LJK/Security Reference Manual
DOMOUNT
Ensure that separation of Mount from other privileged duties conforms
to policy.
Violation reports
| Constraint |
Nature of the violation |
|
DOASSESS
|
Intervening Security Assessment actions
|
|
DOAUDIT
|
Intervening Audit Control actions
|
|
DOCONNECT
|
Intervening Connect actions
|
|
DOINSTALL
|
Intervening image install activities
|
|
DONCP
|
Intervening Network Management actions
|
|
DOPROCESS
|
Intervening privileged process control actions
|
|
DOSYSGEN
|
Intervening System Parameter changes
|
|
DOTIME
|
Intervening SET TIME actions
|
|
DOUAF
|
Intervening Authorization actions
|
|
DOUSEPRIV
|
Intervening use of privilege for some other purpose
|
Description
The tests for this element determine
separation of duties between Mount and other privileged security
relevant activities conforms to policy.
Each test will detect any case where one of the other
privileged security relevant activities intervenes between two Mount
activities by the same user that are less that a specified interval
apart in time.
These separation of duties tests do not apply to
actions performed by the VMS system startup process.
Default policy
By default, none of the separation of duties tests are
enabled
Customizing
Make minor adjustments to suit your environment
Selector
Limits
| Constraint |
Value |
Default |
|
DOASSESS
|
time interval
|
none
|
|
DOAUDIT
|
time interval
|
none
|
|
DOCONNECT
|
time interval
|
none
|
|
DOINSTALL
|
time interval
|
none
|
|
DONCP
|
time interval
|
none
|
|
DOPROCESS
|
time interval
|
none
|
|
DOSYSGEN
|
time interval
|
none
|
|
DOTIME
|
time interval
|
none
|
|
DOUAF
|
time interval
|
none
|
|
DOUSEPRIV
|
time interval
|
none
|
Exemptions
| Constraint |
Value |
Parameters |
|
DOASSESS
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOAUDIT
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOCONNECT
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOINSTALL
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DONCP
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOPROCESS
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOSYSGEN
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOTIME
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOUAF
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOUSEPRIV
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
Practical considerations
The (USAGE, DO*) tests are
intended to detect inadequate separation of duties. Do not shoot the
messenger. �
DONCP
Ensure that separation of Network Management from other privileged
duties conforms to policy.
Violation reports
| Constraint |
Nature of the violation |
|
DOASSESS
|
Intervening Security Assessment actions
|
|
DOAUDIT
|
Intervening Audit Control actions
|
|
DOCONNECT
|
Intervening Connect actions
|
|
DOINSTALL
|
Intervening image install activities
|
|
DOMOUNT
|
Intervening mount actions
|
|
DOPROCESS
|
Intervening privileged process control actions
|
|
DOSYSGEN
|
Intervening System Parameter changes
|
|
DOTIME
|
Intervening SET TIME actions
|
|
DOUAF
|
Intervening Authorization actions
|
|
DOUSEPRIV
|
Intervening use of privilege for some other purpose
|
Description
The tests for this element determine
separation of duties between Network Management and other privileged
security relevant activities conforms to policy.
Each test will detect any case where one of the other
privileged security relevant activities intervenes between two Network
Management activities by the same user that are less that a specified
interval apart in time.
These separation of duties tests do not apply to
actions performed by the VMS system startup process.
Default policy
By default, none of the separation of duties tests are
enabled
Customizing
Make minor adjustments to suit your environment
Selector
Limits
| Constraint |
Value |
Default |
|
DOASSESS
|
time interval
|
none
|
|
DOAUDIT
|
time interval
|
none
|
|
DOCONNECT
|
time interval
|
none
|
|
DOINSTALL
|
time interval
|
none
|
|
DOMOUNT
|
time interval
|
none
|
|
DOPROCESS
|
time interval
|
none
|
|
DOSYSGEN
|
time interval
|
none
|
|
DOTIME
|
time interval
|
none
|
|
DOUAF
|
time interval
|
none
|
|
DOUSEPRIV
|
time interval
|
none
|
Exemptions
| Constraint |
Value |
Parameters |
|
DOASSESS
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOAUDIT
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOCONNECT
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOINSTALL
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOMOUNT
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOPROCESS
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOSYSGEN
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOTIME
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOUAF
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOUSEPRIV
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
Practical considerations
The (USAGE, DO*) tests are
intended to detect inadequate separation of duties. Do not shoot the
messenger. �
DOPROCESS
Ensure that separation of Privileged Process Control from other
privileged duties conforms to policy.
Violation reports
| Constraint |
Nature of the violation |
|
DOASSESS
|
Intervening Security Assessment actions
|
|
DOAUDIT
|
Intervening Audit Control actions
|
|
DOCONNECT
|
Intervening Connect actions
|
|
DOINSTALL
|
Intervening image install activities
|
|
DOMOUNT
|
Intervening mount actions
|
|
DONCP
|
Intervening Network Management actions
|
|
DOSYSGEN
|
Intervening System Parameter changes
|
|
DOTIME
|
Intervening SET TIME actions
|
|
DOUAF
|
Intervening Authorization actions
|
|
DOUSEPRIV
|
Intervening use of privilege for some other purpose
|
Description
The tests for this element determine
separation of duties between Privileged Process Control and other
privileged security relevant activities conforms to policy.
Each test will detect any case where one of the other
privileged security relevant activities intervenes between two
Privileged Process Control activities by the same user that are less
that a specified interval apart in time.
These separation of duties tests do not apply to
actions performed by the VMS system startup process.
Default policy
By default, none of the separation of duties tests are
enabled
Customizing
Make minor adjustments to suit your environment
Selector
Limits
| Constraint |
Value |
Default |
|
DOASSESS
|
time interval
|
none
|
|
DOAUDIT
|
time interval
|
none
|
|
DOCONNECT
|
time interval
|
none
|
|
DOINSTALL
|
time interval
|
none
|
|
DOMOUNT
|
time interval
|
none
|
|
DONCP
|
time interval
|
none
|
|
DOSYSGEN
|
time interval
|
none
|
|
DOTIME
|
time interval
|
none
|
|
DOUAF
|
time interval
|
none
|
|
DOUSEPRIV
|
time interval
|
none
|
Exemptions
| Constraint |
Value |
Parameters |
|
DOASSESS
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOAUDIT
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOCONNECT
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOINSTALL
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOMOUNT
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DONCP
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOSYSGEN
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOTIME
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOUAF
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOUSEPRIV
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
Practical considerations
The (USAGE, DO*) tests are
intended to detect inadequate separation of duties. Do not shoot the
messenger. �
DOSYSGEN
Ensure that separation of System Parameter Modification from other
privileged duties conforms to policy.
Violation reports
| Constraint |
Nature of the violation |
|
DOASSESS
|
Intervening Security Assessment actions
|
|
DOAUDIT
|
Intervening Audit Control actions
|
|
DOCONNECT
|
Intervening Connect actions
|
|
DOINSTALL
|
Intervening image install activities
|
|
DOMOUNT
|
Intervening mount actions
|
|
DONCP
|
Intervening Network Management actions
|
|
DOPROCESS
|
Intervening privileged process control actions
|
|
DOTIME
|
Intervening SET TIME actions
|
|
DOUAF
|
Intervening Authorization actions
|
|
DOUSEPRIV
|
Intervening use of privilege for some other purpose
|
Description
The tests for this element determine
separation of duties between System Parameter Modification and other
privileged security relevant activities conforms to policy.
Each test will detect any case where one of the other
privileged security relevant activities intervenes between two System
Parameter Modification activities by the same user that are less that a
specified interval apart in time.
These separation of duties tests do not apply to
actions performed by the VMS system startup process.
Default policy
By default, none of the separation of duties tests are
enabled
Customizing
Make minor adjustments to suit your environment
Selector
Limits
| Constraint |
Value |
Default |
|
DOASSESS
|
time interval
|
none
|
|
DOAUDIT
|
time interval
|
none
|
|
DOCONNECT
|
time interval
|
none
|
|
DOINSTALL
|
time interval
|
none
|
|
DOMOUNT
|
time interval
|
none
|
|
DONCP
|
time interval
|
none
|
|
DOPROCESS
|
time interval
|
none
|
|
DOTIME
|
time interval
|
none
|
|
DOUAF
|
time interval
|
none
|
|
DOUSEPRIV
|
time interval
|
none
|
Exemptions
| Constraint |
Value |
Parameters |
|
DOASSESS
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOAUDIT
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOCONNECT
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOINSTALL
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOMOUNT
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DONCP
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOPROCESS
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOTIME
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOUAF
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOUSEPRIV
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
Practical considerations
The (USAGE, DO*) tests are
intended to detect inadequate separation of duties. Do not shoot the
messenger. �
DOTIME
Ensure that separation of Time Setting from other privileged duties
conforms to policy.
Violation reports
| Constraint |
Nature of the violation |
|
DOASSESS
|
Intervening Security Assessment actions
|
|
DOAUDIT
|
Intervening Audit Control actions
|
|
DOCONNECT
|
Intervening Connect actions
|
|
DOINSTALL
|
Intervening image install activities
|
|
DOMOUNT
|
Intervening mount actions
|
|
DONCP
|
Intervening Network Management actions
|
|
DOPROCESS
|
Intervening privileged process control actions
|
|
DOSYSGEN
|
Intervening System Parameter changes
|
|
DOUAF
|
Intervening Authorization actions
|
|
DOUSEPRIV
|
Intervening use of privilege for some other purpose
|
Description
The tests for this element determine
separation of duties between Time Setting and other privileged security
relevant activities conforms to policy.
Each test will detect any case where one of the other
privileged security relevant activities intervenes between two Time
Setting activities by the same user that are less that a specified
interval apart in time.
These separation of duties tests do not apply to
actions performed by the VMS system startup process.
Default policy
By default, none of the separation of duties tests are
enabled
Customizing
Make minor adjustments to suit your environment
Selector
Limits
| Constraint |
Value |
Default |
|
DOASSESS
|
time interval
|
none
|
|
DOAUDIT
|
time interval
|
none
|
|
DOCONNECT
|
time interval
|
none
|
|
DOINSTALL
|
time interval
|
none
|
|
DOMOUNT
|
time interval
|
none
|
|
DONCP
|
time interval
|
none
|
|
DOPROCESS
|
time interval
|
none
|
|
DOSYSGEN
|
time interval
|
none
|
|
DOUAF
|
time interval
|
none
|
|
DOUSEPRIV
|
time interval
|
none
|
Exemptions
| Constraint |
Value |
Parameters |
|
DOASSESS
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOAUDIT
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOCONNECT
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOINSTALL
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOMOUNT
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DONCP
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOPROCESS
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOSYSGEN
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOUAF
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOUSEPRIV
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
Practical considerations
The (USAGE, DO*) tests are
intended to detect inadequate separation of duties. Do not shoot the
messenger. �