NSKCOM System Utility
NSKCOM is the command interface to manage the Kernel-Managed Swap Facility (KMSF).
The KMSF manages virtual memory. When all physical memory has been allocated and more memory is needed, data that is not currently in use is stored on disk. Pages of memory are "swapped," or copied , to disk when there is a shortage of available physical memory and are swapped back to physical memory when the data is accessed. When swapped to disk, the data is stored in "swap files."
The HP NonStop operating system opens one or more swap files for each processor and manages the files for all the processes needing them. A kernel-managed swap file is only opened once and is then available to all the processes running in the processor. Conventional swap files, which are defined by the calling process rather than the system, must be opened and closed by the system monitor on each process creation and deletion.
The components of the KMSF subsystem are:
NSKCOM
ZSYSCFG
Managed Swap Files
NSKCOM
Internal security to NSKCOM allows only SUPER Group members to change the KMSF configuration by adding, stopping use of, or deleting swap space through the NSKCOM interface.
ADD
ALTER
DELETE
START
STOP
RISK If managed space is used, it should be monitored on a regular basis to ensure appropriate amounts of swap space are made available to processes.
3P-OBJSEC-NSKCOM-01 If a third party product is used to grant access to NSKCOM running as a SUPER Group userid , these commands should be denied to all users other than the system managers.
ZSYSCFG File
The swap files names and characteristics are stored in the ZSYSCFG file. This file is updated using the NSKCOM interface.
Information in the ZSYSCFG file is stored for the volumes that use managed swap space.
RISK The ZSYSCFG file must be accessible to the users that have the ability to run the NSKCOM program for management purposes. If other users have access to update or delete the ZSYSCFG file the file could be corrupted or deleted.
 |
KMS.SWAPFILE = 0 $SYSTEM.ZSYSSWAP.CPU0A KMS.SWAPFILE = 1 $SYSTEM.ZSYSSWAP.CPU1A KMS.SWAPFILE = 1 $DSMSCM.SYSPRSWP.CPU01 KMS.SWAPFILE = 0 $DSMSCM.SYSPRSWP.CPU00
| |
Managed SWAP Files
The swap files named in the ZSYSCFG file are created by NSKCOM. Kernel- managed swap files are created with file code of 405.
AP-ADVICE-NSKCOM-01 Any managed swap files should only be accessible to the SUPER Group who manages KMSF.
Securing NSKCOM
BP-FILE-NSKCOM-01 NSKCOM should be secured "UUCU".
BP-OPSYS-LICENSE-01 NSKCOM must be LICENSED.
BP-OPSYS-OWNER-01 NSKCOM should be owned by SUPER.SUPER.
BP-OPSYS-FILELOC-01 NSKCOM must reside in $SYSTEM.SYSnn.
BP-FILE-NSKCOM-02 ZSYSCFG should be secured "NUCU".
BP-OPSYS-OWNER-02 ZSYSCFG should be owned by SUPER.SUPER.
BP-OPSYS-FILELOC-02 ZSYSCFG must reside in $SYSTEM.SYSTEM.
BP-FILE-NSKCOM-03 Files of file code 405 should be secured "OOOO".
BP-OPSYS-OWNER-03 Files of file code 405 should be owned by SUPER.SUPER.
If available, use Safeguard software or a third party object security product to grant access to NSKCOM object files only to users who require access in order to perform their jobs.
BP-SAFE-NSKCOM-01 Add a Safeguard Protection Record to grant appropriate access to the NSKCOM object file.
| Discovery Questions | Look here: | |
|---|---|---|
| OPSYS-OWNER-01 | Who owns the NSKCOM object file? | Fileinfo |
| OPSYS-OWNER-03 | Who owns the ZSYSCFG file? | Fileinfo |
| OPSYS-LICENSE-01 | Is the NSKCOM object file licensed? | Fileinfo |
| FILE-POLICY | Who is allowed to execute NSKCOM on the system? | Policy |
| FILE-NSKCOM-01 | Is the NSKCOM object file correctly secured with the Guardian or Safeguard system? | Fileinfo Safecom |
| FILE-NSKCOM-02 | Is the ZSYSCFG file secured correctly? | Fileinfo |
| FILE-NSKCOM-03 | Are the swap files referenced in the ZSYSCFG secured correctly? | Fileinfo |
