Discovery Questions Look here:
OPSYS-OWNER-03 Is CMON owned by the CMON administrator? Fileinfo
FILE-CMON-01 Is the CMON object file secured correctly? Fileinfo
Related Topics
User Administration
Safeguard subsystem
TACL
Compilers
Compilers generate object (executable) files from source code files. There are several
utilities, libraries and objects used by compilers:
Compiler Languages:
C/C++
COBOL85
FORTRAN
NMC/NMCPLUS
NMCOBOL
Pascal
PTAL
SCOBOL
SQL*
TACL*
TAL
Utilities:
AXCEL*
BINDER*
CROSSREF*
Objects:
System libraries
Part 6
Compilers 215
Common run-time libraries
User libraries
The programs and utilities marked with an asterisk (*) are not covered in this sec-
tion. Please refer to the appropriate Gazette section.
Compilers and their related utilities are resources whose security varies depending
on the Corporate Security Policy concerning compilation on secure systems. Many
sites control compilations by enforcing that all compilation be performed on a devel-
opment system. Application change control policy governs the method and security to
update the secure application.
Some sites do not use certain languages, but all sites use at least one language com-
piler for the secure application. Language compilation controls are a fundamental
method that companies can use to control their application.
RISK Compilers can be destructive because code can be inserted or deleted to
circumvent previously implemented controls.
RISK Language compilers might be used to develop test or hacking programs
to access sensitive data.
AP-ADVICE-COMPS-01 On secure systems, languages that are not in active
use should be secured from use and other language compilers should be accessi-
ble only to necessary personnel.
On secure systems, only members of the group (if any) responsible for compiling
programs on the secure system should have access to secure object files.
AP-ADVICE-COMPS-02 To protect applications from inadvertent or mali-
cious changes or outages, compilers and related utilities should be absent or very
tightly locked down on secure systems.
AP-ADVICE-COMPS-03 On secure systems, compilers should not be acces-
sible to prevent unauthorized access to secure data.
On development systems, members of the development group responsible for
compiling programs should have access according to need.
AP-ADVICE-COMPS-04 Compilers and their associated files should be
accessible to the groups needing access.
Securing Compiler Components
C/C++
Access to the C language components is required for compilation. Securing the com-
piler object file controls the use of the language.
216 Compilers
C Compiler Components:
C
CEXTDECS
CFRONT
CPREP
STD* C libraries starting with STD
BP-FILE-C-01 C should be secured “UUNU”.
BP-OPSYS-OWNER-02 C should be owned by SUPER.SUPER.
BP-OPSYS-FILELOC-02 C must reside in $SYSTEM.SYSTEM.
BP-FILE-C-02 CFRONT should be secured “UUNU”.
BP-OPSYS-OWNER-02 CFRONT should be owned by SUPER.SUPER.
BP-OPSYS-FILELOC-02 CFRONT must reside in $SYSTEM.SYSTEM.
BP-FILE-C-03 CPREP should be secured “UUNU”.
BP-OPSYS-OWNER-02 CPREP should be owned by SUPER.SUPER.
BP-OPSYS-FILELOC-02 CPREP must reside in $SYSTEM.SYSTEM.
BP-FILE-C-04 C libraries should be secured “NUNU”.
If available, use Safeguard software or a third party object security product to grant
access to C object files only to users who require access in order to perform their jobs.
BP-SAFE-C-01 Add a Safeguard Protection Record to grant appropriate
access to the C object file.
Discovery Questions Look here:
OPSYS-OWNER-02 Who owns the C object file and associated
libraries?
Fileinfo
OPSYS-OWNER-02 Who owns the CFRONT object file? Fileinfo
OPSYS-OWNER-02 Who owns the CPREP object file? Fileinfo
FILE-POLICY Who is allowed to use the C compiler on the
system?
Policy
FILE-POLICY Who is allowed to use the CPREP compiler on
the system?
Policy
FILE-C-01
SAFE-C-01
Is the C object file correctly secured with the
Guardian or Safeguard system?
Fileinfo
Safecom
Part 6
Compilers 217
Discovery Questions Look here:
FILE-C-02 Is the CFRONT object file secured correctly? Fileinfo
FILE-C-03 Is the CPREP object file secured correctly? Fileinfo
FILE-C-04 Are the C libraries secured correctly? Fileinfo
COBOL85
Access to the COBOL85 language components is required for compilation. Securing
the compiler object file controls the use of the language.
COBOL85 Compiler Components:
COBOL85
COBOLEX0
COBOLEX1
COBOLEXT
COBOLFE
COBOLLIB
CLULIB
CBL85UTL
CBLIBEXT
BP-FILE-COBOL-01 COBOL85 should be secured “UUNU”.
BP-OPSYS-OWNER-02 COBOL85 should be owned by SUPER.SUPER.
BP-OPSYS-FILELOC-02 COBOL85 must reside in $SYSTEM.SYSTEM.
BP-FILE-COBOL-02 COBOL85 libraries should be secured “NUNU”.
If available, use Safeguard software or a third party object security product to grant
access to COBOL85 object files only to users who require access in order to perform
their jobs.
BP-SAFE-COBOL-01 Add a Safeguard Protection Record to grant appropri-
ate access to the COBOL85 object file.
Discovery Questions Look here:
OPSYS-OWNER-02 Who owns the COBOL85 object file? Fileinfo
FILE-POLICY Who is allowed to use the COBOL85 compiler
on the system?
Policy
218 Compilers

Get HP NonStop Server Security now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.