Except for test PRESENT, if the specified file cannot be found (status codes RMS$_FNF, RMS$_NMF, RMS$_DNF and RMS$_DEV) it is not considered a violation. This eases the task of maintaining policies to cover multiple nodes.

Default policy

The default value for the limit is the null string.

Customizing

Without customization, this element has no effect. Add an exemption for each file which you want tested, specifying the proper value as the value for the exemption.

Selector

Exemptions for constraints PERCENTLO and PERCENTHI can take a selector consisting of a VMS file access type: READ, WRITE, EXECUTE, DELETE or CONTROL. Thus, each such exemption can be set once for each possible access type. If no selector is specified with the command interface, customization commands apply to all possible selector values.
| Constraint | Value | Default |
|---|---|---|
| ABSENT | Any Protection | (S,O,G,W) |
| ABSOLUTLO | Any Protection | (S,O,G,W) |
| ABSOLUTHI | Any Protection | (S:RWED,O:RWED,G:RWED,W:RWED) |
| ACLNOGEN | FALSE or TRUE | FALSE |
| ACLNOSYS | FALSE or TRUE | FALSE |
| ACLNOUIC | FALSE or TRUE | FALSE |
| ALFPROHIB | FALSE or TRUE | FALSE |
| ALFREQUIRE | FALSE or TRUE | FALSE |
| ALSPROHIB | FALSE or TRUE | FALSE |
| ALSREQUIRE | FALSE or TRUE | FALSE |
| AUFPROHIB | FALSE or TRUE | FALSE |
| AUFREQUIRE | FALSE or TRUE | FALSE |
| AUSPROHIB | FALSE or TRUE | FALSE |
| AUSREQUIRE | FALSE or TRUE | FALSE |
| BACKUPABS | delta-time | +00:00:00.00 |
| BACKUPMOD | delta-time | +00:00:00.00 |
| MODBEFORE | absolute-time | +00:00:00.00 |
| PERCENTLO | 0-100 | R:0,W:0,E:0,D:0,C:0 |
| PERCENTHI | 0-100 | R:100,W:100,E:100,D:100,C:100 |
| OWNER | Identifier | [SYSTEM] |
| SUBSYSNO | FALSE or TRUE | FALSE |
| SUBSYSYES | FALSE or TRUE | FALSE |
| VERSIONMAX | 0-32767 | 0 |
| Constraint | Value | Parameters |
|---|---|---|
| ABSENT | Any Protection | <node>,<filespec> |
| ABSOLUTLO | Any Protection | <node>,<filespec> |
| ABSOLUTHI | Any Protection | <node>,<filespec> |
| ACLNOGEN | FALSE or TRUE | <node>,<filespec> |
| ACLNOSYS | FALSE or TRUE | <node>,<filespec> |
| ACLNOUIC | FALSE or TRUE | <node>,<filespec> |
| ALFPROHIB | FALSE or TRUE | <node>,<filespec> |
| ALFREQUIRE | FALSE or TRUE | <node>,<filespec> |
| ALSPROHIB | FALSE or TRUE | <node>,<filespec> |
| ALSREQUIRE | FALSE or TRUE | <node>,<filespec> |
| AUFPROHIB | FALSE or TRUE | <node>,<filespec> |
| AUFREQUIRE | FALSE or TRUE | <node>,<filespec> |
| AUSPROHIB | FALSE or TRUE | <node>,<filespec> |
| AUSREQUIRE | FALSE or TRUE | <node>,<filespec> |
| BACKUPABS | delta-time | <node>,<filespec> |
| BACKUPMOD | delta-time | <node>,<filespec> |
| MODBEFORE | absolute-time | <node>,<filespec> |
| OWNER | Identifier | <node>,<filespec> |
| PERCENTLO | 0-100 | <node>,<filespec> |
| PERCENTHI | 0-100 | <node>,<filespec> |
| SUBSYSNO | FALSE or TRUE | <node>,<filespec> |
| SUBSYSYES | FALSE or TRUE | <node>,<filespec> |
| VERSIONMAX | 0-32767 | <node>,<filespec> |
There is not much point in establishing an exemption with a value of FALSE for one of the ACL-related constraints: FALSE is already the default for each of them, so such an exemption changes nothing.
Test the integrity of specified files.
| Constraint | Nature of the violation |
|---|---|
| SHA1 | SHA-1 checksum value does not match |
| SIMPLE | Simple checksum value does not match |
| SITE | Site-specific checksum value does not match |
This element uses limits and exemptions in a different fashion than most. Each file to be tested must be specified in an exemption, where the value associated with the exemption is a string of hexadecimal characters representing the proper checksum value. The value associated with the limit can be used as an initialization vector for the checksum algorithm. No such use is made for the SHA1 or SIMPLE tests, so this capability is only meaningful for the SITE test.

Default policy

The default value for the limit is the null string.

Customizing

Without customization, this element has no effect. Add an exemption for each file which you want checksummed, specifying the proper value as the value for the exemption.

Selector

If the specified file cannot be found (status codes RMS$_FNF, RMS$_NMF, RMS$_DNF and RMS$_DEV) it is not considered a violation. This eases the task of maintaining policies to cover multiple nodes.
Test SIMPLE provides a very simple checksum routine which could be fooled by a skilled attacker who crafted their file modifications so as not to change the resulting checksum value.
Test SHA1 provides a true cryptographic checksum (SHA-1), giving detection of not only inadvertent but also malicious manipulation of images by a skilled attacker. There is a price to be paid in execution time, however: on a fast VAX, running the SHA1 test across all images provided as part of VMS takes about 2 hours, while doing the same thing with the SIMPLE test takes about 2 minutes. Note that SHA-1 is no longer considered collision-resistant (practical collisions were demonstrated in 2017). Comparing a file against a previously recorded checksum depends on second-preimage resistance, for which no practical attack on SHA-1 is known, but sites able to supply a newer hash through the SITE test should consider doing so.
In special circumstances, some sites prefer to use a cryptographic checksum of their own design. Test SITE provides for a site-specified checksum algorithm.
For information on how to provide a site-specific checksum algorithm, refer to Section 9.2.3, LJK$SECURITY_SITE_CHECKSUM callback.
| Constraint | Value | Default |
|---|---|---|
| SHA1 | 0-254 hexadecimal characters (even number) | null string |
| SIMPLE | 0-254 hexadecimal characters (even number) | null string |
| SITE | 0-254 hexadecimal characters (even number) | null string |
| Constraint | Value | Parameters |
|---|---|---|
| SHA1 | 0-254 hexadecimal characters (even number) | <node>,<filespec> |
| SIMPLE | 0-254 hexadecimal characters (even number) | <node>,<filespec> |
| SITE | 0-254 hexadecimal characters (even number) | <node>,<filespec> |
For sites which are interested in such a high level of security, the list of installed images is a good starting list, since they are declared "trusted" by installing them. For those images that come as part of VMS, command procedures to set a policy up are described in Appendix K, Creating Policies Based on Examples. Added to that list should be any other programs run by privileged users.
LJK Software makes no claims regarding the stability of executable images on a typical VMS system. In the past, some VMS images have undergone regular modification as a part of normal operation. In particular, this is true of the SYS.EXE image on VAX.
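The following is an added example, not LJK Security's code, showing how a checksum policy of the kind described above is evaluated and why the page rates SIMPLE below SHA1. The SHA1 test is real SHA-1 from Python's hashlib; the SIMPLE test here is an assumed 16-bit additive checksum standing in for the product's undocumented routine, chosen only because it has the weakness the page describes. File names, file contents and the "file not found on this node" case are constructed for the demonstration.

```python
# Added example, not LJK Security's code. SIMPLE below is an assumed
# additive checksum; the product's own SIMPLE algorithm is not documented here.
import hashlib
import os
import tempfile


def simple_checksum(data):
    """Assumed additive checksum: byte sum mod 2**16, as 4 hex characters."""
    return "%04X" % (sum(data) & 0xFFFF)


def sha1_checksum(data):
    """SHA-1 digest as 40 hex characters (an even-length hex string, as the
    policy value column requires)."""
    return hashlib.sha1(data).hexdigest().upper()


TESTS = {"SIMPLE": simple_checksum, "SHA1": sha1_checksum}


def check_policy(policy, test):
    """policy maps a file path to the expected hex value from its exemption.
    Returns (violations, skipped): a file that cannot be found is skipped,
    not reported, as the page specifies for policies covering several nodes."""
    algorithm = TESTS[test]
    violations, skipped = [], []
    for path, expected in policy.items():
        try:
            with open(path, "rb") as fh:
                data = fh.read()
        except FileNotFoundError:
            skipped.append(path)
            continue
        actual = algorithm(data)
        if actual != expected.upper():
            violations.append((path, expected.upper(), actual))
    return violations, skipped


def forge_simple(data, offset, new_byte):
    """Change one byte and adjust another so the additive checksum is
    unchanged: the crafted modification the page says SIMPLE cannot detect."""
    buf = bytearray(data)
    delta = new_byte - buf[offset]          # signed change to the byte sum
    buf[offset] = new_byte
    for i, b in enumerate(buf):
        if i != offset and 0 <= b - delta <= 255:
            buf[i] = b - delta              # cancel the change exactly
            return bytes(buf)
    raise ValueError("no byte available to absorb the change")


def demo():
    """Run both tests over a constructed image and a tampered copy of it.
    Returns {test: (violating basenames, skipped basenames)}."""
    original = bytes(range(256)) * 2        # constructed sample image content
    tampered = forge_simple(original, offset=10, new_byte=0xCC)
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "GOOD.EXE")
        bad = os.path.join(tmp, "BAD.EXE")
        missing = os.path.join(tmp, "NOT_ON_THIS_NODE.EXE")
        for path, content in ((good, original), (bad, tampered)):
            with open(path, "wb") as fh:
                fh.write(content)
        results = {}
        for test in ("SHA1", "SIMPLE"):
            expected = TESTS[test](original)   # policy records the known-good value
            policy = {good: expected, bad: expected, missing: expected}
            violations, skipped = check_policy(policy, test)
            results[test] = ([os.path.basename(v[0]) for v in violations],
                             [os.path.basename(p) for p in skipped])
    return results
```

In demo() the tampered image differs from the original in two bytes yet passes the SIMPLE test unchanged, while the SHA1 test reports it; the file absent from the node is skipped by both tests rather than reported, which is what lets one policy cover several nodes.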
Ensure that cluster configuration conforms to local policy.
| Constraint | Nature of the violation |
|---|---|
| MINLATENCY | Latency between the nodes serving members of a shadow set is so low (the members are so close together) that disaster tolerance is undercut |
This is a per-disk test regarding cluster configuration.

Default policy

By default no minimum latency is specified.

Customizing

Set the limit for (DISK, CLUSTER, SHADOWDATA) to TRUE in order to require all non-system disk volumes to be shadowed.

Set the limit for (DISK, CLUSTER, MINLATENCY) to specify how far apart members of the shadow set must be from each other, expressed as the minimum acceptable latency in milliseconds between the nodes serving them.

Selector
| Constraint | Value | Default |
|---|---|---|
| MINLATENCY | 0-n milliseconds | |
| Constraint | Value | Parameters |
|---|---|---|
| MINLATENCY | 0-n milliseconds | <node>,<volume-name> |
Ensure that protections on all DEC DBMS files fall within the restrictions set by policy. DEC DBMS files in this context are all of those with the following file types:
- .ROO
- .DBS
- .AIJ
| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | Access is narrower than permitted by policy |
| ABSOLUTHI | Access is wider than permitted by policy |
| NOSYSOWNER | File is owned by a system UIC in violation of policy |
| PERCENTLO | Fewer users can access than permitted by policy |
| PERCENTHI | More users can access than permitted by policy |
| SYSOWNER | File is not owned by a system UIC in violation of policy |
| VERSIONMAX | File version number is higher than allowed by policy |
DEC DBMS files are normally protected to allow only SYSTEM access, so that even the owner of the database must use DBMS access methods.

Default policy

The DEC DBMS file protection setting must allow only the system to read and write the DEC DBMS files.

The ABSOLUTLO and ABSOLUTHI tests measure the UIC-based protection mask directly. The PERCENTLO and PERCENTHI tests measure the result of protection (including ACL protection) in terms of the percentage of usernames given access.

Protection-related DISK facility elements do not report violations that concern only the writeability of files on CD-ROM volumes, since on such media the apparent writeability is an illusion.

By default, a minimum of 0 percent of users must have access and a maximum of 1 percent of users may have READ, WRITE and CONTROL access, and a maximum of 0 percent of users may have other forms of access.

Customizing

DEC DBMS access is normally granted only through access control lists within the database, so there should be no need to customize the default limits for this element.

Selector

Limits for constraints PERCENTLO and PERCENTHI can take a selector consisting of a VMS file access type: READ, WRITE, EXECUTE, DELETE or CONTROL. If no selector is specified, customization commands apply to all possible selector values.
| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | Any Protection | (S:RW,O,G,W) |
| ABSOLUTHI | Any Protection | (S:RW,O,G,W) |
| NOSYSOWNER | FALSE or TRUE | FALSE |
| PERCENTLO | 0-100 | 0 |
| PERCENTHI | 0-100 | R:1,W:1,E:0,D:0,C:1 |
| SYSOWNER | FALSE or TRUE | FALSE |
| VERSIONMAX | 0-32767 | 0 |
| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | Any Protection | <node>,<filespec> |
| ABSOLUTHI | Any Protection | <node>,<filespec> |
| NOSYSOWNER | FALSE or TRUE | <node>,<filespec> |
| PERCENTLO | 0-100 | <node>,<filespec> |
| PERCENTHI | 0-100 | <node>,<filespec> |
| SYSOWNER | FALSE or TRUE | <node>,<filespec> |
| VERSIONMAX | 0-32767 | <node>,<filespec> |
Ensure that protections on all directories fall within the restrictions set by policy.
| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | Access is narrower than permitted by policy |
| ABSOLUTHI | Access is wider than permitted by policy |
| NOSYSOWNER | File is owned by a system UIC in violation of policy |
| PERCENTLO | Fewer users can access than permitted by policy |
| PERCENTHI | More users can access than permitted by policy |
| SYSOWNER | File is not owned by a system UIC in violation of policy |
| VERSIONMAX | File version number is higher than allowed by policy |
If a directory's protection setting is not restrictive enough, unauthorized users will be able to read, write, execute, or delete the directory in question. If the setting is too restrictive, users generally find a less acceptable way of sharing information to get their job done. Typically, they share their password or make an unauthorized copy of the files within the directory somewhere else.

Default policy

The directory protection setting must allow at least the system to read, write, and execute the directory. By default, the weakest acceptable directory setting allows the system and owner to read, write, execute, and delete the directory, and also allows other users in the owner's UIC group to read and execute the directory. By default, other users outside the owner's group are allowed only execute access to the directory.

The purpose of this test is to ensure that directory protection settings are within the limits set by the security manager.

The ABSOLUTLO and ABSOLUTHI tests measure the UIC-based protection mask directly. The PERCENTLO and PERCENTHI tests measure the result of protection (including ACL protection) in terms of the percentage of usernames given access.

Protection-related DISK facility elements do not report violations that concern only the writeability of files on CD-ROM volumes, since on such media the apparent writeability is an illusion.

By default, a minimum of 0 percent of users must have access and a maximum of 10 percent of users may have READ, WRITE, DELETE and CONTROL access while a maximum of 100 percent may have EXECUTE access.

Customizing

Limits for constraints ABSOLUTLO and ABSOLUTHI take the same form as a standard VMS file protection setting. The syntax for this is explained in some detail in VMS documentation. The default settings shown in the limits table below are good examples of how to specify which class of users are allowed which type of access. These are the codes involved:

- S, O, G, W: the System, Owner, Group and World categories of user
- R, W, E, D: Read, Write, Execute and Delete access; a category listed with no codes after it (for example W alone) is granted no access
| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | Any Protection | (S:RWE,O,G,W) |
| ABSOLUTHI | Any Protection | (S:RWED,O:RWED,G:RE,W) |
| NOSYSOWNER | FALSE or TRUE | FALSE |
| PERCENTLO | 0-100 | 0 |
| PERCENTHI | 0-100 | R:10,W:10,E:100,D:10,C:10 |
| SYSOWNER | FALSE or TRUE | FALSE |
| VERSIONMAX | 0-32767 | 0 |
| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | Any Protection | <node>,<filespec> |
| ABSOLUTHI | Any Protection | <node>,<filespec> |
| NOSYSOWNER | FALSE or TRUE | <node>,<filespec> |
| PERCENTLO | 0-100 | <node>,<filespec> |
| PERCENTHI | 0-100 | <node>,<filespec> |
| SYSOWNER | FALSE or TRUE | <node>,<filespec> |
| VERSIONMAX | 0-32767 | <node>,<filespec> |
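The following is an added example, not LJK Security's code: a simplified Python model of the ABSOLUTLO/ABSOLUTHI and PERCENTLO/PERCENTHI tests as described for the DEC DBMS and directory elements above (the same constraints appear in the per-file tables earlier on this page). It parses the VMS protection syntax used in the limits tables, compares a mask against the low and high limits, and computes the percentage of usernames holding each access type from UIC categories plus identifier ACEs, which is the distinction the text draws between the two pairs of tests. The user population, the STAFF identifier and the ACE are constructed for the demonstration; the access model is an approximation of VMS object protection (first matching ACE decides, system and owner fields still apply, implicit CONTROL for system and owner, no privileges such as BYPASS or SYSPRV, and MAXSYSGROUP assumed to be the VMS default of octal 10), not the product's algorithm.

```python
# Added example, not LJK Security's code; an approximation of VMS protection.
ACCESS_TYPES = "RWEDC"   # Read, Write, Execute, Delete, Control
CATEGORIES = "SOGW"      # System, Owner, Group, World
MAXSYSGROUP = 8          # assumption: VMS default MAXSYSGROUP of octal 10


def parse_protection(text):
    """'(S:RWE,O:RWED,G:RE,W)' -> {'S': {'R','W','E'}, ..., 'W': set()}.
    A category with no codes (here W) is granted no access."""
    mask = {c: set() for c in CATEGORIES}
    for field in text.strip("() ").split(","):
        name, _, bits = field.strip().upper().partition(":")
        if name not in mask or set(bits) - set("RWED"):
            raise ValueError("bad protection field: %r" % field)
        mask[name] = set(bits)
    return mask


def absolute_violations(actual, low, high):
    """ABSOLUTLO: the mask grants less than the low limit requires.
    ABSOLUTHI: the mask grants more than the high limit permits.
    Both look only at the UIC-based mask, never at ACLs."""
    act, lo, hi = (parse_protection(p) for p in (actual, low, high))
    found = []
    for c in CATEGORIES:
        found += [("ABSOLUTLO", c, b) for b in sorted(lo[c] - act[c])]
        found += [("ABSOLUTHI", c, b) for b in sorted(act[c] - hi[c])]
    return found


def user_access(user, owner_uic, mask, acl):
    """Access one user actually obtains. System and owner categories keep
    their mask fields plus implicit CONTROL; the first matching identifier
    ACE then decides, otherwise the group and world fields apply too."""
    group, member = user["uic"]
    granted = set()
    if group <= MAXSYSGROUP:
        granted |= mask["S"] | {"C"}
    if (group, member) == owner_uic:
        granted |= mask["O"] | {"C"}
    for identifier, bits in acl:
        if identifier in user["identifiers"]:
            return granted | set(bits)
    if group == owner_uic[0]:
        granted |= mask["G"]
    return granted | mask["W"]


def percent_access(users, owner_uic, protection, acl=()):
    """Percentage of usernames holding each access type, which is what
    PERCENTLO/PERCENTHI measure (UIC protection plus ACL protection)."""
    mask = parse_protection(protection)
    counts = {t: 0 for t in ACCESS_TYPES}
    for user in users:
        for t in user_access(user, owner_uic, mask, acl):
            counts[t] += 1
    return {t: 100.0 * counts[t] / len(users) for t in ACCESS_TYPES}


def percent_violations(percent, low, high):
    """low/high map an access-type code to its PERCENTLO/PERCENTHI limit."""
    found = []
    for t in ACCESS_TYPES:
        if percent[t] < low.get(t, 0):
            found.append(("PERCENTLO", t, percent[t]))
        if percent[t] > high.get(t, 100):
            found.append(("PERCENTHI", t, percent[t]))
    return found


# Constructed population of 30 usernames: one system account, the
# directory owner ALICE, her group-mate BOB, and 27 staff accounts.
USERS = [
    {"name": "SYSTEM", "uic": (1, 4), "identifiers": {"SYSTEM"}},
    {"name": "ALICE", "uic": (200, 1), "identifiers": {"ALICE"}},
    {"name": "BOB", "uic": (200, 2), "identifiers": {"BOB"}},
] + [
    {"name": "USER%d" % i, "uic": (300, i), "identifiers": {"USER%d" % i, "STAFF"}}
    for i in range(27)
]


def demo():
    """Check a directory owned by ALICE against the page's default
    directory limits, first by UIC mask alone, then with an ACE added."""
    owner = (200, 1)
    low, high = "(S:RWE,O,G,W)", "(S:RWED,O:RWED,G:RE,W)"
    pct_high = {"R": 10, "W": 10, "E": 100, "D": 10, "C": 10}
    pct_low = {t: 0 for t in ACCESS_TYPES}
    wide_mask = "(S:RWED,O:RWED,G:RE,W:E)"   # world execute exceeds ABSOLUTHI
    absolute = absolute_violations(wide_mask, low, high)
    by_uic = percent_violations(percent_access(USERS, owner, high), pct_low, pct_high)
    acl = [("STAFF", "RWED")]                # constructed ACE the mask does not show
    with_acl = percent_violations(percent_access(USERS, owner, high, acl), pct_low, pct_high)
    return absolute, by_uic, with_acl
```

In demo() the mask set exactly to the default ABSOLUTHI passes both the absolute and the percent tests, but adding a single ACE on the STAFF identifier, which ABSOLUTLO and ABSOLUTHI never look at, pushes READ, WRITE and DELETE far past the 10 percent limits and is caught only by PERCENTHI. Because the percent tests divide by the number of usernames, the 1 and 10 percent defaults are only meaningful on systems with many more accounts than the handful expected to hold access.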
Ensure that specification of Erase On Delete for disk volumes conforms to local policy.
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Erase On Delete is enabled in violation of policy |
| REQUIRED | Erase On Delete is disabled in violation of policy |
When Erase On Delete is specified for a disk volume, all files deleted from that volume will have their disk space overwritten with a system-specified pattern.