HP NonStop Server Security 2004
The HP TACL command language is the standard command interface to the Guardian operating system. TACL is also a high-level programming language capable of generating program components; TACL programs can be used as server processes to Pathway and GUI applications.
However, TACL is most commonly used for interactive work, while its built-in functions are used in TACL programs, also called macros. TACL is fundamental to initiating many of the programs and subsystems discussed in this book.
RISK TACL carries so many potential risks that this discussion is limited to its components and the basic risks associated with everyday TACL usage.
Each company should develop a security policy for TACL usage.
RISK Logged-on TACL sessions left running on unsecured terminals are at risk: they are an open door to an unauthorized user. Logged-on TACL sessions running as SUPER.SUPER put the system at extreme risk.
For a detailed explanation of the logging on process, please refer to Part Four, Granting Access to the HP NonStop server.
TACL reads four files (TACLINIT, TACLSEGF, TACLLOCL and TACLCSTM) before it issues its first prompt. This allows a customized TACL environment to be created before any command can be issued. All of these files contain text and valid TACL commands except TACLSEGF, which is a compiled segment file.
TACL Subsystem Components
The TACL Subsystem Components are:
TACL
TACLBASE
TACLCOLD
TACLCSTM
TACLINIT
TACLLOCL
TACLSEGF
CPRULES0
CPRULES1
Other TACL-Related Utilities
TACL Built-in commands
TACL Sessions
TACL Configuration
The following parameters can be bound to the TACL object file using BIND, depending on the Operating System version running on the HP NonStop server:
Parameter | Definition | Positive value | Negative value | Default | Risk
---|---|---|---|---|---
AUTOLOGOFFDELAY | Determines whether a TACL session is logged off automatically after a period of inactivity | Number of minutes of inactivity | -1 Never log off | 30 min | Sessions that remain open can be used by another user; accountability is lost.
BLINDLOGON | Whether the password can be included as part of the LOGON command (where it is displayed in the clear) | OK | 1 Not OK | 1 | If the password is displayed at logon, someone can read it.
CMONREQUIRED | $CMON must rule on all requests | 1 Required | Not required | | If $CMON is not running, or is running too slowly, this can cause a denial of service.
REMOTECMONREQUIRED | A remote $CMON must rule on all requests | 1 Required | Not required | | If the remote $CMON is not running, or is running too slowly, this can cause a denial of service.
LOGOFFSCREENCLEAR | Blanks the screen when the TACL session is logged off | 1 Blanks | Doesn't | 1 | Another user cannot review the old session.
NAMELOGON | Whether a user can log on using the user number | Yes | 1 No | 1 | Names are harder for an attacker to guess than numbers, because there is only a finite number of user numbers.
NOCHANGEUSER | Whether a user can log on from one user ID to another | Can | 1 Cannot | | Limited risk if passwords are enforced.
CMONTIMEOUT | Number of seconds to wait for a $CMON response | Seconds to wait | -1 Wait forever | -1 | Denial of service risk if waiting forever.
REMOTECMONTIMEOUT | Number of seconds to wait for a remote $CMON response | Seconds to wait | -1 Wait forever | -1 | Denial of service risk if waiting forever.
REMOTESUPERID | Whether remote SUPER access is allowed | No | -1 Yes | -1 | SUPER access on one system grants SUPER access on another.
STOPONFEMODEMERR | Whether the session ends when a modem error occurs | Stop | 1 Don't stop | | Prevents another user dialing up and picking up an old session.
BP-TACL-TACLCONF-01 AUTOLOGOFFDELAY should be 15 minutes or less.
BP-TACL-TACLCONF-02 BLINDLOGON should be set so that the password cannot be supplied as part of the LOGON command.
BP-TACL-TACLCONF-03 CMONREQUIRED should be set to 0.
BP-TACL-TACLCONF-04 REMOTECMONREQUIRED should be 0.
BP-TACL-TACLCONF-05 LOGOFFSCREENCLEAR should be 1.
BP-TACL-TACLCONF-06 NAMELOGON should be 1 to force a name logon only.
BP-TACL-TACLCONF-07 NOCHANGEUSER can be 0 to allow logon from another userid.
BP-TACL-TACLCONF-08 CMONTIMEOUT should be 30 seconds or less.
BP-TACL-TACLCONF-09 REMOTECMONTIMEOUT should be 30 seconds or less.
BP-TACL-TACLCONF-10 REMOTESUPERID may remain at -1 (remote SUPER.SUPER allowed) only if the SUPER.SUPER password is controlled; otherwise set it to 0.
BP-TACL-TACLCONF-11 STOPONFEMODEMERR should be 0.
RISK The TACL program resides in the $SYSTEM.SYSnn subvolume and is replaced upon each operating system upgrade. The bound parameters will not be retained.
BP-TACL-TACLCONF-12 The parameters must be bound after each operating system upgrade.
TACLBASE File
An edit file containing the same macros and routines as TACLSEGF. It must reside on the same subvolume as the TACL object file. The TACLBASE file is read by the install program and used as the source from which TACLSEGF is built.
RISK If TACLBASE and TACLSEGF are not present, TACL can operate, but will provide only built-in functions and variables.
TACLCOLD
A segment file that TACL uses when running as the Coldload Command-Interpreter. TACL creates this file or reuses it as a way of reducing the chance that the coldload TACL will fail due to lack of disk space at startup.
TACLCSTM Files
Please refer to the Gazette section on *CSTM Configuration Files.
TACLINIT File
Edit file that resides on the same subvolume as the TACL file and is executed whenever a new TACL is initiated.
TACLLOCL File
The TACLLOCL file is a global startup file that is executed during the logon of every user at a TACL. It is intended to configure the parts of the environment that should be uniform for all users.
RISK If the security of the TACLLOCL file permits a user other than the owner WRITE or PURGE access, that user could modify the file, or purge it and replace it with one of their own.
Caution If a macro is executed from within a TACLCSTM, the macro file must also be secured so that only authorized users can WRITE or PURGE it; otherwise someone could rename it and install another file under the same name, or simply insert commands that execute a Trojan horse program whenever the macro is invoked from the TACLCSTM file.
TACL Segment Files
Segment files are compiled macros that can be loaded into an extended memory segment. When a segment file is attached to a TACL, it is loaded into memory, giving TACL immediate access to the macros, routines, and other variables the segment contains.
Segment files provide efficient storage for commonly used macros and routines.
The Default TACL Segment File
When each TACL session is started, TACL creates a private segment file to hold the variables in the root (:) directory. This segment is called the 'default segment file'. Next, TACL creates the directory UTILS and attaches the segment file TACLSEGF to it for shared access.
The TACLSEGF contains directories for all HP products on the system that have TACL programs. Each TACL command is stored as a :UTILS:TACL: command.
User-Defined Segment Files
To create a segment file, load a library file into a segment. After the contents of the file are in the segment file, the ATTACHSEG and USE commands establish access to the variables in the segment.
CPRULES0 and CPRULES1
Files that define the character set in use by TACL. CPRULES0 is the default set.
Other TACL-Related Utilities
In addition to the preceding list of files, there are utility programs that assist TACL in performing certain operations. Each program is in a separate program file in $SYSTEM.SYSnn or $SYSTEM.SYSTEM. These programs:
Perform privileged operations, such as adding users or reloading processors
Must be licensed for use by nonprivileged users
Can run only on the local system
The utility programs [*] are:
ADDUSER
ALARMOFF
BUSCMD
COPYDUMP
DEFAULT
DELUSER
LIGHTS
PASSWORD
RCVDUMP
RELOAD
RPASSWRD
USERS
Built-in TACL Variables with Security Issues
The built-in TACL variables are:
#PMSEARCHLIST
#TACLSECURITY
#PMSEARCHLIST
A Search List is a list of subvolumes that the TACL software uses to find a program file when the program is invoked using a file name that is not fully qualified. By default $SYSTEM.SYSTEM is always searched first and $SYSTEM.SYSnn is searched second.
#PMSEARCHLIST is a built-in TACL variable that specifies the subvolumes to be searched for program and macro files and the order in which they are searched.
Programs and macros residing in the subvolumes included in #PMSEARCHLIST need not be fully qualified when they are invoked.
Example 1:

    19> fileinfo $system.sys*.fup
    $SYSTEM.SYS01
            CODE       EOF LAST MODIFIED    OWNER   RWEP   PExt  SExt
    FUP     100L   2772160 02JUL2002  4:12 255,255 NUNU    252    64
    20> fup
    File Utility Program - T6553G07 - (01AUG2002)
    System \MEXICO
    Copyright Tandem Computers Incorporated 1981, 1983, 1985-2001
    -

This example shows that because FUP resides in $SYSTEM.SYSnn (here $SYSTEM.SYS01), which is always in the search list, it can be invoked by simply typing FUP rather than $SYSTEM.SYS01.FUP.
In addition to specific subvolume names, the Search List can include the #DEFAULTS built-in TACL variable, which designates the user's current subvolume. However, including #DEFAULTS in the Search List can lead a user to accidentally execute a Trojan horse program, especially if #DEFAULTS appears before $SYSTEM.SYSTEM in the Search List. If #DEFAULTS must be used in the search list, put it after $SYSTEM.SYSTEM to ensure that users invoke only the distributed versions when they run trusted system programs such as FUP.
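The following Python script is an added illustration of the Trojan horse risk just described; it is not code from the book. It models how an unqualified program name is resolved through a search list, flags a list that places #DEFAULTS ahead of $SYSTEM.SYSTEM, and shows that with such a list a planted FUP in the user's default subvolume is what actually runs. The search lists, the $DATA.PROJECT subvolume and the file set are constructed, and the resolver is a simplification: real TACL first looks for a variable of that name (built-ins and attached directories) before searching subvolumes for a program file.

```python
"""Model TACL #PMSEARCHLIST resolution and flag unsafe ordering.
Added example, not from the book; all names below are constructed."""

TRUSTED_SUBVOL = "$SYSTEM.SYSTEM"   # must precede #DEFAULTS (see text)

# Constructed search lists: the weak one searches the user's current
# default subvolume first; the safe one follows the book's advice.
WEAK_LIST = "#DEFAULTS $SYSTEM.SYSTEM $SYSTEM.SYS01"
SAFE_LIST = "$SYSTEM.SYSTEM $SYSTEM.SYS01 #DEFAULTS"

# Constructed "disk": the distributed FUP in $SYSTEM.SYS01 and a
# look-alike planted in a shared project subvolume that a victim
# might have as their default subvolume.
SAMPLE_FILES = {
    "$SYSTEM.SYS01.FUP",
    "$SYSTEM.SYSTEM.TACL",   # hypothetical placement for the model
    "$DATA.PROJECT.FUP",     # the Trojan horse
    "$DATA.PROJECT.REPORT",
}


def parse_search_list(search_list):
    """Split a #PMSEARCHLIST value into its ordered, upper-cased entries."""
    return [entry.upper() for entry in search_list.split()]


def search_list_findings(search_list):
    """Return the problems a reviewer would flag in a search list."""
    entries = parse_search_list(search_list)
    findings = []
    if "#DEFAULTS" in entries:
        if TRUSTED_SUBVOL not in entries:
            findings.append("#DEFAULTS present but $SYSTEM.SYSTEM is not in the search list")
        elif entries.index("#DEFAULTS") < entries.index(TRUSTED_SUBVOL):
            findings.append("#DEFAULTS precedes $SYSTEM.SYSTEM: trusted programs can be shadowed")
    for entry in entries:
        if entry != "#DEFAULTS" and not entry.startswith("$"):
            findings.append(f"unrecognised search list entry {entry}")
    return findings


def resolve_program(name, search_list, default_subvol, files):
    """Return the file TACL would run for `name`.  A qualified name is
    used as-is; an unqualified one is tried in each search list entry in
    order, with #DEFAULTS standing for the user's current default
    subvolume.  Returns None when nothing matches."""
    name = name.upper()
    if "." in name:
        return name if name in files else None
    for entry in parse_search_list(search_list):
        subvol = default_subvol.upper() if entry == "#DEFAULTS" else entry
        candidate = f"{subvol}.{name}"
        if candidate in files:
            return candidate
    return None


if __name__ == "__main__":
    for label, search_list in (("weak", WEAK_LIST), ("safe", SAFE_LIST)):
        print(label, search_list, search_list_findings(search_list))
        print("  fup ->", resolve_program("fup", search_list, "$DATA.PROJECT", SAMPLE_FILES))
```

With the weak list a user whose default subvolume is $DATA.PROJECT runs $DATA.PROJECT.FUP when they type fup; with the safe list the same command resolves to $SYSTEM.SYS01.FUP and the planted file is never reached.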
RISK A potential breach of security exists if a TACL user can open another user's TACL process.
#TACLSECURITY
Returns a pair of characters, enclosed in quotes, that represent the current TACL security. The first character is the criterion that determines whether a process is allowed to open the TACL process's $RECEIVE for writing. The second character determines whether an opener with a qualifying name is allowed to transfer data to or from a #SERVER.
Example 2:

    13> #TACLSECURITY
    #TACLSECURITY expanded to: "NN"

The characters in the security string have the same meaning as in a Guardian file security string. In the example above, "NN" means that any user, local or remote, can open the TACL process in question.
AP-ADVICE-TACL-01 To limit access to TACL process, use the #TACLSECURITY built-in variable to set the current TACL security, which indicates who can open this TACL process.
AP-FILE-TACL-01 To secure the TACL process from $RECEIVE access, set the #TACLSECURITY to "UU".
TACL sessions
TACL sessions can be configured in many ways:
ASSIGNs
DEFINEs
PARAMs
Built-in Variables
See Securing Applications Chapter for more information on ASSIGNs, DEFINEs, and PARAMs.
See HP Documentation for more information about additional Built-ins and other TACL capabilities.
Securing TACL Components
BP-FILE-TACL-01 TACL should be secured "UUNU".
BP-OPSYS-OWNER-01 TACL should be owned by SUPER.SUPER.
BP-OPSYS-FILELOC-01 TACL must reside in $SYSTEM.SYSnn.
BP-FILE-TACL-02 TACLBASE should be secured "NUUU".
BP-OPSYS-OWNER-01 TACLBASE should be owned by SUPER.SUPER.
BP-OPSYS-FILELOC-01 TACLBASE must reside in $SYSTEM.SYSnn.
BP-FILE-TACL-03 TACLCOLD should be secured "NUUU".
BP-OPSYS-OWNER-01 TACLCOLD should be owned by SUPER.SUPER.
BP-OPSYS-FILELOC-01 TACLCOLD must reside in $SYSTEM.SYSnn.
BP-FILE-TACL-04 TACLINIT should be secured "NUUU".
BP-OPSYS-OWNER-01 TACLINIT should be owned by SUPER.SUPER.
BP-OPSYS-FILELOC-01 TACLINIT must reside in $SYSTEM.SYSnn.
BP-FILE-TACL-05 TACLLOCL should be secured "NUUU".
BP-OPSYS-OWNER-02 TACLLOCL should be owned by SUPER.SUPER.
BP-OPSYS-FILELOC-02 TACLLOCL must reside in $SYSTEM.SYSTEM.
BP-FILE-TACL-06 TACLSEGF should be secured "NUUU".
BP-OPSYS-OWNER-01 TACLSEGF should be owned by SUPER.SUPER.
BP-OPSYS-FILELOC-01 TACLSEGF must reside in $SYSTEM.SYSnn.
BP-FILE-TACL-07 CPRULES0 should be secured "NUUU".
BP-OPSYS-OWNER-01 CPRULES0 should be owned by SUPER.SUPER.
BP-OPSYS-FILELOC-01 CPRULES0 must reside in $SYSTEM.SYSnn.
BP-FILE-TACL-08 CPRULES1 should be secured "NUUU".
BP-OPSYS-OWNER-01 CPRULES1 should be owned by SUPER.SUPER.
BP-OPSYS-FILELOC-01 CPRULES1 must reside in $SYSTEM.SYSnn.
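The following Python script is an added audit helper, not code from the book, that checks a FILEINFO listing of the TACL component files against the BP-FILE-TACL, BP-OPSYS-OWNER and BP-OPSYS-FILELOC rules above (owner SUPER.SUPER, the required RWEP string, and the required subvolume). The sample listing is constructed to mimic the FILEINFO layout shown in Example 1 and deliberately contains two deviations so the audit has something to report; in practice you would feed it the captured output of FILEINFO $SYSTEM.SYS*.* and FILEINFO $SYSTEM.SYSTEM.*.

```python
"""Audit FILEINFO output for the TACL component files.
Added example, not from the book; SAMPLE_FILEINFO is constructed."""
import re

SUPER_SUPER = "255,255"
SYSNN = re.compile(r"^\$SYSTEM\.SYS\d\d$")

# file name -> (required location, required Guardian security string)
EXPECTED = {
    "TACL":     ("$SYSTEM.SYSnn", "UUNU"),
    "TACLBASE": ("$SYSTEM.SYSnn", "NUUU"),
    "TACLCOLD": ("$SYSTEM.SYSnn", "NUUU"),
    "TACLINIT": ("$SYSTEM.SYSnn", "NUUU"),
    "TACLSEGF": ("$SYSTEM.SYSnn", "NUUU"),
    "CPRULES0": ("$SYSTEM.SYSnn", "NUUU"),
    "CPRULES1": ("$SYSTEM.SYSnn", "NUUU"),
    "TACLLOCL": ("$SYSTEM.SYSTEM", "NUUU"),
}

# Constructed sample in the FILEINFO layout of Example 1.  Deviations:
# CPRULES0 is secured NNNN, and TACLLOCL is owned by 100,12 and NUNU.
SAMPLE_FILEINFO = """\
$SYSTEM.SYS01
          CODE       EOF LAST MODIFIED    OWNER   RWEP   PExt  SExt
TACL       100L   2772160 02JUL2002  4:12 255,255 UUNU    252    64
TACLBASE   101     131072 02JUL2002  4:12 255,255 NUUU      4    28
TACLCOLD   440     262144 02JUL2002  4:12 255,255 NUUU     64    64
TACLINIT   101       2048 02JUL2002  4:12 255,255 NUUU      2     2
TACLSEGF   440    1179648 02JUL2002  4:12 255,255 NUUU     64    64
CPRULES0   180       4096 02JUL2002  4:12 255,255 NNNN      2     2
CPRULES1   180       4096 02JUL2002  4:12 255,255 NUUU      2     2
$SYSTEM.SYSTEM
          CODE       EOF LAST MODIFIED    OWNER   RWEP   PExt  SExt
TACLLOCL   101        300 14MAR2003 10:05  100,12 NUNU      2     2
"""


def parse_fileinfo(text):
    """Yield (subvolume, name, owner, rwep) for each file line.  A line
    starting with '$' names the subvolume for the lines that follow; the
    column-heading line (the one containing 'RWEP') is skipped.  Fields
    are taken from the right so the date/time split does not matter."""
    subvol = ""
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0].startswith("$"):
            subvol = parts[0].upper()
            continue
        if "RWEP" in parts or len(parts) < 7:
            continue
        # name code eof date time owner rwep pext sext
        yield subvol, parts[0].upper(), parts[-4], parts[-3].upper()


def audit_tacl_files(text):
    """Return sorted finding strings; an empty list means compliant."""
    findings, seen = [], set()
    for subvol, name, owner, rwep in parse_fileinfo(text):
        if name not in EXPECTED:
            continue
        seen.add(name)
        where, want = EXPECTED[name]
        in_place = bool(SYSNN.match(subvol)) if where == "$SYSTEM.SYSnn" else subvol == where
        if not in_place:
            findings.append(f"{name}: found in {subvol}, must reside in {where}")
        if owner != SUPER_SUPER:
            findings.append(f"{name}: owned by {owner}, should be SUPER.SUPER ({SUPER_SUPER})")
        if rwep != want:
            findings.append(f"{name}: secured {rwep}, should be {want}")
    for name in EXPECTED:
        if name not in seen:
            findings.append(f"{name}: not present in the FILEINFO output")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_tacl_files(SAMPLE_FILEINFO) or ["all TACL component files compliant"]:
        print(finding)
```

Files that are missing from the listing are reported as findings rather than ignored, since an absent TACLBASE or TACLSEGF is itself a condition the RISK notes above call out.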
If a third party access control product is used to grant selected users access to TACL, only the commands listed should be granted to general users. All other commands should be restricted.
3P-ACCESS-TACL-01 Use a third party access control product to allow only the users who are responsible for doing so to run TACL commands and functions as SUPER.SUPER.
3P-ACCESS-TACL-02 Use a third party access control product to give the use of certain TACL commands and functions to a limited group of users only.
If available, use Safeguard software or a third party product to grant access to the TACL object file only to users who require it in order to perform their jobs.
BP-SAFE-TACL-01 Add a Safeguard Protection Record to grant appropriate access to the TACL object file.
 | Discovery Questions | Look here:
---|---|---
OPSYS-OWNER-01 | Who owns the TACL object file? | Fileinfo |
OPSYS-OWNER-01 | Who owns the TACLBASE file? | Fileinfo |
OPSYS-OWNER-01 | Who owns the TACLCOLD file? | Fileinfo |
OPSYS-OWNER-01 | Who owns the TACLINIT file? | Fileinfo |
OPSYS-OWNER-01 | Who owns the TACLSEGF file? | Fileinfo |
OPSYS-OWNER-01 | Who owns the CPRULES0 file? | Fileinfo |
OPSYS-OWNER-01 | Who owns the CPRULES1 file? | Fileinfo |
OPSYS-OWNER-02 | Who owns the TACLLOCL file? | Fileinfo |
FILE-POLICY | What is the security policy concerning TACL? | Policy |
FILE-TACL-01 SAFE-TACL-01 | Is the TACL object file correctly secured with the Guardian or Safeguard system? | Fileinfo Safecom |
FILE-TACL-02 | Is the TACLBASE file secured correctly? | Fileinfo |
FILE-TACL-03 | Is the TACLCOLD file secured correctly? | Fileinfo |
FILE-TACL-04 | Is the TACLINIT file secured correctly? | Fileinfo |
FILE-TACL-05 | Is the TACLLOCL file secured correctly? | Fileinfo |
FILE-TACL-06 | Is the TACLSEGF file secured correctly? | Fileinfo |
FILE-TACL-07 | Is the CPRULES0 file secured correctly? | Fileinfo |
FILE-TACL-08 | Is the CPRULES1 file secured correctly? | Fileinfo |
Related Topics
Operating System
TACL Tools
[*] These utility programs are discussed separately, in other sections of the Gazette.