HP3000/HP 3000 FAQ
Last Updated: Thursday, February 01, 2007 02:38 PM
HP3000 Security Issues
Access to a logged on system console gives the perpetrator access to all the capabilities and data that the owner of the logon has. Many shops often leave the console logged on as OPERATOR.SYS (or equivalent) OP capability user. For this reason alone, securing physical access to the system console is important.
Anyone with physical access to the "logical" system console (which need not be ldev 20 -- the logical console can be pointed to any physical terminal or logged on network session) can at a minimum shut down the system. =SHUTDOWN cannot be disabled via the logical console.
Anyone with physical access to the "physical" system console device has access (by hitting control-B) to the ISL prompt on MPE/iX PA-RISC HP3000s. Shutting down or restarting the system, as well as other destructive tasks can be accomplished.
Anyone with physical access to an HP3000 system backup tape can at a minimum display/access the stored data on the tape. If the system contains confidential, classified, or sensitive data, the backup tapes must be treated the same. In addition, while a normal system user may have only restricted access to data on the system, someone with access to backup media can access/view ALL data on the system.
Finally, if the system backup used the ";DIRECTORY" parameter, all system accounts, users, groups, AND their passwords are accessible by reading the proper area of the tape. Directory password data on backup media is NOT encrypted in any way.
Anyone with physical access to the HP3000 front panel can physically interrupt power to the system -- which can be a data-damaging incident to a running system. In addition any backup media left in accessible tape drives is accessible.
HP3000s do not encrypt their network traffic (no SSH terminal access is available); so a packet sniffer or similar network tap device on the same subnet as the HP3000 will be able to view all data coming from or going to the HP3000. All commands/responses and logon information will be viewable (it is NOT encrypted in any way).
Biggies to look for when securing your system:
See http://www.3kassociates.com in the vendor directory (by category; security software)