LJK/Security Reference Manual
INSTALL
Determine whether auditing for INSTALL operations conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ALPROHIBIT | INSTALL security alarms are enabled in violation of policy |
| ALREQUIRE | INSTALL security alarms are disabled in violation of policy |
| AUPROHIBIT | INSTALL security audits are enabled in violation of policy |
| AUREQUIRE | INSTALL security audits are disabled in violation of policy |
Description
Use of the qualifier /ENABLE=INSTALL with the SET AUDIT/ALARM
or SET AUDIT/AUDIT command causes
the corresponding reporting when the INSTALL utility is used.
Default policy
Enabling of INSTALL security alarms and audits is
neither prohibited nor required.
Customizing
Set limits to TRUE to establish a general prohibition of or
requirement for the enabling of INSTALL security auditing. Then
establish exemptions for any individual nodes which
are not to be subjected to the general rule.
Selector
Limits
| Constraint | Value | Default |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE or TRUE | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE, TRUE or TRY | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE or TRUE | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE, TRUE or TRY | <node> |
Practical considerations
A large number of INSTALL operations are
performed as part of system startup and system shutdown. Some sites
choose to disable Install security alarms during startup and shutdown.
That is still consistent with an LJK/Security policy requiring that
Install security alarms be enabled so long as the startup of
LJK/Security during system startup is done after all other uses of the
Install utility. Enabling Install security alarms immediately after
starting LJK/Security will typically be sufficiently quick that any
pending assessment will not yet have tested the Install security alarm
setting.
LOG
Determine whether audit log settings conform to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| FLUSH | Audit log flush interval exceeds policy maximum |
| RETENTION | Audit log retention is less than policy minimum |
| SPACEDAYS | Space available for audit log is less than required for planned number of days |
| SPACEWARN | Warning when percentage of available audit log space consumed is too high |
Description
The command SET AUDIT/INTERVAL=JOURNAL_FLUSH=time specifies
how frequently the audit server will flush audit messages to the audit
log.
Local command procedures control how long older versions of audit logs
are retained on the system.
Local management practices determine how much space is available for
audit logs.
The command SET AUDIT/JOURNAL=SECURITY/THRESHOLD=WARNING=value
specifies when the audit server will warn security operators about a
lack of audit space, based either on a number of records or a
percentage of disk space available.
Tests for this element determine
whether all those settings conform to policy.
Default policy
No particular audit log behavior is required.
Customizing
Set the limits for these
constraints to require particular audit log behavior.
Selector
Limits
| Constraint | Value | Default |
|---|---|---|
| FLUSH | delta-time | +00:00:00.00 |
| RETENTION | number-of-days | 0 |
| SPACEDAYS | number-of-days | 0 |
| SPACEWARN | 0-100 | 100 |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| FLUSH | delta-time | <node> |
| RETENTION | number-of-days | <node> |
| SPACEDAYS | number-of-days | <node> |
| SPACEWARN | 0-100 | <node> |
Practical considerations
While the value in the command SET
AUDIT/JOURNAL=SECURITY/THRESHOLD=WARNING=value is expressed in
terms of a block count or a percentage of disk space, the
limit and any exemptions for the
SPACEDAYS constraint are expressed as the number of
days' worth of audit records that can be accommodated in the available
space, based on recent audit record generation rates and audit file
retention policy. This approach is aimed at matching the terminology
used by external requirements such as NIST 800-53 or DoD Instruction
8500.2.
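The four LOG constraints can be modelled as a small check, shown here as an added Python example that is not LJK/Security code. It assumes that a limit left at its default value is not enforced, that SPACEWARN is the highest acceptable warning percentage, and that days of space is free blocks divided by the recent average daily block rate; all function and field names, the site policy and the node values are constructed for illustration.

```python
import re
from datetime import timedelta

# VMS delta-time as written in the Limits table, e.g. "+00:00:00.00" or "0 00:10:00.00".
_DELTA = re.compile(r"^\+?(?:(\d+)[ -])?(\d+):(\d+):(\d+)(?:\.(\d+))?$")

def parse_delta(text):
    m = _DELTA.match(text.strip())
    if not m:
        raise ValueError(f"not a delta-time: {text!r}")
    days, hh, mm, ss, cc = (int(g or 0) for g in m.groups())
    return timedelta(days=days, hours=hh, minutes=mm, seconds=ss, milliseconds=cc * 10)

def days_of_space(free_blocks, recent_daily_blocks):
    """Days of audit records that fit in free_blocks at the recent daily rate."""
    if not recent_daily_blocks or sum(recent_daily_blocks) == 0:
        return float("inf")  # no recent growth: space never runs out
    return free_blocks / (sum(recent_daily_blocks) / len(recent_daily_blocks))

def check_log(limits, node):
    """Return the LOG constraints one node violates.
    Assumption: a limit left at its default value is not enforced."""
    found = []
    max_flush = parse_delta(limits["FLUSH"])
    if max_flush and parse_delta(node["flush"]) > max_flush:
        found.append("FLUSH")
    if node["retention_days"] < limits["RETENTION"]:
        found.append("RETENTION")
    if days_of_space(node["free_blocks"], node["recent_daily_blocks"]) < limits["SPACEDAYS"]:
        found.append("SPACEDAYS")
    if node["warn_percent"] > limits["SPACEWARN"]:
        found.append("SPACEWARN")
    return found

# Defaults from the Limits table, then a constructed site policy and node.
DEFAULTS = {"FLUSH": "+00:00:00.00", "RETENTION": 0, "SPACEDAYS": 0, "SPACEWARN": 100}
SITE = {"FLUSH": "+00:05:00.00", "RETENTION": 90, "SPACEDAYS": 30, "SPACEWARN": 75}
NODE = {"flush": "0 00:10:00.00", "retention_days": 120, "free_blocks": 400_000,
        "recent_daily_blocks": [18_000, 22_000, 20_000], "warn_percent": 90}

if __name__ == "__main__":
    print(check_log(DEFAULTS, NODE))
    print(check_log(SITE, NODE))
```

The constructed node has 20 days of space at its recent rate, so a 30-day SPACEDAYS limit is violated even though the disk may look mostly empty in block terms.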
LOGFAIL
Determine whether auditing for failed login attempts conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ALPROHIBIT | Logfail security alarms are enabled in violation of policy |
| ALREQUIRE | Logfail security alarms are disabled in violation of policy |
| AUPROHIBIT | Logfail security audits are enabled in violation of policy |
| AUREQUIRE | Logfail security audits are disabled in violation of policy |
Description
Use of the qualifier /ENABLE=LOGFAIL=(keyword,...) with the SET
AUDIT/ALARM
or SET AUDIT/AUDIT command causes
the corresponding reporting when a
failed login attempt is detected. Tests for this
element determine whether those audits or alarms are
enabled or not.
Default policy
Enabling of Logfail security alarms and audits is
neither prohibited nor required.
Customizing
Set limits to FALSE to establish a general prohibition of or
requirement for the enabling of failed login attempt security alarms.
Then establish exemptions for any individual nodes
which are not to be subjected to the general requirement.
Selector
Limits for this element can take a
selector consisting of a VMS process type: BATCH,
DIALUP, LOCAL, REMOTE, NETWORK, SUBPROCESS or DETACHED.
Thus, each limit can be set once for each possible
process type. If you do not specify a selector when
changing limits, your change applies to all process
types.
Limits
| Constraint | Value | Default |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE or TRUE | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE or TRUE | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE or TRUE | <node> |
Practical considerations
For most sites, security alarms in the case of
failed login attempts are not appropriate since they will be triggered
by any password typing error. Repeated login
failures which are part of a concerted attack are generally reported
via the breakin attempt security alarm.
Failed login security alarms are appropriate for high-security
situations where avoiding investigation of false alarms is less
important than catching sophisticated attackers who will wait
sufficiently long after each attempt to avoid triggering the breakin
detection threshold.
Failed login audits are appropriate in most environments,
allowing investigation after an incident.
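How per-process-type limits and per-node exemptions combine into violation reports, as an added Python model that is not LJK/Security code or command syntax. It assumes a node exemption replaces the general limit for every process type on that node; the function names, node names and sample policy are constructed for illustration.

```python
PROCESS_TYPES = ("BATCH", "DIALUP", "LOCAL", "REMOTE", "NETWORK", "SUBPROCESS", "DETACHED")

def set_limit(limits, constraint, value, selector=None):
    """Without a selector the change applies to all process types."""
    if selector is not None and selector not in PROCESS_TYPES:
        raise ValueError(f"unknown process type: {selector}")
    for ptype in ([selector] if selector else PROCESS_TYPES):
        limits[(constraint, ptype)] = value

def effective(limits, exemptions, constraint, ptype, node):
    # Assumption: a node exemption replaces the general limit on that node.
    if (constraint, node) in exemptions:
        return exemptions[(constraint, node)]
    return limits.get((constraint, ptype), False)  # Limits table default: FALSE

def assess(limits, exemptions, node, alarms, audits):
    """alarms / audits: process types with LOGFAIL reporting enabled on the node."""
    reports = []
    for ptype in PROCESS_TYPES:
        for kind, enabled in (("AL", ptype in alarms), ("AU", ptype in audits)):
            if enabled and effective(limits, exemptions, kind + "PROHIBIT", ptype, node):
                reports.append((node, ptype, kind + "PROHIBIT"))
            if not enabled and effective(limits, exemptions, kind + "REQUIRE", ptype, node):
                reports.append((node, ptype, kind + "REQUIRE"))
    return reports

def example_policy():
    # Constructed policy: audits required everywhere; alarms prohibited in
    # general but required on the high-security node VAULT1.
    limits = {}
    set_limit(limits, "AUREQUIRE", True)
    set_limit(limits, "ALPROHIBIT", True)
    exemptions = {("ALPROHIBIT", "VAULT1"): False, ("ALREQUIRE", "VAULT1"): True}
    return limits, exemptions

if __name__ == "__main__":
    limits, exemptions = example_policy()
    all_types = set(PROCESS_TYPES)
    print(assess(limits, exemptions, "WORK01", {"LOCAL"}, all_types - {"NETWORK"}))
    print(assess(limits, exemptions, "VAULT1", set(), all_types))
```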
LOGIN
Determine whether auditing for successful logins conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ALPROHIBIT | Login security alarms are enabled in violation of policy |
| ALREQUIRE | Login security alarms are disabled in violation of policy |
| AUPROHIBIT | Login security audits are enabled in violation of policy |
| AUREQUIRE | Login security audits are disabled in violation of policy |
Description
Use of the qualifier /ENABLE=LOGIN=(keyword,...) with the SET
AUDIT/ALARM
or SET AUDIT/AUDIT command causes
the corresponding reporting when a
successful login is accomplished. Tests for this
element determine whether those audits or alarms are
enabled or not.
Default policy
Enabling of LOGIN security alarms is neither prohibited
nor required.
Enabling of LOGIN security audits is nrequired
Customizing
Set limits to TRUE to establish a general prohibition of or
requirement for the enabling of ACL security auditing. Then establish
exemptions for any individual nodes which are not to
be subjected to the general requirement.
Selector
Limits for this element can take a
selector consisting of a VMS process type: BATCH,
DIALUP, LOCAL, REMOTE, NETWORK, SUBPROCESS or DETACHED.
Thus, each limit can be set once for each possible
process type. If you do not specify a selector when
changing limits, your change applies to all process
types.
Limits
| Constraint | Value | Default |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE or TRUE | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE or TRUE | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE or TRUE | <node> |
Practical considerations
Login security alarms are used in
high-security environments where it is essential that a record be kept
of all logins. In order to guard against the scenario of someone
logging into a privileged account and then destroying the record of
that login, it is essential that security alarms be sent to a
non-erasable medium. Console paper is easiest for most sites, but
requires human search of the output. Write-Once-Read-Many disks allow
for computer-assisted search, but up through VMS V7.3 are not directly
supported for this purpose by the VMS security auditing software.
LOGOUT
Determine whether auditing for logouts conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ALPROHIBIT | Logout security alarms are enabled in violation of policy |
| ALREQUIRE | Logout security alarms are disabled in violation of policy |
| AUPROHIBIT | Logout security audits are enabled in violation of policy |
| AUREQUIRE | Logout security audits are disabled in violation of policy |
Description
Use of the qualifier /ENABLE=LOGOUT=(keyword,...) with the SET
AUDIT/ALARM
or SET AUDIT/AUDIT command causes
the corresponding reporting when a
logout is detected. Tests for this element determine
whether those audits or alarms are enabled or not.
Default policy
Enabling of LOGOUT security alarms is neither prohibited
nor required.
Enabling of LOGOUT security audits is required.
Customizing
Set limits to TRUE to establish a general prohibition of or
requirement for the enabling of logout security auditing. Then
establish exemptions for any individual nodes which
are not to be subjected to the general requirement.
Selector
Limits for this element can take a
selector consisting of a VMS process type: BATCH,
DIALUP, LOCAL, REMOTE, NETWORK, SUBPROCESS or DETACHED.
Thus, each limit can be set once for each possible
process type. If you do not specify a selector when
changing limits, your change applies to all process
types.
Limits
| Constraint | Value | Default |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE or TRUE | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE or TRUE | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE or TRUE | <node> |
Practical considerations
Sites which have enabled auditing of
successful logins will generally want to enable auditing of logouts as
well, to establish a window of activity.
LP
Determine whether enabling of alarms or audits for layered products
conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ALPROHIBIT | Layered Product security alarms are enabled in violation of policy |
| ALREQUIRE | Layered Product security alarms are disabled in violation of policy |
| AUPROHIBIT | Layered Product security audits are enabled in violation of policy |
| AUREQUIRE | Layered Product security audits are disabled in violation of policy |
Description
As of V7.3 VMS does not provide a method to enable auditing or alarms
for these events.
Default policy
Enabling of Layered Product security alarms and audits
is neither prohibited nor required.
Customizing
Set limits to TRUE to establish a general prohibition of or
requirement for the enabling of Layered Product security alarms or
audits. Then establish exemptions for any individual
nodes which are not to be subjected to the general rule.
Selector
Limits
| Constraint | Value | Default |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE, TRUE or TRY | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE, TRUE or TRY | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE, TRUE or TRY | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE, TRUE or TRY | <node> |
Practical considerations
As of V7.3 VMS does not provide a method to
enable auditing or alarms for these events.
MOUNT
Determine whether auditing for issuance of MOUNT or DISMOUNT requests
conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ALPROHIBIT | MOUNT security alarms are enabled in violation of policy |
| ALREQUIRE | MOUNT security alarms are disabled in violation of policy |
| AUPROHIBIT | MOUNT security audits are enabled in violation of policy |
| AUREQUIRE | MOUNT security audits are disabled in violation of policy |
Description
Use of the qualifier /ENABLE=MOUNT with the SET AUDIT/ALARM
or SET AUDIT/AUDIT command causes
the corresponding reporting when mount or dismount requests are issued.
Default policy
Enabling of MOUNT security alarms and audits is neither
prohibited nor required.
Customizing
Set limits to TRUE
to establish a general prohibition of or requirement for the enabling
of MOUNT security auditing. Then establish exemptions
for any individual nodes which are not to be subjected to the general
rule.
Selector
Limits
| Constraint | Value | Default |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE or TRUE | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE, TRUE or TRY | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE or TRUE | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE, TRUE or TRY | <node> |
Practical considerations
Some sites choose to disable MOUNT security
alarms during system startup and system shutdown. Such actions will not
be detected by LJK/Security if they are done outside the period when
LJK/Security is running.
Note that LJK/Security may issue MOUNT requests in the course of its
own operations, causing additional alarms.