LJK/Security Reference Manual
INTERACT
Determine whether generation of interactive process termination
accounting records conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Interactive accounting is enabled in violation of policy |
| REQUIRED | Interactive accounting is disabled in violation of policy |
Description
Use of the qualifier /ENABLE=INTERACT with the SET ACCOUNTING command
causes
process or image termination records for interactive jobs to be written
to the VMS accounting file (only if /ENABLE=IMAGE or /ENABLE=PROCESS
has also been specified).
Default policy
Enabling of interactive accounting is required
Customizing
Set limit REQUIRED to be FALSE to remove
the general requirement that interactive accounting be enabled
Selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
Accounting records provide more information
regarding resource usage than logout security alarms.
LOGFAIL
Determine whether generation of login failure accounting records
conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Logfail accounting is enabled in violation of policy |
| REQUIRED | Logfail accounting is disabled in violation of policy |
Description
Use of the qualifier /ENABLE=LOGFAIL with the SET ACCOUNTING command
causes
login failure records to be written to the VMS accounting file.
Default policy
Enabling of logfail accounting is required
Customizing
Set limit REQUIRED to be FALSE to remove the general
requirement that logfail accounting be enabled
Selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
Login failure accounting records do not
provide any more information than login failure security alarms.
MESSAGE
Determine whether generation of user message accounting records
conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Message accounting is enabled in violation of policy |
| REQUIRED | Message accounting is disabled in violation of policy |
Description
Use of the qualifier /ENABLE=MESSAGE with the SET ACCOUNTING command
causes
user message records to be written to the VMS accounting file.
Default policy
Enabling of message accounting is required
Customizing
Set limit REQUIRED to be FALSE to remove the general
requirement that message accounting be enabled
Selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
User message records are used to record
application-specific information in the accounting file.
NETWORK
Determine whether generation of network process termination accounting
records conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Network accounting is enabled in violation of policy |
| REQUIRED | Network accounting is disabled in violation of policy |
Description
Use of the qualifier /ENABLE=NETWORK with the SET ACCOUNTING command
causes
process or image termination records for network jobs to be written to
the VMS accounting file (only if /ENABLE=IMAGE or /ENABLE=PROCESS has
also been specified).
Default policy
Enabling of network accounting is required
Customizing
Set limit REQUIRED to be FALSE to remove the general
requirement that network accounting be enabled
Selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
Accounting records provide more information
regarding resource usage than logout security alarms.
PRINT
Determine whether generation of print job accounting records conforms
to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Print accounting is enabled in violation of policy |
| REQUIRED | Print accounting is disabled in violation of policy |
Description
Use of the qualifier /ENABLE=PRINT with the SET ACCOUNTING command
causes
print job records to be written to the VMS accounting file.
Default policy
Enabling of print accounting is required
Customizing
Set limit REQUIRED to be FALSE to remove the general
requirement that print accounting be enabled
Selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
Information regarding individual print jobs is
not otherwise recorded by VMS.
PROCESS
Determine whether generation of process termination accounting records
conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Process accounting is enabled in violation of policy |
| REQUIRED | Process accounting is disabled in violation of policy |
Description
Use of the qualifier /ENABLE=PROCESS with the SET ACCOUNTING command
causes
process termination records to be written to the VMS accounting file.
Default policy
Enabling of process accounting is required
Customizing
Set limit REQUIRED to be FALSE to remove the
requirement that process accounting be enabled
Selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
Recording process termination accounting
records is generally accepted as a minimum requirement in cases where
accounting is being used at all.
SUBPROCESS
Determine whether generation of subprocess process termination
accounting records conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Subprocess accounting is enabled in violation of policy |
| REQUIRED | Subprocess accounting is disabled in violation of policy |
Description
Use of the qualifier /ENABLE=SUBPROCESS with the SET ACCOUNTING command
causes
process or image termination records for subprocess jobs to be written
to the VMS accounting file (only if /ENABLE=IMAGE or /ENABLE=PROCESS
has also been specified).
Default policy
Enabling of subprocess accounting is required
Customizing
Set limit REQUIRED to be FALSE to remove
the general requirement that subprocess accounting be enabled
Selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
Accounting records provide more information
regarding resource usage than logout security alarms.
6.2 AUDIT Tests
Tests in the AUDIT facility deal with parameters used to control the
use of VMS security auditing features on a machine.
Exemptions are based on node name.
VMS Treatment of Alarms vs. Audits
Starting with VMS V5.4 there have been separate controls for Alarms and
Audits provided by the operating system. Prior to that, the only
mechanism for retaining a record of security events on disk was the
Operator Log File (SYS$MANAGER:OPERATOR.LOG). While the data related to
security events could be extracted with the Audit Reduction Facility
command procedure (SYS$MANAGER:SECAUDIT.COM), VMS still recorded all
data as Alarms (not Audits) and there was no way to separate which
security events called for immediate human attention (Alarms) versus
those which only needed to be recorded for possible later review
(Audits).
LJK/Security Treatment of Alarms vs. Audits
Elements described in this chapter often have separate
Constraints for Alarm controls and Audit controls. For example, a
typical list of Constraints might be:
- ALPROHIBIT - Security alarms are enabled in violation of policy
- ALREQUIRE - Security alarms are disabled in violation of policy
- AUPROHIBIT - Security audits are enabled in violation of policy
- AUREQUIRE - Security audits are disabled in violation of policy
But since only alarms (not audits) were supported under VMS versions
prior to V5.4, the AUREQUIRE constraint will often provide three
choices for your security assessment requirements:
The TRY value will require the control be enabled for VMS versions
where it exists (V5.4 and above), but not report a violation for VMS
versions where it does not exist.
The TRY value is also available for certain alarms (not audits) that
were provided only in particular versions of VMS.
The node name in an exemption for the AUDIT facility
can include standard VMS wildcard characters (% and *).
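
The sketch below is an added example, not LJK/Security code: it models how the four constraints, the TRY value and wildcard node exemptions described above could combine for one node. The function names, the sample policy and the rule that the first matching exemption replaces the general limit are assumptions; TRY is modelled for AUREQUIRE only.

```python
import re

AUDIT_MIN_VERSION = (5, 4)  # page: separate audit controls start with VMS V5.4

def node_matches(pattern, node):
    """Match a node name against a pattern using VMS wildcards (* and %)."""
    regex = "".join(".*" if c == "*" else "." if c == "%" else re.escape(c)
                    for c in pattern.upper())
    return re.fullmatch(regex, node.upper()) is not None

def effective(constraint, node, limits, exemptions):
    """Value in force for a node. Assumption: the first matching exemption
    replaces the general limit; the page does not state an ordering rule."""
    for ex_constraint, pattern, value in exemptions:
        if ex_constraint == constraint and node_matches(pattern, node):
            return value
    return limits.get(constraint, False)

def parse_version(text):
    """'V5.5-2' -> (5, 5); the update suffix is ignored."""
    major, minor = re.match(r"V(\d+)\.(\d+)", text.upper()).groups()
    return int(major), int(minor)

def violations(node, version, alarms_on, audits_on, limits, exemptions):
    """Return the names of the constraints violated on one node."""
    has_audits = parse_version(version) >= AUDIT_MIN_VERSION
    val = lambda c: effective(c, node, limits, exemptions)
    found = []
    if val("ALPROHIBIT") is True and alarms_on:
        found.append("ALPROHIBIT")
    if val("ALREQUIRE") is True and not alarms_on:
        found.append("ALREQUIRE")
    if val("AUPROHIBIT") is True and has_audits and audits_on:
        found.append("AUPROHIBIT")
    au = val("AUREQUIRE")
    audits_missing = not (has_audits and audits_on)
    if au is True and audits_missing:
        # TRUE reports a violation even where audits cannot exist.
        found.append("AUREQUIRE")
    elif au == "TRY" and has_audits and not audits_on:
        # TRY only reports where the control exists (V5.4 and above).
        found.append("AUREQUIRE")
    return found

# Constructed sample policy and exemptions (not taken from the manual).
LIMITS = {"ALREQUIRE": True, "AUREQUIRE": "TRY"}
EXEMPTIONS = [("ALREQUIRE", "LAB%", False), ("AUREQUIRE", "PROD*", True)]
```

With this sample policy, a V5.3 node with audits off passes under TRY, while the same node under a PROD* exemption set to TRUE is reported.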
ACL
Determine whether auditing for events requested by access control list
entries conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ALPROHIBIT | ACL security alarms are enabled in violation of policy |
| ALREQUIRE | ACL security alarms are disabled in violation of policy |
| AUPROHIBIT | ACL security audits are enabled in violation of policy |
| AUREQUIRE | ACL security audits are disabled in violation of policy |
Description
Use of the qualifier /ENABLE=ACL with the SET AUDIT/ALARM
or SET AUDIT/AUDIT command causes
the corresponding reporting when any user has requested them. Users
make that request by placing a Security Alarm Access Control Entry in
the Access Control List of some object (file, global section, etc.).
Default policy
Enabling of ACL security alarms and audits is neither
prohibited nor required
Customizing
Set limits TRUE
to establish a general prohibition of or requirement for the enabling
of ACL security auditing. Then establish exemptions
for any individual nodes which are not to be subjected to the general
rule.
Selector
Limits
| Constraint | Value | Default |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE or TRUE | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE, TRUE or TRY | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE or TRUE | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE, TRUE or TRY | <node> |
Practical considerations
Enabling ACL security alarms allows individual
users the power to cause the generation of unlimited alarms,
potentially swamping more significant alarms from other sources.
Enabling ACL security audits allows individual users the power to
consume unlimited disk space in the audit logs, but typically does not
cause extra work for the security officer.
ALARM
Determine whether operator settings and responsiveness conform to
policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| REPORT | No operator terminal is enabled in violation of policy |
| RESPONSE | No operator for the specified class responded, violating policy |
Description
Use of the qualifier /ENABLE or /ENABLE=(keyword,...) with the REPLY
command
enables a terminal for operator interaction for one or more of 24
operator classes.
Tests for this element determine in a slightly
invasive manner whether any terminal is enabled for selected operator
classes and whether operator responses are received within an
acceptable time interval.
For the REPORT constraint, "ignore this message" text is sent to the
relevant operator. This test will report if the OPCOM process is not
set up to send those messages to operators. The test (AUDIT, ALARM,
REPORT) is quite similar to the test (VMS, OPCOM, REQUIRED) with the
following differences:
- test (AUDIT, ALARM, REPORT) uses a supported VMS interface
- test (VMS, OPCOM, REQUIRED) does not send any message to an operator
When using test (AUDIT, ALARM, REPORT) one should choose a selector
corresponding to an operator class not in use at the local site.
For the RESPONSE constraint text is sent to the
operator designated by the selector and requires an
operator response. The response from the target operator shows:
- at least one terminal is enabled for the target operator class
- an operator with a terminal enabled was present to respond to the
message
Default policy
Enabling of terminals for operator interaction is not
required
Customizing
Set limit REPORT to be TRUE for
the selectors corresponding to the types of operator
messages your policy requires to be received. For those
selectors on which you wish to also test operator
responsiveness, set limit RESPONSE to the maximum
number of seconds allowed for a response.
If limit REPORT is set to FALSE, no testing for
limit RESPONSE is performed, since no response is
possible for a type of operator message that is not enabled at any
terminal.
selector
Limits for this element can take a
selector consisting of an operator message type:
CENTRAL, PRINTER, TAPES, DISKS, DEVICES, CARDS, NETWORK, CLUSTER,
SECURITY, LICENSE, USER1, USER2, USER3, USER4, USER5, USER6, USER7,
USER8, USER9, USER10, USER11, USER12.
Thus, each limit can be set once for each possible
operator message type. If you do not specify a
selector when changing limits, your
change applies to all operator message types.
Of the operator message types listed above, the REPLY and SOFTWARE
types are not documented (as late as VMS Version 8.3). By default they
are not enabled by the REPLY/ENABLE command or disabled by the
REPLY/DISABLE command.
Of the operator message types listed above, the LICENSE type is not
documented (as late as VMS Version 8.3). By default it is enabled by
the REPLY/ENABLE command and disabled by the REPLY/DISABLE command.
Limits
| Constraint | Value | Default |
|---|---|---|
| REPORT | FALSE or TRUE | FALSE |
| RESPONSE | 0-n | 0 |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| REPORT | FALSE or TRUE | <node> |
| RESPONSE | 0-n | <node> |
Practical considerations
Test (AUDIT, ALARM, RESPONSE) interrupts an
enabled operator with a message to which they must respond, so it
should be used judiciously.
If one wanted to use test (AUDIT, ALARM, RESPONSE) in support of
certain external rule sets (such as NIST 800-53 control AU-5(2)) that
are aimed at security functions, it is better to specify only
the SECURITY selector, providing a single message to which the SECURITY
operator must respond, rather than multiple messages to which 24
separate operator responses are required.