LJK/Security Reference Manual
Previous Contents Index

INSTPRIV

Ensure that unauthorized images are not installed with privilege.

Violation reports

Constraint Nature of the violation
CHECKSUM Image installed with privilege not checksummed in violation of policy
PRIVPROHIB Image installation with privilege in violation of policy
ABSOLUTHI Image installation at higher level than maximum in the policy

Description

Installation of an executable image with privilege allows unprivileged users to perform privileged operations when running the program. Such programs must be carefully constructed to ensure that only the designed functions can be performed. Installation of a program with privilege when it was not designed to be installed with privilege is a major security hazard. This test can be used to ensure that only authorized programs are installed with privilege.

Exemptions within the (DISK, CHECKSUM) element specify checksum values for particular files on disk. The test for the CHECKSUM constraint within this facility determines whether such an exemption has been established for all files on the system that are installed with privilege.

Default policy

Installing images with privilege is not prohibited

Customizing

Setting limits should be accompanied by establishment of corresponding exemptions for images whose installation with privilege is acceptable (many of which are supplied by VMS and layered products). selector Limits and exemptions for test PRIVPROHIB can take a selector consisting of a privilege name.

Thus, it can be set once for each possible privilege. When using the Command Interface if you do not specify a selector when changing the limit or exemptions your change applies to all privileges.

Limits

Constraint Value Default
CHECKSUM FALSE or TRUE FALSE
PRIVPROHIB FALSE or TRUE FALSE
ABSOLUTHI Category-None---Category-All Category-All

Exemptions

Constraint Value Parameters
CHECKSUM FALSE or TRUE <node>,<filespec>
PRIVPROHIB FALSE or TRUE <node>,<filespec>
ABSOLUTHI Category-None---Category-All <node>,<filespec>

Practical considerations

Tracking all images allowed to be installed with privilege can be a considerable effort.

The test ABSOLUTHI is sufficient to express simpler limitations based on privilege level.

If a more complicated selection of privileges is required, it may be necessary to use the test PRIVPROHIB.

INSTPROT

Ensure that unauthorized images are not installed as protected.

Violation reports

Constraint Nature of the violation
CHECKSUM Image installed as protected not checksummed in violation of policy
PROHIBITED Image installation as protected in violation of policy

Description

Installation of a shareable image as protected enables any user-written system services it contains so they can execute in Executive or Kernel mode and thus gain access to privileges. This test can be used to ensure that only authorized programs are installed as protected.

Exemptions within the (DISK, CHECKSUM) element specify checksum values for particular files on disk. The test for the CHECKSUM constraint within this facility determines whether such an exemption has been established for all files on the system that are installed as protected.

Default policy

Installation of images as protected is not prohibited

Customizing

Setting the DISK_INSTPROT_PROHIBITED limit TRUE should be accompanied by establishment of corresponding exemptions for images whose installation as protected is acceptable (many of which are supplied by VMS and layered products)

Selector

Limits

Constraint Value Default
CHECKSUM FALSE or TRUE FALSE
PROHIBITED FALSE or TRUE FALSE

Exemptions

Constraint Value Parameters
CHECKSUM FALSE or TRUE <node>,<filespec>
PROHIBITED FALSE or TRUE <node>,<filespec>

Practical considerations

These images are also known as "privileged shareable images". Tracking all images allowed to be installed as protected can be a considerable effort.

INSTUSRDIR

Ensure that images are not installed from directories writable by unprivileged users.

Violation reports

Constraint Nature of the violation
PROHIBITED Image Installation from user directory in violation of policy

Description

Installation of an image from a directory tree which can be written by an unprivileged user (that is, one without the privileges required to install images) allows that user to subvert the installation process by substituting a different image before the next system boot (since installation is generally done automatically on boot).

Default policy

Installation of images from user directories is prohibited

Customizing

Customizing to permit certain images to be installed from user directories is generally inappropriate

Selector

Limits

Constraint Value Default
PROHIBITED FALSE or TRUE TRUE

Exemptions

Constraint Value Parameters
PROHIBITED FALSE or TRUE <node>,<filespec>

Practical considerations

There may be complaints for cases where certain images are being installed only for performance reasons. In such cases, a mechanism for turning those programs over to system administrators when they are revised should be devised. Such mechanism should obviously include code review for security purposes. This is an unfortunate situation, but VMS does not distinguish between images installed for performance purposes and images installed for security purposes.

INSTUSRFIL

Ensure that images which can be written by unprivileged users are not installed.

Violation reports

Constraint Nature of the violation
PROHIBITED Installation of user image in violation of policy

Description

Installation of an image which can be written by an unprivileged user (that is, one without the privileges required to install images) allows that user to subvert the installation process by substituting a different image before the next system boot (since installation is generally done automatically on boot).

Default policy

Installation of images writable by unprivileged users is prohibited

Customizing

Customizing to permit certain images to be installed when writable by unprivileged users is generally inappropriate

Selector

Limits

Constraint Value Default
PROHIBITED FALSE or TRUE TRUE

Exemptions

Constraint Value Parameters
PROHIBITED FALSE or TRUE <node>,<filespec>

Practical considerations

There may be complaints for cases where certain images are being installed only for performance reasons. In such cases, a mechanism for turning those programs over to system administrators when they are revised should be devised. Such mechanism should obviously include code review for security purposes. This is an unfortunate situation, but VMS does not distinguish between images installed for performance purposes and images installed for security purposes.

MAILPROT

Ensure that protections on all mail files fall within the restrictions set by policy.

Violation reports

Constraint Nature of the violation
ABSOLUTLO Access is narrower than permitted by policy
ABSOLUTHI Access is wider than permitted by policy
NOSYSOWNER File is owned by a system UIC in violation of policy
PERCENTLO Fewer users can access than permitted by policy
PERCENTHI More users can access than permitted by policy
SYSOWNER File is not owned by a system UIC in violation of policy
VERSIONMAX File version number is higher than allowed by policy

Description

If a mail file's protection setting is not restrictive enough, unauthorized users will be able to read, write, execute, or delete the mail file in question. If the setting is too restrictive, users generally find a less acceptable way of sharing information to get their job done. Typically, they share their password or make an unauthorized copy of the mail file somewhere else.

The purpose of this test is to ensure that mail file protection settings are within the limits set by the security manager.

The ABSOLUTLO and ABSOLUTHI tests measure the UIC-based protection mask directly. The PERCENTLO and PERCENTHI tests measure the result of protection (including ACL protection) in terms of the percentage of usernames given access (ignoring usernames that have been disabled).

Violations for protection-related DISK facility elements are not reported regarding only the writeability of CDROM disks since the apparent writeability is just an illusion.

Default policy

Mail files do not have a system user.

The mail file protection setting must allow at least the system to read and write the file. By default, the weakest acceptable mail file setting allows the system and owner to read and write the mail file. By default, other users are allowed NO access to the mail file.

By default, a minimum of 0 percent of user must have access and a maximum of 1 percent of users may have access

Customizing

Limits for constraints ABSOLUTLO and ABSOLUTHI take the same form as a standard VMS file protection setting. The syntax for this is explained in some detail in VMS documentation. The default settings shown in the limits table below are good examples of how to specify which class of users are allowed which type of access. These are the codes involved: selector Limits for constraints PERCENTLO and PERCENTHI can take a selector consisting of a VMS file access type: READ, WRITE, EXECUTE, DELETE or CONTROL. If no selector is specified, customization commands apply to all possible selector values.

Limits

Constraint Value Default
ABSOLUTLO Any Protection (S:RW,O:RW,G,W)
ABSOLUTHI Any Protection (S:RW,O:RW,G,W)
NOSYSOWNER FALSE or TRUE TRUE
PERCENTLO 0-100 0
PERCENTHI 0-100 1
SYSOWNER FALSE or TRUE FALSE
VERSIONMAX 0-32767 0

Exemptions

Constraint Value Parameters
ABSOLUTLO Any Protection <node>, <volume-name>
ABSOLUTHI Any Protection <node>, <volume-name>
NOSYSOWNER FALSE or TRUE <node>,<filespec>
PERCENTLO Percent/0-n <node>, <device-name>
PERCENTHI Percent/0-n <node>, <device-name>
SYSOWNER FALSE or TRUE <node>,<filespec>
VERSIONMAX 0-32767 <node>,<filespec>

Practical considerations

There is generally no need for sharing access to mail files, but in certain cases an exemption may be in order.

NOTESPROT

Ensure that DECnotes conference files are protected within the limits set by the security policy.

Violation reports

Constraint Nature of the violation
ABSOLUTLO Access is narrower than permitted by policy
ABSOLUTHI Access is wider than permitted by policy
NOSYSOWNER File is owned by a system UIC in violation of policy
PERCENTLO Fewer users can access than permitted by policy
PERCENTHI More users can access than permitted by policy
SYSOWNER File is not owned by a system UIC in violation of policy
VERSIONMAX File version number is higher than allowed by policy

Description

DECnotes conferences have special protection setting requirements in order to remain secure. Although nominally such conferences can be written to by multiple users, the secure method of using DECnotes involves forcing use of the DECnotes server so that modification of conference files is only done through the DECnotes software rather than some other program possible written for the purpose.

The purpose of this test is to ensure that DECnotes server use is required in order to write to conferences.

The ABSOLUTLO and ABSOLUTHI tests measure the UIC-based protection mask directly. The PERCENTLO and PERCENTHI tests measure the result of protection (including ACL protection) in terms of the percentage of usernames given access (ignoring usernames that have been disabled).

Violations for protection-related DISK facility elements are not reported regarding only the writeability of CDROM disks since the apparent writeability is just an illusion.

Notes files are owned by a system UIC.

Default policy

The most restrictive permitted setting will allow only users with SYSPRV privilege to Read, Write, Execute, or Delete the conference. Also, by default, the least restrictive permitted setting will allow the owner and users with SYSPRV privilege to Read, Write, Execute, or Delete the conference. Access by other users to DECnotes conferences is done by invocation of the DECnotes server image, in accordance with internal DECnotes data regarding which users are allowed access. The DECnotes server runs in an account which has Access Control List entries associated with properly protected DECnotes conference files.

By default, a minimum of 0 percent of users must have access and a maximum of 10 percent of users may have access

Customizing

Minimum and maximum settings (i.e., least protective and most protective settings) can be set by using the same syntax as that used for file protection. See the default settings in the limits table below for examples of the syntax used in these settings. For details, see the VMS documentation set. selector Limits for constraints PERCENTLO and PERCENTHI can take a selector consisting of a VMS file access type: READ, WRITE, EXECUTE, DELETE or CONTROL. If no selector is specified, customization commands apply to all possible selector values.

Limits

Constraint Value Default
ABSOLUTLO Any Protection (S:RW,O,G,W)
ABSOLUTHI Any Protection (S:RWED,O:RWED,G,W)
NOSYSOWNER FALSE or TRUE FALSE
PERCENTLO 0-100 0
PERCENTHI 0-100 10
SYSOWNER FALSE or TRUE TRUE
VERSIONMAX 0-32767 0

Exemptions

Constraint Value Parameters
ABSOLUTLO Any Protection <node>, <filespec>
ABSOLUTHI Any Protection <node>, <filespec>
NOSYSOWNER FALSE or TRUE <node>,<filespec>
PERCENTLO 0-100 <node>, <filespec>
PERCENTHI 0-100 <node>, <filespec>
SYSOWNER FALSE or TRUE <node>,<filespec>
VERSIONMAX 0-32767 <node>,<filespec>

Practical considerations

Access Control Lists are required for granting access through the DECnotes server. See the DECnotes documentation for details.

OWNER

Ensure that the ownership of each disk volume complies with the security policy.

Violation reports

Constraint Nature of the violation
WRONG Owner of the disk volume is not the system

Description

If an individual user is the owner of a disk volume, he can make it unavailable to other users, which is not the usual arrangement in timesharing systems. On the other hand, he can make it available to other users to store their data, but the owner of the disk is the de facto owner of that data, regardless of whether its creators are aware of that. To meet special needs, this can be a desirable situation, but the security manager should be aware of it.

The purpose of this test is to make sure that the security manager is aware of any disks that have non-system ownership.

For limits only (not exemptions), owner matching string of [SYSTEM] will match (as a special case) against UIC's which are represented as [1,4] (due, for instance, to absence of a Rights Database (RIGHTSLIST.DAT)).

Default policy

The owner of every disk volume must be the system

Customizing

An alternative owner can be specified for any disk volume by setting an exemption. It is also possible to change the standard owner to be some account other than the system, by changing the limit for this test

Selector

Limits

Constraint Value Default
WRONG Any Identifier [SYSTEM]

Exemptions

Constraint Value Parameters
WRONG Any Identifier <node>, <volume-name>

Practical considerations

In most cases, system ownership for disk volumes is quite sufficient. Individual users can still be owners of particular files on that disk.

Previous Next Contents Index