Safeguard Subsystem


This section is concerned with securing the Safeguard subsystem itself. See Part 2, Configuring the Safeguard Subsystem for information on using Safeguard to secure the system.

Security Considerations of Safeguard Software Installation

There are two methods of installing Safeguard. The method determines how Safeguard software can be started and stopped once it is installed.

  1. Safeguard is manually started after the system is loaded and can be stopped without stopping the system. This method requires that Safeguard software be configured only in the CONFTEXT file for the current operating system.

Because the Safeguard subsystem is not included in the OSIMAGE file, the SMP must be manually started.

RISK Because Safeguard software is not automatically loaded, it is possible for the system to execute without the security rules being enforced.

  2. Safeguard software is started automatically and runs continuously from the time the system is loaded until the time it is stopped. This method requires that Safeguard software be configured in the CONFTEXT file and SYSGEN run to include it in the OSIMAGE file.

RISK If the Safeguard subsystem is included in the OSIMAGE file, it is started automatically when the system is loaded and it cannot be stopped without stopping the system.

If Safeguard software is included in the OSIMAGE file or Safeguard is started as part of the CIIN file, the following precautions must be taken:

AP-SAFE-CONFIG-01 To recover from an inadvertent security lockout without performing a tape load, keep a 'backup' OSIMAGE file in a backup SYSnn subvolume on $SYSTEM. This backup OSIMAGE file must not include either Safeguard software or a CIIN file.

RISK If Safeguard software is included with system generation and AUDIT SERVICE is configured to DENY GRANTS, auditing might be suspended during the cold load and Safeguard software will deny all access attempts.

AP-SAFE-CONFIG-02 To prevent auditing from being suspended during a system load, ensure before shutting the system down that the current audit pool resides on a disk that is connected to the same CPU as the $SYSTEM disk. Once the Cold Load is complete, reconfigure Safeguard software to use the correct audit pool.

Please refer to the section on Configuring AUDIT SERVICE RECOVERY Mode.

Safeguard Subsystem Components

The Safeguard Subsystem is made up of:

Safeguard Audit files

Safeguard Configuration Files

Safeguard Object Files

Safeguard Audit Files

Safeguard audit files reside in audit pools (subvolumes). These audit pools are managed using the Safeguard AUDIT POOL commands. The filecode of Safeguard audit files is 541.

The Safeguard audit file naming convention is Annnnnnn, where n is an incrementing number between 0 and 999999.

RISK If users have WRITE or PURGE access to Safeguard audit files, they could potentially alter or delete the files to hide malicious activities.

Safeguard Configuration Files

The Safeguard configuration files are:

| File | Filecode | Contents |
| --- | --- | --- |
| CONFIG | 545 | Safeguard global settings |
| CONFIGA | 546 | Safeguard global settings, alternate key file |
| GUARD | 542 | VOLUME, SUBVOLUME and DISKFILE ACLs |
| LUSERID | 540 | Safeguard User File for Aliases |
| LUSERIDG | 540 | Safeguard User File for Aliases, alternate key file |
| USERID | 540 | User Records, for both Safeguard and non-Safeguard environments, located on $SYSTEM.SYSTEM. |
| USERIDAK | 540 | User Records, for both Safeguard and non-Safeguard environments, located on $SYSTEM.SYSTEM. |
| OTHER | 542 | Protection Records for all objecttypes other than VOLUME, SUBVOLUME, and DISKFILE |

RISK Safeguard software and only Safeguard software maintains its configuration files. If other users can alter these files, they can override company security settings.

Safeguard Object Files

The Safeguard object files are:

| File | Process Name | Contents |
| --- | --- | --- |
| OSMON | $ZSnn (one per CPU) | Security Monitor: authorizes access to protected objects and generates audits |
| OSMP | $ZSMP | Safeguard Manager: manages databases, performs user authentications and manages OSMON processes |
| SAFECOM | | Safeguard Command Interpreter for Safeguard software |
| SAFEART | | Audit record reporting tool |

RISK Only SUPER.SUPER should be able to STOP, ALTPRI or START the $ZSMP process. If other users can STOP Safeguard software, either the majority of users will be denied access to objects that they should be able to access, or the majority of users will be granted access to objects that they should not be able to access.

RISK Only SUPER.SUPER should be able to STOP, ALTPRI or START the $ZS## processes. If other users can STOP Safeguard software, either the majority of users will be denied access to objects that they should be able to access, or the majority of users will be granted access to objects that they should not be able to access.

Securing Safeguard Components

SAFECOM Commands With Security Implications

Several SAFECOM commands pose security risks:

ADD

ALTER

DELETE

If a third party access control product is used to grant selected users access to SAFECOM running as SECURITY.ADMIN or SUPER.SUPER, the sensitive commands should only be granted to the appropriate users and denied to all others.

3P-ACCESS-SAFEGUARD-01 Use a third party access control product to grant access to users responsible for using SAFECOM commands as SUPER.SUPER.

BP-FILE-SAFEGARD-01 Safeguard audit files should be secured "? - - -".

BP-OPSYS-OWNER-03 Safeguard audit files should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-03 Safeguard audit files reside in $SYSTEM.SAFE.

BP-FILE-SAFEGARD-02 CONFIG should be secured "UUUU".

BP-OPSYS-OWNER-03 CONFIG should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-03 CONFIG resides in $SYSTEM.SAFE

BP-FILE-SAFEGARD-03 CONFIGA should be secured "UUUU".

BP-OPSYS-OWNER-03 CONFIGA should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-03 CONFIGA resides in $SYSTEM.SAFE

BP-FILE-SAFEGARD-04 GUARD should be secured "UUUU".

BP-OPSYS-OWNER-03 GUARD should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-03 GUARD resides in $<volume>.SAFE

BP-FILE-SAFEGARD-05 LUSERID should be secured "- - - -".

BP-OPSYS-OWNER-03 LUSERID should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-03 LUSERID resides in $SYSTEM.SAFE

BP-FILE-SAFEGARD-06 LUSERIDG should be secured "- - - -".

BP-OPSYS-OWNER-03 LUSERIDG should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-03 LUSERIDG resides in $SYSTEM.SAFE

BP-FILE-SAFEGARD-07 OTHER should be secured "UUUU".

BP-OPSYS-OWNER-03 OTHER should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-03 OTHER resides in $SYSTEM.SAFE

BP-PROCESS-OSMP-01 The processes $ZSnn should be running.

BP-FILE-SAFEGARD-08 OSMON should be secured "UUUU".

BP-OPSYS-OWNER-01 OSMON should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-01 OSMON must reside in $SYSTEM.SYSnn.

BP-PROCESS-OSMP-01 The process $ZSMP should be running.

BP-FILE-SAFEGARD-09 OSMP should be secured "UUUU".

BP-OPSYS-LICENSE-01 OSMP must be LICENSED.

BP-OPSYS-OWNER-01 OSMP should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-01 OSMP must reside in $SYSTEM.SYSnn.

BP-FILE-SAFEGARD-10 SAFEART should be secured "UUNU".

BP-OPSYS-OWNER-01 SAFEART should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-01 SAFEART must reside in $SYSTEM.SYSnn.

BP-FILE-SAFEGARD-11 SAFECOM should be secured "UUNU".

BP-OPSYS-OWNER-01 SAFECOM should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-01 SAFECOM must reside in $SYSTEM.SYSnn.

If available, use Safeguard software or a third party object security product to grant access to Safeguard components only to users who require it in order to perform their jobs.

BP-SAFE-SAFEGARD-01 Add a Safeguard SUBVOLUME Protection Record to grant appropriate access to the $SYSTEM subvolume.

BP-SAFE-SAFEGARD-02 Add a Safeguard Protection Record to grant appropriate access to the SAFEART object file.

BP-SAFE-SAFEGARD-03 Add a Safeguard Protection Record to grant appropriate access to the SAFECOM object file.
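
The ownership, security-string and filecode values above can be checked mechanically. The following Python check is an added example, not code from the book or from the Safeguard product: the listing format (name, filecode, owner, security string) and the sample rows are constructed for illustration and are not real FILEINFO output, and the "?" in the audit-file security string is treated as a position that is not checked, which is an assumption.

```python
import re

# Baseline from this page's BP items: name -> (security string, filecode or None).
BASELINE = {
    "CONFIG": ("UUUU", 545), "CONFIGA": ("UUUU", 546), "GUARD": ("UUUU", 542),
    "OTHER": ("UUUU", 542), "LUSERID": ("----", 540), "LUSERIDG": ("----", 540),
    "OSMON": ("UUUU", None), "OSMP": ("UUUU", None),
    "SAFEART": ("UUNU", None), "SAFECOM": ("UUNU", None),
}
AUDIT_NAME = re.compile(r"^A\d{7}$")  # Annnnnnn naming convention
AUDIT_RULE = ("?---", 541)            # "?" = position not checked (assumption)
OWNER = "SUPER.SUPER"

# Constructed sample listing: name, filecode, owner, security string (RWEP).
SAMPLE = """
CONFIG    545  SUPER.SUPER  UUUU
GUARD     542  SUPER.SUPER  NUUU
LUSERID   540  SUPER.SUPER  - - - -
OTHER     542  OPS.MGR      UUUU
A0000012  541  SUPER.SUPER  N---
A0000013  541  SUPER.SUPER  NCCO
"""

def parse(listing):
    """Yield (name, filecode, owner, rwep) tuples from the constructed format."""
    for line in listing.strip().splitlines():
        name, code, owner, rwep = line.split(None, 3)
        yield name.upper(), int(code), owner.upper(), rwep.replace(" ", "").upper()

def matches(actual, expected):  # "?" in expected skips that position
    return len(actual) == len(expected) and all(
        e == "?" or a == e for a, e in zip(actual, expected))

def audit(listing):
    """Return (file, attribute, observed value) for every deviation found."""
    findings = []
    for name, code, owner, rwep in parse(listing):
        rule = BASELINE.get(name) or (AUDIT_RULE if AUDIT_NAME.match(name) else None)
        if rule is None:
            continue  # not a Safeguard component listed on this page
        if owner != OWNER:
            findings.append((name, "owner", owner))
        if not matches(rwep, rule[0]):
            findings.append((name, "security", rwep))
        if rule[1] is not None and code != rule[1]:
            findings.append((name, "filecode", code))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

On the sample rows it reports the GUARD security string, the OTHER owner, and the audit file A0000013, whose WRITE and PURGE positions are not "-". File location and the OSMP license flag are not covered by this check.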

Discovery Questions

| ID | Question | Look here: |
| --- | --- | --- |
| FILE-POLICY | Is Safeguard software used to protect resources? | Policy |
| PROCESS-OSMON-01 | Are the $ZSnn processes running? | Status |
| PROCESS-OSMP-01 | Is the $ZSMP process running? | Status |
| OPSYS-OWNER-03 | Who owns the Safeguard Audit files? | Fileinfo |
| OPSYS-OWNER-03 | Who owns the CONFIG file? | Fileinfo |
| OPSYS-OWNER-03 | Who owns the CONFIGA file? | Fileinfo |
| OPSYS-OWNER-03 | Who owns the GUARD file? | Fileinfo |
| OPSYS-OWNER-03 | Who owns the LUSERID file? | Fileinfo |
| OPSYS-OWNER-03 | Who owns the LUSERIDG file? | Fileinfo |
| OPSYS-OWNER-03 | Who owns the OTHER object file? | Fileinfo |
| OPSYS-OWNER-01 | Who owns the OSMON object file? | Fileinfo |
| OPSYS-OWNER-01 | Who owns the OSMP object file? | Fileinfo |
| OPSYS-OWNER-01 | Who owns the SAFEART object file? | Fileinfo |
| OPSYS-OWNER-01 | Who owns the SAFECOM object file? | Fileinfo |
| OPSYS-LICENSE-01 | Is the OSMP object file licensed? | Fileinfo |
| FILE-SAFEGARD-01 SAFE-SAFEGARD-01 | Are all Safeguard audit files correctly secured with the Guardian or Safeguard system? | Fileinfo, Safecom |
| FILE-SAFEGARD-02 | Is the CONFIG file correctly secured with the Guardian or Safeguard system? | Fileinfo, Safecom |
| FILE-SAFEGARD-03 | Is the CONFIGA file correctly secured with the Guardian or Safeguard system? | Fileinfo, Safecom |
| FILE-SAFEGARD-04 | Is the GUARD file correctly secured with the Guardian or Safeguard system? | Fileinfo, Safecom |
| FILE-SAFEGARD-05 | Is the LUSERID file correctly secured with the Guardian or Safeguard system? | Fileinfo, Safecom |
| FILE-SAFEGARD-06 | Is the LUSERIDG file correctly secured with the Guardian or Safeguard system? | Fileinfo, Safecom |
| FILE-SAFEGARD-07 | Is the OTHER file correctly secured with the Guardian or Safeguard system? | Fileinfo, Safecom |
| FILE-SAFEGARD-08 | Is the OSMON object file secured correctly? | Fileinfo |
| FILE-SAFEGARD-09 | Is the OSMP object file secured correctly? | Fileinfo |
| FILE-SAFEGARD-10 SAFE-SAFEGUARD-02 | Is the SAFEART object file correctly secured with the Guardian or Safeguard system? | Fileinfo, Safecom |
| FILE-SAFEGARD-11 SAFE-SAFEGUARD-03 | Is the SAFECOM object file correctly secured with the Guardian or Safeguard system? | Fileinfo, Safecom |

Related Topics

User Administration

Safeguard subsystem




HP NonStop Server Security 2004
ISBN: 159059035X
EAN: N/A
Year: 2004
Pages: 157