LJK/Security Reference Manual
FAILWAIT
Determine whether specification of WAIT when security alarms cannot be
generated conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | WAIT on failure is specified in violation of policy |
| REQUIRED | WAIT on failure is not specified in violation of policy |
Description
Use of the qualifier /FAILURE_MODE=WAIT with the SET AUDIT command
causes the system to wait for resources when security event information
cannot be written to the OPCOM mailbox (only in VMS V5.4 through V5.5).
Default policy
Specification of WAIT as the failure mode is neither prohibited nor
required.
Customizing
Set limits TRUE to establish a general prohibition of or requirement
for WAIT as the failure mode for security alarms. Then establish
exemptions for any individual nodes which are not to be subjected to
the general rule.
Set limit REQUIRED TRY to establish a requirement for WAIT as the
failure mode only for those versions of VMS (version 5.4 through 5.5)
where such failure modes are supported.
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE, TRUE or TRY | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE, TRUE or TRY | <node> |
Practical considerations
If individual users have sufficient disk quota
to exhaust disk space on the volume where OPCOM logs are written, they
can force others into MWAIT if WAIT is the failure mode for security
alarms.
Likewise, if the amount of disk space available for writing OPCOM logs
is small, individual users could force a WAIT by maliciously generating
a large number of security alarms.
These possibilities for malicious interference increase the importance
of ensuring that all usernames established on VMS systems are assigned
to known individual users, rather than being shared.
FINCRASH
Determine whether specification of an Audit Server final action of
crashing the system when it runs out of buffer space conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | CRASH action is specified in violation of policy |
| REQUIRED | CRASH action is not specified in violation of policy |
Description
Use of the value FINAL_ACTION=CRASH with the SET AUDIT/SERVER= command
causes the system to crash when the Audit Server runs out of buffer
space.
Default policy
Specification of CRASH as the final action is neither prohibited nor
required.
Customizing
Set limits TRUE to establish a general prohibition of or requirement
for CRASH as the final action for the Audit Server. Then establish
exemptions for any individual nodes which are not to be subjected to
the general rule.
Set limit REQUIRED TRY to establish a requirement for CRASH as the
final action only for those versions of VMS (version 6.0 and above)
where such final actions are supported.
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE, TRUE or TRY | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE, TRUE or TRY | <node> |
Practical considerations
Specifying CRASH as the final action for the
Audit Server is only appropriate where the need for auditing is more
crucial than the need for continuity of service.
FINIGNORE
Determine whether specification of an Audit Server final action of
ignoring new events when it runs out of buffer space conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | IGNORE_NEW action is specified in violation of policy |
| REQUIRED | IGNORE_NEW action is not specified in violation of policy |
Description
Use of the value FINAL_ACTION=IGNORE_NEW with the SET AUDIT/SERVER=
command causes the Audit Server to ignore new events when it runs out
of buffer space.
Default policy
Specification of IGNORE_NEW as the final action is neither prohibited
nor required.
Customizing
Set limits TRUE to establish a general prohibition of or requirement
for IGNORE_NEW as the final action for the Audit Server. Then establish
exemptions for any individual nodes which are not to be subjected to
the general rule.
Set limit REQUIRED TRY to establish a requirement for IGNORE_NEW as the
final action only for those versions of VMS (version 6.0 and above)
where such final actions are supported.
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE, TRUE or TRY | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE, TRUE or TRY | <node> |
Practical considerations
If a particular factor caused the overflow of
audit events, some initial events from that factor will probably
already be processed, so all knowledge of a repeating event will not be
lost if IGNORE_NEW is specified as the final action for the Audit
Server.
FINPURGE
Determine whether specification of an Audit Server final action of
purging old events when it runs out of buffer space conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | PURGE_OLD action is specified in violation of policy |
| REQUIRED | PURGE_OLD action is not specified in violation of policy |
Description
Use of the value FINAL_ACTION=PURGE_OLD with the SET AUDIT/SERVER=
command causes the Audit Server to purge old events when it runs out of
buffer space.
Default policy
Specification of PURGE_OLD as the final action is neither prohibited
nor required.
Customizing
Set limits TRUE to establish a general prohibition of or requirement
for PURGE_OLD as the final action for the Audit Server. Then establish
exemptions for any individual nodes which are not to be subjected to
the general rule.
Set limit REQUIRED TRY to establish a requirement for PURGE_OLD as the
final action only for those versions of VMS (version 6.0 and above)
where such final actions are supported.
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE, TRUE or TRY | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE, TRUE or TRY | <node> |
Practical considerations
PURGE_OLD is the default Audit Server final
action as VMS ships.
FINRESTART
Determine whether specification of an Audit Server final action of
restarting the Audit Server when it runs out of buffer space conforms
to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | RESTART action is specified in violation of policy |
| REQUIRED | RESTART action is not specified in violation of policy |
Description
Use of the value FINAL_ACTION=RESTART with the SET AUDIT/SERVER= command
causes the Audit Server to restart when it runs out of buffer space.
Default policy
Specification of RESTART as the final action is neither prohibited nor
required.
Customizing
Set limits TRUE to establish a general prohibition of or requirement
for RESTART as the final action for the Audit Server. Then establish
exemptions for any individual nodes which are not to be subjected to
the general rule.
Set limit REQUIRED TRY to establish a requirement for RESTART as the
final action only for those versions of VMS (version 6.0 and above)
where such final actions are supported.
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE, TRUE or TRY | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE, TRUE or TRY | <node> |
Practical considerations
The RESTART action is not recommended in the
VMS Documentation.
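The way a general limit, the TRY value and per-node exemptions combine for FAILWAIT and the FINCRASH, FINIGNORE, FINPURGE and FINRESTART elements above can be modelled as follows. This is an added Python example, not LJK/Security code; the function names, the node names, the rule that an exemption replaces the general limit on its node, and the enforcement of REQUIRED TRUE on unsupported versions are assumptions.

```python
# Added example, not LJK/Security code. Function and node names are hypothetical.
# Versions are (major, minor) tuples; ranges come from the element descriptions.
SUPPORTED = {
    "FAILWAIT": lambda v: (5, 4) <= v <= (5, 5),   # /FAILURE_MODE=WAIT
    "FINCRASH": lambda v: v >= (6, 0),             # FINAL_ACTION=CRASH
    "FINIGNORE": lambda v: v >= (6, 0),            # FINAL_ACTION=IGNORE_NEW
    "FINPURGE": lambda v: v >= (6, 0),             # FINAL_ACTION=PURGE_OLD
    "FINRESTART": lambda v: v >= (6, 0),           # FINAL_ACTION=RESTART
}
# Wording of the violation reports listed for each element.
LABEL = {
    "FAILWAIT": "WAIT on failure", "FINCRASH": "CRASH action",
    "FINIGNORE": "IGNORE_NEW action", "FINPURGE": "PURGE_OLD action",
    "FINRESTART": "RESTART action",
}

def effective(limits, exemptions, node):
    """Assumption: an exemption for a node replaces the general limit there."""
    return {c: exemptions.get((c, node), limits.get(c, "FALSE"))
            for c in ("PROHIBITED", "REQUIRED")}

def assess(element, node, version, specified, limits, exemptions=None):
    """Return the violation report text for one node, or None if it conforms."""
    eff = effective(limits, exemptions or {}, node)
    # TRY requires the setting only where the VMS version supports it.
    # Assumption: REQUIRED TRUE is enforced on every version, supported or not.
    required = eff["REQUIRED"] == "TRUE" or (
        eff["REQUIRED"] == "TRY" and SUPPORTED[element](version))
    if eff["PROHIBITED"] == "TRUE" and specified:
        return f"{LABEL[element]} is specified in violation of policy"
    if required and not specified:
        return f"{LABEL[element]} is not specified in violation of policy"
    return None

def assess_fleet(element, fleet, limits, exemptions=None):
    """fleet maps node -> (version, specified); returns {node: report} for violators."""
    out = {}
    for node, (version, specified) in fleet.items():
        report = assess(element, node, version, specified, limits, exemptions)
        if report:
            out[node] = report
    return out

# Constructed sample fleet: neither node currently has the setting specified.
FLEET = {"OLDVAX": ((5, 5), False), "NEWVAX": ((6, 1), False)}

if __name__ == "__main__":
    print(assess_fleet("FAILWAIT", FLEET, {"REQUIRED": "TRY"}))
    print(assess_fleet("FAILWAIT", FLEET, {"REQUIRED": "TRUE"}))
```

With REQUIRED set to TRY only the V5.5 node is reported for FAILWAIT, while under this model REQUIRED TRUE also reports the V6.1 node, where WAIT cannot be specified at all.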
GRPPRV
Determine whether auditing for events involving the use of GRPPRV
privilege conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ALPROHIBIT | GRPPRV security alarms are enabled in violation of policy |
| ALREQUIRE | GRPPRV security alarms are disabled in violation of policy |
| AUPROHIBIT | GRPPRV security audits are enabled in violation of policy |
| AUREQUIRE | GRPPRV security audits are disabled in violation of policy |
Description
Use of the qualifiers /CLASS=FILE and /ENABLE=ACCESS=GRPPRV=(access,...)
with the SET AUDIT/ALARM or SET AUDIT/AUDIT command causes the
corresponding reporting when GRPPRV privilege is used to obtain the
specified type of access to files. Tests for this element determine
whether those audits or alarms are enabled or not.
Default policy
Enabling of GRPPRV security alarms or audits is neither prohibited nor
required.
Customizing
Set limits TRUE to establish a general prohibition of or requirement
for the enabling of GRPPRV security auditing. Then establish exemptions
for any individual nodes which are not to be subjected to the general
rule.
selector
Limits for this element can take a selector consisting of a VMS access
type: READ, WRITE, EXECUTE, DELETE or CONTROL. LOGICAL and PHYSICAL
access to devices are indicated by EXECUTE and DELETE respectively.
Thus, each limit can be set once for each possible access type. If you
do not specify a selector when changing limits, your change applies to
all access types.
Limits
| Constraint | Value | Default |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE or TRUE | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE or TRUE | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE or TRUE | <node> |
Practical considerations
Before enabling GRPPRV alarms, it is wise to consult with those holding
the privilege to determine its frequency of use. Although proper
operations should be based on regular protection mechanisms for
day-to-day use, some users may have developed a habit of using GRPPRV
for normal production purposes. GRPPRV audits, on the other hand,
provide a silent record of the activities of privileged users.
IDENT
Determine whether enabling of alarms or audits for use of identifier as
privilege event conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ALPROHIBIT | Identifier security alarms are enabled in violation of policy |
| ALREQUIRE | Identifier security alarms are disabled in violation of policy |
| AUPROHIBIT | Identifier security audits are enabled in violation of policy |
| AUREQUIRE | Identifier security audits are disabled in violation of policy |
Description
Use of the qualifier /ENABLE=IDENTIFIER with the SET AUDIT/ALARM or
SET AUDIT/AUDIT command causes the corresponding reporting when an
identifier is used as privilege in a call to the $CHECK_PRIVILEGE
system service (available in VMS V6.0 and above only).
Default policy
Enabling of Identifier security alarms and audits is neither prohibited
nor required.
Customizing
Set limits TRUE to establish a general prohibition of or requirement
for the enabling of Identifier security alarms or audits. Then
establish exemptions for any individual nodes which are not to be
subjected to the general rule.
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE, TRUE or TRY | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE, TRUE or TRY | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE, TRUE or TRY | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE, TRUE or TRY | <node> |
Practical considerations
Identifiers are used as privilege, for
instance, in DECnet Plus and in LJK/Security itself.
INSTALL
Determine whether auditing for INSTALL operations conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ALPROHIBIT | INSTALL security alarms are enabled in violation of policy |
| ALREQUIRE | INSTALL security alarms are disabled in violation of policy |
| AUPROHIBIT | INSTALL security audits are enabled in violation of policy |
| AUREQUIRE | INSTALL security audits are disabled in violation of policy |
Description
Use of the qualifier /ENABLE=INSTALL with the SET AUDIT/ALARM or
SET AUDIT/AUDIT command causes the corresponding reporting when the
INSTALL utility is used.
Default policy
Enabling of INSTALL security alarms and audits is neither prohibited
nor required.
Customizing
Set limits TRUE to establish a general prohibition of or requirement
for the enabling of INSTALL security auditing. Then establish
exemptions for any individual nodes which are not to be subjected to
the general rule.
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE or TRUE | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE, TRUE or TRY | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE or TRUE | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE, TRUE or TRY | <node> |
Practical considerations
A large number of INSTALL operations are
performed as part of system startup and system shutdown. Some sites
choose to disable Install security alarms during startup and shutdown.
That is still consistent with an LJK/Security policy requiring that
Install security alarms be enabled so long as the startup of
LJK/Security during system startup is done after all other uses of the
Install utility. Enabling Install security alarms immediately after
starting LJK/Security will typically be sufficiently quick that any
pending assessment will not yet have tested the Install security alarm
setting.