LJK/Security Reference Manual
DOUAF
Ensure that separation of Username Authorization from other privileged
duties conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| DOASSESS | Intervening Security Assessment actions |
| DOAUDIT | Intervening Audit Control actions |
| DOCONNECT | Intervening Connect actions |
| DOINSTALL | Intervening image install activities |
| DOMOUNT | Intervening mount actions |
| DONCP | Intervening Network Management actions |
| DOPROCESS | Intervening privileged process control actions |
| DOSYSGEN | Intervening System Parameter changes |
| DOTIME | Intervening SET TIME actions |
| DOUSEPRIV | Intervening use of privilege for some other purpose |
Description
The tests for this element determine whether separation of duties between Username Authorization and other privileged security relevant activities conforms to policy. Each test detects any case where one of the other privileged security relevant activities intervenes between two Username Authorization activities by the same user that are less than a specified interval apart in time. These separation of duties tests do not apply to actions performed by the VMS system startup process.
Default policy
By default, none of the separation of duties tests are enabled.
Customizing
Make minor adjustments to suit your environment.
Selector
Limits
| Constraint | Value | Default |
|---|---|---|
| DOASSESS | time interval | none |
| DOAUDIT | time interval | none |
| DOCONNECT | time interval | none |
| DOINSTALL | time interval | none |
| DOMOUNT | time interval | none |
| DONCP | time interval | none |
| DOPROCESS | time interval | none |
| DOSYSGEN | time interval | none |
| DOTIME | time interval | none |
| DOUSEPRIV | time interval | none |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| DOASSESS | time interval | <node>, <absolute-time> or <earliest-time> |
| DOAUDIT | time interval | <node>, <absolute-time> or <earliest-time> |
| DOCONNECT | time interval | <node>, <absolute-time> or <earliest-time> |
| DOINSTALL | time interval | <node>, <absolute-time> or <earliest-time> |
| DOMOUNT | time interval | <node>, <absolute-time> or <earliest-time> |
| DONCP | time interval | <node>, <absolute-time> or <earliest-time> |
| DOPROCESS | time interval | <node>, <absolute-time> or <earliest-time> |
| DOSYSGEN | time interval | <node>, <absolute-time> or <earliest-time> |
| DOTIME | time interval | <node>, <absolute-time> or <earliest-time> |
| DOUSEPRIV | time interval | <node>, <absolute-time> or <earliest-time> |
Practical considerations
The (USAGE, DO*) tests are intended to detect inadequate separation of duties. Do not shoot the messenger.
DOUSEPRIV
Ensure that separation of Use of Privilege from other privileged duties
conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| DOASSESS | Intervening Security Assessment actions |
| DOAUDIT | Intervening Audit Control actions |
| DOCONNECT | Intervening Connect actions |
| DOINSTALL | Intervening image install activities |
| DOMOUNT | Intervening mount actions |
| DONCP | Intervening Network Management actions |
| DOPROCESS | Intervening privileged process control actions |
| DOSYSGEN | Intervening System Parameter changes |
| DOTIME | Intervening SET TIME actions |
| DOUAF | Intervening Authorization actions |
Description
The tests for this element determine whether separation of duties between Use of Privilege and other privileged security relevant activities conforms to policy. Each test detects any case where one of the other privileged security relevant activities intervenes between two Use of Privilege activities by the same user that are less than a specified interval apart in time. These separation of duties tests do not apply to actions performed by the VMS system startup process.
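As an added illustration (not the manual's or LJK/Security's own code), the following Python sketch applies the DOUAF and DOUSEPRIV rule described above to constructed audit records: two consecutive activities of the primary class by one user, closer together than a constraint's interval and with an activity of that constraint's class between them, are reported, and startup-process activity is ignored. The record layout, the activity-class names and the STARTUP marker are assumptions.

```python
from datetime import datetime, timedelta

# Constructed audit records (not from the manual): (time, username, activity class).
# Activity classes are named after the manual's constraints: DOUAF = Username
# Authorization, DOUSEPRIV = Use of Privilege, and DOSYSGEN, DOTIME, DOMOUNT
# for intervening classes.  STARTUP is an assumed marker for the VMS startup process.
SAMPLE_EVENTS = [
    ("2024-03-01 09:00:00", "SYSMGR",  "DOUAF"),
    ("2024-03-01 09:02:00", "SYSMGR",  "DOSYSGEN"),   # system parameter change
    ("2024-03-01 09:05:00", "SYSMGR",  "DOUAF"),      # 5 min after the first DOUAF
    ("2024-03-01 10:00:00", "OPSJANE", "DOUAF"),
    ("2024-03-01 10:30:00", "OPSJANE", "DOTIME"),
    ("2024-03-01 11:00:00", "OPSJANE", "DOUAF"),      # 60 min apart: outside a 10 min interval
    ("2024-03-01 12:00:00", "STARTUP", "DOUAF"),
    ("2024-03-01 12:01:00", "STARTUP", "DOMOUNT"),
    ("2024-03-01 12:02:00", "STARTUP", "DOUAF"),      # startup process: not tested
    ("2024-03-01 14:00:00", "SYSMGR",  "DOUSEPRIV"),
    ("2024-03-01 14:01:00", "SYSMGR",  "DOUAF"),
    ("2024-03-01 14:03:00", "SYSMGR",  "DOUSEPRIV"),
]

def _parse(events):
    return sorted((datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), u, c) for t, u, c in events)

def intervening_violations(events, primary, limits, startup_user="STARTUP"):
    """Report (username, constraint, t1, t2) for every pair of consecutive
    `primary` activities by the same user that are less than limits[constraint]
    seconds apart and have an activity of that constraint's class between them.
    A limit of None means the constraint is not enabled (the manual's default)."""
    by_user = {}
    for t, u, c in _parse(events):
        if u != startup_user:                      # startup-process actions are out of scope
            by_user.setdefault(u, []).append((t, c))
    violations = []
    for u, seq in by_user.items():
        idx = [i for i, (_, c) in enumerate(seq) if c == primary]
        for a, b in zip(idx, idx[1:]):
            t1, t2 = seq[a][0], seq[b][0]
            between = {c for _, c in seq[a + 1:b]}   # classes seen between the two primaries
            for constraint, limit in limits.items():
                if limit is None or constraint not in between:
                    continue
                if t2 - t1 < timedelta(seconds=limit):
                    violations.append((u, constraint, t1, t2))
    return violations
```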
Default policy
By default, none of the separation of duties tests are enabled.
Customizing
Make minor adjustments to suit your environment.
Selector
Limits
| Constraint | Value | Default |
|---|---|---|
| DOASSESS | time interval | none |
| DOAUDIT | time interval | none |
| DOCONNECT | time interval | none |
| DOINSTALL | time interval | none |
| DOMOUNT | time interval | none |
| DONCP | time interval | none |
| DOPROCESS | time interval | none |
| DOSYSGEN | time interval | none |
| DOTIME | time interval | none |
| DOUAF | time interval | none |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| DOASSESS | time interval | <node>, <absolute-time> or <earliest-time> |
| DOAUDIT | time interval | <node>, <absolute-time> or <earliest-time> |
| DOCONNECT | time interval | <node>, <absolute-time> or <earliest-time> |
| DOINSTALL | time interval | <node>, <absolute-time> or <earliest-time> |
| DOMOUNT | time interval | <node>, <absolute-time> or <earliest-time> |
| DONCP | time interval | <node>, <absolute-time> or <earliest-time> |
| DOPROCESS | time interval | <node>, <absolute-time> or <earliest-time> |
| DOSYSGEN | time interval | <node>, <absolute-time> or <earliest-time> |
| DOTIME | time interval | <node>, <absolute-time> or <earliest-time> |
| DOUAF | time interval | <node>, <absolute-time> or <earliest-time> |
Practical considerations
The (USAGE, DO*) tests are intended to detect inadequate separation of duties. Do not shoot the messenger.
EVADEPWD
Ensure that uses of privilege that might evade password policy conform
to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| DICTIONARY | Bypassing password dictionary controls not corrected within interval |
| HISTORY | Bypassing password history controls not corrected within interval |
| PREEXPIRED | Bypassing password pre-expiration controls |
| SELF | Bypassing password change controls for the acting Username |
Description
The tests for this element detect evasion of password policy by setting passwords outside the SET PASSWORD and LOGINOUT rules. Since such changes will legitimately be made for correcting "lost password" situations, there is a time interval allowed for the proper resetting of the password with SET PASSWORD, LOGINOUT or a call to $ACM. There is no such time interval when such a change is made by the affected (privileged) username.
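The following Python sketch is an added example, not the manual's or LJK/Security's own code. It applies the EVADEPWD rule just described to constructed records: a bypass of the DICTIONARY or HISTORY control is acceptable only if the affected username makes a conforming change within the interval, a PREEXPIRED bypass is reported whenever that constraint is enabled, and a bypass performed by the affected username itself (SELF) gets no grace interval. The record layout and the BYPASS/CONFORM event names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed audit records (not from the manual): (time, actor, target, event, control).
# event "BYPASS" = a privileged password set that skipped a control (control is
# DICTIONARY, HISTORY or PREEXPIRED); event "CONFORM" = a change made through
# SET PASSWORD, LOGINOUT or $ACM (control is None).
SAMPLE_RECORDS = [
    ("2024-03-01 09:00:00", "SYSMGR", "ALICE",  "BYPASS",  "DICTIONARY"),
    ("2024-03-01 09:03:00", "ALICE",  "ALICE",  "CONFORM", None),          # corrected in 3 min
    ("2024-03-01 10:00:00", "SYSMGR", "BOB",    "BYPASS",  "HISTORY"),
    ("2024-03-01 10:20:00", "BOB",    "BOB",    "CONFORM", None),          # corrected after 20 min
    ("2024-03-01 11:00:00", "SYSMGR", "SYSMGR", "BYPASS",  "DICTIONARY"),  # acting on own username
    ("2024-03-01 11:01:00", "SYSMGR", "SYSMGR", "CONFORM", None),
    ("2024-03-01 12:00:00", "SYSMGR", "CAROL",  "BYPASS",  "PREEXPIRED"),
]

# The manual's defaults: 300 seconds for DICTIONARY and HISTORY, PREEXPIRED and SELF enabled.
DEFAULT_LIMITS = {"DICTIONARY": 300, "HISTORY": 300, "PREEXPIRED": True, "SELF": True}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def evadepwd_violations(records, limits=DEFAULT_LIMITS):
    """Return (constraint, target, time) for each bypass that policy does not allow."""
    recs = sorted((_ts(t), a, u, e, c) for t, a, u, e, c in records)
    conforming = [(t, u) for t, _, u, e, _ in recs if e == "CONFORM"]
    violations = []
    for t, actor, target, event, control in recs:
        if event != "BYPASS":
            continue
        if actor == target and limits["SELF"]:
            violations.append(("SELF", target, t))   # no grace interval for self-changes
            continue
        limit = limits[control]
        if control == "PREEXPIRED":
            if limit:
                violations.append(("PREEXPIRED", target, t))
            continue
        deadline = t + timedelta(seconds=limit)
        corrected = any(t < ct <= deadline and cu == target for ct, cu in conforming)
        if not corrected:
            violations.append((control, target, t))
    return violations
```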
Default policy
Five minutes are allowed for a subsequent password change conforming to password policy, except that none is allowed when a user changes their own password.
Customizing
Allow more time if your organization sends password change information via courier or other slow methods. There should be no reason to alter the SELF constraint.
Selector
Limits
| Constraint | Value | Default |
|---|---|---|
| DICTIONARY | time interval | 300 seconds |
| HISTORY | time interval | 300 seconds |
| PREEXPIRED | FALSE or TRUE | TRUE |
| SELF | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| DICTIONARY | time interval | <node>, <absolute-time> or <earliest-time> |
| HISTORY | time interval | <node>, <absolute-time> or <earliest-time> |
| PREEXPIRED | FALSE or TRUE | <node>, <absolute-time> or <earliest-time> |
| SELF | FALSE or TRUE | <node>, <absolute-time> or <earliest-time> |
Practical considerations
It may be necessary to add exemptions based on earliest-time to avoid continually reviewing past bad practices.
OPERATOR
Ensure that separation of simple operator duties from more complex privileged activities conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ACCOUNTING | Percentage of accounting activities performed by those with more than operator privilege exceeds policy maximum |
| BROADCAST | Percentage of broadcast activities performed by those with more than operator privilege exceeds policy maximum |
| CLUSTER | Percentage of cluster activities performed by those with more than operator privilege exceeds policy maximum |
| DEVICE | Percentage of device activities performed by those with more than operator privilege exceeds policy maximum |
| LOGIN | Percentage of login activities performed by those with more than operator privilege exceeds policy maximum |
| OPERLOGIN | Percentage of operlogin activities performed by those with more than operator privilege exceeds policy maximum |
| QUEUE | Percentage of queue activities performed by those with more than operator privilege exceeds policy maximum |
| TAPE | Percentage of tape activities performed by those with more than operator privilege exceeds policy maximum |
| UNDOC | Percentage of undocumented activities performed by those with more than operator privilege exceeds policy maximum |
Description
The tests for this element determine whether more than a specified percentage of operator activities are performed by usernames with higher privileges than OPER.
Default policy
By default, there are no restrictions on which privileged users perform operator duties.
Customizing
Constraints BROADCAST, QUEUE and TAPE are most appropriate for limiting the percentage of operations performed by highly privileged usernames.
Selector
Limits
| Constraint | Value | Default |
|---|---|---|
| ACCOUNTING | 0-100 | 100 |
| BROADCAST | 0-100 | 100 |
| CLUSTER | 0-100 | 100 |
| DEVICE | 0-100 | 100 |
| LOGIN | 0-100 | 100 |
| OPERLOGIN | 0-100 | 100 |
| QUEUE | 0-100 | 100 |
| TAPE | 0-100 | 100 |
| UNDOC | 0-100 | 100 |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ACCOUNTING | 0-100 | <node>, <absolute-time> or <earliest-time> |
| BROADCAST | 0-100 | <node>, <absolute-time> or <earliest-time> |
| CLUSTER | 0-100 | <node>, <absolute-time> or <earliest-time> |
| DEVICE | 0-100 | <node>, <absolute-time> or <earliest-time> |
| LOGIN | 0-100 | <node>, <absolute-time> or <earliest-time> |
| OPERLOGIN | 0-100 | <node>, <absolute-time> or <earliest-time> |
| QUEUE | 0-100 | <node>, <absolute-time> or <earliest-time> |
| TAPE | 0-100 | <node>, <absolute-time> or <earliest-time> |
| UNDOC | 0-100 | <node>, <absolute-time> or <earliest-time> |
Practical considerations
The (USAGE, OPERATOR) tests are intended to detect inadequate separation of duties. Do not shoot the messenger.
PRIVILEGE
Ensure privilege assignment and usage characteristics conform to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| NEVERUSED | Username has privileges that are never used |
| NOIMPLICIT | Username authorized for interactive or network access had implicit privilege based on UIC group |
| UAFSELF | User modified authorization data for their own username |
Description
The tests in this element determine
whether particular inappropriate privilege has been granted.
Default policy
There are no restrictions on IMPLICIT or NEVERUSED privileges.
Customizing
The test for the NEVERUSED constraint will not produce meaningful results with inadequate audit logs.
Selector
Limits and exemptions for test NEVERUSED can take a selector consisting of a privilege name. Thus, each can be set once for each possible privilege. When using the Command Interface, if you do not specify a selector when changing the limit or exemptions, your change applies to all privileges.
Limits
| Constraint | Value | Default |
|---|---|---|
| NEVERUSED | FALSE or TRUE | FALSE for TMPMBX and NETMBX, TRUE for others |
| NOIMPLICIT | FALSE or TRUE | TRUE |
| UAFSELF | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| NEVERUSED | FALSE or TRUE | <node>, <absolute-time> or <earliest-time> |
| NOIMPLICIT | FALSE or TRUE | <node>, <absolute-time> or <earliest-time> |
| UAFSELF | FALSE or TRUE | <node>, <absolute-time> or <earliest-time> |
Practical considerations
The tests for this element ignore usernames that allow no more than Batch access. This takes care of usernames created by layered products.
READAUDIT
Ensure reading of audit logs conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ANY | The interval between any reading of the audit data exceeds the policy minimum |
| BATCH | The interval between batch reading of the audit data exceeds the policy minimum |
| INTERACT | The interval between interactive reading of the audit data exceeds the policy minimum |
| INTERBREAK | The number of readings of the audit data does not increase enough in response to increased breakin attempts |
| NETWORK | The interval between network reading of the audit data exceeds the policy minimum |
Description
The tests within this element measure the history of reading the audit logs.
Test (USAGE, READAUDIT, INTERBREAK) measures:
- the percentage week-to-week increase in reading of the audit data
- the percentage week-to-week increase in breakin attempts
If the ratio of the first to the second is less than the percentage specified by the Limit for this test, a violation is reported.
The other tests specify the maximum number of days between reading the audit data from various types of processes.
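As an added example (not the manual's or LJK/Security's own code), this Python sketch computes the two kinds of READAUDIT check described above over constructed records: the maximum gap between readings for ANY, BATCH, INTERACT and NETWORK, and the INTERBREAK ratio of week-to-week growth in audit reads to week-to-week growth in breakin attempts. The record layout, the count of the gap up to the present time, and the handling of zero or non-increasing counts are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-read records (not from the manual): (time, process mode),
# with modes named after the constraints BATCH, INTERACT and NETWORK.
SAMPLE_READS = [
    ("2024-03-01 08:00", "INTERACT"),
    ("2024-03-05 08:00", "BATCH"),
    ("2024-03-14 08:00", "INTERACT"),   # 9 days since any previous read
    ("2024-03-20 08:00", "NETWORK"),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def interval_violations(reads, limits_days, now):
    """limits_days maps ANY/BATCH/INTERACT/NETWORK to the maximum number of
    days allowed between readings of the audit data; 0 means not required
    (the manual's default).  Returns the constraints that are violated.
    Counting the gap from the last reading up to `now` is an assumption."""
    times = defaultdict(list)
    for t, mode in sorted((_ts(t), m) for t, m in reads):
        times["ANY"].append(t)
        times[mode].append(t)
    violated = []
    for constraint, days in limits_days.items():
        if days == 0:
            continue
        seq = times[constraint]
        if not seq:
            violated.append(constraint)          # never read at all
            continue
        gaps = [b - a for a, b in zip(seq, seq[1:])] + [now - seq[-1]]
        if max(gaps) > timedelta(days=days):
            violated.append(constraint)
    return violated

def interbreak_violation(reads, breakins, limit_pct):
    """reads and breakins are (last week, this week) counts.  The ratio of the
    week-to-week percentage increase in audit reads to the week-to-week
    percentage increase in breakin attempts, expressed as a percentage, must
    not fall below limit_pct (0 = not required).  Treating zero or
    non-increasing counts as no violation is an assumption."""
    if limit_pct == 0 or reads[0] == 0 or breakins[0] == 0:
        return False
    read_growth = (reads[1] - reads[0]) / reads[0] * 100
    breakin_growth = (breakins[1] - breakins[0]) / breakins[0] * 100
    if breakin_growth <= 0:
        return False
    return read_growth / breakin_growth * 100 < limit_pct
```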
Default policy
Some reading of the audit log is required every 7 days.
Customizing
Make changes to match your organization's own plan for reviewing audit results.
Selector
Limits
| Constraint | Value | Default |
|---|---|---|
| ANY | time interval | 0 (not required) |
| BATCH | time interval | 0 (not required) |
| INTERACT | time interval | 0 (not required) |
| INTERBREAK | percentage | 0 (not required) |
| NETWORK | time interval | 0 (not required) |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ANY | time interval | <node>, <absolute-time> or <earliest-time> |
| BATCH | time interval | <node>, <absolute-time> or <earliest-time> |
| INTERACT | time interval | <node>, <absolute-time> or <earliest-time> |
| INTERBREAK | percentage | <node>, <absolute-time> or <earliest-time> |
| NETWORK | time interval | <node>, <absolute-time> or <earliest-time> |
Practical considerations
LJK/Security can only detect innocent error in this area, not deliberate malfeasance.
REMEDIATE
Ensure remediation reports are generated sufficiently often.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| MAXIMUM | Remediation report generation interval exceeds policy maximum |
Description
The test within this element determines whether the command LJK/SECURITY REPORT/REMEDIATION has been issued for a completed full assessment (/METHOD=ALL) sufficiently often.
Note
This test is performed on the master node rather than on the tributary nodes, regardless of whether or not the master node is part of the assessment.