MPE V/E Operating System Review

Following was contributed to AuditNet LLC by Rey LeClerc (rey@mass-usa.net).

General Description

The MPE V/E operating system is the operating system used in the HP 3000 environment. System security is provided by security features built into MPE V/E, by the way the system's account structure is organized, and by the roles the various types of users play. System security features fall into these six categories:

o identification of users - every user must have a unique logon identity by which that person is identified to the system.
o authentication of users - the system checks its directory for the existence of the user ID, then verifies the user's identity by checking the password.
o authorization of users - when users are created, account structure facilities are used to assign capability codes that define the level of access each user is permitted.
o user roles - a user's access to system resources and information is directly related to the user's role. In general, user roles fall into one of two categories: system administrators, who are responsible for system operations, and general users. Administrative and other privileges are expressed as capability codes; the codes that may be assigned are:
   SM  System Manager
   OP  System Supervisor
   AM  Account Manager
   AL  Account Librarian
   BA  Batch Access
   CS  Communications Software User
   DI  Diagnostician's Attribute
   DS  Extra Data Segment
   GL  Group Librarian
   IA  Interactive Access
   MR  Multiple RIN
   NA  Network Administrator
   NM  Node Manager
   ND  Nonsharable Device User
   UV  Private Volume User
   PM  Privileged Mode
   PH  Process Handling
   PS  Programmatic Sessions
   SF  Save User Files Permanently
   LG  Use Logging Facility
   CV  Volume Set Create
o controlling of access to system resources - the System Manager can set limits on the number of jobs or sessions that may run concurrently, protecting the system from inadvertent or deliberate attempts to degrade its performance.
o auditing system usage - when activated, the system logging facility maintains log records of system use.
The MPE V/E account structure organizes users and information in the system. The account structure is managed by the System Manager (SM capability) and by Account Managers (AM capability). SM and AM users use the account structure to create accounts, groups and users, assign users to accounts and groups, define user roles, and control user access to system resources. The system directory is the system's internal list of accounts, groups, users and files; it keeps track of their characteristics and their relationships.

Passwords are the key defense against unauthorized system access. The MPE V/E account structure provides for the assignment of passwords at the account, group and user level. User passwords prevent unauthorized access to the system. Account and group passwords protect files and special capabilities from other system users who are not members of the particular account and/or group. A password may also be left unassigned (not required) at any of these levels; this presents a security risk.

Another concern is embedded passwords, that is, typing the password as part of the logon line together with the user ID. The disadvantage is that the password is displayed on the screen as it is typed, so anyone watching the terminal can read it.

A User Defined Command (UDC) is a file that contains a set of commands that execute when the command name is invoked. A logon UDC is one that executes automatically whenever a user logs on. A logon UDC is used to limit a user's access to the system to a particular purpose.

An Access Control Definition (ACD) is a means of controlling user access to files and devices. It supersedes other forms of access protection (such as file access restrictions). An ACD consists of one or more pairs of a user name and a set of access modes, defining who has access to an object and what modes of access that user has to it. An ACD can also define the permission a user has to read and manipulate the ACD itself.
Access modes are:

o R     Read
o W     Write
o L     Lock
o A     Append
o X     Execute
o NONE  No access allowed
o RACD  Permission to read, list and copy the ACD

A file can be assigned a negative file code when it is created. A file so protected can be accessed only by a user or program that has Privileged Mode (PM capability). PM should be tightly controlled, since it permits access to all system capabilities and to files that are otherwise protected.

In addition, when a file is created, the system assigns it file security attributes. The attributes assigned depend on the account and group to which the file belongs. The attributes READ, APPEND, WRITE, LOCK and EXECUTE define the types of access a user may have to the file.

When initially configuring the system, the System Manager or System Supervisor can set a limit on the number of jobs and sessions that can run concurrently. Limiting the number of jobs and sessions prevents degradation of system performance due to excessive system loading, and it helps the System Operator track user activity, because less activity is easier to monitor.

Audit Program

1. Obtain a copy of the account structure (system directory). Review the account structure to ensure that passwords are required, have been assigned, and are not easily guessed. Ensure that embedded passwords are not used. Verify that user capabilities are in line with job responsibilities and that adequate segregation of duties is maintained.

2. Review the usage of logon UDCs. Ensure that they provide adequate restriction of general user access.

3. Ensure that ACDs are used to define adequate user access. Because an ACD supersedes the file security attributes, verify that ACDs do not override the access levels established in the account structure by granting more access than intended.

4. Ensure that PM capability has been assigned to system administrators only. Ensure that critical system files are protected by Privileged Mode (a negative file code).

5. Ensure that the logging facility has been activated and that its logs are reviewed on a regular basis.

6. Review the system configuration parameters. Particular attention should be paid to the limit on the number of concurrent sessions on the system. Ensure that it is adequate for the needs and monitoring capabilities of the location.

7. Conclude.
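The following is an added example, not part of the original audit program, showing how the checks in steps 1, 3 and 4 above can be run mechanically once the directory listing has been transcribed. It assumes a constructed CSV export of the system directory (user, account, whether a user password is set, and the capability list) and a constructed set of ACD strings in the (modes:user.account;...) form described above; neither is real LISTUSER or LISTF output. The ACD evaluation assumes that the most specific matching entry wins (user.account before @.account before @.@), and the policy thresholds (PM only with SM, OP or AM; SM only in the SYS account) are the author's assumptions, to be replaced with the site's own standards.

```python
import csv
import io
import re
from typing import Dict, List, Set, Tuple

# Constructed sample data (NOT real MPE LISTUSER output): one row per user in
# the directory, whether a user password is assigned, and granted capabilities.
USERS_CSV = """\
user,account,password_set,capabilities
MANAGER,SYS,yes,SM;AM;AL;GL;OP;DI;CV;UV;LG;NA;NM;PM;PH;DS;MR;ND;SF;BA;IA
OPERATOR,SYS,yes,OP;ND;SF;BA;IA
MGR,PAYROLL,yes,AM;AL;GL;PM;ND;SF;BA;IA
CLERK1,PAYROLL,no,ND;SF;BA;IA
DEV1,DEV,yes,PM;PH;DS;ND;SF;BA;IA
"""

# Constructed sample ACDs, written in the (modes:user.account;...) form.
FILE_ACDS = {
    "PAYMAST.DATA.PAYROLL": "(R,W,A:MGR.PAYROLL;R:@.PAYROLL;RACD:@.@)",
    "RATES.DATA.PAYROLL": "(R,W:@.@)",
    "CONFIG.PUB.SYS": "(R,W:MANAGER.SYS;NONE:@.@)",
}

ADMIN_CAPS = {"SM", "OP", "AM"}    # assumed definition of "system administrator"
SENSITIVE_MODES = {"W", "A", "L"}  # modes that let a user alter a file


def load_users(text: str) -> List[Dict[str, object]]:
    """Parse the constructed CSV export into user records."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "user": row["user"].upper(),
            "account": row["account"].upper(),
            "password_set": row["password_set"].strip().lower() == "yes",
            "caps": {c.strip().upper() for c in row["capabilities"].split(";") if c.strip()},
        })
    return rows


def audit_users(users: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Audit steps 1 and 4: missing passwords and misplaced PM/SM capability."""
    findings = []
    for u in users:
        name = f"{u['user']}.{u['account']}"
        if not u["password_set"]:
            findings.append((name, "no user password assigned"))
        if "PM" in u["caps"] and not (u["caps"] & ADMIN_CAPS):
            findings.append((name, "PM capability held by a non-administrator"))
        if "SM" in u["caps"] and u["account"] != "SYS":
            findings.append((name, "SM capability outside the SYS account"))
    return findings


def parse_acd(acd: str) -> List[Tuple[Set[str], str, str]]:
    """'(R,W:MGR.PAYROLL;R:@.PAYROLL)' -> [({'R','W'}, 'MGR', 'PAYROLL'), ...]"""
    match = re.fullmatch(r"\((.*)\)", acd.strip())
    if not match:
        raise ValueError(f"malformed ACD: {acd!r}")
    entries = []
    for pair in match.group(1).split(";"):
        modes, _, who = pair.partition(":")
        user, _, account = who.strip().partition(".")
        mode_set = {m.strip().upper() for m in modes.split(",") if m.strip()}
        entries.append((mode_set, user.strip().upper(), account.strip().upper()))
    return entries


def effective_access(acd: str, user: str, account: str) -> Set[str]:
    """Modes a user gets from an ACD; most specific entry wins (assumed precedence).
    No matching entry, or a matching NONE entry, means no access."""
    best, best_rank = None, -1
    for modes, u, a in parse_acd(acd):
        if u == user.upper() and a == account.upper():
            rank = 2
        elif u == "@" and a == account.upper():
            rank = 1
        elif u == "@" and a == "@":
            rank = 0
        else:
            continue
        if rank > best_rank:
            best, best_rank = modes, rank
    if best is None or "NONE" in best:
        return set()
    return set(best)


def audit_acds(acds: Dict[str, str]) -> List[Tuple[str, str]]:
    """Audit step 3: flag ACDs that let every user (@.@) modify a file."""
    findings = []
    for fname, acd in acds.items():
        for modes, u, a in parse_acd(acd):
            granted = modes & SENSITIVE_MODES
            if u == "@" and a == "@" and granted:
                findings.append((fname, f"ACD grants {','.join(sorted(granted))} to every user (@.@)"))
    return findings


if __name__ == "__main__":
    for finding in audit_users(load_users(USERS_CSV)) + audit_acds(FILE_ACDS):
        print("%-22s %s" % finding)
```

Run as is, the script reports the clerk with no password, the developer holding PM without an administrative capability, and the rates file whose ACD gives write access to everyone; a site would feed it a transcription of its own directory listing and ACDs.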