Security Uses of the FILEDATA Utility

The FILEDATA utility is used to report information about files.

The following security-related information can be requested from FILEDATA:

  • A report on code files

  • A report on the values of the security-related attributes of files

  • A report of all the files that are guarded by a specified guard file

FILEDATA can be executed in a number of ways; perhaps the simplest is from the Menu-Assisted Resource Control (MARC) interface or CANDE.

The following examples assume that:

  • FILEDATA is executed from CANDE.

  • SYSTEM/FILEDATA is accessible through the family substitution designated for the user executing the program.

In each case, the resulting report is sent to the terminal of the user requesting the report.

Identifying Potentially Hazardous Files

The FILEDATA option CODEVERSION returns information about code files. Use this information to identify potentially hazardous files. The report indicates when the file has any of the following characteristics.

This information can also be seen in the “Disk File Privileges” report of Locum SafeSurvey.

  Report Information
      Meaning

  COMPILER
      The file is a compiler code file, enabled by an MP (Mark Program) system command.

  CONTROL
      The file is a control program, enabled by an MP (Mark Program) system command.

  PRIVILEGES: PU, SECADMIN, TASKING
      The file is privileged with the indicated privileges (PU, SECADMIN, or TASKING).

  PRIVILEGES: PU TRANSPARENT, SECADMIN TRANSPARENT, TASKING TRANSPARENT
      The file is privileged-transparent for the indicated privileges and inherits those privileges from the code file calling the current file.

  TADS-CAPABLE
      The execution of the file can be analyzed by the Test and Debug System (TADS).

  EXECUTABLE
      The file can be executed in a normal fashion.

  NON-EXECUTABLE:UNSAFE
      The file contains unsafe code and can be executed only if it is first made executable with the MP (Mark Program) system command or if it is made a support library with the SL (Support Library) system command. If the file is a master control program (MCP) file, the CM (Change MCP) system command must enable the file as an MCP.

A simple form of FILEDATA with this modifier is

RUN $SYSTEM/FILEDATA
    ("CODEFILEINFO: FAM = <family name> CODEVERSION SCREEN")

In place of <family name>, enter the family name of the disk that holds the files for which you want CODEVERSION information. Include the keyword SCREEN if you want the report to appear at your terminal; otherwise, the report appears on a line printer.

The resulting report contains CODEVERSION information for every code file on the specified family name.
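One way to act on a CODEVERSION report is to compare the characteristics it shows against an approved baseline, so that only new privileges or unsafe code files need review. The following Python example is added here and is not part of FILEDATA or of the original documentation. It assumes the report text has been copied to a workstation and reduced to a simplified layout (a file title line, one characteristic per indented line, a blank line between files), which is this example's assumption and not FILEDATA's actual output format; the file titles and the baseline are constructed.

```python
import re

# Characteristics from the table above that this example treats as needing
# review. Ignoring EXECUTABLE and TADS-CAPABLE is this example's choice.
REVIEW_MARKERS = {"COMPILER", "CONTROL", "NON-EXECUTABLE:UNSAFE"}
PRIV_RE = re.compile(r"PRIVILEGES:\s*(.+)")

def parse_report(text):
    """Map each file title to the set of review-worthy characteristics."""
    findings = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in record.splitlines() if ln.strip()]
        if not lines:
            continue
        title, flags = lines[0], set()
        for ln in lines[1:]:
            m = PRIV_RE.match(ln)
            if m:
                flags.update("PRIVILEGES: " + p.strip()
                             for p in m.group(1).split(",") if p.strip())
            elif ln in REVIEW_MARKERS:
                flags.add(ln)
        findings[title] = flags
    return findings

def unexpected(findings, baseline):
    """Return only the characteristics not approved in the baseline."""
    return {title: flags - baseline.get(title, set())
            for title, flags in findings.items()
            if flags - baseline.get(title, set())}

# Constructed sample in the assumed layout; titles are hypothetical.
SAMPLE = """\
(ADMIN)OBJECT/UTIL/BACKUP ON DISK
    EXECUTABLE
    PRIVILEGES: PU, TASKING

(DEV)OBJECT/TEST/PARSER ON DISK
    EXECUTABLE
    TADS-CAPABLE

(DEV)OBJECT/TOOLS/PATCHER ON DISK
    NON-EXECUTABLE:UNSAFE
"""
# Constructed baseline: characteristics already reviewed and approved.
BASELINE = {"(ADMIN)OBJECT/UTIL/BACKUP ON DISK": {"PRIVILEGES: PU"}}

if __name__ == "__main__":
    print(unexpected(parse_report(SAMPLE), BASELINE))
```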

The FILEDATA request ALGOLCHECK compares the version of ALGOL code files to the recommended minimum version and produces a report based on a specified <relation> and <release>. The version check includes ALGOL, DCALGOL, DMALGOL, and BDMSALGOL code files in a given directory or family. The resulting report enables you to identify code files from the release that you specify that might need to be recompiled by a newer compiler. For example,

RUN $SYSTEM/FILEDATA 
    ("ALGOLCHECK LSS 60.0 : DIR=SYSTEM FILEKIND CODEVERSION")

For more information about potentially hazardous files, see Protecting Potentially Hazardous Files.

Obtaining the Security-Attribute Values of Files

The SECURITY modifier returns the values of the SECURITYTYPE and SECURITYUSE attributes of files. The value of the SECURITYGUARD attribute identifies the guard file of a file.

A simple form of FILEDATA with this modifier is

RUN $SYSTEM/FILEDATA
    ("ATTRIBUTES: DIR = (<usercode>) SECURITY SCREEN")

In place of <usercode>, enter the usercode directory containing the files of interest.

The resulting report contains the values of the SECURITYMODE, GROUP, SECURITYTYPE, SECURITYUSE, and (when applicable) the SECURITYGUARD and ALTERNATEGROUPS attributes for every code file stored under the designated usercode directory.

Obtaining the Names of Guarded Files

The GUARDFILE modifier returns the names of all files that are guarded by the designated file. This information can be useful for tracking file access rights when guard files are used to grant groups of users common access to certain files.

This information can also be seen in the “Guardfile Activity” report of Locum SafeSurvey.

A simple form of FILEDATA with this modifier is

RUN $SYSTEM/FILEDATA
    ("FILENAMES: DIR = (<usercode>) GUARDFILE = <file title>")

In place of <file title>, enter the file title, including usercode and family name, of the guard file on which you want a report. In place of <usercode>, enter the usercode directory of the files that might be guarded.

The resulting report contains a list of every file name in the specified usercode directory that is guarded by the specified guard file.