LJK/Security Reference Manual


PSBCREATE

Determine whether enabling of alarms or audits for persona creation conforms to policy.

Violation reports

Constraint   Nature of the violation
ALPROHIBIT   Persona creation security alarms are enabled in violation of policy
ALREQUIRE    Persona creation security alarms are disabled in violation of policy
AUPROHIBIT   Persona creation security audits are enabled in violation of policy
AUREQUIRE    Persona creation security audits are disabled in violation of policy

Description

Use of the qualifier /ENABLE=PERSONA=CREATE with the SET AUDIT/ALARM or SET AUDIT/AUDIT command causes the corresponding reporting when a persona is created.
Default policy

Enabling of Persona creation security alarms and audits is neither prohibited nor required.

Customizing

Set limits TRUE to establish a general prohibition of or requirement for the enabling of Persona creation security alarms or audits. Then establish exemptions for any individual nodes which are not to be subjected to the general rule.

Limits

Constraint   Value               Default
ALPROHIBIT   FALSE or TRUE       FALSE
ALREQUIRE    FALSE, TRUE or TRY  FALSE
AUPROHIBIT   FALSE or TRUE       FALSE
AUREQUIRE    FALSE, TRUE or TRY  FALSE

Exemptions

Constraint   Value               Parameters
ALPROHIBIT   FALSE or TRUE       <node>
ALREQUIRE    FALSE, TRUE or TRY  <node>
AUPROHIBIT   FALSE or TRUE       <node>
AUREQUIRE    FALSE, TRUE or TRY  <node>

Practical considerations

Concern about this event is typically only for specialized environments or for troubleshooting.

PSBDELETE

Determine whether enabling of alarms or audits for persona deletion conforms to policy.

Violation reports

Constraint   Nature of the violation
ALPROHIBIT   Persona deletion security alarms are enabled in violation of policy
ALREQUIRE    Persona deletion security alarms are disabled in violation of policy
AUPROHIBIT   Persona deletion security audits are enabled in violation of policy
AUREQUIRE    Persona deletion security audits are disabled in violation of policy

Description

Use of the qualifier /ENABLE=PERSONA=DELETE with the SET AUDIT/ALARM or SET AUDIT/AUDIT command causes the corresponding reporting when a persona is deleted.
Default policy

Enabling of Persona deletion security alarms and audits is neither prohibited nor required.

Customizing

Set limits TRUE to establish a general prohibition of or requirement for the enabling of Persona deletion security alarms or audits. Then establish exemptions for any individual nodes which are not to be subjected to the general rule.

Limits

Constraint   Value               Default
ALPROHIBIT   FALSE or TRUE       FALSE
ALREQUIRE    FALSE, TRUE or TRY  FALSE
AUPROHIBIT   FALSE or TRUE       FALSE
AUREQUIRE    FALSE, TRUE or TRY  FALSE

Exemptions

Constraint   Value               Parameters
ALPROHIBIT   FALSE or TRUE       <node>
ALREQUIRE    FALSE, TRUE or TRY  <node>
AUPROHIBIT   FALSE or TRUE       <node>
AUREQUIRE    FALSE, TRUE or TRY  <node>

Practical considerations

Concern about this event is typically only for specialized environments or for troubleshooting.

PSBMODIFY

Determine whether enabling of alarms or audits for persona modification conforms to policy.

Violation reports

Constraint   Nature of the violation
ALPROHIBIT   Persona modification security alarms are enabled in violation of policy
ALREQUIRE    Persona modification security alarms are disabled in violation of policy
AUPROHIBIT   Persona modification security audits are enabled in violation of policy
AUREQUIRE    Persona modification security audits are disabled in violation of policy

Description

Use of the qualifier /ENABLE=PERSONA=MODIFY with the SET AUDIT/ALARM or SET AUDIT/AUDIT command causes the corresponding reporting when a persona is modified.
Default policy

Enabling of Persona modification security alarms and audits is neither prohibited nor required.

Customizing

Set limits TRUE to establish a general prohibition of or requirement for the enabling of Persona modification security alarms or audits. Then establish exemptions for any individual nodes which are not to be subjected to the general rule.

Limits

Constraint   Value               Default
ALPROHIBIT   FALSE or TRUE       FALSE
ALREQUIRE    FALSE, TRUE or TRY  FALSE
AUPROHIBIT   FALSE or TRUE       FALSE
AUREQUIRE    FALSE, TRUE or TRY  FALSE

Exemptions

Constraint   Value               Parameters
ALPROHIBIT   FALSE or TRUE       <node>
ALREQUIRE    FALSE, TRUE or TRY  <node>
AUPROHIBIT   FALSE or TRUE       <node>
AUREQUIRE    FALSE, TRUE or TRY  <node>

Practical considerations

Concern about this event is typically only for specialized environments or for troubleshooting.

READALL

Determine whether auditing for events involving the use of READALL privilege conforms to policy.

Violation reports

Constraint   Nature of the violation
ALPROHIBIT   READALL security alarms are enabled in violation of policy
ALREQUIRE    READALL security alarms are disabled in violation of policy
AUPROHIBIT   READALL security audits are enabled in violation of policy
AUREQUIRE    READALL security audits are disabled in violation of policy

Description

Use of the qualifiers /CLASS=FILE and /ENABLE=ACCESS=READALL=(access,...) with the SET AUDIT/ALARM or SET AUDIT/AUDIT command causes the corresponding reporting when READALL privilege is used to obtain the specified type of access to files. Tests for this element determine whether those alarms are enabled or not.

Default policy

Enabling of READALL security alarms and audits is neither prohibited nor required.

Customizing

Set limits TRUE to establish a general prohibition of or requirement for the enabling of READALL security auditing. Then establish exemptions for any individual nodes which are not to be subjected to the general rule.

Selector

Limits for this element can take a selector consisting of a VMS access type: READ, WRITE, EXECUTE, DELETE or CONTROL. LOGICAL and PHYSICAL access to devices are indicated by EXECUTE and DELETE respectively.

Thus, each limit can be set once for each possible access type. If you do not specify a selector when changing limits, your change applies to all access types.

Limits

Constraint   Value          Default
ALPROHIBIT   FALSE or TRUE  FALSE
ALREQUIRE    FALSE or TRUE  FALSE
AUPROHIBIT   FALSE or TRUE  FALSE
AUREQUIRE    FALSE or TRUE  FALSE

Exemptions

Constraint   Value          Parameters
ALPROHIBIT   FALSE or TRUE  <node>
ALREQUIRE    FALSE or TRUE  <node>
AUPROHIBIT   FALSE or TRUE  <node>
AUREQUIRE    FALSE or TRUE  <node>

Practical considerations

Use of the BYPASS or READALL privilege is required for successful disk volume backups. Enabling these alarms during the time period when full volume backups are done can cause a large number of security alarms to be generated.

READALL audits, on the other hand, provide a silent record of the activities of privileged users.


SERVER

Determine whether audit processing state conforms to policy.

Violation reports

Constraint   Nature of the violation
LOSTALARM    Maximum number of lost alarm messages permitted
PROHIBITED   Audit processing is started in violation of policy
REQUIRED     Audit processing is stopped in violation of policy

Description

Effective with VMS V5.2, audit processing must be started separately from the OPCOM process. The PROHIBITED and REQUIRED tests determine whether audit processing is started.

Since audit processing need not be separately started prior to VMS V5.2, violations of these tests are never reported for such earlier versions of VMS.

The LOSTALARM test determines whether any audit messages have been lost only for limited versions of VMS (version 5.2 through 5.5) where that is possible. For all other versions of VMS, the count of lost messages is always zero.

Default policy

Audit processing must be started, and no lost alarms are permitted.

Customizing

Add an exemption to the REQUIRED test for any node which you wish to exempt from requirements to run the audit server.
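The version gating described above (the PROHIBITED and REQUIRED tests only from VMS V5.2, the LOSTALARM count only meaningful on V5.2 through V5.5) is easy to get wrong in a compliance checker, so here is an executable model of it. This is an added example, not LJK code: the function names, the parameter shapes for limits and exemptions, and the treatment of the update suffix after the dash in a version string are assumptions of this example; the version boundaries and the defaults (LOSTALARM 0, PROHIBITED FALSE, REQUIRED TRUE) come from the tables on this page.

```python
# Added example (not LJK code): the SERVER element's version-gated checks.
# Function and parameter names are hypothetical; the version boundaries
# (V5.2 for PROHIBITED/REQUIRED, V5.2 through V5.5 for LOSTALARM) and the
# default limits come from the manual text.

DEFAULT_LIMITS = {"LOSTALARM": 0, "PROHIBITED": False, "REQUIRED": True}


def parse_vms_version(text):
    """'V5.5-2' -> (5, 5): only major.minor matter for these gates; the
    update suffix after '-' is ignored (an assumption of this model)."""
    body = text.strip().upper().lstrip("V").split("-")[0]
    major, minor = body.split(".")[:2]
    return int(major), int(minor)


def server_violations(node, vms_version, audit_started, lost_alarms,
                      limits=None, exemptions=None):
    """Return SERVER violation reports for one node.

    limits: {constraint: value} overriding DEFAULT_LIMITS.
    exemptions: {node: {constraint: value}}; an exemption replaces the limit
    for that node only (shape assumed for this example).
    """
    effective = {**DEFAULT_LIMITS, **(limits or {}),
                 **(exemptions or {}).get(node, {})}
    version = parse_vms_version(vms_version)
    reports = []

    # Before V5.2 audit processing was not started separately, so the
    # PROHIBITED and REQUIRED tests never report on such versions.
    if version < (5, 2):
        return reports

    if effective["PROHIBITED"] and audit_started:
        reports.append(f"{node} PROHIBITED: Audit processing is started "
                       f"in violation of policy")
    if effective["REQUIRED"] and not audit_started:
        reports.append(f"{node} REQUIRED: Audit processing is stopped "
                       f"in violation of policy")

    # Lost alarms are only possible on V5.2 through V5.5; on every other
    # version the count is defined to be zero, so the limit cannot be exceeded.
    counted = lost_alarms if (5, 2) <= version <= (5, 5) else 0
    if counted > effective["LOSTALARM"]:
        reports.append(f"{node} LOSTALARM: {counted} lost alarm messages "
                       f"exceed the limit of {effective['LOSTALARM']}")
    return reports


if __name__ == "__main__":
    # Constructed inputs: a V5.4 node with the audit server stopped and
    # three lost alarms reports on both REQUIRED and LOSTALARM.
    for line in server_violations("NODEA", "V5.4", False, 3):
        print(line)
```

The early return for pre-V5.2 versions is the point to notice: a checker that silently skips a node is indistinguishable from one that found no problem, so the version it detected should be recorded alongside an empty report.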

Limits

Constraint   Value               Default
LOSTALARM    0 to n              0
PROHIBITED   FALSE, TRUE or TRY  FALSE
REQUIRED     FALSE or TRUE       TRUE

Exemptions

Constraint   Value               Parameters
LOSTALARM    0 to n              <node>
PROHIBITED   FALSE, TRUE or TRY  <node>
REQUIRED     FALSE or TRUE       <node>

Practical considerations

The commands for startup and shutdown of audit processing vary depending upon the version of VMS being used. Effective with VMS V4.0, audit processing was always started (whether or not specific audit messages were enabled) and required only that the OPCOM process be running (see the separate OPCOM test in the VMS facility). Effective with VMS V5.2, separate commands for starting and stopping the audit server were provided, as outlined in section 2.1.2.1 of the VMS V5.2 New Features manual.

SUCCESS

Determine whether auditing for successful object access conforms to policy.

Violation reports

Constraint   Nature of the violation
ALPROHIBIT   Success security alarms are enabled in violation of policy
ALREQUIRE    Success security alarms are disabled in violation of policy
AUPROHIBIT   Success security audits are enabled in violation of policy
AUREQUIRE    Success security audits are disabled in violation of policy

Description

Use of the qualifiers /CLASS=FILE and /ENABLE=ACCESS=SUCCESS=(access,...) with the SET AUDIT/ALARM or SET AUDIT/AUDIT command causes the corresponding reporting when there is successful access to files. Tests for this element determine whether those audits or alarms are enabled or not.

Default policy

Enabling of SUCCESS security alarms or audits is neither prohibited nor required.

Customizing

Set limits TRUE to establish a general prohibition of or requirement for the enabling of SUCCESS security auditing. Then establish exemptions for any individual nodes which are not to be subjected to the general rule.

Selector

Limits for this element can take a selector consisting of a VMS access type: READ, WRITE, EXECUTE, DELETE or CONTROL. LOGICAL and PHYSICAL access to devices are indicated by EXECUTE and DELETE respectively.

Thus, each limit can be set once for each possible access type. If you do not specify a selector when changing limits, your change applies to all access types.
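The ALPROHIBIT / ALREQUIRE / AUPROHIBIT / AUREQUIRE tests are the same four checks for every element on this page; what differs is whether a limit carries an access-type selector (READALL and SUCCESS, described just above and under READALL) and which nodes are exempted. The following added example, which is not LJK code, models that evaluation for both selector and non-selector elements. The class and function names (Policy, AuditState, evaluate) and the sample node snapshots are hypothetical; the constraint names, the five access types, and the rule that a limit set without a selector applies to every access type follow the manual text. TRY is not modelled, since this page does not define it.

```python
# Added example (not LJK code): an executable model of the ALPROHIBIT /
# ALREQUIRE / AUPROHIBIT / AUREQUIRE checks with access-type selectors and
# per-node exemptions. Class and function names are hypothetical; the
# constraint names, the five access types and the rule that a limit set
# without a selector applies to every access type follow the manual text.
from dataclasses import dataclass, field

ACCESS_TYPES = ("READ", "WRITE", "EXECUTE", "DELETE", "CONTROL")
SELECTOR_ELEMENTS = {"READALL", "SUCCESS"}  # file-access elements take a selector
# constraint -> (setting it governs, whether "enabled" is the violating state)
CONSTRAINTS = {
    "ALPROHIBIT": ("alarms", True),
    "ALREQUIRE": ("alarms", False),
    "AUPROHIBIT": ("audits", True),
    "AUREQUIRE": ("audits", False),
}


@dataclass
class AuditState:
    """What SET AUDIT currently has enabled on one node (constructed input).

    alarms/audits map element -> set of enabled selectors; elements with no
    selector (PSBCREATE, SYSGEN, ...) use the single selector None.
    """
    node: str
    alarms: dict = field(default_factory=dict)
    audits: dict = field(default_factory=dict)

    def enabled(self, kind, element, selector):
        return selector in getattr(self, kind).get(element, set())


class Policy:
    """Limits and exemptions, shaped like the Limits/Exemptions tables."""

    def __init__(self):
        self.limits = {}      # (element, constraint, selector) -> bool
        self.exemptions = {}  # (element, constraint, node) -> bool

    def set_limit(self, element, constraint, value, selector=None):
        if element in SELECTOR_ELEMENTS:
            # No selector given: the change applies to all access types.
            targets = ACCESS_TYPES if selector is None else (selector,)
        else:
            targets = (None,)
        for sel in targets:
            self.limits[(element, constraint, sel)] = bool(value)

    def exempt(self, element, constraint, node):
        # Assumption: a node exemption lifts the rule for every selector.
        self.exemptions[(element, constraint, node)] = False

    def effective(self, element, constraint, node, selector):
        key = (element, constraint, node)
        if key in self.exemptions:
            return self.exemptions[key]
        return self.limits.get((element, constraint, selector), False)


def evaluate(policy, state):
    """Violation reports for one node, worded as in the manual's tables."""
    reports = []
    for element, constraint, selector in sorted(policy.limits, key=str):
        if not policy.effective(element, constraint, state.node, selector):
            continue  # limit FALSE, or node exempted: nothing to test
        kind, violates_when_enabled = CONSTRAINTS[constraint]
        if state.enabled(kind, element, selector) == violates_when_enabled:
            word = "enabled" if violates_when_enabled else "disabled"
            where = f" ({selector})" if selector else ""
            reports.append(f"{state.node} {constraint}: {element} security {kind} "
                           f"are {word} in violation of policy{where}")
    return reports


def demo_policy():
    policy = Policy()
    policy.set_limit("READALL", "ALPROHIBIT", True)          # all five access types
    policy.set_limit("SUCCESS", "AUPROHIBIT", True, "READ")  # READ selector only
    policy.set_limit("SYSGEN", "ALREQUIRE", True)
    policy.set_limit("PSBCREATE", "AUREQUIRE", True)
    policy.exempt("SUCCESS", "AUPROHIBIT", "BACKUP1")        # node not subject to the rule
    return policy


def demo_state(node):
    # Constructed snapshot of one node's SET AUDIT settings.
    return AuditState(node,
                      alarms={"READALL": {"READ", "WRITE"}, "SYSGEN": {None}},
                      audits={"SUCCESS": {"READ", "WRITE"}})


if __name__ == "__main__":
    for node in ("NODEA", "BACKUP1"):
        for line in evaluate(demo_policy(), demo_state(node)):
            print(line)
```

Run stand-alone, the constructed NODEA snapshot yields four reports (READALL alarms enabled for READ and WRITE, SUCCESS audits enabled for READ, PSBCREATE audits disabled) and BACKUP1 yields three, because its exemption removes the SUCCESS rule while SUCCESS WRITE audits were never constrained. Note that expanding a selector-less limit into one entry per access type at set time is what makes "set once for each possible access type" hold: a later limit with a selector then overrides exactly one of those entries.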

Limits

Constraint   Value          Default
ALPROHIBIT   FALSE or TRUE  FALSE
ALREQUIRE    FALSE or TRUE  FALSE
AUPROHIBIT   FALSE or TRUE  FALSE
AUREQUIRE    FALSE or TRUE  FALSE

Exemptions

Constraint   Value          Parameters
ALPROHIBIT   FALSE or TRUE  <node>
ALREQUIRE    FALSE or TRUE  <node>
AUPROHIBIT   FALSE or TRUE  <node>
AUREQUIRE    FALSE or TRUE  <node>

Practical considerations

Enabling successful file access will cause an enormous number of alarms or audits to be generated.

SYSGEN

Determine whether enabling of alarms or audits for modification of system parameters conforms to policy.

Violation reports

Constraint   Nature of the violation
ALPROHIBIT   SYSGEN security alarms are enabled in violation of policy
ALREQUIRE    SYSGEN security alarms are disabled in violation of policy
AUPROHIBIT   SYSGEN security audits are enabled in violation of policy
AUREQUIRE    SYSGEN security audits are disabled in violation of policy

Description

Use of the qualifier /ENABLE=SYSGEN with the SET AUDIT/ALARM or SET AUDIT/AUDIT command causes the corresponding reporting when a system parameter is modified.
Default policy

Enabling of SYSGEN security alarms and audits is neither prohibited nor required.

Customizing

Set limits TRUE to establish a general prohibition of or requirement for the enabling of SYSGEN security alarms or audits. Then establish exemptions for any individual nodes which are not to be subjected to the general rule.

Limits

Constraint   Value               Default
ALPROHIBIT   FALSE or TRUE       FALSE
ALREQUIRE    FALSE, TRUE or TRY  FALSE
AUPROHIBIT   FALSE or TRUE       FALSE
AUREQUIRE    FALSE, TRUE or TRY  FALSE

Exemptions

Constraint   Value               Parameters
ALPROHIBIT   FALSE or TRUE       <node>
ALREQUIRE    FALSE, TRUE or TRY  <node>
AUPROHIBIT   FALSE or TRUE       <node>
AUREQUIRE    FALSE, TRUE or TRY  <node>

Practical considerations

Such access can represent a significant change to system configuration, and audits or alarms are appropriate in most settings where security is taken seriously.

