LJK/Security Reference Manual
INSTPROT
Ensure that unauthorized images are not installed as protected.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| CHECKSUM | Image installed as protected not checksummed in violation of policy |
| PROHIBITED | Image installation as protected in violation of policy |
Description
Installation of a shareable image as protected enables any user-written
system services it contains, so that they can execute in Executive or
Kernel mode and thus gain access to privileges. This test can be used to
ensure that only authorized programs are installed as protected.

Exemptions within the (DISK, CHECKSUM) element specify checksum values
for particular files on disk. The test for the CHECKSUM constraint
within this facility determines whether such an exemption has been
established for every file on the system that is installed as protected.

Default policy
Installation of images as protected is not prohibited.

Customizing
Setting the DISK_INSTPROT_PROHIBITED limit to TRUE should be accompanied
by establishing corresponding exemptions for images whose installation
as protected is acceptable (many of which are supplied by VMS and
layered products).
Limits

| Constraint | Value | Default |
|---|---|---|
| CHECKSUM | FALSE or TRUE | FALSE |
| PROHIBITED | FALSE or TRUE | FALSE |
Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| CHECKSUM | FALSE or TRUE | <node>,<filespec> |
| PROHIBITED | FALSE or TRUE | <node>,<filespec> |
Practical considerations
These images are also known as "privileged shareable images". Tracking
all images allowed to be installed as protected can be a considerable
effort.
INSTUSRDIR
Ensure that images are not installed from directories writable by
unprivileged users.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Image installation from user directory in violation of policy |
Description
Installation of an image from a directory tree which can be written by
an unprivileged user (that is, one without the privileges required to
install images) allows that user to subvert the installation process by
substituting a different image before the next system boot (since
installation is generally done automatically on boot).
Default policy
Installation of images from user directories is prohibited.

Customizing
Customizing to permit certain images to be installed from user
directories is generally inappropriate.

Limits

| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | TRUE |
Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>,<filespec> |
Practical considerations
There may be complaints for cases where certain images are being
installed only for performance reasons. In such cases, a mechanism for
turning those programs over to system administrators when they are
revised should be devised. Such a mechanism should obviously include
code review for security purposes. This is an unfortunate situation,
but VMS does not distinguish between images installed for performance
purposes and images installed for security purposes.
INSTUSRFIL
Ensure that images which can be written by unprivileged users are not
installed.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Installation of user image in violation of policy |
Description
Installation of an image which can be written by an unprivileged user
(that is, one without the privileges required to install images) allows
that user to subvert the installation process by substituting a
different image before the next system boot (since installation is
generally done automatically on boot).
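The INSTUSRDIR and INSTUSRFIL descriptions above share one idea: an installed image is only as trustworthy as the least-protected directory on the path to it, plus the image file itself. The following Python is an added example (not LJK code and not taken from this manual) that models both checks over a constructed installed-image list. It walks each VMS file specification from the volume's master file directory ([000000]) down to the image, reports INSTUSRDIR for a writable directory in that chain and INSTUSRFIL for a writable image file, and honours per-constraint exemptions. The owner UICs, protection records, the MAXSYSGROUP value and the writability rule (a non-system owner, or World write in the UIC-based mask) are this example's assumptions; the manual does not state how the product itself decides writability.

```python
"""Added example: a model of the LJK INSTUSRDIR and INSTUSRFIL checks.

Not LJK code. Every installed image is walked from the volume's master
file directory ([000000]) down to the image file. A directory in that
chain that an unprivileged user can write is reported as INSTUSRDIR; an
image file an unprivileged user can write is reported as INSTUSRFIL.
All records below (installed images, owners, protections) are constructed.
"""
import re

# VMS treats UIC groups at or below the MAXSYSGROUP system parameter as
# system UICs. 8 (octal 10) is the usual default; assumed here.
MAXSYSGROUP = 8

# Full file specification: DEVICE:[DIR.SUBDIR]NAME.TYPE;VERSION
FILESPEC = re.compile(
    r"^(?P<dev>[A-Z0-9$_]+):\[(?P<dir>[A-Z0-9$_.]+)\]"
    r"(?P<name>[A-Z0-9$_]+\.[A-Z0-9$_]+)(?:;\d+)?$",
    re.IGNORECASE,
)


def parse_filespec(spec):
    """Split a full VMS file spec into (device, [directory components], name)."""
    m = FILESPEC.match(spec.strip())
    if not m:
        raise ValueError(f"not a full VMS file specification: {spec!r}")
    return (m.group("dev").upper(), m.group("dir").upper().split("."),
            m.group("name").upper())


def directory_chain(device, components):
    """Yield every directory from the MFD down to the file's own directory."""
    yield f"{device}:[000000]"
    if components == ["000000"]:
        return
    for i in range(1, len(components) + 1):
        yield f"{device}:[{'.'.join(components[:i])}]"


def writable_by_unprivileged(owner_uic, protection):
    """Simplified writability rule (this example's assumption, not LJK's).

    A non-system owner holds control access and can grant itself write, so
    ownership alone decides; otherwise only World write reaches users
    outside the system UIC groups. ACLs are ignored in this model.
    """
    group, _member = owner_uic
    return group > MAXSYSGROUP or "W" in protection["W"]


def check_installed(installed, directories, files, exemptions):
    """Return {image: [violated constraints]} for every non-clean image."""
    report = {}
    for spec in installed:
        device, components, _name = parse_filespec(spec)
        found = []
        for d in directory_chain(device, components):
            if d not in directories:
                raise KeyError(f"no directory record for {d}")
            if writable_by_unprivileged(*directories[d]):
                found.append("INSTUSRDIR")
                break  # one writable directory already lets the image be replaced
        if writable_by_unprivileged(*files[spec]):
            found.append("INSTUSRFIL")
        found = [c for c in found if spec not in exemptions.get(c, set())]
        if found:
            report[spec] = found
    return report


# Constructed records: spec -> (owner UIC (group, member), protection mask
# already split by category: S/O/G/W -> access letters granted).
_SYS = {"S": "RWE", "O": "RWE", "G": "RE", "W": "RE"}
DIRECTORIES = {
    "DISK$SYS:[000000]": ((1, 4), _SYS),
    "DISK$SYS:[SYS0]": ((1, 4), _SYS),
    "DISK$SYS:[SYS0.SYSEXE]": ((1, 4), _SYS),
    "DISK$USER:[000000]": ((1, 4), _SYS),
    "DISK$USER:[ALICE]": ((200, 1), _SYS),        # user-owned directory
    "DISK$USER:[ALICE.TOOLS]": ((200, 1), _SYS),
    "DISK$USER:[PROJ]": ((1, 4), _SYS),
}
FILES = {
    "DISK$SYS:[SYS0.SYSEXE]MAIL.EXE":
        ((1, 4), {"S": "RWED", "O": "RWED", "G": "RE", "W": "RE"}),
    "DISK$USER:[ALICE.TOOLS]FASTSORT.EXE":
        ((200, 1), {"S": "RWED", "O": "RWED", "G": "RE", "W": "RE"}),
    "DISK$USER:[PROJ]REPORT.EXE":                  # World-writable image
        ((1, 4), {"S": "RWED", "O": "RWED", "G": "RE", "W": "RWE"}),
}
INSTALLED = list(FILES)
# Exemption granted for FASTSORT's own file protection only, not its directory.
EXEMPTIONS = {"INSTUSRFIL": {"DISK$USER:[ALICE.TOOLS]FASTSORT.EXE"}}

if __name__ == "__main__":
    report = check_installed(INSTALLED, DIRECTORIES, FILES, EXEMPTIONS)
    for image, violations in report.items():
        print(image, ", ".join(violations))
```

With the constructed records, MAIL.EXE is clean, FASTSORT.EXE is reported for INSTUSRDIR only (its INSTUSRFIL finding is exempted) and REPORT.EXE is reported for INSTUSRFIL because its World field grants write. The walk stops at the first writable directory, since one such directory is already enough for the substitution the description warns about.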
Default policy
Installation of images writable by unprivileged users is prohibited.

Customizing
Customizing to permit certain images to be installed when writable by
unprivileged users is generally inappropriate.

Limits

| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | TRUE |
Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>,<filespec> |
Practical considerations
There may be complaints for cases where certain images are being
installed only for performance reasons. In such cases, a mechanism for
turning those programs over to system administrators when they are
revised should be devised. Such a mechanism should obviously include
code review for security purposes. This is an unfortunate situation,
but VMS does not distinguish between images installed for performance
purposes and images installed for security purposes.
MAILPROT
Ensure that protections on all mail files fall within the restrictions
set by policy.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | Access is narrower than permitted by policy |
| ABSOLUTHI | Access is wider than permitted by policy |
| NOSYSOWNER | File is owned by a system UIC in violation of policy |
| PERCENTLO | Fewer users can access than permitted by policy |
| PERCENTHI | More users can access than permitted by policy |
| SYSOWNER | File is not owned by a system UIC in violation of policy |
| VERSIONMAX | File version number is higher than allowed by policy |
Description
If a mail file's protection setting is not restrictive enough,
unauthorized users will be able to read, write, execute, or delete the
mail file in question. If the setting is too restrictive, users
generally find a less acceptable way of sharing information to get
their job done. Typically, they share their password or make an
unauthorized copy of the mail file somewhere else.

The purpose of this test is to ensure that mail file protection
settings are within the limits set by the security manager.

The ABSOLUTLO and ABSOLUTHI tests measure the UIC-based protection mask
directly. The PERCENTLO and PERCENTHI tests measure the result of
protection (including ACL protection) in terms of the percentage of
usernames given access.

Violations for protection-related DISK facility elements are not
reported when they concern only the writeability of CDROM disks, since
the apparent writeability is an illusion.
Default policy
Mail files do not have a system UIC as owner.

The mail file protection setting must allow at least the system to read
and write the file. By default, the weakest acceptable mail file setting
allows the system and owner to read and write the mail file. By
default, other users are allowed NO access to the mail file.

By default, a minimum of 0 percent of users must have access and a
maximum of 1 percent of users may have access.

Customizing
Limits for constraints ABSOLUTLO and ABSOLUTHI take the same form as a
standard VMS file protection setting. The syntax for this is explained
in some detail in the VMS documentation. The default settings shown in
the limits table below are good examples of how to specify which class
of users is allowed which type of access. These are the codes involved:

- S=System account (or users with the SYSPRV privilege)
- O=Owner of the file
- G=Group (i.e., other users in the same UIC group as the owner)
- W=World (i.e., all other users)
- R=Read
- W=Write
- E=Execute
- D=Delete
Selector
Limits for constraints PERCENTLO and PERCENTHI can take a selector
consisting of a VMS file access type: READ, WRITE, EXECUTE, DELETE or
CONTROL. If no selector is specified, customization commands apply to
all possible selector values.

Limits

| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | Any Protection | (S:RW,O:RW,G,W) |
| ABSOLUTHI | Any Protection | (S:RW,O:RW,G,W) |
| NOSYSOWNER | FALSE or TRUE | TRUE |
| PERCENTLO | 0-100 | 0 |
| PERCENTHI | 0-100 | 1 |
| SYSOWNER | FALSE or TRUE | FALSE |
| VERSIONMAX | 0-32767 | 0 |
Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | Any Protection | <node>, <volume-name> |
| ABSOLUTHI | Any Protection | <node>, <volume-name> |
| NOSYSOWNER | FALSE or TRUE | <node>,<filespec> |
| PERCENTLO | Percent/0-n | <node>, <device-name> |
| PERCENTHI | Percent/0-n | <node>, <device-name> |
| SYSOWNER | FALSE or TRUE | <node>,<filespec> |
| VERSIONMAX | 0-32767 | <node>,<filespec> |
Practical considerations
There is generally no need for sharing access to mail files, but in
certain cases an exemption may be in order.
DISKMOUNT
Ensure that only authorized disks are currently mounted.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| GRPFORBID | Unauthorized disk is mounted /GROUP |
| SYSFORBID | Unauthorized disk is mounted /SYSTEM |
| USERFORBID | Unauthorized disk is mounted privately |
Description
These tests ensure that any mounted disks have authorized names (as
indicated by the presence of an exemption).

Default policy
By default, (DISK,DISKMOUNT,*) tests are not enabled.

Customizing
Exemptions for (DISK,DISKMOUNT,*) tests are also honored for
(USAGE,DISKMOUNT,*) tests.

Limits

| Constraint | Value | Default |
|---|---|---|
| GRPFORBID | FALSE or TRUE | FALSE |
| SYSFORBID | FALSE or TRUE | FALSE |
| USERFORBID | FALSE or TRUE | FALSE |
Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| GRPFORBID | FALSE or TRUE | <node>,<filespec> |
| SYSFORBID | FALSE or TRUE | <node>,<filespec> |
| USERFORBID | FALSE or TRUE | <node>,<filespec> |
Practical considerations
Enable these tests only when also adding exemptions.
NOTESPROT
Ensure that DECnotes conference files are protected within the limits
set by the security policy.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | Access is narrower than permitted by policy |
| ABSOLUTHI | Access is wider than permitted by policy |
| NOSYSOWNER | File is owned by a system UIC in violation of policy |
| PERCENTLO | Fewer users can access than permitted by policy |
| PERCENTHI | More users can access than permitted by policy |
| SYSOWNER | File is not owned by a system UIC in violation of policy |
| VERSIONMAX | File version number is higher than allowed by policy |
Description
DECnotes conferences have special protection setting requirements in
order to remain secure. Although nominally such conferences can be
written to by multiple users, the secure method of using DECnotes
involves forcing use of the DECnotes server, so that modification of
conference files is done only through the DECnotes software rather than
some other program possibly written for the purpose.

The purpose of this test is to ensure that DECnotes server use is
required in order to write to conferences.

The ABSOLUTLO and ABSOLUTHI tests measure the UIC-based protection mask
directly. The PERCENTLO and PERCENTHI tests measure the result of
protection (including ACL protection) in terms of the percentage of
usernames given access.

Violations for protection-related DISK facility elements are not
reported when they concern only the writeability of CDROM disks, since
the apparent writeability is an illusion.

Notes files are owned by a system UIC.
Default policy
The most restrictive permitted setting will allow only users with
SYSPRV privilege to Read, Write, Execute, or Delete the conference.

Also, by default, the least restrictive permitted setting will allow
the owner and users with SYSPRV privilege to Read, Write, Execute, or
Delete the conference. Access by other users to DECnotes conferences is
done by invocation of the DECnotes server image, in accordance with
internal DECnotes data regarding which users are allowed access. The
DECnotes server runs in an account which has Access Control List
entries associated with properly protected DECnotes conference files.

By default, a minimum of 0 percent of users must have access and a
maximum of 10 percent of users may have access.

Customizing
Minimum and maximum settings (i.e., least protective and most
protective settings) can be set using the same syntax as that used for
file protection. See the default settings in the limits table below for
examples of the syntax used in these settings. For details, see the VMS
documentation set.

Selector
Limits for constraints PERCENTLO and PERCENTHI can take a selector
consisting of a VMS file access type: READ, WRITE, EXECUTE, DELETE or
CONTROL. If no selector is specified, customization commands apply to
all possible selector values.
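MAILPROT and NOTESPROT evaluate the same four protection constraints: ABSOLUTLO and ABSOLUTHI compare the UIC-based mask (in the S/O/G/W, R/W/E/D notation explained under MAILPROT) against a narrowest and a widest permitted setting, and PERCENTLO and PERCENTHI count the share of usernames that actually get a given access once ACL entries are taken into account. The Python below is an added example serving both elements; it is not LJK code and not taken from this manual. It parses protection masks, reports ABSOLUTLO/ABSOLUTHI violations by per-category set comparison (this example's reading of "narrower" and "wider"), and computes the percentage metric over a constructed user list with a simplified VMS access rule (a matching ACE that grants the access wins, otherwise every UIC category the user falls into is consulted). The users, files, ACL identifier and the `check_file` helper are constructed for the example.

```python
"""Added example: model of the ABSOLUTLO/ABSOLUTHI and PERCENTLO/PERCENTHI
constraints used by MAILPROT and NOTESPROT. Not LJK code.
Users, files and ACL entries below are constructed sample data.
"""
from dataclasses import dataclass, field

CATEGORIES = ("S", "O", "G", "W")   # System, Owner, Group, World
ACCESS_BITS = "RWED"                # Read, Write, Execute, Delete


def parse_protection(mask):
    """Parse "(S:RWED,O:RWED,G:RE,W)" into {category: set of access letters}.
    A category with no ":" part (e.g. "G") grants no access."""
    prot = {c: set() for c in CATEGORIES}
    seen = set()
    for part in mask.strip().strip("()").split(","):
        cat, _, bits = part.strip().upper().partition(":")
        if cat not in CATEGORIES or cat in seen:
            raise ValueError(f"bad or repeated category in {mask!r}: {cat!r}")
        if any(b not in ACCESS_BITS for b in bits):
            raise ValueError(f"bad access letter in {mask!r}: {bits!r}")
        seen.add(cat)
        prot[cat] = set(bits)
    return prot


def absolute_violations(actual, lo, hi):
    """Constraints violated by 'actual' against the narrowest (lo) and widest
    (hi) permitted settings. Assumed reading: every category must grant at
    least what lo grants and no more than hi grants."""
    a, l, h = (parse_protection(m) for m in (actual, lo, hi))
    found = []
    if any(not l[c] <= a[c] for c in CATEGORIES):
        found.append("ABSOLUTLO")   # access narrower than permitted
    if any(not a[c] <= h[c] for c in CATEGORIES):
        found.append("ABSOLUTHI")   # access wider than permitted
    return found


@dataclass
class User:
    name: str
    uic_group: int                       # group half of [group,member]
    sysprv: bool = False
    identifiers: set = field(default_factory=set)


@dataclass
class File:
    protection: str                      # e.g. "(S:RW,O:RW,G,W)"
    owner: str
    owner_group: int
    acl: list = field(default_factory=list)   # [(identifier, access letters)]


def user_has_access(user, f, access):
    """Simplified VMS access check: a matching ACE that grants the access
    wins; otherwise the union of every applicable UIC category decides
    (everyone falls into World, SYSPRV holders also into System)."""
    for ident, bits in f.acl:
        if ident in user.identifiers and access in bits.upper():
            return True
    prot = parse_protection(f.protection)
    granted = set(prot["W"])
    if user.sysprv:
        granted |= prot["S"]
    if user.name == f.owner:
        granted |= prot["O"]
    if user.uic_group == f.owner_group:
        granted |= prot["G"]
    return access in granted


def percent_with_access(users, f, access="R"):
    """Share of usernames granted 'access': the PERCENTLO/PERCENTHI metric."""
    if not users:
        return 0.0
    return 100.0 * sum(user_has_access(u, f, access) for u in users) / len(users)


def check_file(f, users, lo, hi, pct_lo, pct_hi, access="R"):
    """Evaluate one file against the four constraints; returns violated names."""
    violations = absolute_violations(f.protection, lo, hi)
    pct = percent_with_access(users, f, access)
    if pct < pct_lo:
        violations.append("PERCENTLO")
    if pct > pct_hi:
        violations.append("PERCENTHI")
    return violations


# Constructed sample: four accounts and two files.
SAMPLE_USERS = [
    User("SYSTEM", 1, sysprv=True),
    User("ALICE", 200),
    User("BOB", 200),
    User("CAROL", 300, identifiers={"NOTES$SERVER"}),
]
# Mail file that leaks read access to the owner's UIC group.
MAIL_FILE = File("(S:RW,O:RW,G:R,W)", owner="ALICE", owner_group=200)
# Conference file at the NOTESPROT defaults, reachable only via an ACE held
# by the (constructed) server identifier.
NOTES_FILE = File("(S:RWED,O:RWED,G,W)", owner="SYSTEM", owner_group=1,
                  acl=[("NOTES$SERVER", "RWED")])

if __name__ == "__main__":
    print("MAIL", check_file(MAIL_FILE, SAMPLE_USERS,
                             "(S:RW,O:RW,G,W)", "(S:RW,O:RW,G,W)", 0, 1))
    print("NOTES", check_file(NOTES_FILE, SAMPLE_USERS,
                              "(S:RW,O,G,W)", "(S:RWED,O:RWED,G,W)", 0, 10))
```

Against the MAILPROT defaults the mail file fails ABSOLUTHI (G:R is wider than the permitted G) and PERCENTHI (three of four sample users can read it). The conference file satisfies both absolute bounds from the NOTESPROT limits table, but with only four constructed users the two readers (SYSTEM and the server identifier) already exceed the 10 percent ceiling, which is why the percentage constraints are meant to be tuned to the real size of the user population.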
Limits

| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | Any Protection | (S:RW,O,G,W) |
| ABSOLUTHI | Any Protection | (S:RWED,O:RWED,G,W) |
| NOSYSOWNER | FALSE or TRUE | FALSE |
| PERCENTLO | 0-100 | 0 |
| PERCENTHI | 0-100 | 10 |
| SYSOWNER | FALSE or TRUE | TRUE |
| VERSIONMAX | 0-32767 | 0 |
Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | Any Protection | <node>, <filespec> |
| ABSOLUTHI | Any Protection | <node>, <filespec> |
| NOSYSOWNER | FALSE or TRUE | <node>,<filespec> |
| PERCENTLO | 0-100 | <node>, <filespec> |
| PERCENTHI | 0-100 | <node>, <filespec> |
| SYSOWNER | FALSE or TRUE | <node>,<filespec> |
| VERSIONMAX | 0-32767 | <node>,<filespec> |
Practical considerations
Access Control Lists are required for granting access through the
DECnotes server. See the DECnotes documentation for details.
OWNER
Ensure that the ownership of each disk volume complies with the
security policy.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| WRONG | Owner of the disk volume is not the system |
Description
If an individual user is the owner of a disk volume, he can make it
unavailable to other users, which is not the usual arrangement in
timesharing systems. On the other hand, he can make it available to
other users to store their data, but the owner of the disk is the de
facto owner of that data, regardless of whether its creators are aware
of that. To meet special needs, this can be a desirable situation, but
the security manager should be aware of it.

The purpose of this test is to make sure that the security manager is
aware of any disks that have non-system ownership.

For limits only (not exemptions), an owner matching string of [SYSTEM]
will match (as a special case) UICs which are represented as [1,4]
(due, for instance, to the absence of a Rights Database
(RIGHTSLIST.DAT)).
Default policy
The owner of every disk volume must be the system.

Customizing
An alternative owner can be specified for any disk volume by setting an
exemption. It is also possible to change the standard owner to be some
account other than the system, by changing the limit for this test.

Limits

| Constraint | Value | Default |
|---|---|---|
| WRONG | Any Identifier | [SYSTEM] |
Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| WRONG | Any Identifier | <node>, <volume-name> |
Practical considerations
In most cases, system ownership for disk volumes is quite sufficient.
Individual users can still be owners of particular files on that disk.