PAKUNPAK User Programs
PAK/ UNPAK User Programs
The PAK and UNPAK utilities perform compression and decompression on HP NonStop server files. Once the data is compressed it can be archived, moved, or downloaded to a remote system.
PAK
PAK compresses files into a single unstructured file of File Code 1729. It can also compress into a self-extracting file and the resultant file is a File Code 700.
BACKUP and PAK require READ access to perform the file read function.
PAK uses the BACKUP program to read and process the files, so the options are similar to BACKUP. Likewise, the risks are similar to BACKUP.
RISK If the BACKUP program is accessible to general users, files containing sensitive data could be backed up and restored under their userid .
RISK Compressed files, especially those using the self-extracting option (File Code = 700), are very difficult to distinguish from normal native object files. Therefore, the security of these files is difficult to control.
UNPAK
UNPAK decompresses a paked file or self-extracting file into a subvolume.
UNPAK uses the RESTORE program to read the Paked file and process the file, so the options are similar to RESTORE. Likewise, the risks are similar to RESTORE.
RISK Compressed files can be moved to a system with less security and uncompressed to allow unauthorized access to the data.
RISK Compressed files can be restored, overwriting existing files using RESTORE parameters.
RISK Since Paked files can contain sensitive data, protection of the utilities that can read or copy the data is a security risk.
AP-UNPAK-ADVICE-01 Unpaking should only be done by authorized personnel.
RISK The RESTORE MYID parameter can be used to change the security of the unpaking files to the userid running UNPAK. This gives that userid full access to the unpaked files.
RISK If the UNPAK and RESTORE programs are accessible to general users, files containing sensitive data could be retrieved from a tape and restored under their userid.
Securing PAK/UNPAK
BP-FILE-PAK-01 PAK should be secured "UUNU".
BP-OPSYS-OWNER-02 PAK should be owned by SUPER.SUPER.
BP-OPSYS-FILELOC-02 PAK resides in $SYSTEM.SYSTEM.
BP-FILE-PAK-02 UNPAK should be secured "UUNU".
BP-OPSYS-OWNER-02 UNPAK should be owned by SUPER.SUPER.
BP-OPSYS-FILELOC-02 UNPAK must reside in $SYSTEM.SYSTEM.
BP-FILE-PAK-03 File Code 1729 PAK archives should be secured "OOOO".
BP-FILE-PAK-04 File Code 700 PAKed executables should be secured "OOOO".
If available, use Safeguard software or a third party object security product to grant access to PAK/UNPAK object files to necessary personnel, and deny access to all other users.
BP-SAFE-PAK-01 Add a Safeguard Protection Record to grant appropriate access to the PAK object file.
BP-SAFE-PAK-02 Add a Safeguard Protection Record to grant appropriate access to the UNPAK object file.
| Discovery Questions | Look here: | |
|---|---|---|
| FILE-POLICY | Is there any need to use PAK conversions? | Policy |
| OPSYS-OWNER-02 | Who owns the PAK object file? | Fileinfo |
| OPSYS-OWNER-02 | Who owns the UNPAK object file? | Fileinfo |
| FILE-POLICY | Who is allowed to execute PAK/UNPAK on the system? | Policy |
| FILE-PAK-01 | Is the PAK object file correctly secured with the Guardian or Safeguard system? | Fileinfo Safecom |
| FILE-PAK-02 | Is the UNPAK object file correctly secured with the Guardian or Safeguard system? | Fileinfo Safecom |
| FILE-PAK-03 | Are the File Code 1729 files secured correctly? | Fileinfo |
| FILE-PAK-04 | Are the File Code 700 PAKed executable files secured correctly? | Fileinfo |
Related Topics
BACKUP
RESTORE
