Safeguard software enhances control of userids and adds the ability to configure aliases on the HP NonStop server.
Safeguard software considers userids to be objects. Like other objects, the characteristics of individual userids are maintained in USER Protection Records, referred to hereafter as User Records. The following items affect Safeguard user configuration:
User-related Safeguard Global Parameters
An OBJECTTYPE Protection Record controls who is allowed to CREATE Protection Records for individual objects of that particular Object Class. The User OBJECTTYPE, therefore, is used to restrict who is allowed to CREATE User and Alias Records. Please refer to Part Two: Safeguard Subsystem for more information on OBJECTTYPES.
Any local SUPER Group member can create the USER OBJECTTYPE record unless an OBJECTTYPE OBJECTTYPE Protection Record exists that limits creation of OBJECTTYPE records to a specific list of users.
BP-SAFEGARD-CONFIG-02 The OBJECTTYPE OBJECTTYPE Protection Record should be used to restrict who can create the other OBJECTTYPE Records.
Any user granted create (C) in the Protection Record of the USER OBJECTTYPE record can ADD userids.
Any user granted ownership (O) in the Protection Record of a USER can ALTER or DELETE the user.
BP-SAFEGARD-CONFIG-04 Only members of the Security Group and SUPER.SUPER should be authorized to CREATE, ALTER or DELETE userids.
BP-USER-OBJTYPE-01 The USER OBJECTTYPE should be created.
BP-USER-OBJTYPE-02 Security.Admin should be granted both OWN and CREATE in the OBJECTTYPE User Protection Record.
The User-related Global Parameters not discussed elsewhere in the handbook are:
Command Interpreter Parameters
The following user-related Safeguard Globals are discussed in Part Four under LOGON.
The following user-related Safeguard Globals are discussed in Password Management.
The Command Interpreter (CI) parameter determines the program that Safeguard software will start after it has authenticated the user at a Safeguard-controlled terminal. The remaining CI parameters set specific characteristics of the program. If no entry is made for CI-PROG, the other CI parameters will be ignored.
CIs can be configured in three places:
Safeguard User Records
Safeguard Terminal Records
Safeguard Global Parameters
Safeguard software searches for a CI specification in the following order: User Record, Terminal Definition Record and, finally, the Safeguard Globals. The first specification found during the search is the CI that is started after user authentication. Therefore, a command interpreter specified in a user authentication record always takes precedence over one specified in a Terminal Definition Record or the Safeguard global record.
If no CI is specified in the user authentication record or in the Terminal Definition Record, the CI defined in the Safeguard Globals is used. If no CI is specified globally, then the CI started is $SYSTEM.SYSTEM.TACL.
The CI-PROG parameter determines the command interpreter that Safeguard software will start after it has authenticated the user at a Safeguard-controlled terminal. The <program-file name> is the name of the command interpreter's object file. It must be a local file. This value is frequently $SYSTEM.SYSTEM.TACL.
If no entry is made for CI-PROG, the rest of the CI parameters will be ignored.
The CI-LIB parameter determines the library file to be used with the command interpreter that is started when this user is authenticated at a Safeguard terminal. The <lib-filename> must be a local file name. If <lib-filename> is omitted, no library file is used.
If no entry is made for CI-PROG, the CI-LIB parameter will be ignored.
The CI-CPU parameter determines the CPU in which Safeguard software will start the command interpreter. If ANY is specified, any available CPU may be used. If <cpu-number> is omitted, any CPU may be used.
If no entry is made for CI-PROG, the CI-CPU parameter will be ignored.
The CI-NAME parameter determines the process name that Safeguard software will apply to the specified command interpreter process. The <process-name> must be a local process name. If <process-name> is omitted, Safeguard software generates the process name.
If no entry is made for CI-PROG, the CI-NAME parameter will be ignored.
The CI-SWAP parameter determines the volume or file to be used as the swap volume or file for the specified command interpreter. The <volume-name> must be a local volume name. If <volume-name> is omitted, the configured system volume is used.
If no entry is made for CI-PROG, the CI-SWAP parameter will be ignored.
The CI-PRI parameter determines the priority at which Safeguard software will start the specified command interpreter. If the priority is omitted, the process runs at the same priority as Safeguard, which is determined by the CI-PRI parameter in the Safeguard Globals.
RISK If neither this parameter nor the Safeguard global CI-PRI is set, the process will be started at priority 199.
BP-SAFEGARD-GLOBAL-60 CI-PRI should be 150 or less
The CI-PARAM-TEXT parameter determines the data to be supplied as the startup message text for the command interpreter specified by CI-PROG. If the CI-PARAM-TEXT attribute is specified, it must be the last attribute in the command string. If <startup-param-text> is omitted, the string is set to null (no text is supplied in the startup message).
If no entry is made for CI-PROG, the CI-PARAM-TEXT parameter will be ignored.
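To make the search order concrete, here is an added Python model of the CI lookup. It is example code written for this handbook section, not part of Safeguard and not from the original text. The record dictionaries keyed by the CI-* attribute names, the sample userids and the sample values are constructed; treating the global CI-PRI as the priority fallback when the winning level has none follows the CI-PRI text above and is marked as a modeling assumption in the code.

```python
# Added illustrative model of Safeguard's command-interpreter lookup.
# It follows the search order given in this section (User Record, Terminal
# Record, Safeguard Globals, then $SYSTEM.SYSTEM.TACL) and the rule that
# CI-* attributes are ignored at a level that has no CI-PROG.  This is not a
# Safeguard API; the record dictionaries are constructed inputs that mirror
# the attribute names used in the text.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BUILTIN_CI = "$SYSTEM.SYSTEM.TACL"  # started when no level specifies CI-PROG
FALLBACK_PRI = 199                  # priority when CI-PRI is set at no level (RISK note)
MAX_RECOMMENDED_PRI = 150           # BP-SAFEGARD-GLOBAL-60
CI_ATTRS = ("CI-PROG", "CI-LIB", "CI-CPU", "CI-NAME", "CI-SWAP", "CI-PRI", "CI-PARAM-TEXT")


@dataclass
class CIResolution:
    source: str             # USER, TERMINAL, GLOBAL or BUILTIN
    prog: str               # object file Safeguard would start
    pri: int                # effective priority of that process
    attrs: Dict[str, str]   # CI-* attributes taken from the winning level
    warnings: List[str] = field(default_factory=list)


def resolve_ci(user: Dict[str, str], terminal: Dict[str, str],
               globals_: Dict[str, str]) -> CIResolution:
    """Pick the CI the way the text describes the search.

    Modeling assumption (from the CI-PRI text): when the winning level has no
    CI-PRI, the global CI-PRI applies even if the globals carry no CI-PROG;
    if that is also unset the process runs at 199.
    """
    warnings: List[str] = []
    levels: Tuple[Tuple[str, Dict[str, str]], ...] = (
        ("USER", user), ("TERMINAL", terminal), ("GLOBAL", globals_))
    for name, record in levels:
        ci = {k: v for k, v in record.items() if k in CI_ATTRS}
        if "CI-PROG" in ci:
            source, attrs = name, ci
            break
        # A level without CI-PROG does not specify a CI; any other CI-*
        # attributes set there are silently ignored, which is worth surfacing.
        if name != "GLOBAL" and ci:
            warnings.append(f"{name}: {', '.join(sorted(ci))} ignored (no CI-PROG at this level)")
    else:
        source, attrs = "BUILTIN", {}
    pri = int(attrs.get("CI-PRI", globals_.get("CI-PRI", FALLBACK_PRI)))
    return CIResolution(source, attrs.get("CI-PROG", BUILTIN_CI), pri, attrs, warnings)


def audit_ci(res: CIResolution) -> List[str]:
    """Findings a reviewer would raise against the resolved CI."""
    findings = list(res.warnings)
    if res.pri > MAX_RECOMMENDED_PRI:
        findings.append(f"BP-SAFEGARD-GLOBAL-60: effective CI priority {res.pri} "
                        f"exceeds {MAX_RECOMMENDED_PRI}")
    return findings


if __name__ == "__main__":
    # Constructed sample records (not taken from a real system).
    GLOBALS = {"CI-PROG": "$SYSTEM.SYSTEM.TACL", "CI-PRI": "150"}
    TERMINAL = {"CI-PROG": "$SYSTEM.SYSTEM.TACL", "CI-PRI": "199"}
    USERS = {
        "OPS.ALICE": {"CI-PROG": "$SYSTEM.SYSTEM.TACL", "CI-PRI": "140"},
        "DEV.BOB": {"CI-PRI": "100"},           # CI-PRI without CI-PROG: ignored
        "APP.CAROL": {},                        # inherits the terminal's CI
    }
    for uid, rec in USERS.items():
        r = resolve_ci(rec, TERMINAL, GLOBALS)
        print(f"{uid}: {r.prog} from {r.source} at priority {r.pri}")
        for f in audit_ci(r):
            print("   ", f)
```

Running it shows the trap the text warns about: DEV.BOB's CI-PRI of 100 is dropped because the User Record has no CI-PROG, so the Terminal Record's CI at priority 199 wins and is flagged against BP-SAFEGARD-GLOBAL-60.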
Numerous parameters in the User Record have security implications and the settings should be determined by the Corporate Security Policy and Standards. These are:
GUARDIAN DEFAULT VOLUME
GUARDIAN DEFAULT SECURITY
SUBJECT DEFAULT PROTECTION
Command Interpreter Attributes
The following password-related User Parameters are discussed later in Password Administration:
BP-USER-ADMIN-02 All Safeguard User and Alias Records should be owned by a single Security Admin userid. This is the only way to guarantee that the Security Admin userid can view all existing Users and Aliases on the system.
RISK If only Security.Admin is allowed to ALTER userids, there is a risk that the Security.Admin User Record itself might be frozen or expired, making it impossible for anyone to log on with that userid in an emergency.
BP-SAFEGARD-CONFIG-03 The Security Admin ID itself should be owned by SUPER.SUPER, so that SUPER.SUPER can reset Security.Admin's password, thaw the user record, or alter its expiration date if it should become necessary.
The USER-EXPIRES parameter determines the date that the userid or alias will expire. Once a userid is expired, no one can use it to access the system.
The userid can be reactivated by changing the USER-EXPIRES attribute to a future date.
RISK If both date and time are omitted when the ALTER command is issued, the USER-EXPIRES date is set to NONE, and the userid will never expire.
AP-USER-CONFIG-01 All non-employees should have a value set in the USER-EXPIRES parameter that corresponds to the duration of their need.
When a userid or alias is frozen, it cannot be used to logon.
RISK If Safeguard software is down for any reason, FROZEN userids (though still frozen) behave as if they are thawed.
The Guardian Default Volume parameter determines the volume and subvolume where the user's TACL session will begin.
RISK If no GUARDIAN DEFAULT VOLUME is entered when a user record is added, Safeguard software assigns the default value of $SYSTEM.NOSUBVOL.
BP-USER-CONFIG-01 Each user should have a unique GUARDIAN DEFAULT VOLUME to prevent the sharing of TACLCSTM and other *CSTM files.
BP-USER-CONFIG-02 The GUARDIAN DEFAULT VOLUME should not be on the $SYSTEM disk. No personal files should exist on the $SYSTEM disk.
This attribute is used to designate the default security for files created by the user.
Such assignments should be consistent with the organization's policies. The safest (and most restrictive) approach in the Guardian environment is to set all user defaults to local owner for all four permissions (that is, OOOO). Then only deliberate action can make a new file available to users other than the owner, the owner's group manager, or SUPER.SUPER (if SUPER.SUPER is not configured UNDENIABLE).
Often, however, certain groups of users, such as the security staff, developers and system technical support, share many of their files. For these users, the Guardian Default Security might allow their group to read and/or execute (GOGO). Note that a string such as NUNU grants read and execute to any user on the network, not just the group, and write and purge to the owner from any node; it is considerably more permissive than GOGO.
AP-USER-CONFIG-02 The Security Policy should include the appropriate Guardian Default Security settings for each user group in the organization.
Whether or not Safeguard software is installed, users can change their default security using the DEFAULT program if they have execute access to the DEFAULT object file. A user's group manager or SUPER.SUPER (if SUPER.SUPER is not configured UNDENIABLE) can also change the user's default security string, by logging onto that user's userid.
AP-USER-CONFIG-03 The Security Policy should dictate whether or not users are allowed to alter their default security.
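The following added Python example (written for this section; it is not a NonStop utility and not part of the original handbook) decodes Guardian RWEP security strings and checks a user's default security against a per-group ceiling, the kind of table AP-USER-CONFIG-02 asks the Security Policy to define. The letter meanings are Guardian's; the policy table, sample userids and the audience ranking used to compare two letters are constructed for the example.

```python
# Added example for this handbook section: decode a Guardian RWEP security
# string and check a user's default security against a per-group ceiling.
# Written for this page, not a NonStop utility; the policy table and sample
# users are constructed.  Letter meanings are Guardian's: O/G/A are local
# owner, group and any user; U/C/N are their network-wide counterparts;
# '-' is the local super ID only.
from typing import Dict, List

POSITIONS = ("read", "write", "execute", "purge")
SCOPE = {
    "O": "owner (local)",
    "G": "owner's group (local)",
    "A": "any user (local)",
    "U": "owner (network)",
    "C": "owner's community, i.e. group (network)",
    "N": "any user (network)",
    "-": "local super ID only",
}
# Constructed ranking of how many users a letter admits, ignoring reach.
AUDIENCE = {"-": 0, "O": 1, "U": 1, "G": 2, "C": 2, "A": 3, "N": 3}
NETWORK = frozenset("UCN")


def parse_security(string: str) -> Dict[str, str]:
    """Map read/write/execute/purge to the letter in that position.

    Raises ValueError for anything that is not four valid RWEP letters.
    """
    s = string.strip().upper()
    if len(s) != 4 or any(ch not in SCOPE for ch in s):
        raise ValueError(f"not a Guardian RWEP security string: {string!r}")
    return dict(zip(POSITIONS, s))


def describe(string: str) -> List[str]:
    """Human-readable reading of each position, e.g. for an access review."""
    return [f"{perm}: {SCOPE[letter]}" for perm, letter in parse_security(string).items()]


def wider_than(actual: str, ceiling: str) -> bool:
    """True if a letter admits more users, or wider reach, than the ceiling."""
    return (AUDIENCE[actual] > AUDIENCE[ceiling]
            or (actual in NETWORK and ceiling not in NETWORK))


def check_default_security(group: str, actual: str, policy: Dict[str, str],
                           fallback: str = "OOOO") -> List[str]:
    """Findings for each RWEP position where the user's default security is
    wider than the ceiling the policy sets for their group (fallback OOOO)."""
    ceiling = parse_security(policy.get(group, fallback))
    current = parse_security(actual)
    return [f"{perm}: {current[perm]} ({SCOPE[current[perm]]}) exceeds "
            f"{ceiling[perm]} ({SCOPE[ceiling[perm]]})"
            for perm in POSITIONS if wider_than(current[perm], ceiling[perm])]


if __name__ == "__main__":
    # Constructed policy: developers and security staff may share read/execute
    # within their group; everyone else stays at the OOOO default.
    POLICY = {"DEV": "GOGO", "SECURITY": "GOGO"}
    SAMPLE_USERS = [("DEV.BOB", "GOGO"), ("DEV.DANA", "NUNU"), ("OPS.ALICE", "GOGO")]
    for uid, default in SAMPLE_USERS:
        group = uid.split(".")[0]
        findings = check_default_security(group, default, POLICY)
        print(f"{uid} {default}: {'ok' if not findings else 'exceeds policy'}")
        for line in findings:
            print("   ", line)
```

DEV.DANA's NUNU is reported on all four positions: N opens read and execute to every user on the network, and U lets the owner write and purge from any node, both wider than the GOGO ceiling her group is allowed. OPS.ALICE is flagged only on read and execute, where GOGO exceeds the OOOO fallback.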
The DEFAULT PROTECTION parameter defines the Safeguard Diskfile Protection Record that will be automatically created for each file the user creates.
The default Protection Record is defined like any other diskfile Protection Record, specifying the owner of the Protection Record and the access it grants.
If no DEFAULT PROTECTION parameter is specified, then any files the user creates will be assigned the Default Security String. There will be no Safeguard Diskfile Protection Record, unless added by an authorized user. The file may, however, be protected under a VOLUME or SUBVOLUME rule.
RISK Not all files that a user creates may need a Protection Record, such as edit files, temporary files, etc.
RISK An excessive number of Protection Records can be automatically created.
RISK If the DEFAULT PROTECTION record does not grant the Security.Admin userid ownership (O) access, Security.Admin will not be able to 'see' the Protection Records it automatically creates. This makes it very difficult to research access problems and to clean up orphaned Protection Records.
BP-USER-CONFIG-03 Do not use SUBJECT DEFAULT PROTECTION in User Records.
The Command Interpreter (CI) parameter determines the program that Safeguard software will start after it has authenticated the user at a Safeguard-controlled terminal.
Please refer to the discussion on Command Interpreter parameters as discussed previously in this section.
Two of the three OSS-specific settings represent the OSS equivalents of Guardian-specific User Record attributes:
INITIAL-DIRECTORY is the OSS equivalent of GUARDIAN-DEFAULT-VOLUME.
INITIAL-PROGRAM is the OSS equivalent of CI-PROG.
The third OSS Specific setting is INITIAL-PROGTYPE.
The INITIAL-PROGRAM and INITIAL-PROGTYPE attributes are not currently implemented; they are reserved for future use.
The INITIAL-DIRECTORY parameter determines the user's 'home directory' within the OSS file system. The <directory-path> is a case-sensitive text string of up to 256 characters. It must be a syntactically valid OSS pathname. The directory must exist or the user will not be permitted to log on.
If the INITIAL-DIRECTORY attribute is specified, it must be the last attribute in the command string.
RISK If <directory-path> is omitted, the string is set to null (no pathname) and the Guardian default directory is assumed.
Note that this feature is not currently implemented on HP NonStop systems. It is reserved for future use.
The INITIAL-PROGRAM parameter determines the OSS program that Safeguard software will start after it has authenticated the user at a Safeguard-controlled terminal. The <prog-path> is a case-sensitive text string of up to 256 characters. It must be a syntactically valid OSS pathname. If <prog-path> is omitted, the string is set to null (no pathname).
Note that this feature is not currently implemented on HP NonStop systems. It is reserved for future use.
The INITIAL-PROGTYPE parameter determines the type of the initial program within the OSS environment for the user. The valid <prog-types> are:
If <prog-type> is omitted, the initial program type is set to PROGRAM.
The PRIMARY-GROUP attribute represents the user's primary group. When a userid is added, the user's administrative group is also the user's primary group. To change the primary group, use the ALTER USER command to alter the PRIMARY-GROUP attribute.
If a different PRIMARY-GROUP is then set, Safeguard software does not implicitly add that group to the user's group list if the user does not already belong to it. The previous primary group remains on the user's group list, but no longer as the primary group.
Specifying PRIMARY-GROUP with neither <group-name> nor <group-num> clears the primary group setting, and the user's administrative group becomes the primary group again.
Logon sets the group list of a process to contain the user's entire group list, and also copies the user's primary group to the real group ID, effective group ID, and saved set-group-ID of the process. Because a user's primary group may differ from that user's administrative group, the effective group ID of a process may differ from the administrative group of the process as defined by the PAID.