LJK/Security Reference Manual
SYSPRV
Determine whether auditing for events involving the use of SYSPRV
privilege conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ALPROHIBIT | SYSPRV security alarms are enabled in violation of policy |
| ALREQUIRE | SYSPRV security alarms are disabled in violation of policy |
| AUPROHIBIT | SYSPRV security audits are enabled in violation of policy |
| AUREQUIRE | SYSPRV security audits are disabled in violation of policy |
Description
Use of the qualifiers /CLASS=FILE and
/ENABLE=ACCESS=SYSPRV=(access,...) with the SET AUDIT/ALARM
or SET AUDIT/AUDIT command causes
the corresponding reporting when SYSPRV
privilege is used to obtain the specified type of access to files.
Tests for this element determine whether those audits
or alarms are enabled or not.
Default policy
Enabling of SYSPRV security alarms or audits is neither prohibited nor required.
Customizing
Set limits TRUE to establish a general prohibition of or requirement for the enabling of SYSPRV security auditing. Then establish exemptions for any individual nodes which are not to be subjected to the general rule.
Selector
Limits for this element can take a selector consisting of a VMS access type: READ, WRITE, EXECUTE, DELETE or CONTROL. LOGICAL and PHYSICAL access to devices are indicated by EXECUTE and DELETE respectively. Thus, each limit can be set once for each possible access type. If you do not specify a selector when changing limits, your change applies to all access types.
Limits
| Constraint | Value | Default |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE or TRUE | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE or TRUE | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE or TRUE | <node> |
Practical considerations
If individuals have been granted the SYSPRV privilege, they may be using it for routine operations which would result in a large number of security alarms if SYSPRV security alarms were to be enabled. Even though routine use of SYSPRV should be discouraged, caution should be exercised before committing to keeping SYSPRV alarms enabled, so as to ensure such activities do not swamp other alarms.
SYSPRV audits, on the other hand, provide a silent record of the activities of privileged users.
SYSTIME
Determine whether enabling of alarms or audits for setting system time
conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ALPROHIBIT | TIME security alarms are enabled in violation of policy |
| ALREQUIRE | TIME security alarms are disabled in violation of policy |
| AUPROHIBIT | TIME security audits are enabled in violation of policy |
| AUREQUIRE | TIME security audits are disabled in violation of policy |
Description
Use of the qualifier /ENABLE=TIME with the SET AUDIT/ALARM
or SET AUDIT/AUDIT command causes
the corresponding reporting when the system time is changed.
Default policy
Enabling of TIME security alarms and audits is neither prohibited nor required.
Customizing
Set limits TRUE to establish a general prohibition of or requirement for the enabling of TIME security alarms or audits. Then establish exemptions for any individual nodes which are not to be subjected to the general rule.
Limits
| Constraint | Value | Default |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE, TRUE or TRY | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE, TRUE or TRY | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE, TRUE or TRY | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE, TRUE or TRY | <node> |
Practical considerations
Changing the system time can represent a significant change to system configuration, and audits or alarms are appropriate in most settings where security is taken seriously.
UPGRADE
Determine whether auditing for events involving the use of UPGRADE
privilege conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ALPROHIBIT | UPGRADE security alarms are enabled in violation of policy |
| ALREQUIRE | UPGRADE security alarms are disabled in violation of policy |
| AUPROHIBIT | UPGRADE security audits are enabled in violation of policy |
| AUREQUIRE | UPGRADE security audits are disabled in violation of policy |
Description
Use of the qualifiers /CLASS=FILE and
/ENABLE=ACCESS=UPGRADE=(access,...) with the SET AUDIT/ALARM
or SET AUDIT/AUDIT command causes
the corresponding reporting when UPGRADE
privilege is used to obtain the specified type of access to files.
Tests for this element determine whether those audits
or alarms are enabled or not.
SEVMS required
The (AUDIT, UPGRADE, ALREQUIRE) and (AUDIT, UPGRADE, AUREQUIRE) tests will never report an error on systems that do not have the CLASS_PROT system parameter enabled. When the CLASS_PROT system parameter is not enabled, audits and alarms for use of the UPGRADE privilege cannot be enabled. If the policy covering a number of systems is to require that the SEVMS product be used, the test (VMS, CLASSPROT, REQUIRED) should be used.
Default policy
Enabling of UPGRADE security alarms or audits is neither prohibited nor required.
Customizing
Set limits TRUE to establish a general prohibition of or requirement for the enabling of UPGRADE security auditing. Then establish exemptions for any individual nodes which are not to be subjected to the general rule.
Selector
Limits for this element can take a selector consisting of a VMS access type: READ, WRITE, EXECUTE, DELETE or CONTROL. LOGICAL and PHYSICAL access to devices are indicated by EXECUTE and DELETE respectively. Thus, each limit can be set once for each possible access type. If you do not specify a selector when changing limits, your change applies to all access types.
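The selector rules above are the same for the SYSPRV element earlier on this page and for UPGRADE here, and they are easiest to see as code. The following Python model is an added example, not LJK/Security code and not taken from the manual: a limit set without a selector is applied to every access type, a per-node exemption overrides the general limit for that node, and the four ALPROHIBIT/ALREQUIRE/AUPROHIBIT/AUREQUIRE violations are reported against a constructed observation of which alarms and audits are enabled on a node. The class and function names, the dictionary layout and the node names PRODA and DEVBOX are assumptions made for the example.

```python
# Added example, not LJK/Security code: a model of how limits with an access-type
# selector and per-node exemptions combine for the SYSPRV and UPGRADE audit
# elements.  The data layout and the node names PRODA and DEVBOX are constructed.

ACCESS_TYPES = ("READ", "WRITE", "EXECUTE", "DELETE", "CONTROL")
CONSTRAINTS = ("ALPROHIBIT", "ALREQUIRE", "AUPROHIBIT", "AUREQUIRE")


class PrivilegeAuditPolicy:
    """Limits and exemptions for one privilege-audit element (e.g. SYSPRV)."""

    def __init__(self):
        # limits[constraint][access_type] -> TRUE/FALSE; every limit defaults to FALSE
        self.limits = {c: {a: False for a in ACCESS_TYPES} for c in CONSTRAINTS}
        # exemptions[constraint][(node, access_type)] -> TRUE/FALSE
        self.exemptions = {c: {} for c in CONSTRAINTS}

    @staticmethod
    def _targets(selector):
        # No selector: the change applies to all access types.
        if selector is None:
            return ACCESS_TYPES
        selector = selector.upper()
        if selector not in ACCESS_TYPES:
            raise ValueError(f"unknown access type selector: {selector}")
        return (selector,)

    def set_limit(self, constraint, value, selector=None):
        for access in self._targets(selector):
            self.limits[constraint][access] = value

    def set_exemption(self, constraint, node, value, selector=None):
        for access in self._targets(selector):
            self.exemptions[constraint][(node.upper(), access)] = value

    def effective(self, constraint, node, access):
        # An exemption for the node overrides the general limit for that access type.
        return self.exemptions[constraint].get(
            (node.upper(), access), self.limits[constraint][access])


def evaluate(policy, node, observed):
    """observed maps an access type to {"alarm": bool, "audit": bool}, i.e. whether
    alarms/audits for the privilege are enabled for that access type on the node.
    Returns (constraint, access_type) pairs, one per violation."""
    violations = []
    for access in ACCESS_TYPES:
        state = observed.get(access, {})
        for kind, prefix in (("alarm", "AL"), ("audit", "AU")):
            enabled = state.get(kind, False)
            if enabled and policy.effective(prefix + "PROHIBIT", node, access):
                violations.append((prefix + "PROHIBIT", access))
            if not enabled and policy.effective(prefix + "REQUIRE", node, access):
                violations.append((prefix + "REQUIRE", access))
    return violations


def demo_policy():
    """Constructed site policy: audits required everywhere except on DEVBOX,
    alarms prohibited for READ access only."""
    policy = PrivilegeAuditPolicy()
    policy.set_limit("AUREQUIRE", True)
    policy.set_limit("ALPROHIBIT", True, selector="READ")
    policy.set_exemption("AUREQUIRE", "DEVBOX", False)
    return policy


# Constructed observation: READ alarms on, audits on for READ and WRITE only.
SAMPLE_STATE = {
    "READ": {"alarm": True, "audit": True},
    "WRITE": {"alarm": False, "audit": True},
}

if __name__ == "__main__":
    for node in ("PRODA", "DEVBOX"):
        print(node, evaluate(demo_policy(), node, SAMPLE_STATE))
```

Running the module reports, for PRODA, an ALPROHIBIT violation for READ plus AUREQUIRE violations for EXECUTE, DELETE and CONTROL; DEVBOX keeps only the READ alarm violation because its AUREQUIRE exemption was set without a selector and therefore covers every access type.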
Limits
| Constraint | Value | Default |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE or TRUE | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE or TRUE | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE or TRUE | <node> |
Practical considerations
The UPGRADE privilege is only relevant to systems running Mandatory Access Controls, as implemented with the SEVMS (Security Enhanced VMS) software available from DEC. UPGRADE audits and alarms may both be quite appropriate in such environments since such activities are rare and worthy of note.
6.3 DECNET Tests
Tests in the DECNET facility deal with parameters used to set up DECnet
on a machine, as well as the nature of individual usernames involved in
DECnet operations.
Exemptions are based on node name.
DEFACCINC
Determine whether Executor Default Incoming Access conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Default Incoming Access is enabled in violation of policy |
| REQUIRED | Default Incoming Access is disabled in violation of policy |
Description
The DECnet executor default access parameter controls whether DECnet
communication is permitted to unknown nodes not explicitly listed in
the local DECnet database.
Possible values of the DECnet executor default access parameter are:
- NONE
- INCOMING
- OUTGOING
- BOTH
Default policy
Default incoming access is prohibited.
Customizing
Add exemptions for cases where administrators do not have information regarding nodes with which access is required. After a month or so of aggressive DECnet logging, an administrator should be able to remove the default access.
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | TRUE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
If your organization is not able to provide system administrators with up-to-date information about node name additions, removals and changes, you will have to live with default access. Efforts should be made, however, to solve the information availability problem.
DEFACCOUT
Determine whether Executor Default Outgoing Access conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Default Outgoing Access is enabled in violation of policy |
| REQUIRED | Default Outgoing Access is disabled in violation of policy |
Description
The DECnet executor default access parameter controls whether DECnet
communication is permitted to unknown nodes not explicitly listed in
the local DECnet database.
Possible values of the DECnet executor default access parameter are:
- NONE
- INCOMING
- OUTGOING
- BOTH
Default policy
Default outgoing access is prohibited.
Customizing
Add exemptions for cases where administrators do not have information regarding nodes with which access is required. After a month or so of aggressive DECnet logging, an administrator should be able to remove the default access.
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | TRUE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
If your organization is not able to provide system administrators with up-to-date information about node name additions, removals and changes, you will have to live with default access. Efforts should be made, however, to solve the information availability problem.
DEFINCACC
Determine whether presence of DECnet Default Incoming Account conforms
to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | DECnet Default Incoming Account is present in violation of policy |
| REQUIRED | DECnet Default Incoming Account is absent in violation of policy |
Description
A DECnet default incoming account is the simple "default DECnet account"
which is a prime tool used by attackers to work their way through a
DECnet network from a node where they already have (authorized or
unauthorized) access.
Default policy
Use of a DECnet default incoming account is prohibited.
Customizing
Add exemptions if administrators insist they need default DECnet accounts, but consider such exemptions to be action items to get the nodes (and possibly particular applications) converted.
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | TRUE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
In almost all cases, use of proxy logins or object-specific accounts can remove the need for general default DECnet accounts.
DEFINCNAME
Determine whether the name of a default incoming DECnet account is
acceptable.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBIT | Name is on prohibited list |
| REQUIRE | Name is not on required list |
Description
The values for limits and
exemptions are character strings of comma-separated
usernames. If a default incoming DECnet account is present, the
username must match one of those on the REQUIRE list and may not match
any of those on the PROHIBIT list.
Default policy
The default is to allow anything but DECNET as the name of a default incoming DECnet account.
Customizing
In addition to prohibiting DECNET (a commonly used name), you may wish to prohibit other usernames specific to your organization.
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBIT | comma-separated list | DECNET |
| REQUIRE | comma-separated list | * |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBIT | comma-separated list | <node> |
| REQUIRE | comma-separated list | <node> |
Practical considerations
Although default incoming DECnet accounts are generally unsafe, in some situations their use has become so ingrained in an organization that they cannot be readily displaced. As an interim measure, steps should be taken to ensure that such accounts do not have easily guessed usernames.
DEFINCPRIV
Ensure the privileges for any default incoming DECnet account are
acceptable.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| AUTHREQUIR | Username lacks authorization for privilege |
| AUTHPROHIB | Username has authorization for privilege |
| DEFREQUIR | Username lacks default privilege |
| DEFPROHIB | Username has default privilege |
| ABSOLUTLO | Lower level than minimum in the policy |
| ABSOLUTHI | Higher level than maximum in the policy |
Description
Default incoming DECnet accounts are a considerable security hazard by
themselves, but authorizing privilege (other than NETMBX and TMPMBX)
for a default incoming DECnet account increases the risk a great deal.
If a default incoming DECnet account is present, this test compares the
privilege mask it has to the limit set in the policy.
Default policy
The privileges NETMBX and TMPMBX are required and all others are prohibited.
Customizing
Relaxation of the default limits or establishment of exemptions for these tests should be done only after an extremely thorough security review.
Selector
Limits and exemptions for tests AUTHREQUIR, AUTHPROHIB, DEFREQUIR and DEFPROHIB can take a selector consisting of a privilege name. Thus, each can be set once for each possible privilege. With the Command Interface, if you do not specify a selector when changing limits, your change applies to all privileges.
Limits
| Constraint | Value | Default |
|---|---|---|
| AUTHREQUIR | FALSE or TRUE | FALSE |
| AUTHPROHIB | FALSE or TRUE | FALSE |
| DEFREQUIR | FALSE or TRUE | FALSE |
| DEFPROHIB | FALSE or TRUE | FALSE |
| ABSOLUTLO | Category-None to Category-All | Category-Normal |
| ABSOLUTHI | Category-None to Category-All | Category-Normal |

* except for NETMBX and TMPMBX selections.
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| AUTHREQUIR | FALSE or TRUE | <node> |
| AUTHPROHIB | FALSE or TRUE | <node> |
| DEFREQUIR | FALSE or TRUE | <node> |
| DEFPROHIB | FALSE or TRUE | <node> |
| ABSOLUTLO | Category-None to Category-All | <node> |
| ABSOLUTHI | Category-None to Category-All | <node> |
Practical considerations
TMPMBX privilege is required for most users, so they can run common utility programs which use mailboxes. NETMBX privilege is required for users to access DECnet.
The tests ABSOLUTLO and ABSOLUTHI are sufficient to express the default policy, which prohibits all but NETMBX and TMPMBX but requires those two privileges. If a more complicated selection of privileges is required, it may be necessary to use the tests AUTHREQUIR, AUTHPROHIB, DEFREQUIR and DEFPROHIB.
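How the two styles of check relate, as an added Python example that is not LJK/Security code and not taken from the manual. The manual names only Category-None, Category-Normal and Category-All, so the example models just those three and infers Category-Normal = {NETMBX, TMPMBX} from the default policy; the reading of the level comparison (ABSOLUTLO fails when the mask lacks something in the minimum category, ABSOLUTHI fails when the mask holds something outside the maximum category) is an assumption chosen because it makes a Category-Normal to Category-Normal range express the default policy exactly, as the text states. Applying the absolute range to the authorized mask, and all function names and sample masks, are likewise assumptions.

```python
# Added example, not LJK/Security code: one way to evaluate the DEFINCPRIV
# constraints.  Only Category-None, Category-Normal and Category-All are named
# in the manual; Category-Normal = {NETMBX, TMPMBX} is inferred from the default
# policy, and Category-All (any privilege) is represented by None.  The
# interpretation of the level comparison is an assumption:
#   ABSOLUTLO - the mask must contain every privilege in the minimum category
#   ABSOLUTHI - the mask may contain nothing outside the maximum category

CATEGORY_PRIVS = {
    "Category-None": frozenset(),
    "Category-Normal": frozenset({"NETMBX", "TMPMBX"}),
    "Category-All": None,
}


def check_absolute(privs, low="Category-Normal", high="Category-Normal"):
    """ABSOLUTLO/ABSOLUTHI check of a privilege mask against a category range."""
    mask = {p.upper() for p in privs}
    minimum, maximum = CATEGORY_PRIVS[low], CATEGORY_PRIVS[high]
    if minimum is None:
        raise ValueError("Category-All as a minimum is not modelled here")
    violations = []
    if not minimum <= mask:
        violations.append("ABSOLUTLO")
    if maximum is not None and not mask <= maximum:
        violations.append("ABSOLUTHI")
    return violations


def check_per_privilege(authorized, default, limits):
    """AUTHREQUIR/AUTHPROHIB apply to the authorized mask, DEFREQUIR/DEFPROHIB to
    the default mask.  limits maps a constraint to {privilege: TRUE/FALSE}, the
    privilege name being the selector; anything absent counts as FALSE."""
    auth = {p.upper() for p in authorized}
    dflt = {p.upper() for p in default}
    violations = []
    for constraint, mask, flagged_when_present in (
        ("AUTHREQUIR", auth, False), ("AUTHPROHIB", auth, True),
        ("DEFREQUIR", dflt, False), ("DEFPROHIB", dflt, True),
    ):
        for priv, enabled in limits.get(constraint, {}).items():
            if enabled and (priv.upper() in mask) == flagged_when_present:
                violations.append((constraint, priv.upper()))
    return violations


def check_default_account(authorized, default, low="Category-Normal",
                          high="Category-Normal", limits=None):
    """Full DEFINCPRIV evaluation; the absolute range is applied to the
    authorized mask (an assumption of this example)."""
    absolute = [(c, None) for c in check_absolute(authorized, low, high)]
    return absolute + check_per_privilege(authorized, default, limits or {})


if __name__ == "__main__":
    # Constructed sample masks for a default incoming DECnet account.
    print(check_default_account({"NETMBX", "TMPMBX"}, {"NETMBX", "TMPMBX"}))
    print(check_default_account({"NETMBX", "TMPMBX", "SYSPRV"}, {"NETMBX"},
                                limits={"DEFREQUIR": {"TMPMBX": True}}))
```

The first call passes under the default policy; the second reports ABSOLUTHI for the extra SYSPRV in the authorized mask and DEFREQUIR for the missing default TMPMBX, which is the kind of finer-grained result the per-privilege tests add on top of the category range.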