

COMMUNICATOR 3000/XL XL RELEASE 3.0

Enhanced System Security 

by Dennis Lee/Tho Le/Bill Taylor/Brian O'Connor/Thomas Shem/Marian 
Cochran 
Commercial Systems Division 

This release of MPE XL includes enhanced system security equivalent to
features available on MPE V/E (G.03.04).  The features are in the areas
of file and device access control, logon access and batch submission, and
system auditing.

File and Device Access Control:

   *   Access Control Definitions (ACDs) on files.

   *   ACDs on configured devices (terminal, tape drive,

Logon and Batch Submission:

   *   PASSWORD command.

   *   Password prompting for needed passwords.

   *   Better batch submission audit trail.

System Auditing:

   *   New record types (stream job, password change, process initiation,
       user logging, restore, ACD changes, printer access failure, system
       configuration).

   *   Added user identification fields in some existing

FILE AND DEVICE ACCESS CONTROL 

Access Control Definitions (ACDs) have been implemented on MPE XL for
securing files and devices.  Each file or device can optionally have an
attached ACD that specifies who can or cannot access the file or device.

Different parts of MPE XL have changed with the introduction of ACDs.
Some commands have been enhanced to allow manipulation or listing of ACDs
(ALTSEC, LISTF and SHOWDEV). There are two new intrinsics that can be
used to manipulate ACDs programmatically (HPACDPUT and HPACDINFO). The
following subsystems have also been enhanced to recognize ACDs:
STORE/RESTORE, FCOPY, and SPFXFER. These changes are very similar to the
enhancements made in MPE V/E V-Delta-4 (G.03.04).

ACD Overview 

ACDs can be associated with files and devices.  An ACD consists of a list
of users and the access modes those users are granted for that file or
device.  Each entry in the list is termed the userspec/mode pair.

If you are the creator of the file MYFILE, you may create an ACD for that
file that could look like the following:

(W : JOHN.FINANCE; R : @.FINANCE)

This ACD would grant write access to JOHN.FINANCE and read access to
everyone in the FINANCE account.  No other user can access the file
except the owner (file creator, account manager, and system manager).

Besides the file creator, the Account Manager (AM of the account where
the file resides) and System Manager (SM) can also create, modify or
delete file ACDs.  The System Manager can create and manipulate ACDs for
devices.

A new type of access mode has been introduced to support ACDs.  RACD
(Read ACD) access allows a user to read and copy the ACD. This access
mode can be included in the ACD (e.g., R,RACD:@.TECHACCT).

ACD Security Policy 

Only the owner of a file or device can create and change the ACD for that
file or device.  For a file, the owners are the file creator, the account
manager (AM) of the account where the file resides, and the system
manager (SM). For devices, the owner of all devices is the system manager
(SM). The owners, by definition, have all access to the object.

When an ACD is attached to an object, it solely determines the access to
the object.  In other words, the ACD overrides the existing file security
mechanisms such as release/secure, file lockwords, and account, group and
file level attributes.  For devices, ACDs override the ND capability check.
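As an added example (not code from the Communicator or from MPE itself), the following Python models the ACD Overview and ACD Security Policy sections: it parses the "(mode : user.account; ...)" syntax shown above and applies the two rules stated here, that owners (creator, AM of the file's account, SM) always have full access and that an attached ACD otherwise solely decides. The account-position "@" wildcard and passing AM/SM capabilities as a set are assumptions; the 40-entry limit is the MPE XL figure given later on this page.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed example in the ACD syntax shown above; "@" in the user position
# means every user of that account (treating "@" in the account position the
# same way is an assumption of this example, not something the page states).
SAMPLE_ACD = "(W : JOHN.FINANCE; R,RACD : @.FINANCE)"

def parse_acd(text: str):
    """Parse '(modes : user.account; ...)' into (modes, user, account) entries."""
    body = text.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("an ACD must be enclosed in parentheses")
    entries = []
    for pair in filter(None, (p.strip() for p in body[1:-1].split(";"))):
        modes, sep, userspec = pair.partition(":")
        user, dot, account = userspec.strip().upper().partition(".")
        if not sep or not dot or not user or not account:
            raise ValueError(f"malformed userspec/mode pair: {pair!r}")
        entries.append(({m.strip().upper() for m in modes.split(",") if m.strip()}, user, account))
    if len(entries) > 40:  # MPE XL limit (20 on MPE V/E)
        raise ValueError("more than 40 ACD entries")
    return entries

def acd_permits(entries, user: str, account: str, mode: str) -> bool:
    """ACD-only decision: True when some entry matching user.account grants mode."""
    user, account, mode = user.upper(), account.upper(), mode.upper()
    return any(mode in modes and pu in ("@", user) and pa in ("@", account)
               for modes, pu, pa in entries)

@dataclass
class FileObject:
    name: str
    creator: str            # "USER.ACCOUNT" of the file creator
    account: str            # account in which the file resides
    acd: Optional[str]      # None means no ACD is attached

def is_owner(obj: FileObject, user: str, account: str, caps: set) -> bool:
    """Owners: the creator, the AM of the file's account, and any SM user."""
    ident = f"{user}.{account}".upper()
    return (ident == obj.creator.upper()
            or ("AM" in caps and account.upper() == obj.account.upper())
            or "SM" in caps)

def can_access(obj: FileObject, user: str, account: str, caps: set, mode: str):
    """Owners always have all access; otherwise the ACD alone decides (None = no ACD)."""
    if is_owner(obj, user, account, caps):
        return True
    if obj.acd is None:
        return None  # traditional lockword/attribute checks apply; not modelled here
    return acd_permits(parse_acd(obj.acd), user, account, mode)
```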

Manipulating ACDs through Commands 

ACDs can be created, modified, and deleted using the ALTSEC command.
This command can also be used to copy an ACD from one object to another.

To see the contents of an ACD, the LISTF and LISTFILE commands can be used
for files; the SHOWDEV command can be used for devices.

Manipulating ACDs through Intrinsics 

Programmatic query and manipulation of ACDs is accomplished through the
use of the HPACDINFO, HPACDPUT, and HPFOPEN intrinsics.

HPACDINFO allows a program to obtain information regarding an ACD's
number of entries, version identification, and identity of the first user
in the access list.  For each individual entry, information that can be
obtained includes the specified user's access modes and the next user
identity in the list.

HPACDPUT allows a program to create, delete and copy entire ACDs for
specified objects.  Additionally, user specification/mode pairs can be
added, replaced or deleted.

Additionally, a new option, HOP_OPTION_ACD (= 64), has been added to the
list of options for the HPFOPEN intrinsic.  This option allows the caller
to specify an ACD specification to be applied to the new file which is
created by the HPFOPEN call.  This option is only legal for new files.

STORE/RESTORE Changes to Support ACDs 

STORE/RESTORE has been enhanced to allow files to be stored or restored
with their ACDs. Two new optional keywords ;COPYACD and ;NOACD have been
added.  These keywords apply to both STORE and RESTORE. The default is
;COPYACD. (Note that it is different from MPE V/E, where the default is
to store/restore the files without ACDs).  Unless ;NOACD is specified,
ACDs will be stored or restored with the files, and the operation will
fail if the user is not allowed RACD access.

The ;TRANSPORT option, used in conjunction with ;COPYACD, allows files
and their ACDs to be transported from MPE V/E to MPE XL and vice versa.
This option is fully compatible with MPE V/E STORE/RESTORE, where only
one ACD keyword ;COPYACD is recognized, and the default is no ACDs.

FCOPY Changes to Support ACDs 

FCOPY is also enhanced to allow copying of the ACD together with the
content of the file.  Two new keywords ;COPYACD and ;NOACD are available
for this purpose.  ;COPYACD is the default for FCOPY. When ;NOACD is
specified, only the contents of the from file are copied to the to file.
Warnings for ;COPYACD operation will be generated only if the user has
specified ;COPYACD.

ACDs on MPE XL versus MPE V/E: Key Differences 

Although ACDs in MPE XL are the same as those in MPE V/E, there are some
differences between the two versions, as noted below:

   *   The maximum number of ACD entries (pairs) has been increased to 40
       in MPE XL. In MPE V/E, this number is 20.

   *   Unlike in MPE V/E where device ACDs are permanent until changed,
       device ACDs in MPE XL do not survive across system startups.  This
       is because configuration may change at any startup.  To keep the
       same device ACDs, ALTSEC command can be used in the SYSSTART file
       to create the ACDs at every startup.

   *   Internally, MPE XL ACDs are kept in the File Label Table, a disk
       data structure of MPE XL. In MPE V/E, by contrast, an ACD is
       physically part of the file (kept in the file's pseudo extent).
       On MPE XL, REPORT and LISTF do not show the ACD disk space as being
       associated with the files or group to which the ACD is attached.

   *   File wildcards can be used with the ALTSEC command in MPE XL to
       manipulate the ACDs for multiple files.  This feature is not
       implemented on MPE V/E (only one file at a time).

   *   HPACDPUT and HPACDINFO intrinsics are fully compatible with those
       in MPE V/E. However, additional options are added to allow users
       to specify a file by the Unique File Descriptor (UFID), and to
       specify a device by device name.

   *   When spoolfiles are transferred from MPE V/E to MPE XL using
       SPFXFER program, if the file creator does not have access to the
       printer device, the spoolfile is put in defer state.

LOGON AND BATCH SUBMISSION 

Three new FOS logon and batch submission features are now available:

   *   A new PASSWORD command.

   *   Enhanced password prompting.

   *   Job submitter banner.

These new MPE XL features are similar to features already available in
MPE V/E.

Password Command 

A new PASSWORD command allows users to change their user passwords.
Before the introduction of this FOS command, only account or system
managers could manipulate user passwords.  The PASSWORD command conducts
a prompted dialogue that re-authenticates the user's identity, requests the
new user password, and requests verification of this new password.  Character
echo is disabled during this prompted dialogue so that passwords are not
compromised by being displayed as users enter them.  A user's identity is
re-authenticated only if the current user password is non-blank.
Programs may execute the PASSWORD command programmatically as long as the
program is executing within an interactive session whose $STDIN and
$STDOUT have not been redirected.

The MPE XL PASSWORD command is upwardly compatible with the MPE V/E
PASSWORD command, but differs from the V/E command in three ways.  First,
user passwords are changed only when the new password is different from
the old password.  Secondly, the MPE XL PASSWORD command is
programmatically executable.  Thirdly, the MPE XL Command Interpreter's
HPTIMEOUT value is enforced while waiting for user input.

Enhanced Logon Password Prompting 

Logon password prompting has been enhanced in two ways.  The first
enhancement is that all password prompts will contain the account, user, or
group name.  For example, the logon prompt requesting the user password
associated with the MANAGER.SYS user ID will be ENTER USER (MANAGER) 
PASSWORD:.  The second enhancement is that the password prompting that
currently occurs for the HELLO and CHGROUP commands will be extended to the
following:
   *   STARTSESS commands within sessions

   *   STARTSESS intrinsic calls in program executing within sessions

   *   STREAM commands within sessions; prompting will occur for each
       first-level JOB and DATA

Allowing passwords to be omitted from job files will help reduce the risk
of password compromise.

Job Submitter Banner 

The job submitter banner information displayed to $STDLIST is the date
and time the job was submitted, the job submitter's user identity
(user.account), job/session number, and logon device number.  This banner
is displayed between the logon banner and the welcome message in the
format:

     STREAMED BY jsname,user.account (#jsnum) ON LDEV# ... 
        STREAM DATE:   day, mmm dd, yyyy,  hh:mm AM/PM 

An example of this banner format is:

     STREAMED BY BACKUP,OPERATOR.SYS (#S73) ON LDEV# 20 
        STREAM DATE:   MON, JUN 29, 1989, 12:35 PM 

The job submitter information is kept in a new data segment (DST #61).
The file that preserves this DST on disk is called DSTJSEC.PUB.SYS.

SYSTEM LOGGING 

The enhancements to the system logging function on MPE XL provide
system managers with more latitude when conducting system audits.
System logging includes enhancements in the following areas: new
logging events, a new 'auditability by named user' function, and new
data appended to some existing logging events.

New Logging Events 

Eight new logtypes provide additional auditing information.  The new
system logging events are:

   *   Logging of password changes is added as log type 134.  It can be
       activated to record USER, GROUP, and ACCOUNT password change
       events.

   *   Logging of system logging configuration is added as log type 135.
       It records the current system logging configuration.

   *   Logging of restore is added as log type 136.  It records
       restoration of files onto the HP 3000.

   *   Logging of printer access failures is added as log type 137.  It
       allows the system manager to audit failures in attaching
       spoolfiles to printers.

   *   Logging of ACD changes is added as log type 138.  It records all
       ACD creations, alterations, and deletions.

   *   Logging of stream initiation is added as log type 139.  It allows
       the system manager to know who streams or tries to stream a job.

   *   Logging of user logging is added as log type 140.  It records all
       OPENLOG and CLOSELOG intrinsic calls.

   *   Logging of process initiation is added as log type 141.  It
       provides information for tracing the creation of processes on the
       system.

Auditability by Named User 

The "auditability by named user" feature enables a system manager to
selectively audit the actions of one or more users based on individual
identity.  To do this the LOGTOOL utility has been modified to select
security relevant log records from the system log files.  System managers
define a named user by specifying (via the LIST command) a job/session
name, user name, and/or account name.  Security relevant events are then
selected from the following logging events:

   *   job initiation (type 102)

   *   job termination (type 103)

   *   process termination (type 104)

   *   file close (type 105, 160)

   *   spooling log (type 108)

   *   physical mount/dismount (type 112)

   *   logical mount/dismount (type 113)

   *   tape labels (type 114)

   *   console log (type 115)

   *   program file event (type 116)

   *   New Commercial Spooling (type 120)

   *   architecture interface (type 130)

   *   password change (type 134)

   *   system logging configuration (type 135)

   *   restore (type 136)

   *   printer access failure (type 137)

   *   ACD change (type 138)

   *   stream initiation (type 139)

   *   user logging access (type 140)

   *   process initiation (type 141)

   *   change group (type 143)

   *   file open (type 144)

   *   command logging (type 145)

Enhancements to Existing Logging Events 

As part of the "auditability by named user" feature several existing log
record types have had additional information appended to them.  The
appended data contains an eight word USER name, an eight word GROUP name,
an eight word ACCOUNT name, and an eight word JOB/SESSION name.  Affected
logging record types are:

   *   job termination (type 103)

   *   process termination (type 104)

   *   physical mount/dismount (type 112)

   *   tape labels (type 114)

   *   console log (type 115)

   *   program file event (type 116)

   *   New Commercial Spooling (type 120)

   *   change group (type 143)

DOCUMENTATION CHANGES 

These security changes have been documented in a Technical Addendum
called MPE XL FOS Security Features (P/N 32650-90297), which you will
receive when you order XL Release 3.0.

These changes have also been included in new editions of the following
manuals:

   *   Performing System Operation Tasks (P/N 32650-90137)

   *   XL Error Message Manual Vol 1 (P/N 32650-90152)

   *   Performing System Management Tasks (P/N 32650-90004)

   *   XL Commands Reference Manual (P/N 32650-90003)

   *   XL Intrinsics Reference Manual (P/N 32650-90028)
