LJK/Security Reference Manual




SECONDARY

Ensure an appropriate percentage of usernames require secondary passwords.

Violation reports

Constraint Nature of the violation
PERCENTLO Fewer usernames require secondary passwords than permitted by policy
PERCENTHI More usernames require secondary passwords than permitted by policy

Description

These tests determine whether an appropriate percentage of usernames require secondary passwords.

Default policy

There is no requirement for a particular percentage of usernames to require secondary passwords

Customizing

These tests are primarily of interest to sites which have a need for secondary passwords unrelated to VMS privilege levels. When the need is related to VMS privilege levels, use the (UAF,PWDNULL,SECMAXPRIV) test.

Selector

Limits

Constraint Value Default
PERCENTLO 0-100 0
PERCENTHI 0-100 100

Exemptions

Constraint Value Parameters
PERCENTLO 0-100 <node>, <device-name>
PERCENTHI 0-100 <node>, <device-name>

Practical considerations

The VMS secondary password mechanism is only effective if the primary and secondary passwords are held by different individuals, and that aspect of usage cannot be automatically verified.

SETTIME

Determine whether VMS will delay on boot for the time to be entered.

Violation reports

Constraint Nature of the violation
PROHIBITED System parameter SETTIME is 1 in violation of policy
REQUIRED System parameter SETTIME is 0 in violation of policy

Description

If system parameter SETTIME is 1, VMS will wait for the time to be entered on each boot.

Default policy

Prompting on every boot is prohibited

Customizing

LJK Software recommends that you leave the limits for these tests at their default value.

If you have particular systems which are supposed to have system parameter SETTIME set to 1, you can add exemptions for those nodes to the PROHIBITED constraint.

A more thorough approach in situations where some nodes must have the system parameter SETTIME set to 1 would be to set both the PROHIBITED and the REQUIRED limits to TRUE and then establish exemptions for all nodes.

Selector

Limits

Constraint Value Default
PROHIBITED FALSE or TRUE TRUE
REQUIRED FALSE or TRUE FALSE

Exemptions

Constraint Value Parameters
PROHIBITED FALSE or TRUE <node>
REQUIRED FALSE or TRUE <node>

Practical considerations

Except for the MicroVAX I and the VAX 11/730, systems which run VMS have built-in time-of-year clocks. With such a clock, system parameter SETTIME should be 0, and the default values for these tests will be sufficient.

While waiting for time to be input on boot is a threat to continuity of service, running with the software clock incorrectly set can lead to improper operation of applications, also an undesirable condition.


STARTUP

See if the list of system startup modules conforms to policy.

Violation reports

Constraint Nature of the violation
MATCH Ordered list of Startup modules does not exactly match policy
MUSTHAVE Set of Startup modules does not include one required by policy
MUSTLACK Set of Startup modules includes one prohibited by policy
NOMORETHAN Set of Startup modules includes more than those permitted by policy
NOTJUST Set of Startup modules does not include any beyond set declared inadequate by policy

Description

The tests within this element determine whether the list of system startup modules conforms to policy. Test (VMS, STARTUP, MATCH) treats the names of Startup modules as an ordered list, while the other tests treat the names of Startup modules as a set in no particular order.

Default policy

There are no requirements regarding startup modules

Customizing

Modify these constraints for any required or forbidden startup modules being enabled via MCR SYSMAN STARTUP commands.

Selector

Limits

Constraint Value Default
MATCH 0-511 characters none
MUSTHAVE 0-510 characters none
MUSTLACK 0-510 characters none
NOMORETHAN 0-510 characters none
NOTJUST 0-510 characters none

Exemptions

Constraint Value Parameters
MATCH 0-511 characters <node>
MUSTHAVE 0-510 characters <node>
MUSTLACK 0-510 characters <node>
NOMORETHAN 0-510 characters <node>
NOTJUST 0-510 characters <node>

Practical considerations

This element is useful for assessing multiple distinct nodes that are alleged to be configured the same.
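
The ordered-list and set semantics of the five STARTUP constraints, applied to several nodes that are supposed to be configured the same. This is an added Python example, not LJK/Security code; it assumes a constraint value is a comma-separated list of module names, and the `SITE$...` module names and node names are constructed.

```python
# Added illustration of the (VMS, STARTUP, *) constraint semantics; not LJK/Security code.
# Assumption: a constraint value is a comma-separated list of module names.

def parse_modules(value):
    """Split a constraint value into upper-cased module names, keeping order."""
    return [name.strip().upper() for name in value.split(",") if name.strip()]

def check_startup(observed, policy):
    """Return the sorted names of the constraints that `observed` violates.

    observed: startup module names in the order found on the node.
    policy:   constraint name -> value string; an empty value means no limit.
    """
    obs_list = [name.strip().upper() for name in observed]
    obs_set = set(obs_list)
    tests = {
        "MATCH": lambda want: obs_list != want,              # ordered comparison
        "MUSTHAVE": lambda want: not set(want) <= obs_set,   # a required module is missing
        "MUSTLACK": lambda want: bool(set(want) & obs_set),  # a prohibited module is present
        "NOMORETHAN": lambda want: not obs_set <= set(want), # something beyond the permitted set
        "NOTJUST": lambda want: obs_set <= set(want),        # nothing beyond the inadequate set
    }
    violations = []
    for constraint, value in policy.items():
        want = parse_modules(value)
        if want and tests[constraint](want):
            violations.append(constraint)
    return sorted(violations)

# Constructed policy and node inventories (module and node names are made up).
POLICY = {
    "MATCH": "SITE$NET.COM, SITE$AUDIT.COM, SITE$APP.COM",
    "MUSTHAVE": "SITE$AUDIT.COM",
    "MUSTLACK": "SITE$DEBUG.COM",
    "NOMORETHAN": "SITE$NET.COM, SITE$AUDIT.COM, SITE$APP.COM",
    "NOTJUST": "SITE$NET.COM",
}
NODES = {
    "NODEA": ["SITE$NET.COM", "SITE$AUDIT.COM", "SITE$APP.COM"],
    "NODEB": ["SITE$AUDIT.COM", "SITE$NET.COM", "SITE$APP.COM"],  # same set, other order
    "NODEC": ["SITE$NET.COM", "SITE$DEBUG.COM"],
    "NODED": ["SITE$NET.COM"],
}

def audit(nodes=NODES, policy=POLICY):
    """Evaluate every node against the same policy."""
    return {node: check_startup(mods, policy) for node, mods in nodes.items()}

if __name__ == "__main__":
    for node, found in audit().items():
        print(node, found or "conforms")
```

NODEB holds the same modules as NODEA in a different order, so only the ordered MATCH test reports it.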

SYSTEMLGI

Ensure that ability to log into the SYSTEM account conforms to policy.

Violation reports

Constraint Nature of the violation
PROHIBITED allowed in violation of policy
REQUIRED prevented in violation of policy

Description

For reasons of accountability it is generally best to allow username SYSTEM to log in only via Batch. System administrative tasks are then performed in privileged accounts which can be traced to individuals.

Default policy

Username SYSTEM is required to be able to log in for batch and is prohibited from all other login methods

Customizing

Exemptions for individual nodes are generally better than an organization-wide relaxation of limits, so that over time nodes can be converted back one-by-one.

Selector

Limits for this test can take a selector consisting of a login type: LOCAL, DIALUP, REMOTE, NETWORK or BATCH.

Thus, each can be set once for each possible login type. If you do not specify a selector when changing limits, your change applies to all login types.

Note

The availability of separate selector values for LOCAL and DIALUP should not be taken as a suggestion that the DIALUP indication associated with terminals be trusted to accurately represent whether or not a dialup line is actually in use. It is provided, however, for sites which use the DIALUP indication to denote some aspect of a terminal which can be determined with certainty, such as whether or not a given terminal connection is via an X.25 circuit.

Limits

Constraint Value Default
PROHIBITED FALSE or TRUE TRUE*
REQUIRED FALSE or TRUE FALSE*

* except for BATCH selection.

Exemptions

Constraint Value Parameters
PROHIBITED FALSE or TRUE <node>
REQUIRED FALSE or TRUE <node>

Practical considerations

In certain failure modes, such as the absence of an authorization file or a denial-of-service attack via breakin evasion, the username SYSTEM is uniquely allowed to log in from the system console. This special capability of username SYSTEM indicates it should be available to system managers, while general accountability goals indicate that system managers should each use their own separate usernames.

The best resolution of this conundrum is to implement the equivalent of a "break the glass" fire alarm, with a generated password for the SYSTEM username stored inside a tamper-evident container physically bolted inside the protected computer room. Covering such a container with video surveillance would be ideal.


SYSUAF

Determine the location of the user authorization file.

Violation reports

Constraint Nature of the violation
LOCATION File is in an improper location

Description

Putting the system authorization file in a non-default location can be a valuable administrative tool, particularly in clusters. If this is done in an uncoordinated fashion, however, authorization changes might be made to the wrong file.

Default policy

The default location is SYS$COMMON:[SYSEXE]SYSUAF.DAT;, which is the VMS default

Customizing

Since alternate locations will be on a system-specific basis, you should leave the limit at its default value and use per-system exemptions to permit deviations. The expression of values should be phrased based on canonical mount logical names if the files are not in SYS$COMMON.

A limit or exemption with a value of the null string means there is no value which is considered unacceptable.

Selector

Limits

Constraint Value Default
LOCATION Any filespec SYS$COMMON:[SYSEXE]SYSUAF.DAT;

Exemptions

Constraint Value Parameters
LOCATION Any filespec <node>

Practical considerations

If particular systems have varying locations for the authorization file, you can nullify this test through the use of wildcards in the value.

Note that system parameter UAFALT can be used to affect the filespec which is used.

The test (VMS, SYSUAF, LOCATION) is an older special-purpose test. Starting with LJK/Security V3.0 the more general test (DISK, CHECKPROT, LOCATION) can be used for multiple files.


TIME

See if the relative times of master and tributary nodes conform to policy.

Violation reports

Constraint Nature of the violation
OFFSET Time offset between tributary and master node does not conform to policy

Description

The test within this element determines whether the time offset between the master and tributary nodes conforms to policy.

Default policy

Time offset must be less than 15 seconds

Customizing

A common use is to check synchronization between tributary nodes covered by a single assessment. The fact that the comparison is against the master node is just an artifact of implementation.

Selector

Limits

Constraint Value Default
OFFSET signed offset with deviation -0-00:00:00.00/0-00:00:15.00

Exemptions

Constraint Value Parameters
OFFSET signed offset with deviation <node>

Practical considerations

The value for the OFFSET constraint may require periodic adjustment if some of the tributary nodes change their times due to Daylight Savings Time, British Summer Time and the like.

Comparison across the network only works over DECnet because that is when LJK/Security has direct control.
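
How an OFFSET value such as the default above can be read and applied, including the adjustment needed when a tributary runs an hour ahead of the master. This is an added Python example, not LJK/Security code; it assumes the value is `offset/deviation` in VMS delta-time notation and that the offset is measured as tributary time minus master time.

```python
# Added illustration of the (VMS, TIME, OFFSET) check; not LJK/Security code.
# Assumptions: the limit is "<signed offset>/<deviation>" in delta-time form
# d-hh:mm:ss.cc, and the offset is tributary time minus master time.
import re
from datetime import datetime, timedelta

DEFAULT_LIMIT = "-0-00:00:00.00/0-00:00:15.00"  # default value from the Limits table
DELTA_RE = re.compile(r"^([+-]?)(\d+)-(\d{1,2}):(\d{2}):(\d{2})(?:\.(\d{1,6}))?$")

def parse_delta(text):
    """Convert '[sign]d-hh:mm:ss.cc' into a timedelta."""
    m = DELTA_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a delta time: {text!r}")
    sign, days, hh, mm, ss, frac = m.groups()
    delta = timedelta(days=int(days), hours=int(hh), minutes=int(mm),
                      seconds=int(ss),
                      microseconds=int((frac or "0").ljust(6, "0")))
    return -delta if sign == "-" else delta

def parse_offset_limit(value):
    """Split an OFFSET value into (expected offset, allowed deviation)."""
    offset_text, _, deviation_text = value.partition("/")
    offset, deviation = parse_delta(offset_text), parse_delta(deviation_text)
    if deviation < timedelta(0):
        raise ValueError("deviation must not be negative")
    return offset, deviation

def offset_violation(master_time, tributary_time, limit=DEFAULT_LIMIT):
    """True when the observed offset is not within the deviation of the expected offset."""
    offset, deviation = parse_offset_limit(limit)
    observed = tributary_time - master_time
    # Default policy: the offset must be *less than* the deviation, so equality violates.
    return abs(observed - offset) >= deviation

if __name__ == "__main__":
    master = datetime(2024, 7, 1, 12, 0, 0)      # constructed sample times
    ahead = master + timedelta(hours=1, seconds=4)  # tributary one hour ahead
    print(offset_violation(master, ahead))                                  # default limit
    print(offset_violation(master, ahead, "0-01:00:00.00/0-00:00:15.00"))  # adjusted limit
```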


TIMEPROMPT

Determine interval VMS will delay on boot for time to be entered.

Violation reports

Constraint Nature of the violation
ABSOLUTLO System parameter TIMEPROMPTWAIT is lower than allowed by policy
ABSOLUTHI System parameter TIMEPROMPTWAIT is higher than allowed by policy

Description

If system parameter SETTIME is 1, VMS will prompt for the time on each boot. The length of time VMS will wait for time to be input is set by system parameter TIMEPROMPTWAIT, which is monitored by these tests. (These tests are not performed, however, if system parameter SETTIME is 0).

Values for TIMEPROMPTWAIT from 1 to 32768 specify that a single prompt should be issued with a wait of the specified number of seconds. After that wait, if no response has been received, the system boots using the time of the last system boot.

Values from 32768 through 65535 indicate that prompting is to be repeated indefinitely until a response is given.

The VMS parameter TIMEPROMPTWAIT has no effect if there is a time-of-year clock containing a valid time when the system is booted.

Default policy

The default limits are both set to the VMS default value for system parameter TIMEPROMPTWAIT

Customizing

If you have VMS systems which have system parameter SETTIME set to 1, and have a non-standard interval specified in system parameter TIMEPROMPTWAIT, you will have to alter these limits or establish exemptions for the affected nodes.

A limit or exemption with a value of zero means there is no value which is considered unacceptable.

Selector

Limits

Constraint Value Default
ABSOLUTLO 0-n 65535
ABSOLUTHI 0-n 65535

Exemptions

Constraint Value Parameters
ABSOLUTLO 0-n <node>
ABSOLUTHI 0-n <node>

Practical considerations

Except for the MicroVAX I and the VAX 11/730, VAX processors have built-in time-of-year clocks. With a clock, test (VMS, SETTIME, PROHIBITED) can be set to TRUE, and this test can be ignored.

While an overly long delay on boot is a threat to continuity of service, running with the software clock incorrectly set can lead to improper application operation, also an undesirable condition.


TRIBUTARY

Ensure an appropriate number of tributary nodes are tested from this master node.

Violation reports

Constraint Nature of the violation
TOTALMIN Fewer nodes tested from this master node than permitted by policy

Description

This test measures against requirements that security assessment be centralized.

Note

This test is performed on the master node rather than on the tributary nodes, regardless of whether or not the master node is part of the assessment.

If the master node is not part of the assessment, violations will be reported as coming from the first tributary node in the assessment, based on the limit in the policy used for that tributary node.

Default policy

There is no requirement for a particular number of tributary nodes

Customizing

This test is primarily of interest to sites which have a requirement that security assessment be centralized.

Selector

Limits

Constraint Value Default
TOTALMIN 0-n 0

Exemptions

Constraint Value Parameters
TOTALMIN 0-n <node>

Practical considerations

These tests are not helpful on specialized assessments done to investigate particular tributaries.

TTYTIMEOUT

See if the value of the TTY_TIMEOUT parameter conforms to policy.

Violation reports

Constraint Nature of the violation
ABSOLUTHI Interval for terminating a detached terminal process is higher than allowed by policy
ABSOLUTLO Interval for terminating a detached terminal process is lower than allowed by policy

Description

The tests within this element determine whether the value of the TTY_TIMEOUT parameter conforms to policy.

Default policy

TTY_TIMEOUT must specify between 15 and 60 minutes

Customizing

A wider range for TTY_TIMEOUT is rarely required.

Selector

Limits

Constraint Value Default
ABSOLUTHI 0-n 3600
ABSOLUTLO 0-n 900

Exemptions

Constraint Value Parameters
ABSOLUTHI 0-n <node>
ABSOLUTLO 0-n <node>

Practical considerations

The MATCH constraint is equivalent to including the same text in both the CONTAINED constraint and the MATCH constraint.

Comparison treats line-feed, carriage-return, line-feed and form-feed as equivalent to space. It also treats multiple spaces as equivalent to a single space and artificially inserts a space before and after any punctuation characters.

