Expand Subsystem
The Expand subsystem enables one to connect as many as 255 geographically dispersed HP NonStop servers to create a network with the same reliability as a single node (See Figure 6-7).
Figure 6.7: Expand Network
The components of Expand are:
NCPOBJ
OZEXP
$ZNUP
Expand Profile Templates
NCPOBJ
The Expand line handler manager process runs as $NCP and must be running to communicate via Expand. The network control process ($NCP) is responsible for:
Initiating and terminating node-to-node connections
Maintaining the network- related system tables, including routing information
Calculating the most efficient way to transmit data to other nodes in the network
Monitoring and logging changes in the status of the network and its nodes
Informing the network control processes at neighbor nodes of changes in line or Expand line-handler process status (for example, lines UP or DOWN)
Informing Expand line-handler processes when all paths are DOWN
The network control process, $NCP, is a process in each node of an Expand network and is always logical device #1.
RISK The process $NCP must be running for Expand to communicate between systems. Normally it is started when the system is cold loaded and remains running.
AP-ADVICE-EXPAND-01 Only SUPER.SUPER should be allowed to start and stop $NCP.
OZEXP
The Expand line handler manager process runs as $ZEXP and must be running to communicate via Expand software.
The $ZEXP process provides the interface between the Expand subsystem and the Subsystem Control Point (SCP). The Expand manager process directs SCF commands to the appropriate Expand line-handler process and forwards responses from Expand line-handler processes to the appropriate user .
RISK The process $ZEXP must be running for Expand software to communicate between systems. Normally it is started when the system is cold started and remains running.
RISK Only SUPER.SUPER should be allowed to start and stop $ZEXP.
$ZNUP
$NCP uses services provided by the network utility process, $ZNUP. $ZNUP is a part of the NonStop operating system and answers requests for system information, either local or remote. System information may include device, line, processes, traffic and other system status requests .
The network utility process, $ZNUP, is a process in each node of an Expand network and is always logical device #4.
Expand Profile Templates
Expand software stores configuration information in a series of files of named PEXP* and identified by a file code of 832.
RISK Only SUPER.SUPER should be allowed to access these files.
Securing Expand Components
BP-PROCESS-NCPOBJ-01 $NCP process should be running.
BP-FILE-EXPAND-01 NCPOBJ should be secured "UUCU".
BP-OPSYS-OWNER-01 NCPOBJ should be owned by SUPER.SUPER.
BP-OPSYS-FILELOC-01 NCPOBJ must reside in $SYSTEM.SYSnn.
BP-PROCESS-OZEXP-01 $ZEXP process should be running.
BP-FILE-EXPAND-02 OZEXP should be secured "UUCU".
BP-OPSYS-LICENSE-01 OZEXP must be LICENSED.
BP-OPSYS-OWNER-01 OZEXP should be owned by SUPER.SUPER.
BP-OPSYS-FILELOC-01 OZEXP must reside in $SYSTEM.SYSnn.
BP-FILE-EXPAND-03 Files of file code 832 should be secured "CUCU".
BP-OPSYS-OWNER-01 Files of file code 832 should be owned by SUPER.SUPER.
If available, use Safeguard software or a third party object security product to grant access to Expand object files only to users who require access in order to perform their jobs.
BP-SAFE-EXPAND-01 to 02 Add a Safeguard Protection Record to grant appropriate access to the NCPOBJ object file.
| Discovery Questions | Look Here: | |
|---|---|---|
| FILE-POLICY | Is Expand used to network systems together? | Policy |
| PROCESS-NCPOBJ-01 | Is the $NCP process running? | Status |
| PROCESS-OZEXP-01 I | s the $ZEXP process running? | Status |
| OPSYS-OWNER-01 | Who owns the NCPOBJ object file? | Fileinfo |
| OPSYS-OWNER-01 | Who owns the OZEXP object file? | Fileinfo |
| OPSYS-LICENSE-01 | Is the OZEXP object file licensed? | Fileinfo |
| FILE-POLICY | Who is allowed to manage the Expand network on the system? | Policy |
| FILE-EXPAND-01 | Is the NCPOBJ object file correctly secured with the Guardian or Safeguard system? | Fileinfo Safecom |
| FILE-EXPAND-02 | Is the OZEXP object file correctly secured with the Guardian or Safeguard system? | Fileinfo Safecom |
| FILE-EXPAND-03 | Are the configuration files of file code 832 secured correctly? | Fileinfo |
