPER.BACKUP.

RISK Anyone logged on as OPER.BACKUP has read access to every file on the system.

AP-ADVICE-RESTORE-02A OPER.BACKUP must be treated as a privileged userid. Users should not be allowed to logon as OPER.BACKUP.

RISK This method requires a great deal of Safeguard maintenance.

AP-ADVICE-RESTORE-02B To reduce the maintenance overhead, Safeguard Protection Records granting READ access to OPER.BACKUP should be applied at the VOLUME or SUBVOLUME, rather than the DISKFILE level.
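An added example (not from the book) that turns the BP-FILE/OPSYS-RESTORE practices above and the AP-ADVICE-RESTORE-01A/01B advice for a PROGID copy into a check over the text of a FUP INFO <file>, DETAIL listing. The listing layout in the sample is a constructed approximation, and the meaning of the Guardian E letters A and N as "any local user" / "any network user" is assumed.

```python
# Audit a NonStop RESTORE object file against the best practices on this page,
# using the text of FUP INFO <file>, DETAIL output.  The listing layout below is
# a CONSTRUCTED approximation, not a captured one; adjust the regexes to match
# what your FUP release prints.
import re

SUPER_SUPER = "255,255"   # user-id of SUPER.SUPER

# Constructed sample: in $SYSTEM.SYSnn, owned by SUPER.SUPER, UUNU, but not LICENSED
SAMPLE_FUP_DETAIL = """\
$SYSTEM.SYS04.RESTORE   12 Mar 2004, 10:15
   TYPE U
   CODE 100
   OWNER 255,255
   SECURITY (RWEP): UUNU
"""

def parse_fup_detail(text):
    """Extract file name, owner, RWEP letters and the LICENSED / PROGID flags."""
    info = {"file": text.strip().splitlines()[0].split()[0].upper()}
    m = re.search(r"^\s*OWNER\s+(\d+,\d+)", text, re.M)
    info["owner"] = m.group(1) if m else None
    m = re.search(r"^\s*SECURITY \(RWEP\):\s*([A-Z\-]{4})", text, re.M | re.I)
    info["security"] = m.group(1).upper() if m else None
    info["licensed"] = re.search(r"^\s*LICENSED\b", text, re.M) is not None
    info["progid"] = re.search(r"^\s*PROGID\b", text, re.M) is not None
    return info

def audit_restore(info):
    """Return (practice id, finding) pairs for each violated practice; [] is compliant."""
    findings = []
    subvol = info["file"].rsplit(".", 1)[0]
    in_sysnn = re.fullmatch(r"\$SYSTEM\.SYS\d\d", subvol) is not None
    if info["progid"]:
        # The PROGID copy operators run: keep it out of shared subvolumes, and its
        # E letter must not be A or N (any local / any network user could execute it).
        if in_sysnn or subvol == "$SYSTEM.SYSTEM":
            findings.append(("AP-ADVICE-RESTORE-01A", "PROGID copy is in a shared subvolume"))
        if info["security"] and info["security"][2] in "AN":
            findings.append(("AP-ADVICE-RESTORE-01B", "PROGID copy is executable by any user"))
        return findings
    if info["security"] != "UUNU":
        findings.append(("BP-FILE-RESTORE-01", f"security is {info['security']}, expected UUNU"))
    if not info["licensed"]:
        findings.append(("BP-OPSYS-LICENSE-01", "RESTORE is not LICENSED"))
    if info["owner"] != SUPER_SUPER:
        findings.append(("BP-OPSYS-OWNER-01", f"owner is {info['owner']}, expected SUPER.SUPER"))
    if not in_sysnn:
        findings.append(("BP-OPSYS-FILELOC-01", "RESTORE does not reside in $SYSTEM.SYSnn"))
    return findings
```

Feed a captured listing through audit_restore(parse_fup_detail(text)); the returned ids map directly to the Discovery Questions below.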

Discovery Questions

                                 | Question                                                                        | Look here:
OPSYS-OWNER-01                   | Who owns the RESTORE object file?                                               | Fileinfo
OPSYS-LICENSE-01                 | Is RESTORE licensed?                                                            | Fileinfo
FILE-POLICY                      | Who is allowed to initiate tape functions on the system?                        | Policy
FILE-RESTORE-01, SAFE-RESTORE-01 | Is the RESTORE object file correctly secured with the Guardian or Safeguard system? | Fileinfo, Safecom

Related Topics

BACKUP




HP NonStop Server Security 2004
ISBN: 159059035X
Year: 2004
Pages: 157
