The MCP Security Policy Management snap-in is a major component of Security Center. Its purpose is to help the MCP environment administrator to easily and quickly define, modify, and apply a policy to ClearPath enterprise servers.
The MCP Security Policy Management snap-in enables you to
- Establish and organize systemwide security settings.
- Establish and organize user account policies to be used in the MCP User Account Management snap-in.
- Maintain a history of changes made to the system policy settings.
- Use the MCP TCP/IP Filtering component to create and update the TCP/IP security rules file.
For more information, see the Security Center Help.
SDASUPPORT and IGSDASUPPORT Support Libraries
The System Data Access Support (SDASUPPORT) and InfoGuard System Data Access Support (IGSDASUPPORT) support libraries provide controlled access to the log files. The IGSDASUPPORT support library provides nonprivileged users with filtered access to the contents of the log files.
| Note: | Filtered access is available only as part of either the Secure Access Control Module security-enhancement software or the Secure Accountability Facility security feature package. |
The IGSDASUPPORT support library is privileged, and so has complete access to the log files. When the log file is public, the action of the IGSDASUPPORT support library is transparent to the user. When the log file is private, IGSDASUPPORT permits a nonprivileged user to view the following log records but no others:
- All log records produced by actions the user took on the system, except for actions that were security violations, such as an attempt to log on with an incorrect usercode/password combination
- Maintenance records, except for those records containing file names
- Halt/load records
If the Simple Installation (SI) program is used and SYSTEM/IGSDASUPPORT is selected for installation, SYSTEM/IGSDASUPPORT always becomes the target of the SDASUPPORT function.
If a privileged user on a system with Secure Access Control Module or the Secure Accountability Facility security feature package wants LOGANALYZER access to records other than these, he or she uses the LOGANALYZER option USERCODE with the period (.) appended:
USERCODE.
Used alone, this option enables privileged users to access the entire system log. Use this option in conjunction with other LOGANALYZER options to grant privileged users access to all the log records associated with those LOGANALYZER options. For example, entering USERCODE. FILE retrieves all the file open, close, and interval records.
The effect of the filtering done by the SDASUPPORT support library is to grant the nonprivileged user access to log records relating to his or her legitimate work on the system, and access to certain other records that are not considered sensitive.
If a nonprivileged user is to have complete access to the log file—if the security administrator is nonprivileged, for example—attach to SYSTEM/SUMLOG a guard file specifying read access for the appropriate usercode.
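The filtering rules above (own records minus security violations, maintenance records without file names, halt/load records, and the privileged USERCODE. override) can be modelled as a small policy function. This is an added example written for this page, not Unisys code; the record categories and sample log are constructed, and the behaviour of USERCODE. for a nonprivileged user is an assumption (treated as still filtered).

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class LogRecord:
    kind: str                        # "user", "maintenance" or "haltload" (constructed categories)
    usercode: Optional[str] = None   # usercode whose action produced a "user" record
    violation: bool = False          # security violation, e.g. bad usercode/password at log-on
    has_file_name: bool = False      # maintenance record that names a file

def visible_to_filtered_user(rec: LogRecord, usercode: str) -> bool:
    """Visibility of one record under the filter applied to a private log file."""
    if rec.kind == "user":
        return rec.usercode == usercode and not rec.violation
    if rec.kind == "maintenance":
        return not rec.has_file_name
    return rec.kind == "haltload"

def select_log(records: List[LogRecord], usercode: str, *, log_private: bool = True,
               privileged: bool = False, usercode_option: bool = False) -> List[LogRecord]:
    """Model of what a LOGANALYZER request receives through SDASUPPORT/IGSDASUPPORT.

    usercode_option models the LOGANALYZER option USERCODE. (with the period).
    Assumption: a nonprivileged user who sets it remains filtered."""
    if not log_private:                    # public log: the library is transparent
        return list(records)
    if privileged and usercode_option:     # USERCODE. gives a privileged user the whole log
        return list(records)
    return [r for r in records if visible_to_filtered_user(r, usercode)]

# Constructed sample log, not real MCP log data.
SAMPLE_LOG = [
    LogRecord("user", "ALICE"),
    LogRecord("user", "ALICE", violation=True),   # ALICE's failed log-on attempt
    LogRecord("user", "BOB"),
    LogRecord("maintenance"),
    LogRecord("maintenance", has_file_name=True),
    LogRecord("haltload"),
]

if __name__ == "__main__":
    for rec in select_log(SAMPLE_LOG, "ALICE"):
        print(rec)
```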
Controlling Access to the SDASUPPORT Support Library
Because the SDASUPPORT support library regulates access to the log files, access to log file records can be denied by denying access to the SDASUPPORT support library.
If all users are to be granted access to this library and thereby access to the log files, then assign the following file attribute values.
| File | Attribute Value |
|---|---|
| *SYSTEM/SECURITYLOG | SECURITYTYPE PRIVATE |
| *SYSTEM/SUMLOG | SECURITYTYPE PRIVATE |
| *SYSTEM/SDASUPPORT | SECURITYTYPE PUBLIC |
SYSTEM/SDASUPPORT is shipped with these values.
If access to log records is to be granted only to authorized individuals, make SYSTEM/SUMLOG a private file, and take one of the following steps:
- If only privileged users and programs are to have access to the log file records, make SYSTEM/SDASUPPORT a private file.
- If only privileged users and programs, and certain other authorized users and programs, are to have access to the log file records, guard SYSTEM/SDASUPPORT with a guard file that designates those usercodes and programs authorized to access the log files.
System utilities that extract log information all use the SDASUPPORT support library as their interface to the log files. Thus, a user cannot obtain more log information through LOGGER and LOGANALYZER than the SDASUPPORT support library permits.
When the logs are public files, the SDASUPPORT support library has no effect on user access. When the logs are private files, filtering requires no user action.
When a user requests access to the log file, the IGSDASUPPORT support library automatically filters the file and returns only those entries produced by that user. This procedure occurs regardless of whether the user has direct access to the log file.
A user who has direct access to the log file can instruct the IGSDASUPPORT support library to return all log entries by executing a LOG_SELECT procedure with the following argument values.
| Argument | Value |
|---|---|
| STYPE | 3 (USERCODE SET) |
| SBUFFER | EBCDIC null (48"00") |