LJK/Security Reference Manual
IMAGE
Determine whether generation of image termination accounting records
conforms to policy.
Violation reports
| Constraint | Nature of the violation |
| PROHIBITED | Image accounting is enabled in violation of policy |
| REQUIRED | Image accounting is disabled in violation of policy |
Description
Use of the qualifier /ENABLE=IMAGE with the SET ACCOUNTING command causes
image termination records to be written to the VMS accounting file.
Default policy
Enabling of image accounting is neither prohibited nor required.
Customizing
Set limit REQUIRED to be TRUE to add a general requirement that image
accounting be enabled.
selector
Limits
| Constraint | Value | Default |
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
Recording image termination accounting records greatly increases the disk
space needed for the accounting file.
INTERACT
Determine whether generation of interactive process termination
accounting records conforms to policy.
Violation reports
| Constraint | Nature of the violation |
| PROHIBITED | Interactive accounting is enabled in violation of policy |
| REQUIRED | Interactive accounting is disabled in violation of policy |
Description
Use of the qualifier /ENABLE=INTERACT with the SET ACCOUNTING command causes
process or image termination records for interactive jobs to be written
to the VMS accounting file (only if /ENABLE=IMAGE or /ENABLE=PROCESS
has also been specified).
Default policy
Enabling of interactive accounting is required.
Customizing
Set limit REQUIRED to be FALSE to remove the general requirement that
interactive accounting be enabled.
selector
Limits
| Constraint | Value | Default |
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
Accounting records provide more information regarding resource usage than
logout security alarms.
LOGFAIL
Determine whether generation of login failure accounting records
conforms to policy.
Violation reports
| Constraint | Nature of the violation |
| PROHIBITED | Logfail accounting is enabled in violation of policy |
| REQUIRED | Logfail accounting is disabled in violation of policy |
Description
Use of the qualifier /ENABLE=LOGFAIL with the SET ACCOUNTING command causes
login failure records to be written to the VMS accounting file.
Default policy
Enabling of logfail accounting is required.
Customizing
Set limit REQUIRED to be FALSE to remove the general requirement that
logfail accounting be enabled.
selector
Limits
| Constraint | Value | Default |
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
Login failure accounting records do not provide any more information than
login failure security alarms.
MESSAGE
Determine whether generation of user message accounting records
conforms to policy.
Violation reports
| Constraint | Nature of the violation |
| PROHIBITED | Message accounting is enabled in violation of policy |
| REQUIRED | Message accounting is disabled in violation of policy |
Description
Use of the qualifier /ENABLE=MESSAGE with the SET ACCOUNTING command causes
user message records to be written to the VMS accounting file.
Default policy
Enabling of message accounting is required.
Customizing
Set limit REQUIRED to be FALSE to remove the general requirement that
message accounting be enabled.
selector
Limits
| Constraint | Value | Default |
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
User message records are used to record application-specific information
in the accounting file.
NETWORK
Determine whether generation of network process termination accounting
records conforms to policy.
Violation reports
| Constraint | Nature of the violation |
| PROHIBITED | Network accounting is enabled in violation of policy |
| REQUIRED | Network accounting is disabled in violation of policy |
Description
Use of the qualifier /ENABLE=NETWORK with the SET ACCOUNTING command causes
process or image termination records for network jobs to be written to
the VMS accounting file (only if /ENABLE=IMAGE or /ENABLE=PROCESS has
also been specified).
Default policy
Enabling of network accounting is required.
Customizing
Set limit REQUIRED to be FALSE to remove the general requirement that
network accounting be enabled.
selector
Limits
| Constraint | Value | Default |
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
Accounting records provide more information regarding resource usage than
logout security alarms.
PRINT
Determine whether generation of print job accounting records conforms
to policy.
Violation reports
| Constraint | Nature of the violation |
| PROHIBITED | Print accounting is enabled in violation of policy |
| REQUIRED | Print accounting is disabled in violation of policy |
Description
Use of the qualifier /ENABLE=PRINT with the SET ACCOUNTING command causes
print job records to be written to the VMS accounting file.
Default policy
Enabling of print accounting is required.
Customizing
Set limit REQUIRED to be FALSE to remove the general requirement that
print accounting be enabled.
selector
Limits
| Constraint | Value | Default |
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
Information regarding individual print jobs is not otherwise recorded by
VMS.
PROCESS
Determine whether generation of process termination accounting records
conforms to policy.
Violation reports
| Constraint | Nature of the violation |
| PROHIBITED | Process accounting is enabled in violation of policy |
| REQUIRED | Process accounting is disabled in violation of policy |
Description
Use of the qualifier /ENABLE=PROCESS with the SET ACCOUNTING command causes
process termination records to be written to the VMS accounting file.
Default policy
Enabling of process accounting is required.
Customizing
Set limit REQUIRED to be FALSE to remove the requirement that process
accounting be enabled.
selector
Limits
| Constraint | Value | Default |
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
Recording process termination accounting records is generally accepted as
a minimum requirement in cases where accounting is being used at all.
SUBPROCESS
Determine whether generation of subprocess process termination
accounting records conforms to policy.
Violation reports
| Constraint | Nature of the violation |
| PROHIBITED | Subprocess accounting is enabled in violation of policy |
| REQUIRED | Subprocess accounting is disabled in violation of policy |
Description
Use of the qualifier /ENABLE=SUBPROCESS with the SET ACCOUNTING command causes
process or image termination records for subprocess jobs to be written
to the VMS accounting file (only if /ENABLE=IMAGE or /ENABLE=PROCESS
has also been specified).
Default policy
Enabling of subprocess accounting is required.
Customizing
Set limit REQUIRED to be FALSE to remove the general requirement that
subprocess accounting be enabled.
selector
Limits
| Constraint | Value | Default |
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
Accounting records provide more information regarding resource usage than
logout security alarms.
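The accounting tests above, taken together, as an added Python model (not LJK/Security code and not part of the original manual). The function names, the node names and the rule that an exemption replaces the general limit for its node are assumptions; `ineffective` is an extra check based on the INTERACT, NETWORK and SUBPROCESS descriptions, not a test the manual defines.

```python
# Added example: models the PROHIBITED/REQUIRED tests described above.
# Not LJK/Security code; names and data layout are hypothetical.

# element: (label used in violation reports, PROHIBITED default, REQUIRED default)
DEFAULT_LIMITS = {
    "IMAGE":      ("Image",       False, False),
    "INTERACT":   ("Interactive", False, True),
    "LOGFAIL":    ("Logfail",     False, True),
    "MESSAGE":    ("Message",     False, True),
    "NETWORK":    ("Network",     False, True),
    "PRINT":      ("Print",       False, True),
    "PROCESS":    ("Process",     False, True),
    "SUBPROCESS": ("Subprocess",  False, True),
}
# Per the descriptions, these only produce records alongside IMAGE or PROCESS.
JOB_TYPES = {"INTERACT", "NETWORK", "SUBPROCESS"}


def evaluate(node, enabled, limits=DEFAULT_LIMITS, exemptions=None):
    """Return the violation reports for one node.

    enabled    -- set of SET ACCOUNTING /ENABLE keywords active on the node
    exemptions -- {(element, constraint, node): bool}; assumed to replace
                  the general limit for that node only
    """
    exemptions = exemptions or {}
    reports = []
    for element, (label, prohibited, required) in limits.items():
        prohibited = exemptions.get((element, "PROHIBITED", node), prohibited)
        required = exemptions.get((element, "REQUIRED", node), required)
        if prohibited and element in enabled:
            reports.append(f"{label} accounting is enabled in violation of policy")
        if required and element not in enabled:
            reports.append(f"{label} accounting is disabled in violation of policy")
    return reports


def ineffective(enabled):
    """Job-type keywords that are enabled but write no records because
    neither IMAGE nor PROCESS is enabled (an extra check, not a product test)."""
    if enabled & {"IMAGE", "PROCESS"}:
        return set()
    return enabled & JOB_TYPES


# Constructed sample: everything the default policy requires except PROCESS.
SAMPLE = {"INTERACT", "LOGFAIL", "MESSAGE", "NETWORK", "PRINT", "SUBPROCESS"}
```

With the constructed sample, the default policy reports only the missing PROCESS keyword, while `ineffective(SAMPLE)` shows that the three job-type keywords pass their REQUIRED tests yet write no records.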
6.2 AUDIT Tests
Tests in the AUDIT facility deal with parameters used to control the
use of VMS security auditing features on a machine.
Exemptions are based on node name.
VMS Treatment of Alarms vs. Audits
Starting with VMS V5.4 there have been separate controls for Alarms and
Audits provided by the operating system. Prior to that, the only
mechanism for retaining a record of security events on disk was the
Operator Log File (SYS$MANAGER:OPERATOR.LOG). While the data related to
security events could be extracted with the Audit Reduction Facility
command procedure (SYS$MANAGER:SECAUDIT.COM), VMS still recorded all
data as Alarms (not Audits) and there was no way to separate which
security events called for immediate human attention (Alarms) versus
those which only needed to be recorded for possible later review
(Audits).
LJK/Security Treatment of Alarms vs. Audits
Elements described in this chapter often have separate
Constraints for Alarm controls and Audit controls. For example, a
typical list of Constraints might be:
- ALPROHIBIT - Security alarms are enabled in violation of policy
- ALREQUIRE - Security alarms are disabled in violation of policy
- AUPROHIBIT - Security audits are enabled in violation of policy
- AUREQUIRE - Security audits are disabled in violation of policy
But since only alarms (not audits) were supported under VMS versions
prior to V5.4, the AUREQUIRE constraint will often provide three
choices for your security assessment requirements:
The TRY value will require the control be enabled for VMS versions
where it exists (V5.4 and above), but not report a violation for VMS
versions where it does not exist.
The TRY value is also available for certain alarms (not audits) that
were provided only in particular versions of VMS.
ACL
Determine whether auditing for events requested by access control list
entries conforms to policy.
Violation reports
| Constraint | Nature of the violation |
| ALPROHIBIT | ACL security alarms are enabled in violation of policy |
| ALREQUIRE | ACL security alarms are disabled in violation of policy |
| AUPROHIBIT | ACL security audits are enabled in violation of policy |
| AUREQUIRE | ACL security audits are disabled in violation of policy |
Description
Use of the qualifier /ENABLE=ACL with the SET AUDIT/ALARM or SET AUDIT/AUDIT
command causes the corresponding reporting when any user has requested them.
Users make that request by placing a Security Alarm Access Control Entry in
the Access Control List of some object (file, global section, etc.).
Default policy
Enabling of ACL security alarms and audits is neither prohibited nor
required.
Customizing
Set limits to TRUE to establish a general prohibition of or requirement for
the enabling of ACL security auditing. Then establish exemptions for any
individual nodes which are not to be subjected to the general rule.
selector
Limits
| Constraint | Value | Default |
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE or TRUE | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE, TRUE or TRY | FALSE |
Exemptions
| Constraint | Value | Parameters |
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE or TRUE | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE, TRUE or TRY | <node> |
Practical considerations
Enabling ACL security alarms allows individual users the power to cause the
generation of unlimited alarms, potentially swamping more significant
alarms from other sources.
Enabling ACL security audits allows individual users the power to consume
unlimited disk space in the audit logs, but typically does not cause extra
work for the security officer.
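The four ACL constraints and the TRY value described earlier in this chapter, as an added Python model (not LJK/Security code and not part of the original manual). The function names and the version parser are hypothetical, and the handling of a plain TRUE on a pre-V5.4 node is an assumption inferred from the TRY description.

```python
# Added example: models the ACL element's four constraints and the TRY value.
# Not LJK/Security code; function names and the version parser are hypothetical.
import re

AUDITS_SINCE = (5, 4)  # from the text: separate audit controls start with VMS V5.4


def vms_version(text):
    """Parse strings such as 'V5.4', 'V5.3-1' or 'V8.3' into (major, minor)."""
    m = re.match(r"[A-Za-z](\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognized VMS version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def check_acl(version, alarms_on, audits_on, limits):
    """Return violation reports for the ACL element on one node.

    limits -- ALPROHIBIT, ALREQUIRE, AUPROHIBIT: bool;
              AUREQUIRE: False, True or "TRY"
    """
    has_audits = vms_version(version) >= AUDITS_SINCE
    audits_on = audits_on and has_audits  # no audit control exists before V5.4
    au_require = limits.get("AUREQUIRE", False)
    if au_require == "TRY":
        # TRY: required where the control exists, silent where it does not.
        au_require = has_audits
    # Assumption: a plain TRUE is reported on a pre-V5.4 node, where audits
    # cannot be enabled at all.
    checks = [
        (limits.get("ALPROHIBIT", False) and alarms_on, "alarms are enabled"),
        (limits.get("ALREQUIRE", False) and not alarms_on, "alarms are disabled"),
        (limits.get("AUPROHIBIT", False) and audits_on, "audits are enabled"),
        (au_require and not audits_on, "audits are disabled"),
    ]
    return [f"ACL security {what} in violation of policy"
            for hit, what in checks if hit]
```

On a mixed-version cluster this is the reason to prefer TRY over TRUE for AUREQUIRE: the older nodes stay quiet while V5.4 and later nodes are still held to the requirement.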
ALARM
Determine whether operator settings and responsiveness conform to
policy.
Violation reports
| Constraint | Nature of the violation |
| REPORT | No operator terminal is enabled in violation of policy |
| RESPONSE | No operator responded in violation of policy |
Description
Use of the qualifier /ENABLE or /ENABLE=(keyword,...) with the REPLY
command enables a terminal for operator interaction for one or more of 24
operator classes.
Tests for this element determine in a slightly invasive manner whether any
terminal is enabled for selected operator classes and whether operator
responses are received within an acceptable time interval.
For the REPORT constraint "ignore this message" text is sent to the
relevant operator.
For the RESPONSE constraint the text sent to the relevant operator
requires an operator response.
Default policy
Enabling of terminals for operator interaction is not required.
Customizing
Set limit REPORT to be TRUE for the selectors corresponding to the types
of operator messages your policy requires to be received. For those
selectors on which you wish to also test operator responsiveness, set
limit RESPONSE to the maximum number of seconds allowed for a response.
If limit REPORT is set to FALSE, no testing for limit RESPONSE is
performed, since no response is possible for a type of operator message
that is not enabled at any terminal.
selector
Limits for this element can take a
selector consisting of an operator message type:
CENTRAL, PRINTER, TAPES, DISKS, DEVICES, CARDS, NETWORK, CLUSTER,
SECURITY, REPLY, SOFTWARE, LICENSE, USER1, USER2, USER3, USER4, USER5,
USER6, USER7, USER8, USER9, USER10, USER11, USER12.
Thus, each limit can be set once for each possible operator message type.
If you do not specify a selector when changing limits, your change applies
to all operator message types.
Of the operator message types listed above, the REPLY and SOFTWARE
types are not documented (as late as VMS Version 8.3) and by default
are not enabled (by REPLY/ENABLE command) or disabled (by the
REPLY/DISABLE command).
Of the operator message types listed above, the LICENSE type is not
documented (as late as VMS Version 8.3) but by default is enabled (by
REPLY/ENABLE command) and disabled (by the REPLY/DISABLE command).
Limits
| Constraint | Value | Default |
| REPORT | FALSE or TRUE | FALSE |
| RESPONSE | 0-n | 300 |
Exemptions
| Constraint | Value | Parameters |
| REPORT | FALSE or TRUE | <node> |
| RESPONSE | 0-n | <node> |
Practical considerations
Test (AUDIT, ALARM, REPORT) just determines whether software has been
configured to send a message out a terminal line. Success with that test
does not allow one to infer that there is a terminal connected to the line
or that any human ever notices what is output from that terminal.
Test (AUDIT, ALARM, RESPONSE) interrupts an enabled operator with a
message to which they must respond, so it should be used judiciously.
Test (AUDIT, ALARM, REPORT) sends a message to the enabled operator
which indicates it can be ignored, but it is still an interruption.
Specifying both test (AUDIT, ALARM, RESPONSE) and test (AUDIT, ALARM,
REPORT) for any particular operator message type results in just a
single message being sent to those terminals, covering both tests.
If one wanted to use test (AUDIT, ALARM, RESPONSE) in support of
certain external rule sets (such as NIST 800-53 control SI-6) that are
aimed at security functions, it is better to specify only the
SECURITY selector, providing a single message to which the SECURITY
operator must respond, rather than multiple messages to which 24
separate operator responses are required.