Accessing Files Programmer's Guide: HP 3000 MPE/iX Computer Systems > Chapter 13 Maintaining File Security

Access Control Definition Security (ACD)


MPE/iX implements a discretionary access control (DAC) mechanism that is consistent with the guidelines laid down by the National Computer Security Center.

The MPE/iX implementation, access control definitions (ACD), is a subset of the DAC mechanism. ACDs maintain a list of users and the access modes that each user has to files and devices.

ACD scope

An ACD that is associated with a file overrides the classic MPE file access matrix and lockwords, which are described later in this chapter in “Traditional Mechanism for File Security”.

By associating an ACD with a file or a device, the owner of the file or device may define which users have access to that file or device and which modes of access are available to other users. When a file is associated with an ACD, the ACD is put into its file label extension. The ACD contains a list of access modes paired with users.

Owners

Only those who own a file or a device may associate it with an ACD.

Files

The owner of a file is any one of these three users:

  • The creator of the file with which an ACD is associated

  • A user who has AM capability in the account in which the file resides

  • A user who has SM capability on the system in which the file resides

Devices

The System Manager (SM) is the owner of all of the devices on a system.

How ACDs work

When a user attempts to access a file or to acquire a device, HPFOPEN or FOPEN is called, and the system makes the following checks:

  • Is the user an owner of the file or device; that is, is the user the creator of the file, an account manager (AM capability) of the account where the file resides, or a system manager (SM capability)? If so, permission is granted, and the checking ends.

  • If not, is there an ACD associated with the file or device?

    • If there is no ACD, the system looks for authorization in the traditional MPE/iX file access matrix and lockwords.

    • If there is an ACD, the system searches, in this order, for the user:

      1. specific names (username.accountname)

      2. account groupings (@.accountname)

      3. system groupings (@.@)

        If a match is found, the user can access the device or file--as authorized (read, write, execute, and so on)--and no further checking is done.

        If there is no match, the user is denied entry, and no further checking is done.

It is important to note that if an ACD exists, the MPE/iX file access matrix and lockwords are never consulted.

ACD modes

Any device or file can be paired with an ACD.

An ACD is associated with a file or a device by pairing access modes with users. A user is any username.accountname specification.

The modes of access are:

R

Read

W

Write

A

Append

L

Lock

X

Execute

NONE

None

RACD

Read and copy the ACD itself (required to copy a file's ACD when you are not an owner)

You could define an ACD as follows:

   ACD = (R,W:MGR.ACCTING, DENNIS.LEE; R:@.PAYROLL; A:@.@) 

The users MGR.ACCTING and DENNIS.LEE can read and write to the file associated with this example ACD. Anyone in the PAYROLL account can read it, and any other user on the system can append to it. So no one but MGR.ACCTING, DENNIS.LEE, and the owners can overwrite the file, and only the owners can lock it.

NOTE: If an ACD exists and if you are not explicitly given permission to access a file or a device, you do not have access.
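
The check described above, as an added example that is not part of the HP manual: a small Python model of the search order (user.account, then @.account, then @.@; the first match decides and no match means denied), applied to the two ACD strings used on this page. The ACD-string parser, the assumed name syntax (1 to 8 alphanumerics) and the simplified matrix fallback are this example's own; none of it is MPE/iX code.

```python
"""Model of the MPE/iX access check for an ACD-protected file.

Added example (not code from the HP manual).  It implements the rules the
text states: an owner (the creator, an AM of the file's account, or an SM)
always gets in; otherwise, if an ACD exists, it is searched for
user.account, then @.account, then @.@, the first match decides, and no
match means denied; the classic access matrix is consulted only when the
file has no ACD.  The parser, the name rule and the simplified
matrix_modes fallback are this example's assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

ACD_MODES = {"R", "W", "A", "L", "X", "NONE", "RACD"}
NAME = r"[A-Z][A-Z0-9]{0,7}"          # assumed MPE user/account name syntax
USERSPEC = re.compile(rf"({NAME}\.{NAME}|@\.{NAME}|@\.@)")  # the three documented forms


def parse_acd(spec: str) -> list[tuple[str, frozenset[str]]]:
    """Parse '(R,W:MGR.ACCTING, DENNIS.LEE; R:@.PAYROLL; A:@.@)' into an
    ordered list of (userspec, modes) entries, one entry per user."""
    body = spec.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    entries = []
    for clause in body.split(";"):
        if not clause.strip():
            continue
        modes_part, sep, users_part = clause.partition(":")
        modes = frozenset(m.strip().upper() for m in modes_part.split(","))
        if not sep or not modes <= ACD_MODES:
            raise ValueError(f"bad ACD clause {clause.strip()!r}")
        if "NONE" in modes and len(modes) > 1:
            raise ValueError("NONE cannot be combined with other modes")
        for user in users_part.split(","):
            user = user.strip().upper()
            if not USERSPEC.fullmatch(user):
                raise ValueError(f"bad userspec {user!r}")
            entries.append((user, modes))
    return entries


@dataclass
class FileSecurity:
    account: str                            # account the file resides in
    creator: str                            # creator, as USER.ACCOUNT
    acd: list | None = None                 # parsed ACD, or None when no ACD exists
    matrix_modes: frozenset = frozenset()   # what the classic matrix/lockword would grant


def acd_lookup(entries: list, user: str) -> frozenset[str] | None:
    """Return the modes of the first entry matching user.account, then
    @.account, then @.@; None when nothing matches."""
    account = user.split(".")[1]
    for candidate in (user, f"@.{account}", "@.@"):
        for spec, modes in entries:
            if spec == candidate:
                return modes
    return None


def check_access(sec: FileSecurity, user: str, caps: set[str], mode: str) -> tuple[bool, str]:
    """Decide whether `user`, holding capabilities `caps`, gets `mode`."""
    user, mode = user.upper(), mode.upper()
    account = user.split(".")[1]
    is_owner = (user == sec.creator.upper() or "SM" in caps
                or ("AM" in caps and account == sec.account.upper()))
    if is_owner:
        return True, "owner: ACD and matrix bypassed"
    if sec.acd is None:
        return mode in sec.matrix_modes, "no ACD: classic access matrix consulted"
    modes = acd_lookup(sec.acd, user)
    if modes is None:
        return False, "ACD present but no matching entry: denied"
    if "NONE" in modes:
        return False, "ACD entry NONE: denied"
    return mode in modes, "ACD entry decides; no further checking"


if __name__ == "__main__":
    acd = parse_acd("(R,W:MGR.ACCTING, DENNIS.LEE; R:@.PAYROLL; A:@.@)")
    sec = FileSecurity(account="ACCTING", creator="MGR.ACCTING", acd=acd)
    for who, mode in [("DENNIS.LEE", "W"), ("DENNIS.LEE", "A"),
                      ("CLERK.PAYROLL", "A"), ("GUEST.OTHER", "A")]:
        print(who, mode, check_access(sec, who, set(), mode))
```

Running it makes the point the prose glosses over: with (R,W:MGR.ACCTING, DENNIS.LEE; R:@.PAYROLL; A:@.@), DENNIS.LEE cannot append, because the search stops at his specific entry and never reaches A:@.@; only users matched by no earlier entry receive the @.@ rights. A NONE entry for @.DESIGN likewise overrides X:@.@ for everyone in DESIGN, and a user matched by no entry at all is denied even when the classic matrix would have let them in.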

Managing ACDs with commands and intrinsics

Use MPE/iX commands to manage ACDs interactively, through the command interpreter. Use MPE/iX intrinsics to manage ACDs in a program.

Commands

These MPE/iX commands accept ACD-related parameters or incorporate ACD associations in their operation:

ALTSEC

Permits the addition, creation, deletion, modification, copying, and listing of ACD attributes.

COPY

Always copies the ACD associated with the source file to the target file, if an ACD is present.

FCOPY

Permits copying ACD attributes.

FILE

Permits the equation of one file/device-ACD specification to another file/device-ACD specification.

LISTFILE

Permits the listing of the ACD attributes associated with a file or device.

RELEASE

Returns a warning when an ACD is associated with a file.

RESTORE

Accommodates ACDs.

SECURE

Returns a warning when an ACD is associated with a file.

SHOWDEV

Permits the listing of ACD attributes associated with a device.

STORE

Accommodates ACDs.

Detailed discussions of these commands are found in the MPE/iX Commands Reference Manual (32650-90003).

Intrinsics

HPACDPUT

Permits the addition, creation, deletion, modification, copying, and listing of ACD attributes.

HPACDINFO

Returns security attributes.

HPFOPEN

Permits the creation of an ACD when a file is opened.

FOPEN has no option for creating an ACD; you must use HPFOPEN.

Detailed discussions of these intrinsics are found in the MPE/iX Intrinsics Reference Manual (32650-90028).

Preserving ACDs

Device ACDs are not permanent objects; you must redefine them every time that the system is rebooted. The easiest way to do this is to put ALTSEC commands into the SYSSTART file, either directly or in a command file.

File ACDs are permanent objects; they do survive a reboot. When you copy or store files, FCOPY and STORE save the files' ACDs too, unless you specify otherwise. If you are not an owner of the file and you do not have RACD permission, you get an error if you try to copy the ACD. In that case, choose the NOACD parameter.

Managing ACDs

You may manage ACDs interactively through MPE/iX commands or programmatically through MPE/iX intrinsics.

Creating ACDs

   Command   Intrinsic   Purpose
   ALTSEC                Create an ACD for an existing device or file
             HPACDPUT    Create an ACD for an existing device or file

Examples

To assign Read access to user SAM.DOE, Write access to JOE.DOE, no access (None) to all users in the DESIGN account, and Execute access to all users in all accounts (except those users in the DESIGN account), enter this:

   ALTSEC FILEA.XX.DESIGN;NEWACD=(R:SAM.DOE;W:JOE.DOE;NONE:@.DESIGN;X:@.@)

To add an ACD that prevents any user except OPERATOR.SYS from accessing LDEV 7 (a tape drive), enter this:

   ALTSEC 7,LDEV;NEWACD=(R,W:OPERATOR.SYS)

The user must have SM capability to do this.

This short program uses HPACDPUT in creating an ACD for a file called TARGET:

   program acdput(input, output);

   var
     status    : integer;                        { HPE status; 0 means success }
     filename  : packed array [1..28] of char;   { file name, blank-padded }
     ACD       : packed array [1..256] of char;  { ACD specification string }

   procedure HPACDPUT; intrinsic;

   begin
     filename := 'TARGET';
     ACD      := '(x:@.@;r,w:mgr.sys)';
     ACD[20]  := chr(13);   { terminate the 19-character ACD with a carriage return }
     HPACDPUT(status, 1, filename, 20, ACD);   { item 1 = file name; 20 = create ACD }
     if status <> 0 then
       writeln('HPACDPUT failed.  Status = ', status);
   end.

When you create a new file with the COPY, FCOPY, STORE, or RESTORE commands, you can use the command parameters to create the ACDs for the new file.

  • COPY

    The COPY command automatically copies any ACD attributes from the source file to the target file, provided that the user is an owner of the source file or has RACD access to that file.

       COPY FILEA,FILEB
    

  • FCOPY

    The ;COPYACD parameter of the FCOPY command permits the user to copy a file and its ACD, provided that the user is an owner or has RACD permission.

       FCOPY <;fcopycommand>;COPYACD
    

  • STORE

    To store all of the files on a system to tape, including their ACDs, enter this:

       FILE T;DEV=TAPE
    
       STORE @.@.@;*T;COPYACD
    

    COPYACD is the default. You must have access to any ACD-protected files being stored.

    • SM and OP can store any ACD-protected file on the system.

    • AM can store any ACD-protected file in the manager's account.

    • Users can store any ACD-protected files that they own, provided that they have Read access to the file and RACD access to the file if ;COPYACD is specified.

    • Others can store ACD-protected files for which they have RACD permission, provided that they have Read access to the file and RACD access to the file if ;COPYACD is specified.

    • You must have PM access to a PM file in order to store it.

  • RESTORE

    To restore all of the files on tape and copy the ACD attributes of the files to disk, enter this:

    FILE T;DEV=TAPE
    
    RESTORE *T;@;KEEP;SHOW;COPYACD
    

    COPYACD is the default. NOACD prevents the copying of the ACD attributes.

    • SM and OP can restore any ACD-protected file on the system.

    • AM can restore any ACD-protected file in the manager's account.

    • Users can restore any ACD-protected files that they own, provided that they have Read access to the file and RACD access to the file if ;COPYACD is specified.

    • Others can restore ACD-protected files for which they have RACD permission, provided that they have Read access to the file and RACD access to the file if ;COPYACD is specified.

    • You must have PM access to a PM file in order to restore it.

Listing ACDs

   Command    Intrinsic   Purpose
   LISTFILE               Show ACDs for files
   SHOWDEV                Show ACDs for devices
              HPACDINFO   Show ACDs for files and devices
              HPACDPUT    Show ACDs for files and devices

Examples

The LISTFILE command with option 4 shows the ACD status of a file in this fashion:

   LISTFILE FILEA,4

   ****************************

   FILEA.XX.DESIGN



   SYSTEM    READ:     ANY

   SECURITY--WRITE:    AC

    (ACCT)   APPEND:   AC

             LOCK:     AC

             EXECUTE:  ANY



   SYSTEM    READ:     GU 

   SECURITY--WRITE:    GU

    (GROUP)  APPEND:   GU

             LOCK:     GU

             EXECUTE:  GU 



   SYSTEM    READ:     ANY          FCODE: 0

   SECURITY--WRITE:    ANY          CREATOR: **

    (FILE)   APPEND:   ANY          LOCKWORD: **

             LOCK:     ANY        **SECURITY IS ON

             EXECUTE:  ANY        **ACD EXISTS



   FOR XX.DESIGN: NONE

(Other ACD status reports are NO ACD and ACD CORRUPTED.)

The LISTFILE command with option -2 gives a detailed ACD report on a file in this fashion:

   LISTFILE FILEA,-2



   FILE = FILEA      ************** ACD ENTRIES **************



                     SAM.DOE            : R

                     JOE.DOE            : W

                     @.DESIGN           : NONE

                     @.@                : X


The SHOWDEV command displays the ACD attributes of a device in this fashion:

   SHOWDEV 14;ACD

   LDEV  AVAIL      OWNERSHIP      VOLID       DEN   ASSOCIATION



    14   SPOOLED      SPOOLER OUT

         ACD ENTRIES: @.@ : R,W,X

This short program uses HPACDINFO to retrieve the number of entries and the first user in the ACD of a file called TARGET:

   program acdinfo(input, output);

   type
     shortint = -32768..32767;

   var
     status      : integer;                        { HPE status; 0 means success }
     filename    : packed array [1..28] of char;   { file name, blank-padded }
     numentry    : shortint;                       { number of ACD entries }
     firstuser   : packed array [1..18] of char;   { first userspec in the ACD }

   procedure HPACDINFO; intrinsic;

   begin
     filename := 'TARGET';
     HPACDINFO(status, 1, filename, 21, numentry, firstuser);
     if status = 0 then
       begin
       writeln('Number of Entries:  ', numentry:1);
       writeln('First UserSpec   :  ', firstuser);
       end;
   end.

Copying ACDs

   Command                                    Intrinsic   Purpose
   ;COPYACD parameter of the ALTSEC command               Copy an ACD from one file to another

Examples

To copy the ACD associated with FILEB to FILEA, enter this:

   ALTSEC FILEA.XX.DESIGN;COPYACD=FILEB.XX.DESIGN

Only an owner, or a user granted RACD (read ACD) authorization, can copy the ACD from FILEB.

To copy the ACD attributes of LDEV 7 to LDEV 23, enter this:

   ALTSEC 23,LDEV;COPYACD=7,LDEV

Only users with SM capability may do this. By definition, users having SM capability are owners of all the files and devices on a system. Those users may give themselves access to any file or device on the system.

Modifying ACDs

   Command   Intrinsic   Purpose
   ALTSEC                To change an ACD
             HPACDPUT    To change an ACD

Adding ACD pairs

To confer Read access on JOE.DESIGN for FILEA, enter this:

   ALTSEC FILEA.XX.DESIGN;ADDPAIR=(R:JOE.DESIGN)

Replacing ACDs

To change the (previous) Read access for SAM.DOE to Write access, enter this:

   ALTSEC FILEA.XX.DESIGN;REPPAIR=(W:SAM.DOE)

To assign Read and Write access to SAM.DOE, enter this:

   ALTSEC FILEA.XX.DESIGN;REPPAIR=(W,R:SAM.DOE)

Deleting ACDs

   Command   Intrinsic   Purpose
   ALTSEC                To delete an ACD
             HPACDPUT    To delete an ACD

To remove @.DESIGN from the ACD attributes of FILEA, enter this:

   ALTSEC FILEA.XX.DESIGN;DELPAIR=(NONE:@.DESIGN)

To deny OPERATOR.SYS any access to LDEV 7, enter this:

   ALTSEC 7,LDEV;DELPAIR=(R,W:OPERATOR.SYS)

Only an owner can delete an ACD associated with a file. Only the system manager can delete an ACD associated with a device.

Migrating ACDs

Device ACDs should not be migrated, because they are tied to their system's configuration.

You can move file ACDs between MPE V/E and MPE/iX by using the STORE and RESTORE commands, where COPYACD is the default.

These are the steps CM RESTORE takes during forward migration:

  1. reads the MPE V/E store format.

  2. calls a routine to convert it to MPE/iX internal format.

  3. calls the file label extension write routine, which puts the ACD into effect.

These are the steps CM STORE takes during backward migration:

  1. reads the ACD from the security file label extension.

  2. calls a routine to convert it into MPE V/E format.

  3. writes it out to the STORE tape.

Be aware that MPE/iX allows more user-mode pairs than MPE V/E does.

You must have authorization to use the ;COPYACD parameter of the STORE and RESTORE commands. If you are not an owner of the file or do not have RACD permission, you get an error. The STORE command checks the ACD on disk for permission. RESTORE checks the ACD from the tape.

For more details, refer to the MPE/iX Commands Reference Manual (32650-90003) and the MPE/iX Intrinsics Reference Manual (32650-90028).

Logging system events

The following list shows the types of logs that you can request.

Table 13-1 SYSGEN System Logging

   System Log Events                  Event Type
   System logging enabled             100
   System up record                   101
   Job initiation record              102
   Job termination record             103
   Process termination record         104
   File close record                  105
   System shutdown record             106
   Power failure record               107
   Spooling log record                108
   I/O error record                   111
   Physical mount/dismount            112
   Logical mount/dismount             113
   Tape labels record                 114
   Console log record                 115
   Program file event                 116
   New commercial spooling            120
   Architected interface              130
   Password changes                   134
   System logging configuration       135
   Restore logging                    136
   Printer access failure             137
   ACD changes                        138
   Stream initiation logging          139
   User logging                       140
   Process creation                   141
   Chgroup record                     143
   File open record                   144
   Maintenance request log            146
   Diagnostic information record      150
   High priority machine check        152
   Low priority machine check         152
   CM file close record               160

 

All log information is kept in records. Each record begins with a standard header and ends with identification information. The information between is different for each log type. The LOGTOOL utility has a standard format to display information.

Log of system logging configuration

This log gives you an audit trail of changes to the logging configuration. This log is initially enabled (ON). The following is the log record format:

Table 13-2 Type 135 Record Format

   Length (16-bit words)   Record Content
   1                       Record type (135)
   1                       Record length
   1                       Process identification number
   3                       Time stamp
   2                       Job type/job number
   1                       (Reserved)
   1                       LDEV number
   4                       System logging masking words
   8                       User name
   8                       Group name
   8                       Account name
   8                       Job or session name

 

Log of restore

This log traces file restorations. Files can be restored from tape or serial disk to the system. This log type is initially disabled (OFF). It can be enabled by SYSGEN followed by a START command. The following is the log record format:

Table 13-3 Type 136 Record Format

   Length (16-bit words)   Record Content
   1                       Record type (136)
   1                       Record length
   1                       Process identification number
   3                       Time stamp
   2                       Job type/job number
   8                       File name
   8                       File group
   8                       File account
   8                       Creator
   17                      Volume identification
   1                       Access type
   8                       User name
   8                       Group name
   8                       Account name
   8                       Job or session name

 

Log of printer access failure

This log keeps track of failed attempts attaching spool files to printers. New spool files, which are logged by FOPEN as event #144, are not logged here.

This log is initially disabled, but can be enabled by SYSGEN followed by a START command.

Table 13-4 Type 137 Record

   Length (16-bit words)   Record Content
   1                       Record type (137)
   1                       Record length
   1                       Process identification number
   3                       Time stamp
   2                       Job type/job number
   2                       Creator job number
   8                       Creator job name
   8                       Creator user name
   8                       Creator account name
   25                      Spool file name
   8                       Target device name/class
   1                       (Reserved)
   2                       File size
   1                       Status
   8                       User name
   8                       Group name
   8                       Account name
   8                       Job or session name

 

Log of stream initiation

This log records the name of a streamed job, its number, the user that initiates it (and the logon), and the scheduled date and time.

This log is initially disabled, but can be enabled by SYSGEN followed by a START command.

Table 13-5 Type 139 Record

   Length (16-bit words)   Record Content
   1                       Record type (139)
   1                       Record length
   1                       Process identification number
   3                       Time stamp
   2                       Job type/job number
   1                       Input LDEV
   25                      Job file name
   2                       Job logon job or session number
   8                       Job logon user
   8                       Job logon group
   8                       Job logon account
   8                       Job name
   2                       Input spool file id
   1                       Scheduled date
   2                       Scheduled time
   8                       User name
   8                       Group name
   8                       Account name
   8                       Job or session name

 

Log of user logging

This log keeps a record of all OPENLOG and CLOSELOG intrinsic calls. The system manager can use it to see who accesses, or tries to access, the user logging facility.

This log is initially disabled, but can be enabled by SYSGEN followed by a START command.

Table 13-6 Type 140 Record Format

   Length (16-bit words)   Record Content
   1                       Record type (140)
   1                       Record length
   1                       Process identification number
   3                       Time stamp
   2                       Job type/job number
   25                      Program file name
   4                       Intrinsic
   2                       Index
   4                       Log id
   1                       Mode
   1                       Status
   8                       User name
   8                       Group name
   8                       Account name
   8                       Job or session name

 

The LOG ID field in the log record is "XXXXXX" for CLOSELOG intrinsic when the index is bad.

Log of process creation

You can use this log to record all process creations. This log is initially disabled, but can be enabled by SYSGEN followed by a START command.

Table 13-7 Type 141 Record

   Length (16-bit words)   Record Content
   1                       Record type (141)
   1                       Record length
   1                       Process identification number
   3                       Time stamp
   2                       Job type/job number
   25                      File name
   1                       (Reserved)
   2                       Priority
   2                       Process space id
   4                       Parent PID
   2                       NM_Heap_Size
   2                       Capabilities mask*
   8                       (Reserved)
   8                       User name
   8                       Group name
   8                       Account name
   8                       Job or session name

 

*The capabilities mask is read as follows:

        User              File access          Program/group

   bit    capability    bit   capability      bit   capability

    0        SM          6       CV            23      BA

    1        AM          7       UV            24      IA

    2        AL          8       LG            25      PM

    3        GL          9       SP            28      MR

    4        DI         10       PS            30      DS

    5        OP         11       NA            31      PH

                        12       NM

                        13       CS

                        14       ND

                        15       SF

Logging a specific user

The LOGTOOL utility command LIST shows you the output of log records in a standard format. If you like, you can filter the output of LOGTOOL utility to show you information about only a specific user or users. The syntax for this is shown below.

   LIST {LOG=log_name}[;JSNAME=job or session_name

                       ;USER=user_name

                       ;ACCOUNT=account_name  ][...]

The input for these commands should be no longer than 80 characters. Default for all parameters is the wildcard @.

For example, to select log records from log files 1 through 5, with log information about password changes (log type 134), and user identification JTEST,MARIA.PAYROLL, you would enter the following.

   >LIST LOG=1/5;TYPE=134;JSNAME=JTEST;USER=MARIA;ACCOUNT=PAYROLL

This selection option is valid for the log types listed below:

  • 102, job initiation

  • 103, job termination

  • 104, process termination

  • 105, file close (also 160)

  • 108, spooling log

  • 112, physical mount/dismount

  • 113, logical mount/dismount

  • 114, tape labels

  • 115, console log

  • 116, program file event

  • 120, new commercial spooling

  • 130, architected interface

  • 134, password change

  • 135, system logging configuration

  • 136, restore

  • 137, printer access failure

  • 138, ACD changes

  • 139, stream initiation

  • 140, user logging access

  • 141, process initiation

  • 143, change group

  • 144, file open

Logging file security related events

MPE/iX permits logging of system and user events. The events that relate directly to file security are:

  • password changes (event type 134)

  • printer access failure (event type 137)

  • ACD changes (event type 138)

Logging begins whenever the system is rebooted; however, not all events are automatically enabled. Some, including those listed above, are initially disabled. You can also request that a new log file be started.

To keep a certain type of log, the system operator or system manager must set its status to ON in the SYSGEN logging configuration and then issue a START command. To see log records displayed, run the LOGTOOL utility from SYSDIAG.

For a discussion of these and other logging facilities, consult these topics in Performing System Operator Tasks (32650-90137): SYSDIAG, the LOGTOOL utility, and SYSGEN System Logging.

Log of password changes

System logging records when a user, group, or account password is changed by an MPE/iX command or a utility program. This log is initially disabled (OFF).

The information recorded in this logging includes

  • header

    • record type

    • record length

    • time stamp

    • job or session number

    • PIN

  • Log information

    • the identification of the user who changed a password: job or session name, user name, group name, and account name

    • the identification of a user whose password was changed: user name, group name, and account name whenever the affected password changes

    • input logical device number from which the password was changed

    • program file name from which password change was executed

    • type changed: 1 = user, 2 = group, 4 = account

In this example, JOHN.PAYROLL,DOE, with job or session name JREPORT, successfully changed the account password for PAYROLL through the command executor. The change was made from LDEV 21.

The LOGTOOL utility formats the following layout after the standard header:

   TARGET USER:                         TARGET GROUP:

   TARGET ACCOUNT:     PAYROLL          TYPE CHANGED:     ACCOUNT

   LDEV:               21

   EXECUTED FROM:      CI.PUB.SYS

   USER:               JOHN             GROUP:            DOE

   ACCOUNT:            PAYROLL          JSNAME:           JREPORT

The following is the log record format:

Table 13-8 Type 134 Record Format

   Length (16-bit words)   Record Content
   1                       Record type (134)
   1                       Record length
   1                       Process identification number
   3                       Time stamp
   2                       Job type/job number
   8                       Target user name
   8                       Target group name
   8                       Target account name
   1                       Type changed
   1                       Input LDEV number
   25                      Executed from
   3                       (Reserved)
   8                       User name
   8                       Group name
   8                       Account name
   8                       Job or session name

 

NOTE: The PASSWORD command allows all users to change their own passwords. In the past, only system managers and account managers could change passwords.

Log of ACD changes

This log type is activated when ACDs are changed (created, deleted, copied, or modified) with MPE/iX commands or intrinsics. The log is initially disabled (OFF).

The information recorded in this logging includes

  • header

    • record type

    • record length

    • time stamp

    • job or session number

    • PIN

  • log information

    • the identification of the user who changed the ACD: job or session name, user name, group name, and account name

    • the object type and object name whose ACD was changed

    • the object type and object name from which the ACD was copied

    • the type of change to the ACD: create, add pair, replace pair, copy, delete pair, delete

    • the program file name from which the ACD change was executed.

    • status returned (HPE status)

In this example, user JOHN.PAYROLL,DOE, with job or session name JREPORT, successfully created an ACD for a file called FTEST.TESTGP.PAYROLL, using the command executor.

The LOGTOOL formats the following layout after the standard header:

   TARGET OBJECT:        FTEST.TESTGP.PAYROLL

   SOURCE OBJECT:

   FUNCTION:             CREATE

   EXECUTED FROM:        CI.PUB.SYS

   STATUS:               SUCCESSFUL

   USER:                 JOHN              GROUP:         DOE

   ACCOUNT:              PAYROLL           JSNAME:        JREPORT

The following is the log record format:

Table 13-9 Type 138 Record Format

   Length (16-bit words)   Record Content
   1                       Record type (138)
   1                       Record length
   1                       Process identification number
   3                       Time stamp
   2                       Job type/job number
   25                      Target object name
   25                      Source object name
   4                       Function
   25                      Executed from
   2                       Status
   8                       User name
   8                       Group name
   8                       Account name
   8                       Job or session name
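
As an added example (not HP code), the following Python decodes raw type 134 and type 138 records by the word layouts in Tables 13-8 and 13-9 and runs a few triage rules over them. The field order and widths come from the tables; the byte order, text padding, status convention, the meaning of the record-length word and the text form of the function field are assumptions noted in the code, and the three sample records are constructed here rather than captured from a system.

```python
"""Decoder and triage for the fixed-layout system log records in Tables
13-8 (type 134, password changes) and 13-9 (type 138, ACD changes).

Added example, not HP code.  Field order and widths (in 16-bit words) come
from the two tables.  Everything else is assumed here: big-endian words,
ASCII space-padded text fields, a record length that counts words, the
3-word time stamp and 2-word job type/number carried as raw words because
the page does not define their encoding, a 2-word HPE status where (0, 0)
is success, and a 'function' field holding the text LOGTOOL prints.
The sample records are constructed, not captured from a system.
"""
from __future__ import annotations

import struct

# (field, width in 16-bit words, kind): 'w' = raw word(s), 't' = text
LAYOUTS = {
    134: [("record_type", 1, "w"), ("record_length", 1, "w"), ("pin", 1, "w"),
          ("time_stamp", 3, "w"), ("job_type_number", 2, "w"),
          ("target_user", 8, "t"), ("target_group", 8, "t"), ("target_account", 8, "t"),
          ("type_changed", 1, "w"), ("input_ldev", 1, "w"), ("executed_from", 25, "t"),
          ("reserved", 3, "w"), ("user", 8, "t"), ("group", 8, "t"),
          ("account", 8, "t"), ("jsname", 8, "t")],
    138: [("record_type", 1, "w"), ("record_length", 1, "w"), ("pin", 1, "w"),
          ("time_stamp", 3, "w"), ("job_type_number", 2, "w"),
          ("target_object", 25, "t"), ("source_object", 25, "t"), ("function", 4, "t"),
          ("executed_from", 25, "t"), ("status", 2, "w"), ("user", 8, "t"),
          ("group", 8, "t"), ("account", 8, "t"), ("jsname", 8, "t")],
}
PASSWORD_TYPES = {1: "USER", 2: "GROUP", 4: "ACCOUNT"}   # 'type changed' codes from the text


def record_words(rtype: int) -> int:
    return sum(width for _, width, _ in LAYOUTS[rtype])


def encode_record(rtype: int, **fields) -> bytes:
    """Build a record from field values; used here only to construct samples."""
    fields.setdefault("record_type", rtype)
    fields.setdefault("record_length", record_words(rtype))   # assumed: length in words
    out = bytearray()
    for name, width, kind in LAYOUTS[rtype]:
        val = fields.get(name)
        if kind == "t":
            text = (val or "").encode("ascii")
            if len(text) > 2 * width:
                raise ValueError(f"{name} longer than {2 * width} bytes")
            out += text.ljust(2 * width, b" ")
        else:
            words = (val,) if isinstance(val, int) else tuple(val or ())
            out += struct.pack(f">{width}H", *(words + (0,) * (width - len(words))))
    return bytes(out)


def decode_record(buf: bytes) -> dict:
    """Slice one record by its layout; reject unknown types and short buffers."""
    rtype = struct.unpack(">H", buf[:2])[0]
    if rtype not in LAYOUTS:
        raise ValueError(f"no layout for record type {rtype}")
    need = 2 * record_words(rtype)
    if len(buf) < need:
        raise ValueError(f"type {rtype} record truncated: {len(buf)} < {need} bytes")
    rec, pos = {}, 0
    for name, width, kind in LAYOUTS[rtype]:
        chunk = buf[pos:pos + 2 * width]
        pos += 2 * width
        if kind == "t":
            rec[name] = chunk.decode("ascii", "replace").rstrip()
        else:
            words = struct.unpack(f">{width}H", chunk)
            rec[name] = words[0] if width == 1 else words
    return rec


def review(rec: dict) -> list[str]:
    """Example triage rules an analyst might run over decoded records."""
    findings = []
    if rec["record_type"] == 138:
        if rec["status"] != (0, 0):
            findings.append("ACD change failed (possible probing of protected files)")
        if rec["function"].upper() == "DELETE":
            findings.append("ACD delete attempted: file would fall back to matrix/lockword")
        target = rec["target_object"]
        if "." in target and target.rsplit(".", 1)[1] != rec["account"]:
            findings.append("ACD change on a file outside the actor's account (creator or SM only)")
    elif rec["record_type"] == 134:
        if PASSWORD_TYPES.get(rec["type_changed"]) == "ACCOUNT":
            findings.append("account password changed")
        if rec["target_user"] and (rec["target_user"], rec["target_account"]) != (rec["user"], rec["account"]):
            findings.append("password changed for a different user (AM/SM action)")
    return findings


# Constructed samples: the two LOGTOOL examples from the text, plus a failed
# cross-account ACD delete that the triage rules should flag.
SAMPLE_RECORDS = [
    encode_record(138, pin=42, target_object="FTEST.TESTGP.PAYROLL", function="CREATE",
                  executed_from="CI.PUB.SYS", status=(0, 0),
                  user="JOHN", group="DOE", account="PAYROLL", jsname="JREPORT"),
    encode_record(134, pin=42, target_account="PAYROLL", type_changed=4, input_ldev=21,
                  executed_from="CI.PUB.SYS",
                  user="JOHN", group="DOE", account="PAYROLL", jsname="JREPORT"),
    encode_record(138, pin=77, target_object="FILEA.XX.PAYROLL", function="DELETE",
                  executed_from="CI.PUB.SYS", status=(0, 1),
                  user="MGR", group="PUB", account="DESIGN", jsname="PROBE"),
]


def triage(records: list[bytes]) -> list[tuple[str, list[str]]]:
    """Decode every record and pair the actor with its findings."""
    out = []
    for buf in records:
        rec = decode_record(buf)
        out.append((f"type {rec['record_type']} by {rec['user']}.{rec['account']}", review(rec)))
    return out


if __name__ == "__main__":
    for summary, findings in triage(SAMPLE_RECORDS):
        print(summary, "->", findings or ["nothing to flag"])
```

The layout table is the whole decoder: adding type 135, 136, 137, 139, 140 or 141 is a matter of transcribing its table from this chapter. The triage rules are deliberately narrow and tied to what the text says about ACDs (a deleted ACD drops the file back to the access matrix and lockwords; only a creator or SM can change ACDs in another account; failures are logged with their HPE status), so a nonzero status on a type 138 record is the cheapest signal that someone is probing ACD-protected files.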

 
