Since its earliest design, the NonStop system has had an interface to a user-supplied Command Monitoring Process. This process, named $CMON, has never been supplied by the NonStop operating systems development groups. Several versions are available, however, such as the one provided by the ITUG user group, that monitor and control different aspects of system usage.
3P-CMON-PROCESS-01 There are several supported third party CMON products available.
The original CMON specification allows the CMON process to mediate LOGONs, LOGOFFs, NEW PROCESS RUNs, ALTER PRIORITY commands, USER ADDs and USER DELETEs. Since the advent of Safeguard software with the C20 series operating system releases, the USER ADD and USER DELETE functions have become superfluous. Most third party packages allow the security administrator to set rules controlling:
- The CPU of a new process
- The priority of a new process
- Changes to the priority of a running process
- User logons based on the user's logical port (IP address)
When a CMON process is present on the system and any of the actions above occurs, a message is sent to the CMON process. The sending process waits until either CMON responds or the time spent waiting exceeds the timeout parameter defined by the system manager in TACLCONF or in Safeguard software, generally 15 to 30 seconds. If CMON responds without blocking the action, or no response arrives before the timeout expires and a response is not required, processing continues. If the CMON process returns a message blocking the action, the action is denied and an error is returned to the user who originated the action.
If the environment makes it necessary to log on as SUPER.SUPER, users should be forced to log on to the system with their own ID first and only then log on as SUPER.SUPER from that session (a 'stepped' logon). This can be accomplished with a CMON that can enforce stepped logons.
BP-USER-PRIVLEGE-01 Users should not be able to logon directly as a Privileged ID except for emergencies. They must first logon using their personal userid.
AP-ADVICE-CMON-01 If the Corporate Security Policy or Standards mandates that access to the HP NonStop server be controlled via IP address or PORT, install a CMON product.
AP-ADVICE-CMON-02 If the Corporate Security Policy or Standards mandates that users can only run certain utilities when logged on from specific PORTs, CMON can restrict the utilities and programs that can be run when a user logs on to a given port.
AP-ADVICE-CMON-03 CMON can be configured to manage which CPU and priority new processes will use.
In a Guardian environment, TACL communicates with CMON. The extent of CMON's control is determined by parameters bound into TACL. This is referred to as the TACL configuration or TACLCONF.
The parameters are:
- CMONREQUIRED
- CMONTIMEOUT
- REMOTECMONREQUIRED
- REMOTECMONTIMEOUT
The CMONREQUIRED parameter determines whether or not CMON must rule on all process requests. The valid entries are:
Value | Meaning |
---|---|
0 (zero) | A response from CMON is not required. If the CMONREQUIRED value is 0 (zero) and CMON doesn't respond, TACL will act on the process request. |
-1 | A response from CMON is required. If the CMONREQUIRED value is -1 and CMON does not respond, TACL will wait for the number of seconds defined by the CMONTIMEOUT value. If the timeout occurs, the action will be denied. |
RISK If the CMONREQUIRED value is -1, the system is at risk for denial of service.
With or without Safeguard software:
BP-TACL-TACLCONF-03 If CMON is running, CMONREQUIRED should be 0 (a response from CMON is not required).
The CMONTIMEOUT parameter determines how long TACL will wait for a response from CMON. A value of -1 will disable timeouts. The valid entries are:
Value | Meaning |
---|---|
-1 | If CMONTIMEOUT is -1, TACL will wait forever for a response from CMON. |
<n> | If CMONTIMEOUT is n (seconds), TACL will wait n seconds for CMON to respond. If CMON doesn't respond, TACL will act on the process request. The number of seconds chosen should depend on the speed of the system and the network. |
RISK If the CMONTIMEOUT value is -1, TACL will wait forever for a response. A CMON that isn't running or is running too slowly can cause denial of service.
With or without Safeguard software:
BP-TACL-TACLCONF-08 If CMON is running, CMONTIMEOUT should be set to a number of seconds that will not seriously inconvenience the user population.
The REMOTECMONREQUIRED parameter determines whether or not CMON must rule on all remote process requests. The valid entries are:
Value | Meaning |
---|---|
0 (zero) | A response from CMON is not required. If the REMOTECMONREQUIRED value is 0 (zero) and CMON doesn't respond, TACL will act on the process request. |
-1 | A response from CMON is required. If the REMOTECMONREQUIRED value is -1 and CMON does not respond, TACL will wait for the number of seconds defined by the REMOTECMONTIMEOUT value. If the timeout occurs, the action will be denied. |
RISK If the REMOTECMONREQUIRED value is -1, the system is at risk for denial of service.
With or without Safeguard software:
BP-TACL-TACLCONF-04 If CMON is running, REMOTECMONREQUIRED should be 0 (off), a response is not required.
The REMOTECMONTIMEOUT parameter determines the number of seconds TACL will wait for a response from a remote CMON. The valid entries are:
Value | Meaning |
---|---|
-1 | If REMOTECMONTIMEOUT is -1, TACL will wait forever for a response from the remote CMON. |
<n> | If REMOTECMONTIMEOUT is n (seconds), TACL will wait n seconds for the remote CMON to respond. If CMON doesn't respond, TACL will act on the process request. The number of seconds chosen should depend on the speed of the system and the network. |
RISK If the REMOTECMONTIMEOUT value is -1, TACL will wait forever for a response. A CMON that isn't running or is running too slowly can cause denial of service.
With or without Safeguard software:
BP-TACL-TACLCONF-09 If CMON is running, REMOTECMONTIMEOUT should be set to a value that will not seriously inconvenience the user population.
Safeguard software, if configured to do so, will communicate with CMON during the following events:
- Logons
- Process creates of a Command Interpreter at a Safeguard-controlled terminal
The CMON global parameter determines whether or not Safeguard software will communicate with CMON during these events:
If CMON is ON Safeguard software will communicate with CMON.
If CMON is OFF, Safeguard software will not communicate with CMON.
The default value is OFF.
BP-SAFEGARD-GLOBAL-50 If CMON is running, the CMON parameter should be ON.
The CMONERROR parameter determines how Safeguard software will respond when CMON doesn't respond to Safeguard's communications, for whatever reason.
If CMONERROR is ACCEPT, failures to communicate with CMON will be ignored.
If CMONERROR is DENY, Safeguard software will deny access requests when CMON fails to respond.
The default value is ACCEPT.
BP-SAFEGARD-GLOBAL-51 If CMON is running, the CMONERROR parameter should be ACCEPT.
The CMONTIMEOUT parameter specifies the number of seconds that Safeguard software is to wait for any CMON response. The default is 30 seconds.
BP-SAFEGARD-GLOBAL-52 If CMON is running, the CMONTIMEOUT parameter value depends on the speed of the system; the recommended value is 30 seconds.
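To make the mediation flow concrete, the following is an added Python model (not code from this chapter, from the NonStop operating system or from any CMON product) of how a TACL or Safeguard request is resolved against CMON under the TACLCONF parameters and Safeguard global settings described above. It shows why CMONREQUIRED -1 and a timeout of -1 are listed as denial-of-service risks, and it includes a minimal CMON-side stepped-logon rule of the kind BP-USER-PRIVLEGE-01 calls for. The set of privileged IDs, the request fields and the reply timings are assumptions of the example.

```python
"""Model of how a TACL or Safeguard request is resolved against $CMON.

Added example: not code from the chapter, from the NonStop OS or from any CMON
product. It models the behaviour the text describes: the requester sends the
action to CMON, waits up to a timeout, then acts according to CMONREQUIRED
(TACL) or CMONERROR (Safeguard).
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Outcome(Enum):
    ALLOWED = "allowed"   # processing continues
    DENIED = "denied"     # error returned to the user who originated the action
    HUNG = "hung"         # timeout -1 and no reply: the requester waits forever


@dataclass
class TaclConf:
    cmonrequired: int = 0          # 0 = reply not required, -1 = reply required
    cmontimeout: int = 30          # seconds; -1 disables the timeout
    remotecmonrequired: int = 0
    remotecmontimeout: int = 30


@dataclass
class SafeguardGlobals:
    cmon: str = "OFF"              # ON / OFF, default OFF
    cmonerror: str = "ACCEPT"      # ACCEPT / DENY, default ACCEPT
    cmontimeout: int = 30          # seconds, default 30


def tacl_outcome(conf: TaclConf, cmon_reply: Optional[bool],
                 reply_after: int = 0, remote: bool = False) -> Outcome:
    """cmon_reply: True = CMON allows, False = CMON blocks, None = no reply ever.
    reply_after: seconds until the reply arrives (constructed timing)."""
    required = conf.remotecmonrequired if remote else conf.cmonrequired
    timeout = conf.remotecmontimeout if remote else conf.cmontimeout
    # A reply that arrives in time (or with timeouts disabled) decides the request.
    if cmon_reply is not None and (timeout == -1 or reply_after <= timeout):
        return Outcome.ALLOWED if cmon_reply else Outcome.DENIED
    # No usable reply and a timeout of -1: TACL waits forever (the RISK above).
    if timeout == -1:
        return Outcome.HUNG
    # Timeout expired: CMONREQUIRED 0 lets TACL act on the request, -1 denies it.
    return Outcome.DENIED if required == -1 else Outcome.ALLOWED


def safeguard_outcome(sg: SafeguardGlobals, cmon_reply: Optional[bool],
                      reply_after: int = 0) -> Outcome:
    if sg.cmon != "ON":
        return Outcome.ALLOWED     # Safeguard does not consult CMON at all
    if cmon_reply is not None and reply_after <= sg.cmontimeout:
        return Outcome.ALLOWED if cmon_reply else Outcome.DENIED
    # CMON failed to respond: CMONERROR ACCEPT ignores that, DENY refuses access.
    return Outcome.DENIED if sg.cmonerror == "DENY" else Outcome.ALLOWED


# A minimal CMON-side rule for stepped logons (BP-USER-PRIVLEGE-01).
# Which IDs count as privileged is an assumption of this example.
PRIVILEGED_IDS = {"SUPER.SUPER"}


def stepped_logon_reply(target_user: str, current_user: Optional[str]) -> bool:
    """Reply a stepped-logon CMON would give to a LOGON request: a privileged ID
    may only be reached from a session already logged on as a personal user."""
    if target_user.upper() not in PRIVILEGED_IDS:
        return True
    return current_user is not None and current_user.upper() not in PRIVILEGED_IDS


if __name__ == "__main__":
    conf = TaclConf(cmonrequired=-1, cmontimeout=-1)
    print("required, no timeout, silent CMON:", tacl_outcome(conf, None).value)
    reply = stepped_logon_reply("SUPER.SUPER", current_user=None)
    print("direct SUPER.SUPER logon:", tacl_outcome(TaclConf(), reply).value)
```

The two configuration paths differ in one detail worth noticing: TACL's "required" switch (CMONREQUIRED) and its timeout are separate knobs, so a required reply combined with a timeout of -1 turns a stalled CMON into a hang rather than a denial, whereas Safeguard always bounds the wait with its own CMONTIMEOUT and then applies CMONERROR.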
Identifier | Questions | Discovery |
---|---|---|
CMON-PROCESS-01 | Is a CMON process running on the system? | Process status |
CMON-POLICY-01 | Is CMON being used to enforce 'stepped' authentications? | Code review |
CMON-POLICY-02 | Is CMON being used to control remote access to the system? | Code review |
CMON-POLICY-03 | Is CMON being used to control access to system resources? | Code review |
CMON-POLICY-04 | Is CMON being used for load balancing? | Code review |
CMON-TACLCONF-03 | If CMON is running, is TACL configured CMONREQUIRED 0 (off)? | TACLCONF |
CMON-TACLCONF-04 | If CMON is running, is TACL configured REMOTECMONREQUIRED 0 (off)? | TACLCONF |
CMON-TACLCONF-08 | If CMON is running, is TACL configured CMONTIMEOUT <seconds>? | TACLCONF |
CMON-TACLCONF-09 | If CMON is running, is TACL configured REMOTECMONTIMEOUT <seconds>? | TACLCONF |
USER-PRIVLEGE-01 | If users are allowed to logon as any Privileged ID, are 'stepped' authentications enforced with CMON? | CMON config |
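The discovery table above can be turned into a repeatable check. The following is an added Python audit (not the book's code and not a NonStop utility) that evaluates observed TACLCONF and Safeguard global values against BP-TACL-TACLCONF-03/04/08/09 and BP-SAFEGARD-GLOBAL-50/51/52, and also reports the combinations that become a denial of service when no $CMON process is running. The caller supplies the values from process status, the TACLCONF listing and the Safeguard globals; how they are collected is outside the example, and the ceiling used for a "reasonable" timeout is an assumption.

```python
"""Audit TACLCONF and Safeguard global values against this chapter's CMON best
practices (BP-TACL-TACLCONF-03/04/08/09 and BP-SAFEGARD-GLOBAL-50/51/52).

Added example: not the book's code and not a NonStop utility. The caller supplies
the observed values (the discovery column says where they come from: process
status, TACLCONF, Safeguard globals); collecting them is out of scope here.
"""
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]        # (identifier, "PASS" | "FAIL", detail)

# The chapter fixes no upper bound for a timeout ("should not seriously
# inconvenience the user population"); this ceiling is an assumption here.
MAX_REASONABLE_TIMEOUT = 60
REQUIRED_CHECKS = (("CMONREQUIRED", "BP-TACL-TACLCONF-03"),
                   ("REMOTECMONREQUIRED", "BP-TACL-TACLCONF-04"))
TIMEOUT_CHECKS = (("CMONTIMEOUT", "BP-TACL-TACLCONF-08"),
                  ("REMOTECMONTIMEOUT", "BP-TACL-TACLCONF-09"))


def _check_timeout(ident: str, name: str, value: int) -> Finding:
    if value == -1:
        return (ident, "FAIL", f"{name} is -1: TACL waits forever, a stalled CMON is a denial of service")
    if value < 1 or value > MAX_REASONABLE_TIMEOUT:
        return (ident, "FAIL", f"{name} is {value}: outside 1..{MAX_REASONABLE_TIMEOUT} seconds")
    return (ident, "PASS", f"{name} is {value} seconds")


def audit_cmon(cmon_running: bool, taclconf: Dict[str, int],
               safeguard: Dict[str, object]) -> List[Finding]:
    findings: List[Finding] = []
    if not cmon_running:
        findings.append(("CMON-PROCESS-01", "FAIL", "no $CMON process running"))
        # With no CMON a required reply never arrives, so every mediated request
        # is denied after the timeout (or hangs if the timeout is -1). Report
        # that even though the BP-* rules are written for a running CMON.
        for key, ident in REQUIRED_CHECKS:
            if taclconf.get(key, 0) == -1:
                findings.append((ident, "FAIL", f"{key} is -1 with no CMON: requests will be denied"))
        for key, ident in TIMEOUT_CHECKS:
            if taclconf.get(key, 30) == -1:
                findings.append((ident, "FAIL", f"{key} is -1 with no CMON: requests will hang"))
        return findings

    findings.append(("CMON-PROCESS-01", "PASS", "$CMON process running"))
    for key, ident in REQUIRED_CHECKS:
        value = taclconf.get(key, 0)
        findings.append((ident, "PASS" if value == 0 else "FAIL", f"{key} is {value} (expected 0)"))
    for key, ident in TIMEOUT_CHECKS:
        findings.append(_check_timeout(ident, key, taclconf.get(key, 30)))

    cmon = str(safeguard.get("CMON", "OFF")).upper()
    findings.append(("BP-SAFEGARD-GLOBAL-50", "PASS" if cmon == "ON" else "FAIL",
                     f"Safeguard CMON is {cmon} (expected ON)"))
    err = str(safeguard.get("CMONERROR", "ACCEPT")).upper()
    findings.append(("BP-SAFEGARD-GLOBAL-51", "PASS" if err == "ACCEPT" else "FAIL",
                     f"Safeguard CMONERROR is {err} (expected ACCEPT)"))
    sg_timeout = int(safeguard.get("CMONTIMEOUT", 30))
    sg_ok = 1 <= sg_timeout <= MAX_REASONABLE_TIMEOUT
    findings.append(("BP-SAFEGARD-GLOBAL-52", "PASS" if sg_ok else "FAIL",
                     f"Safeguard CMONTIMEOUT is {sg_timeout} (recommended 30)"))
    return findings


def failed_ids(findings: List[Finding]) -> List[str]:
    """Identifiers of the checks that failed, in report order."""
    return [ident for ident, status, _ in findings if status == "FAIL"]


if __name__ == "__main__":
    # Constructed sample: CMON runs, but TACL insists on a reply and never times out.
    sample_tacl = {"CMONREQUIRED": -1, "CMONTIMEOUT": -1,
                   "REMOTECMONREQUIRED": 0, "REMOTECMONTIMEOUT": 30}
    sample_sg = {"CMON": "OFF", "CMONERROR": "ACCEPT", "CMONTIMEOUT": 30}
    for ident, status, detail in audit_cmon(True, sample_tacl, sample_sg):
        print(f"{status:4} {ident}: {detail}")
```

Each finding carries the chapter's own identifier, so the output can be filed against the same rows as the discovery table; the "no CMON running" branch is deliberately separate because the best practices are conditional on CMON being present, while the denial-of-service exposure of CMONREQUIRED -1 or a -1 timeout is worst precisely when it is not.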