LJK/Security Reference Manual
MVTIMEOUT
Determine how long VMS will wait for mount verification in case of a
device error.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | Timeout period is shorter than policy allows. |
| ABSOLUTHI | Timeout period is longer than policy allows. |
Description
System parameter MVTIMEOUT controls how long VMS will stall a process
while waiting for a device error to be cleared. After that time period,
an error is returned to the user.
Default policy
The default limits are set to widely bracket the VMS default value of
3600 for system parameter MVTIMEOUT.
Customizing
If local policy is to change the VMS defaults, it should be reflected in
limits or exemptions.
A limit or exemption with a value of zero means there is no value which
is considered unacceptable.
Selector
Limits
| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | 0-64,000 (seconds) | 300 |
| ABSOLUTHI | 0-64,000 (seconds) | 64,000 |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | 0-64,000 (seconds) | <node> |
| ABSOLUTHI | 0-64,000 (seconds) | <node> |
Practical considerations
Excessively long timeout periods delay detection of errors and leave
user processes hung with no indication of the problem.
Excessively short timeout periods reduce the chance that a device error
can be corrected without aborting user transactions.
OPCOM
Determine whether OPCOM state conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | OPCOM is started in violation of policy |
| REQUIRED | OPCOM is stopped in violation of policy |
Description
Security alarm transmission to operators uses the OPCOM process, and if
that process is not running there will be no notification. In addition,
for versions of VMS prior to V5.2, the OPCOM process is required in
order to record security alarms on disk.
Default policy
The OPCOM process must be running.
Customizing
Add an exemption to the REQUIRED test for any node which you wish to
exempt from requirements to run the OPCOM process.
Selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
Future versions of VMS (after V5.4) may
provide an alternative method of operator notification without
requiring the OPCOM process.
POLICY
See if LJK/Security policy modification history
conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| AUDEVTDAYS | The last LJK/Security policy modification of auditable events was longer ago than the maximum allowed |
| MODIFYDAYS | The last LJK/Security policy modification was longer ago than the maximum allowed |
Description
The tests within this element determine whether the LJK/Security policy
used in this assessment has been changed recently enough.
Default policy
No particular policy modification schedule is required.
Customizing
Some external requirements require ongoing modification of policy
values.
Selector
Limits
| Constraint | Value | Default |
|---|---|---|
| AUDEVTDAYS | number of days | 0 |
| MODIFYDAYS | number of days | 0 |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| AUDEVTDAYS | number of days | <node> |
| MODIFYDAYS | number of days | <node> |
Practical considerations
While LJK/Security can detect policy
modification dates, it cannot determine whether they were based on
sound judgement.
PWDHISTORY
Determine whether password history parameters conform to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| MINLIFE | Password history lifetime is shorter than policy allows. |
| MAXLIFE | Password history lifetime is longer than policy allows. |
| MINLIMIT | Password history entry limit is less than policy allows. |
| MAXLIMIT | Password history entry limit is more than policy allows. |
Description
Logical names SYS$PASSWORD_HISTORY_LIFETIME and
SYS$PASSWORD_HISTORY_LIMIT can be used to alter the VMS defaults of 365
days and 60 entries respectively.
Regardless of whether those logical names are used or not, tests for
this element will determine if the values in effect on the system
conform to policy.
Default policy
The VMS default values of 365 days and 60 entries are required.
Customizing
Add exemptions or modify limits in your policy if you want to permit
deviations from the VMS default.
A limit or exemption with a value of zero means there is no value which
is considered unacceptable.
Selector
Limits
| Constraint | Value | Default |
|---|---|---|
| MINLIFE | 0-3650 | 365 |
| MAXLIFE | 0-3650 | 365 |
| MINLIMIT | 2-255 | 60 |
| MAXLIMIT | 2-255 | 60 |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| MINLIFE | 0-3650 | <node> |
| MAXLIFE | 0-3650 | <node> |
| MINLIMIT | 2-255 | <node> |
| MAXLIMIT | 2-255 | <node> |
Practical considerations
In most cases, the VMS defaults are adequate and this test merely
ensures there are no local deviations.
PWDPOLICY
Determine whether site-specific password policy on disk conforms to
policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| LOADPWDPRO | Loading site code is enabled in violation of policy. |
| LOADPWDREQ | Loading site code is disabled in violation of policy. |
| PWDEXEPRO | Site-specific password policy is provided in violation of policy. |
| PWDEXEREQ | Site-specific password policy is absent in violation of policy. |
| HASHPWDPRO | Site-specific password algorithm is provided in violation of policy. |
| HASHPWDREQ | Site-specific password algorithm is absent in violation of policy. |
Description
Tests VMS_LOADPWDPRO and VMS_LOADPWDREQ test whether
system parameter LOAD_PWD_POLICY is set.
Tests VMS_PWDEXEPRO and VMS_PWDEXEREQ test whether the
image SYS$LIBRARY:VMS$PASSWORD_POLICY.EXE is provided.
Tests VMS_HASHPWDPRO and VMS_HASHPWDREQ test whether
the image SYS$LOADABLE_IMAGES:SYS$HASH_PASSWORD.EXE is provided. This
capability is provided only on VMS V5.4 or greater.
System parameter LOAD_PWD_POLICY is only available on VMS V5.4 or
greater.
Default policy
Password policy options are prohibited, since they could be used as the
basis for further efforts by a successful attacker.
Customizing
Limits and exemptions for tests VMS_LOADPWD* and VMS_PWDEXE* should be
set in concert, since the parameter setting and image presence must be
coordinated to have the desired effect.
Selector
Limits
| Constraint | Value | Default |
|---|---|---|
| LOADPWDPRO | FALSE or TRUE | TRUE |
| LOADPWDREQ | FALSE, TRUE or TRY | FALSE |
| PWDEXEPRO | FALSE or TRUE | TRUE |
| PWDEXEREQ | FALSE, TRUE or TRY | FALSE |
| HASHPWDPRO | FALSE or TRUE | TRUE |
| HASHPWDREQ | FALSE, TRUE or TRY | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| LOADPWDPRO | FALSE or TRUE | <node> |
| LOADPWDREQ | FALSE, TRUE or TRY | <node> |
| PWDEXEPRO | FALSE or TRUE | <node> |
| PWDEXEREQ | FALSE, TRUE or TRY | <node> |
| HASHPWDPRO | FALSE or TRUE | <node> |
| HASHPWDREQ | FALSE, TRUE or TRY | <node> |
Practical considerations
The tests in this element do nothing to verify that the site-specific
code provided is the correct code.
It is important that no unauthorized site specific password policy be
in use, since it might have been left as a back door into the system by
an attacker who successfully gained privileged access. Attackers in the
past have gone so far as to patch the LOGINOUT image, and this
mechanism, though useful for its stated purpose, could be hazardous if
an attacker gains control. Among other tactics used in the past,
collecting the cleartext passwords of individual users has sometimes
given attackers some help in guessing what passwords were chosen by the
same users on systems in the same network which have not yet been
compromised.
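A manual cross-check of the items these tests examine, as an added DCL example (not LJK/Security's own code or its method): it reads LOAD_PWD_POLICY, looks for the two images, prints their creation and revision dates for comparison against change records, and flags the parameter and the policy image being out of step. The symbol names and message texts are made up for the example; like the parameter itself, it needs VMS V5.4 or greater.

```dcl
$! Added example, not part of LJK/Security. Parameter and image names are
$! taken from the text above; the local symbol names are made up here.
$! F$GETSYI accepts system parameter names as item codes.
$ set noon
$ load_policy = f$getsyi("LOAD_PWD_POLICY")
$ policy_exe  = f$search("SYS$LIBRARY:VMS$PASSWORD_POLICY.EXE")
$ hash_exe    = f$search("SYS$LOADABLE_IMAGES:SYS$HASH_PASSWORD.EXE")
$!
$ write sys$output "LOAD_PWD_POLICY = ", load_policy
$ image = policy_exe
$ label = "Site password policy image"
$ gosub report
$ image = hash_exe
$ label = "Site password hash image"
$ gosub report
$!
$! The parameter and the policy image only take effect together, so a
$! mismatch between them deserves a closer look.
$ if (load_policy .ne. 0) .and. (policy_exe .eqs. "") then -
     write sys$output "MISMATCH: LOAD_PWD_POLICY set, no policy image on disk"
$ if (load_policy .eq. 0) .and. (policy_exe .nes. "") then -
     write sys$output "MISMATCH: policy image on disk, LOAD_PWD_POLICY clear"
$ exit
$!
$report:
$ if image .eqs. ""
$ then
$   write sys$output label, ": absent"
$ else
$   write sys$output label, ": ", image
$   write sys$output "  created ", f$file_attributes(image,"CDT")
$   write sys$output "  revised ", f$file_attributes(image,"RDT")
$ endif
$ return
```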
REBLDSYS
Determine whether the system disk will be rebuilt after a system crash.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | System parameter ACP_REBLDSYSD is 1 in violation of policy |
| REQUIRED | System parameter ACP_REBLDSYSD is 0 in violation of policy |
Description
Free space bit maps on various disks may be incorrect after a system
crash. For most disks, this is corrected by the (default) MOUNT/REBUILD
qualifier. For the system disk, however, rebuilding is controlled by
the system parameter ACP_REBLDSYSD.
Default policy
Rebuilding is required.
Customizing
To ensure that system disks are rebuilt, you should set REQUIRED to
TRUE. Setting PROHIBITED to TRUE will allow faster reboots. Setting both
limits to FALSE will allow local discretion.
Selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
Rebuilding the system disk can be time-consuming, denying service to
some extent, depending on local standards.
Generally, the worst outcome of failing to rebuild the system disk (or
any other disk, in fact) is just the unavailability of some free space
on the disk. This is due to the "careful write" methods of the VMS file
system. If denial of service time is more onerous than denial of disk
space at your site, you might prefer to set PROHIBITED to TRUE and
REQUIRED to FALSE.
REMEDIATE
Specify times required for generation of remediation reports.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| CHANGES | The number of days required to implement an application change |
| CONFIGURE | The number of days required to implement a parameter change |
| INITIALIZE | The number of days required to propagate assessment results |
| MAXIMUM | The number of days required for all applications to be exercised at least once |
| MEDIAN | The number of days required for half of the applications to be exercised at least once |
| VERIFY | The number of days required to verify a violation has been corrected |
| Y01DAYS | Spare Constraint |
| Y02DAYS | Spare Constraint |
| Y03DAYS | Spare Constraint |
| Y04DAYS | Spare Constraint |
| Y05DAYS | Spare Constraint |
| Y06DAYS | Spare Constraint |
Description
The constraints within this element are not really tests, but provide
the organizational latencies used to generate remediation plans.
The constraints labeled "Spare Constraint" are for site-specific
definition and can be used within non-automated assessment definitions.
The other constraints are used by LJK Software in both the automated
assessment definitions built into LJK/Security and also the
non-automated assessment definitions included in template policy command
procedures.
Default policy
Most applications run every month.
All applications run every year.
It takes 7 days to propagate violation reports.
It takes 90 days to change an application.
Customizing
Change these constraints freely to match reality within your
organization.
Selector
Limits
| Constraint | Value | Default |
|---|---|---|
| CHANGES | number of days | 90 |
| CONFIGURE | number of days | 7 |
| INITIALIZE | number of days | 7 |
| MAXIMUM | number of days | 366 |
| MEDIAN | number of days | 31 |
| VERIFY | number of days | 7 |
| Y01DAYS | number of days | 0 |
| Y02DAYS | number of days | 0 |
| Y03DAYS | number of days | 0 |
| Y04DAYS | number of days | 0 |
| Y05DAYS | number of days | 0 |
| Y06DAYS | number of days | 0 |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| CHANGES | number of days | <node> |
| CONFIGURE | number of days | <node> |
| INITIALIZE | number of days | <node> |
| MAXIMUM | number of days | <node> |
| MEDIAN | number of days | <node> |
| VERIFY | number of days | <node> |
| Y01DAYS | number of days | <node> |
| Y02DAYS | number of days | <node> |
| Y03DAYS | number of days | <node> |
| Y04DAYS | number of days | <node> |
| Y05DAYS | number of days | <node> |
| Y06DAYS | number of days | <node> |
Practical considerations
These tests do not really test any controls; they are used only to
generate remediation schedules.