Access Control Definition Security (ACD) [ Accessing Files Programmer's Guide ] MPE/iX 5.0 Documentation


Access Control Definition Security (ACD) 

MPE/iX implements a discretionary access control (DAC) mechanism that is
consistent with the guidelines laid down by the National Computer
Security Center.

The MPE/iX implementation, access control definitions (ACD), is a subset
of the DAC mechanism.  ACDs maintain a list of users and the access modes
that each user has to files and devices.

ACD scope 

An ACD that is associated with a file overrides the classic MPE file
access matrix and lockwords, which are described later in this chapter in
"Traditional Mechanism for File Security".

By associating an ACD with a file or a device, the owner of the file or
device may define which users have access to that file or device and
which modes of access are available to other users.  When a file is
associated with an ACD, the ACD is put into its file label extension.
The ACD contains a list of access modes paired with users.

Owners 

Only those who own a file or a device may associate it with an ACD.

Files.     

The owner of a file is any one of these three users:

   *   The creator of the file with which an ACD is associated

   *   The user who has AM capability in the account in which the file
       resides

   *   The user who has SM capability on the system in which the file
       resides

Devices.     

The System Manager (SM) is the owner of all of the devices on a system.

How ACDs work 

When a user attempts to access a file or to acquire a device, HPFOPEN or
FOPEN is called, and the system makes the following checks:

   *   Is the user an owner of the file or device; that is, is the user
       the creator of the file, the account manager (AM capability) of
       the account where the file resides, or the system manager (SM
       capability)?

       If so, permission is granted, and the checking ends.

   *   If not, is there an ACD associated with the file or device?

          *   If there is no ACD, the system looks for authorization in
              the traditional MPE/iX file access matrix and lockwords.

          *   If there is an ACD, the system searches, in this order, for
              the user:

                 1.  specific names (username.accountname)

                 2.  account groupings (@.accountname)

                 3.  system groupings (@.@)

                     If a match is found, the user can access the device
                     or file--as authorized (read, write, execute, and so
                     on)--and no further checking is done.

                     If there is no match, the user is denied entry, and
                     no further checking is done.

It is important to note that if an ACD exists, the MPE/iX file access
matrix and lockwords are never consulted.

ACD modes 

Any device or file can be paired with an ACD.

An ACD is associated with a file or a device by pairing access modes with
users.  A user is any username.accountname specification.

The modes of access are:

R                     Read
W                     Write
A                     Append
L                     Lock
X                     Execute
NONE                  None
RACD                  Read and copy the ACD permission file

You could define an ACD as follows:

     ACD = (R,W:MGR.ACCTING, DENNIS.LEE; R:@.PAYROLL; A:@.@)

The users MGR.ACCTING and DENNIS.LEE can read and write to the file
associated with this example ACD.  Anyone in the PAYROLL account can read
it, and anyone on the system can append to it.  Thus no one but
MGR.ACCTING, DENNIS.LEE, and the owners can overwrite the file, and only
the owners can lock it.
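The decision sequence from "How ACDs work" (owner check first, then the ACD in the order specific name, @.account, @.@, with the first match deciding) is easy to get wrong when reasoning about an ACD by eye, so here it is as a small model, run against the ACD above and the ALTSEC example ACDs later on this page. This is an added example, not code from the HP manual: it parses ACD strings in the syntax shown on the page and takes the owner facts (creator, AM in the file's account, SM) as caller-supplied inputs rather than querying MPE/iX. The creator names used in the sample run (OWNER.ACCTING) are constructed.

```python
"""Model of the MPE/iX ACD access decision described under "How ACDs work".

Added example, not from the HP manual.  It parses ACD strings in the syntax
shown on the page and takes the owner facts (creator, AM in the file's
account, SM) as caller-supplied inputs instead of querying the system.
"""

# The access modes listed under "ACD modes"
ACCESS_MODES = {"R", "W", "A", "L", "X", "NONE", "RACD"}


def parse_acd(acd):
    """Parse '(R,W:MGR.ACCTING, DENNIS.LEE; R:@.PAYROLL; A:@.@)' into an
    ordered list of (modes, userspec) pairs, one pair per user."""
    body = acd.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    pairs = []
    for entry in body.split(";"):
        if not entry.strip():
            continue
        modes_part, sep, users_part = entry.partition(":")
        if not sep:
            raise ValueError(f"ACD entry lacks 'modes:users': {entry!r}")
        modes = frozenset(m.strip().upper() for m in modes_part.split(","))
        unknown = modes - ACCESS_MODES
        if unknown:
            raise ValueError(f"unknown access mode(s): {sorted(unknown)}")
        for user in users_part.split(","):
            user = user.strip().upper()
            if user.count(".") != 1:
                raise ValueError(f"userspec must be user.account: {user!r}")
            pairs.append((modes, user))
    return pairs


def acd_lookup(pairs, user):
    """Search in the order the page gives: specific name, then @.account,
    then @.@.  The first match decides; broader entries later in the
    order are not consulted.  Returns the matched mode set or None."""
    user = user.upper()
    account = user.split(".")[1]
    for candidate in (user, "@." + account, "@.@"):
        for modes, spec in pairs:
            if spec == candidate:
                return modes
    return None


def check_access(user, mode, creator, acd=None, is_am=False, is_sm=False,
                 matrix_allows=False):
    """Decide one access request.  Returns (granted, reason).

    is_am          user has AM capability in the account where the file resides
    is_sm          user has SM capability on the system
    matrix_allows  what the classic file access matrix/lockword check would
                   say; consulted only when the file has no ACD
    """
    mode = mode.upper()
    # Owners are granted access before any ACD or matrix check
    if is_sm or is_am or user.upper() == creator.upper():
        return True, "owner"
    if acd is None:
        return matrix_allows, "no ACD: file access matrix and lockword"
    modes = acd_lookup(parse_acd(acd), user)
    if modes is None:
        return False, "ACD present, no matching entry"
    if "NONE" in modes:
        return False, "ACD entry grants NONE"
    return mode in modes, "ACD entry"


if __name__ == "__main__":
    acd = "(R,W:MGR.ACCTING, DENNIS.LEE; R:@.PAYROLL; A:@.@)"
    for who, what in [("DENNIS.LEE", "W"), ("CLERK.PAYROLL", "R"),
                      ("CLERK.PAYROLL", "W"), ("GUEST.OTHER", "A")]:
        print(who, what, check_access(who, what, creator="OWNER.ACCTING", acd=acd))
```

The CLERK.PAYROLL case shows the point the page makes about search order: the @.PAYROLL entry matches first and grants only R, so the @.@ entry is never reached even though it would have granted A.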


NOTE      If an ACD exists and if you are not explicitly given permission
          to access a file or a device, you do not have access.

Managing ACDs with commands and intrinsics 

Use MPE/iX commands to manage ACDs interactively, through the command
interpreter.  Use MPE/iX intrinsics to manage ACDs in a program.

Commands.     

These MPE/iX commands accept ACD-related parameters or incorporate ACD
associations in their operation:

ALTSEC                Permits the addition, creation, deletion,
                      modification, copying, and listing of ACD
                      attributes.
COPY                  Always copies the ACD associated with the source
                      file to the target file, if an ACD is present.
FCOPY                 Permits copying ACD attributes.
FILE                  Permits the equation of one file/device-ACD
                      specification to another file/device-ACD
                      specification.
LISTFILE              Permits the listing of the ACD attributes
                      associated with a file or device.
RELEASE               Returns a warning when an ACD is associated with a
                      file.
RESTORE               Accommodates ACDs.
SECURE                Returns a warning when an ACD is associated with a
                      file.
SHOWDEV               Permits the listing of ACD attributes associated
                      with a device.
STORE                 Accommodates ACDs.

Detailed discussions of these commands are found in the MPE/iX Commands
Reference Manual (32650-90003).

Intrinsics.     

HPACDPUT              Permits the addition, creation, deletion,
                      modification, copying, and listing of ACD
                      attributes.
HPACDINFO             Returns security attributes.
HPFOPEN               Permits the creation of an ACD.

The intrinsic FOPEN cannot be modified to give it the option of creating
an ACD.  You must use HPFOPEN.

Detailed discussions of these intrinsics are found in the MPE/iX
Intrinsics Reference Manual (32650-90028).

Preserving ACDs 

Device ACDs are not permanent objects; you must redefine them every time
that the system is rebooted.  The easiest way to do this is to put ALTSEC
commands into the SYSSTART file, either directly or in a command file.

File ACDs are permanent objects; they do survive a reboot.

When you store files to tape, FCOPY and STORE save the files' ACDs,
too--unless you specify otherwise.
If you are not an owner of the file and you do not have RACD permission,
you get an error if you try to copy the ACD.  Instead, choose the NOACD
parameter.

Managing ACDs 

You may manage ACDs interactively through MPE/iX commands or
programmatically through MPE/iX intrinsics.

Creating ACDs.     

     Command     Intrinsic    Purpose
     ----------  -----------  ---------------------------------------------
     ALTSEC                   Create an ACD for an existing device or file
                 HPACDPUT     Create an ACD for an existing device or file

Examples.     

To assign Read access to user SAM.DOE, Write access to JOE.DOE, no access
(None) to all users in the DESIGN account, and Execute access to all users
in all accounts (except those users in the DESIGN account), enter this:

     ALTSEC FILEA.XX.DESIGN;NEWACD=(R:SAM.DOE;W:JOE.DOE;NONE:@.DESIGN;X:@.@)

To add an ACD that prevents any user except OPERATOR.SYS from accessing
LDEV 7 (a tape drive), enter this:

     ALTSEC 7,LDEV;NEWACD=(R,W:OPERATOR.SYS)

The user must have SM capability to do this.

This short program uses HPACDPUT to create an ACD for a file called
TARGET:

     program acdput(input, output);

     var
        status   : integer;
        filename : packed array [1..28] of char;
        ACD      : packed array [1..256] of char;

     procedure HPACDPUT; intrinsic;

     begin
        filename := 'TARGET';
        { The ACD text is 19 characters long; position 20 holds the
          carriage-return terminator that marks its end }
        ACD := '(x:@.@;r,w:mgr.sys)';
        ACD[20] := #m;
        { status returns the outcome; the remaining parameters select the
          file object named by filename and pass the ACD definition }
        HPACDPUT(status, 1, filename, 20, ACD);
        if status <> 0 then
           writeln('HPACDPUT failed. Status = ', status);
     end.

When you create a new file with the COPY, FCOPY, STORE, or RESTORE
commands, you can use the command parameters to create the ACDs for the
new file.

   *   COPY

       The COPY command automatically copies any ACD attributes from the
       source file to the target file, provided that the user is an owner
       of the source file or has RACD access to that file.

            COPY FILEA,FILEB

   *   FCOPY

       The ;COPYACD parameter of the FCOPY command permits the user to
       copy a file and its ACD, provided that the user is an owner or has
       RACD permission.

            FCOPY <fcopycommand>;COPYACD

   *   STORE

       To store all of the files on a system to tape, including their
       ACDs, enter this:

            FILE T;DEV=TAPE
            STORE @.@.@;*T;COPYACD

       COPYACD is the default.  You must have access to any ACD-protected
       files being stored.

          *   SM and OP can store any ACD-protected file on the system.

          *   AM can store any ACD-protected file in the manager's
              account.

          *   Users can store any ACD-protected files that they own,
              provided that they have Read access to the file and RACD
              access to the file if ;COPYACD is specified.

          *   Others can store ACD-protected files for which they have
              RACD permission, provided that they have Read access to the
              file and RACD access to the file if ;COPYACD is specified.

          *   You must have PM access to a PM file in order to store it.

   *   RESTORE

       To restore all of the files on tape and copy the ACD attributes of
       the files to disk, enter this:

            FILE T;DEV=TAPE
            RESTORE *T;@;KEEP;SHOW;COPYACD

       COPYACD is the default.  NOACD prevents the copying of the ACD
       attributes.

          *   SM and OP can restore any ACD-protected file on the system.

          *   AM can restore any ACD-protected file in the manager's
              account.

          *   Users can restore any ACD-protected files that they own,
              provided that they have Read access to the file and RACD
              access to the file if ;COPYACD is specified.

          *   Others can restore ACD-protected files for which they have
              RACD permission, provided that they have Read access to the
              file and RACD access to the file if ;COPYACD is specified.

          *   You must have PM access to a PM file in order to restore it.
Listing ACDs.     

     Command     Intrinsic    Purpose
     ----------  -----------  ----------------------------------
     LISTFILE                 Show ACDs for files
     SHOWDEV                  Show ACDs for devices
                 HPACDINFO    Show ACDs for files and devices
                 HPACDPUT     Show ACDs for files and devices

Examples.     

The LISTFILE command with option 4 shows the ACD status of a file in this
fashion:

     LISTFILE FILEA,4
     ****************************
     FILEA.XX.DESIGN

     SYSTEM       READ:    ANY
     SECURITY--   WRITE:   AC
     (ACCT)       APPEND:  AC
                  LOCK:    AC
                  EXECUTE: ANY

     SYSTEM       READ:    GU
     SECURITY--   WRITE:   GU
     (GROUP)      APPEND:  GU
                  LOCK:    GU
                  EXECUTE: GU

     SYSTEM       READ:    ANY      FCODE: 0
     SECURITY--   WRITE:   ANY      CREATOR: **
     (FILE)       APPEND:  ANY      LOCKWORD: **
                  LOCK:    ANY      **SECURITY IS ON
                  EXECUTE: ANY      **ACD EXISTS

     FOR XX.DESIGN: NONE

(Other ACD status reports are NO ACD and ACD CORRUPTED.)

The LISTFILE command with option -2 gives a detailed ACD report on a file
in this fashion:

     LISTFILE FILEA,-2
     FILE = FILEA
     ************** ACD ENTRIES **************
     SAM.DOE    : R
     JOE.DOE    : W
     @.DESIGN   : NONE
     @.@        : X

The SHOWDEV command displays the ACD attributes of a device in this
fashion:

     SHOWDEV 14;ACD
     LDEV   AVAIL     OWNERSHIP     VOLID   DEN   ASSOCIATION
     14     SPOOLED   SPOOLER OUT
     ACD ENTRIES:
     @.@ : R,W,X

This short program uses HPACDINFO to retrieve the number of entries and
the first user in the ACD of a file called TARGET:

     program acdinfo(input, output);

     type
        shortint = -32768..32767;

     var
        status    : integer;
        filename  : packed array [1..28] of char;
        numentry  : shortint;
        firstuser : packed array [1..18] of char;

     procedure HPACDINFO; intrinsic;

     begin
        filename := 'TARGET';
        { Item 21 returns the entry count and the first user specification
          of the ACD attached to the named file }
        HPACDINFO(status, 1, filename, 21, numentry, firstuser);
        if status = 0 then
           begin
              writeln('Number of Entries: ', numentry:1);
              writeln('First UserSpec   : ', firstuser);
           end
        else
           writeln('HPACDINFO failed. Status = ', status);
     end.
Copying ACDs.     

     Command                      Intrinsic    Purpose
     ---------------------------  -----------  -----------------------------------
     ;COPYACD parameter of the                 Copy an ACD from one file to another
     ALTSEC command

Examples.     

To copy the ACD associated with FILEB to FILEA, enter this:

     ALTSEC FILEA.XX.DESIGN;COPYACD=FILEB.XX.DESIGN

Only an owner, or a user granted RACD (read ACD) authorization, can copy
the ACD from FILEB.

To copy the ACD attributes of LDEV 7 to LDEV 23, enter this:

     ALTSEC 23,LDEV;COPYACD=7,LDEV

Only users with SM capability may do this.  By definition, users having
SM capability are owners of all the files and devices on a system.  Those
users may give themselves access to any file or device on the system.

Modifying ACDs.     

     Command     Intrinsic    Purpose
     ----------  -----------  -------------------
     ALTSEC                   To change an ACD
                 HPACDPUT     To change an ACD

Adding ACD pairs.     

To confer Read access on JOE.DESIGN for FILEA, enter this:

     ALTSEC FILEA.XX.DESIGN;ADDPAIR=(R:JOE.DESIGN)

Replacing ACDs.     

To change the (previous) Read access for SAM.DOE to Write access, enter
this:

     ALTSEC FILEA.XX.DESIGN;REPPAIR=(W:SAM.DOE)

To assign Read and Write access to SAM.DOE, do this:

     ALTSEC FILEA.XX.DESIGN;REPPAIR=(W,R:SAM.DOE)
Deleting ACDs.     

     Command     Intrinsic    Purpose
     ----------  -----------  -------------------
     ALTSEC                   To delete an ACD
                 HPACDPUT     To delete an ACD

To remove @.DESIGN from the ACD attributes of FILEA, enter this:

     ALTSEC FILEA.XX.DESIGN;DELPAIR=(NONE:@.DESIGN)

To deny OPERATOR.SYS any access to LDEV 7, enter this:

     ALTSEC 7,LDEV;DELPAIR=(R,W:OPERATOR.SYS)

Only an owner can delete an ACD associated with a file.  Only the system
manager can delete an ACD associated with a device.

Migrating ACDs.     

Device ACDs should not be migrated, because they are tied to their
system's configuration.

You can move file ACDs between MPE V/E and MPE/iX by using the STORE and
RESTORE commands, where COPYACD is the default.

These are the steps CM RESTORE takes during forward migration:

   1.  Reads the MPE V/E store format.

   2.  Calls a routine to convert it to MPE/iX internal format.

   3.  Calls the file label extension write routine, which puts the ACD
       into effect.

These are the steps CM STORE takes during backward migration:

   1.  Reads the ACD from the security file label extension.

   2.  Calls a routine to convert it into MPE V/E format.

   3.  Writes it out to the STORE tape.

Be aware that MPE/iX allows more user-mode pairs than MPE V/E does.

You must have authorization to use the ;COPYACD parameter of the STORE
and RESTORE commands.  If you are not an owner of the file or do not have
RACD permission, you get an error.  The STORE command checks the ACD on
disk for permission.  RESTORE checks the ACD from the tape.

For more details, refer to the MPE/iX Commands Reference Manual
(32650-90003) and the MPE/iX Intrinsics Reference Manual (32650-90028).

Logging system events 

The following list shows the types of logs that you can request.
     SYSGEN System Logging

     System Log Events                      Event Type
     ------------------------------------   ----------
     System logging enabled                 100
     System up record                       101
     Job initiation record                  102
     Job termination record                 103
     Process termination record             104
     File close record                      105
     System shutdown record                 106
     Power failure record                   107
     Spooling log record                    108
     I/O error record                       111
     Physical mount/dismount                112
     Logical mount/dismount                 113
     Tape labels record                     114
     Console log record                     115
     Program file event                     116
     New commercial spooling                120
     Architected interface                  130
     Password changes                       134
     System logging configuration           135
     Restore logging                        136
     Printer access failure                 137
     ACD changes                            138
     Stream initiation logging              139
     User logging                           140
     Process creation                       141
     Chgroup record                         143
     File open record                       144
     Maintenance request log                146
     Diagnostic information record          150
     High priority machine check            152
     Low priority machine check             152
     CM file close record                   160

All log information is kept in records.  Each record begins with a
standard header and ends with identification information.  The
information between is different for each log type.  The LOGTOOL utility
has a standard format to display information.

Log of system logging configuration.     

This log gives you an audit trail of changes to the logging
configuration.  This log is initially enabled (ON).
The following is the log record format:

     Type 135 Record Format

     Length, in     Record Content
     16-bit words
     ------------   -------------------------------
     1              Record type (135)
     1              Record length
     1              Process identification number
     3              Time stamp
     2              Job type/job number
     1              (Reserved)
     1              LDEV number
     4              System logging masking words
     8              User name
     8              Group name
     8              Account name
     8              Job or session name

Log of restore.     

This log traces file restorations.  Files can be restored from tape or
serial disk to the system.  This log type is initially disabled (OFF).
It can be enabled by SYSGEN followed by a START command.

The following is the log record format:

     Type 136 Record Format

     Length, in     Record Content
     16-bit words
     ------------   -------------------------------
     1              Record type (136)
     1              Record length
     1              Process identification number
     3              Time stamp
     2              Job type/job number
     8              File name
     8              File group
     8              File account
     8              Creator
     17             Volume identification
     1              Access type
     8              User name
     8              Group name
     8              Account name
     8              Job or session name

Log of printer access failure.     

This log keeps track of failed attempts at attaching spool files to
printers.  New spool files, which are logged by FOPEN as event #144, are
not logged here.  This log is initially disabled, but can be enabled by
SYSGEN followed by a START command.

     Type 137 Record

     Length, in     Record Content
     16-bit words
     ------------   -------------------------------
     1              record type (137)
     1              record length
     1              process identification number
     3              time stamp
     2              job type/job number
     2              creator job number
     8              creator job name
     8              creator user name
     8              creator account name
     25             spool file name
     8              target device name/class
     1              (reserved)
     2              file size
     1              status
     8              user name
     8              group name
     8              account name
     8              job or session name

Log of stream initiation.     

This log records the name of a streamed job, its number, the user that
initiates it (and the logon), and the scheduled date and time.  This log
is initially disabled, but can be enabled by SYSGEN followed by a START
command.
     Type 139 Record

     Length, in     Record Content
     16-bit words
     ------------   -------------------------------
     1              Record type (139)
     1              record length
     1              process identification number
     3              time stamp
     2              job type/job number
     1              input LDEV
     25             job file name
     2              job logon job or session number
     8              job logon user
     8              job logon group
     8              job logon account
     8              job name
     2              input spool file id
     1              scheduled date
     2              scheduled time
     8              user name
     8              group name
     8              account name
     8              job or session name

Log of user logging.     

This log keeps a record of all OPENLOG and CLOSELOG intrinsic calls.  The
system manager can use it to see who accesses, or tries to access, the
user logging facility.  This log is initially disabled, but can be
enabled by SYSGEN followed by a START command.

     Type 140 Record

     Length, in     Record Content
     16-bit words
     ------------   -------------------------------
     1              record type (140)
     1              record length
     1              process identification number
     3              time stamp
     2              job type/job number
     25             program file name
     4              intrinsic
     2              index
     4              log id
     1              mode
     1              status
     8              user name
     8              group name
     8              account name
     8              job or session name

The LOG ID field in the log record is "XXXXXX" for the CLOSELOG intrinsic
when the index is bad.

Log of process creation.     

You can use this log to record all process creations.  This log is
initially disabled, but can be enabled by SYSGEN followed by a START
command.
     Type 141 Record

     Length, in     Record Content
     16-bit words
     ------------   -------------------------------
     1              record type (141)
     1              record length
     1              process identification number
     3              time stamp
     2              job type/job number
     25             file name
     1              (reserved)
     2              priority
     2              process space id
     4              parent PID
     2              NM_Heap_Size
     2              capabilities mask*
     8              (reserved)
     8              user name
     8              group name
     8              account name
     8              job or session name

*The capabilities mask is read as follows:

     User capability      File access capability   Program/group capability
     bit                  bit                      bit
     ---  --              ---  --                  ---  --
     0    SM              6    CV                  23   BA
     1    AM              7    UV                  24   IA
     2    AL              8    LG                  25   PM
     3    GL              9    SP                  28   MR
     4    DI              10   PS                  30   DS
     5    OP              11   NA                  31   PH
                          12   NM
                          13   CS
                          14   ND
                          15   SF

Logging a specific user 

The LOGTOOL utility command LIST shows you the output of log records in a
standard format.  If you like, you can filter the output of the LOGTOOL
utility to show you information about only a specific user or users.  The
syntax for this is shown below.

     LIST {LOG=log_name}[;JSNAME=job or session_name]
                        [;USER=user_name           ][...]
                        [;ACCOUNT=account_name     ]

The input for these commands should be no longer than 80 characters.  The
default for all parameters is the wildcard @.

For example, to select log records from log files 1 through 5, with log
information about password changes (log type 134), and user
identification JTEST,MARIA.PAYROLL, you would enter the following.

     >LIST LOG=1/5;TYPE=134;JSNAME=JTEST;USER=MARIA;ACCOUNT=PAYROLL

This selection option is valid for the log types listed below:

     102, job initiation
     103, job termination
     104, process termination
     105, file close (also 160)
     108, spooling log
     112, physical mount/dismount
     113, logical mount/dismount
     114, tape labels
     115, console log
     116, program file event
     120, new commercial spooling
     130, architecture interface
     134, password change
     135, system logging configuration
     136, restore
     137, printer access failure
     138, ACD changes
     139, stream initiation
     140, user logging access
     141, process initiation
     143, change group
     144, file open

Logging file security related events 

MPE/iX permits logging of system and user events.
The events that relate directly to file security are:

   *   password changes (event type 134)

   *   printer access failure (event type 137)

   *   ACD changes (event type 138)

Logging begins whenever the system is rebooted; however, not all events
are automatically enabled.  Some, including those listed above, are
initially disabled.  You can, however, request that a new file be started.
To keep a certain type of log, the system operator or system manager must
change its status to ON (configure it) in SYSDIAG.  To see log records
displayed, call the LOGTOOL utility from SYSGEN.  For a discussion of
these and other logging facilities, consult these topics in Performing
System Operator Tasks (32650-90137): SYSDIAG, the LOGTOOL utility, and
SYSGEN System Logging.

Log of password changes.     

System logging records when a user, group, or account password is changed
by an MPE/iX command or a utility program.  This log is initially disabled
(OFF).  The information recorded in this logging includes:

   *   header

       *   record type
       *   record length
       *   time stamp
       *   job or session number
       *   PIN

   *   log information

       *   the identification of the user who changed a password: job or
           session name, user name, group name, and account name
       *   the identification of the user whose password was changed:
           user name, group name, and account name, whenever the affected
           password changes
       *   input logical device number from which the password was
           changed
       *   program file name from which the password change was executed
       *   type changed: 1 = user, 2 = group, 4 = account

In this example, JOHN.PAYROLL,DOE, job or session name JREPORT,
successfully changed the account password for PAYROLL through the command
executor.  The change was made from LDEV 21.  The LOGTOOL utility formats
the following layout after the standard header:

   TARGET USER:              TARGET GROUP:          TARGET ACCOUNT: PAYROLL
   TYPE CHANGED: ACCOUNT     LDEV: 21               EXECUTED FROM: CI.PUB.SYS
   USER: JOHN                GROUP: DOE             ACCOUNT: PAYROLL
   JSNAME: JREPORT

The following is the log record format:

Table 13-1.  Type 134 Record Format

   ---------------------------------------------------------------
   |  Length,      |  Record Content                             |
   |  in 16-bit    |                                             |
   |  words        |                                             |
   ---------------------------------------------------------------
   |       1       |  record type (134)                          |
   |       1       |  record length                              |
   |       1       |  process identification number              |
   |       3       |  time stamp                                 |
   |       2       |  job type/job number                        |
   |       8       |  target user name                           |
   |       8       |  target group name                          |
   |       8       |  target account name                        |
   |       1       |  type changed                               |
   |       1       |  input LDEV number                          |
   |      25       |  executed from                              |
   |       3       |  (reserved)                                 |
   |       8       |  user name                                  |
   |       8       |  group name                                 |
   |       8       |  account name                               |
   |       8       |  job or session name                        |
   ---------------------------------------------------------------
   NOTE   The PASSWORD command allows all users to change their own
          passwords.  In the past, only system managers and account
          managers could change any passwords.
Log of ACD changes.     

This log type is activated when ACDs are changed (created, deleted,
copied, or modified) with MPE/iX commands or intrinsics.  The log is
initially disabled (OFF).  The information recorded in this logging
includes:

   *   header

       *   record type
       *   record length
       *   time stamp
       *   job or session number
       *   PIN

   *   log information

       *   the identification of the user who changed the ACD: job or
           session name, user name, group name, and account name
       *   the object type and object name whose ACD was changed
       *   the object type and object name from which the ACD was copied
       *   the type of change to the ACD: create, add pair, replace pair,
           copy, delete pair, delete
       *   the program file name from which the ACD change was executed
       *   status returned (HPE status)

In this example, user JOHN.PAYROLL,DOE, with job or session name JREPORT,
successfully created an ACD for a file called FTEST.TESTGP.PAYROLL, using
the command executor.  The LOGTOOL utility formats the following layout
after the standard header:

   TARGET OBJECT: FTEST.TESTGP.PAYROLL    SOURCE OBJECT:
   FUNCTION: CREATE                        EXECUTED FROM: CI.PUB.SYS
   STATUS: SUCCESSFUL
   USER: JOHN          GROUP: DOE          ACCOUNT: PAYROLL
   JSNAME: JREPORT

The following is the log record format:

Table 13-2.  Type 138 Record Format

   ---------------------------------------------------------------
   |  Length,      |  Record Content                             |
   |  in 16-bit    |                                             |
   |  words        |                                             |
   ---------------------------------------------------------------
   |       1       |  Record type (138)                          |
   |       1       |  Record length                              |
   |       1       |  Process identification number              |
   |       3       |  Time stamp                                 |
   |       2       |  Job type/job number                        |
   |      25       |  Target object name                         |
   |      25       |  Source object name                         |
   |       4       |  Function                                   |
   |      25       |  Executed from                              |
   |       2       |  Status                                     |
   |       8       |  User name                                  |
   |       8       |  Group name                                 |
   |       8       |  Account name                               |
   |       8       |  Job or session name                        |
   ---------------------------------------------------------------
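As an added example (not code from this manual or from HP), the following Python decodes the Type 141 process-initiation record and its capabilities mask, described earlier, and the Type 138 ACD-change record from Table 13-2, so that a log review tool can flag processes started with sensitive capabilities and reconstruct the LOGTOOL fields for an ACD change. It assumes big-endian 16-bit words, blank-padded ASCII text fields, mask bit 0 as the most significant bit, a Function field stored as text, and a record length word that counts every word of the record; none of these details is stated on this page, and the PRIVILEGED set is this example's own choice.

```python
import struct
# Capability bit numbers, transcribed from the Type 141 mask table above.
CAP_BITS = {0: "SM", 1: "AM", 2: "AL", 3: "GL", 4: "DI", 5: "OP", 6: "CV", 7: "UV",
            8: "LG", 9: "SP", 10: "PS", 11: "NA", 12: "NM", 13: "CS", 14: "ND", 15: "SF",
            23: "BA", 24: "IA", 25: "PM", 28: "MR", 30: "DS", 31: "PH"}
PRIVILEGED = {"SM", "AM", "PM", "OP"}  # which capabilities to alert on is this example's choice

# Layouts after the type/length words: (field, 16-bit words, kind); u = int (raw), t = text, c = cap mask.
LAYOUTS = {
    141: [("pin", 1, "u"), ("time", 3, "u"), ("job", 2, "u"), ("file", 25, "t"),
          ("rsv1", 1, "u"), ("priority", 2, "u"), ("space_id", 2, "u"),
          ("parent_pid", 4, "u"), ("nm_heap", 2, "u"), ("caps", 2, "c"), ("rsv2", 8, "u"),
          ("user", 8, "t"), ("group", 8, "t"), ("account", 8, "t"), ("jsname", 8, "t")],
    138: [("pin", 1, "u"), ("time", 3, "u"), ("job", 2, "u"), ("target", 25, "t"),
          ("source", 25, "t"), ("function", 4, "t"), ("executed_from", 25, "t"),
          ("status", 2, "u"), ("user", 8, "t"), ("group", 8, "t"), ("account", 8, "t"),
          ("jsname", 8, "t")],  # function assumed to be text, as LOGTOOL displays it
}

def decode_caps(mask):
    """Names of the capabilities set in a 32-bit mask; bit 0 is taken as the MSB (assumption)."""
    return {name for bit, name in CAP_BITS.items() if mask >> (31 - bit) & 1}

def parse_record(buf):
    """Parse one big-endian record; the length word is assumed to count every word."""
    rtype, rlen = struct.unpack(">HH", buf[:4])
    if rtype not in LAYOUTS:
        raise ValueError("unsupported record type %d" % rtype)
    rec, pos = {"type": rtype}, 4
    for name, words, kind in LAYOUTS[rtype]:
        chunk, pos = buf[pos:pos + 2 * words], pos + 2 * words
        if kind == "t":
            rec[name] = chunk.decode("ascii").rstrip()
        else:
            val = int.from_bytes(chunk, "big")
            rec[name] = decode_caps(val) if kind == "c" else val
    if pos != 2 * rlen:
        raise ValueError("record length %d words does not match layout" % rlen)
    return rec

def privileged_start(rec):  # detection hook: process started holding a sensitive capability
    return rec["type"] == 141 and bool(rec["caps"] & PRIVILEGED)

def build_record(rtype, values):
    """Encode a record from a dict; used only to construct sample input for parse_record."""
    body = b""
    for name, words, kind in LAYOUTS[rtype]:
        v = values.get(name, "" if kind == "t" else 0)
        body += v.encode("ascii").ljust(2 * words) if kind == "t" else v.to_bytes(2 * words, "big")
    return struct.pack(">HH", rtype, 2 + len(body) // 2) + body
```

The Type 134 password-change layout from Table 13-1 can be added to LAYOUTS in the same way; the length check rejects a record whose length word disagrees with the transcribed layout, which is the first sign of a wrong assumption about the format.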