⇑ Updated
![[3khat16.ico]](../../../img/3khat16.ico)
HP3000
3kMail
![[archive16.gif]](../../../img/archive16.gif "Wayback Archive")
------------------------------------------------------------
WIPEDISK Copyright (c) 2002 Allegro Consultants, Inc.
support@allegro.com www.allegro.com
------------------------------------------------------------
WipeDisk is a dangerous utility that is designed to erase
(or "wipe") a disk drive!
Allegro Consultants, Inc. is *NOT* responsible for any data
loss you might incur as a result of running this program.
This program is *DESIGNED* to erase disk drive(s)!
************
* CAUTION! *
************
Once we have started erasing a disk drive, that drive's data
will be GONE!
The first-time user may want do issue these help commands:
help security
help startup
------------------------------------------------------------
There are three usual ways of using WipeDisk/iX:
1. Erasing (wiping) a single disk drive
You can do this via the WipeDisk command: WIPEDISK <ldev>
For example, to erase ldev 44: WIPEDISK 44
or: WIPEDISK 44 HIPAA
2. Erasing all disks on the system
You can do this via the WipeDisk command: WIPEDISK ALL
Note: by default, the system will be aborted at the end.
3. Erasing a single disk file
You can do this via the WipeDisk command: WIPEFILE filename
For example, to erase file FOO.FUM: WIPEFILE FOO.FUM
or: WIPEFILE FOO.FUM NOPURGE
------------------------------------------------------------
You can verify that WipeDisk has erased a disk drive either by
looking at the drive online (via WipeDisk's READDISK command,
or via Debug/iX's DSEC command), or offline (via ODE,
(Offline Diagnostic Environment)).
The WipeDisk command you might use is:
READDISK <ldev> SOMETHING INTERESTING
"SOMETHING" tells WipeDisk to stop reading the disk drive
when something is worth displaying is found. INTERESTING
defined "worth displaying" as a page that has not been erased.
------------------------------------------------------------
If you want to produce a printer listing with a trace of the
WipeDisk run (to show auditors), issue the command:
SET COPYLP
------------------------------------------------------------
Examples of using ODE (Offline Diagnostic Environment) to
verify that a disk has been wiped are in:
ODEWIPE.WIPEDISK.ALLEGRO ... example of DISKUTIL
ODEEXPT.WIPEDISK.ALLEGRO ... example of DISKEXPT
And, an example of booting up in single-disc single-user mode and
then running WipeDisk is in
SNGLDISC.WIPEDISK.ALLEGRO
------------------------------------------------------------
Commands:
DIRectory <ldev_or_class> [FORCE] [noCHECK] [noPAGEMODE]
If a disk is a LIF disk (like LDEV 1 on MPE), the DIR
command will list the LIF (Logical Interchange Format)
directory.
DISABLEDISK [<ldev_or_class> | NONE]*
DISABLEDISK tells WipeDisk to ignore the specified disks.
If a positive LDEV is specified, that specific disk is
"disabled". If a negative LDEV is specified, that specific
disk is "enabled".
Since DISABLEDISK ALL disables all disks, you could do
DISABLEDISK ALL -1 -2 to have just LDEVs 1 and 2 enabled.
Typical usage:
DISABLEDISK 1
WIPEDISK ALL (wipes all disks except LDEV 1)
DISKSIZEs <ldev_or_class> [CHECK] [QUIET | VERBOSE]
Calculates (or asks MPE) the size of the disk drive(s).
QUIET, the default, suppresses messages about
non-responding disk drives.
DSTAT <ldev_or_class> [noVSET] [noQUIET] [noCHECK]
Searches for, and lists, some/all of the disks on the
system. Note: configured, but non-mounted, disk drives
might cause DSTAT to pause for several seconds.
DSTAT ALL selects all disks, <ldev> selects the specified
disk, MOST selects all disks except LDEV 1, SYSTEM selects
all disks in $SYS (MPEXL_SYSTEM_VOLUME_SET), and USERS
selects just the "user" disk (i.e., all disks other than
those belonging to MPEXL_SYSTEM_VOLUME_SET).
VSET, the default, reports the volume set each disk
is a member of (if any).
QUIET, the default, suppresses messages about
non-responding disk drives.
WIPEDISK <ldev_or_class> [<wipemode>] [ <options> ]
or
ERASEDISK <ldev_or_class> [<wipemode>] [ <options> ]
<wipemode> ::= <nispomc |="" nispomd="" hipaa="" acsi33="">
<options> ::= <password xxxxx="" |="" seed="" #="" [no]halt=""> [ <options> ]
ERASEDISK will *** ERASE *** your choice of:
ldev --- the disk at that LDEV (e.g.: ERASEDISK 2)
ALL --- all disks, including LDEV 1
MOST --- all disks, except LDEV 1
SYSTEM --- all disks in MPEXL_SYSTEM_VOLUME_SET
USERS --- all disks outside MPEXL_SYSTEM_VOLUME_SET
For BATCH runs, the password (which is RUBBER) must be
specified! (This ensures that you have read this text.)
The <wipemode> tells WipeDisk what method it should use to
erase the disk:
NISPOMC (the default) one pass over the disk
NISPOMD four passes (3 write, 1 read)
HIPAA six passes (3 of (write, read))
ACSI33 nine passes (W,r,W,r,W,W,W,W,W)
Enter: HELP WIPEMODE for documentation about each mode,
or: HELP <modename> for documentation about a specific mode.
The HALT option, which defaults to true when LDEV 1
is erased (either via ERASEDISK 1 or via ERASEDISK ALL)
tells WipeDisk to abort the system when it finishes.
(The HALT is accomplished by calling sudden_death.)
You can globally specify NOHALT by doing: RESET SYSABORT
For information about running WipeDisk in batch, type:
help batch
Error handling
Some wipemodes have "read" passes, where WipeDisk reads the
disk and compares the data to the previously written
"write" data to check that the writes have succeeded.
If the newly read data does not match the previously
written data, an error is reported like the following:
Data at page 2222080 @ byte 3 is 9, expected 0
(3 bytes differed from what we expected)
Only the first nine such mismatches are listed, but the
total number of mismatches is reported. If every one
of the first 20 blocks written and read have mismatches,
WIPEDISK will stop trying to erase the current disk drive.
(The "nine" is configurable, the "20" is not.)
Why should mismatches ever occur? If MPE/iX is updating
disk drives as WipeDisk does a "write" pass, then that can
change the data on the disk. This can happen if you are
wiping a disk that has not been properly idled (e.g.,
VSCLOSE, or START SINGLE-DISC SINGLE-USER was not done).
If a disk error is encountered during a write operation,
WipeDisk will report it ... up to nine errors.
After nine errors, WipeDisk will stop.
The number (nine) and the stop are both configurable:
SET MAXERRORS 19 NOSTOPONMAXERRORS
will report up to 19 errors, and will not stop
erasing at error 19.
ERASEFILE <filename> [ <wipemode> ] [<options>*]
<wipemode> ::= <nispomc |="" nispomd="" hipaa="" acsi33="">
<options> ::= <eof |="" limit=""> | <fwrite |="" virtual=""> |
noPURGE | SEED # | <deq |="" feq=""> | noDB
ERASEFILE will *** ERASE *** the specified file, and then
purge it from disk.
The <wipemode> tells WipeDisk what method it should use to
erase the disk, and is the same set of modes as the
ERASEDISK command.
Enter: HELP WIPEMODE for documentation about each mode,
or: HELP <modename> for documentation about a specific mode.
By default (PURGE), WipeDisk will purge the file after
erasing it. NOPURGE tells WipeDisk not to purge the file
after erasing it. (KEEP and SAVE are synonyms for NOPURGE.)
By default (LIMIT), WipeDisk will erase from the start of
the file to the limit of the file. Specifying "EOF" will
tell WipeDisk to just erase to the current EOF, not the
LIMIT.
By default (VIRTUAL), WipeDisk will use virtual access
(mapped file access) to erase the file. By specifying
"FWRITE", file system access will be used instead of mapped
access.
By default (DEQ), WipeDisk will disallow file equations
when trying to FOPEN the specified file. The FEQ option
allows file equates.
By default (DB), WipeDisk will erase all files associated
with the IMAGE database if the file is an IMAGE rootfile.
The NODB option disables this. DB/NODB can be specified on
each WIPEFILE command, or may be set globally via "SET DB"
or "SET NODB". (If a global set has been done, DB or NODB
on a WIPEFILE command will override the global setting.)
If WIPEDISK.PUB.ALLEGRO is copied to WIPEFILE.PUB.ALLEGRO,
then the WIPEFILE command is assumed for any run with
an INFO= string. This means (assuming PUB.ALLEGRO is
in your HPPATH):
:wipefile "foo hipaa"
is equivalent to:
:wipedisk
wipefile foo hipaa
exit
and to:
:wipedisk "wipefile foo hipaa"
Exit (or: //)
Help [keyword] (or: ? [keyword])
Displays the help information. If a keyword is specified,
displays only those sections of the help file that match
the keyword. (e.g.: HELP PAGE)
LOGGING [<all |="" none="" original="" show="">]
LOGGING ALL enables all possible system logging types.
LOGGING NONE disables all possible system logging types.
LOGGING ORIGINAL restores the system logging mask to
the value at WipeDisk startup.
LOGGING SHOW (the default) displays the current status.
READDISK ldev [start] [len_each] [stop] [interest] [options]*
start ::= <pagenum #="" |="" sector="" mb="" gb="">
len_each ::= <numpages #="" |="" numsectors="">
stop ::= <for #pages="" |="" something="" toend="">
interest ::= <dump |="" ids="" interesting="" none="" nonzero="" word="" #="">
options ::= <nocheck |="" nopagemode="" verbose="" dump_mode="">
dump_mode::= <both |="" decimal="" hex="" octal="" s="">
note: the dump_mode options all imply DUMP.
note: SOMETHING implies an interest of NONZERO.
READDISK allows the user to look at data on a disk drive.
This can be useful to confirm that the disk has been
erased, or to determine what kind of data is currently on
the drive.
start: Tells READDISK where to start on the disk.
PAGE # (or SECTOR #, or GB # or MB #) tells READDISK the
"address" on the drive to read. If not specified, PAGE
0 is the default.
len_each: Tells READDISK how much to read in a single
read request.
NUMPAGES and NUMSECTOR specifies the number of pages or
sectors to read. The default is NUMPAGES 1. Note: most
modern disk drives can only read an even number of
sectors at a time. Only the most recently specified is
used.
interest:
DUMP (default) displays the data read from disk in both
hex and ASCII.
IDS tells READDISK to display (DUMP) the results of a
given read operation only if there is at least one byte
that is a letter or a digit.
INTERESTING tells READDISK to display (DUMP) the results
of a given read operation only if there is at least one
byte of data that is not 0 and is not -1 (all bits off
or all bits on).
NONE tells READDISK not to display the data.
NONZERO tells READDISK to display (DUMP) the results of
a given read operation only if there is at least one
non-zero byte of data.
WORD # tells READDISK to display (DUMP) the results of a
given read operation only if there is at least one
instance of the specified 32-bit word. (Checking is
done only at word boundaries.) E.g.: WORD $ffff0008
stop Tells READDISK when to stop reading.
By default, READDISK will do a single read.
"FOR #pages" will loop, reading (of size len_each) until
#pages has been read.
SOMETHING will cause READDISK to read until something
interesting is found. (If not specified in this case,
"interesting" is NONZERO.)
TOEND will cause READDISK to read until the end of the
disk.
options: Tells READDISK miscellaneous things
CHECK tells READDISK to check that the specified ldev is
a disk before trying to read it. (Default: CHECK)
PAGEMODE tells READDISK to try to read the disk in a
page-oriented manner instead of a sector-oriented
manner. (Default: NOPAGEMODE)
Verbose tells READDISK to report the location and size
of each read, even if the data isn't interesting.
dump_mode Tells READDISK that you want to dump
data, and in what mode to dump it
BOTH ... both HEX and ASCII
DECimal... as 32-bit decimal numbers
HEX ... in hexadecimal
OCTal ... in octal
S ... as text
Thus, a command like: READDISK 4 SOMETHING will read the
entire disk, displaying the first section that has any
non-zero data, and then will stop.
DO [prefix]
REDO [prefix]
CLEARREDO
LISTREDO
SET / RESET [flag ...]
[no]CHECK
[no]CHECKSYSGEN ...
[no]COPYLP ... enable copying of all output to LP.
[no]DEBUG1 ... enables debugging code.
[no]DB ... affects WIPEFILE of IMAGE rootfiles.
[no]DUMMY ... disables all writes to disk.
LINES # ... specify # of lines on your screen.
MAXERRORS # ... maximum number of errors to report.
[no]MPE5 ... [dis]allow looking for MPE 5 volume labels.
OP ... require user to have OP capability.
[no]PAGEMODE... turns on/off page vs. sector read mode.
[no]PAGING ... turns on/off output pagination.
QUIET ... don't list the options at end-of-command.
SEED # ... set random number generator seed.
SM ... require user to have SM capability.
SMOP ... require user to have SM *or* OP capability.
[no]STOPONMAXERRORS ... stops if we hit MAXERRORS errors.
[no]SYSABORT... specifies the default setting of the HALT
option of the ERASEDISK command.
TERMWIDTH # ... tells WipeDisk your terminal width.
[no]TIMES ... tells WipeDisk to report timing information.
[no]TOTPERCENT ... TOTPERCENT reports overall progress,
NOTOTPERCENT reports per-pass progress.
Default: SET MAXERRORS 9 MPE5 STOPONMAXERRORS NOTOTPERCENT
SET TERMWIDTH 80
(and, for sessions, PAGING)
(and, SEED is set to TIMER() value)
TERMWIDTH is initially set from the value of the CI
variable "COLUMNS", if it exists.
LINES is initially set from the value of the CI variable
"LINES" if it exists, otherwise from the value of the CI
variable "ROWS" if it exists, otherwise it is set to 24.
NOTE: "SETQ ..." is equivalent to "SET QUIET ...".
SYStem <ldev_or_class>
(internal R&D; command)
VERSION
VERSION reports the version# of WipeDisk.
: MPEcommand
The command following the colon is passed to the HPCICOMMAND
intrinsic. Example: :showdev
------------------------------------------------------------
Many WipeDisk commands are described as taking a
parameter of: <ldev_or_class>
That means you can use any one of: ldev#, ALL, MOST, SYSTEM, USERS
ldev# An LDEV. Example: 1
ALL All disk drives
MOST All disk drives except LDEV 1
SYSTEM All disk drives that are part of $SYS
($SYS is shorthand for MPEXL_SYSTEM_VOLUME_SET)
USERS All disk drives that are not part of $SYS.
------------------------------------------------------------
Disk wiping is also known as disk erasing and as disk sanitizing.
WipeDisk has four disk erasing modes that you can select from:
Mode Number of passes over the disk
------- -------------------------------
NISPOMC One pass over the disk (write) <-- default mode
(write all zeros)
NISPOMD Four passes (3 write, 1 read)
(write all zeros;
write all ones;
write a random byte, read to verify)
HIPAA Six passes (3 of (write, read))
(write all zeros, read to verify;
write all ones, read to verify;
write a random byte, read to verify)
ACSI33 Nine passes (W,r,W,r,W,W,W,W,W)
(write all ones, read to verify;
write all zeros, read to verify;
write all ones;
write all zeros;
write all ones;
write all zeros;
write a random byte)
The default mode used by WipeDisk is NISPOMC.
This raises some obvious questions...
1. What is NISPOM, and where can I find documents about it?
NISPOM (National Industrial Security Program Operating Manual,
is a U.S.A. government standard documented in DoD 5220-22.M
at:
http://www.dss.mil/isec/nispom.htm.
Note: On that page, you want the link (at the top) to the 1995
version, because the disk drive sanitization definition was
removed in later versions. The sanitization definition is
also at:
http://www.dss.mil/isec/chapter8.htm
<wipemode>: NISPOMC
1a. What does our NISPOMC erasure do?
NISPOMC tells WipeDisk to write binary zeros over every
byte of the disk drive.
This mode is the "option c" choice in NISPOM section 8-305:
"Overwrite all addressable locations with a single
character."
<wipemode>: NISPOMD
1b. What does our NISPOMD erasure do?
NISPOMD tells WipeDisk to write multiple patterns over every
byte of the disk drive, in an effort to make data recovery
even harder, in case you are worried about people with an
electron microscope and years of spare time. WipeDisk makes
four passes over the disk drive: first writing all zeros,
then all ones, then a random character, and then verifies that
the random character can be read back from the drive.
This mode is the "option d" choice in NISPOM section 8-305:
"Overwrite all addressable locations with a
character, its complement, then a random character
and verify."
2. What is HIPAA, and where can I find documents about it?
HIPAA is the Health Insurance Portability and Accountability
Act of 1996 (in the U.S.A.).
One provision in HIPAA is that of data security, which
includes disk sanitizing. This is somewhat documented at the
following URL (note wrap):
www.cms.hhs.gov/manuals/117_systems_security/
117_systems_security_AtchA.pdf
However, the HIPAA documents do not specify an actual
sanitizing method, but simply:
"System Owners/Managers have the responsibility to:
Formulate and publish CMS E-Mail, FAX, and Other Media
policies."
Many parts of the health industry have accepted NISPOM section
8-305 option "d" as a standard (this is WipeDisk's NISPOMD
mode). WipeDisk's HIPAA mode is a superset of NISPOMD,
because every write operation is followed by a verify
operation.
<wipemode>: HIPAA
2a. What does our HIPAA erasure do?
The HIPAA mode tells WipeDisk to use a draconian
interpretation of NISPOM section 8-305 option d, resulting in
six passes over the disk drive: write binary zeros, verify,
write all ones, verify, write a random character, verify.
(The standard interpretation of NISPOM section 8-305, requires
only write/write/write/verify, for a total of four passes over
the disk ... which is our NISPOMD mode.)
3. What is ACSI33, and where can I find documents about it?
ACSI33 is the the Australian Government's Department of
Defence's Information Technology Security Manual ACSI 33, from
the Defence Signals Directorate (updated 24 February 2004).
Chapter 4 of the manual is "Security of Hardware". In that
chapter is a section "Methods of Sanitising Media", which
consists of paragraphs 423 to 432. (Note: at least one
vendor mislabels this as "Sec 605".)
The document outlines four methods of sanitizing a disk,
with increasing thoroughness. We chose to implement the
most severe (which allows the most classified disk drive to
be transferred to an unclassified recipient, or P to U in
ACSI33 terms).
<wipemode>: ACSI33
3a. What does our ACSI33 erasure do?
Overwrite the entire media with all ones. ("C = 0xff")
Verify that all areas of the media have been overwritten with
all ones.
Overwrite the entire media with all zeros ("C = 0x00").
Verify that all areas of the media have been overwritten with
all zeros.
If any media error occured, we note them and suggest media
destruction.
Overwrite the entire media with all ones. ("C = 0xff")
Overwrite the entire media with all zeros ("C = 0x00").
Overwrite the entire media with all ones. ("C = 0xff")
Overwrite the entire media with all zeros ("C = 0x00").
Overwrite the entire media with a random data.
This is a total of 7 writes and 2 reads of every byte.
------------------------------------------------------------
Units
A megabyte is 1,048,576 bytes (or 4096 sectors, or 256 pages).
A page is 4096 bytes (or 16 sectors).
A sector is 256 bytes.
------------------------------------------------------------
Full system backup
Prior to erasing LDEV 1, you may want to create a full backup
of your system. A "full" backup would include an SLT (System
Load Tape), the accounting directory, and all disk files.
Here is one method of creating such a backup.
1. logoff most users and jobs
2. logon as MANAGER.SYS
3. issue the following commands:
purge foo
echo / > foo
echo ;directory; partialdb; progress >> foo
sysgen
tape verbose; store=^foo
(at this point, you may have to REPLY to
tell MPE/iX which tape drive to use)
exit
bye
If you have TurboSTORE, you might change the above's
";progress" to ";progress; compress".
------------------------------------------------------------
HALT (aka SYSABORT)
If you are erasing LDEV 1, then you are erasing the disk
containing most of the MPE/iX operating system.
When you ask WipeDisk to erase LDEV 1, WipeDisk usually
assumes that you want to halt the system after the erasing
is done, to prevent the operating system from then writing
data back onto the disk. You can prevent the halt by
specifying NOHALT on an ERASEDISK command, or by
issuing a "RESET SYSABORT" command in WipeDisk prior to
issuing an ERASEDISK command.
------------------------------------------------------------
Security (Operator vs. System Manger vs. ?)
WipeDisk does not impose any security restraints upon who
can run it. This is because we have found that most WipeDisk
users intend to wipe every disk on the system ... security
becomes meaningless at that point.
WipeDisk may be secured via standard MPE file system security.
For example, to prevent anyone other than MGR.ALLEGRO or
MANAGER.SYS (or other users with SM capability) from running
WipeDisk, secure the program file:
ALTSEC WIPEDISK.PUB.ALLEGRO;ACCESS=(R,X:CR)
WipeDisk may also be told to require SM or OP capability
before letting a user erase data:
SET SM ... require user to have SM capability.
SET SMOP ... require user to have SM *or* OP capability.
SET OP ... require user to have OP capability.
(Since an SM user can easily get OP capability, it doesn't
make sense to be able to require both SM *and* OP.)
Such SET commands may be placed in the STARTUP.WIPEDISK.ALLEGRO
file. Note: "SETQ SM" will quietly require SM capability.
"SET SM" will require SM capability *and* will list the
current option settings.
------------------------------------------------------------
STARTUP.WIPEDISK.ALLEGRO
At startup, WipeDisk will look for the file
STARTUP.WIPEDISK.ALLEGRO and read commands from it. (If the
file does not exist, no error or warning is generated.)
Typical commands that might be found in that file are:
SETQ SM
:tellop someone is running WipeDisk
which would tell WipeDisk that any command that erases data
requires SM capability, and would send a message to the system
operator that someone is running WipeDisk.
Blank lines in STARTUP.WIPEDISK.ALLEGRO are ignored.
Lines beginning with "#" are treated as comments and are
ignored.
------------------------------------------------------------
Running WipeDisk in batch
WipeDisk requires a "password" before it will erase a
disk from a batch job. This precaution is intended to
help prevent accidental erasures of unintended disk drives.
The following sample jobstream will erase LDEV 123:
!job manager.sys
!run wipedisk.pub.allegro
wipedisk 123 password rubber
exit
!eoj
The following sample jobstream will erase LDEV 1
*AND* abort the system:
!job manager.sys
!run wipedisk.pub.allegro
wipedisk 1 password rubber
exit
!eoj
Why would the system be aborted? Because that's the
default action after erasing LDEV 1. (To minimize the
possibility that any user data will be written to LDEV 1
after erasing it.)
------------------------------------------------------------
//