LJK/Security Reference Manual
If the master node is not part of the assessment, violations will be reported as coming from the first tributary node in the assessment, based on the limit in the policy used for that tributary node.
Default policy
The test (USAGE,REMEDIATE,MAXIMUM) is not used.
Customizing
Modify the limit to match your local policy.
Selector
Limits
| Constraint | Value | Default |
| --- | --- | --- |
| MAXIMUM | delta-time | +00:00:00.00 |
Exemptions
| Constraint | Value | Parameters |
| --- | --- | --- |
| MAXIMUM | delta-time | <node> |
Practical considerations
For NIST Special Publication 800-53, the remediation report is called a "Plan of Action and Milestones" or "POA&M".
SETTIME
Ensure time is set or synchronized sufficiently often.
Violation reports
| Constraint | Nature of the violation |
| --- | --- |
| MAXIMUM | Assessment-wide time setting interval exceeds policy maximum |
Description
The tests within this element determine whether time is coordinated between multiple systems being assessed.
Note
Violations of this test are actually reported from the master node based on the most restrictive interval set for this test on any policy in the assessment.
Default policy
The test (USAGE,SETTIME,MAXIMUM) is not used, because VMS auditing shortcomings (at least through VMS Version 8.3) require additional discipline to cause auditing of setting time.
Customizing
Modify the limit to match your local policy. Setting an interval of "0 00:00:00.00" means there is no restriction in the policy.
Selector
Limits
| Constraint | Value | Default |
| --- | --- | --- |
| MAXIMUM | delta-time | +00:00:00.00 |
Exemptions
| Constraint | Value | Parameters |
| --- | --- | --- |
| MAXIMUM | delta-time | <node> |
Practical considerations
Due to VMS auditing shortcomings (at least through VMS Version 8.3), the coordinated setting of time on multiple tributary nodes covered by a single assessment can only be assured by doing separate coordinated SET TIME commands on each node. Using the /CLUSTER qualifier to the VMS command SET TIME does not create an audit trail suitable for measuring compliance.
SYSTEMUSER
Ensure restrictions on SYSTEM username conform to policy.
Violation reports
| Constraint | Nature of the violation |
| --- | --- |
| NOBATCH | Batch process for username SYSTEM in violation of policy |
| NOINTERACT | Interactive process for username SYSTEM in violation of policy |
| NONETWORK | Network process for username SYSTEM in violation of policy |
Description
The tests within this element determine whether proper restrictions are in place for the SYSTEM username.
Default policy
Only BATCH access is allowed for username SYSTEM
Customizing
Adding exemptions based on earliest-time may be appropriate for situations where use of LJK/Security is introduced late in the game. The earliest-time specified cannot be later than the time at which the exemption is added.
Selector
Limits
| Constraint | Value | Default |
| --- | --- | --- |
| NOBATCH | FALSE or TRUE | FALSE |
| NOINTERACT | FALSE or TRUE | TRUE |
| NONETWORK | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
| --- | --- | --- |
| NOBATCH | FALSE or TRUE | <node>, <absolute-time> or <earliest-time> |
| NOINTERACT | FALSE or TRUE | <node>, <absolute-time> or <earliest-time> |
| NONETWORK | FALSE or TRUE | <node>, <absolute-time> or <earliest-time> |
Practical considerations
The tests for this element are for usage, while those in the UAF facility are for access control. Thus absolute-time exemptions should be added for the constraint NOINTERACT when the SYSTEM username is used on the console to recover from breakin evasion.
UAFMODIFY
Ensure modification of user authorization is done from the proper type of process.
Violation reports
| Constraint | Nature of the violation |
| --- | --- |
| DISUNUSED | Unused username was disabled by a prohibited process type |
| PROHIBITED | Privileged changes were made by a prohibited process type |
| REQUIRED | Privileged changes were not made by a required process type |
Description
The history of user authorization changes is examined for proper process type. Unprivileged changes, like password and last-login date changes due to logging in, are not considered.
Default policy
By default (USAGE,UAFMODIFY,*) tests are not enabled
Customizing
Enabling more than one process type for (USAGE,UAFMODIFY,REQUIRED) is not helpful, since each modification is done by only one process type.
Selector
Limits for this test can take a selector consisting of a login type: LOCAL, DIALUP, REMOTE, NETWORK or BATCH. Thus, each can be set once for each possible login type. If you do not specify a selector when changing limits, your change applies to all login types.
Note
The availability of separate selector values for LOCAL and DIALUP should not be taken as a suggestion that the DIALUP indication associated with terminals be trusted to accurately represent whether or not a dialup line is actually in use. It is provided, however, for sites which use the DIALUP indication to denote some aspect of a terminal which can be determined with certainty, such as whether or not a given terminal connection is via an X.25 circuit.
Limits
| Constraint | Value | Default |
| --- | --- | --- |
| DISUNUSED | FALSE or TRUE | FALSE |
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
| --- | --- | --- |
| DISUNUSED | FALSE or TRUE | <node>,<filespec> |
| PROHIBITED | FALSE or TRUE | <node>,<filespec> |
| REQUIRED | FALSE or TRUE | <node>,<filespec> |
Practical considerations
These tests are for ensuring actions are taken by automated mechanisms.
VALID
Ensure that preservation of past user identification conforms to policy.
Violation reports
| Constraint | Nature of the violation |
| --- | --- |
| UIC | UIC found in audit logs is no longer valid |
| USERNAME | Username found in audit logs is no longer valid |
Description
The tests within this element determine whether UIC and Username values are retained (even if disabled) as long as needed to analyze audit logs and potentially to retain file ownership.
Default policy
UICs and usernames must be retained when usernames are disabled.
Customizing
The most obvious reason to modify the limits of this element would be for constraint UIC on systems which intentionally have no Rights Database (RIGHTSLIST.DAT).
Selector
Limits
| Constraint | Value | Default |
| --- | --- | --- |
| UIC | FALSE or TRUE | TRUE |
| USERNAME | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
| --- | --- | --- |
| UIC | FALSE or TRUE | <node>, <absolute-time> or <earliest-time> |
| USERNAME | FALSE or TRUE | <node>, <absolute-time> or <earliest-time> |
Practical considerations
Adding exemptions based on earliest-time may be appropriate for situations where use of the product is introduced late in the game. The earliest-time specified cannot be later than the time at which the exemption is added.
Certain versions of VMS will fabricate UICs like [1,1], [1,3], [1,6] and Usernames like AUDIT$SERVER and DECNET that have never existed in the Rights Database (RIGHTSLIST.DAT) or User Authorization File respectively. Since exemptions for the USAGE facility are based on time of incidents rather than on username, you may wish to have the system manager add UIC identifiers and (disabled) User Authorization File entries until you are running some future version of VMS that resolves this discrepancy.
6.10 VMS Tests
Tests in the VMS facility deal with system parameters and other system-wide security considerations which are not readily categorized otherwise. Exemptions are based on node name. The node name in an exemption for the VMS facility can include standard VMS wildcard characters (% and *). More than in other facilities, many VMS tests have to do with denial of service issues.
ACME
Ensure the set of enabled ACME Agents conforms to policy.
Violation reports
| Constraint | Nature of the violation |
| --- | --- |
| MATCH | Ordered list of ACME Agents does not exactly match policy |
| MUSTHAVE | Set of ACME Agents does not include one required by policy |
| MUSTLACK | Set of ACME Agents includes one prohibited by policy |
| NOMORETHAN | Set of ACME Agents includes more than those permitted by policy |
| NOTJUST | Set of ACME Agents does not include any beyond the set declared inadequate by policy |
Description
The tests within the ACME element determine whether the set of enabled ACME agents conforms to policy. Test (VMS, ACME, MATCH) treats the names of ACME agents as an ordered list in a specific order, while the other tests treat the names of ACME agents as a set in no particular order.
Default policy
There are no restrictions
Customizing
Since the list of agent names might be considerably longer than a typical DCL command line, these tests allow a command-line user to specify the text progressively, starting each subsequent value with the character "+". When adding an agent to the NOMORETHAN list, also add it to MUSTHAVE.
Selector
Limits
| Constraint | Value | Default |
| --- | --- | --- |
| MATCH | 0-511 characters | none |
| MUSTHAVE | 0-510 characters | none |
| MUSTLACK | 0-510 characters | none |
| NOMORETHAN | 0-510 characters | none |
| NOTJUST | 0-510 characters | none |
Exemptions
| Constraint | Value | Parameters |
| --- | --- | --- |
| MATCH | 0-511 characters | <node> |
| MUSTHAVE | 0-510 characters | <node> |
| MUSTLACK | 0-510 characters | <node> |
| NOMORETHAN | 0-510 characters | <node> |
| NOTJUST | 0-510 characters | <node> |
Practical considerations
The MATCH constraint differs from the others in that the order in which names appear is significant. Typically a site policy will be implemented using only a few of the constraints within this element.
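The five ACME constraints reduce to one ordered-list comparison and four set relations. The following is an added illustration, not LJK/Security code: the comma-separated agent list, the upper-casing of names and the way a leading "+" appends a value to the text entered before it are all assumptions about the DCL syntax.

```python
"""Evaluate ACME-element constraints against the ordered list of enabled agents.
Added example; agent names and the progressive "+" assembly rule are assumed."""

def assemble(values):
    """Join successive command-line values into one policy string. A value that
    starts with "+" is appended to the text already entered (assumed syntax)."""
    text = ""
    for v in values:
        text = text + v[1:] if v.startswith("+") else v
    return text

def parse(text):
    """Comma-separated agent names, upper-cased, with empty entries dropped."""
    return [n.strip().upper() for n in text.split(",") if n.strip()]

def evaluate(enabled, limits):
    """Return the constraints violated by `enabled` (ordered agent names as
    enabled on the node). `limits` maps constraint -> policy text; an empty
    or missing text means the constraint is not used."""
    ordered = [n.upper() for n in enabled]
    have = set(ordered)
    violations = []
    for constraint, text in limits.items():
        if not text:
            continue
        names = parse(text)
        wanted = set(names)
        if constraint == "MATCH":
            bad = ordered != names            # order is significant here only
        elif constraint == "MUSTHAVE":
            bad = not wanted <= have          # every required agent present?
        elif constraint == "MUSTLACK":
            bad = bool(wanted & have)         # any prohibited agent present?
        elif constraint == "NOMORETHAN":
            bad = not have <= wanted          # anything beyond the permitted set?
        elif constraint == "NOTJUST":
            bad = have <= wanted              # nothing beyond the inadequate set
        else:
            raise ValueError(f"unknown ACME constraint {constraint}")
        if bad:
            violations.append(constraint)
    return violations

if __name__ == "__main__":
    # Constructed sample: VMS and LDAP agents enabled, policy entered in two parts.
    policy = assemble(["VMS,", "+LDAP"])
    print(evaluate(["VMS", "LDAP"], {"MATCH": policy, "NOTJUST": "VMS"}))
```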
ACMEORLGI
Ensure the set of enabled ACME Agents and LGI callout providers
conforms to policy.
Violation reports
| Constraint | Nature of the violation |
| --- | --- |
| MATCH | Ordered list of ACME Agents and LGI-callout modules does not exactly match policy |
| MUSTHAVE | Set of ACME Agents and LGI-callout modules does not include one required by policy |
| MUSTLACK | Set of ACME Agents and LGI-callout modules includes one prohibited by policy |
| NOMORETHAN | Set of ACME Agents and LGI-callout modules includes more than those permitted by policy |
| NOTJUST | Set of ACME Agents and LGI-callout modules does not include any beyond the set declared inadequate by policy |
Description
The tests within the ACMEORLGI element determine whether the set of enabled ACME agents and LGI callout providers conforms to policy. Test (VMS, ACMEORLGI, MATCH) treats the names of ACME agents and LGI-callout modules as an ordered list in a specific order (with ACME agents first), while the other tests treat the names of ACME agents and LGI-callout modules as a set in no particular order.
Default policy
There are no restrictions
Customizing
Since the list of agent and module names might be considerably longer than a typical DCL command line, these tests allow a command-line user to specify the text progressively, starting each subsequent value with the character "+". When adding an agent to the NOMORETHAN list, also add it to MUSTHAVE.
Selector
Limits
| Constraint | Value | Default |
| --- | --- | --- |
| MATCH | 0-511 characters | none |
| MUSTHAVE | 0-510 characters | none |
| MUSTLACK | 0-510 characters | none |
| NOMORETHAN | 0-510 characters | none |
| NOTJUST | 0-510 characters | none |
Exemptions
| Constraint | Value | Parameters |
| --- | --- | --- |
| MATCH | 0-511 characters | <node> |
| MUSTHAVE | 0-510 characters | <node> |
| MUSTLACK | 0-510 characters | <node> |
| NOMORETHAN | 0-510 characters | <node> |
| NOTJUST | 0-510 characters | <node> |
Practical considerations
The MATCH constraint differs from the others in that the order in which names appear is significant. Typically a site policy will be implemented using only a few of the constraints within this element.
ANNOUNCE
See if the contents of the SYS$ANNOUNCE message conform to policy.
Violation reports
| Constraint | Nature of the violation |
| --- | --- |
| CONTAINED | SYS$ANNOUNCE message must be contained within the specified text |
| CONTAINS | SYS$ANNOUNCE message must contain the specified text |
| MATCH | SYS$ANNOUNCE message must match the specified text |
Description
Compare the value of SYS$ANNOUNCE (or the file to which it points) to the specified policy text.
Default policy
There is no required text
Customizing
Since the message might be considerably longer than a typical DCL command line, these tests allow a command-line user to specify the text progressively, starting each subsequent value with the character "+".
Selector
Limits
| Constraint | Value | Default |
| --- | --- | --- |
| CONTAINED | 0-511 characters | none |
| CONTAINS | 0-511 characters | none |
| MATCH | 0-511 characters | none |
Exemptions
| Constraint | Value | Parameters |
| --- | --- | --- |
| CONTAINED | 0-511 characters | <node> |
| CONTAINS | 0-511 characters | <node> |
| MATCH | 0-511 characters | <node> |
Practical considerations
The MATCH constraint is equivalent to including the same text in both the CONTAINED constraint and the CONTAINS constraint.
Comparison treats line-feed, carriage-return and form-feed as equivalent to a space. It also treats multiple spaces as equivalent to a single space and artificially inserts a space before and after any punctuation character.
While the SYS$WELCOME logical name mechanism (measured by WELCOME) can be customized on a per-username basis, the SYS$ANNOUNCE logical name mechanism (measured by ANNOUNCE) lends itself better to requirements that the message stay on a screen until explicit action is taken by the user (the explicit action being the entering of a username).
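The normalization described above is what makes the three ANNOUNCE constraints tolerant of line breaks and spacing differences in the banner. The following is an added illustration, not LJK/Security code; which characters count as punctuation is not listed in the manual, so Python's `string.punctuation` is assumed, and the comparison is assumed to be case-sensitive.

```python
"""Normalize a SYS$ANNOUNCE banner and evaluate the CONTAINED, CONTAINS and
MATCH constraints against it. Added example; punctuation set and case
sensitivity are assumptions."""
import re
import string

def normalize(text):
    """Canonical form for comparison: LF, CR and FF become spaces, every
    punctuation character gets a space on each side, and runs of spaces
    collapse to one. Punctuation set assumed to be string.punctuation."""
    text = text.replace("\r", " ").replace("\n", " ").replace("\f", " ")
    text = "".join(f" {c} " if c in string.punctuation else c for c in text)
    return re.sub(" {2,}", " ", text).strip()

def evaluate(message, limits):
    """Return the constraints violated by `message` (the resolved SYS$ANNOUNCE
    text). `limits` maps constraint -> policy text; empty text is 'not used'."""
    msg = normalize(message)
    violations = []
    for constraint, policy in limits.items():
        if not policy:
            continue
        pol = normalize(policy)
        if constraint == "CONTAINED":
            bad = msg not in pol      # banner must lie within the policy text
        elif constraint == "CONTAINS":
            bad = pol not in msg      # banner must include the policy text
        elif constraint == "MATCH":
            bad = msg != pol          # same as CONTAINED and CONTAINS together
        else:
            raise ValueError(f"unknown ANNOUNCE constraint {constraint}")
        if bad:
            violations.append(constraint)
    return violations

if __name__ == "__main__":
    # Constructed banner with CR/LF, a form-feed and doubled spaces.
    banner = "WARNING:\r\nAuthorized  users only.\f"
    print(evaluate(banner, {"MATCH": "WARNING: Authorized users only."}))
```

Note that the containment checks are plain substring tests after normalization, so a policy text of "users" is found inside "superusers"; word-boundary matching is not part of what the manual describes.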
BRKDISUSER
Determine whether the setting to disable usernames on attempted breakin conforms to policy.
Violation reports
| Constraint | Nature of the violation |
| --- | --- |
| PROHIBITED | System parameter LGI_BRK_DISUSER is 1 in violation of policy |
| REQUIRED | System parameter LGI_BRK_DISUSER is 0 in violation of policy |
Description
System parameter LGI_BRK_DISUSER controls whether a breakin attempt causes a username to be disabled until manually reset.
Default policy
By default LGI_BRK_DISUSER is prohibited
Customizing
Allowing LGI_BRK_DISUSER should be done only with careful consideration of organizational politics.
Selector
Limits
| Constraint | Value | Default |
| --- | --- | --- |
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
| --- | --- | --- |
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
End users will be hostile to disabling accounts on breakin attempts unless there are adequate provisions for restoring an account to service promptly when the end user follows appropriate procedures. Therefore, before requiring that system parameter LGI_BRK_DISUSER be set to 1, be sure that you have established these procedures and that they are secure and widely published in your organization.
BUGCHKFATL
Determine whether decisions regarding crashing on Executive Mode bugchecks conform to policy.
Violation reports
| Constraint | Nature of the violation |
| --- | --- |
| PROHIBITED | System parameter BUGCHECKFATAL is enabled [1] in violation of policy |
| REQUIRED | System parameter BUGCHECKFATAL is disabled [0] in violation of policy |
Description
All Kernel Mode bugchecks crash the system, but the outcome of Executive Mode bugchecks is settable.
Default policy
BUGCHECKFATAL is neither prohibited nor required
Customizing
Prohibit BUGCHECKFATAL to avoid an immediate denial of service when Executive Mode bugchecks occur.