MPE/iX implements a discretionary access control (DAC) mechanism
that is consistent with the guidelines laid down by the National
Computer Security Center.
The MPE/iX implementation, access control definitions (ACD),
is a subset of the DAC mechanism. ACDs maintain a list of users
and the access modes that each user has to files and devices.
An ACD that is associated with a file overrides the classic MPE file access
matrix and lockwords, which are described later in Chapter 13,
"Maintaining File Security".
By associating an ACD with a file or a device, the owner of
the file or device may define which users have access to that file
or device and which modes of access are available to other users.
When a file is associated with an ACD, the ACD is put into its file
label extension. The ACD contains a list of access modes
paired with users.
When a user attempts to access a file or to acquire a device, HPFOPEN
or FOPEN is called, and the system makes the following checks:
1. Is the user an owner of the file or device; that is, is the user
   the creator of the file, the account manager (AM capability) of the
   account where the file resides, or the system manager (SM capability)?
   If so, permission is granted, and the checking ends.
2. If not, is there an ACD associated with the file or device?
   If there is no ACD, the system looks for authorization in the
   traditional MPE/iX file access matrix and lockwords.
   If there is an ACD, the system searches for the user, in this order:
     a. specific names (username.accountname)
     b. account groupings (@.accountname)
     c. system groupings (@.@)
   If a match is found, the user can access the device or file as
   authorized (read, write, execute, and so on), and no further
   checking is done.
   If there is no match, the user is denied entry, and no further
   checking is done.
It is important to note that if an ACD exists, the MPE/iX
file access matrix and lockwords are never consulted.
Any device or a file can be paired with an ACD.
An ACD is associated with a file or a device by pairing access
modes with users. A user is any username.accountname specification.
The modes of access are:
The users MGR.ACCTING and DENNIS.LEE can read and write to
the file associated with this example ACD. Anyone in the PAYROLL
account can read it, and anyone on the system can append to it. Thus
no one but DENNIS.LEE and the owners can overwrite the file, and only
the owners can lock it.
NOTE: If an ACD exists and if you are not explicitly given
permission to access a file or a device, you do not have access.
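The ownership check, the three-tier ACD search and the ACD pair syntax described above, modelled in Python as an added example (this is not HP code and does not appear on the original page). It assumes the ALTSEC-style ACD string shown elsewhere on this page and the mode letters R, W, A, L, X, RACD and NONE; the class and function names are mine. The model follows the page's rule literally: the first tier that matches decides, so a user matched at @.accountname never falls through to the @.@ entry.

```python
from dataclasses import dataclass
from typing import Optional

MODES = {"R", "W", "A", "L", "X", "RACD", "NONE"}  # NONE is an explicit deny


def parse_acd(spec: str) -> list:
    """Parse '(modes:userspec;modes:userspec;...)' into (modes, userspec)
    pairs in the order written; rejects unknown modes or empty specs."""
    body = spec.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("ACD must be enclosed in parentheses")
    pairs = []
    for entry in body[1:-1].split(";"):
        modes, _, user = entry.partition(":")
        mode_set = frozenset(m.strip().upper() for m in modes.split(","))
        if not mode_set <= MODES or not user.strip():
            raise ValueError(f"bad ACD entry: {entry!r}")
        pairs.append((mode_set, user.strip().upper()))
    return pairs


@dataclass
class FileObject:
    creator: str                 # user.account that created the file
    account: str                 # account in which the file resides
    acd: Optional[str] = None    # ACD string, or None when no ACD is attached


def is_owner(user: str, caps: set, obj: FileObject) -> bool:
    """Owner: the creator, an AM of the file's account, or any SM user."""
    _, _, acct = user.upper().partition(".")
    return ("SM" in caps or user.upper() == obj.creator.upper()
            or ("AM" in caps and acct == obj.account.upper()))


def acd_lookup(user: str, acd: str) -> Optional[frozenset]:
    """Search the ACD for username.account, then @.account, then @.@.
    The first tier that matches decides; later tiers are never consulted."""
    uname, _, acct = user.upper().partition(".")
    pairs = parse_acd(acd)
    for candidate in (f"{uname}.{acct}", f"@.{acct}", "@.@"):
        for modes, spec in pairs:
            if spec == candidate:
                return modes
    return None


def check_access(user: str, caps: set, obj: FileObject, mode: str) -> str:
    """Return 'owner', 'granted' or 'denied'; 'matrix' means no ACD exists
    and the classic file access matrix and lockwords (not modelled here)
    would be consulted instead."""
    if is_owner(user, caps, obj):
        return "owner"
    if obj.acd is None:
        return "matrix"
    modes = acd_lookup(user, obj.acd)
    if modes is None or "NONE" in modes or mode.upper() not in modes:
        return "denied"
    return "granted"
```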
Use MPE/iX commands to manage ACDs interactively, through
the command interpreter. Use MPE/iX intrinsics to manage ACDs in a program.
Commands
These MPE/iX commands accept ACD-related parameters or incorporate
ACD associations in their operation:
ALTSEC
Permits the addition, creation, deletion, modification, copying, and
listing of ACD attributes.
COPY
Always copies the ACD associated with the source
file to the target file, if an ACD is present.
FCOPY
Permits copying ACD attributes.
FILE
Permits the equation of one file/device-ACD specification
to another file/device-ACD specification.
LISTFILE
Permits the listing of the ACD attributes associated
with a file or device.
RELEASE
Returns a warning when an ACD is associated with a file.
RESTORE
Accommodates ACDs.
SECURE
Returns a warning when an ACD is associated with a file.
SHOWDEV
Permits the listing of ACD attributes associated with a
device.
STORE
Accommodates ACDs.
Detailed discussions of these commands are found in the MPE/iX
Commands Reference Manual.
Intrinsics
HPACDPUT
Permits the addition, creation, deletion, modification,
copying, and listing of ACD attributes.
HPACDINFO
Returns security attributes.
HPFOPEN
Permits the creation of an ACD.
The intrinsic FOPEN cannot be modified to give it the option of
creating an ACD. You must use HPFOPEN.
Detailed discussions of these intrinsics are found in the MPE/iX Intrinsics
Reference Manual.
Device ACDs are not permanent objects; you must redefine them every
time that the system is rebooted. The easiest way to do this is to put
ALTSEC commands into the SYSSTART file, either directly
or in a command file.
File ACDs are permanent objects; they survive a reboot. When you
store files to tape, FCOPY and STORE save the files' ACDs
too, unless you specify otherwise. If you are not an owner of the file and you
do not have RACD permission, you get an error if you try to copy the
ACD. Instead, choose the NOACD parameter.
You may manage ACDs interactively through MPE/iX commands
or programmatically through MPE/iX intrinsics.
Creating ACDs
Command/Intrinsic      Purpose
ALTSEC (command)       Create an ACD for an existing device or file
HPACDPUT (intrinsic)   Create an ACD for an existing device or file
Examples
To assign Read access to user SAM.DOE, Write access to
JOE.DOE, no access (None) to all users in the DESIGN account,
and Execute access to all users in all accounts (except those in the
DESIGN account), enter this:
To add an ACD that prevents any user except OPERATOR.SYS from
accessing LDEV 7 (a tape drive), enter this:
ALTSEC 7,LDEV;NEWACD=(R,W:OPERATOR.SYS)
The user must have SM capability to do this.
This short program uses HPACDPUT in creating an ACD for a file called
TARGET:
program acdput(input, output);
var
  status   : integer;
  filename : packed array [1..28] of char;
  ACD      : packed array [1..256] of char;
procedure HPACDPUT; intrinsic;
begin
  filename := 'TARGET';
  { the ACD string is 19 characters; terminate it with a carriage return }
  ACD := '(x:@.@;r,w:mgr.sys)';
  ACD[20] := chr(13);
  HPACDPUT(status, 1, filename, 20, ACD);
  if status <> 0 then
    writeln('HPACDPUT failed. Status = ', status);
end.
When you create a new file with the COPY, FCOPY,
STORE, or RESTORE commands, you can use the command
parameters to create the ACDs for the new file.
COPY
The COPY command automatically copies any ACD attributes
from the source file to the target file, provided that the user is an
owner of the source file or has RACD access to that file.
COPY FILEA,FILEB
FCOPY
The ;COPYACD parameter of the FCOPY command permits
the user to copy a file and its ACD, provided that the user is an
owner or has RACD permission.
FCOPY <;fcopycommand>;COPYACD
STORE
To store all of the files on a system to tape, including their ACDs,
enter this:
FILE T;DEV=TAPE
STORE @.@.@;*T;COPYACD
COPYACD is the default. You must have access to any
ACD-protected files being stored.
SM and OP can store any ACD-protected file on the
system.
AM can store any ACD-protected file in the manager's
account.
Users can store any ACD-protected files that they own,
provided that they have Read access to the file and RACD access
to the file if ;COPYACD is specified.
Others can store ACD-protected files for which they have RACD
permission, provided that they have Read access to the file and
RACD access to the file if ;COPYACD is
specified.
You must have PM access to a PM file in order to store
it.
RESTORE
To restore all of the files on tape and copy the ACD attributes of
the files to disk, enter this:
FILE T;DEV=TAPE
RESTORE *T;@;KEEP;SHOW;COPYACD
COPYACD is the default. NOACD prevents the copying
of the ACD attributes.
SM and OP can restore any ACD-protected file on the
system.
AM can restore any ACD-protected file in the manager's
account.
Users can restore any ACD-protected files that they own,
provided that they have Read access to the file and RACD access
to the file if ;COPYACD is specified.
Others can restore ACD-protected files for which they have RACD
permission, provided that they have Read access to the file and
RACD access to the file if ;COPYACD is
specified.
You must have PM access to a PM file in order to store
it.
Listing ACDs
Command/Intrinsic       Purpose
LISTFILE (command)      Show ACDs for files
SHOWDEV (command)       Show ACDs for devices
HPACDINFO (intrinsic)   Show ACDs for files and devices
HPACDPUT (intrinsic)    Show ACDs for files and devices
Examples
The LISTFILE command with option 4 shows the ACD status of a
file in this fashion:
LISTFILE FILEA,4
****************************
FILEA.XX.DESIGN
SYSTEM     READ:    ANY
SECURITY--WRITE:    AC
(ACCT)     APPEND:  AC
           LOCK:    AC
           EXECUTE: ANY
SYSTEM     READ:    GU
SECURITY--WRITE:    GU
(GROUP)    APPEND:  GU
           LOCK:    GU
           EXECUTE: GU
SYSTEM     READ:    ANY     FCODE: 0
SECURITY--WRITE:    ANY     CREATOR: **
(FILE)     APPEND:  ANY     LOCKWORD: **
           LOCK:    ANY     **SECURITY IS ON
           EXECUTE: ANY     **ACD EXISTS
FOR XX.DESIGN: NONE
(Other ACD status reports are NO ACD and ACD CORRUPTED.)
The LISTFILE command with option -2 gives a detailed ACD
report on a file in this fashion:
LISTFILE FILEA,-2
FILE = FILEA    ************** ACD ENTRIES **************
                SAM.DOE  : R
                JOE.DOE  : W
                @.DESIGN : NONE
                @.@      : X
The SHOWDEV command displays the ACD attributes of a device
in this fashion:
SHOWDEV 14;ACD
LDEV  AVAIL    OWNERSHIP    VOLID  DEN  ASSOCIATION
 14   SPOOLED  SPOOLER OUT
      ACD ENTRIES: @.@ : R,W,X
This short program uses HPACDINFO to retrieve the number of entries
and first user in the ACD of a file called TARGET:
program acdinfo(input, output);
type
  shortint = -32768..32767;
var
  status    : integer;
  filename  : packed array [1..28] of char;
  numentry  : shortint;                      { number of ACD entries }
  firstuser : packed array [1..18] of char;  { first user spec in the ACD }
procedure HPACDINFO; intrinsic;
begin
  filename := 'TARGET';
  HPACDINFO(status, 1, filename, 21, numentry, firstuser);
  if status = 0 then
    begin
      writeln('Number of Entries: ', numentry:1);
      writeln('First UserSpec   : ', firstuser);
    end;
end.
Copying ACDs
Command/Intrinsic                         Purpose
;COPYACD parameter of ALTSEC (command)    Copy an ACD from one file to another
Examples
To copy the ACD associated with FILEB to FILEA, enter this:
ALTSEC FILEA.XX.DESIGN;COPYACD=FILEB.XX.DESIGN
Only an owner, or a user granted RACD (read ACD) authorization,
can copy the ACD from FILEB.
To copy the ACD attributes of LDEV 7 to LDEV 23, enter this:
ALTSEC 23,LDEV;COPYACD=7,LDEV
Only users with SM capability may do this. By definition,
users having SM capability are owners of all the files and devices
on a system. Those users may give themselves access to any file
or device on the system.
Modifying ACDs
Command/Intrinsic      Purpose
ALTSEC (command)       To change an ACD
HPACDPUT (intrinsic)   To change an ACD
Adding ACD pairs
To confer Read access on JOE.DESIGN for FILEA, enter this:
ALTSEC FILEA.XX.DESIGN;ADDPAIR=(R:JOE.DESIGN)
Replacing ACDs
To change the (previous) Read access for SAM.DOE to Write access,
enter this:
ALTSEC FILEA.XX.DESIGN;REPPAIR=(W:SAM.DOE)
To assign Read and Write access to SAM.DOE, do this:
ALTSEC FILEA.XX.DESIGN;REPPAIR=(W,R:SAM.DOE)
Deleting ACDs
Command/Intrinsic      Purpose
ALTSEC (command)       To delete an ACD
HPACDPUT (intrinsic)   To delete an ACD
To remove @.DESIGN from the ACD attributes of FILEA, enter this:
ALTSEC FILEA.XX.DESIGN;DELPAIR=(NONE:@.DESIGN)
To deny OPERATOR.SYS any access to LDEV 7, enter this:
ALTSEC 7,LDEV;DELPAIR=(R,W:OPERATOR.SYS)
Only an owner can delete an ACD associated with a file. Only
the system manager can delete an ACD associated with a device.
Migrating ACDs
Device ACDs should not be migrated, because they are tied
to their system's configuration.
You can move file ACDs between MPE V/E and MPE/iX by using the STORE
and RESTORE commands, where COPYACD is the default.
These are the steps CM RESTORE takes during forward migration:
1. reads the MPE V/E store format.
2. calls a routine to convert it to MPE/iX internal format.
3. calls the file label extension write routine, which puts the ACD
   into effect.
These are the steps CM STORE takes during backward migration:
1. reads the ACD from the security file label extension.
2. calls a routine to convert it into MPE V/E format.
3. writes it out to the STORE tape.
Be aware that MPE/iX allows more user-mode pairs than MPE V/E
does.
You must have authorization to use the ;COPYACD parameter of the
STORE and RESTORE commands. If you are not an owner of the
file or do not have RACD permission, you get an error. The STORE
command checks the ACD on disk for permission. RESTORE checks the ACD
from the tape.
For more details, refer to the MPE/iX Commands Reference Manual and the
MPE/iX Intrinsics Reference Manual.
The following list shows the types of logs that you can request.
Table 13-1 SYSGEN System Logging

System Log Event                   Event Type
System logging enabled             100
System up record                   101
Job initiation record              102
Job termination record             103
Process termination record         104
File close record                  105
System shutdown record             106
Power failure record               107
Spooling log record                108
I/O error record                   111
Physical mount/dismount            112
Logical mount/dismount             113
Tape labels record                 114
Console log record                 115
Program file event                 116
New commercial spooling            120
Architected interface              130
Password changes                   134
System logging configuration       135
Restore logging                    136
Printer access failure             137
ACD changes                        138
Stream initiation logging          139
User logging                       140
Process creation                   141
Chgroup record                     143
File open record                   144
Maintenance request log            146
Diagnostic information record      150
High priority machine check        152
Low priority machine check         152
CM file close record               160
All log information is kept in records. Each record begins
with a standard header and ends with identification information.
The information between is different for each log type. The LOGTOOL
utility has a standard format to display information.
Log of system logging configuration
This log gives you an audit trail of changes to the logging
configuration. This log is initially enabled (ON). The following
is the log record format:
Table 13-2 Type 135 Record Format

Length (16-bit words)   Record Content
1                       Record type (135)
1                       Record length
1                       Process identification number
3                       Time stamp
2                       Job type/job number
1                       (Reserved)
1                       LDEV number
4                       System logging masking words
8                       User name
8                       Group name
8                       Account name
8                       Job or session name
Log of restore
This log traces file restorations. Files can be restored from tape or serial
disk to the system. This log type is initially disabled (OFF). It can be
enabled by SYSGEN followed by a START command. The following is the
log record format:
Table 13-3 Type 136 Record Format

Length (16-bit words)   Record Content
1                       Record type (136)
1                       Record length
1                       Process identification number
3                       Time stamp
2                       Job type/job number
8                       File name
8                       File group
8                       File account
8                       Creator
17                      Volume identification
1                       Access type
8                       User name
8                       Group name
8                       Account name
8                       Job or session name
Log of printer access failure
This log keeps track of failed attempts to attach spool files to printers. New
spool files, which are logged by FOPEN as event #144, are not logged
here.
This log is initially disabled, but can be enabled by SYSGEN followed
by a START command.
Table 13-4 Type 137 Record

Length (16-bit words)   Record Content
1                       Record type (137)
1                       Record length
1                       Process identification number
3                       Time stamp
2                       Job type/job number
2                       Creator job number
8                       Creator job name
8                       Creator user name
8                       Creator account name
25                      Spool file name
8                       Target device name/class
1                       (Reserved)
2                       File size
1                       Status
8                       User name
8                       Group name
8                       Account name
8                       Job or session name
Log of stream initiation
This log records the name of a streamed job, its number, the
user that initiates it (and the logon), and the scheduled date and time.
This log is initially disabled, but can be enabled by SYSGEN
followed by a START command.
Table 13-5 Type 139 Record

Length (16-bit words)   Record Content
1                       Record type (139)
1                       Record length
1                       Process identification number
3                       Time stamp
2                       Job type/job number
1                       Input LDEV
25                      Job file name
2                       Job logon job or session number
8                       Job logon user
8                       Job logon group
8                       Job logon account
8                       Job name
2                       Input spool file id
1                       Scheduled date
2                       Scheduled time
8                       User name
8                       Group name
8                       Account name
8                       Job or session name
Log of user logging
This log keeps a record of all OPENLOG and CLOSELOG intrinsic
calls. The system manager can use it to see who accesses, or tries to access,
the user logging facility.
This log is initially disabled, but can be enabled by SYSGEN
followed by a START command.
Table 13-6 Type 140 Record Format

Length (16-bit words)   Record Content
1                       Record type (140)
1                       Record length
1                       Process identification number
3                       Time stamp
2                       Job type/job number
25                      Program file name
4                       Intrinsic
2                       Index
4                       Log id
1                       Mode
1                       Status
8                       User name
8                       Group name
8                       Account name
8                       Job or session name
The LOG ID field in the log record is "XXXXXX" for CLOSELOG intrinsic
when the index is bad.
Log of process creation
You can use this log to record all process creations. This
log is initially disabled, but can be enabled by SYSGEN followed
by a START command.
Table 13-7 Type 141 Record

Length (16-bit words)   Record Content
1                       Record type (141)
1                       Record length
1                       Process identification number
3                       Time stamp
2                       Job type/job number
25                      File name
1                       (Reserved)
2                       Priority
2                       Process space id
4                       Parent PID
2                       NM_Heap_Size
2                       Capabilities mask*
8                       (Reserved)
8                       User name
8                       Group name
8                       Account name
8                       Job or session name

* The capabilities mask is read as follows:
  User capability      File access capability    Program/group capability
  bit  capability      bit  capability           bit  capability
  0    SM              6    CV                   23   BA
  1    AM              7    UV                   24   IA
  2    AL              8    LG                   25   PM
  3    GL              9    SP                   28   MR
  4    DI              10   PS                   30   DS
  5    OP              11   NA                   31   PH
                       12   NM
                       13   CS
                       14   ND
                       15   SF
The LOGTOOL utility command LIST shows you the output of log records
in a standard format. If you like, you can filter the output of LOGTOOL utility
to show you information about only a specific user or users. The syntax
for this is shown below.
LIST {LOG=log_name} [;JSNAME=job_or_session_name
                     ;USER=user_name
                     ;ACCOUNT=account_name] [...]
The input for these commands should be no longer than 80 characters.
Default for all parameters is the wildcard @.
For example, to select log records from log files 1 through 5, with log
information about password changes (log type 134), and user identification
JTEST,MARIA.PAYROLL, you would enter the following.
MPE/iX permits logging of system and user events. The events
that relate directly to file security are:
password changes (event type 134)
printer access failure (event type 137)
ACD changes (event type 138)
Logging begins whenever the system is rebooted; however, not all events are
automatically enabled. Some, including those listed above, are initially
disabled. You can, however, request that a new file be started.
To keep a certain type of log, the system operator or system manager must
change its status to ON (configure it) in SYSDIAG. To see log records
displayed, call the LOGTOOL utility from SYSGEN.
For a discussion of these and other logging facilities, consult these topics in
Performing System Operator Tasks: SYSDIAG, the LOGTOOL
utility, and SYSGEN System Logging.
Log of password changes
System logging records when a user, group, or account password
is changed by an MPE/iX command or a utility program. This log is
initially disabled (OFF).
The information recorded in this logging includes:
header
    record type
    record length
    time stamp
    job or session number
    PIN
log information
    the identification of the user who changed a password: job or
    session name, user name, group name, and account name
    the identification of the user whose password was changed: user
    name, group name, and account name, whenever the affected password
    changes
    input logical device number from which the password was
    changed
    program file name from which the password change was
    executed
    type changed: 1 = user, 2 = group, 4 = account
In this example, JOHN.PAYROLL,DOE, job or session name
JREPORT, successfully changed the account password for
PAYROLL through the command executor. The change was made from LDEV 21.
The LOGTOOL utility formats the following layout after the
standard header:
TARGET USER:               TARGET GROUP:
TARGET ACCOUNT: PAYROLL    TYPE CHANGED: ACCOUNT
LDEV: 21
EXECUTED FROM: CI.PUB.SYS
USER: JOHN                 GROUP: DOE
ACCOUNT: PAYROLL           JSNAME: JREPORT
The following is the log record format:
Table 13-8 Type 134 Record Format

Length (16-bit words)   Record Content
1                       Record type (134)
1                       Record length
1                       Process identification number
3                       Time stamp
2                       Job type/job number
8                       Target user name
8                       Target group name
8                       Target account name
1                       Type changed
1                       Input LDEV number
25                      Executed from
3                       (Reserved)
8                       User name
8                       Group name
8                       Account name
8                       Job or session name
NOTE: The PASSWORD command allows all users to change their
own passwords. In the past, only system managers and account managers
could change any passwords.
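A decoder for the Type 134 record layout tabulated above, written here as an added example (it is not HP's LOGTOOL and is not on the original page). It assumes the 16-bit words are big-endian and that name fields are blank-padded ASCII; the time-stamp, job-number and reserved words are returned raw because their internal encoding is not described on this page, and the sample record (PIN and record-length values included) is constructed from the manual's JOHN.PAYROLL,DOE example.

```python
import struct

# (field, length in 16-bit words, kind) transcribed from Table 13-8
TYPE_134_LAYOUT = [
    ("record_type", 1, "int"), ("record_length", 1, "int"),
    ("pin", 1, "int"), ("time_stamp", 3, "raw"),
    ("job_type_number", 2, "raw"), ("target_user", 8, "str"),
    ("target_group", 8, "str"), ("target_account", 8, "str"),
    ("type_changed", 1, "int"), ("input_ldev", 1, "int"),
    ("executed_from", 25, "str"), ("reserved", 3, "raw"),
    ("user", 8, "str"), ("group", 8, "str"), ("account", 8, "str"),
    ("jsname", 8, "str"),
]
TYPE_CHANGED = {1: "USER", 2: "GROUP", 4: "ACCOUNT"}  # from the table above
RECORD_WORDS = sum(words for _, words, _ in TYPE_134_LAYOUT)  # 94 words
DEFAULTS = {"int": 0, "str": "", "raw": b""}


def build_record(fields: dict) -> bytes:
    """Encode a record from a dict of field values (used below to construct
    sample input; big-endian words, blank-padded ASCII are assumptions)."""
    out = bytearray()
    for name, words, kind in TYPE_134_LAYOUT:
        val = fields.get(name, DEFAULTS[kind])
        if kind == "int":
            out += struct.pack(">H", val)
        elif kind == "str":
            if len(val) > 2 * words:
                raise ValueError(f"{name} too long for {words} words")
            out += val.upper().ljust(2 * words).encode("ascii")
        else:
            out += bytes(val).ljust(2 * words, b"\0")
    return bytes(out)


def parse_record(data: bytes) -> dict:
    """Decode one Type 134 record; rejects short data or another type."""
    if len(data) < 2 * RECORD_WORDS:
        raise ValueError("truncated record")
    rec, pos = {}, 0
    for name, words, kind in TYPE_134_LAYOUT:
        chunk = data[pos:pos + 2 * words]
        pos += 2 * words
        if kind == "int":
            rec[name] = struct.unpack(">H", chunk)[0]
        elif kind == "str":
            rec[name] = chunk.decode("ascii").rstrip()
        else:
            rec[name] = chunk  # encoding not documented on this page
    if rec["record_type"] != 134:
        raise ValueError(f"not a type 134 record: {rec['record_type']}")
    rec["type_changed_name"] = TYPE_CHANGED.get(rec["type_changed"], "UNKNOWN")
    return rec


# Constructed sample mirroring the manual's example: JOHN.PAYROLL,DOE
# (JSNAME JREPORT) changed the PAYROLL account password from LDEV 21.
SAMPLE = build_record({
    "record_type": 134, "record_length": RECORD_WORDS, "pin": 57,
    "target_account": "PAYROLL", "type_changed": 4, "input_ldev": 21,
    "executed_from": "CI.PUB.SYS", "user": "JOHN", "group": "DOE",
    "account": "PAYROLL", "jsname": "JREPORT",
})
```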
Log of ACD changes
This log type is activated when ACDs are changed (created,
deleted, copied, or modified) with MPE/iX commands or intrinsics.
The log is initially disabled (OFF).
The information recorded in this logging includes:
header
    record type
    record length
    time stamp
    job or session number
    PIN
log information
    the identification of the user who changed the ACD: job or
    session name, user name, group name, and account name
    the object type and object name whose ACD was changed
    the object type and object name from which the ACD was
    copied
    the type of change to the ACD: create, add pair, replace pair,
    copy, delete pair, delete
    the program file name from which the ACD change was
    executed
    status returned (HPE status)
In this example, user JOHN.PAYROLL,DOE, with job or session name JREPORT,
successfully created an ACD for a file called FTEST.TESTGP.PAYROLL, using the
command executor.
The LOGTOOL utility formats the following layout after the standard header:
TARGET OBJECT: FTEST.TESTGP.PAYROLL
SOURCE OBJECT:
FUNCTION: CREATE
EXECUTED FROM: CI.PUB.SYS
STATUS: SUCCESSFUL
USER: JOHN                 GROUP: DOE
ACCOUNT: PAYROLL           JSNAME: JREPORT
The following is the log record format:
Table 13-9 Type 138 Record Format