Safety Review of a NonStop Data Center


Published on

Lessons learned from a safety review last year are combined with some new ideas on how to protect NonStop applications against malware and spyware - presented at the International GTUG/Connect Conference April 2014

Published in: Technology
1 Like
No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Safety Review of a NonStop Data Center

  1. 1. Safety Review of a NonStop Data Center by Peter Haase
  2. 2. Summary  Lessons learned from a safety review last year are combined with some new ideas on how to protect NonStop applications against malware and spyware.
  3. 3. “Safety Review of a NonStop Data Center”  „NonStop Data Center“  „Review“  „Safety“  Review Procedure  Review Checklist  Audit Trail Analysis  Risk: Denial of Service  Risk: Malware  Risk: Spyware  References
  4. 4. NonStop Data Center  Unit with several NonStop Systems  Guardian, Pathway, TMF, Enscribe, SQL/MP  Operated by an infrastructue-as-a-service supplier
  5. 5. Review  Part of an Audit on a banking application  Control of outsourced data processing  8 Items to control according to German Law  Access control on building and rooms  Access control on hardware and operating system  Access rights  Data transmission and transport  Data entry  Contractor  Availability  Data Separation
  6. 6. Safety  Availability  NonStop and RDF  Replication tools for non-audited files  Emergency planning  The Denial-of-Service problem  Integrity  TMF and audited files  Audit trail analysis  Confidentiality  Guardian Security and SAFEGUARD  SECOM ID mapping and command level security  Protection against Malware and Spyware
  7. 7. Review Procedures  Project Management  Before Start of Review  Guidelines for Documentation  Tools for Checking and Auditing  Checklists and Standards  Start of Review  Charts of involved organisations  Available Documentation  Past issues / Special risks  Review  Design  Operation
  8. 8. Review Checklists Availability Integrity Confidentiality Emergency Planning Inventory HW, SW, Subsystems, Data files SW version, Data Dictionary PROGID, LICENSE, system interfaces Planning Monitoring HW, SW, critical events Audited DB, Audit Trail Analysis, Runtime Lib, ENSCRIBE data Session log, 4-eyes, SAFEGUARD audit, SECOM log Tests and Training Control Performance and Tuning, DoS Risk System and subsystem configuration, Malware Risk Deleted data files, Backup data, Users: super.* and *.super, Spyware Risk Confidential data
  9. 9. Audit Trail Analysis  Find Long-running transactions  Find transactions that have damaged a database  Locate specific data field/column changes  Detect bugs in applications  Search for unauthorized transactions
  10. 10. Risk: Denial of Service  Compiler, Binder, Debugger on Production System  TAL examples:  corrupting a cpu  ?Source $system.system.extdecs0 (alter_priority_) Proc Test Main; Begin While 1 do begin alter_priority_(199); End;  corrupting a volume  ?Source $system.system.extdecs0 (file_create_) Proc Test Main; Begin String .system[0:35] := „$system“; Int Len := 7; While 1 do begin file_Create_(SYSTEM:36,Len); End  But, same effects possible by TACL programming
  11. 11. Risk: Malware  Security for files belonging to functional user  Data and program files  Especially: *CSTM and *LOCL and *CTL files  Default: no echo from FUP  Command „Password“ in TACLCSTM deletes current password  User and security setting for PATHWAY Management  SET PATHWAY OWNER <group>, <user>  SET PATHWAY SECURITY “<O or U>"
  12. 12. Risk: Spyware  LINKMON server class access security SET SERVER OWNER <group>, <user> SET SERVER SECURITY “<O or U>"  But, access to server processes is still possible.  Default: Any process can open a process and send a message.  Possible Solutions  Adding logic to server program for checking requestors  SAFEGUARD ACLs on the process name  SAFEGUARD active and tool PS-Shell
  13. 13. References  Product CS-TP-SPY (Audit Trail Analysis) of CS-Software Gmbh Dr. Werner Alexi Schiersteiner Straße 31, 65187 Wiesbaden, Germany E-Mail:  Ideas and Tools of GreenHouse Software & Consulting Ingenieurbuero Karl-Heinz Weber Heinrichstrasse 12, 45711 Datteln-Horneburg, Germany E-Mail:  My list of 117 Greenhouse Tools as a give-away
  14. 14. Peter Haase  Peter Haase Programmer, Trainer, Consultant for HP NonStop since 1981  D-56820 Mesenich/Moselle , Kirchstr. 12  +49-2673-98600  +49-171-8442242  