NonStop TMF Subsystem


NonStop Transaction Management Facility (TMF) software is the primary component of the Transaction Manager/MP (TM/MP) product.

NonStop TMF software monitors database transactions. The databases can be distributed among many disks on one or more nodes. NonStop TMF software monitors transactions for SQL catalogs, SQL databases and Enscribe files.

Files and tables must be defined as NonStop TMF audited files to be protected. Only audited files have change records logged to the NonStop TMF audit trails. Files that are not protected by NonStop TMF software are referred to as 'non-audited' files and do not have changes logged by NonStop TMF software.

AP-ADVICE-TMF-01 NonStop TMF software is a complex subsystem, which is integrated into many parts of the operating system and other subsystems. It must be configured and managed by knowledgeable personnel in order to avoid filling up disks or impacting application and system performance.

RISK NonStop TMF software itself is a security product. Relying upon NonStop TMF software to provide recovery of data files is essential to many environments. If NonStop TMF software is not functional or transactions have been suspended, the programs, subsystems, etc. relying upon NonStop TMF software will not function, thus suspending the production application.

NonStop TMF Software and Database Recovery

The NonStop TMF subsystem protects transactions and performs database recovery in several ways:

Provides database consistency by transitioning a database from one consistent state to another, despite concurrent transactions.

Provides a mechanism whereby transactions on data stored within distinct files can be collectively linked as a single transaction.

Provides the necessary lock management for transactions.

Provides database consistency by protecting transactions from many potential hazards, including program failures, system component failures, and communication failures. Any incomplete transaction is backed out to the last consistent state.

Provides database recovery from its transaction-audit information.

Provides disaster rollback to a consistent state from retained periodic dump files.

RISK NonStop TMF software's transaction protection is only performed on audited files and SQL objects. If the files are not set for NonStop TMF auditing, none of the recovery functions apply.

AP-ADVICE-TMF-02 It is important that critical data files be audited.

RISK If files are audited and NonStop TMF is unavailable for some reason, transactions are halted and the application will not be functional.

NonStop TMF software is generally required on every system. Certain subsystems, such as the NonStop SQL database, rely upon NonStop TMF software to protect SQL catalog tables. Whether NonStop TMF software is used to protect application databases, and at what level this protection is used, should be part of the Corporate Security Policy and Standards.

NonStop TMF Configuration

NonStop TMF software has numerous configuration parameters. In order for files to be audited, they must reside on audited disk volumes. Normally, the volume on which the NonStop TMF audit trails reside is not audited.

RISK Not all volumes may be audited. The Corporate Security Policy should determine if any volumes are not audited and which files, other than the NonStop TMF audit trails, can reside on these volumes.

AP-ADVICE-TMF-01 Volumes that are not audited should be reserved for authorized non-audited activity and for storing NonStop TMF audit trails.

The NonStop TMF configuration also defines the parameters that govern audit trail retention, timeouts, audit dump configuration and other parameters that directly affect the level of NonStop TMF security over data.

BP-TMF-CONFIG-01 The NonStop TMF audit trails should not be located on $SYSTEM, to avoid contention. Configure the audit trails on another, less busy, volume.

NonStop TMF Auditing

Transaction control is supported by NonStop TMF auditing of before and after images of the data records. Before any I/O is performed, NonStop TMF software saves the before image of the record. When the I/O is successful, NonStop TMF software saves an after image of the record.

Transaction backout reapplies before-images to database records to undo the effects of an aborted transaction.

Take, for example, an ATM transaction. Such a transaction includes the operations of adding the transaction to the bank's database, adding the transaction to the ATM's audit trail, dispensing the cash or accepting the deposit, adding or subtracting the dollars from the customer's account, and adjusting the ATM's cash balance if cash was dispensed. If, for example, the money is subtracted from the customer's account but not dispensed, neither the customer's account nor the cash balance of the ATM will reflect the correct balances. If the money is dispensed but not subtracted from the ATM's cash balance, then the ATM and audit trail will not balance. The only way to retain the accuracy and consistency of the bank's databases when errors occur is to back out the entire transaction so that the database returns to its state before the failed transaction, as if the transaction's changes had never occurred.

Before and After Audit Images

Audit images are stored in NonStop TMF's audit trails. Audit trails are configured to NonStop TMF software during the cold load process. Audit trails are cycled automatically as they become full. They may be deleted or dumped to tape or disk, depending upon NonStop TMF's configuration.

Multiple audit trail files will be resident on the system, controlled by the parameter FILESPERVOLUME for each audit trail defined to NonStop TMF software.

RISK NonStop TMF audit trails contain data from the production files and can, therefore, be used as source of obtaining sensitive information.

AP-ADVICE-TMF-01 NonStop TMF audit trails should be as well secured as the databases being audited.

Database Recovery Methods

NonStop TMF software incorporates several methods of recovery:

ROLLBACK

ROLLFORWARD

ON-LINE DUMPS

ROLLBACK

Transaction rollback (backout) recovers the database after an application or transaction failure. This is an automated function of NonStop TMF software which uses the before images stored in the audit trails. Any audit trail necessary for this function is by default available on the system.

ROLLFORWARD

Transaction rollforward is initiated by a person to recover a file from a given consistent point, reapplying before and after images up to the most recent consistent control point.

Audit trails may be configured for dumping to tape or disk and are cataloged by NonStop TMF software. On-line dumps of data must be performed periodically.

RISK Audit trail dumping does not need to be configured for ROLLBACK functionality, but must be configured for NonStop TMF ROLLFORWARD functionality if there is a possibility that an audit trail will be "rolled" and purged from disk.

RISK Tape or disk management of on-line dumps and audit trails dumps is mandatory for the ability to recover files in this method.

RISK If a needed Audit trail is not available, disaster recovery may not be able to be accomplished.

AP-ADVICE-TMF-02 If audit trails are not configured for dumping to tape, care must be taken to ensure that all of the audit trail files are retained on disk between one on-line dump and the next.

RISK If a dump tape is unreadable, for any reason, disaster recovery may not be able to be accomplished.

AP-ADVICE-TMF-03 The COPIES "n" and VERIFYTAPE ON features of audit trail dumps should be configured to minimize the risk of a bad tape.

ON-LINE DUMPS

Periodic snapshots of the audited files are called on-line dumps. These snapshots are stored on cataloged tapes to provide a consistent point from which files can be recovered. The frequency of on-line dumps is determined by the NonStop TMF manager and the Corporate Security Policy and Standards. Dumps can alternatively be output to disk instead of tape media.

RISK If an on-line dump is not available, not readable, or is not current, disaster recovery may not be able to be accomplished.

AP-ADVICE-TMF-03 The COPIES "n" and VERIFYTAPE ON features of the DUMP FILES command should be used to minimize the risk of a bad tape.

RISK Tape or disk management of on-line dumps and audit trails dumps is mandatory for the ability to recover files by this method.

RISK If dumps are made to disk, the dump subvolumes must be secured at least at the same level as the audit trails.
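The backout, on-line dump and rollforward behaviour described in the ROLLBACK, ROLLFORWARD and ON-LINE DUMPS sections above, as a small Python model added here for illustration (it is not HP code and not the NonStop implementation). Before images are logged ahead of each write and after images with it; ROLLBACK reapplies a transaction's before images; an on-line dump snapshots a file together with the current audit trail position; ROLLFORWARD restores the dump and reapplies the after images of committed transactions. The audit trail cycles under a FILESPERVOLUME limit, so the model also shows the risk noted above: an audit trail file that rolled off disk without being dumped makes rollforward impossible. File names, record layouts and the in-memory "tape" are constructed for the example.

```python
from copy import deepcopy


class RecoveryError(Exception):
    """An audit trail file needed for recovery is no longer available."""


class AuditTrail:
    """Audit trail files that cycle as they fill; only FILESPERVOLUME stay on
    disk, and a rolled-off file survives only if it was dumped to tape."""

    def __init__(self, filespervolume=2, records_per_file=3):
        self.filespervolume, self.records_per_file = filespervolume, records_per_file
        self.files = [[]]          # files[i] holds (txid, fname, key, before, after)
        self.on_disk, self.dumped, self.committed = {0}, set(), set()

    def log(self, txid, fname, key, before, after):
        if len(self.files[-1]) >= self.records_per_file:
            self.files.append([])                        # audit trail rolls
            self.on_disk.add(len(self.files) - 1)
            if len(self.on_disk) > self.filespervolume:
                self.on_disk.remove(min(self.on_disk))   # oldest file purged
        self.files[-1].append((txid, fname, key, before, after))

    def dump_audit(self):
        self.dumped |= self.on_disk    # audit dump: files now on disk go to tape

    def position(self):
        return (len(self.files) - 1, len(self.files[-1]))

    def records_since(self, pos):
        """Audit records logged after pos, failing if a needed file is gone."""
        first, offset = pos
        for i in range(first, len(self.files)):
            if i not in self.on_disk and i not in self.dumped:
                raise RecoveryError(f"audit trail file {i} purged and never dumped")
            yield from self.files[i][offset if i == first else 0:]


class AuditedFile:
    """A key/value file whose every write is logged to the audit trail."""

    def __init__(self, name, audit):
        self.name, self.audit, self.records = name, audit, {}

    def write(self, txid, key, value):
        # The before image is logged ahead of the I/O, the after image with it.
        self.audit.log(txid, self.name, key, self.records.get(key), value)
        self.records[key] = value


def backout(txid, files, audit):
    """ROLLBACK: reapply one transaction's before images, newest first."""
    for i in sorted(audit.on_disk, reverse=True):     # active audit is on disk
        for t, fname, key, before, _ in reversed(audit.files[i]):
            if t == txid and before is None:
                files[fname].records.pop(key, None)
            elif t == txid:
                files[fname].records[key] = before


def online_dump(f):
    """ON-LINE DUMP: snapshot of the file plus the audit trail position."""
    return {"name": f.name, "records": deepcopy(f.records), "pos": f.audit.position()}


def rollforward(dump, audit):
    """ROLLFORWARD: restore the dump, then reapply committed after images since it."""
    restored = AuditedFile(dump["name"], audit)
    restored.records = deepcopy(dump["records"])
    for txid, fname, key, _, after in audit.records_since(dump["pos"]):
        if fname == dump["name"] and txid in audit.committed:
            restored.records[key] = after      # aborted transactions are skipped
    return restored


def demo_backout():
    """ATM case: debit logged, dispense fails, so the whole transaction is backed out."""
    audit = AuditTrail()
    files = {n: AuditedFile(n, audit) for n in ("ACCOUNTS", "ATMCASH")}
    files["ACCOUNTS"].write("T1", "cust", 500)
    files["ATMCASH"].write("T1", "atm7", 10000)
    audit.committed.add("T1")
    files["ACCOUNTS"].write("T2", "cust", 400)   # debit logged, then dispense fails
    backout("T2", files, audit)
    return files["ACCOUNTS"].records["cust"], files["ATMCASH"].records["atm7"]


def demo_rollforward(audit_trail_dumped):
    """Recover ACCOUNTS from its dump after the trail rolled; needs every audit file since."""
    audit = AuditTrail(filespervolume=2, records_per_file=2)
    acct = AuditedFile("ACCOUNTS", audit)
    acct.write("T1", "cust", 500)
    audit.committed.add("T1")
    dump = online_dump(acct)
    for txid, balance in (("T2", 400), ("T3", 300), ("T4", 200), ("T5", 100)):
        if txid == "T4" and audit_trail_dumped:
            audit.dump_audit()           # files 0 and 1 reach tape before file 0 rolls off
        acct.write(txid, "cust", balance)
        audit.committed.add(txid)
    acct.records.clear()                 # the production file is lost
    try:
        return rollforward(dump, audit).records["cust"]
    except RecoveryError as e:
        return str(e)
```

Running demo_backout() returns the pre-transaction balances (500, 10000); demo_rollforward(True) rebuilds the file to its last committed balance of 100, while demo_rollforward(False) fails because audit trail file 0 rolled off disk without an audit dump, which is exactly the retention condition AP-ADVICE-TMF-02 is about.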

NonStop TMF Subsystem Components

NonStop TMF software is a complex product with many components. The basic components or interfaces are:

NonStop TMF programs residing in $SYSTEM.SYSnn

TMFCOM conversational interface

NonStop TMF Audit Trails

NonStop TMF Tapes

TM View optional GUI application

Programmatic Transaction commands (library calls from programs)

SNOOP audit trail reading utility

Subsystem Programmatic Interface (SPI) to NonStop TMF software

There are three primary areas of the TMF subsystem that must be protected:

NonStop TMF Audit Trails

NonStop TMF Configuration

TMFCOM

NonStop TMF Audit Trails

The NonStop TMF audit trails contain before and after images of the sensitive data.

RISK NonStop TMF audit trails contain data from the production files and, as such, can be used as a backdoor for obtaining sensitive information.

AP-ADVICE-TMF-04 NonStop TMF audit trails should be as well secured as the databases being audited.

SNOOP Utility

The SNOOP utility is a tool that can read and manipulate NonStop TMF audit records.

RISK The SNOOP utility can be used to manipulate NonStop TMF audit records.

AP-ADVICE-TMF-05 The SNOOP utility should only be available to the NonStop TMF manager and only used in disaster or problem resolution. General users should never have access to SNOOP or the NonStop TMF audit trails.

NonStop TMF Configuration

NonStop TMF software has numerous configuration parameters. In order for files to be audited, they must reside on audited disk volumes. Normally, the volume on which the TMF audit trails reside is not audited.

RISK Because generally not all volumes are audited, it is possible that critical files might reside on non-audited volumes.

AP-ADVICE-TMF-06 The Corporate Security policy and Standards should determine if any volumes are not audited and which files, other than the TMF audit trails, should reside on these volumes.

AP-ADVICE-TMF-07 Volumes that are not audited should be reserved for authorized, non-audited activity and for storing NonStop TMF audit trails.

The NonStop TMF configuration also defines the parameters that govern audit trail retention, timeouts, audit dump configuration and other parameters that directly affect the level of NonStop TMF security over data.

TMFCOM

TMFCOM is the program through which NonStop TMF software is configured and managed. Generally, NonStop TMF software runs transparently without the need for the general user to have access to the TMFCOM program.

AP-ADVICE-TMF-08 The NonStop TMF configuration and control should only be accessible by persons responsible for the maintenance of the NonStop TMF subsystem.

TMFCOM Commands With Security Implications

TMFCOM has internal security that restricts commands with security implications to SUPER Group members only. The following commands can be made available to any user without risk:

ENV

EXIT

FC

HELP

INFO

OUT

STATUS

VOLUME

?

If a third party access control product is used to grant selected users access to TMFCOM, only the commands listed should be granted to general users. All other commands should be restricted.

With a third party access control product

3P-ACCESS-TMF-01 Use a third party access control product to allow the users responsible for using TMFCOM commands access as SUPER.SUPER.

3P-ACCESS-TMF-02 Use a third party access control product to give the use of certain TMFCOM commands to a limited group of users only.

Without a third party access control product

AP-SAFE-TMF-01 Add a Safeguard Protection Record to grant appropriate access to the TMFCOM object file.

Securing NonStop TMF Components

BP-FILE-TMF-01 TMFBOUT should be secured "UUNU".

BP-PROCESS-TMFBOUT-01 $XBXn processes should be running.

BP-OPSYS-LICENSE-01 TMFBOUT must be LICENSED.

BP-OPSYS-OWNER-01 TMFBOUT should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-01 TMFBOUT must reside in $SYSTEM.SYSnn

BP-FILE-TMF-02 TMFCMMSG should be secured "NUNU".

BP-OPSYS-OWNER-01 TMFCMMSG should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-01 TMFCMMSG must reside in $SYSTEM.SYSnn

BP-FILE-TMF-03 TMFCOM should be secured "UUNU".

BP-OPSYS-OWNER-01 TMFCOM should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-01 TMFCOM must reside in $SYSTEM.SYSnn

BP-FILE-TMF-04 TMFCOM1 should be secured "UUNU".

BP-OPSYS-OWNER-01 TMFCOM1 should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-01 TMFCOM1 must reside in $SYSTEM.SYSnn

BP-PROCESS-TMFCTLG-01 $XCAT process should be running.

BP-FILE-TMF-05 TMFCTLG should be secured "UUNU".

BP-OPSYS-LICENSE-01 TMFCTLG must be LICENSED.

BP-OPSYS-OWNER-01 TMFCTLG should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-01 TMFCTLG must reside in $SYSTEM.SYSnn

BP-FILE-TMF-06 TMFDFLT should be secured "UUNU".

BP-OPSYS-OWNER-01 TMFDFLT should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-01 TMFDFLT must reside in $SYSTEM.SYSnn

BP-FILE-TMF-07 TMFDR should be secured "UUNU".

BP-OPSYS-LICENSE-01 TMFDR must be LICENSED.

BP-OPSYS-OWNER-01 TMFDR should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-01 TMFDR must reside in $SYSTEM.SYSnn

BP-FILE-TMF-08 TMFEXCPL should be secured "NUUU".

BP-OPSYS-OWNER-01 TMFEXCPL should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-01 TMFEXCPL must reside in $SYSTEM.SYSnn

BP-FILE-TMF-09 TMFFRCV should be secured "UUNU".

BP-OPSYS-LICENSE-01 TMFFRCV must be LICENSED.

BP-OPSYS-OWNER-01 TMFFRCV should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-01 TMFFRCV must reside in $SYSTEM.SYSnn

BP-FILE-TMF-10 TMFFRLS should be secured "UUNU".

BP-OPSYS-LICENSE-01 TMFFRLS must be LICENSED.

BP-OPSYS-OWNER-01 TMFFRLS should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-01 TMFFRLS must reside in $SYSTEM.SYSnn

BP-FILE-TMF-11 TMFMESG should be secured "NUNU".

BP-OPSYS-OWNER-01 TMFMESG should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-01 TMFMESG must reside in $SYSTEM.SYSnn

BP-PROCESS-TMFMON2-01 $ZTMnnn processes should be running.

BP-FILE-TMF-12 TMFMON2 should be secured "UUNU".

BP-OPSYS-LICENSE-01 TMFMON2 must be LICENSED.

BP-OPSYS-OWNER-01 TMFMON2 should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-01 TMFMON2 must reside in $SYSTEM.SYSnn

BP-FILE-TMF-13 TMFQRY should be secured "UUNU".

BP-OPSYS-OWNER-01 TMFQRY should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-01 TMFQRY must reside in $SYSTEM.SYSnn

BP-FILE-TMF-14 TMFSERVE should be secured "UUNU".

BP-OPSYS-LICENSE-01 TMFSERVE must be LICENSED.

BP-OPSYS-OWNER-01 TMFSERVE should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-01 TMFSERVE must reside in $SYSTEM.SYSnn

BP-FILE-TMF-15 TMFTIFIN should be secured "UUNU".

BP-OPSYS-OWNER-01 TMFTIFIN should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-01 TMFTIFIN must reside in $SYSTEM.SYSnn

BP-PROCESS-TMFTMP-01 $TMP process should be running.

BP-FILE-TMF-16 TMFTMP should be secured "UUNU".

BP-OPSYS-LICENSE-01 TMFTMP must be LICENSED.

BP-OPSYS-OWNER-01 TMFTMP should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-01 TMFTMP must reside in $SYSTEM.SYSnn

BP-FILE-TMF-17 TMFVRCV should be secured "UUNU".

BP-OPSYS-LICENSE-01 TMFVRCV must be LICENSED.

BP-OPSYS-OWNER-01 TMFVRCV should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-01 TMFVRCV must reside in $SYSTEM.SYSnn

BP-FILE-SNOOP-01 SNOOP should be secured "OOOO".

BP-OPSYS-LICENSE-01 SNOOP must be LICENSED.

BP-OPSYS-OWNER-01 SNOOP should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-01 SNOOP must reside in $SYSTEM.SYSnn

BP-FILE-SNOOP-02 SNOOPDOC should be secured "NOOO".

BP-OPSYS-OWNER-01 SNOOP should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-01 SNOOP must reside in $SYSTEM.SYSnn

BP-FILE-SNOOP-03 SNOOPDR should be secured "OOOO".

BP-OPSYS-LICENSE-01 SNOOPDR must be LICENSED.

BP-OPSYS-OWNER-01 SNOOPDR should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-01 SNOOPDR must reside in $SYSTEM.SYSnn

The NonStop TMF audit trails contain all the same data as the production databases. Anyone with read access to the NonStop TMF audit trails has access to production data.

AP-FILE-TMF-01 To prevent unwanted access to production data, the NonStop TMF audit trails must be secured at least as tightly as the database files being audited, or as a default the following:

BP-FILE-TMFAUDIT-19 AUDIT TRAILS should be secured "GGGG".

BP-OPSYS-OWNER-03 AUDIT TRAILS should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-03 AUDIT TRAILS reside in $<audit vol>.ZTMFAT

If available, use Safeguard software or a third party object security product to grant access to TMFCOM components only to users who require it in order to perform their jobs.

BP-SAFE-TMF-01 Add a Safeguard Protection Record to grant appropriate access to the TMFCOM/TMFCOM1 object files.

BP-SAFE-SNOOP-01 Add a Safeguard Protection Record to grant appropriate access to the SNOOP object file.
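A compliance check for the baseline listed above, added here as example code (it is neither HP's nor the book's). It parses a listing in the shape of FUP INFO ..., DETAIL output (the sample embedded below is constructed, not captured from a system), compares each TMF and SNOOP object file against the BP-FILE, BP-OPSYS-OWNER, BP-OPSYS-LICENSE and BP-OPSYS-FILELOC settings above, and adds an RWEP comparison for the audit trail rule "secured at least as tightly as the database files being audited". The RWEP letter meanings it encodes are the standard Guardian ones as understood by the author of this example; confirm them against the system's security documentation before relying on the comparison.

```python
import re

# Baseline transcribed from this chapter: object -> (required RWEP, must be LICENSED).
# Every object must also be owned by SUPER.SUPER (255,255) and reside in $SYSTEM.SYSnn.
BASELINE = {
    "TMFBOUT": ("UUNU", True),   "TMFCMMSG": ("NUNU", False), "TMFCOM": ("UUNU", False),
    "TMFCOM1": ("UUNU", False),  "TMFCTLG": ("UUNU", True),   "TMFDFLT": ("UUNU", False),
    "TMFDR": ("UUNU", True),     "TMFEXCPL": ("NUUU", False), "TMFFRCV": ("UUNU", True),
    "TMFFRLS": ("UUNU", True),   "TMFMESG": ("NUNU", False),  "TMFMON2": ("UUNU", True),
    "TMFQRY": ("UUNU", False),   "TMFSERVE": ("UUNU", True),  "TMFTIFIN": ("UUNU", False),
    "TMFTMP": ("UUNU", True),    "TMFVRCV": ("UUNU", True),   "SNOOP": ("OOOO", True),
    "SNOOPDOC": ("NOOO", False), "SNOOPDR": ("OOOO", True),
}

# Who each Guardian security letter admits (standard RWEP meanings as understood by
# this example's author): local-only letters A/G/O, their network counterparts
# N/C/U, and "-" for the local super ID only.
_WHO = {"A": ("owner", "group", "other"), "N": ("owner", "group", "other"),
        "G": ("owner", "group"), "C": ("owner", "group"),
        "O": ("owner",), "U": ("owner",), "-": ()}
_WHERE = {"A": ("local",), "G": ("local",), "O": ("local",), "-": (),
          "N": ("local", "remote"), "C": ("local", "remote"), "U": ("local", "remote")}


def admitted(letter):
    """Set of (location, principal class) pairs one RWEP letter lets through."""
    return {(w, p) for w in _WHERE[letter] for p in _WHO[letter]}


def at_least_as_tight(candidate, reference):
    """True if no RWEP position of candidate admits someone reference refuses;
    this is the audit trail rule 'at least as tight as the database files'."""
    return all(admitted(c) <= admitted(r)
               for c, r in zip(candidate.upper(), reference.upper()))


def parse_fup_info(listing):
    """Parse a FUP INFO ..., DETAIL style listing into {path: attributes}."""
    entries, cur = {}, None
    for line in listing.splitlines():
        if line.startswith("$"):                       # a new file entry
            cur = {"owner": None, "security": None, "licensed": False}
            entries[line.split()[0]] = cur
        elif cur is not None:
            m = re.match(r"\s*OWNER\s+(\d+,\d+)", line)
            if m:
                cur["owner"] = m.group(1)
            m = re.match(r"\s*SECURITY \(RWEP\):\s*([A-Z-]{4})(,\s*LICENSED)?", line)
            if m:
                cur["security"], cur["licensed"] = m.group(1), bool(m.group(2))
    return entries


def check_tmf_objects(entries):
    """Findings as (object, problem) pairs; an empty list means compliant."""
    findings = []
    for path, e in entries.items():
        name = path.rsplit(".", 1)[-1]
        if name not in BASELINE:
            continue
        want_sec, want_lic = BASELINE[name]
        if not re.fullmatch(r"\$SYSTEM\.SYS\d\d\.[A-Z0-9]+", path):
            findings.append((name, "must reside in $SYSTEM.SYSnn"))
        if e["owner"] != "255,255":
            findings.append((name, f"owner is {e['owner']}, should be SUPER.SUPER"))
        if e["security"] != want_sec:
            findings.append((name, f"security is {e['security']}, should be {want_sec}"))
        if want_lic and not e["licensed"]:
            findings.append((name, "must be LICENSED"))
    return findings


# Constructed listing in the shape of FUP INFO DETAIL output (not real output).
SAMPLE_LISTING = """\
$SYSTEM.SYS03.TMFCOM                  4 Jan 2004, 09:12
   OWNER 255,255
   SECURITY (RWEP): UUNU
$SYSTEM.SYS03.SNOOP                   4 Jan 2004, 09:12
   OWNER 255,255
   SECURITY (RWEP): AAAA, LICENSED
$SYSTEM.SYS03.TMFSERVE                4 Jan 2004, 09:12
   OWNER 255,255
   SECURITY (RWEP): UUNU
$DATA1.OLDSYS.TMFCOM1                 4 Jan 2004, 09:12
   OWNER 8,1
   SECURITY (RWEP): NUNU
"""


def audit_sample():
    return check_tmf_objects(parse_fup_info(SAMPLE_LISTING))


if __name__ == "__main__":
    for obj, problem in audit_sample():
        print(f"{obj}: {problem}")
```

On the constructed listing the check reports five findings: SNOOP secured AAAA instead of OOOO, TMFSERVE not licensed, and TMFCOM1 in the wrong location, with the wrong owner and with NUNU instead of UUNU; TMFCOM passes. The RWEP comparison treats each position as the set of principals it admits, so OOOO is at least as tight as UUNU, GGGG is at least as tight as CCCC, but GGGG is not at least as tight as NUNU, because its write position admits local group members whom U refuses.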

Discovery Questions

Each row gives the check identifier, the question to answer, and where to look for the answer.

ID | Question | Look here
FILE-POLICY | Is NonStop TMF software used on the system for protection of application databases? | Policy
PROCESS-TMFBOUT-01 | Are the $XBKn processes running? | Status
PROCESS-TMFCTLG-01 | Is the $XCAT process running? | Status
PROCESS-TMFMON2-01 | Are the $ZTMnn processes running? | Status
PROCESS-TMFTMP-01 | Is the $TMP process running? | Status
OPSYS-OWNER-01 | Who owns the TMFBOUT object file? | Fileinfo
OPSYS-OWNER-01 | Who owns the TMFCMMSG object file? | Fileinfo
OPSYS-OWNER-01 | Who owns the TMFCOM object file? | Fileinfo
OPSYS-OWNER-01 | Who owns the TMFCOM1 object file? | Fileinfo
OPSYS-OWNER-01 | Who owns the TMFCTLG object file? | Fileinfo
OPSYS-OWNER-01 | Who owns the TMFDFLT object file? | Fileinfo
OPSYS-OWNER-01 | Who owns the TMFDR object file? | Fileinfo
OPSYS-OWNER-01 | Who owns the TMFEXCPL object file? | Fileinfo
OPSYS-OWNER-01 | Who owns the TMFFRCV object file? | Fileinfo
OPSYS-OWNER-01 | Who owns the TMFFRLS object file? | Fileinfo
OPSYS-OWNER-01 | Who owns the TMFMESG object file? | Fileinfo
OPSYS-OWNER-01 | Who owns the TMFMON2 object file? | Fileinfo
OPSYS-OWNER-01 | Who owns the TMFQRY object file? | Fileinfo
OPSYS-OWNER-01 | Who owns the TMFSERVE object file? | Fileinfo
OPSYS-OWNER-01 | Who owns the TMFTIFIN object file? | Fileinfo
OPSYS-OWNER-01 | Who owns the TMFTMP object file? | Fileinfo
OPSYS-OWNER-01 | Who owns the TMFVRCV object file? | Fileinfo
OPSYS-OWNER-01 | Who owns the SNOOP object file? | Fileinfo
OPSYS-OWNER-01 | Who owns the SNOOPDR object file? | Fileinfo
OPSYS-OWNER-03 | Who owns the AUDIT TRAILS files? | Fileinfo
OPSYS-LICENSE-01 | Is TMFBOUT licensed? | Fileinfo
OPSYS-LICENSE-01 | Is TMFCTLG licensed? | Fileinfo
OPSYS-LICENSE-01 | Is TMFDR licensed? | Fileinfo
OPSYS-LICENSE-01 | Is TMFFRCV licensed? | Fileinfo
OPSYS-LICENSE-01 | Is TMFFRLS licensed? | Fileinfo
OPSYS-LICENSE-01 | Is TMFMON2 licensed? | Fileinfo
OPSYS-LICENSE-01 | Is TMFSERVE licensed? | Fileinfo
OPSYS-LICENSE-01 | Is TMFTMP licensed? | Fileinfo
OPSYS-LICENSE-01 | Is TMFVRCV licensed? | Fileinfo
OPSYS-LICENSE-01 | Is SNOOP licensed? | Fileinfo
OPSYS-LICENSE-01 | Is SNOOPDR licensed? | Fileinfo
FILE-TMF-01 | Is the TMFBOUT object file secured correctly? | Fileinfo
FILE-TMF-02 | Is the TMFCMMSG object file secured correctly? | Fileinfo
FILE-TMF-03, SAFE-TMF-01 | Is the TMFCOM object file correctly secured with the Guardian or Safeguard system? | Fileinfo, Safecom
FILE-TMF-04, SAFE-TMF-01 | Is the TMFCOM1 object file correctly secured with the Guardian or Safeguard system? | Fileinfo, Safecom
FILE-TMF-05 | Is the TMFCTLG object file secured correctly? | Fileinfo
FILE-TMF-06 | Is the TMFDFLT object file secured correctly? | Fileinfo
FILE-TMF-07 | Is the TMFDR object file secured correctly? | Fileinfo
FILE-TMF-08 | Is the TMFEXCPL object file secured correctly? | Fileinfo
FILE-TMF-09 | Is the TMFFRCV object file secured correctly? | Fileinfo
FILE-TMF-10 | Is the TMFFRLS object file secured correctly? | Fileinfo
FILE-TMF-11 | Is the TMFMESG object file secured correctly? | Fileinfo
FILE-TMF-12 | Is the TMFMON2 object file secured correctly? | Fileinfo
FILE-TMF-13 | Is the TMFQRY object file secured correctly? | Fileinfo
FILE-TMF-14 | Is the TMFSERVE object file secured correctly? | Fileinfo
FILE-TMF-15 | Is the TMFTIFIN object file secured correctly? | Fileinfo
FILE-TMF-16 | Is the TMFTMP object file secured correctly? | Fileinfo
FILE-TMF-17 | Is the TMFVRCV object file secured correctly? | Fileinfo
FILE-SNOOP-01, SAFE-SNOOP-01 | Is the SNOOP object file correctly secured with the Guardian or Safeguard system? | Fileinfo, Safecom
FILE-SNOOP-02 | Is the SNOOPDOC file secured correctly? | Fileinfo
FILE-SNOOP-03 | Is the SNOOPDR object file secured correctly? | Fileinfo
FILE-TMFAUDIT-01 | Are the AUDIT TRAIL files secured correctly? | Fileinfo

Related Topics

DSM/SCM

DDL/Enscribe software

Guardian Operating System procedure calls.

NonStop SQL/MP database

Pathway

NonStop SQL database




HP NonStop Server Security 2004
ISBN: 159059035X
EAN: N/A
Year: 2004
Pages: 157