HP NonStop Basics

Overview

Since 1976, HP NonStop (Originally introduced by Tandem Computers Inc. before being owned by Compaq and finally HP) has been a widely used integrated hardware/software stack to support critical services such as Automated Teller Machines (ATMs), stock exchanges and the airline industry. The HP NonStop system is a highly fault-tolerant and highly scalable process-oriented hardware platform used mainly to support and sustain very large amounts of transactions. It is different from IBM Z-Series mainframe systems, which are batch oriented.

Process orientated systems rely on jobs that are started manually and there is no concept of a queue. Batch orientated systems rely on batch jobs, a suite of instructions that are scheduled and executed automatically from a queue.

During a recent assessment, it became apparent that the level of knowledge on HP NonStop systems is relatively low and that they are quite different to more familiar OS’s such as Windows and Linux/Unix. This means that the first few days of testing are usually spent just trying to learn about the system using online resources that are scarce. We thought a research blog post on the fundamentals of HP NonStop systems would reduce the initial time taken to gain a familiarity with the system and increase the amount of time that can be utilised for testing.

The Operating System (OS) includes the Guardian interface and the Open System Services (OSS) subsystem, which provides a UNIX-like interface.

Security services within an HP NonStop server are provided by two environments: Guardian and Safeguard. Guardian is a part of the HP NonStop OS, while Safeguard is an optional software component that requires separate installation. Guardian security is supplemented by Safeguard as the latter extends the OS’s security features by adding auditing and extended authentication and authorisation capabilities.

Applications can be deployed in one or both of the two HP NonStop OS’s environments: Guardian or OSS. Some of the security features from Guardian and Safeguard apply to the OSS environment. Safeguard can be configured to let users log in to the OSS environment directly without going through Guardian authentication. Safeguard must be used to manage users and groups within the OSS.

Additional third-party software can be used to extend the capabilities of Safeguard. XYGATE is a suite of programs that can be used for this purpose. XYGATE software provides the option of setting stronger password and auditing policies. A combination of XYGATE Pro and CyberArk is commonly used with HP NonStop servers. CyberArk is essentially an external password vault. CyberArk can be used to store the credentials of the administrative accounts for the HP NonStop systems, only being released when requested by the company. Once credentials are released they are kept open for the requested time limit. After the requested time, the password for the credentials change and any active administrative session gets terminated.

A 6530 terminal emulator can be used to connect to HP NonStop systems. Common 6530 terminal emulators are HP TeemTalk (free) and Reflection (3rd party paid software). TeemTalk does not support encrypted communication, so a 3rd party tool called SecureCS is often used to encrypt the communication when using TeemTalk.

Common languages for HP NonStop are COBOL, TACL (Tandem Advanced Command Language) and TAL (Transaction Application Language):

TACL can be used in a similar fashion to a bash shell in a UNIX environment;
TAL is used as a procedural language for scripting and programming, similar to bash scripts.
COBOL is a programming language that is commonly utilised within HP NonStop and IBM Z-Series systems for large-scale batch and transaction processing jobs.

Users and Group Management

Each Guardian user has a unique username and user ID, which are formatted as follows:

Username: group-name.member-name
User ID: group-number,member-number (from 0-255)

Groups are used to bundle user IDs into clusters of users with similar privilege levels. This simplifies access management and enables the use of access control lists (ACLs), which can be configured to grant or deny access to a specific group. A particular difference between HP NonStop and other OS’s is that a user ID can be a member of only one group. This creates situations where end users have to use several user IDs to undertake their work.

The following are special user IDs used across HP NonStop in the context of access management:

Group manager with user ID n,255 (where n is an integer from 1-255 indicating the number of the group) has additional privileges over the group membership and has the ability to add and remove users from the group.
User ID 255,n is called the super group user and has special privileges, for instance, to administer volumes, diskfiles and peripheral devices.
The group manager of the super group (user ID 255,255) is called SUPER.SUPER. This is the most privileged user on the platform and is equivalent to root for UNIX systems. SUPER.SUPER has unrestricted access to the entire HP NonStop environment. The SUPER.SUPER account is often kept in the password vault (commonly CyberArk) and is only accessible in emergencies.
Security Administrators (user ID 250,254) and operators (user ID 255,254) can be used to manage the security features of HP NonStop.
The NULL.NULL (user ID 0,0) is active during the OS installation. Usually the NULL.NULL user ID is either frozen or removed as part of the system security configuration.

Aliases are secondary user IDs that inherit the full set of privileges from the underlying user ID. All accounts can have aliases and this is used to improve accountability for access when several individuals need to use a particular user ID. To enforce accountability, the powerful generic account can be frozen with only aliases allowed to use its privileges in an accountable manner. When logging on using an alias, there is no need to type the group membership. By writing the alias, the system recognises the underlying user ID.

File Structure and Guardian File Security

HP NonStop systems use a flat file structure. The file structure is:

$volume - Equivalent to the drive in windows systems (C:, D:\ etc)
Subvolume - Equivalent to a folder in windows systems
Diskfile - Equivalent to files
$VOLUME.SUBVOLUME.DISKFILE - An example of a file structure

Note: It is not possible to have nested subvolumes (i.e. A subvolume inside an already existing subvolume).

Under Guardian, every file has an owner and a file security string:

R - Read the file
W - Write to the file
E - Execute the file
P - Purge the file

Each security string can be associated to a type of user, such as user (O/U), group (G/C), any level (A/N) and SUPER.SUPER only (-).

Access Control

Access to data and objects (e.g. volumes, devices, processes, terminals) is controlled using ACLs. These are used by the HP NonStop OS to determine whether a user ID can be granted access to a particular diskfile. The system checks whether the user ID or group has been included in the relevant ACL and then grants or denies access accordingly.

The access options available for ACLs are read, write, execute, purge, create, deny and own (R,W,E,P,C,D,O). These letters representing these privileges are in front of the user ID or group linked to the object (volume, subvolume and diskfile). Each object can have an allocated ACL, and user IDs can be added into groups to simplify access management.

The SUPER.SUPER user ID should be specifically denied access to customer files as the customer files can inherit access if this is not done.

Useful Commands for Audits

SYSINFO - Gets the system information and software release version.
SAFECOM; INFO SAFEGUARD, DETAIL - Gives an overview of the login, password and audit policies.
SAFECOM; INFO VOLUME $* - This command displays all of the volumes and their respective ACL configurations.
SAFECOM; INFO SUBVOL $. - This command displays all of the subvolumes and their respective ACL configurations.
SAFECOM; INFO DISKFILE $..* - This command displays all of the diskfiles and their respective ACL configurations.
SAFECOM; INFO USER . - This command displays all of the users. It provides their user IDs, owners, last login dates and account status.
SAFECOM; INFO ALIAS * - This command displays all of the aliases for the users.

Particular settings to look for in the output are as follows:

AUTHENTICATE-FAIL-FREEZE = ON. This should be set to OFF. This causes the account to be locked out after the AUTHENTICATE-MAXIMUM-ATTEMPTS value is reached. If this setting is enabled, then a user could maliciously lock out all of the accounts by entering an incorrect password. This could lead to a DoS where no one has access to manage the system until the accounts are reset, which requires change requests and would take time.
PASSWORD-ENCRYPT = OFF. This should be set to ON.Passwords stored on the system should be encrypted with an algorithm that is strong and current.
PASSWORD-MAXIMUM-LENGTH = 8. The maximum password length appears to be an area of contention in the documentation for HP NonStop. Most found documentation states that the maximum is 8 characters. However, most of the documentation is from 2003/2004. The more recent resources suggest that the HP NonStop OS now natively supports 64 character passwords. If the maximum length is set to 8 then this should be reviewed and changed.
PASSWORD-UPPERCASE-REQUIRED = OFF. This setting should be enabled to enforce password complexity.
PASSWORD-LOWERCASE-REQUIRED = OFF. This setting should be enabled to enforce password complexity.
PASSWORD-NUMERIC-REQUIRED = OFF. This setting should be enabled to enforce password complexity.
PASSWORD-SPECIALCHAR-REQUIRED = OFF. This setting should be enabled to enforce password complexity.
PASSWORD-SPACES-ALLOWED = OFF. This setting should be enabled to enforce password complexity.
AUDIT… = NONE. Settings starting with AUDIT should be set to ALL to gain greater visibility of the system and to increase the chances of detecting a compromise.
CMON = OFF. If this is enabled, then specific settings need to be in place to ensure that the CMON process cannot be overwritten and used as a privilege escalation vector.
BLINDLOGON = ON. This setting prevents shoulder-surfing on the login screen.

Useful Resources

Most resources for HP NonStop are outdated. This posed a significant problem during our testing and we ended up reading a lot of books and manuals trying to find the information we need. Below are some of the most useful ones, and any recent ones that could be found. In brackets is the date of publishing so that this can be taken into account.