LJK/Security Reference Manual
LOG
Determine whether audit log settings conform to policy.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| FLUSH | Audit log flush interval exceeds policy maximum |
| RETENTION | Audit log retention is less than policy minimum |
| SPACEDAYS | Space available for audit log is less than required for planned number of days |
| SPACEWARN | Warning for low audit log space gives less than number of days specified in policy |
Description

The command SET AUDIT/INTERVAL=JOURNAL_FLUSH=time specifies how frequently the audit server will flush audit messages to the audit log. Local command procedures control how long older versions of audit logs are retained on the system. Local management practices determine how much space is available for audit logs. The command SET AUDIT/JOURNAL=SECURITY/THRESHOLD=WARNING=value specifies when the audit server will warn security operators about a lack of audit space, based either on a number of records or a percentage of disk space available. Tests for this element determine whether all those settings conform to policy.

Default policy: No particular audit log behavior is required.

Customizing: Set the limits for these constraints to require particular audit log behavior.
Limits

| Constraint | Value | Default |
|---|---|---|
| FLUSH | delta-time | +00:00:00.00 |
| RETENTION | number-of-days | 0 |
| SPACEDAYS | number-of-days | 0 |
| SPACEWARN | 0-100 | 100 |
Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| FLUSH | delta-time | <node> |
| RETENTION | number-of-days | <node> |
| SPACEDAYS | number-of-days | <node> |
| SPACEWARN | 0-100 | <node> |
Practical considerations: While the value in the command SET AUDIT/JOURNAL=SECURITY/THRESHOLD=WARNING=value is expressed in terms of a block count or a percentage of disk space, the limit and any exemptions for the SPACEDAYS constraint are expressed as the number of days' worth of audit records that can be accommodated in the available space, based on recent audit record generation rates and audit file retention policy. This approach is aimed at matching the terminology used by external requirements such as FISMA or DoD Instruction 8500.2.
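The following is an added example, not LJK/Security code, showing how the FLUSH, RETENTION and SPACEDAYS checks of this element can be expressed, and how a THRESHOLD=WARNING block count or percentage translates into the "days of audit records" terminology above. The state keys, function names, the "NN%" notation for a percentage threshold and the reading of a zero limit as "no requirement" are assumptions; the SPACEWARN comparison is omitted because the page does not define how its 0-100 limit maps onto days.

```python
import re

# Limits for the LOG element, keyed by constraint name. A zero limit (the
# manual's defaults for FLUSH, RETENTION and SPACEDAYS) is treated here as
# "no particular behavior required"; that reading is an assumption.
DEFAULT_LIMITS = {"FLUSH": "+00:00:00.00", "RETENTION": 0, "SPACEDAYS": 0}

def delta_time_seconds(text):
    """Parse a VMS delta time such as '+00:05:00.00' or '+3 00:00:00.00'."""
    m = re.fullmatch(r"\+?(?:(\d+)\s+)?(\d+):(\d+):(\d+(?:\.\d+)?)", text.strip())
    if not m:
        raise ValueError(f"bad delta time: {text!r}")
    days, hours, minutes, seconds = m.groups()
    return int(days or 0) * 86400 + int(hours) * 3600 + int(minutes) * 60 + float(seconds)

def warning_days(threshold, total_blocks, blocks_per_day):
    """Days of notice a THRESHOLD=WARNING value gives, whether it is a block
    count ('50000') or a percentage of the device ('5%', assumed notation)."""
    if threshold.endswith("%"):
        blocks = total_blocks * float(threshold[:-1]) / 100.0
    else:
        blocks = float(threshold)
    return blocks / blocks_per_day

def check_log_policy(state, limits=DEFAULT_LIMITS):
    """Return the names of the LOG constraints that `state` violates."""
    violations = []
    flush_limit = delta_time_seconds(limits["FLUSH"])
    if flush_limit > 0 and delta_time_seconds(state["flush_interval"]) > flush_limit:
        violations.append("FLUSH")
    if state["retention_days"] < limits["RETENTION"]:
        violations.append("RETENTION")
    # SPACEDAYS: free space expressed as days of records at the recent rate.
    if state["free_blocks"] / state["blocks_per_day"] < limits["SPACEDAYS"]:
        violations.append("SPACEDAYS")
    return violations

# Constructed sample state for one node (not real measurements).
SAMPLE_NODE = {
    "flush_interval": "+00:05:00.00",  # SET AUDIT/INTERVAL=JOURNAL_FLUSH
    "retention_days": 30,              # how long local procedures keep old logs
    "free_blocks": 200_000,
    "total_blocks": 1_000_000,
    "blocks_per_day": 10_000,          # recent audit record generation rate
    "warning_threshold": "5%",         # SET AUDIT/JOURNAL=SECURITY/THRESHOLD=WARNING
}
SITE_LIMITS = {"FLUSH": "+00:01:00.00", "RETENTION": 90, "SPACEDAYS": 30}
```

With the constructed state above, `check_log_policy(SAMPLE_NODE, SITE_LIMITS)` reports all three constraints, while the manual's defaults report none.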
LOGFAIL
Determine whether auditing for failed login attempts conforms to policy.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| ALPROHIBIT | Logfail security alarms are enabled in violation of policy |
| ALREQUIRE | Logfail security alarms are disabled in violation of policy |
| AUPROHIBIT | Logfail security audits are enabled in violation of policy |
| AUREQUIRE | Logfail security audits are disabled in violation of policy |
Description

Use of the qualifier /ENABLE=LOGFAIL=(keyword,...) with the SET AUDIT/ALARM or SET AUDIT/AUDIT command causes the corresponding reporting when a failed login attempt is detected. Tests for this element determine whether those audits or alarms are enabled or not.

Default policy: Enabling of Logfail security alarms and audits is neither prohibited nor required.

Customizing: Set limits TRUE to establish a general prohibition of or requirement for the enabling of failed login attempt security alarms or audits. Then establish exemptions for any individual nodes which are not to be subjected to the general requirement.

selector: Limits for this element can take a selector consisting of a VMS process type: BATCH, DIALUP, LOCAL, REMOTE, NETWORK, SUBPROCESS or DETACHED. Thus, each limit can be set once for each possible process type. If you do not specify a selector when changing limits, your change applies to all process types.
Limits

| Constraint | Value | Default |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE or TRUE | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE or TRUE | FALSE |
Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE or TRUE | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE or TRUE | <node> |
Practical considerations: For most sites, security alarms in the case of failed login attempts are not appropriate, since they will be triggered by any password typing error. Repeated login failures which are part of a concerted attack are generally reported via the breakin attempt security alarm. Failed login security alarms are appropriate for high-security situations where avoiding investigation of false alarms is less important than catching sophisticated attackers who will wait sufficiently long after each attempt to avoid triggering the breakin detection threshold. Failed login audits are appropriate in most environments, allowing investigation after an incident.
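As an added example (not LJK/Security code), the following models the limit, selector and exemption scheme this element shares with the LOGIN and LOGOUT elements: each of the four constraints holds one value per process type, a limit set without a selector applies to every process type, and a per-node exemption overrides the limit for that node. The class and function names, the site policy and the audit state of the two nodes are constructed for illustration.

```python
# Process types usable as a limit selector, and the four constraints of the
# LOGFAIL, LOGIN and LOGOUT elements. Class and function names are assumed;
# this is not LJK/Security code.
PROCESS_TYPES = ("BATCH", "DIALUP", "LOCAL", "REMOTE", "NETWORK", "SUBPROCESS", "DETACHED")
CONSTRAINTS = ("ALPROHIBIT", "ALREQUIRE", "AUPROHIBIT", "AUREQUIRE")

class ElementPolicy:
    """Limits per constraint and process type, plus per-node exemptions."""

    def __init__(self):
        self.limits = {c: {p: False for p in PROCESS_TYPES} for c in CONSTRAINTS}
        self.exemptions = {}  # (constraint, node, process_type) -> value

    def set_limit(self, constraint, value, selector=None):
        # No selector: the change applies to every process type.
        for p in ([selector] if selector else PROCESS_TYPES):
            self.limits[constraint][p] = value

    def exempt(self, node, constraint, value, selector=None):
        for p in ([selector] if selector else PROCESS_TYPES):
            self.exemptions[(constraint, node, p)] = value

    def effective(self, constraint, node, ptype):
        return self.exemptions.get((constraint, node, ptype), self.limits[constraint][ptype])

def check_element(policy, node, alarms_enabled, audits_enabled):
    """Violation reports (constraint, process type) for one node, given the
    keywords enabled with SET AUDIT/ALARM and SET AUDIT/AUDIT."""
    reports = []
    for p in PROCESS_TYPES:
        for kind, enabled in (("AL", p in alarms_enabled), ("AU", p in audits_enabled)):
            if enabled and policy.effective(kind + "PROHIBIT", node, p):
                reports.append((kind + "PROHIBIT", p))
            if not enabled and policy.effective(kind + "REQUIRE", node, p):
                reports.append((kind + "REQUIRE", p))
    return reports

# Constructed site policy: audits required for every process type, alarms
# prohibited for interactive logins except on the node named VAULT.
SITE = ElementPolicy()
SITE.set_limit("AUREQUIRE", True)
SITE.set_limit("ALPROHIBIT", True, selector="LOCAL")
SITE.set_limit("ALPROHIBIT", True, selector="DIALUP")
SITE.exempt("VAULT", "ALPROHIBIT", False)

# Constructed audit state of two nodes.
DEV_ALARMS, DEV_AUDITS = {"LOCAL"}, set(PROCESS_TYPES) - {"NETWORK"}
VAULT_ALARMS, VAULT_AUDITS = {"LOCAL", "DIALUP"}, set(PROCESS_TYPES)
```

`check_element(SITE, "DEV", DEV_ALARMS, DEV_AUDITS)` yields an ALPROHIBIT report for LOCAL and an AUREQUIRE report for NETWORK, while the exempted VAULT node yields none.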
LOGIN
Determine whether auditing for successful logins conforms to policy.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| ALPROHIBIT | Login security alarms are enabled in violation of policy |
| ALREQUIRE | Login security alarms are disabled in violation of policy |
| AUPROHIBIT | Login security audits are enabled in violation of policy |
| AUREQUIRE | Login security audits are disabled in violation of policy |
Description

Use of the qualifier /ENABLE=LOGIN=(keyword,...) with the SET AUDIT/ALARM or SET AUDIT/AUDIT command causes the corresponding reporting when a successful login is accomplished. Tests for this element determine whether those audits or alarms are enabled or not.

Default policy: Enabling of LOGIN security alarms is neither prohibited nor required. Enabling of LOGIN security audits is not required.

Customizing: Set limits TRUE to establish a general prohibition of or requirement for the enabling of login security auditing. Then establish exemptions for any individual nodes which are not to be subjected to the general requirement.

selector: Limits for this element can take a selector consisting of a VMS process type: BATCH, DIALUP, LOCAL, REMOTE, NETWORK, SUBPROCESS or DETACHED. Thus, each limit can be set once for each possible process type. If you do not specify a selector when changing limits, your change applies to all process types.
Limits

| Constraint | Value | Default |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE or TRUE | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE or TRUE | FALSE |
Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE or TRUE | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE or TRUE | <node> |
Practical considerations: Login security alarms are used in high-security environments where it is essential that a record be kept of all logins. In order to guard against the scenario of someone logging into a privileged account and then destroying the record of that login, it is essential that security alarms be sent to a non-erasable medium. Console paper is easiest for most sites, but requires human search of the output. Write-Once-Read-Many disks allow for computer-assisted search, but up through VMS V7.3 are not directly supported for this purpose by the VMS security auditing software.
LOGOUT
Determine whether auditing for logouts conforms to policy.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| ALPROHIBIT | Logout security alarms are enabled in violation of policy |
| ALREQUIRE | Logout security alarms are disabled in violation of policy |
| AUPROHIBIT | Logout security audits are enabled in violation of policy |
| AUREQUIRE | Logout security audits are disabled in violation of policy |
Description

Use of the qualifier /ENABLE=LOGOUT=(keyword,...) with the SET AUDIT/ALARM or SET AUDIT/AUDIT command causes the corresponding reporting when a logout is detected. Tests for this element determine whether those audits or alarms are enabled or not.

Default policy: Enabling of LOGOUT security alarms is neither prohibited nor required. Enabling of LOGOUT security audits is not required.

Customizing: Set limits TRUE to establish a general prohibition of or requirement for the enabling of logout security auditing. Then establish exemptions for any individual nodes which are not to be subjected to the general requirement.

selector: Limits for this element can take a selector consisting of a VMS process type: BATCH, DIALUP, LOCAL, REMOTE, NETWORK, SUBPROCESS or DETACHED. Thus, each limit can be set once for each possible process type. If you do not specify a selector when changing limits, your change applies to all process types.
Limits

| Constraint | Value | Default |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE or TRUE | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE or TRUE | FALSE |
Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE or TRUE | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE or TRUE | <node> |
Practical considerations: Sites which have enabled auditing of successful logins will generally want to enable auditing of logouts as well, to establish a window of activity.
LP
Determine whether enabling of alarms or audits for layered products conforms to policy.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| ALPROHIBIT | Layered Product security alarms are enabled in violation of policy |
| ALREQUIRE | Layered Product security alarms are disabled in violation of policy |
| AUPROHIBIT | Layered Product security audits are enabled in violation of policy |
| AUREQUIRE | Layered Product security audits are disabled in violation of policy |
Description

As of V7.3 VMS does not provide a method to enable auditing or alarms for these events.

Default policy: Enabling of Layered Product security alarms and audits is neither prohibited nor required.

Customizing: Set limits TRUE to establish a general prohibition of or requirement for the enabling of Layered Product security alarms or audits. Then establish exemptions for any individual nodes which are not to be subjected to the general rule.

Limits
| Constraint | Value | Default |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE, TRUE or TRY | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE, TRUE or TRY | FALSE |
Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE, TRUE or TRY | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE, TRUE or TRY | <node> |
Practical considerations: As of V7.3 VMS does not provide a method to enable auditing or alarms for these events.
MOUNT
Determine whether auditing for issuance of MOUNT or DISMOUNT requests
conforms to policy.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| ALPROHIBIT | MOUNT security alarms are enabled in violation of policy |
| ALREQUIRE | MOUNT security alarms are disabled in violation of policy |
| AUPROHIBIT | MOUNT security audits are enabled in violation of policy |
| AUREQUIRE | MOUNT security audits are disabled in violation of policy |
Description

Use of the qualifier /ENABLE=MOUNT with the SET AUDIT/ALARM or SET AUDIT/AUDIT command causes the corresponding reporting when mount or dismount requests are issued.

Default policy: Enabling of MOUNT security alarms and audits is neither prohibited nor required.

Customizing: Set limits TRUE to establish a general prohibition of or requirement for the enabling of MOUNT security auditing. Then establish exemptions for any individual nodes which are not to be subjected to the general rule.

Limits
| Constraint | Value | Default |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE or TRUE | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE, TRUE or TRY | FALSE |
Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE or TRUE | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE, TRUE or TRY | <node> |
Practical considerations: Some sites choose to disable MOUNT security alarms during system startup and system shutdown. Such actions will not be detected by LJK/Security if they are done outside the period when LJK/Security is running. Note that LJK/Security may issue MOUNT requests in the course of its own operations, causing additional alarms.
NCP
Determine whether enabling of alarms or audits for NCP events conforms to policy.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| ALPROHIBIT | NCP security alarms are enabled in violation of policy |
| ALREQUIRE | NCP security alarms are disabled in violation of policy |
| AUPROHIBIT | NCP security audits are enabled in violation of policy |
| AUREQUIRE | NCP security audits are disabled in violation of policy |
Description

Use of the qualifier /ENABLE=NCP with the SET AUDIT/ALARM or SET AUDIT/AUDIT command causes the corresponding reporting when an NCP change takes place.

Default policy: Enabling of NCP security alarms and audits is neither prohibited nor required.

Customizing: Set limits TRUE to establish a general prohibition of or requirement for the enabling of security alarms or audits on access to the network configuration database using the NCP utility. Then establish exemptions for any individual nodes which are not to be subjected to the general rule.

Limits
| Constraint | Value | Default |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE, TRUE or TRY | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE, TRUE or TRY | FALSE |
Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE, TRUE or TRY | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE, TRUE or TRY | <node> |
Practical considerations: Such access can represent a significant change to system configuration, and audits or alarms are appropriate in most settings where security is taken seriously. If DECnet Phase IV is not in use, it might be worthwhile to detect if anyone enables it.