The DELUSER program is used to delete userids when Safeguard software is not in use. How this program is secured depends on the Security Policy and whether or not Safeguard software is in use.
RISK If the DELUSER utility is not controlled, the SUPER.SUPER user or other important userids could be deleted from the system.
Deleting a userid from the system is recommended when that userid is no longer needed. Deleting a userid stops that user from logging on to the system. Who is allowed to delete users should be controlled as strictly as possible.
RISK When a userid is deleted from the system, the files that are owned by the userid are orphaned. These files should be located and ownership changed to a valid userid.
If Safeguard software is not in use on the system, then the DELUSER program is used to delete userids.
How the DELUSER program is secured depends on who is allowed to perform this function as defined by the Corporate Security Policy.
If only SUPER.SUPER is allowed to delete users, then the DELUSER program must be secured to SUPER access only. The DELUSER object file need not be licensed. This is the most secure methodology to control the function of deleting users from the system.
BP-FILE-DELUSER-01 DELUSER should be secured "- - - -".
BP-OPSYS-LICENSE-01 DELUSER must NOT be LICENSED.
BP-OPSYS-OWNER-01 DELUSER should be owned by SUPER.SUPER.
BP-OPSYS-FILELOC-01 DELUSER must reside in $SYSTEM.SYSnn
If the policy authorizes Group Managers to DELETE userids from their own groups, then all groups will have to be granted EXECUTE access. Guardian will prevent users other than the 255 member of any group from deleting users from existing groups. Only SUPER.SUPER will be able to delete userids from other groups. To allow Group Managers the right to delete userids, the DELUSER object file must be licensed.
BP*-FILE-DELUSER-01 DELUSER should be secured "- - A -".
BP*-OPSYS-LICENSE-01 DELUSER must be LICENSED.
BP*-OPSYS-OWNER-01 DELUSER should be owned by SUPER.SUPER.
BP*-OPSYS-FILELOC-01 DELUSER must reside in $SYSTEM.SYSnn
RISK Because of DELUSER's unique function, any old SYSnn locations that may be present on the system must be secured from unauthorized use.
BP-FILE-DELUSER-02 DELUSER in old $SYSTEM.SYSnn locations must be secured "- - - -".
ID | Discovery Questions | Look here: |
---|---|---|
FILE-POLICY | Are Group Managers allowed to delete users? | Policy |
OPSYS-OWNER-01 | Is DELUSER owned by SUPER.SUPER? | Fileinfo |
OPSYS-LICENSE-01 | Is the DELUSER object file licensed? | Fileinfo |
FILE-POLICY | Does the security of the DELUSER object file conform to the Security Policy? | Policy |
FILE-DELUSER-01 | Is the DELUSER object file secured correctly? | Fileinfo |
FILE-DELUSER-02 | Are old SYSnn copies of DELUSER secured? | Fileinfo |
If Safeguard software is in use on the system, then DELUSER will not run. Instead it will display a warning that Safeguard should be used to delete users.
44> deluser oper.bryan
SAFEGUARD IS RUNNING; USE SAFECOM TO DELETE USERS
Groups and Users will be deleted through the Safeguard interface. See chapter titled Safeguard Subsystem for more information.
AP-ADVICE-DELUSER-01 The DELUSER object file's Guardian security string and/or a Safeguard Protection Record should prevent any user other than SUPER.SUPER from executing it, in the case that Safeguard software is not running.
BP-FILE-DELUSER-01 DELUSER should be secured "- - - -".
BP-OPSYS-LICENSE-01 DELUSER must NOT be LICENSED.
BP-OPSYS-OWNER-01 DELUSER should be owned by SUPER.SUPER.
BP-OPSYS-FILELOC-01 DELUSER must reside in $SYSTEM.SYSnn
BP-SAFE-DELUSER-01 Add a Safeguard Protection Record to prevent execution of the DELUSER object file directly by any user.
ID | Discovery Questions | Look here: |
---|---|---|
OPSYS-OWNER-01 | Is DELUSER owned by SUPER.SUPER? | Fileinfo |
OPSYS-LICENSE-01 | Is the DELUSER object file licensed? | Fileinfo |
FILE-POLICY | Does the security of the DELUSER object file conform to the Security Policy? | Policy |
FILE-DELUSER-01 SAFE-DELUSER-01 | Is the DELUSER object file correctly secured with the Guardian or Safeguard system? | Fileinfo Safecom |
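
As an added example (not from the original text or any vendor tool), the Python below checks DELUSER file attributes against the best-practice ids listed above, for both policies and for old SYSnn copies. The `DeluserCopy` record, the `audit` and `report` functions and the sample values are assumptions made for illustration; the attributes are assumed to be transcribed by hand from Fileinfo and Safecom output.

```python
import re
from dataclasses import dataclass

SUPER_SUPER = (255, 255)  # SUPER.SUPER as (group, member)

@dataclass
class DeluserCopy:
    """One DELUSER object file; values assumed transcribed from Fileinfo."""
    subvol: str                      # e.g. "$SYSTEM.SYS01"
    owner: tuple                     # (group, member)
    security: str                    # Guardian RWEP string, e.g. "- - - -"
    licensed: bool
    safeguard_record: bool = False   # Protection Record exists (from Safecom)

def audit(copy, running_sysnn, managers_may_delete=False, safeguard_in_use=False):
    """Return the best-practice ids from the text that this copy violates."""
    rwep = copy.security.replace(" ", "")
    in_sysnn = re.fullmatch(r"\$SYSTEM\.SYS\d\d", copy.subvol)  # nn as two digits
    if in_sysnn and copy.subvol != running_sysnn:
        # Old SYSnn copy: only the lock-down rule applies.
        return [] if rwep == "----" else ["BP-FILE-DELUSER-02"]
    # With Safeguard in use, the text lists the SUPER-only settings.
    delegated = managers_may_delete and not safeguard_in_use
    prefix = "BP*" if delegated else "BP"
    findings = []
    if rwep != ("--A-" if delegated else "----"):
        findings.append(f"{prefix}-FILE-DELUSER-01")
    if copy.licensed != delegated:
        findings.append(f"{prefix}-OPSYS-LICENSE-01")
    if copy.owner != SUPER_SUPER:
        findings.append(f"{prefix}-OPSYS-OWNER-01")
    if not in_sysnn:
        findings.append(f"{prefix}-OPSYS-FILELOC-01")
    if safeguard_in_use and not copy.safeguard_record:
        findings.append("BP-SAFE-DELUSER-01")
    return findings

# Constructed sample data, not taken from a real system.
SAMPLES = [
    DeluserCopy("$SYSTEM.SYS01", (255, 255), "- - A -", licensed=True),
    DeluserCopy("$SYSTEM.SYS00", (255, 255), "- - A -", licensed=True),  # old SYSnn
]

def report(samples, running_sysnn, **policy):
    """Map each copy's subvolume to its list of violated ids."""
    return {c.subvol: audit(c, running_sysnn, **policy) for c in samples}

if __name__ == "__main__":
    result = report(SAMPLES, "$SYSTEM.SYS01", managers_may_delete=True)
    for subvol, ids in result.items():
        print(subvol, ids or "OK")
```

The old SYS00 copy is flagged even though its settings would be acceptable in the running SYSnn under the Group Manager policy, which is the case the RISK note on old SYSnn locations describes.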
Related Topics
Users
Safeguard