Securing Disk Files With the Safeguard Subsystem


Safeguard software provides more versatile disk file security than the Guardian environment. It allows creation of rules, called Protection Records, which grant or deny access to files independent of a file's ownership or Guardian security vector.

Safeguard protection replaces Guardian protection; while an object is under Safeguard control, the Guardian security setting becomes inactive.

The following parameters may affect Safeguard DISKFILE security:

DISKFILE-related User Record Settings

DISKFILE-related Safeguard OBJECTTYPES

DISKFILE-related Safeguard Global Parameters

VOLUME Protection Records

SUBVOLUME Protection Records

DISKFILE Protection Records

Diskfile-Related User Record Settings

There are three fields in Safeguard User Records that affect file security.

Guardian Default Volume

The VOLUME and SUBVOLUME where the user's TACL session will begin. This is the equivalent of the Guardian volume and subvolume set using the DEFAULT program.

Guardian Default Security

The Guardian security vector that will automatically be assigned to every file that the user creates. This is the equivalent of the Guardian security vector set using the DEFAULT program. Please refer to the chapter Managing Userids in the Safeguard Subsystem.

Subject Default-Protection

Defines the Safeguard Diskfile Protection Record that will be created for each file the user creates. Please see the chapter on User Administration for the detailed auditing information relating to this field in Safeguard User Records.

The default Protection Record is defined like any other diskfile Protection Record, specifying an owner and the Access Control List.

Please refer to the chapter Managing Userids in the Safeguard Subsystem.

Disk-Related Safeguard OBJECTTYPES

Safeguard OBJECTTYPEs determine who is allowed to ADD disk file Protection Records. Three OBJECTTYPEs affect disk file security:

OBJECTTYPE VOLUME

OBJECTTYPE SUBVOLUME

OBJECTTYPE DISKFILE

Please refer to the chapter on the Safeguard Subsystem for more information on OBJECTTYPES.

RISK Without VOLUME or SUBVOLUME and DISKFILE OBJECTTYPE records, any local member of the SUPER group can add a Safeguard Protection Record for a device name, thereby gaining control of diskfiles.

BP-VOLUME-OBJTYPE-01 The VOLUME OBJECTTYPE should be created.

BP-SUBVOL-OBJTYPE-01 The SUBVOLUME OBJECTTYPE should be created.

BP-DISKFILE-OBJTYPE-01 The DISKFILE OBJECTTYPE should be created.

BP-VOLUME-OBJTYPE-02 The VOLUME OBJECTTYPE should be owned by the Security-Administrator.

BP-SUBVOL-OBJTYPE-02 The SUBVOLUME OBJECTTYPE should be owned by the Security-Administrator.

BP-DISKFILE-OBJTYPE-02 The DISKFILE OBJECTTYPE should be owned by the Security-Administrator.

BP-VOLUME-OBJTYPE-03 The VOLUME OBJECTTYPE should be audited for Access; AUDIT-ACCESS-PASS & AUDIT-ACCESS-FAIL

BP-SUBVOL-OBJTYPE-03 The SUBVOLUME OBJECTTYPE should be audited for Access; AUDIT-ACCESS-PASS & AUDIT-ACCESS-FAIL

BP-DISKFILE-OBJTYPE-03 The DISKFILE OBJECTTYPE should be audited for Access; AUDIT-ACCESS-PASS & AUDIT-ACCESS-FAIL

BP-VOLUME-OBJTYPE-04 The VOLUME OBJECTTYPE should be audited for Manage; AUDIT-MANAGE-PASS & AUDIT-MANAGE-FAIL

BP-SUBVOL-OBJTYPE-04 The SUBVOLUME OBJECTTYPE should be audited for Manage; AUDIT-MANAGE-PASS & AUDIT-MANAGE-FAIL

BP-DISKFILE-OBJTYPE-04 The DISKFILE OBJECTTYPE should be audited for Manage; AUDIT-MANAGE-PASS & AUDIT-MANAGE-FAIL

Disk-Related Safeguard Global Settings

Disk files can be protected by three levels of Safeguard Protection Records: VOLUME rules, SUBVOLUME rules and DISKFILE rules. Any combination of VOLUME, SUBVOLUME and DISKFILE rules can exist. The following Safeguard Globals are related to DISKFILEs:

ACL-REQUIRED-DISKFILE

CHECK-VOLUME

CHECK-SUBVOLUME

CHECK-FILENAME

DIRECTION-DISKFILE

COMBINATION-DISKFILE

CLEARONPURGE-DISKFILE

RISK Any attempt to CREATE a disk file is subject to access checking at all levels, regardless of whether or not CHECK-VOLUME and CHECK-SUBVOLUME are OFF.

ACL-REQUIRED-DISKFILE

The ACL-REQUIRED-DISKFILE parameter determines whether or not Safeguard software will grant access to a file that doesn't have a Protection Record.

If ACL-REQUIRED-DISKFILE is OFF and no Protection Record is found, access is allowed based on Guardian security.

If ACL-REQUIRED-DISKFILE is ON, Safeguard software will deny access to any file that does not have a Safeguard Protection Record.

The default value is OFF.

RISK Use caution in setting the ACL-REQUIRED Safeguard Global attributes. With these attributes set, access is normally denied for any object that does not have a Protection Record, but in warning mode, access to all such objects is granted.

RISK When the ACL-REQUIRED-DISKFILE parameter is changed to ON, a Protection Record for the SAFECOM object file granting EXECUTE authority to the necessary users (including the user making the change) must be created. Otherwise, when the session used to make the change ends, no one will be able to control Safeguard software through the SAFECOM Command Interpreter because they will be unable to run SAFECOM.

BP-SAFEGARD-GLOBAL-26 ACL-REQUIRED-DISKFILE = OFF

CHECK-VOLUME

The CHECK-VOLUME Global Parameter enables or disables the checking of Protection Records at a VOLUME level.

If CHECK-VOLUME is OFF, Safeguard software does not check volume Protection Records for attempts to access a disk file.

If CHECK-VOLUME is ON, Safeguard software enforces any VOLUME Protection Records.

With CHECK-VOLUME OFF, the access result is the same as if that level had No Record.

Note

Safeguard software reads the Safeguard files three times, once for VOLUME, once for SUBVOLUME and once for DISKFILE Protection Records, before evaluating the CHECK-VOLUME setting.

RISK Any attempt to CREATE a disk file is subject to access checking at all levels, regardless of whether or not CHECK-VOLUME and CHECK-SUBVOLUME are OFF.

BP-SAFEGARD-GLOBAL-23 CHECK-VOLUME should be OFF.

CHECK-SUBVOLUME

The CHECK-SUBVOLUME Global Parameter enables or disables the checking of Protection Records at a SUBVOLUME level.

If CHECK-SUBVOLUME is OFF, Safeguard software does not check SUBVOLUME Protection Records for attempts to access a disk file.

If CHECK-SUBVOLUME is ON, Safeguard software enforces any SUBVOLUME Protection Records.

Note

Safeguard software reads the Safeguard files three times, once for VOLUME, once for SUBVOLUME and once for DISKFILE Protection Records, before evaluating the CHECK-SUBVOLUME setting.

RISK Any attempt to CREATE a disk file is subject to access checking at all levels, regardless of whether or not CHECK-VOLUME and CHECK-SUBVOLUME are OFF.

If the VOLUME Protection Record grants the user the authority to create a disk file, Safeguard software then checks for a SUBVOLUME Protection Record for the subvolume on which the disk file is to be created. If found, the Safeguard software checks whether the subvolume Protection Record grants the user the authority to create a disk file. If the subvolume Protection Record grants the user the authority to create a disk file, the user's file-creation request succeeds. However, when the user lacks the authority to create a disk file on the subvolume, the file-creation request is rejected with a security violation error (file error 48).

If no Protection Record exists for the volume, a user's file-creation request is rejected only if both a Protection Record for the subvolume exists and the subvolume Protection Record does not grant the user CREATE authority. If no Protection Record exists for either the volume or subvolume, any user can create a disk file on the subvolume.

The Safeguard software does not restrict the creation of temporary files, such as swap files. Volume and subvolume Protection Records are not checked when a temporary file is created.

BP-SAFEGARD-GLOBAL-25 CHECK-SUBVOLUME = ON

CHECK-FILENAME

The CHECK-FILENAME Global Parameter enables or disables the checking of Protection Records at a DISKFILE level.

If CHECK-FILENAME is OFF, Safeguard software does not base its ruling on DISKFILE Protection Records for attempts to access a disk file.

If CHECK-FILENAME is ON, Safeguard software enforces any DISKFILE Protection Records.

Note

Safeguard software reads the Safeguard files three times, once for VOLUME, once for SUBVOLUME and once for DISKFILE Protection Records, before evaluating the CHECK-FILENAME setting.

BP-SAFEGARD-GLOBAL-27 CHECK-FILENAME should be ON.

CLEARONPURGE-DISKFILE

The CLEARONPURGE-DISKFILE parameter determines whether or not file data space is overwritten with zeros when a file is deleted.

If CLEARONPURGE-DISKFILE is ON, then when diskfiles are deleted, the data is overwritten with zeros.

If CLEARONPURGE-DISKFILE is OFF, the disk space is de-allocated when purged, but the data is not set to zeros.

The default value is OFF.

RISK If CLEARONPURGE is OFF then sensitive data can be left on the disk and another program could read the data.

RISK If CLEARONPURGE is ON then very large file deletes could take a long time.

BP-SAFEGARD-GLOBAL-28 CLEARONPURGE-DISKFILE should be OFF.

COMBINATION-DISKFILE

COMBINATION-DISKFILE tells Safeguard software how to resolve conflicts when VOLUME, SUBVOLUME and DISKFILE Protection Records exist for the target DISKFILE. The value can be:

FIRST-ACL

The first record found (based on DIRECTION-DISKFILE) determines the access, whether or not the user and attempted operation is included in the record.

FIRST-RULE

Records are searched until both the user and the requested access are explicitly granted or denied.

ALL

The VOLUME, SUBVOLUME and DISKFILE rules must all grant the requested access.

If ALL is selected, Safeguard software grants access only if it is granted by all the rules that exist. If VOLUME, SUBVOLUME and DISKFILE rules exist, then all three rules must agree on both the userid and the attempted operation or the request will be denied.

If FIRST-ACL is selected, Safeguard software uses the first rule it finds, regardless of whether the rule contains the specified userid. If the user is included in the rule, the operations allowed by the rule will be allowed and operations either denied or omitted will be denied. If the user is not included in the rule, access will be denied; Safeguard software will not look for any other rules protecting the file being accessed. The direction in which Safeguard software searches for rules depends on the DIRECTION-DISKFILE parameter.

If FIRST-RULE is selected, Safeguard software searches until it finds a Protection Record (Rule) that contains the specified user and operation.

If both the user and the attempted operation are found on the first level rule, Safeguard software bases its ruling on the first rule.

If either the user or the attempted operation is missing from the first level rule found, Safeguard software will look for a rule at the next level.

If there is no second level rule, the access will be denied.

If a second level rule exists and both the user and the attempted operation are found on the second level rule, Safeguard software bases its ruling on the second level rule.

If either the user or the attempted operation is missing from the second level rule found, Safeguard software will look for a rule at the next level.

If no third level rule exists, access is denied.

If a third level rule exists and both the user and the attempted operation are found on third level rule, Safeguard software bases its ruling on the third level rule.

If either the user or the attempted operation is missing from the third level rule, Safeguard software denies access.

BP-SAFEGARD-GLOBAL-24 COMBINATION-DISKFILE should be FIRST-ACL.

DIRECTION-DISKFILE

The DIRECTION-DISKFILE setting determines the direction that Safeguard searches for Protection Records if more than one of the CHECK parameters is "ON". The value is FILENAME-FIRST or VOLUME-FIRST.

If DIRECTION-DISKFILE is FILENAME-FIRST, Safeguard looks first for a DISKFILE Protection Record when evaluating access to a disk file, then for a SUBVOLUME Protection Record and, finally, for a VOLUME Protection Record.

If DIRECTION-DISKFILE is VOLUME-FIRST, Safeguard looks first for a VOLUME Protection Record when evaluating access to a disk file, then for a SUBVOLUME Protection Record and, finally, for a DISKFILE Protection Record.

BP-SAFEGARD-GLOBAL-22 DIRECTION-DISKFILE should be FILENAME-FIRST

RISK If CHECK-SUBVOLUME ON is set and DIRECTION-DISKFILE is set to VOLUME-FIRST and there is no OBJECTTYPE SUBVOLUME record, it is possible for any user to gain access to someone else's files. All files that are in subvolumes that have not been added to the Safeguard database are vulnerable. This situation occurs because any user can add the SUBVOLUME to the database and thereby own it.

Diskfile-related Protection Records

Diskfiles can be protected by rules at any or all of the following three 'levels':

Volume

Subvolume

Diskfile

VOLUME Protection Records

Each Safeguard VOLUME Protection Record has the following parts:

PRIMARY OWNER

By default the userid that created the ACL. Can be altered.

Access Control List (ACL)

The list of userids that are allowed to access the object and the operations they are allowed to perform on the object.

Audit Settings

Determines whether Safeguard software will audit attempts to access the object.

VOLUME Protection Record ACL

Each VOLUME Protection Record Access Control List (ACL) specifies the users allowed to access the volume and the operations these users are allowed to perform. The valid operations are:

READ (R)

refers to the authority to read any file on the VOLUME.

WRITE (W)

refers to the authority to alter any file on the VOLUME.

EXECUTE (E)

refers to the authority to execute any object file on the VOLUME.

PURGE (P)

refers to the authority to purge any file on the VOLUME.

CREATE (C)

refers to the authority to create a SUBVOLUME and/or file on the volume.

OWN (O)

refers to the authority to ALTER or DELETE the VOLUME Protection Record.

If remote access, defined as an access attempt made by a user authenticated on a different node, is appropriate for a given volume, the users must be defined as network users (*.) when granting privileges in the VOLUME Protection Record, or Safeguard software will deny the access requests from another node. Users defined as network users are automatically granted the appropriate local access privileges as well.

VOLUME Protection Record Ownership

A VOLUME has no owner until it is placed under Safeguard control. Then, by default, the user who added the Protection Record becomes its OWNER. Also by default, the OWNER of the Protection Record, the OWNER'S Group Manager, and SUPER.SUPER can ALTER or DELETE the Protection Record.

The OWNER of the Protection Record can 'give' ownership to another userid.

The OWNER can grant ownership privileges with the OWNER (O) authority. The OWNER attribute grants the ability to ALTER or DELETE the Protection Record to the specified users. These additional owners can do anything that the initial owner is permitted to do. They are equal, in every way, to the initial owner.

By denying the OWNER authority, SUPER.SUPER or Group Managers can be explicitly denied any of the authorities implicitly granted to them.

SUBVOLUME Protection Records

Each Safeguard SUBVOLUME Protection Record has the following parts:

PRIMARY OWNER

By default the userid that created the ACL. Can be altered.

Access Control List (ACL)

The list of Userids that are allowed to access the object and the operations they are allowed to perform on the object.

Audit Settings

Determines whether Safeguard software will audit attempts to access the object.

SUBVOLUME Protection Record ACL

Each SUBVOLUME Protection Record's Access Control List (ACL) specifies the users allowed to access the subvolume and the operations these users are allowed to perform. The valid operations are:

READ (R)

refers to the authority to READ any file in the SUBVOLUME.

WRITE (W)

refers to the authority to alter any file in the SUBVOLUME.

EXECUTE (E)

refers to the authority to execute any object file in the SUBVOLUME.

PURGE (P)

refers to the authority to purge any file in the SUBVOLUME.

CREATE (C)

refers to the authority to create a file in the SUBVOLUME.

OWN (O)

refers to the authority to ALTER or DELETE the SUBVOLUME Protection Record.

If remote access, defined as an access attempt made by a user authenticated on a different node, is appropriate for a given subvolume, the users must be defined as network users (*.) when granting privileges in the SUBVOLUME ACL, or Safeguard will deny the access requests from another node. Users defined as network users are automatically granted the appropriate local access privileges as well.

SUBVOLUME Protection Record Ownership

A SUBVOLUME has no owner until it is placed under Safeguard control. Then, by default, the user who added the Protection Record becomes its OWNER. Also by default, the OWNER of the Protection Record, the OWNER'S Group Manager, and SUPER.SUPER can ALTER or DELETE the Protection Record.

The OWNER of the Protection Record can 'give' ownership to another userid.

The OWNER can grant ownership privileges with the OWNER (O) authority. The OWNER attribute grants the ability to ALTER or DELETE the Protection Record to the specified users. These additional owners can do anything that the initial owner is permitted to do. They are equal, in every way, to the initial owner.

By denying the OWNER authority, SUPER.SUPER or Group Managers can be explicitly denied any of the authorities implicitly granted to them.

DISKFILE Protection Records

Each Safeguard Protection Record has the following parameters:

PRIMARY OWNER

By default the userid that created the Protection Record. Primary owner can be altered.

Access Control List (ACL)

The list of Userids that are allowed to access the object and the operations they are allowed to perform on the object.

Audit Settings

Determines whether Safeguard software will audit attempts to access the object.

Disk file Protection Records have four additional parameters:

LICENSE

Sets the LICENSED bit on the disk file protected by the Protection Record.

PROGID

Sets the PROGID bit on the disk file protected by the Protection Record.

PERSISTENT

Determines whether or not the Protection Record will remain after the disk file the Protection Record is protecting is deleted.

CLEARONPURGE

Fills the file with zeros when purged. If a file with persistent protection is purged, CLEARONPURGE retains its current setting. Deleting a file Protection Record does not change the clearonpurge flag.

For disk files not under Safeguard protection, CLEARONPURGE can be set through the FUP SECURE command or by a program using a SETMODE or SETMODENOWAIT procedure call.

RISK For userids other than SUPER.SUPER, the FUP GIVE, SECURE, LICENSE, and REVOKE commands no longer work for a disk file that has a Safeguard Protection Record; the equivalent Safeguard commands must be used.

DISKFILE Protection Record ACL

Each DISKFILE Protection Record's Access Control List (ACL) specifies the users allowed to access the file and the operations these users are allowed to perform. The valid operations are:

READ (R)

refers to the authority to read the file.

WRITE (W)

refers to the authority to alter the file.

EXECUTE (E)

refers to the authority to execute the file. Applies only if the file is an object file.

PURGE (P)

refers to the authority to purge the file.

OWNER (O)

refers to the authority to ALTER or DELETE the DISKFILE Protection Record.

Note

Copies of a file (such as a copy created with the FUP DUP command) are not protected by Safeguard software, unless DEFAULT-PROTECTION has been established for the user copying the file.

If remote access, defined as an access attempt made by a user authenticated on a different node, is appropriate for a given disk file, the users must be defined as network users (*.) when granting privileges in the DISKFILE Protection Record, or Safeguard software will deny the OPEN access requests from another node. Users defined as network users are automatically granted the appropriate local access privileges as well.

DISKFILE Protection Record Ownership

By default, the user who added the Protection Record becomes its owner. Also by default, the OWNER of the Protection Record, the OWNER'S Group Manager, and SUPER.SUPER can ALTER or DELETE the Protection Record.

The OWNER of the Protection Record can 'give' ownership to another userid.

The OWNER can grant ownership privileges with the OWNER (O) authority. The OWNER authority grants the ability to ALTER or DELETE the Protection Record to the specified users. These additional owners can do anything that the initial owner is permitted to do. They are equal, in every way, to the initial owner.

Note

By denying the OWNER authority, SUPER.SUPER or Group Managers can be explicitly denied any of the authorities implicitly granted to them.

Guardian File Ownership Is Affected by Safeguard Protection Records

RISK Creating DISKFILE Protection Records changes the Guardian ownership of the file. If the Protection Record is deleted, but not the file, the Protection Record's Primary Owner becomes the Guardian owner of the file.

RISK If a Protection Record for a LICENSED file is created, the LICENSE is automatically revoked. It must be re-LICENSED using SAFECOM.

RISK If a Protection Record for a PROGID'd file is created, the PROGID is automatically removed. It must be re-PROGID'd using SAFECOM.

PROGID'd object files still run as the appropriate userid when they are EXECUTED.

How the Safeguard Subsystem Evaluates Diskfile CREATE Attempts

If the VOLUME Protection Record grants the user the authority to CREATE a disk file, Safeguard software checks for a SUBVOLUME Protection Record for the subvolume on which the disk file is to be created. If a Protection Record exists for the subvolume, its Protection Record is checked to see if the user has CREATE authority.

If the SUBVOLUME Protection Record grants the user the authority to CREATE a disk file, the user's file-creation request succeeds.

If the user lacks the authority to CREATE a disk file on the subvolume, the request is rejected with a security violation error (file error 48).

If no VOLUME Protection Record exists for the volume, the CREATE request is rejected only if a SUBVOLUME Protection Record for the subvolume exists and does not grant the user CREATE authority.

If no Protection Records exists for either the VOLUME or SUBVOLUME, any user can create a disk file on the subvolume.

Caution

The Safeguard software does not restrict the creation of temporary files, such as swap files. Volume and subvolume authorization records are not checked when a temporary file is created.

How the Safeguard Subsystem Evaluates File Access Attempts

For DISKFILE access attempts, the DIRECTION-DISKFILE Global Parameter determines the direction that Safeguard software searches for Protection Records if more than one of the CHECK parameters is "ON". The choices are FILENAME-FIRST and VOLUME-FIRST.

Whether or not Protection Records at the remaining 'levels' are checked depends on the COMBINATION-DISKFILE value.

At each level checked, Safeguard software returns one of four results when it evaluates access:

No Record

No Protection Record exists.

No Mention

A Protection Record exists, but the user or operation is not included in the Protection Record.

Deny

Access is denied. There are two types of DENIALS:

EXPLICIT: The user is included on the Protection Record and the attempted operation is denied.

IMPLICIT: The user is included in the Protection Record, but the attempted operation is not, or the user is not included.

Permit

Access is granted. The user is included in the Protection Record and the attempted operation is authorized.

Once Safeguard software has determined whether the user (identified by the PAID) has the required authority to access the object, the requested access is allowed or denied.

The table below shows how disk file access rules are evaluated depending on how Safeguard software applies the Protection Records in DISKFILE, VOLUME, and SUBVOLUME Protection Records based on DIRECTION-DISKFILE and COMBINATION-DISKFILE.

DISKFILE ACCESS EVALUATION

The 1ST, 2ND and 3RD columns give the result at each level in the order set by DIRECTION-DISKFILE (Y = Permit, N = Deny, NM = No Mention, NR = No Record). The remaining columns give the final ruling for each COMBINATION-DISKFILE value (1ST-ACL = FIRST-ACL, 1ST-RULE = FIRST-RULE, ALL).

1ST  2ND  3RD   1ST-ACL       1ST-RULE      ALL
Y    Y    Y     Permit        Permit        Permit
Y    Y    N     Permit        Permit        Deny
Y    Y    NM    Permit        Permit        Deny
Y    Y    NR    Permit        Permit        Permit
Y    N    Y     Permit        Permit        Deny
Y    N    N     Permit        Permit        Deny
Y    N    NM    Permit        Permit        Deny
Y    N    NR    Permit        Permit        Deny
Y    NM   Y     Permit        Permit        Deny
Y    NM   N     Permit        Permit        Deny
Y    NM   NM    Permit        Permit        Deny
Y    NM   NR    Permit        Permit        Deny
Y    NR   Y     Permit        Permit        Permit
Y    NR   N     Permit        Permit        Deny
Y    NR   NM    Permit        Permit        Deny
Y    NR   NR    Permit        Permit        Permit
N    Y    Y     Deny          Deny          Deny
N    Y    N     Deny          Deny          Deny
N    Y    NM    Deny          Deny          Deny
N    Y    NR    Deny          Deny          Deny
N    N    Y     Deny          Deny          Deny
N    N    N     Deny          Deny          Deny
N    N    NM    Deny          Deny          Deny
N    N    NR    Deny          Deny          Deny
N    NM   Y     Deny          Deny          Deny
N    NM   N     Deny          Deny          Deny
N    NM   NM    Deny          Deny          Deny
N    NM   NR    Deny          Deny          Deny
N    NR   N     Deny          Deny          Deny
N    NR   NR    Deny          Deny          Deny
NM   Y    Y     Deny          Permit        Deny
NM   Y    N     Deny          Permit        Deny
NM   Y    NM    Deny          Permit        Deny
NM   Y    NR    Deny          Permit        Deny
NM   N    Y     Deny          Deny          Deny
NM   N    N     Deny          Deny          Deny
NM   N    NM    Deny          Deny          Deny
NM   N    NR    Deny          Deny          Deny
NM   NM   Y     Deny          Permit        Deny
NM   NM   N     Deny          Deny          Deny
NM   NM   NM    Deny          Deny          Deny
NM   NM   NR    Deny          Deny          Deny
NM   NR   Y     Deny          Permit        Deny
NM   NR   N     Deny          Deny          Deny
NM   NR   NM    Deny          Deny          Deny
NM   NR   NR    Deny          Deny          Deny
NR   Y    Y     Permit        Permit        Permit
NR   Y    N     Permit        Permit        Deny
NR   Y    NM    Permit        Permit        Deny
NR   Y    NR    Permit        Permit        Permit
NR   N    Y     Deny          Deny          Deny
NR   N    N     Deny          Deny          Deny
NR   N    NM    Deny          Deny          Deny
NR   N    NR    Deny          Deny          Deny
NR   NM   Y     Deny          Permit        Deny
NR   NM   N     Deny          Deny          Deny
NR   NM   NM    Deny          Deny          Deny
NR   NM   NR    Deny          Deny          Deny
NR   NR   Y     Permit        Permit        Permit
NR   NR   N     Deny          Deny          Deny
NR   NR   NM    Deny          Deny          Deny
NR   NR   NR    Guardian [*]  Guardian [*]  Guardian [*]

[*] Indicates that access is denied if ACL-REQUIRED-DISKFILE is ON.
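The search, combination and CREATE rules described under COMBINATION-DISKFILE, in the two evaluation sections and in the table above, modelled in Python as an added example (not code from the book or from HP). The record shape (user mapped to granted and denied operations), the users APPL.USER and SUPER.SUPER, and the sample records are constructed; the table rows it checks itself against are copied from the page.

```python
"""Model of how Safeguard combines VOLUME, SUBVOLUME and DISKFILE rulings for a
disk file access or CREATE attempt. Added example, not HP's code; the record shape
(user -> granted ops, denied ops) and the sample users are constructed."""
from typing import Dict, List, Optional, Set, Tuple

NR, NM, N, Y = "NR", "NM", "N", "Y"             # the page's four per-level results
PERMIT, DENY, GUARDIAN = "Permit", "Deny", "Guardian"
LEVELS = ("DISKFILE", "SUBVOLUME", "VOLUME")     # FILENAME-FIRST search order
Acl = Dict[str, Tuple[Set[str], Set[str]]]       # one Protection Record's ACL

def level_result(record: Optional[Acl], user: str, op: str) -> str:
    """Classify one level: No Record, No Mention, explicit Deny or Permit."""
    if record is None:
        return NR
    if user not in record:
        return NM                        # record exists but does not list the user
    granted, denied = record[user]
    if op in granted:
        return Y
    return N if op in denied else NM    # explicit denial, or operation omitted

def combine(results: List[str], combination: str, acl_required: bool = False) -> str:
    """Apply COMBINATION-DISKFILE to per-level results already in search order."""
    present = [r for r in results if r != NR]     # No Record levels are skipped
    if not present:                               # the table's NR/NR/NR row
        return DENY if acl_required else GUARDIAN
    if combination == "FIRST-ACL":                # first record found rules; NM denies
        return PERMIT if present[0] == Y else DENY
    if combination == "FIRST-RULE":               # search past NM for an explicit ruling
        for r in present:
            if r in (Y, N):
                return PERMIT if r == Y else DENY
        return DENY
    if combination == "ALL":                      # every record present must grant
        return PERMIT if all(r == Y for r in present) else DENY
    raise ValueError("unknown COMBINATION-DISKFILE: " + combination)

def evaluate_access(records: Dict[str, Optional[Acl]], user: str, op: str,
                    direction: str = "FILENAME-FIRST", combination: str = "FIRST-ACL",
                    checks: Optional[Dict[str, bool]] = None, acl_required: bool = False) -> str:
    """records and checks map 'VOLUME', 'SUBVOLUME', 'DISKFILE' to an Acl (or None) and
    to the CHECK-VOLUME/-SUBVOLUME/-FILENAME globals; a level whose check is OFF is NR."""
    checks = checks or {}
    order = LEVELS if direction == "FILENAME-FIRST" else tuple(reversed(LEVELS))
    results = [level_result(records.get(lvl), user, op) if checks.get(lvl, True) else NR
               for lvl in order]
    return combine(results, combination, acl_required)

def evaluate_create(vol: Optional[Acl], subvol: Optional[Acl], user: str,
                    temporary: bool = False) -> str:
    """CREATE is checked at VOLUME then SUBVOLUME regardless of the CHECK-* globals.
    Temporary files are never checked; with no record at either level anyone may
    create; a VOLUME record that withholds CREATE is treated as a denial (inferred)."""
    if temporary:
        return PERMIT
    for record in (vol, subvol):
        if record is not None and level_result(record, user, "C") != Y:
            return DENY                  # rejected with file error 48
    return PERMIT

# Rows copied from the page's DISKFILE ACCESS EVALUATION table: 1ST 2ND 3RD -> outcomes
TABLE_ROWS = """Y Y N Permit Permit Deny
Y NR NR Permit Permit Permit
N Y Y Deny Deny Deny
NM Y Y Deny Permit Deny
NM NM N Deny Deny Deny
NR NM Y Deny Permit Deny
NR NR NM Deny Deny Deny
NR NR NR Guardian Guardian Guardian"""

def table_mismatches() -> List[str]:
    """Return the page's table rows the model fails to reproduce (expected: none)."""
    bad = []
    for row in TABLE_ROWS.splitlines():
        first, second, third, *want = row.split()
        got = [combine([first, second, third], m) for m in ("FIRST-ACL", "FIRST-RULE", "ALL")]
        if got != want:
            bad.append(row)
    return bad

# Constructed scenario: the DISKFILE record grants APPL.USER READ but denies WRITE and
# PURGE, the SUBVOLUME record lists only SUPER.SUPER, and the VOLUME has no record.
RECORDS: Dict[str, Optional[Acl]] = {
    "DISKFILE": {"APPL.USER": ({"R"}, {"W", "P"})},
    "SUBVOLUME": {"SUPER.SUPER": ({"R", "W", "E", "P", "C", "O"}, set())},
    "VOLUME": None,
}

def scenario() -> Dict[str, str]:
    """Same records, different globals: the search direction alone flips the READ ruling."""
    return {
        "read_filename_first": evaluate_access(RECORDS, "APPL.USER", "R"),
        "read_volume_first": evaluate_access(RECORDS, "APPL.USER", "R", "VOLUME-FIRST"),
        "read_volume_first_rule": evaluate_access(RECORDS, "APPL.USER", "R", "VOLUME-FIRST", "FIRST-RULE"),
        "write": evaluate_access(RECORDS, "APPL.USER", "W"),
        "create": evaluate_create(RECORDS["VOLUME"], RECORDS["SUBVOLUME"], "APPL.USER"),
        "create_swap": evaluate_create(None, RECORDS["SUBVOLUME"], "APPL.USER", temporary=True),
    }
```

The scenario reproduces the DIRECTION-DISKFILE risk above: with FIRST-ACL, VOLUME-FIRST lets the SUBVOLUME record (which never mentions APPL.USER) deny a read that FILENAME-FIRST permits.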

Auditing Disk File Access and Management Attempts

Caution

An open request that passes the Safeguard authorization check can still fail for another reason. For example, if a process attempts to open a file that is already open with exclusive access, the open attempt fails with file error 12 (file in use). Safeguard software records these events in its audit trail with an outcome of FAILED. FAILED means that the access attempt failed but not because of a Safeguard ruling.

Disk File-Related Global Audit Parameters

The following Global parameters are discussed in Part Four, User Administration.

AUDIT-DISKFILE-ACCESS-PASS

AUDIT-DISKFILE-ACCESS-FAIL

AUDIT-DISKFILE-MANAGE-PASS

AUDIT-DISKFILE-MANAGE-FAIL

AUDIT-DISKFILE-ACCESS { -PASS | -FAIL }

The AUDIT-DISKFILE-ACCESS-PASS/FAIL parameters determine whether or not successful or unsuccessful attempts to access all disk files on the system are audited. The conditions can be ALL, NONE, LOCAL, or REMOTE.

If AUDIT-DISKFILE-ACCESS-PASS value is configured to anything other than NONE, then the appropriate successful disk file access attempts will be audited.

If AUDIT-DISKFILE-ACCESS-FAIL value is configured to anything other than NONE, then the appropriate unsuccessful disk file access attempts will be audited.

This setting supplements the audit settings for individual disk files.

If an individual DISKFILE Protection Record is configured to audit only LOCAL access attempts, but the Global parameter is REMOTE, then both LOCAL and REMOTE access attempts will be audited.

However, if an individual DISKFILE Protection Record is configured to audit only NONE and the Global parameter is ALL, then Safeguard software will not audit either successful or unsuccessful disk file access attempts.

The default is NONE.

AUDIT-DISKFILE-MANAGE { -PASS | -FAIL }

The AUDIT-DISKFILE-MANAGE-PASS/FAIL parameters determine whether or not attempts to CREATE, ALTER or DELETE DISKFILE Protection Records will be audited. This setting supplements the audit settings for individual disk files. The conditions can be ALL, NONE, LOCAL, or REMOTE.

If an individual DISKFILE Protection Record is configured to audit only LOCAL access attempts, but the Global parameter is REMOTE, then both LOCAL and REMOTE access attempts will be audited.

However, if an individual DISKFILE Protection Record is configured to audit only NONE and the Global parameter is ALL, then Safeguard software will not audit either successful or unsuccessful DISKFILE access attempts.

The default is NONE.

BP-DISKFILE-AUDIT-01 AUDIT-DISKFILE-MANAGE-PASS should be ALL

BP-DISKFILE-AUDIT-02 AUDIT-DISKFILE-MANAGE-FAIL should be ALL

Certain sensitive files, such as TANDUMP, should have successful manage audited.

Disk File-Related Protection Record Audit Parameters

The following Protection Record parameters determine the amount of auditing for individual VOLUMES, SUBVOLUMES and DISKFILES.

AUDIT-ACCESS-PASS

AUDIT-ACCESS-FAIL

AUDIT-MANAGE-PASS

AUDIT-MANAGE-FAIL

AUDIT-ACCESS { -PASS | -FAIL }

VOLUME, SUBVOLUME and DISKFILE Protection Records each have these two audit parameters.

The AUDIT-ACCESS-PASS/FAIL parameters determine whether or not successful or unsuccessful attempts to access all disk files on the system are audited. The conditions can be ALL, NONE, LOCAL, or REMOTE.

If AUDIT-ACCESS-PASS value is configured to anything other than NONE, then the appropriate successful disk file access attempts will be audited.

If AUDIT-ACCESS-FAIL value is configured to anything other than NONE, then the appropriate unsuccessful disk file access attempts will be audited.

This setting supplements the audit settings for individual disk files.

If an individual DISKFILE Protection Record is configured to audit only LOCAL access attempts, but the Global parameter is REMOTE, then both LOCAL and REMOTE access attempts will be audited.

However, if an individual DISKFILE Protection Record is configured to audit only NONE and the Global parameter is ALL, then Safeguard software will not audit either successful or unsuccessful disk file access attempts.

The default is NONE.

BP-VOLUME-AUDIT-01 AUDIT-ACCESS-PASS should be NONE

BP-VOLUME-AUDIT-02 AUDIT-ACCESS-FAIL should be ALL

BP-SUBVOL-AUDIT-01 AUDIT-ACCESS-PASS should be NONE

BP-SUBVOL-AUDIT-02 AUDIT-ACCESS-FAIL should be ALL

BP-DISKFILE-AUDIT-01 AUDIT-ACCESS-PASS should be NONE

BP-DISKFILE-AUDIT-02 AUDIT-ACCESS-FAIL should be ALL

AUDIT-MANAGE { -PASS | -FAIL }

VOLUME, SUBVOLUME and DISKFILE Protection Records each have these two audit parameters.

The AUDIT-MANAGE-PASS/FAIL parameters determine whether or not attempts to CREATE, ALTER or DELETE a Protection Record will be audited. This setting supplements the audit settings for individual disk files. The conditions can be ALL, NONE, LOCAL, or REMOTE.

If an individual DISKFILE or VOLUME or SUBVOLUME Protection Record is configured to audit only LOCAL access attempts, but the Global parameter is REMOTE, then both LOCAL and REMOTE access attempts will be audited.

However, if an individual DISKFILE or VOLUME or SUBVOLUME Protection Record is configured to audit only NONE and the Global parameter is ALL, then Safeguard software will not audit either successful or unsuccessful DISKFILE access attempts.

The default is NONE.

BP-VOLUME-AUDIT-03 AUDIT-MANAGE-PASS should be ALL

BP-VOLUME-AUDIT-04 AUDIT-MANAGE-FAIL should be ALL

BP-SUBVOL-AUDIT-03 AUDIT-MANAGE-PASS should be ALL

BP-SUBVOL-AUDIT-04 AUDIT-MANAGE-FAIL should be ALL

BP-DISKFILE-AUDIT-03 AUDIT-MANAGE-PASS should be ALL

BP-DISKFILE-AUDIT-04 AUDIT-MANAGE-FAIL should be ALL

Certain sensitive files, such as TANDUMP, should have successful manage audited.

Identifier            Look in   Question
VOLUME-OBJTYPE-01     Safecom   Does the VOLUME OBJECTTYPE exist?
SUBVOL-OBJTYPE-01     Safecom   Does the SUBVOLUME OBJECTTYPE exist?
DISKFILE-OBJTYPE-01   Safecom   Does the DISKFILE OBJECTTYPE exist?
VOLUME-OBJTYPE-02     Safecom   Is the VOLUME OBJECTTYPE owned by the SECURITY ADMINISTRATOR?
SUBVOL-OBJTYPE-02     Safecom   Is the SUBVOLUME OBJECTTYPE owned by the SECURITY ADMINISTRATOR?
DISKFILE-OBJTYPE-02   Safecom   Is the DISKFILE OBJECTTYPE owned by the SECURITY ADMINISTRATOR?
VOLUME-OBJTYPE-03     Safecom   Is the VOLUME OBJECTTYPE set to audit accesses?
SUBVOL-OBJTYPE-03     Safecom   Is the SUBVOLUME OBJECTTYPE set to audit accesses?
DISKFILE-OBJTYPE-03   Safecom   Is the DISKFILE OBJECTTYPE set to audit accesses?
VOLUME-OBJTYPE-04     Safecom   Is the VOLUME OBJECTTYPE set to audit manage attempts?
SUBVOL-OBJTYPE-04     Safecom   Is the SUBVOLUME OBJECTTYPE set to audit manage attempts?
DISKFILE-OBJTYPE-04   Safecom   Is the DISKFILE OBJECTTYPE set to audit manage attempts?
SAFEGARD-GLOBAL-26    Safecom   Is the Safeguard Global parameter ACL-REQUIRED-DISKFILE value OFF?
SAFEGARD-GLOBAL-23    Safecom   Is the Safeguard Global parameter CHECK-VOLUME value OFF?
SAFEGARD-GLOBAL-25    Safecom   Is the Safeguard Global parameter CHECK-SUBVOLUME value ON?
SAFEGARD-GLOBAL-27    Safecom   Is the Safeguard Global parameter CHECK-FILENAME value ON?
SAFEGARD-GLOBAL-24    Safecom   Is the Safeguard Global parameter COMBINATION-DISKFILE value FIRST-ACL?
SAFEGARD-GLOBAL-22    Safecom   Is the Safeguard Global parameter DIRECTION-DISKFILE value FILENAME-FIRST?
DISKFILE-POLICY       Policy    Does the Corporate Security Policy mandate auditing of attempts to access files?
VOLUME-AUDIT-01       Safecom   Are all successful access attempts against VOLUME Protection Records audited?
SUBVOL-AUDIT-01       Safecom   Are all successful access attempts against SUBVOLUME Protection Records audited?
DISKFILE-AUDIT-01     Safecom   Are all successful access attempts against DISKFILE Protection Records audited?
VOLUME-AUDIT-02       Safecom   Are all failed access attempts against VOLUME Protection Records audited?
SUBVOL-AUDIT-02       Safecom   Are all failed access attempts against SUBVOLUME Protection Records audited?
DISKFILE-AUDIT-02     Safecom   Are all failed access attempts against DISKFILE Protection Records audited?
VOLUME-AUDIT-03       Safecom   Are all attempts to manage VOLUME Protection Records audited?
SUBVOL-AUDIT-03       Safecom   Are all attempts to manage SUBVOLUME Protection Records audited?
SUBVOL-AUDIT-04
DISKFILE-AUDIT-03     Safecom   Are all attempts to manage DISKFILE Protection Records audited?
DISKFILE-AUDIT-04
DEVICE-AUDIT-01       Safecom   Are all attempts to manage DEVICE Protection Records audited?
DEVICE-AUDIT-02




HP NonStop Server Security 2004
ISBN: 159059035X
Year: 2004
Pages: 157