Note that this is different from setting individual files to be erased on deletion.
Default policy: Use of Erase On Delete is neither prohibited nor required.
Customizing: Set the limit for DISK_ERASEDELET_REQUIRED to TRUE in order to require all disk volumes to be set for Erase On Delete.
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | FALSE |
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>,<volume-name> |
| REQUIRED | FALSE or TRUE | <node>,<volume-name> |
Ensure that protections on files not covered by other file protection elements fall within the restrictions set by policy.
| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | Access is narrower than permitted by policy |
| ABSOLUTHI | Access is wider than permitted by policy |
| NOSYSOWNER | File is owned by a system UIC in violation of policy |
| PERCENTLO | Fewer users can access than permitted by policy |
| PERCENTHI | More users can access than permitted by policy |
| SYSOWNER | File is not owned by a system UIC in violation of policy |
| VERSIONMAX | File version number is higher than allowed by policy |
If a file's protection setting is not restrictive enough, unauthorized users will be able to read, write, execute, or delete the file in question. If the setting is too restrictive, users generally find a less acceptable way of sharing information to get their job done. Typically, they share their password or make an unauthorized copy of the file somewhere else.
The purpose of this test is to ensure that file protection settings are within the limits set by the security manager.
The ABSOLUTLO and ABSOLUTHI tests measure the UIC-based protection mask directly. The PERCENTLO and PERCENTHI tests measure the result of protection (including ACL protection) in terms of the percentage of usernames given access.
Violations of protection-related DISK facility elements that concern only the writeability of CD-ROM disks are not reported, because the apparent writeability is just an illusion.
Default policy: The file protection setting must allow at least the system to read, write, access, and delete the file. By default, the weakest acceptable file setting allows the system and owner to read, write, execute, and delete the file, and also allows other users in the owner's UIC group to read and execute the file. By default, other users outside the owner's group are allowed NO access to the file. By default, a minimum of 0 percent of users must have access and a maximum of 10 percent of users may have access.
Customizing: Limits for constraints ABSOLUTLO and ABSOLUTHI take the same form as a standard VMS file protection setting. The syntax for this is explained in some detail in VMS documentation. The default settings shown in the limits table below are good examples of how to specify which class of users are allowed which type of access. These are the codes involved:
| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | Any Protection | (S:RWED,O,G,W) |
| ABSOLUTHI | Any Protection | (S:RWED,O:RWED,G:RE,W) |
| NOSYSOWNER | FALSE or TRUE | FALSE |
| PERCENTLO | 0-100 | 0 |
| PERCENTHI | 0-100 | 10 |
| SYSOWNER | FALSE or TRUE | FALSE |
| VERSIONMAX | 0-32767 | 0 |
| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | Any Protection | <node>, <filespec> |
| ABSOLUTHI | Any Protection | <node>, <filespec> |
| NOSYSOWNER | FALSE or TRUE | <node>,<filespec> |
| PERCENTLO | 0-100 | <node>, <filespec> |
| PERCENTHI | 0-100 | <node>, <filespec> |
| SYSOWNER | FALSE or TRUE | <node>,<filespec> |
| VERSIONMAX | 0-32767 | <node>,<filespec> |
Ensure that protections on files in SYS$HELP and SYS$LIBRARY fall within the restrictions set by policy.
| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | Access is narrower than permitted by policy |
| ABSOLUTHI | Access is wider than permitted by policy |
| NOSYSOWNER | File is owned by a system UIC in violation of policy |
| PERCENTLO | Fewer users can access than permitted by policy |
| PERCENTHI | More users can access than permitted by policy |
| SYSOWNER | File is not owned by a system UIC in violation of policy |
| VERSIONMAX | File version number is higher than allowed by policy |
If a file's protection setting is not restrictive enough, unauthorized users will be able to read, write, execute, or delete the file in question. If the setting is too restrictive, users generally find a less acceptable way of sharing information to get their job done. Typically, they share their password or make an unauthorized copy of the file somewhere else.
The purpose of this test is to ensure that file protection settings are within the limits set by the security manager.
The ABSOLUTLO and ABSOLUTHI tests measure the UIC-based protection mask directly. The PERCENTLO and PERCENTHI tests measure the result of protection (including ACL protection) in terms of the percentage of usernames given access.
Violations of protection-related DISK facility elements that concern only the writeability of CD-ROM disks are not reported, because the apparent writeability is just an illusion.
Default policy: Files have a system owner. The file protection setting must allow at least the system to read, write, access, and delete the file. By default, the weakest acceptable file setting allows the system and owner to read, write, execute, and delete the file, and also allows other users in the owner's UIC group to read and execute the file. By default, other users outside the owner's group are allowed NO access to the file. By default, a minimum of 0 percent of users must have access and a maximum of 10 percent of users may have access.
Customizing: Limits for constraints ABSOLUTLO and ABSOLUTHI take the same form as a standard VMS file protection setting. The syntax for this is explained in some detail in VMS documentation. The default settings shown in the limits table below are good examples of how to specify which class of users are allowed which type of access. These are the codes involved:
| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | Any Protection | (S:RWED,O,G,W) |
| ABSOLUTHI | Any Protection | (S:RWED,O:RWED,G:RE,W:RE) |
| NOSYSOWNER | FALSE or TRUE | FALSE |
| PERCENTLO | 0-100 | 0 |
| PERCENTHI | 0-100 | 100 |
| SYSOWNER | FALSE or TRUE | TRUE |
| VERSIONMAX | 0-32767 | 0 |
| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | Any Protection | <node>, <filespec> |
| ABSOLUTHI | Any Protection | <node>, <filespec> |
| NOSYSOWNER | FALSE or TRUE | <node>, <filespec> |
| PERCENTLO | 0-100 | <node>, <filespec> |
| PERCENTHI | 0-100 | <node>, <filespec> |
| SYSOWNER | FALSE or TRUE | <node>, <filespec> |
| VERSIONMAX | 0-32767 | <node>,<filespec> |
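
The ABSOLUTLO and ABSOLUTHI tests described in the two file-protection sections above can be illustrated with the following added example, which is not code from the product this page documents. It assumes the bounds are compared category by category as sets of access letters, and that a category written without letters grants no access; the sample masks are constructed.

```python
NAMES = ("SYSTEM", "OWNER", "GROUP", "WORLD")

# Default limits quoted from the limits tables on this page (lower, upper).
GENERAL_FILES = ("(S:RWED,O,G,W)", "(S:RWED,O:RWED,G:RE,W)")
HELP_AND_LIBRARY = ("(S:RWED,O,G,W)", "(S:RWED,O:RWED,G:RE,W:RE)")


def parse_protection(mask):
    """Parse a mask such as '(S:RWED,O:RWED,G:RE,W)' into {category: access set}."""
    text = mask.strip().upper()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError(f"protection must be parenthesised: {mask!r}")
    parsed = {name: set() for name in NAMES}  # assumption: omitted = no access
    seen = set()
    for field in text[1:-1].split(","):
        category, _, letters = field.strip().partition(":")
        # Categories may be abbreviated (S, O, G, W) or spelled out.
        name = next((n for n in NAMES if category and n.startswith(category)), None)
        if name is None or name in seen or not set(letters) <= set("RWED"):
            raise ValueError(f"bad protection field {field!r} in {mask!r}")
        seen.add(name)
        parsed[name] = set(letters)
    return parsed


def _letters(access):
    """Render an access set in the conventional R, W, E, D order."""
    return "".join(ch for ch in "RWED" if ch in access)


def check_file(protection, absolutlo, absoluthi):
    """Return (constraint, category, access) for each bound the mask breaks."""
    actual, low, high = (parse_protection(m) for m in (protection, absolutlo, absoluthi))
    violations = []
    for name in NAMES:
        missing = low[name] - actual[name]  # access the lower bound demands
        if missing:
            violations.append(("ABSOLUTLO", name, _letters(missing)))
    for name in NAMES:
        extra = actual[name] - high[name]  # access beyond the upper bound
        if extra:
            violations.append(("ABSOLUTHI", name, _letters(extra)))
    return violations


if __name__ == "__main__":
    # Constructed sample masks, not taken from a real system.
    for mask in ("(S:RWED,O:RWED,G:RE,W:RE)", "(S:RE,O:RWED,G,W)"):
        print(mask, check_file(mask, *GENERAL_FILES), check_file(mask, *HELP_AND_LIBRARY))
```

A world-readable file breaks ABSOLUTHI under the general default but passes under the SYS$HELP and SYS$LIBRARY default, whose upper bound allows W:RE.
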
Ensure that specification of File Highwater Marking for disk volumes conforms to local policy.
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | File Highwater Marking is enabled in violation of policy |
| REQUIRED | File Highwater Marking is disabled in violation of policy |
When File Highwater Marking is specified for a disk volume, users are prevented from reading the previous contents of space now allocated to their files.
Default policy: Use of File Highwater Marking is required.
Customizing: Change the DISK_HIGHWATER_REQUIRED limit to FALSE or add exemptions if File Highwater Marking causes severe performance problems because systems are still running VMS V4.
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>,<volume-name> |
| REQUIRED | FALSE or TRUE | <node>,<volume-name> |
Under VMS V5, the "erase on extend" implementation is still used for relative and indexed files, but the overhead it introduces is not usually noticed because of the overhead already present in creating or extending relative and indexed files.
Ensure that unauthorized images are not installed.
| Constraint | Nature of the violation |
|---|---|
| CHECKSUM | Installed image not checksummed in violation of policy |
| PROHIBITED | Image Installation in violation of policy |
Installation of a shareable image declares it "trusted" and accessible by privileged programs. This test can be used to ensure that only authorized programs are installed.
Exemptions within the (DISK, CHECKSUM) element specify checksum values for particular files on disk. The test for the CHECKSUM constraint within this facility determines whether such an exemption has been established for all installed images on the system.
Default policy: Image installation is not prohibited.
Customizing: Setting the DISK_INSTALLED_PROHIBITED limit to TRUE should be accompanied by establishment of corresponding exemptions for images whose installation is acceptable (many of which are supplied by VMS and layered products).
| Constraint | Value | Default |
|---|---|---|
| CHECKSUM | FALSE or TRUE | FALSE |
| PROHIBITED | FALSE or TRUE | FALSE |
| Constraint | Value | Parameters |
|---|---|---|
| CHECKSUM | FALSE or TRUE | <node>,<filespec> |
| PROHIBITED | FALSE or TRUE | <node>,<filespec> |
Ensure that unauthorized images are not installed with privilege.
| Constraint | Nature of the violation |
|---|---|
| CHECKSUM | Image installed with privilege not checksummed in violation of policy |
| PRIVPROHIB | Image installation with privilege in violation of policy |
| ABSOLUTHI | Image installation at higher level than maximum in the policy |
Installation of an executable image with privilege allows unprivileged users to perform privileged operations when running the program. Such programs must be carefully constructed to ensure that only the designed functions can be performed. Installation of a program with privilege when it was not designed to be installed with privilege is a major security hazard. This test can be used to ensure that only authorized programs are installed with privilege.
Exemptions within the (DISK, CHECKSUM) element specify checksum values for particular files on disk. The test for the CHECKSUM constraint within this facility determines whether such an exemption has been established for all files on the system that are installed with privilege.
Default policy: Installing images with privilege is not prohibited.
Customizing: Setting limits should be accompanied by establishment of corresponding exemptions for images whose installation with privilege is acceptable (many of which are supplied by VMS and layered products).
Selector: Limits and exemptions for test PRIVPROHIB can take a selector consisting of a privilege name. Thus, it can be set once for each possible privilege. When using the Command Interface, if you do not specify a selector when changing the limit or exemptions, your change applies to all privileges.
| Constraint | Value | Default |
|---|---|---|
| CHECKSUM | FALSE or TRUE | FALSE |
| PRIVPROHIB | FALSE or TRUE | FALSE |
| ABSOLUTHI | Category-None to Category-All | Category-All |
| Constraint | Value | Parameters |
|---|---|---|
| CHECKSUM | FALSE or TRUE | <node>,<filespec> |
| PRIVPROHIB | FALSE or TRUE | <node>,<filespec> |
| ABSOLUTHI | Category-None to Category-All | <node>,<filespec> |
The test ABSOLUTHI is sufficient to express simpler limitations based on privilege level.
If a more complicated selection of privileges is required, it may be necessary to use the test PRIVPROHIB.