Since HP 3000s work as mission-critical servers, the systems must weather IT and regulatory audits. The 3000 is capable of passing, of course, even in the era of HIPAA and SOX challenges, which are sterner than audits of the past.
But establishing a database update procedure can lead to a gap in the security of an MPE/iX system. A discussion this week on the HP 3000 newsgroup identified the problem and searched for a solution. Many HP 3000 managers must take a hard look at how their users employ System Manager (SM) privileges. In the strictest accounting, SM privileges can expose a database.
Privileges can become a neglected aspect of 3000 operations, especially if the system's admin experts have moved on to other companies or duties. Mike Hornsby of Beechglen explained that SM users whom his support company serves have disturbed the integrity of 3000 databases. It's easy to do accidentally. The SM user can also update a 3000 database — a capability that can run afoul of some audits.
The database's security might be compromised through SM privileges, Hornsby explained, but it depends on the meaning of "update."
This term can be construed to be as restrictive as using DBUPDATE to change an entry. It can also refer to UPDATE access DBOPEN MODE 2. Very rarely seen. To get very specific, update can mean that the modify date [has been] changed in the file label of one or more IMAGE-related files. To get very general, of course an SM user can ‘update’ the database via a restore from tape.
Auditors sometimes ask broad questions, the sort of inquiry that fits better with the everyday use of HP 3000s in an enterprise. But for an expert like Hornsby — who wrote The TurboIMAGE Handbook — update means any kind of modification capability.
So you can answer "no, SM doesn't permit a user to update a database in another 3000 account." This answer is truthful to the extent that an auditor's concern is changing data, it appears, not just making a minor date change or using DBOPEN MODE 2. Auditors without 3000 expertise, well, they might not go this far in their examinations.
As for the SM user's ability to muck up an IMAGE database, Hornsby said this mistake is not difficult to make.
As we have unfortunately seen, it is not uncommon for an SM user [who has obtained a database password] to corrupt an IMAGE database using the restore command ("Oops, I thought I was signed onto the test account.")