LJK/Security Reference Manual

Except for test PRESENT, if the specified file cannot be found (status codes RMS$_FNF, RMS$_NMF, RMS$_DNF and RMS$_DEV) it is not considered a violation. This eases the task of maintaining policies to cover multiple nodes.

Default policy

The default value for the limits is meaningless since testing is driven by the exemptions

Customizing

Without customization, this element has no effect. Add an exemption for each file which you want tested, specifying the proper value as the value for the exemption

Selector

Exemptions for constraints:

ALFPROHIB
ALFREQUIRE
ALSPROHIB
ALSREQUIRE
AUFPROHIB
AUFREQUIRE
AUSPROHIB
AUSREQUIRE
PERCENTLO
PERCENTHI

can take a selector consisting of a VMS file access type: READ, WRITE, EXECUTE, DELETE or CONTROL.

Thus, each such exemption can be set once for each possible access type. If no selector is specified with the command interface, customization commands apply to all possible selector values.

Limits

Constraint	Value	Default
ABSENT	Any Protection	(S,O,G,W)
ABSOLUTLO	Any Protection	(S,O,G,W)
ABSOLUTHI	Any Protection	(S:RWED,O:RWED,G:RWED,W:RWED)
ACLNOGEN	FALSE or TRUE	FALSE
ACLNOSYS	FALSE or TRUE	FALSE
ACLNOUIC	FALSE or TRUE	FALSE
ALFPROHIB	FALSE or TRUE	FALSE
ALFREQUIRE	FALSE or TRUE	FALSE
ALSPROHIB	FALSE or TRUE	FALSE
ALSREQUIRE	FALSE or TRUE	FALSE
AUFPROHIB	FALSE or TRUE	FALSE
AUFREQUIRE	FALSE or TRUE	FALSE
AUSPROHIB	FALSE or TRUE	FALSE
AUSREQUIRE	FALSE or TRUE	FALSE
BACKUPABS	delta-time	+00:00:00.00
BACKUPMOD	delta-time	+00:00:00.00
LOCATION	resultant-filespec	none
LOGPROHIB	FALSE or TRUE	FALSE
LOGREQUIRE	FALSE or TRUE	FALSE
MODBEFORE	absolute-time	+00:00:00.00
PERCENTLO	0-100	R:0,W:0,E:0,D:0,C:0
PERCENTHI	0-100	R:100,W:100,E:100,D:100,C:100
OWNER	Identifier	[SYSTEM]
SHRPROHIB	FALSE or TRUE	FALSE
SHRREQUIRE	FALSE or TRUE	FALSE
SUBSYSNO	FALSE or TRUE	FALSE
SUBSYSYES	FALSE or TRUE	FALSE
VERSIONMAX	0-32767	0

Exemptions

Constraint	Value	Parameters
ABSENT	Any Protection	<node>,<filespec>
ABSOLUTLO	Any Protection	<node>,<filespec>
ABSOLUTHI	Any Protection	<node>,<filespec>
ACLNOGEN	FALSE or TRUE	<node>, <filespec>
ACLNOSYS	FALSE or TRUE	<node>, <filespec>
ACLNOUIC	FALSE or TRUE	<node>, <filespec>
ALFPROHIB	FALSE or TRUE	<node>,<filespec>
ALFREQUIRE	FALSE or TRUE	<node>,<filespec>
ALSPROHIB	FALSE or TRUE	<node>,<filespec>
ALSREQUIRE	FALSE or TRUE	<node>,<filespec>
AUFPROHIB	FALSE or TRUE	<node>,<filespec>
AUFREQUIRE	FALSE or TRUE	<node>,<filespec>
AUSPROHIB	FALSE or TRUE	<node>,<filespec>
AUSREQUIRE	FALSE or TRUE	<node>,<filespec>
BACKUPABS	delta-time	<node>,<filespec>
BACKUPMOD	delta-time	<node>,<filespec>
LOCATION	resultant-filespec	<node>,<file-expression>
LOGPROHIB	FALSE or TRUE	<node>,<logical-name>
LOGREQUIRE	FALSE or TRUE	<node>,<logical-name>
MODBEFORE	absolute-time	<node>,<filespec>
OWNER	Identifier	<node>,<filespec>
PERCENTLO	0-100	<node>,<filespec>
PERCENTHI	0-100	<node>,<filespec>
SHRPROHIB	FALSE or TRUE	<node>,<file-expression>
SHRREQUIRE	FALSE or TRUE	<node>,<file-expression>
SUBSYSNO	FALSE or TRUE	<node>,<filespec>
SUBSYSYES	FALSE or TRUE	<node>,<filespec>
VERSIONMAX	0-32767	<node>,<filespec>

Practical considerations

The values for limits within the CHECKPROT element are immaterial, since all testing is based on exemptions. The default values above are set merely to demonstrate the "do not care" value.

CHECKSUM

Test the integrity of specified files.

Violation reports

Constraint	Nature of the violation
SHA1	SHA-1 checksum value does not match
SIMPLE	Simple checksum value does not match
SITE	Site-specific checksum value does not match

Description

This element uses limits and exemptions in a different fashion than most. Each file to be tested must be specified in an exemption, where the value associated with the exemption is a string of hexadecimal characters representing the proper checksum value. The value associated with the limit can be used as an initialization vector for the checksum algorithm. No such use is made for the SHA1 or SIMPLE tests, so this capability is only presently meaningful for the SITE test.
If the specified file cannot be found (status codes RMS$_FNF, RMS$_NMF, RMS$_DNF and RMS$_DEV) it is not considered a violation. This eases the task of maintaining policies to cover multiple nodes.
Test SIMPLE provides a very simple checksum routine which could be fooled by a skilled attacker who crafted their file modifications so as not to change the resulting checksum value.
Test SHA-1 provides a true cryptographic checksum, giving detection of not only inadvertent but also malicious manipulation of images by a skilled attacker. There is a price to be paid in execution time, however, since on a fast VAX running the SHA1 test across all images provided as part of VMS takes about 2 hours, while doing the same thing with the SIMPLE test takes about 2 minutes.
In special circumstances, some sites prefer to use a cryptographic checksum of their own design. Test SITE provides for a site-specified checksum algorithm. For information on how to provide a site-specific checksum algorithm, refer to Section 9.3.3,LJK$SECURITY_SITE_CHECKSUM callout.

Default policy

The default value for the limit is the null string

Customizing

Without customization, this element has no effect. Add an exemption for each file which you want checksummed, specifying the proper value as the value for the exemption.

When the tests

(DISK, ALLCOM, CHECKSUM)
(DISK, ALLEXE, CHECKSUM)
(DISK, INSTALLED, CHECKSUM)
(DISK, INSTPRIV, CHECKSUM)
(DISK, INSTPROT, CHECKSUM)
(DISK, SUBSYSTEM, CHECKSUM)
(DISK, SYSCOM, CHECKSUM)
(DISK, SYSEXE, CHECKSUM)

are performed, they will report a violation for files they encounter that are not specified in a (DISK, CHECKSUM, *) exemption

Selector

Limits

Constraint	Value	Default
SHA1	0-254 hexadecimal characters (even number)	null string
SIMPLE	0-254 hexadecimal characters (even number)	null string
SITE	0-254 hexadecimal characters (even number)	null string

Exemptions

Constraint	Value	Parameters
SHA1	0-254 hexadecimal characters (even number)	<node>,filespec
SIMPLE	0-254 hexadecimal characters (even number)	<node>,filespec
SITE	0-254 hexadecimal characters (even number)	<node>,filespec

Practical considerations

Updating exemptions to correspond to changes caused by authorized updates is a considerable effort, which should only be undertaken by sites which are willing to invest the time required.

For sites which are interested in such a high level of security, the list of installed images is a good starting list, since they are declared "trusted" by installing them. For those images that come as part of VMS, command procedures to set a policy up are described in Appendix K, Creating Policies Based on Examples. Added to that list should be any other programs run by privileged users.

LJK Software makes no claims regarding the stability of executable images on a typical VMS system. In the past, some VMS images have undergone regular modification as a part of normal operation. In particular, this is true of the SYS.EXE image on VAX.

CLUSTER

Ensure that cluster configuration conforms to local policy.

Violation reports

Constraint	Nature of the violation
MINLATENCY	Latency between nodes handling disk volumes is so low that disaster tolerance is undercut

Description

This is a per-disk test regarding cluster configuration.

Default policy

Use of Shadowing or separation is not required

Customizing

Set the limit for (DISK, CLUSTER, SHADOWDATA) to TRUE in order to require all non-system disk volumes to be shadowed.

Set the limit for (DISK, CLUSTER, MINLATENCY) to specify how far away members of the shadow set must be from each other

Selector

Limits

Constraint	Value	Default
MINLATENCY	0-n milliseconds

Exemptions

Constraint	Value	Parameters
MINLATENCY	0-n milliseconds	<node>,<volume-name>

Practical considerations

Latency may vary with transmission facilities, but it will never be less than constrained by the speed of light to travel that distance.

DBMSPROT

Ensure that protections on all DEC DBMS files fall within the restrictions set by policy. DEC DBMS files in this context are all of those with the following file types:

.ROO
.DBS
.AIJ

Violation reports

Constraint	Nature of the violation
ABSOLUTLO	Access is narrower than permitted by policy
ABSOLUTHI	Access is wider than permitted by policy
NOSYSOWNER	File is owned by a system UIC in violation of policy
PERCENTLO	Fewer users can access than permitted by policy
PERCENTHI	More users can access than permitted by policy
SYSOWNER	File is not owned by a system UIC in violation of policy
VERSIONMAX	File version number is higher than allowed by policy

Description

DEC DBMS files are normally protected to allow only SYSTEM access, so that even the owner of the database must use DBMS access methods.
The ABSOLUTLO and ABSOLUTHI tests measure the UIC-based protection mask directly. The PERCENTLO and PERCENTHI tests measure the result of protection (including ACL protection) in terms of the percentage of usernames given access (ignoring usernames that have been disabled).
Violations for protection-related DISK facility elements are not reported regarding only the writeability of CDROM disks since the apparent writeability is just an illusion.

Default policy

The DEC DBMS file protection setting must allow only the system to read and write the DEC DBMS files.

By default, a minimum of 0 percent of users must have access and a maximum of 1 percent of users may have READ, WRITE and CONTROL access, and a maximum of 0 percent of users may have other forms of access

Customizing

DEC DBMS access is normally granted only through access control lists within the database, so there should be no need to customize the default limits for this element. selector Limits for constraints PERCENTLO and PERCENTHI can take a selector consisting of a VMS file access type: READ, WRITE, EXECUTE, DELETE or CONTROL. If no selector is specified, customization commands apply to all possible selector values.

Limits

Constraint	Value	Default
ABSOLUTLO	Any Protection	(S:RW,O,G,W)
ABSOLUTHI	Any Protection	(S:RW,O,G,W)
NOSYSOWNER	FALSE or TRUE	FALSE
PERCENTLO	0-100	0
PERCENTHI	0-100	R:1,W:1,E:0,D:0,C:1
SYSOWNER	FALSE or TRUE	FALSE
VERSIONMAX	0-32767	0

Exemptions

Constraint	Value	Parameters
ABSOLUTLO	Any Protection	<node>,<filespec>
ABSOLUTHI	Any Protection	<node>,<filespec>
NOSYSOWNER	FALSE or TRUE	<node>,<filespec>
PERCENTLO	0-100	<node>,<filespec>
PERCENTHI	0-100	<node>,<filespec>
SYSOWNER	FALSE or TRUE	<node>,<filespec>
VERSIONMAX	0-32767	<node>,<filespec>

Practical considerations

Some file types overlap between DEC DBMS and Rdb/VMS, but the default limits for the two elements (DISK, DBMSPROT and DISK, RDBVMSPROT) also match, so except for the unlikely event that customization is required there should be no conflict.

DIRPROT

Ensure that protections on all directories fall within the restrictions set by policy.

Violation reports

Constraint	Nature of the violation
ABSOLUTLO	Access is narrower than permitted by policy
ABSOLUTHI	Access is wider than permitted by policy
NOSYSOWNER	File is owned by a system UIC in violation of policy
PERCENTLO	Fewer users can access than permitted by policy
PERCENTHI	More users can access than permitted by policy
SYSOWNER	File is not owned by a system UIC in violation of policy
VERSIONMAX	File version number is higher than allowed by policy

Description

If a directory's protection setting is not restrictive enough, unauthorized users will be able to read, write, execute, or delete the directory in question. If the setting is too restrictive, users generally find a less acceptable way of sharing information to get their job done. Typically, they share their password or make an unauthorized copy of the files within the directory somewhere else.
The purpose of this test is to ensure that directory protection settings are within the limits set by the security manager.
The ABSOLUTLO and ABSOLUTHI tests measure the UIC-based protection mask directly. The PERCENTLO and PERCENTHI tests measure the result of protection (including ACL protection) in terms of the percentage of usernames given access (ignoring usernames that have been disabled).
Violations for protection-related DISK facility elements are not reported regarding only the writeability of CDROM disks since the apparent writeability is just an illusion.

Default policy

The directory protection setting must allow at least the system to read, write, and execute the directory. By default, the weakest acceptable directory setting allows the system and owner to read, write, execute, and delete the directory, and also allows other users in the owner's UIC group to read and execute the directory. By default, other users outside the owner's group are allowed only execute access to the directory.

By default, a minimum of 0 percent of users must have access and a maximum of 10 percent of users may have READ, WRITE, DELETE and CONTROL access while a maximum of 100 percent may have EXECUTE access

Customizing

Limits for constraints ABSOLUTLO and ABSOLUTHI take the same form as a standard VMS file protection setting. The syntax for this is explained in some detail in VMS documentation. The default settings shown in the limits table below are good examples of how to specify which class of users are allowed which type of access. These are the codes involved:

S=System account (or users with the SYSPRV privilege)
O=Owner of the file
G=Group (i.e., other users in the same UIC group as the owner)
W=World (i.e., all other users)

R=Read
W=Write
E=Execute
D=Delete

selector Limits for constraints PERCENTLO and PERCENTHI can take a selector consisting of a VMS file access type: READ, WRITE, EXECUTE, DELETE or CONTROL. If no selector is specified, customization commands apply to all possible selector values.

Limits

Constraint	Value	Default
ABSOLUTLO	Any Protection	(S:RWE,O,G,W)
ABSOLUTHI	Any Protection	(S:RWED,O:RWED,G:RE,W)
NOSYSOWNER	FALSE or TRUE	FALSE
PERCENTLO	0-100	0
PERCENTHI	0-100	R:10,W:10,E:100,D:10,C:10
SYSOWNER	FALSE or TRUE	FALSE
VERSIONMAX	0-32767	0

Exemptions

Constraint	Value	Parameters
ABSOLUTLO	Any Protection	<node>,<filespec>
ABSOLUTHI	Any Protection	<node>,<filespec>
NOSYSOWNER	FALSE or TRUE	<node>,<filespec>
PERCENTLO	0-100	<node>,<filespec>
PERCENTHI	0-100	<node>,<filespec>
SYSOWNER	FALSE or TRUE	<node>,<filespec>
VERSIONMAX	0-32767	<node>,<filespec>

Practical considerations

File protection is an area which usually cannot be managed at arm's length from individual users and applications. Departments or people who depend on each other for data frequently will need some assistance in working out a protection scheme that allows this to take place without opening the files up to all users. Be sure to consider Access Control Lists (which explicitly name the users who can access a given file) if you find yourself getting painted into a corner with simple file protection settings. See the VMS system manager's documentation for details.

DISKMOUNT

Ensure that only authorized disks have been mounted.

Violation reports

Constraint	Nature of the violation
GRPFORBID	Unauthorized disk was mounted /GROUP
SYSFORBID	Unauthorized disk was mounted /SYSTEM
USERFORBID	Unauthorized disk was mounted privately

Description

These tests ensure than any previously mounted disks had authorized names (as indicated by the presence of an exemption).

Default policy

By default (USAGE,DISKMOUNT,*) tests are not enabled

Customizing

Exemptions for (DISK,DISKMOUNT,*) tests are also honored for (USAGE,DISKMOUNT,*) tests.

Contents

Index