LJK/Security Reference Manual
CONNECT
Determine whether enabling of alarms or audits for connection events
through DECnet Phase IV, DECwindows, $IPC and SYSMAN conforms to policy.
Violation reports
| Constraint | Nature of the violation |
| --- | --- |
| ALPROHIBIT | Connection security alarms are enabled in violation of policy |
| ALREQUIRE | Connection security alarms are disabled in violation of policy |
| AUPROHIBIT | Connection security audits are enabled in violation of policy |
| AUREQUIRE | Connection security audits are disabled in violation of policy |
Description
Use of the qualifier /ENABLE=CONNECTION with the SET AUDIT/ALARM
or SET AUDIT/AUDIT command causes
the corresponding reporting when a connection takes place.
Default policy
Enabling of Connection security alarms and audits is neither prohibited
nor required.
Customizing
Set limits TRUE to establish a general prohibition of or requirement
for the enabling of Connection security alarms or audits. Then establish
exemptions for any individual nodes which are not to be subjected to
the general rule.
selector
Limits
| Constraint | Value | Default |
| --- | --- | --- |
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE, TRUE or TRY | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE, TRUE or TRY | FALSE |
Exemptions
| Constraint | Value | Parameters |
| --- | --- | --- |
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE, TRUE or TRY | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE, TRUE or TRY | <node> |
Practical considerations
Enabling this for alarms would be burdensome in most environments.
CSS
Determine whether enabling of alarms or audits for CSS events conforms
to policy.
Violation reports
| Constraint | Nature of the violation |
| --- | --- |
| ALPROHIBIT | CSS security alarms are enabled in violation of policy |
| ALREQUIRE | CSS security alarms are disabled in violation of policy |
| AUPROHIBIT | CSS security audits are enabled in violation of policy |
| AUREQUIRE | CSS security audits are disabled in violation of policy |
Description
As of V7.3 VMS does not provide a method to enable auditing or alarms
for these events.
Default policy
Enabling of CSS security alarms and audits is neither prohibited nor
required.
Customizing
Set limits TRUE to establish a general prohibition of or requirement
for the enabling of CSS security alarms or audits. Then establish
exemptions for any individual nodes which are not to be subjected to
the general rule.
selector
Limits
| Constraint | Value | Default |
| --- | --- | --- |
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE, TRUE or TRY | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE, TRUE or TRY | FALSE |
Exemptions
| Constraint | Value | Parameters |
| --- | --- | --- |
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE, TRUE or TRY | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE, TRUE or TRY | <node> |
Practical considerations
As of V7.3 VMS does not provide a method to enable auditing or alarms
for these events.
CUSTOMER
Determine whether enabling of alarms or audits for customer events
conforms to policy.
Violation reports
| Constraint | Nature of the violation |
| --- | --- |
| ALPROHIBIT | Customer security alarms are enabled in violation of policy |
| ALREQUIRE | Customer security alarms are disabled in violation of policy |
| AUPROHIBIT | Customer security audits are enabled in violation of policy |
| AUREQUIRE | Customer security audits are disabled in violation of policy |
Description
As of V7.3 VMS does not provide a method to enable auditing or alarms
for these events.
Default policy
Enabling of Customer security alarms and audits is neither prohibited
nor required.
Customizing
Set limits TRUE to establish a general prohibition of or requirement
for the enabling of Customer security alarms or audits. Then establish
exemptions for any individual nodes which are not to be subjected to
the general rule.
selector
Limits
| Constraint | Value | Default |
| --- | --- | --- |
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE, TRUE or TRY | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE, TRUE or TRY | FALSE |
Exemptions
| Constraint | Value | Parameters |
| --- | --- | --- |
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE, TRUE or TRY | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE, TRUE or TRY | <node> |
Practical considerations
As of V7.3 VMS does not provide a method to enable auditing or alarms
for these events.
DOWNGRADE
Determine whether auditing for events involving the use of DOWNGRADE
privilege conforms to policy.
Violation reports
| Constraint | Nature of the violation |
| --- | --- |
| ALPROHIBIT | DOWNGRADE security alarms are enabled in violation of policy |
| ALREQUIRE | DOWNGRADE security alarms are disabled in violation of policy |
| AUPROHIBIT | DOWNGRADE security audits are enabled in violation of policy |
| AUREQUIRE | DOWNGRADE security audits are disabled in violation of policy |
Description
Use of the qualifiers /CLASS=FILE and
/ENABLE=ACCESS=DOWNGRADE=(access,...) with the SET AUDIT/ALARM
or SET AUDIT/AUDIT command causes
the corresponding reporting when DOWNGRADE
privilege is used to obtain the specified type of access to files.
Tests for this element determine whether those audits
or alarms are enabled or not.
SEVMS required
The (AUDIT, DOWNGRADE, ALREQUIRE) and (AUDIT, DOWNGRADE, AUREQUIRE)
tests will never report an error on systems that do not have the
CLASS_PROT system parameter enabled.
When the CLASS_PROT system parameter is not enabled, audits and alarms
for use of the DOWNGRADE privilege cannot be enabled.
If the policy covering a number of systems is to require that the SEVMS
product be used, the test (VMS, CLASSPROT, REQUIRED) should be used.
Default policy
Enabling of DOWNGRADE security alarms or audits is neither prohibited
nor required.
Customizing
Set limits TRUE to establish a general prohibition of or requirement
for the enabling of DOWNGRADE security auditing. Then establish
exemptions for any individual nodes which are not to be subjected to
the general rule.
selector
Limits for this element can take a
selector consisting of a VMS access type: READ, WRITE,
EXECUTE, DELETE or CONTROL. LOGICAL and PHYSICAL access to devices are
indicated by EXECUTE and DELETE respectively.
Thus, each limit can be set once for each possible
access type. If you do not specify a selector when
changing limits, your change applies to all access
types.
Limits
| Constraint | Value | Default |
| --- | --- | --- |
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE or TRUE | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
| --- | --- | --- |
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE or TRUE | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE or TRUE | <node> |
Practical considerations
The DOWNGRADE privilege is only relevant to systems running Mandatory
Access Controls, as implemented with the SEVMS (Security Enhanced VMS)
software available from DEC.
DOWNGRADE audits and alarms may both be quite appropriate in
such environments since such activities are rare and worthy of note.
FAILCRASH
Determine whether specification of system crash when security alarms
cannot be generated conforms to policy.
Violation reports
| Constraint | Nature of the violation |
| --- | --- |
| PROHIBITED | Crash on failure is specified in violation of policy |
| REQUIRED | Crash on failure is not specified in violation of policy |
Description
Use of the qualifier /FAILURE_MODE=CRASH with the SET AUDIT command
causes the system to crash when security alarms cannot be written to
the OPCOM mailbox (only in VMS V5.4 through V5.5).
Default policy
Specification of CRASH as the failure mode is neither prohibited nor
required.
Customizing
Set limits TRUE to establish a general prohibition of or requirement
for system crash as the failure mode for security alarms. Then
establish exemptions for any individual nodes which are not to be
subjected to the general rule.
Set limit REQUIRED TRY to establish a requirement for
system crash as the failure mode only for those versions of VMS
(version 5.4 through 5.5) where such failure modes are supported.
selector
Limits
| Constraint | Value | Default |
| --- | --- | --- |
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE, TRUE or TRY | FALSE |
Exemptions
| Constraint | Value | Parameters |
| --- | --- | --- |
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE, TRUE or TRY | <node> |
Practical considerations
If individual users have sufficient disk quota
to exhaust disk space on the volume where OPCOM logs are written, they
can force a system crash if CRASH is the failure mode for security
alarms.
Likewise, if the amount of disk space available for writing OPCOM logs
is small, individual users could force a system crash by maliciously
generating a large number of security alarms.
These possibilities for malicious interference increase the importance
of ensuring that all usernames established on VMS systems are assigned
to known individual users, rather than being shared.
FAILIGNORE
Determine whether specification of no action when security alarms
cannot be generated conforms to policy.
Violation reports
| Constraint | Nature of the violation |
| --- | --- |
| PROHIBITED | No action on failure is specified in violation of policy |
| REQUIRED | No action on failure is not specified in violation of policy |
Description
Use of the qualifier /FAILURE_MODE=IGNORE with the SET AUDIT command
causes no action to be taken when security alarms cannot be written to
the OPCOM mailbox (only in VMS V5.4 through V5.5).
Default policy
Specification of IGNORE as the failure mode is neither prohibited nor
required.
Customizing
Set limits TRUE to establish a general prohibition of or requirement
for no action as the failure mode for security alarms. Then establish
exemptions for any individual nodes which are not to be subjected to
the general rule.
Set limit PROHIBITED TRY to establish a prohibition
against ignoring as the failure mode only for those versions of VMS
(version 5.4 through 5.5) where other failure modes are supported.
selector
Limits
| Constraint | Value | Default |
| --- | --- | --- |
| PROHIBITED | FALSE, TRUE or TRY | FALSE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
| --- | --- | --- |
| PROHIBITED | FALSE, TRUE or TRY | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
IGNORE provides the best continuity of service
in the event that disk space is exhausted on the volume where the OPCOM
logs are written.
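The interaction of limits, node exemptions and the TRY value described for FAILCRASH and FAILIGNORE can be modelled as follows. This Python model is an added example, not LJK/Security code; the node names, the policy layout and the rule that an exemption replaces the general limit for its node are assumptions.

```python
# Added illustration, not LJK/Security code. Assumptions: a node exemption
# replaces the general limit for that node; inputs below are constructed.
ALLOWED = {  # permitted values, from the Limits tables on this page
    ("FAILCRASH", "PROHIBITED"): {"FALSE", "TRUE"},
    ("FAILCRASH", "REQUIRED"): {"FALSE", "TRUE", "TRY"},
    ("FAILIGNORE", "PROHIBITED"): {"FALSE", "TRUE", "TRY"},
    ("FAILIGNORE", "REQUIRED"): {"FALSE", "TRUE"},
}
ELEMENTS = {"FAILCRASH": ("CRASH", "Crash on failure"),
            "FAILIGNORE": ("IGNORE", "No action on failure")}

def failure_modes_supported(version):
    """The page limits /FAILURE_MODE to VMS V5.4 through V5.5."""
    return (5, 4) <= tuple(version[:2]) <= (5, 5)

def in_force(value, version):
    """TRUE always binds; TRY binds only where failure modes exist."""
    return value == "TRUE" or (value == "TRY" and failure_modes_supported(version))

def check_node(node, version, failure_mode, policy):
    """Return the page's violation texts for one node.

    policy maps (element, constraint) -> (limit, {node: exemption value});
    failure_mode is "CRASH", "IGNORE" or None when the version has none.
    """
    reports = []
    for (element, constraint), (limit, exemptions) in sorted(policy.items()):
        value = exemptions.get(node, limit)
        if value not in ALLOWED[(element, constraint)]:
            raise ValueError(f"{value} not valid for {element} {constraint}")
        mode, label = ELEMENTS[element]
        specified = failure_mode == mode
        if not in_force(value, version):
            continue
        if constraint == "PROHIBITED" and specified:
            reports.append(f"{label} is specified in violation of policy")
        elif constraint == "REQUIRED" and not specified:
            reports.append(f"{label} is not specified in violation of policy")
    return reports

# Constructed policy: require CRASH where supported, exempt node GAMMA.
POLICY = {("FAILCRASH", "REQUIRED"): ("TRY", {"GAMMA": "FALSE"})}
# Constructed inventory: node -> (VMS version, current failure mode).
NODES = {"ALPHA": ((5, 5), "IGNORE"), "BETA": ((6, 2), None),
         "GAMMA": ((5, 4), "IGNORE"), "DELTA": ((5, 4), "CRASH")}

def audit(policy=POLICY, nodes=NODES):
    return {n: check_node(n, v, m, policy) for n, (v, m) in nodes.items()}

if __name__ == "__main__":
    for node, reports in audit().items():
        print(node, reports or "conforms")
```

In this model, REQUIRED TRUE would flag node BETA, which runs a version with no failure modes, while REQUIRED TRY leaves it alone.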
FAILURE
Determine whether auditing for access failure events conforms to policy.
Violation reports
| Constraint | Nature of the violation |
| --- | --- |
| ALPROHIBIT | FAILURE security alarms are enabled in violation of policy |
| ALREQUIRE | FAILURE security alarms are disabled in violation of policy |
| AUPROHIBIT | FAILURE security audits are enabled in violation of policy |
| AUREQUIRE | FAILURE security audits are disabled in violation of policy |
Description
Use of the qualifiers /CLASS=FILE and
/ENABLE=ACCESS=FAILURE=(access,...) with the SET AUDIT/ALARM
or SET AUDIT/AUDIT command causes
the corresponding reporting when
access attempts to files fail. Tests for this element
determine whether those audits or alarms are enabled or not.
Default policy
Enabling of FAILURE security alarms or audits is neither prohibited nor
required.
Customizing
Set limits TRUE to establish a general prohibition of or requirement
for the enabling of FAILURE security auditing. Then establish
exemptions for any individual nodes which are not to be subjected to
the general rule.
selector
Limits for this element can take a
selector consisting of a VMS access type: READ, WRITE,
EXECUTE, DELETE or CONTROL. LOGICAL and PHYSICAL access to devices are
indicated by EXECUTE and DELETE respectively.
Thus, each limit can be set once for each possible
access type. If you do not specify a selector when
changing limits, your change applies to all access
types.
Limits
| Constraint | Value | Default |
| --- | --- | --- |
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE or TRUE | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
| --- | --- | --- |
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE or TRUE | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE or TRUE | <node> |
Practical considerations
Enabling FAILURE security alarms and audits
will cause a certain number of false alarms due to typing errors and
similar mistakes. Making effective use of FAILURE security alarms and
audits requires a willingness to sort through the incidental errors
looking for those errors which represent a coordinated attack.
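The selector behaviour described for DOWNGRADE and FAILURE, together with the CLASS_PROT caveat for DOWNGRADE, modelled as an added Python example (not LJK/Security code). The Limits class, its method names and the sample inputs are assumptions.

```python
# Added illustration, not LJK/Security code; inputs are constructed.
ACCESS_TYPES = ("READ", "WRITE", "EXECUTE", "DELETE", "CONTROL")
DEVICE_ALIASES = {"LOGICAL": "EXECUTE", "PHYSICAL": "DELETE"}  # per the page
CONSTRAINTS = {  # constraint -> (report kind, state that violates it)
    "ALPROHIBIT": ("alarms", True), "ALREQUIRE": ("alarms", False),
    "AUPROHIBIT": ("audits", True), "AUREQUIRE": ("audits", False),
}

class Limits:
    """Per-access-type TRUE/FALSE limits for FAILURE or DOWNGRADE."""
    def __init__(self, element):
        self.element = element  # every limit defaults to FALSE, as on the page
        self.values = {c: dict.fromkeys(ACCESS_TYPES, False) for c in CONSTRAINTS}

    def set_limit(self, constraint, value, selector=None):
        """No selector: the change applies to all access types."""
        if selector is None:
            targets = ACCESS_TYPES
        else:
            name = selector.upper()
            targets = (DEVICE_ALIASES.get(name, name),)
            if targets[0] not in ACCESS_TYPES:
                raise ValueError(f"unknown access type {selector}")
        for access in targets:
            self.values[constraint][access] = bool(value)

    def check(self, enabled, class_prot=True):
        """enabled: {"alarms": set of access types, "audits": set ...}.
        Returns (access, message) pairs using the page's report wording."""
        found = []
        for constraint, (kind, bad_state) in CONSTRAINTS.items():
            # Page: DOWNGRADE *REQUIRE tests never report without CLASS_PROT.
            if (self.element == "DOWNGRADE" and not class_prot
                    and constraint.endswith("REQUIRE")):
                continue
            for access in ACCESS_TYPES:
                is_on = access in enabled.get(kind, set())
                if self.values[constraint][access] and is_on == bad_state:
                    state = "enabled" if bad_state else "disabled"
                    found.append((access, f"{self.element} security {kind} "
                                          f"are {state} in violation of policy"))
        return found

if __name__ == "__main__":
    limits = Limits("FAILURE")
    limits.set_limit("AUREQUIRE", True)            # all access types
    limits.set_limit("AUREQUIRE", False, "READ")   # then relax READ only
    print(limits.check({"audits": {"WRITE", "EXECUTE", "DELETE"}}))
```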