LJK/Security Reference Manual
ARCHIVE
Determine whether use of an additional audit file destination conforms
to policy.
Violation reports
| Constraint |
Nature of the violation |
|
ALPROHIBIT
|
Security alarms are archived in violation of policy
|
|
ALREQUIRE
|
Security alarms are not archived in violation of policy
|
|
AUPROHIBIT
|
Security audits are archived in violation of policy
|
|
AUREQUIRE
|
Security audits are not archived violation of policy
|
|
FLUSH
|
Audit archive flush interval exceeds policy maximum
|
|
LOCATION
|
Audit aarchive file is in an improper location
|
Description
The SET AUDIT/ARCHIVE command can be used to establish a secondary
audit log file, such as one on a different node.
Tests in this element determine whether those settings
conform to policy.
Default policy Use of an additional audit log file is neither
prohibited nor required. The flush interval is not tested. Customizing
Set A* limits TRUE to establish a general prohibition
of or requirement for writing records to an additional audit file.
Set limit to specify a particular maximum interval for
flushing those records to the additional (archive) audit file.
selector
Limits
| Constraint |
Value |
Default |
|
ALPROHIBIT
|
FALSE or TRUE
|
FALSE
|
|
ALREQUIRE
|
FALSE, TRUE or TRY
|
FALSE
|
|
AUPROHIBIT
|
FALSE or TRUE
|
FALSE
|
|
AUREQUIRE
|
FALSE, TRUE or TRY
|
FALSE
|
|
FLUSH
|
delta-time
|
+00:00:00.00
|
|
LOCATION
|
Any filespec
|
*
|
Exemptions
| Constraint |
Value |
Parameters |
|
ALPROHIBIT
|
FALSE or TRUE
|
<node>
|
|
ALREQUIRE
|
FALSE, TRUE or TRY
|
<node>
|
|
AUPROHIBIT
|
FALSE or TRUE
|
<node>
|
|
AUREQUIRE
|
FALSE, TRUE or TRY
|
<node>
|
|
FLUSH
|
delta-time
|
<node>
|
|
LOCATION
|
Any filespec
|
<node>
|
Practical considerations Per-node exemptions are required for off-node
archive files, since the audit server will attempt to open a file in
exclusive mode, which would conflict with any other node set with the
same file specification. �
AUDILLFOR
Determine whether enabling of alarms or audits for ill-formed audit
events conforms to policy.
Violation reports
| Constraint |
Nature of the violation |
|
ALPROHIBIT
|
Ill-formed audit security alarms are enabled in violation of policy
|
|
ALREQUIRE
|
Ill-formed audit security alarms are disabled in violation of policy
|
|
AUPROHIBIT
|
Ill-formed audit security audits are enabled in violation of policy
|
|
AUREQUIRE
|
Ill-formed audit security audits are disabled in violation of policy
|
Description
Use of the qualifier /ENABLE=AUDIT=ILLFORMED with the SET AUDIT/ALARM
or SET AUDIT/AUDIT command causes
the corresponding reporting when an ill-formed call to cause an audit
is made by an internal VMS component.
Default policy Enabling of Ill-formed audit security alarms and audits
is neither prohibited nor required. Customizing Set
limits TRUE to establish a general prohibition of or
requirement for the enabling of Ill-formed audit security alarms or
audits. Then establish exemptions for any individual
nodes which are not to be subjected to the general rule.
selector Limits
| Constraint |
Value |
Default |
|
ALPROHIBIT
|
FALSE or TRUE
|
FALSE
|
|
ALREQUIRE
|
FALSE, TRUE or TRY
|
FALSE
|
|
AUPROHIBIT
|
FALSE or TRUE
|
FALSE
|
|
AUREQUIRE
|
FALSE, TRUE or TRY
|
FALSE
|
Exemptions
| Constraint |
Value |
Parameters |
|
ALPROHIBIT
|
FALSE or TRUE
|
<node>
|
|
ALREQUIRE
|
FALSE, TRUE or TRY
|
<node>
|
|
AUPROHIBIT
|
FALSE or TRUE
|
<node>
|
|
AUREQUIRE
|
FALSE, TRUE or TRY
|
<node>
|
Practical considerations The corresponding audits and alarms are
enabled on VMS by default, and cause no extra burden on a properly
running system. �
AUDIT
Determine whether auditing for events resulting from the SET AUDIT
command conforms to policy.
Violation reports
| Constraint |
Nature of the violation |
|
ALPROHIBIT
|
Audit security alarms are enabled in violation of policy
|
|
ALREQUIRE
|
Audit security alarms are disabled in violation of policy
|
|
AUPROHIBIT
|
Audit security audits are enabled in violation of policy
|
|
AUREQUIRE
|
Audit security audits are disabled in violation of policy
|
Description
Use of the qualifier /ENABLE=AUDIT with the SET AUDIT/ALARM
or SET AUDIT/AUDIT command causes
the corresponding reporting when the SET AUDIT command is used.
Default policy Enabling of Audit security alarms and audits is
required. Customizing Set limit ALREQUIRE FALSE to
remove the requirement for the enabling of Audit security alarms.
Set limit ALPROHIBIT TRUE to prohibit the enabling of
Audit security alarms on versions of VMS prior V6.0. On VMS V6.0 and
later
there is no way to disable the auditing of the SET AUDIT command. If
you are running mixed versions of VMS and want to prohibit the auditing
of SET AUDIT on whatever versions where it is possible, set
limit AUPROHIBIT to the value TRY.
selector
Limits
| Constraint |
Value |
Default |
|
ALPROHIBIT
|
FALSE, TRUE or TRY
|
FALSE
|
|
ALREQUIRE
|
FALSE or TRUE
|
TRUE
|
|
AUPROHIBIT
|
FALSE, TRUE or TRY
|
FALSE
|
|
AUREQUIRE
|
FALSE, TRUE or TRY
|
TRUE
|
Exemptions
| Constraint |
Value |
Parameters |
|
ALPROHIBIT
|
FALSE, TRUE or TRY
|
<node>
|
|
ALREQUIRE
|
FALSE or TRUE
|
<node>
|
|
AUPROHIBIT
|
FALSE, TRUE or TRY
|
<node>
|
|
AUREQUIRE
|
FALSE, TRUE or TRY
|
<node>
|
Practical considerations The recording of Audit events is essential to
verify the completeness of other events which are recorded. �
AUTHENT
Determine whether enabling of alarms or audits for authentication
events conforms to policy.
Violation reports
| Constraint |
Nature of the violation |
|
ALPROHIBIT
|
Authentication security alarms are enabled in violation of policy
|
|
ALREQUIRE
|
Authentication security alarms are disabled in violation of policy
|
|
AUPROHIBIT
|
Authentication security audits are enabled in violation of policy
|
|
AUREQUIRE
|
Authentication security audits are disabled in violation of policy
|
Description
The corresponding auditing is not supported as of VMS V7.3.
Default policy Enabling of Authentication security alarms and audits is
neither prohibited nor required. Customizing Set
limits TRUE to establish a general prohibition of or
requirement for the enabling of Authentication security alarms or
audits. Then establish exemptions for any individual
nodes which are not to be subjected to the general rule.
selector Limits
| Constraint |
Value |
Default |
|
ALPROHIBIT
|
FALSE or TRUE
|
FALSE
|
|
ALREQUIRE
|
FALSE, TRUE or TRY
|
FALSE
|
|
AUPROHIBIT
|
FALSE or TRUE
|
FALSE
|
|
AUREQUIRE
|
FALSE, TRUE or TRY
|
FALSE
|
Exemptions
| Constraint |
Value |
Parameters |
|
ALPROHIBIT
|
FALSE or TRUE
|
<node>
|
|
ALREQUIRE
|
FALSE, TRUE or TRY
|
<node>
|
|
AUPROHIBIT
|
FALSE or TRUE
|
<node>
|
|
AUREQUIRE
|
FALSE, TRUE or TRY
|
<node>
|
Practical considerations As of V7.3 VMS does not provide a method to
enable auditing or alarms for these events. �
AUTHORIZE
Determine whether auditing for user authorization changes conforms to
policy.
Violation reports
| Constraint |
Nature of the violation |
|
ALPROHIBIT
|
Authorize security alarms are enabled in violation of policy
|
|
ALREQUIRE
|
Authorize security alarms are disabled in violation of policy
|
|
AUPROHIBIT
|
Authorize security audits are enabled in violation of policy
|
|
AUREQUIRE
|
Authorize security audits are disabled in violation of policy
|
Description
Use of the qualifier /ENABLE=AUTHORIZATION with the SET AUDIT/ALARM
or SET AUDIT/AUDIT command causes
the corresponding reporting when standard utilities such as LOGIN,
AUTHORIZE and SET PASSWORD are used to change authorization information.
Default policy Enabling of Authorize security alarms is neither
prohibited nor required.
Enabling of Authorize security audits is required. Customizing Set
limits TRUE to establish a general prohibition of or
requirement for the enabling of Authorize security auditing. Then
establish exemptions for any individual nodes which
are not to be subjected to the general rule.
selector
Limits
| Constraint |
Value |
Default |
|
ALPROHIBIT
|
FALSE or TRUE
|
FALSE
|
|
ALREQUIRE
|
FALSE or TRUE
|
FALSE
|
|
AUPROHIBIT
|
FALSE or TRUE
|
FALSE
|
|
AUREQUIRE
|
FALSE, TRUE or TRY
|
FALSE
|
Exemptions
| Constraint |
Value |
Parameters |
|
ALPROHIBIT
|
FALSE or TRUE
|
<node>
|
|
ALREQUIRE
|
FALSE or TRUE
|
<node>
|
|
AUPROHIBIT
|
FALSE or TRUE
|
<node>
|
|
AUREQUIRE
|
FALSE, TRUE or TRY
|
<node>
|
Practical considerations Bear in mind that authorization security
events include password changes by individual users, creating alarms
for events which are typically not controlled by system administrators.
For authorization security events, using audits rather than alarms is
more practical for most situations. �
BREAKIN
Determine whether auditing for attempted breakins conforms to policy.
Violation reports
| Constraint |
Nature of the violation |
|
ALPROHIBIT
|
Breakin security alarms are enabled in violation of policy
|
|
ALREQUIRE
|
Breakin security alarms are disabled in violation of policy
|
|
AUPROHIBIT
|
Breakin security audits are enabled in violation of policy
|
|
AUREQUIRE
|
Breakin security audits are disabled in violation of policy
|
Description
Use of the qualifier /ENABLE=BREAKIN=(keyword,...) with the SET
AUDIT/ALARM
or SET AUDIT/AUDIT command causes
the corresponding reporting when a
breakin attempt is detected. Tests for this element
determine whether those audits or alarms are enabled or not.
Default policy Enabling of Breakin security alarms and audits is
required. Customizing Set limit ALREQUIRED to be FALSE
to remove the general requirement that Breakin security auditing be
enabled. Otherwise establish exemptions for any
individual nodes which are not to be subjected to the general
requirement.
selector
Limits for this element can take a
selector consisting of a VMS process type: DIALUP,
LOCAL, REMOTE, NETWORK or DETACHED. Note that BATCH and SUBPROCESS are
not applicable the BREAKIN element.
Thus, each limit can be set once for each possible
process type. If you do not specify a selector when
changing limits, your change applies to all process
types.
Limits
| Constraint |
Value |
Default |
|
ALPROHIBIT
|
FALSE or TRUE
|
FALSE
|
|
ALREQUIRE
|
FALSE or TRUE
|
TRUE
|
|
AUPROHIBIT
|
FALSE or TRUE
|
FALSE
|
|
AUREQUIRE
|
FALSE or TRUE
|
TRUE
|
Exemptions
| Constraint |
Value |
Parameters |
|
ALPROHIBIT
|
FALSE or TRUE
|
<node>
|
|
ALREQUIRE
|
FALSE or TRUE
|
<node>
|
|
AUPROHIBIT
|
FALSE or TRUE
|
<node>
|
|
AUREQUIRE
|
FALSE or TRUE
|
<node>
|
Practical considerations Since a breakin attempt is composed of a
series of login failures which meet threshold criteria set with the
LGI_* system parameters, it constitutes a more significant event than
individual login failures. Breakin attempts are generally the
first priority for security alarms, enabled even on systems
which do not otherwise use security alarms.
In general, security events for which alarms are enabled should also
have audits enabled. �
BYPASS
Determine whether auditing for events involving the use of BYPASS
privilege conforms to policy.
Violation reports
| Constraint |
Nature of the violation |
|
ALPROHIBIT
|
BYPASS security alarms are enabled in violation of policy
|
|
ALREQUIRE
|
BYPASS security alarms are disabled in violation of policy
|
|
AUPROHIBIT
|
BYPASS security audits are enabled in violation of policy
|
|
AUREQUIRE
|
BYPASS security audits are disabled in violation of policy
|
Description
Use of the qualifiers /CLASS=FILE and
/ENABLE=ACCESS=BYPASS=(access,...) with the SET AUDIT/ALARM
or SET AUDIT/AUDIT command causes
the corresponding reporting when BYPASS
privilege is used to obtain the specified type of access to files.
Tests for this element determine whether those audits
or alarms are enabled or not.
Default policy Enabling of BYPASS security alarms or audits is neither
prohibited nor required. Customizing Set limits TRUE
to establish a general prohibition of or requirement for the enabling
of BYPASS security auditing. Then establish exemptions
for any individual nodes which are not to be subjected to the general
rule.
selector
Limits for this element can take a
selector consisting of a VMS access type: READ, WRITE,
EXECUTE, DELETE or CONTROL. LOGICAL and PHYSICAL access to devices are
indicated by EXECUTE and DELETE respectively.
Thus, each limit can be set once for each possible
access type. If you do not specify a selector when
changing limits, your change applies to all access
types.
Limits
| Constraint |
Value |
Default |
|
ALPROHIBIT
|
FALSE or TRUE
|
FALSE
|
|
ALREQUIRE
|
FALSE or TRUE
|
FALSE
|
|
AUPROHIBIT
|
FALSE or TRUE
|
FALSE
|
|
AUREQUIRE
|
FALSE or TRUE
|
FALSE
|
Exemptions
| Constraint |
Value |
Parameters |
|
ALPROHIBIT
|
FALSE or TRUE
|
<node>
|
|
ALREQUIRE
|
FALSE or TRUE
|
<node>
|
|
AUPROHIBIT
|
FALSE or TRUE
|
<node>
|
|
AUREQUIRE
|
FALSE or TRUE
|
<node>
|
Practical considerations Use of the BYPASS or READALL privilege is
required for successful disk volume backups. Enabling these alarms
during the time period when full volume backups are done can cause a
large number of security alarms to be generated.
BYPASS audits on the other hand, provide a silent record of
the activities of privileged users. �