Ensure all command procedures are valid.
| Constraint | Nature of the violation |
|---|---|
| CHECKSUM | Some command procedure not checksummed in violation of policy |
Exemptions within the (DISK, CHECKSUM) element specify checksum values for particular files on disk. The test for the CHECKSUM constraint within this facility determines whether such an exemption has been established for all files on the system with a file type of .COM.
| Constraint | Value | Default |
|---|---|---|
| CHECKSUM | FALSE or TRUE | FALSE |
| Constraint | Value | Parameters |
|---|---|---|
| CHECKSUM | FALSE or TRUE | <node>,<filespec> |
Ensure all program images are valid.
| Constraint | Nature of the violation |
|---|---|
| CHECKSUM | Some image not checksummed in violation of policy |
Exemptions within the (DISK, CHECKSUM) element specify checksum values for particular files on disk. The test for the CHECKSUM constraint within this facility determines whether such an exemption has been established for all files on the system with a file type of .EXE.
| Constraint | Value | Default |
|---|---|---|
| CHECKSUM | FALSE or TRUE | FALSE |
| Constraint | Value | Parameters |
|---|---|---|
| CHECKSUM | FALSE or TRUE | <node>,<filespec> |
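The coverage test that the CHECKSUM constraint performs for .COM and .EXE files, worked through in Python as an added example that is not part of this manual or the tool it documents: every file of the given type on a node must have a (DISK, CHECKSUM) exemption established for it. The file list, the exemption values and the use of SHA-256 are constructed assumptions (the page does not name the tool's checksum algorithm), and the mismatch check for stale exemptions goes beyond the presence test the page describes.

```python
import hashlib

def digest(data):
    """Checksum of file contents. The page does not name the tool's algorithm; SHA-256 is assumed."""
    return hashlib.sha256(data).hexdigest()

# Constructed sample files for one node: (node, filespec) -> contents. Not from the page.
FILES = {
    ("NODE1", "SYS$SYSROOT:[SYSMGR]SYSTARTUP_VMS.COM"): b"$ @SYS$MANAGER:SYLOGIN\n",
    ("NODE1", "SYS$SYSROOT:[SYSMGR]SYLOGIN.COM"): b"$ SET NOVERIFY\n",
    ("NODE1", "SYS$SYSROOT:[SYSEXE]LOGINOUT.EXE"): b"\x00\x01image-bytes",
    ("NODE1", "SYS$SYSROOT:[SYSEXE]SHOW.EXE"): b"\x00\x02image-bytes",
    ("NODE1", "DISK$USER:[SMITH.NOTES]README"): b"neither .COM nor .EXE",
}
# Constructed (DISK, CHECKSUM) exemptions: (<node>,<filespec>) -> recorded checksum value.
EXEMPTIONS = {
    ("NODE1", "SYS$SYSROOT:[SYSMGR]SYSTARTUP_VMS.COM"): digest(b"$ @SYS$MANAGER:SYLOGIN\n"),
    ("NODE1", "SYS$SYSROOT:[SYSEXE]LOGINOUT.EXE"): digest(b"an earlier build"),   # stale value
}

def file_type(filespec):
    """File type of a VMS filespec: text after the last '.' of the name, ignoring ';version'."""
    name = filespec.split(";")[0].rsplit("]", 1)[-1]
    return name.rsplit(".", 1)[1].upper() if "." in name else ""

def checksum_violations(files, exemptions, ftype):
    """Return (missing, mismatched) lists of filespecs of the given type.
    missing: no exemption established -- the CHECKSUM test the page describes.
    mismatched: an exemption exists but its value no longer matches the contents (added check)."""
    missing, mismatched = [], []
    for (node, spec), contents in sorted(files.items()):
        if file_type(spec) != ftype:
            continue
        recorded = exemptions.get((node, spec))
        if recorded is None:
            missing.append(spec)
        elif recorded != digest(contents):
            mismatched.append(spec)
    return missing, mismatched
```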
Ensure that scanning for non-VMS malware is done.
| Constraint | Nature of the violation |
|---|---|
| MISSING | Antivirus definition files are missing |
| NOTRUNNING | Antivirus scanning is not running |
| NOTUNIQUE | Antivirus definition files exist in multiple locations |
| OUTOFDATE | Antivirus definition files are out of date |
While there is no pattern of existing VMS viruses and malware for which one would scan, some disciplines require VMS servers to scan for viruses and malware aimed at lesser operating systems. Currently these tests look for the Sophos Antivirus Scanner.
| Constraint | Value | Default |
|---|---|---|
| MISSING | FALSE or TRUE | FALSE |
| NOTRUNNING | FALSE or TRUE | FALSE |
| NOTUNIQUE | FALSE or TRUE | FALSE |
| OUTOFDATE | delta-time | +00:00:00.00 |
| Constraint | Value | Parameters |
|---|---|---|
| MISSING | FALSE or TRUE | <node>, <filespec> |
| NOTRUNNING | FALSE or TRUE | <node>, <filespec> |
| NOTUNIQUE | FALSE or TRUE | <node>, <filespec> |
| OUTOFDATE | delta-time | <node>, <filespec> |
Ensure that session lock controls conform to policy.
| Constraint | Nature of the violation |
|---|---|
| DECWINDOWS | Workstation screen lock inactivity timeout period is too long |
The test for constraint DECWINDOWS within this element looks at DECwindows control files to see the limit on inactive time before automatic session locking is invoked.
| Constraint | Value | Default |
|---|---|---|
| DECWINDOWS | 0-n (minutes) | 900 |
| Constraint | Value | Parameters |
|---|---|---|
| DECWINDOWS | 0-n (minutes) | <node>, <filespec> |
Ensure that backups are performed on all disks often enough to meet policy requirements.
| Constraint | Nature of the violation |
|---|---|
| ABSOLUTHI | Time since last backup exceeds the policy maximum. |
| MODIFIEDHI | Time since last backup exceeds the policy maximum and file has been modified since backup. |
Backups are a necessary part of most security plans, and this test ensures that they happen at least as frequently as the local policy requires. Violations DISK, BACKUP, ABSOLUTHI and MODIFIEDHI are not reported for files which were created since the beginning of the period during which a backup was required.
Violations DISK, BACKUP, ABSOLUTHI and MODIFIEDHI are not reported for files on CDROM disks, since even if backup were done on CDROM disks, it could not be recorded.
There are three backup-related elements within the DISK facility:
- BACKUP element: for constraints applicable to all disk files
- BACKUPDATA element: for constraints applicable to disk files not in SYS$SYSROOT:[*...]
- BACKUPSYS element: for constraints applicable to disk files in SYS$SYSROOT:[*...]
The practical upper limit for a precise count of days since the last backup of a file is 9999 (about 27 years). Specification of any larger number is considered to be "forever", or since the earliest date which can be represented in the VMS time format.
If you are only concerned that files get backed up once (as opposed to ensuring they are backed up regularly so that entire disk volumes can be restored), raise the limit or add exemptions for ABSOLUTHI.
A limit or exemption with a value of zero means that no value is considered unacceptable.
| Constraint | Value | Default |
|---|---|---|
| ABSOLUTHI | 0-n (days) | 30 |
| MODIFIEDHI | 0-n (days) | 30 |
| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTHI | 0-n (days) | <node>, <volume-name> |
| MODIFIEDHI | 0-n (days) | <node>, <volume-name> |
Testing performed for this element is based entirely on the backup date maintained by VMS. The VMS Backup program will only modify that date when the /RECORD qualifier is specified. Some sites use the /RECORD qualifier only for weekly full backups, while other sites use it for incremental backups as well. In order to fully understand the significance of backup dates it is necessary to consult with the system management staff for a particular machine to learn their procedures in this regard.
Ensure that backups are performed on data files often enough to meet policy requirements. (In this context the term "data files" refers to those not in the SYS$SPECIFIC:[*...] or SYS$COMMON:[*...] directory hierarchies.)
| Constraint | Nature of the violation |
|---|---|
| ABSOLUTHI | Time since last data disk backup exceeds the policy maximum. |
| MODIFIEDHI | Time since last data disk backup exceeds the policy maximum and at least one file has been modified since last backup. |
Backups are a necessary part of most security plans, and this test ensures that they happen at least as frequently as the local policy requires. Violations DISK, BACKUPDATA, ABSOLUTHI and MODIFIEDHI are not reported for files which were created since the beginning of the period during which a BACKUPDATA was required.
Violations DISK, BACKUPDATA, ABSOLUTHI and MODIFIEDHI are not reported for files on CDROM disks, since even if BACKUPDATA were done on CDROM disks, it could not be recorded.
There are three backup-related elements within the DISK facility:
- BACKUP element: for constraints applicable to all disk files
- BACKUPDATA element: for constraints applicable to disk files not in SYS$SYSROOT:[*...]
- BACKUPSYS element: for constraints applicable to disk files in SYS$SYSROOT:[*...]
The practical upper limit for a precise count of days since the last backup of a file is 9999 (about 27 years). Specification of any larger number is considered to be "forever", or since the earliest date which can be represented in the VMS time format.
If you are only concerned that files get backed up once (as opposed to ensuring they are backed up regularly so that entire disk volumes can be restored), raise the limit or add exemptions for ABSOLUTHI.
A limit or exemption with a value of zero means that no value is considered unacceptable.
| Constraint | Value | Default |
|---|---|---|
| ABSOLUTHI | 0-n (days) | 0 |
| MODIFIEDHI | 0-n (days) | 0 |
| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTHI | 0-n (days) | <node>, <volume-name> |
| MODIFIEDHI | 0-n (days) | <node>, <volume-name> |
Testing performed for this element is based entirely on the backup date maintained by VMS. The VMS backup program will only modify that date when the /RECORD qualifier is specified. Some sites use the /RECORD qualifier only for weekly full backups, while other sites use it for incremental backups as well. In order to fully understand the significance of backup dates it is necessary to consult with the system management staff for a particular machine to learn their procedures in this regard.
Ensure that backups are performed on system files often enough to meet policy requirements. (In this context the term "system files" refers to those in the SYS$SPECIFIC:[*...] or SYS$COMMON:[*...] directory hierarchies.)
| Constraint | Nature of the violation |
|---|---|
| ABSOLUTHI | Time since last system disk backup exceeds the policy maximum. |
| MODIFIEDHI | Time since last system disk backup exceeds the policy maximum and at least one file has been modified since last backup. |
Backups are a necessary part of most security plans, and this test ensures that they happen at least as frequently as the local policy requires. Violations DISK, BACKUPSYS, ABSOLUTHI and MODIFIEDHI are not reported for files which were created since the beginning of the period during which a BACKUPSYS was required.
Violations DISK, BACKUPSYS, ABSOLUTHI and MODIFIEDHI are not reported for files on CDROM disks, since even if BACKUPSYS were done on CDROM disks, it could not be recorded.
There are three backup-related elements within the DISK facility:
- BACKUP element: for constraints applicable to all disk files
- BACKUPDATA element: for constraints applicable to disk files not in SYS$SYSROOT:[*...]
- BACKUPSYS element: for constraints applicable to disk files in SYS$SYSROOT:[*...]
The practical upper limit for a precise count of days since the last backup of a file is 9999 (about 27 years). Specification of any larger number is considered to be "forever", or since the earliest date which can be represented in the VMS time format.
If you are only concerned that files get backed up once (as opposed to ensuring they are backed up regularly so that entire disk volumes can be restored), raise the limit or add exemptions for ABSOLUTHI.
A limit or exemption with a value of zero means that no value is considered unacceptable.
| Constraint | Value | Default |
|---|---|---|
| ABSOLUTHI | 0-n (days) | 0 |
| MODIFIEDHI | 0-n (days) | 0 |
| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTHI | 0-n (days) | <node>, <volume-name> |
| MODIFIEDHI | 0-n (days) | <node>, <volume-name> |
Testing performed for this element is based entirely on the backup date maintained by VMS. The VMS backup program will only modify that date when the /RECORD qualifier is specified. Some sites use the /RECORD qualifier only for weekly full backups, while other sites use it for incremental backups as well. In order to fully understand the significance of backup dates it is necessary to consult with the system management staff for a particular machine to learn their procedures in this regard.
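The ABSOLUTHI and MODIFIEDHI evaluation shared by the BACKUP, BACKUPDATA and BACKUPSYS elements, as an added Python example that is not the tool's own code: a zero limit disables a test, files on CDROM volumes and files created since the start of the period are never reported, BACKUPSYS versus BACKUPDATA is decided by the system root prefix, and MODIFIEDHI additionally requires a modification after the last recorded backup. The file records and limits are constructed; reading a limit above 9999 days as "has the file ever been backed up" is this example's interpretation of the page's "forever" wording.

```python
from datetime import datetime, timedelta
VMS_EPOCH = datetime(1858, 11, 17)      # earliest VMS date; a never-backed-up file carries it
SYSTEM_ROOTS = ("SYS$SPECIFIC:", "SYS$COMMON:", "SYS$SYSROOT:")
NOW = datetime(2024, 6, 1)
def ago(days): return NOW - timedelta(days=days)

# Constructed sample file records (not from the page).
FILES = [
    dict(spec="SYS$COMMON:[SYSEXE]LOGINOUT.EXE", backed_up=ago(10), created=ago(400), modified=ago(400), cdrom=False),
    dict(spec="SYS$SPECIFIC:[SYSMGR]SYLOGIN.COM", backed_up=ago(45), created=ago(400), modified=ago(20), cdrom=False),
    dict(spec="DISK$USER:[SMITH]REPORT.TXT", backed_up=ago(60), created=ago(400), modified=ago(90), cdrom=False),
    dict(spec="DISK$USER:[SMITH]NEW.TXT", backed_up=VMS_EPOCH, created=ago(5), modified=ago(5), cdrom=False),
    dict(spec="DISK$DOC:[MANUALS]GUIDE.PDF", backed_up=VMS_EPOCH, created=ago(400), modified=ago(400), cdrom=True),
    dict(spec="DISK$USER:[JONES]OLD.DAT", backed_up=VMS_EPOCH, created=ago(800), modified=ago(700), cdrom=False),
]
# Constructed limits in days; the page's defaults are 30/30 for BACKUP and 0/0 for the other two.
LIMITS = {"BACKUP": {"ABSOLUTHI": 30, "MODIFIEDHI": 30},
          "BACKUPSYS": {"ABSOLUTHI": 14, "MODIFIEDHI": 14},
          "BACKUPDATA": {"ABSOLUTHI": 0, "MODIFIEDHI": 10000}}   # 10000 > 9999: "forever"

def element_for(spec):
    """BACKUPSYS covers the system roots, BACKUPDATA everything else; BACKUP covers both."""
    return "BACKUPSYS" if spec.upper().startswith(SYSTEM_ROOTS) else "BACKUPDATA"

def exceeds(f, limit, now):
    """True when the file's last recorded backup is older than the policy maximum."""
    if limit > 9999:
        # "forever": only a file never backed up fails (this example's reading; no creation-date exemption)
        return f["backed_up"] <= VMS_EPOCH
    period_start = now - timedelta(days=limit)
    if f["created"] >= period_start:        # created since the period began: never reported
        return False
    return f["backed_up"] < period_start

def backup_violations(files, limits, now=NOW):
    """Return sorted (element, constraint, filespec) triples; a zero limit disables a test."""
    out = []
    for f in files:
        if f["cdrom"]:                      # a backup of a CDROM volume could not be recorded
            continue
        for element in ("BACKUP", element_for(f["spec"])):
            for constraint in ("ABSOLUTHI", "MODIFIEDHI"):
                limit = limits.get(element, {}).get(constraint, 0)
                if limit == 0 or not exceeds(f, limit, now):
                    continue
                if constraint == "MODIFIEDHI" and f["modified"] <= f["backed_up"]:
                    continue                # stale backup, but nothing changed since it was taken
                out.append((element, constraint, f["spec"]))
    return sorted(out)
```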
Test the protection of specified files.
| Constraint | Nature of the violation |
|---|---|
| ABSENT | File is absent in violation of policy |
| ABSOLUTLO | Access is narrower than permitted by policy |
| ABSOLUTHI | Access is wider than permitted by policy |
| ACLNOGEN | General identifier used in violation of policy |
| ACLNOSYS | System-defined identifier used in violation of policy |
| ACLNOUIC | UIC identifier used in violation of policy |
| ALFPROHIB | Alarm ACE for failure is present in violation of policy |
| ALFREQUIRE | Alarm ACE for failure is absent in violation of policy |
| ALSPROHIB | Alarm ACE for success is present in violation of policy |
| ALSREQUIRE | Alarm ACE for success is absent in violation of policy |
| AUFPROHIB | Audit ACE for failure is present in violation of policy |
| AUFREQUIRE | Audit ACE for failure is absent in violation of policy |
| AUSPROHIB | Audit ACE for success is present in violation of policy |
| AUSREQUIRE | Audit ACE for success is absent in violation of policy |
| BACKUPABS | Time since last file backup exceeds the policy maximum. |
| BACKUPMOD | Time since last file backup exceeds the policy maximum and the file has been modified since last backup. |
| LOCATION | File is in an improper location |
| LOGPROHIB | System logical name is present in violation of policy |
| LOGREQUIRE | System logical name is absent in violation of policy |
| MODBEFORE | File modification date is later than allowed by policy |
| OWNER | Fewer users can access than permitted by policy |
| PERCENTLO | Fewer users can access than permitted by policy |
| PERCENTHI | More users can access than permitted by policy |
| PRESENT | File is present in violation of policy |
| SHRPROHIB | File is shared between nodes in violation of policy |
| SHRREQUIRE | File is not shared between nodes in violation of policy |
| SUBSYSNO | File is designated as a protected subsystem in violation of policy |
| SUBSYSYES | File is not designated as a protected subsystem in violation of policy |
| VERSIONMAX | File version number is higher than allowed by policy |
This element tests protection of specific files for which you want tighter control than general files on the system. It is also the only element that tests for the presence (or absence) of particular audit or alarm ACEs (access control entries) within an ACL (access control list). There are nine types of tests included:
- Basic file protection tests ABSOLUT%% and PERCENT%%: for certain files you may require tighter protection than your general standards.
- Identifier ACE tests ACLNO%%%: use of UIC identifiers directly in access control lists leads to problems if user responsibilities change, since control of the access they have been granted is distributed throughout the system. The purpose of this test is to ensure that identifiers used in Identifier Access Control Entries are of acceptable types. In addition, for certain files you might want to prohibit all forms of ACL-based access.
- Alarm and Audit ACE tests AL* and AU* (for failure and success audits): auditing, coupled with review of the audit logs, is the only defense against access by highly privileged users. But in some cases, even for files that are not tightly protected, you might want to audit access to ensure you have a record of how they are used.
- File presence tests ABSENT and PRESENT: other CHECKPROT tests only report on files that exist, so if it is crucial that a file exist, also use the PRESENT test.
- Backup date tests BACKUPABS and BACKUPMOD: tests (DISK, BACKUP, ABSOLUTHI) and (DISK, BACKUP, MODIFIEDHI) determine whether files meet a general standard, but these CHECKPROT tests can be used for files that must meet a more exacting standard.
- File change test MODBEFORE: checks the modification date of specified files.
- Ownership test OWNER: tests the ownership of specified files.
- Subsystem tests SUBSYSNO and SUBSYSYES: test whether specified files have been granted Subsystem identifiers.
- Version test VERSIONMAX: tests whether specified files have a version number that is too high. Many applications will fail if the version number reaches 32767, so the goal is to catch such problems before then.
This element uses limits and exemptions in a different fashion than other elements. Limits are ignored for the CHECKPROT element.
- For most tests, each file to be tested must be specified in an exemption, with the desired value.
- For tests LOGPROHIB and LOGREQUIRE, each logical name to be tested must be specified in an exemption, with the desired value.
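The ABSOLUTHI and ABSOLUTLO protection tests of CHECKPROT, as an added Python example that is not the tool's own code: each file is named in an exemption together with the widest (ABSOLUTHI) or narrowest (ABSOLUTLO) VMS protection code the policy allows, and only files that exist are compared, as the element's presence rule states. The exemption entries and the current protection codes are constructed samples; the SOGW:RWED protection code syntax is standard VMS.

```python
CATEGORIES = ("S", "O", "G", "W")   # System, Owner, Group, World
ACCESS = "RWED"                     # Read, Write, Execute, Delete

def parse_protection(code):
    """Parse a VMS protection code such as 'S:RWED,O:RWED,G:RE,W:' into {category: set(bits)}."""
    prot = {c: set() for c in CATEGORIES}
    for field in code.upper().replace(" ", "").split(","):
        if not field:
            continue
        cat, _, bits = field.partition(":")
        if cat not in prot or any(b not in ACCESS for b in bits):
            raise ValueError(f"bad protection field: {field!r}")
        prot[cat] = set(bits)
    return prot

def violates(actual, constraint, policy):
    """ABSOLUTHI: some access bit is granted that the policy does not permit (wider).
    ABSOLUTLO: some access bit the policy requires is missing (narrower)."""
    a, p = parse_protection(actual), parse_protection(policy)
    if constraint == "ABSOLUTHI":
        return any(a[c] - p[c] for c in CATEGORIES)
    if constraint == "ABSOLUTLO":
        return any(p[c] - a[c] for c in CATEGORIES)
    raise ValueError(f"unsupported constraint: {constraint}")

# Constructed exemptions, one per file and constraint, as the element requires (not from the page).
EXEMPTIONS = [
    ("NODE1", "SYS$SYSTEM:SYSUAF.DAT", "ABSOLUTHI", "S:RWED,O:RWED,G:,W:"),
    ("NODE1", "SYS$SYSTEM:SYSUAF.DAT", "ABSOLUTLO", "S:RW,O:RW,G:,W:"),
    ("NODE1", "SYS$MANAGER:SYLOGIN.COM", "ABSOLUTHI", "S:RWED,O:RWED,G:RE,W:RE"),
    ("NODE1", "SYS$MANAGER:SYLOGIN.COM", "ABSOLUTLO", "S:RE,O:RE,G:RE,W:RE"),
    ("NODE1", "SYS$MANAGER:MISSING.COM", "ABSOLUTHI", "S:RWED,O:RWED,G:,W:"),
]
# Constructed current protection codes; MISSING.COM does not exist and so is not tested.
ACTUAL = {
    ("NODE1", "SYS$SYSTEM:SYSUAF.DAT"): "S:RWED,O:RWED,G:RE,W:",    # group can read: wider than policy
    ("NODE1", "SYS$MANAGER:SYLOGIN.COM"): "S:RWED,O:RWED,G:RE,W:",  # world has nothing: narrower
}

def checkprot_violations(actual, exemptions):
    """Return (constraint, filespec) pairs; files absent from `actual` are skipped."""
    out = []
    for node, spec, constraint, policy in exemptions:
        current = actual.get((node, spec))
        if current is not None and violates(current, constraint, policy):
            out.append((constraint, spec))
    return out
```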