LJK/Security Reference Manual




MAXACCTJOB

Determine whether specification of maximum jobs for account conforms to policy.

Violation reports

Constraint Nature of the violation
ABSOLUTLO Maximum jobs for account is lower than allowed by policy
ABSOLUTHI Maximum jobs for account is higher than allowed by policy

Description

User authorization field MAXACCTJOBS limits the number of simultaneous batch, interactive and detached jobs which may be active on behalf of users who share a single ACCOUNT value in their authorization file records.

Default policy

No limit is enforced

Customizing

Customize if you feel a need to enforce such a limit

Selector

Limits

Constraint Value Default
ABSOLUTLO 0---n 0
ABSOLUTHI 0---n 0

Exemptions

Constraint Value Parameters
ABSOLUTLO 0---n <node>, <username>
ABSOLUTHI 0---n <node>, <username>

Practical considerations

Most sites do not use this limitation capability except for particular chargeback reasons.

MAXDETACH

Determine whether specification of maximum detached jobs conforms to policy.

Violation reports

Constraint Nature of the violation
ABSOLUTLO Maximum detached jobs is lower than allowed by policy
ABSOLUTHI Maximum detached jobs is higher than allowed by policy

Description

User authorization field MAXDETACH limits the number of simultaneous detached jobs which may be active on behalf of users who share a single ACCOUNT value in their authorization file records.

Default policy

No limit is enforced

Customizing

Customize if you feel a need to enforce such a limit.

A limit or exemption with a value of zero means there is no value which is considered unacceptable

Selector

Limits

Constraint Value Default
ABSOLUTLO 0---n 0
ABSOLUTHI 0---n 0

Exemptions

Constraint Value Parameters
ABSOLUTLO 0---n <node>, <username>
ABSOLUTHI 0---n <node>, <username>

Practical considerations

Most sites do not use this limitation capability except for particular chargeback reasons.

MAXJOBS

Determine whether specification of maximum jobs for username conforms to policy.

Violation reports

Constraint Nature of the violation
ABSOLUTLO Maximum jobs for username is lower than allowed by policy
ABSOLUTHI Maximum jobs for username is higher than allowed by policy

Description

User authorization field MAXJOBS limits the number of simultaneous batch, interactive, network and detached jobs which may be active on behalf of a single username. The first 4 network jobs are not counted.

Default policy

No limit is enforced

Customizing

Customize if you feel a need to enforce such a limit.

A limit or exemption with a value of zero means there is no value which is considered unacceptable

Selector

Limits

Constraint Value Default
ABSOLUTLO 0---n 0
ABSOLUTHI 0---n 0

Exemptions

Constraint Value Parameters
ABSOLUTLO 0---n <node>, <username>
ABSOLUTHI 0---n <node>, <username>

Practical considerations

Most sites do not use this limitation capability except for particular chargeback reasons.
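The MAXACCTJOB, MAXDETACH and MAXJOBS elements above share one rule: a limit of zero disables the test, and each constraint can be exempted per node and username. The following is an added example (not code from LJK/Security) that applies the three elements to constructed authorization records; the "*" wildcard in exemptions and the record layout are assumptions made for this example.

```python
# Constructed SYSUAF-style records (not real data) carrying the three fields
# that the MAXACCTJOB, MAXDETACH and MAXJOBS elements examine.
RECORDS = [
    {"node": "ALPHA", "username": "SYSTEM",  "MAXACCTJOBS": 0,  "MAXDETACH": 0, "MAXJOBS": 0},
    {"node": "ALPHA", "username": "JSMITH",  "MAXACCTJOBS": 0,  "MAXDETACH": 2, "MAXJOBS": 4},
    {"node": "ALPHA", "username": "HOGUSER", "MAXACCTJOBS": 50, "MAXDETACH": 9, "MAXJOBS": 64},
    {"node": "BETA",  "username": "HOGUSER", "MAXACCTJOBS": 50, "MAXDETACH": 9, "MAXJOBS": 64},
]

# Authorization field examined by each element.
FIELD = {"MAXACCTJOB": "MAXACCTJOBS", "MAXDETACH": "MAXDETACH", "MAXJOBS": "MAXJOBS"}

# Default policy from the page: both limits 0, and a zero limit means that
# no value is considered unacceptable, so nothing is reported.
DEFAULT_LIMITS = {e: {"ABSOLUTLO": 0, "ABSOLUTHI": 0} for e in FIELD}


def is_exempt(exemptions, elem, con, node, user):
    """True if an (element, constraint, node, username) exemption matches.
    "*" as node or username is this example's wildcard, not a documented feature."""
    return any(e == elem and c == con and n in ("*", node) and u in ("*", user)
               for e, c, n, u in exemptions)


def check_job_limits(records, limits=DEFAULT_LIMITS, exemptions=()):
    """Return sorted (element, constraint, node, username) violations."""
    out = []
    for r in records:
        node, user = r["node"], r["username"]
        for elem, field in FIELD.items():
            value = r[field]
            lo, hi = limits[elem]["ABSOLUTLO"], limits[elem]["ABSOLUTHI"]
            hits = []
            if lo and value < lo:          # a zero limit disables the test
                hits.append("ABSOLUTLO")
            if hi and value > hi:
                hits.append("ABSOLUTHI")
            out.extend((elem, c, node, user) for c in hits
                       if not is_exempt(exemptions, elem, c, node, user))
    return sorted(out)


# A site policy that requires every username to carry some MAXJOBS limit
# (ABSOLUTLO 1), caps MAXJOBS at 16 and MAXDETACH at 4, and exempts SYSTEM.
SITE_LIMITS = {"MAXACCTJOB": {"ABSOLUTLO": 0, "ABSOLUTHI": 0},
               "MAXDETACH": {"ABSOLUTLO": 0, "ABSOLUTHI": 4},
               "MAXJOBS": {"ABSOLUTLO": 1, "ABSOLUTHI": 16}}
SITE_EXEMPTIONS = [("MAXJOBS", "ABSOLUTLO", "*", "SYSTEM")]
```

With the default (all-zero) limits nothing is reported; with SITE_LIMITS the HOGUSER records on both nodes are flagged for MAXDETACH and MAXJOBS while SYSTEM's missing MAXJOBS limit is suppressed by the exemption.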

MIGRATEPWD

Determine whether sharing password changes conforms to policy.

Violation reports

Constraint Nature of the violation
PROHIBITED Sharing password changes is enabled in violation of policy
REQUIRED Sharing password changes is disabled in violation of policy

Description

The MIGRATEPWD authorization flag indicates that password changes made to one ACME agent are shared with others.

Tests from this element are not conducted on Usernames allowed only Batch access, since passwords are not meaningful.

Default policy

Password sharing is neither required nor prohibited

Customizing

Use these tests to match how you use external authentication

Selector

Limits

Constraint Value Default
PROHIBITED FALSE or TRUE FALSE
REQUIRED FALSE or TRUE FALSE

Exemptions

Constraint Value Parameters
PROHIBITED FALSE or TRUE <node>, <username>
REQUIRED FALSE or TRUE <node>, <username>

Practical considerations

If you do not use external authentication, ignore this element.

NOMAIL

Determine whether disabling of Mail delivery conforms to policy.

Violation reports

Constraint Nature of the violation
PROHIBITED Mail delivery is disabled in violation of policy
REQUIRED Mail delivery is enabled in violation of policy

Description

If local practice is to use VMSmail to distribute security-related notices, prohibiting mail delivery to certain usernames is counter to security interests.

The PROHIBITED test from this element is not conducted on Usernames allowed only Batch access, since mail is not useful.

Default policy

Disabling of mail delivery is prohibited

Customizing

Customize here if you have users who are not permitted access to the VMSmail program

Selector

Limits

Constraint Value Default
PROHIBITED FALSE or TRUE TRUE
REQUIRED FALSE or TRUE FALSE

Exemptions

Constraint Value Parameters
PROHIBITED FALSE or TRUE <node>, <username>
REQUIRED FALSE or TRUE <node>, <username>

Practical considerations

If some usernames are arranged so the user cannot read VMSmail, disabling delivery is the best way to indicate to would-be mail senders that other communications means should be used.

Mail delivery should also be disabled for any users who have unlimited disk quota on their login disk.


OPERATOR

Determine whether the number of Usernames with OPER (but no higher) privilege conforms to policy.

Violation reports

Constraint Nature of the violation
TOOFEW The number of simple operators compared to other privileged users is lower than the policy minimum

Description

The test associated with the TOOFEW constraint determines whether the number of Usernames with OPER (but no higher) privilege conforms to policy.

Default policy

The minimum ratio of usernames with only OPER to those with higher privilege is 2

Customizing

Adjust this number higher for heavy production environments

Selector

Limits

Constraint Value Default
TOOFEW 0-n 2

Exemptions

Constraint Value Parameters
TOOFEW 0-n <node>, <username>

Practical considerations

The goal is to avoid situations where routine operator actions are handled by overprivileged individuals, or where those with operator duties are granted excessive privilege.

OWNER

Determine whether the allocation of Usernames to various owners conforms to policy.

Violation reports

Constraint Nature of the violation
DIGITSPACE Owner of a username has neither a space between adjacent letters nor 4 consecutive digits in violation of policy
MAINTAINED Owner of a username is blank in violation of policy
NONPRIVMAX Number of nonprivileged usernames for a single owner exceeds maximum
NONPRIVMIN Number of nonprivileged usernames for a single owner is less than minimum
PRIVMAX Number of privileged usernames for a single owner exceeds maximum
PRIVMIN Number of privileged usernames for a single owner is less than minimum

Description

Tests in this element determine whether the maintenance of the "owner" field in the SYSUAF file and the assignment of usernames to distinct owners conforms to policy.

The tests NONPRIVMAX and PRIVMAX only count usernames for which non-batch access (LOCAL, REMOTE, DIALUP or NETWORK) is permitted.

The limit for the test MAINTAINED has an additional effect of controlling whether the Owner field is considered as binding together multiple Usernames for the tests:

Default policy

Owner names are maintained and each owner can have at most one privileged Username and ten non-privileged usernames

Customizing

Reduce the limit for constraint NONPRIVMAX where possible.

Set the limit for constraint NONPRIVMIN to 1 to require that users with privileged usernames also have non-privileged usernames

Selector

Limits

Constraint Value Default
DIGITSPACE FALSE or TRUE TRUE
MAINTAINED FALSE or TRUE TRUE
NONPRIVMAX 0-n 10
NONPRIVMIN 0-n 0
PRIVMAX 0-n 1
PRIVMIN 0-n 0

Exemptions

Constraint Value Parameters
DIGITSPACE FALSE or TRUE <node>, <username>
MAINTAINED FALSE or TRUE <node>, <username>
NONPRIVMAX 0-n <node>, <username>
NONPRIVMIN 0-n <node>, <username>
PRIVMAX 0-n <node>, <username>
PRIVMIN 0-n <node>, <username>

Practical considerations

LJK/Security can only detect innocent error in this area, not deliberate malfeasance.

For the numeric constraints in this element, tests ignore usernames that are allowed no more than Batch access. This should take care of usernames created by layered products.
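The OWNER element's tests, as an added example that is not LJK/Security code: DIGITSPACE and MAINTAINED inspect the owner string, while the numeric constraints count usernames per owner and skip usernames allowed no more than Batch access. The record layout, the exemption shape (constraint, subject) and treating a numeric limit of 0 as disabled are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed SYSUAF-style records (not real data): owner field, permitted
# access types and whether the username holds elevated privilege.
RECORDS = [
    {"username": "SYSTEM",   "owner": "SYSTEM MANAGER", "access": {"LOCAL", "BATCH"}, "priv": True},
    {"username": "JSMITH",   "owner": "John Smith", "access": {"LOCAL", "NETWORK"},  "priv": False},
    {"username": "JSMITH_P", "owner": "John Smith", "access": {"LOCAL"},             "priv": True},
    {"username": "JSMITH_X", "owner": "John Smith", "access": {"LOCAL"},             "priv": True},
    {"username": "BLDBATCH", "owner": "John Smith", "access": {"BATCH"},             "priv": True},
    {"username": "ORPHAN",   "owner": "",           "access": {"LOCAL"},             "priv": False},
    {"username": "EMP1234",  "owner": "EMP1234",    "access": {"DIALUP"},            "priv": False},
    {"username": "BADOWNER", "owner": "JSMITH",     "access": {"LOCAL"},             "priv": False},
]

# Defaults from the page's Limits table.
DEFAULT_LIMITS = {"DIGITSPACE": True, "MAINTAINED": True,
                  "NONPRIVMAX": 10, "NONPRIVMIN": 0, "PRIVMAX": 1, "PRIVMIN": 0}
NON_BATCH = {"LOCAL", "REMOTE", "DIALUP", "NETWORK"}
# DIGITSPACE passes when the owner has a space between two letters or 4 consecutive digits.
DIGITSPACE_OK = re.compile(r"[A-Za-z] [A-Za-z]|[0-9]{4}")


def check_owner(records, limits=DEFAULT_LIMITS, exempt=frozenset()):
    """Return sorted (constraint, subject) violations for the OWNER element.
    Subject is the username for DIGITSPACE/MAINTAINED and the owner string for
    the numeric constraints. Assumption: a MAX limit of 0 disables that test."""
    found = set()
    priv, nonpriv = Counter(), Counter()
    for r in records:
        name, owner = r["username"], r["owner"].strip()
        if limits["MAINTAINED"] and not owner:
            found.add(("MAINTAINED", name))
        elif limits["DIGITSPACE"] and owner and not DIGITSPACE_OK.search(owner):
            found.add(("DIGITSPACE", name))
        # Numeric constraints ignore usernames allowed no more than Batch access.
        if owner and r["access"] & NON_BATCH:
            (priv if r["priv"] else nonpriv)[owner] += 1
    for owner in set(priv) | set(nonpriv):
        p, n = priv[owner], nonpriv[owner]
        if limits["PRIVMAX"] and p > limits["PRIVMAX"]:
            found.add(("PRIVMAX", owner))
        if p < limits["PRIVMIN"]:
            found.add(("PRIVMIN", owner))
        if limits["NONPRIVMAX"] and n > limits["NONPRIVMAX"]:
            found.add(("NONPRIVMAX", owner))
        if n < limits["NONPRIVMIN"]:
            found.add(("NONPRIVMIN", owner))
    return sorted(v for v in found if v not in exempt)
```

Under the default limits the blank owner, the owner "JSMITH" (no space, no four digits) and John Smith's two privileged interactive usernames are reported; the batch-only BLDBATCH record does not count towards PRIVMAX.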


PRIO

Determine whether base process priority conforms to policy.

Violation reports

Constraint Nature of the violation
ABSOLUTLO Base process priority is lower than allowed by policy
ABSOLUTHI Base process priority is higher than allowed by policy

Description

If base process priority for a username is higher or lower than that for other usernames (generally 4), denial of service hazards are created.

Default policy

Base process priority must be 4

Customizing

Different base priorities for different users can lead to severe performance problems.

Selector

Limits

Constraint Value Default
ABSOLUTLO 0---31 4
ABSOLUTHI 0---31 4

Exemptions

Constraint Value Parameters
ABSOLUTLO 0---31 <node>, <username>
ABSOLUTHI 0---31 <node>, <username>

Practical considerations

Authorization file base process priority does not affect batch jobs. The process priority in that case is controlled by batch queue parameters.

PRIVILEGE

Ensure that privileges held by individual usernames are acceptable.

Violation reports

Constraint Nature of the violation
AUTHAUDIT Username with a particular authorized privilege is not set to audit all action in violation of policy
AUTHREQUIR Username lacks authorization for privilege
AUTHPROHIB Username has authorization for privilege
DEFAUDIT Username with a particular default privilege is not set to audit all action in violation of policy
DEFREQUIR Username lacks default privilege
DEFPROHIB Username has default privilege
NOIMPLICIT No username allowed Interactive or Network access has a UIC less than MAXSYSGROUP

Description

Privileged users can disrupt system operations in many ways. The system User Authorization File (SYSUAF) specifies any privileges granted to usernames.

Even if a user is authorized to use privileges, they generally should not be enabled by default. The system User Authorization File contains two lists of privileges for each username, those which are enabled by default and those which the user is entitled to enable by use of the SET PROCESS/PRIVILEGE= command.

The purpose of this test is to ensure that the default and authorized privileges for each user comply with organization-wide security policy.

Implicit SYSPRV (due to a low UIC group) is not considered as SYSPRV under element UAF_PRIVILEGE, but is considered such under element UAF_PRIVLEVEL.

Default policy

No privileges are required or prohibited by this test element, because equivalent tests are performed under test element PRIVLEVEL

Customizing

The tests under element PRIVLEVEL are sufficient to express simpler limitations based on privilege level.

If a more complicated selection of privileges is required, it may be necessary to use the tests under element PRIVILEGE.

You should add exemptions for usernames which are supposed to have privilege, such as SYSTEM.

Selector

Limits and exemptions for this element can take a selector consisting of a privilege name.

Thus, each can be set once for each possible privilege. Using the Command Interface, if you do not specify a selector when changing limits or exemptions, your change applies to all privileges.

Limits

Constraint Value Default
AUTHAUDIT FALSE or TRUE FALSE
AUTHREQUIR FALSE or TRUE FALSE
AUTHPROHIB FALSE or TRUE FALSE
DEFAUDIT FALSE or TRUE FALSE
DEFREQUIR FALSE or TRUE FALSE
DEFPROHIB FALSE or TRUE FALSE
NOIMPLICIT FALSE or TRUE TRUE

Exemptions

Constraint Value Parameters
AUTHAUDIT FALSE or TRUE <node>, <username>
AUTHREQUIR FALSE or TRUE <node>, <username>
AUTHPROHIB FALSE or TRUE <node>, <username>
DEFAUDIT FALSE or TRUE <node>, <username>
DEFREQUIR FALSE or TRUE <node>, <username>
DEFPROHIB FALSE or TRUE <node>, <username>
NOIMPLICIT FALSE or TRUE <node>, <username>

Practical considerations

TMPMBX privilege is required for most users, so they can run common utility programs which use mailboxes. NETMBX privilege is required for users to access DECnet.
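The PRIVILEGE element's per-privilege selector and the NOIMPLICIT test, as an added example rather than LJK/Security's own code: limits are keyed by (constraint, privilege selector), a "*" selector stands for the no-selector case that applies to all privileges, and a username whose UIC group lies below MAXSYSGROUP is flagged when it may log in interactively or over the network. The record layout, the MAXSYSGROUP value, the rule that a named selector overrides "*", and the omission of AUTHAUDIT/DEFAUDIT are assumptions made for this example.

```python
# Constructed SYSUAF-style records (not real data): UIC group number, the
# default and authorized privilege lists the page describes, and access types.
RECORDS = [
    {"username": "SYSTEM",  "group": 0o1,   "default": {"TMPMBX", "NETMBX", "SYSPRV", "CMKRNL"},
     "authorized": {"TMPMBX", "NETMBX", "SYSPRV", "CMKRNL"}, "access": {"LOCAL", "NETWORK"}},
    {"username": "JSMITH",  "group": 0o200, "default": {"TMPMBX", "NETMBX"},
     "authorized": {"TMPMBX", "NETMBX", "OPER"}, "access": {"LOCAL", "NETWORK"}},
    {"username": "DBADMIN", "group": 0o200, "default": {"TMPMBX", "NETMBX", "SYSPRV"},
     "authorized": {"TMPMBX", "NETMBX", "SYSPRV"}, "access": {"LOCAL"}},
    {"username": "LOWGRP",  "group": 0o5,   "default": {"TMPMBX"},
     "authorized": {"TMPMBX", "NETMBX"}, "access": {"NETWORK"}},
    {"username": "NIGHTLY", "group": 0o300, "default": set(),
     "authorized": set(), "access": {"BATCH"}},
]
MAXSYSGROUP = 0o10                       # constructed value for this example
INTERACTIVE_OR_NET = {"LOCAL", "DIALUP", "REMOTE", "NETWORK"}

# Policy keyed by (constraint, privilege selector); "*" is the no-selector case
# that applies to every privilege (assumption: a named selector overrides "*").
SITE_LIMITS = {("AUTHREQUIR", "TMPMBX"): True, ("AUTHREQUIR", "NETMBX"): True,
               ("AUTHPROHIB", "CMKRNL"): True, ("DEFPROHIB", "SYSPRV"): True,
               ("NOIMPLICIT", "*"): True}
SITE_EXEMPT = {("AUTHPROHIB", "SYSTEM"), ("DEFPROHIB", "SYSTEM"), ("NOIMPLICIT", "SYSTEM")}

def limit(limits, constraint, priv):
    return limits.get((constraint, priv), limits.get((constraint, "*"), False))

def check_privilege(records, limits, exempt=frozenset()):
    """Return sorted (constraint, username, privilege) violations; `exempt`
    holds (constraint, username) pairs. AUTHAUDIT/DEFAUDIT are not modelled."""
    privs = {p for r in records for p in r["authorized"] | r["default"]}
    found = set()
    for r in records:
        u = r["username"]
        for p in privs:
            if limit(limits, "AUTHREQUIR", p) and p not in r["authorized"]:
                found.add(("AUTHREQUIR", u, p))
            if limit(limits, "AUTHPROHIB", p) and p in r["authorized"]:
                found.add(("AUTHPROHIB", u, p))
            if limit(limits, "DEFREQUIR", p) and p not in r["default"]:
                found.add(("DEFREQUIR", u, p))
            if limit(limits, "DEFPROHIB", p) and p in r["default"]:
                found.add(("DEFPROHIB", u, p))
        # NOIMPLICIT: a low UIC group carries implicit SYSPRV, so flag it for
        # any username allowed Interactive or Network access.
        if (limit(limits, "NOIMPLICIT", "*") and r["group"] < MAXSYSGROUP
                and r["access"] & INTERACTIVE_OR_NET):
            found.add(("NOIMPLICIT", u, "SYSPRV"))
    return sorted(v for v in found if (v[0], v[1]) not in exempt)
```

With SITE_LIMITS and the SYSTEM exemptions, the run reports the batch-only NIGHTLY username for lacking TMPMBX and NETMBX, DBADMIN for holding SYSPRV by default, and LOWGRP for its implicit SYSPRV via a low UIC group.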

PRIVLEVEL

Ensure that privilege levels of individual usernames are acceptable.

Violation reports

Constraint Nature of the violation
ABSOLUTLO Lower than minimum in the policy
ABSOLUTHI Higher than maximum in the policy
ACCESSMAX Higher than allowed for a permitted process type
ACCESSMIN Lower than required for a permitted process type

Description

Privilege levels (categories) provide a simple codification as to the level of power granted by various VMS privileges.

The purpose of these tests is to ensure that the privilege level granted to each user complies with organization-wide security policy. This test compares the level for each authorized username against the limit set in the policy in two ways:

Implicit SYSPRV (due to a low UIC group) is not considered as SYSPRV under element UAF_PRIVILEGE, but is considered such under element UAF_PRIVLEVEL.

Default policy

By default, the privilege level NONE is the minimum allowed (meaning no restriction) and the privilege level NORMAL is the maximum allowed (allowing the holding of TMPMBX and NETMBX).

Customizing

The tests under element PRIVLEVEL are sufficient to express simpler limitations based on privilege level.

If a more complicated selection of privileges is required, it may be necessary to use the tests under element PRIVILEGE.

You should establish exemptions for usernames which are authorized higher levels of privilege, such as SYSTEM.

Selector

Tests (UAF, PRIVLEVEL, ACCESSMAX) and (UAF, PRIVLEVEL, ACCESSMIN) take a selector consisting of a login type: LOCAL, DIALUP, REMOTE, NETWORK or BATCH.

Limits

Constraint Value Default
ABSOLUTLO Category-None---Category-All Category-None
ABSOLUTHI Category-None---Category-All Category-Normal
ACCESSMAX Category-None---Category-All Category-Normal
ACCESSMIN Category-None---Category-All Category-Normal

