LJK/Security Reference Manual




REPORT

Specify terminology for particular assessment disciplines and local organization for inclusion in reports.

Violation reports

Constraint Nature of the violation
CONTROL term used by an outside standard for individual rules
COVERAUTO coverage for automatic assessment
COVERINTER coverage for interviews
COVERINVAS coverage for invasive testing
COVERMANU coverage for manual examination
DEPTHAUTO depth for automatic assessment
DEPTHINTER depth for interviews
DEPTHINVAS depth for invasive testing
DEPTHMANU depth for manual examination
FAIL term used by an outside standard for failed
PASS term used by an outside standard for passing
PENDING term used by an outside standard for not yet tested
POLICYNAM name for the policy
REMEDIATE term used for remediation section of report
REPORTNAM name for the report
RIGOR overall rigor of assessment
WARNING notice for top and bottom of output pages
ACCSTAFF individuals managing accounts (usernames)
APPSTAFF individuals managing applications
ASSSTAFF individuals conducting security assessments
AUDSTAFF individuals managing auditing
CFGSTAFF individuals responsible for configuration control
CTGSTAFF individuals responsible for contingency planning
FACSTAFF individuals responsible for the physical facility
HDWSTAFF individuals responsible for hardware
INCSTAFF individuals involved in incident response
MEDSTAFF individuals involved in media handling and storage
NETSTAFF individuals managing network security
OPRSTAFF computer operators
PERSTAFF individuals handling personnel matters
POLSTAFF individuals responsible for policy
PT3STAFF individuals employed by third parties
PURSTAFF individuals handling purchasing matters
SECSTAFF individuals on the security staff
SYSSTAFF system managers
TRNSTAFF individuals devising and performing training
USRSTAFF users of the system
WARNING text for the top and bottom of report pages
X01STAFF Spare Constraint
X02STAFF Spare Constraint
X03STAFF Spare Constraint
X04STAFF Spare Constraint
X05STAFF Spare Constraint
X06STAFF Spare Constraint
X07STAFF Spare Constraint
X08STAFF Spare Constraint
X09STAFF Spare Constraint
X10STAFF Spare Constraint
X11STAFF Spare Constraint
X12STAFF Spare Constraint

Description

The constraints within this element are not really tests, but provide naming information used to generate reports.

Default policy

The generic default terms should suffice for simple organizations.

Customizing

Change these constraints freely to match reality within your organization.

For the xxxSTAFF constraints the text you enter should always be a plural noun phrase, so that generated reports read smoothly. For instance, use "individuals who control auditing" rather than "audit control staff". Likewise, use "members of group 587" rather than "group 587".

Selector

Limits

Constraint Value Default
CONTROL text string "Rule"
COVERAUTO text string ""
COVERINTER text string ""
COVERINVAS text string ""
COVERMANU text string ""
DEPTHAUTO text string ""
DEPTHINTER text string ""
DEPTHINVAS text string ""
DEPTHMANU text string ""
FAIL text string "Fail"
PASS text string "Pass"
PENDING text string "Untested"
POLICYNAM text string ""
REMEDIATE text string "Remediation"
REPORTNAM text string ""
RIGOR text string ""
WARNING text string ""
ACCSTAFF text string "Account Management Staff members"
APPSTAFF text string "Application Management Staff members"
ASSSTAFF text string "Security Assessment Staff members"
AUDSTAFF text string "Auditing Management Staff members"
CFGSTAFF text string "Configuration Management Staff members"
CTGSTAFF text string "Contingency Planning Staff members"
FACSTAFF text string "Facility Staff members"
HDWSTAFF text string "Hardware Management Staff members"
INCSTAFF text string "Incident Response Staff members"
MEDSTAFF text string "Media Storage Staff members"
NETSTAFF text string "Network Management Staff members"
OPRSTAFF text string "Operations Staff members"
PERSTAFF text string "Personnel Staff members"
POLSTAFF text string "Policy Management Staff members"
PT3STAFF text string "Third Party Provider Representatives"
PURSTAFF text string "Purchasing Staff members"
SECSTAFF text string "Information Security Staff members"
SYSSTAFF text string "System Management Staff members"
TRNSTAFF text string "Training Management Staff members"
USRSTAFF text string "End Users"
WARNING text string ""
X01STAFF text string "Extra Staff Group 01 members"
X02STAFF text string "Extra Staff Group 02 members"
X03STAFF text string "Extra Staff Group 03 members"
X04STAFF text string "Extra Staff Group 04 members"
X05STAFF text string "Extra Staff Group 05 members"
X06STAFF text string "Extra Staff Group 06 members"
X07STAFF text string "Extra Staff Group 07 members"
X08STAFF text string "Extra Staff Group 08 members"
X09STAFF text string "Extra Staff Group 09 members"
X10STAFF text string "Extra Staff Group 10 members"
X11STAFF text string "Extra Staff Group 11 members"
X12STAFF text string "Extra Staff Group 12 members"

Exemptions

Constraint Value Parameters
CONTROL text string <node>
COVERAUTO text string <node>
COVERINTER text string <node>
COVERINVAS text string <node>
COVERMANU text string <node>
DEPTHAUTO text string <node>
DEPTHINTER text string <node>
DEPTHINVAS text string <node>
DEPTHMANU text string <node>
FAIL text string <node>
PASS text string <node>
PENDING text string <node>
POLICYNAM text string <node>
REMEDIATE text string <node>
REPORTNAM text string <node>
RIGOR text string <node>
WARNING text string <node>
ACCSTAFF text string <node>
APPSTAFF text string <node>
ASSSTAFF text string <node>
AUDSTAFF text string <node>
CFGSTAFF text string <node>
CTGSTAFF text string <node>
FACSTAFF text string <node>
HDWSTAFF text string <node>
INCSTAFF text string <node>
MEDSTAFF text string <node>
NETSTAFF text string <node>
OPRSTAFF text string <node>
PERSTAFF text string <node>
POLSTAFF text string <node>
PT3STAFF text string <node>
PURSTAFF text string <node>
SECSTAFF text string <node>
SYSSTAFF text string <node>
TRNSTAFF text string <node>
USRSTAFF text string <node>
WARNING text string <node>
X01STAFF text string <node>
X02STAFF text string <node>
X03STAFF text string <node>
X04STAFF text string <node>
X05STAFF text string <node>
X06STAFF text string <node>
X07STAFF text string <node>
X08STAFF text string <node>
X09STAFF text string <node>
X10STAFF text string <node>
X11STAFF text string <node>
X12STAFF text string <node>

Practical considerations

These tests do not really test any controls; they supply only the names and terms used to generate reports and remediation schedules.

Although these tests allow exemptions on a per-node basis, it is actually the limit from the first policy referenced in an assessment that is used in reports.


SECPOLICY

Ensure bit settings in system parameter SECURITY_POLICY conform to policy.

Violation reports

Constraint Nature of the violation
PROHIBITED allowed in violation of policy
REQUIRED prevented in violation of policy

Description

These bits, present in VMS V6.0 and later, control overall system security, including whether deviations from the C2-evaluated configuration are allowed.

Default policy

DECwindows access is permitted, preserving behavior that was allowed under prior versions of VMS; the other items are prohibited.

Customizing

These tests are primarily of interest to government sites which require running under evaluated software.

Selector

Limits for this test can take a selector indicating a security policy bit:

Table 6-1 Selectors for Security Policy Bits
Selector Name VMS Security Policy Bit Meaning
DPS ALLOW_DISPLAY_POSTSCRIPT allow display postscript extensions
MULTIDECW ALLOW_MULTIPLE_DECW_USERS allow multiple usernames to connect to DECW$SERVER
TRANSPORTS ALLOW_ALTERNATE_TRANSPORTS allow unevaluated transports
CROSSJOB ALLOW_SPAN_JOB_TREES allow $SIGPRC to span job trees
LOCPROFILE LOCAL_UPDATE allow local profile changes
LOCOBJECT LOCAL_PROFILE allow local object creation
CAPTIVESPAWN ALLOW_CAPTIVE_SPAWN allow SPAWN or LIB$SPAWN in CAPTIVE accounts
COMPRESSMAC COMPRESS_MAC_STRINGS compress MAC category strings (SEVMS)
UPPERCASEINPUT UPPERCASE_INPUT as prior to VMS V7.1
GUARDPASSWORDS GUARD_PASSWORDS ACMEs shall not share
DOIAUTHORIZATION DOI_AUTHORIZATION_ONLY prevent feature mixing
IGNOREEXTAUTH IGNORE_EXTAUTH ignore user-specific EXTAUTH and VMSAUTH restrictions
INTRUSIONSLOCAL INTRUSIONS_ARE_LOCAL consider local intrusions only when set
ALLOWSYMLINKACCESS ALLOW_SYMLINK_ACCESS allow symbolic link access
USEPOSIXUIDGID USE_POSIX_UID_GID perform UID/GID lookup in tcpip proxy database

Limits

Constraint Value Default
PROHIBITED FALSE or TRUE TRUE*
REQUIRED FALSE or TRUE FALSE*

* except for DPS, MULTIDECW, TRANSPORTS and GUARDPASSWORDS selectors.

Exemptions

Constraint Value Parameters
PROHIBITED FALSE or TRUE <node>
REQUIRED FALSE or TRUE <node>

Practical considerations

The CAPTIVESPAWN bit will be of the most interest to commercial sites.
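The following is an added illustration of how the SECPOLICY check above can be evaluated, combined with the PASS/FAIL/PENDING vocabulary from the REPORT element; it is not LJK code. The bit positions assigned to each selector are constructed placeholders (the real SECURITY_POLICY bit layout must be taken from the VMS documentation and substituted), and the value passed to `evaluate` is assumed to be the integer shown by `SYSGEN> SHOW SECURITY_POLICY` on the node being assessed. The PROHIBITED/REQUIRED semantics, the default policy (PROHIBITED TRUE except for DPS, MULTIDECW, TRANSPORTS and GUARDPASSWORDS) and per-node exemptions follow the manual; treating a selector with neither constraint in force as "Untested" is this example's own convention.

```python
"""Evaluate a SECURITY_POLICY value against PROHIBITED/REQUIRED constraints.

Added example, not part of the LJK/Security product.  SELECTOR_BITS is a
CONSTRUCTED placeholder layout: replace the masks with the documented
VMS SECURITY_POLICY bit values before using this against a real system.
"""

# Constructed placeholder bit assignment (one bit per selector).
SELECTOR_BITS = {
    "DPS": 1 << 0,
    "MULTIDECW": 1 << 1,
    "TRANSPORTS": 1 << 2,
    "CROSSJOB": 1 << 3,
    "LOCPROFILE": 1 << 4,
    "LOCOBJECT": 1 << 5,
    "CAPTIVESPAWN": 1 << 6,
    "COMPRESSMAC": 1 << 7,
    "UPPERCASEINPUT": 1 << 8,
    "GUARDPASSWORDS": 1 << 9,
    "DOIAUTHORIZATION": 1 << 10,
    "IGNOREEXTAUTH": 1 << 11,
    "INTRUSIONSLOCAL": 1 << 12,
    "ALLOWSYMLINKACCESS": 1 << 13,
    "USEPOSIXUIDGID": 1 << 14,
}

# Default policy from the manual: PROHIBITED=TRUE, REQUIRED=FALSE for every
# selector except these four, which are permitted by default.
DEFAULT_EXCEPTIONS = {"DPS", "MULTIDECW", "TRANSPORTS", "GUARDPASSWORDS"}

# Report vocabulary taken from the REPORT element's default limits.
TERMS = {"PASS": "Pass", "FAIL": "Fail", "PENDING": "Untested"}


def default_limits():
    """Return {selector: {"PROHIBITED": bool, "REQUIRED": bool}} per the manual."""
    return {
        sel: {"PROHIBITED": sel not in DEFAULT_EXCEPTIONS, "REQUIRED": False}
        for sel in SELECTOR_BITS
    }


def evaluate(policy_word, limits, exemptions=None, node="NODE01"):
    """Check one node's SECURITY_POLICY value; return {selector: (status, note)}.

    exemptions has the shape {node: {selector: {"PROHIBITED": bool, ...}}};
    an exemption overrides the corresponding limit for that node only.
    """
    exempt = (exemptions or {}).get(node, {})
    results = {}
    for sel, mask in SELECTOR_BITS.items():
        lim = dict(limits[sel])
        lim.update(exempt.get(sel, {}))
        is_set = bool(policy_word & mask)
        if lim["PROHIBITED"] and is_set:
            results[sel] = (TERMS["FAIL"], "allowed in violation of policy")
        elif lim["REQUIRED"] and not is_set:
            results[sel] = (TERMS["FAIL"], "prevented in violation of policy")
        elif not lim["PROHIBITED"] and not lim["REQUIRED"]:
            # Neither constraint applies: this example reports it as untested.
            results[sel] = (TERMS["PENDING"], "no constraint in force")
        else:
            results[sel] = (TERMS["PASS"], "")
    return results


def violations(results):
    """Return the sorted list of selectors whose status is the FAIL term."""
    return sorted(sel for sel, (status, _) in results.items() if status == TERMS["FAIL"])


def format_report(node, results):
    """Render one node's results as plain report lines."""
    lines = [f"SECPOLICY results for {node}:"]
    for sel in SELECTOR_BITS:
        status, note = results[sel]
        lines.append(f"  {sel:<20} {status:<9} {note}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: a node with the DPS and CAPTIVESPAWN bits set.
    sample_word = SELECTOR_BITS["DPS"] | SELECTOR_BITS["CAPTIVESPAWN"]
    res = evaluate(sample_word, default_limits())
    print(format_report("NODE01", res))
    print("Violations:", violations(res))
```

Running the sample flags only CAPTIVESPAWN, since DPS is permitted by the default policy. Supplying a per-node exemption such as `{"NODE01": {"CAPTIVESPAWN": {"PROHIBITED": False}}}` silences that finding for that node alone, which mirrors the per-node exemption table above; to enforce that a bit be set, give that selector `REQUIRED: True` in the limits.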

