The RESTORE user program copies files from a tape created by BACKUP to disk and
displays tape file information. This utility is essential after a disk failure or human error
causes disk data to be lost.
AP-RESTORE-POLICY-01 The Corporate Security Policy and Standards
should detail procedures for securing and tracking tapes in a tape library.
RISK The security of BACKUP tapes is always based on physical possession of
the tape.
AP-RESTORE-POLICY-02 Each organization must have procedures to control
access to BACKUP tapes that contain confidential information.
RISK If the RESTORE program is accessible to general users, files containing
sensitive data could be retrieved from a tape and restored under their userid.
AP-RESTORE-POLICY-03 Since tapes can contain sensitive data, protection
of the tapes and the utilities that can read or copy the data is a security risk.
RISK RESTORE is a privileged program and must be licensed to be runnable.
Only SUPER.SUPER can run the program if it isn’t licensed.
The RESTORE utility has three modes of operation:
File Mode
Listonly Mode
Volume Mode
File Mode
In File Mode, RESTORE copies individual files to disk from a tape created by
file-mode BACKUP.
RISK This mode selectively restores files to the disk. Files can be redirected to
new locations, and the MYID option secures the new files as the userid
running RESTORE. Files restored under that userid’s security could make
sensitive data accessible to unauthorized users.
Listonly Mode
In LISTONLY mode, RESTORE displays information about the files on a backup
tape without restoring the files to disk.
RISK This mode has no risk to the data on the tape or files on the system.
Volume Mode
In Volume Mode, RESTORE re-creates an entire disk volume from a tape that was
created by a Volume Mode BACKUP. Only SUPER.SUPER can initiate a Volume
AP-RESTORE-POLICY-03 This mode is usually performed for disaster
recovery only. Only SUPER.SUPER can perform a volume mode restore.
How RESTORE Interacts With NonStop TMF Software
TMF has its own recovery mechanisms for audited files. However, BACKUP and
RESTORE might be used to:
Transport audited files to another system
Archive files and retrieve files that are used infrequently
Keep old versions of files
How RESTORE treats audited files depends on whether or not NonStop TMF
software was running when the BACKUP was made and when the RESTORE is
performed. It also depends on whether or not the file being restored was an audited file
and whether or not the file existed before the RESTORE.
RESTORE Command Used | Conditions | What RESTORE Does
No AUDITED option | | Audited file is skipped.
AUDITED | NonStop TMF software running | File is restored as an audited file.
AUDITED | NonStop TMF software not running | If file with same name already exists, RESTORE issues Purge Error 82. Otherwise, the file is restored non-audited, and RESTORE issues a warning message.
AUDITED and TURNOFFAUDIT | File does not already exist | File is restored non-audited.
AUDITED and TURNOFFAUDIT | File exists but is not audited | File is restored non-audited.
AUDITED and TURNOFFAUDIT | File exists and is audited | If NonStop TMF software is running, the file is restored non-audited. Otherwise, RESTORE issues Purge Error 82 and does not restore the file.
Securing RESTORE
RESTORE Commands With Security Implications
This list includes only the RESTORE commands that pose security risks.
RISK If the KEEP option is omitted, and the file on the disk has the same
name as the file being restored, the disk file is purged during the RESTORE
processing and replaced. For this to happen, the userid running the RESTORE must
have purge authority to the file.
RISK The MYID option sets the ownerid of all of the files that are being
restored to that of the userid who is running RESTORE. As each file is restored,
it is given the default security of the current user. Applications and operating
system utilities may stop functioning because of the change of ownership, and
Protection Records in Safeguard software may grant or deny access based upon the
new ownership.
RISK If the NOSAFEGUARD option is used, files with Safeguard security
information are restored but do not retain Safeguard protection. If the option is
omitted, the files retain Safeguard protection.
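The option risks above can be checked mechanically when RESTORE command lines are reviewed, for example from an operations log. The following is an added example, not part of the original text or of any HP tool; it assumes the command text is laid out as tape device, file set, then comma-separated options, and the sample command lines are constructed.

```python
import re

# Options this section names as security-relevant, with the risk stated for each.
RISKY = {
    "MYID": "restored files become owned by the userid running RESTORE",
    "NOSAFEGUARD": "files are restored without their Safeguard protection",
    "TURNOFFAUDIT": "audited files are restored non-audited",
}

def split_options(text):
    """Split on commas that are not inside parentheses (file-set lists)."""
    parts, depth, cur = [], 0, ""
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    parts.append(cur.strip())
    return [p for p in parts if p]

def review_restore(command):
    """Return the list of findings for one RESTORE command line."""
    # Drop the program name and any /run-options/ that follow it.
    body = re.sub(r"^\s*RESTORE\s*(/[^/]*/)?", "", command, flags=re.I)
    # Assumed layout: tape device, file set, then the options.
    options = {p.split()[0].upper() for p in split_options(body)[2:]}
    if "LISTONLY" in options:
        return []  # the section rates LISTONLY as no risk: nothing is written to disk
    findings = [f"{o}: {RISKY[o]}" for o in sorted(options & set(RISKY))]
    if "KEEP" not in options:
        findings.append("KEEP omitted: same-named disk files are purged and replaced")
    return findings

# Constructed sample command lines (not taken from a real system).
SAMPLES = [
    "RESTORE /OUT $S.#RST/ $TAPE, $DATA.PAYROLL.*, LISTONLY",
    "RESTORE $TAPE, ($DATA.APP.*, $DATA.CFG.*), MYID, NOSAFEGUARD",
    "RESTORE $TAPE, $DATA.APP.*, KEEP, AUDITED",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(cmd, "->", review_restore(cmd) or "no findings")
```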
If a third party access control product is used to grant selected users access to
RESTORE running as a privileged userid such as SUPER.SUPER or
SUPER.OPERATOR, the sensitive commands should only be granted to the
appropriate users and denied to all others.
BP-FILE-RESTORE-01 RESTORE should be secured “UUNU”.
