Ensure that disk volumes have protection settings that fall within the restrictions of the security policy.
| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | Access is narrower than permitted by policy |
| ABSOLUTHI | Access is wider than permitted by policy |
| PERCENTLO | Fewer users can access than permitted by policy |
| PERCENTHI | More users can access than permitted by policy |
Disk volumes, like files and other resources, can be given protection settings. For the same reasons, their protection settings are important to a security manager.

Default policy

The most restrictive volume protection must allow only users with SYSPRV privilege to read, write, execute, or delete files that are stored on the disk volume. In most cases, this will be far too restrictive. On the other hand, by default, the most permissive volume protection setting will allow all users to read, write, execute, and delete files that are on that volume. This might sound too permissive, but it is the one that is usually appropriate for a timesharing system, since it grants users access to any files that individually allow it.

The ABSOLUTLO and ABSOLUTHI tests measure the UIC-based protection mask directly. The PERCENTLO and PERCENTHI tests measure the result of protection (including ACL protection) in terms of the percentage of usernames given access.
Violations of protection-related DISK facility elements that concern only the writeability of CDROM disks are not reported, since the apparent writeability is just an illusion.
By default, a minimum of 0 percent of users must have access and a maximum of 100 percent of users may have access.

Customizing

As mentioned above, the default restrictive limit is too restrictive for most cases. It can be eased by changing the ABSOLUTLO limit to allow the owner, group, and world users some degree of access to the disk volume. Similarly, if the default permissive limit is too permissive for your site, you can change it by changing the ABSOLUTHI limit to deny some forms of access to some classes of users (system, owner, group, or world).

selector

Limits for constraints PERCENTLO and PERCENTHI can take a selector consisting of a VMS file access type: READ, WRITE, EXECUTE, DELETE or CONTROL. If no selector is specified, customization commands apply to all possible selector values.
| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | Any Protection | (S:RWED,O,G,W) |
| ABSOLUTHI | Any Protection | (S:RWED,O:RWED,G:RWED,W:RWED) |
| PERCENTLO | 0-100 | 0 |
| PERCENTHI | 0-100 | 100 |
| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | Any Protection | <node>, <volume-name> |
| ABSOLUTHI | Any Protection | <node>, <volume-name> |
| PERCENTLO | 0-100 | <node>, <volume-name> |
| PERCENTHI | 0-100 | <node>, <volume-name> |
Ensure that disk quotas are administered in compliance with security policy and that no single user is capable of filling the disk to a dangerous level.
| Constraint | Nature of the violation |
|---|---|
| COULDFILL | The named user has quota high enough to fill the disk. |
| PROHIBITED | Quotas have been applied to the disk against policy. |
| REQUIRED | Quotas are missing from the disk against policy. |
The VMS operating system handles disk space allocation differently from some others, notably most IBM systems. A quota of 1000 blocks, for example, allows the user to use up to 1000 blocks on the disk if they are available, but the quota itself does not guarantee that 1000 blocks are available.

Default policy

The default policy requires that quotas be enabled on each disk and that no single user be able to fill the disk to the 90% level.

Customizing

If quotas must be enabled on some of your disks, the default settings for PROHIBITED and REQUIRED are correct for those disks.

In most VMS timesharing systems, it is usually practical to assign quotas that total more than the number of blocks that physically exist on the disk. This is because a typical user needs his full quota only for a day or two out of a month or quarter, and can get by with (for instance) half his quota the rest of the time.
Thus, "over-allocating" allows users who are good citizens and who have varying disk requirements to share a disk economically. To guarantee every user an exact number of blocks is possible by limiting the total quotas to the physical size of the disk, but that usually means buying more disks than are justified by the total number of blocks actually in use.
On the other hand, it is appropriate to set up some disks without quotas. A disk that is used for temporary work space by the SORT utility is a good example: the files vary widely in size and user but are deleted promptly after use.
The purpose of this test is to ensure that quotas are enabled or disabled on each disk as planned, and that they have not reached a state in which a single user could fill the disk to a dangerous level and thus limit access by other users.
Disk quota tests will not be applied to the RRD40 or RRD50 CDROM disk drive, since disk quota is not meaningful for a read-only device.
If disk availability is critical on some disks at your site, you might wish to set a lower limit than the default percentage (90) for COULDFILL, such as 75, but this means that you will receive violation reports more frequently. Note that this is only effective when quotas are enabled, so you should also use the TRUE setting for REQUIRED.
If quotas should not be enabled on some of your disks, you should change the PROHIBITED setting to TRUE and the REQUIRED setting to FALSE for those disks.
If you do not wish to monitor quota settings at all, set both PROHIBITED and REQUIRED to FALSE.
| Constraint | Value | Default |
|---|---|---|
| COULDFILL | 0-100 | 90 |
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |
| Constraint | Value | Parameters |
|---|---|---|
| COULDFILL | 0-100 | <node>, <volume-name> |
| PROHIBITED | FALSE or TRUE | <node>, <volume-name> |
| REQUIRED | FALSE or TRUE | <node>, <volume-name> |
Giving any user (for instance, SYSTEM) unlimited quota on their default login disk opens the window for such an attack if the user is enabled to receive mail messages. If there is a true need for a user to have unlimited quota on their default login disk, receipt of mail should be disabled for the username.
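The COULDFILL, PROHIBITED and REQUIRED tests described above, as an added Python example that is not part of the original document or the audit tool: the quota table layout, the use of None for an unlimited quota, and the sample volume and usernames are constructed for illustration.

```python
# Added illustration of the COULDFILL, PROHIBITED and REQUIRED tests described
# above; this is not the audit tool's own code. The quota table is a constructed
# {username: permanent quota in blocks} mapping; None stands for an unlimited
# quota (an encoding assumed here for the example).


def quota_violations(volume, quotas_enabled, disk_blocks, quotas,
                     couldfill=90, prohibited=False, required=True):
    """Apply the quota policy to one volume and return [(constraint, subject)].

    The limits default to the values in the table above. The total of all
    quotas may legitimately exceed disk_blocks (over-allocation); only an
    individual quota that reaches the COULDFILL percentage is a violation.
    """
    violations = []
    if quotas_enabled and prohibited:
        violations.append(("PROHIBITED", volume))
    if not quotas_enabled and required:
        violations.append(("REQUIRED", volume))
    if quotas_enabled:
        # Smallest quota with which one user could fill the disk to the level.
        dangerous = disk_blocks * couldfill / 100
        for user, permquota in sorted(quotas.items()):
            if permquota is None or permquota >= dangerous:
                violations.append(("COULDFILL", user))
    return violations


def overallocation(disk_blocks, quotas):
    """Ratio of total finite quota to physical size; > 1.0 means over-allocated."""
    total = sum(q for q in quotas.values() if q is not None)
    return total / disk_blocks


# Constructed sample: a 1,000,000-block user disk whose quotas are
# over-allocated (as is normal) and which also has two risky entries.
SAMPLE_QUOTAS = {
    "SMITH": 400_000, "JONES": 400_000, "LEE": 400_000,
    "BIGUSER": 950_000,   # alone can fill the disk past 90%
    "SYSTEM": None,       # unlimited quota on a login disk (see the note above)
}
```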
Ensure that protections on all Rdb/VMS files fall within the restrictions set by policy. Rdb/VMS files in this context are all of those with the following file types:
- .RDB
- .SNP
| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | Access is narrower than permitted by policy |
| ABSOLUTHI | Access is wider than permitted by policy |
| NOSYSOWNER | File is owned by a system UIC in violation of policy |
| PERCENTLO | Fewer users can access than permitted by policy |
| PERCENTHI | More users can access than permitted by policy |
| SYSOWNER | File is not owned by a system UIC in violation of policy |
| VERSIONMAX | File version number is higher than allowed by policy |
Rdb/VMS files are normally protected to allow only SYSTEM access, so that even the owner of the database must use DBMS access methods.

Default policy

The Rdb/VMS file protection setting must allow only the system to read and write the Rdb/VMS files.

The ABSOLUTLO and ABSOLUTHI tests measure the UIC-based protection mask directly. The PERCENTLO and PERCENTHI tests measure the result of protection (including ACL protection) in terms of the percentage of usernames given access.
Violations of protection-related DISK facility elements that concern only the writeability of CDROM disks are not reported, since the apparent writeability is just an illusion.
By default, a minimum of 0 percent of users must have access and a maximum of 1 percent of users may have READ, WRITE and CONTROL access, and a maximum of 0 percent of users may have other forms of access.

Customizing

Rdb/VMS access is normally granted only through access control lists within the database, so there should be no need to customize the default limits for this element.

selector

Limits for constraints PERCENTLO and PERCENTHI can take a selector consisting of a VMS file access type: READ, WRITE, EXECUTE, DELETE or CONTROL. If no selector is specified, customization commands apply to all possible selector values.
| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | Any Protection | (S:RW,O,G,W) |
| ABSOLUTHI | Any Protection | (S:RW,O,G,W) |
| NOSYSOWNER | FALSE or TRUE | FALSE |
| PERCENTLO | 0-100 | 0 |
| PERCENTHI | 0-100 | R:1,W:1,E:0,D:0,C:1 |
| SYSOWNER | FALSE or TRUE | FALSE |
| VERSIONMAX | 0-32767 | 0 |
| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | Any Protection | <node>,<filespec> |
| ABSOLUTHI | Any Protection | <node>,<filespec> |
| NOSYSOWNER | FALSE or TRUE | <node>,<filespec> |
| PERCENTLO | 0-100 | <node>,<filespec> |
| PERCENTHI | 0-100 | <node>,<filespec> |
| SYSOWNER | FALSE or TRUE | <node>,<filespec> |
| VERSIONMAX | 0-32767 | <node>,<filespec> |
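The ABSOLUTLO/ABSOLUTHI comparison described for disk volumes above and for Rdb/VMS files here, as an added Python example that is not part of the original document or the audit tool: it assumes protection masks are written in the VMS notation used in the tables, and the sample protections in the tests are constructed.

```python
# Added illustration of the ABSOLUTLO/ABSOLUTHI tests described above for disk
# volumes and Rdb/VMS files; this is not the audit tool's own code. Masks use
# the VMS notation shown in the tables, e.g. "(S:RWED,O:RWED,G:RE,W)"; a class
# listed without ":" grants that class nothing.

CLASSES = ("S", "O", "G", "W")   # System, Owner, Group, World
ACCESS = "RWED"                  # Read, Write, Execute, Delete


def parse_protection(mask: str) -> dict:
    """Return {class: set of access letters} for a VMS protection string."""
    granted = {cls: set() for cls in CLASSES}
    for field in mask.strip().strip("()").split(","):
        field = field.strip().upper()
        if not field:
            continue
        cls, _, rights = field.partition(":")
        if cls not in CLASSES or any(r not in ACCESS for r in rights):
            raise ValueError(f"bad protection field: {field!r}")
        granted[cls] = set(rights)
    return granted


def check_protection(actual: str, absolutlo: str, absoluthi: str) -> list:
    """Compare one volume's (or file's) UIC-based protection with policy.

    ABSOLUTLO: every access in the low mask must be granted (else "narrower").
    ABSOLUTHI: no access outside the high mask may be granted (else "wider").
    Returns [(constraint, class, offending access letters), ...].
    """
    have, lo, hi = (parse_protection(m) for m in (actual, absolutlo, absoluthi))
    violations = []
    for cls in CLASSES:
        missing = lo[cls] - have[cls]
        if missing:
            violations.append(("ABSOLUTLO", cls, "".join(sorted(missing, key=ACCESS.index))))
        extra = have[cls] - hi[cls]
        if extra:
            violations.append(("ABSOLUTHI", cls, "".join(sorted(extra, key=ACCESS.index))))
    return violations


# Default limits from the tables above for the two elements.
VOLUME_DEFAULTS = ("(S:RWED,O,G,W)", "(S:RWED,O:RWED,G:RWED,W:RWED)")
RDB_DEFAULTS = ("(S:RW,O,G,W)", "(S:RW,O,G,W)")
```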
Ensure that use of Volume Shadowing conforms to local policy.
| Constraint | Nature of the violation |
|---|---|
| DATAMAX | Data disk has more shadowing than allowed by policy |
| DATAMIN | Data disk has less shadowing than allowed by policy |
| SYSTEMMAX | System disk has more shadowing than allowed by policy |
| SYSTEMMIN | System disk has less shadowing than allowed by policy |
Shadowing levels are encoded as "number of shadow set members", where 1 means a single-member shadow set and 0 means a disk not in a shadow set.

Default policy

Volume Shadowing is neither prohibited nor required: limits DATAMIN and SYSTEMMIN are set to zero, while limits DATAMAX and SYSTEMMAX are set to 255 (well beyond the maximum shadow set size supported by VMS).

Customizing

To enforce the use of Volume Shadowing, set limits DATAMIN and SYSTEMMIN to the largest number of shadow set members required for any disk volume. Then add exemptions for disk volumes allowed to have a lower number of shadow set members.

To limit the use of Volume Shadowing, set limits DATAMAX and SYSTEMMAX to the smallest number of shadow set members permitted for any disk volume. Then add exemptions for disk volumes allowed to have a higher number of shadow set members.
| Constraint | Value | Default |
|---|---|---|
| DATAMAX | 0 - 255 | 255 |
| DATAMIN | 0 - 255 | 0 |
| SYSTEMMAX | 0 - 255 | 255 |
| SYSTEMMIN | 0 - 255 | 0 |
| Constraint | Value | Parameters |
|---|---|---|
| DATAMAX | 0 - 255 | <node>,<volume-name> |
| DATAMIN | 0 - 255 | <node>,<volume-name> |
| SYSTEMMAX | 0 - 255 | <node>,<volume-name> |
| SYSTEMMIN | 0 - 255 | <node>,<volume-name> |
Ensure that use of protected subsystems conforms to local policy.
| Constraint | Nature of the violation |
|---|---|
| CHECKSUM | Image designated as protected subsystem not checksummed in violation of policy |
| NOFILE | Image designated as protected subsystem in violation of policy |
| PROHIBITED | Disk is mounted /SUBSYSTEM in violation of policy |
| REQUIRED | Disk is mounted /NOSUBSYSTEM in violation of policy |
Exemptions within the (DISK, CHECKSUM) element specify checksum values for particular files on disk. The test for the CHECKSUM constraint within this facility determines whether such an exemption has been established for all images which have been designated as part of a protected subsystem.

Default policy

Use of Erase On Delete is neither prohibited nor required.

Customizing

Limits PROHIBITED and REQUIRED test whether a disk was mounted to honor protected subsystems.

The test for the NOFILE constraint within this facility determines whether any image has a subsystem ACE within its Access Control List.

The tests for the PROHIBITED and REQUIRED constraints within this facility determine whether mounting of disks conforms to policy regarding protected subsystems.

Limit NOFILE can be used to prohibit individual files (for which no exemption has been entered) from having a subsystem ACE within their Access Control List.

Limit CHECKSUM can be used to require individual files which have a subsystem ACE within their Access Control List to also have an exemption within the (DISK, CHECKSUM) element.
| Constraint | Value | Default |
|---|---|---|
| CHECKSUM | FALSE or TRUE | TRUE |
| NOFILE | FALSE or TRUE | FALSE |
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |
| Constraint | Value | Parameters |
|---|---|---|
| CHECKSUM | FALSE or TRUE | <node>,<volume-name> |
| NOFILE | FALSE or TRUE | <node>,<volume-name> |
| PROHIBITED | FALSE or TRUE | <node>,<volume-name> |
| REQUIRED | FALSE or TRUE | <node>,<volume-name> |
Ensure system command procedures are valid.
| Constraint | Nature of the violation |
|---|---|
| CHECKSUM | Command procedure in system directory not checksummed in violation of policy |
Exemptions within the (DISK, CHECKSUM) element specify checksum values for particular files on disk. The test for the CHECKSUM constraint within this facility determines whether such an exemption has been established for all files in the SYS$SYSROOT:[*...] tree with a file type of .COM.

Default policy

Checksums of command procedures in the SYS$SYSROOT:[*...] tree are not required.

Customizing

Setting the (DISK, SYSCOM, CHECKSUM) limit TRUE is appropriate for production environments where system management activities are to be constrained.
| Constraint | Value | Default |
|---|---|---|
| CHECKSUM | FALSE or TRUE | FALSE |
| Constraint | Value | Parameters |
|---|---|---|
| CHECKSUM | FALSE or TRUE | <node>,<filespec> |