LJK/Security Reference Manual
SYSEXE
Ensure system program images are valid.
Violation reports
| Constraint | Nature of the violation |
| CHECKSUM | Image in system directory not checksummed in violation of policy |
Description
Exemptions within the (DISK, CHECKSUM) element specify checksum values for particular files on disk. The test for the CHECKSUM constraint within this facility determines whether such an exemption has been established for every file in the SYS$SYSROOT:[*...] tree with a file type of .EXE; an image with no recorded checksum is reported. Whether the recorded value still matches the image is the business of the (DISK, CHECKSUM) test, not of this one.
Default policy
Checksums of images in the SYS$SYSROOT:[*...] tree are required.
Customizing
Setting the (DISK, SYSEXE, CHECKSUM) limit TRUE is appropriate for most environments, since upgrading to a new version of a layered product should be done in a controlled fashion: an image that appears in the system tree without anyone having recorded its checksum is exactly what this test exists to surface.
Limits
| Constraint | Value | Default |
| CHECKSUM | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
| CHECKSUM | FALSE or TRUE | <node>,<filespec> |
Practical considerations
After upgrading layered products, the checksums in the policy should be adjusted as soon as possible to match the new values; until then the (DISK, CHECKSUM) test reports every upgraded image as changed. Take the new values from the images the upgrade kit installed, not from an image that was already reported as changed for an unknown reason.
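As an added example, not LJK/Security code, the following Python script separates the two checks the text distinguishes: the SYSEXE CHECKSUM test, which only asks whether every .EXE under the root has a recorded checksum, and the (DISK, CHECKSUM) comparison against the recorded value. The manual does not state the product's checksum algorithm, so SHA-256 stands in for it; the directory tree standing in for SYS$SYSROOT:[*...], the `build_policy` and `audit_images` names and the images written by `demo()` are all constructed here.

```python
"""Audit .EXE images under a system root against a checksum policy.

Illustrative example, not LJK/Security code. SHA-256 stands in for the
product's checksum (not described on the page); the on-disk tree stands in for
SYS$SYSROOT:[*...]; image names are rendered VMS-style as [DIR.SUBDIR]NAME.EXE.
"""
import hashlib
import tempfile
from pathlib import Path


def image_checksum(path):
    """Hash the image in 64 KiB chunks so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def exe_images(root):
    """Yield (vms_style_name, path) for every .EXE file below root, in a stable order."""
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.upper() == ".EXE":
            parts = path.relative_to(root).parts
            directory = ".".join(parts[:-1]).upper() or "000000"
            yield f"[{directory}]{parts[-1].upper()}", path


def build_policy(root):
    """Baseline: record a checksum exemption for every image currently in the tree.
    Do this from a known-good installation, never from a tree already in doubt."""
    return {name: image_checksum(path) for name, path in exe_images(root)}


def audit_images(root, policy):
    """Return sorted (constraint, image) pairs:
      SYSEXE.CHECKSUM  image has no recorded checksum (the test on this page)
      DISK.CHECKSUM    image's checksum differs from the recorded value
      MISSING          policy records an image that is no longer present
    """
    violations, seen = [], set()
    for name, path in exe_images(root):
        seen.add(name)
        expected = policy.get(name)
        if expected is None:
            violations.append(("SYSEXE.CHECKSUM", name))
        elif expected != image_checksum(path):
            violations.append(("DISK.CHECKSUM", name))
    violations.extend(("MISSING", name) for name in set(policy) - seen)
    return sorted(violations)


def demo():
    """Constructed tree: baseline it, then change one image and drop in another
    without updating the policy, as an uncontrolled upgrade would."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "SYSEXE").mkdir()
        (root / "SYSLIB").mkdir()
        (root / "SYSEXE" / "LOGINOUT.EXE").write_bytes(b"constructed image one")
        (root / "SYSEXE" / "AUTHORIZE.EXE").write_bytes(b"constructed image two")
        (root / "SYSLIB" / "README.TXT").write_bytes(b"not an image; ignored")
        policy = build_policy(root)
        assert audit_images(root, policy) == []  # clean baseline
        (root / "SYSEXE" / "AUTHORIZE.EXE").write_bytes(b"constructed image two, patched")
        (root / "SYSEXE" / "ROGUE.EXE").write_bytes(b"constructed image nobody checksummed")
        return audit_images(root, policy)


if __name__ == "__main__":
    for constraint, image in demo():
        print(f"{constraint:16} {image}")
```

Regenerate the policy entries only for the images a controlled upgrade actually shipped; the MISSING class is worth reporting too, since an image that vanishes from the system tree is as much a change as one that appears.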
SYSEXEPROT
Ensure that protections on files with type .EXE in SYS$COMMON:[*] fall
within the restrictions set by policy.
Violation reports
| Constraint | Nature of the violation |
| ABSOLUTLO | Access is narrower than permitted by policy |
| ABSOLUTHI | Access is wider than permitted by policy |
| NOSYSOWNER | File is owned by a system UIC in violation of policy |
| PERCENTLO | Fewer users can access than permitted by policy |
| PERCENTHI | More users can access than permitted by policy |
| SYSOWNER | File is not owned by a system UIC in violation of policy |
| VERSIONMAX | File version number is higher than allowed by policy |
Description
If a file's protection setting is not restrictive enough, unauthorized users will be able to read, write, execute, or delete the file in question. If the setting is too restrictive, users generally find a less acceptable way of sharing information to get their job done: typically they share their password or make an unauthorized copy of the file somewhere else.
The purpose of this test is to ensure that file protection settings are within the limits set by the security manager.
The ABSOLUTLO and ABSOLUTHI tests measure the UIC-based protection mask directly. The PERCENTLO and PERCENTHI tests measure the result of protection (including ACL protection) in terms of the percentage of usernames given access.
Violations of protection-related DISK facility elements that concern only the writeability of files on CD-ROM disks are not reported, since the apparent writeability is an illusion: the medium cannot be written.
Default policy
Files have a system owner.
The file protection setting must allow at least the system to read, write, execute, and delete the file. By default, the most permissive acceptable file setting allows the system and owner to read, write, execute, and delete the file, and also allows other users in the owner's UIC group and the world to read and execute the file.
By default, a minimum of 0 percent of users must have access, a maximum of 100 percent of users may have READ and EXECUTE access, and a maximum of 1 percent may have WRITE, DELETE and CONTROL access.
Customizing
Limits for constraints ABSOLUTLO and ABSOLUTHI take the same form as a standard VMS file protection setting. The syntax for this is explained in some detail in the VMS documentation. The default settings shown in the limits table below are good examples of how to specify which class of users is allowed which type of access. These are the codes involved:
- S=System (users in a system UIC group, or users with the SYSPRV privilege)
- O=Owner of the file
- G=Group (i.e., other users in the same UIC group as the owner)
- W=World (i.e., all other users)
- R=Read
- W=Write
- E=Execute
- D=Delete
The letter W stands for World before the colon and for Write after it; its position in the setting disambiguates it. A category listed without a colon and access letters, as in (S:RWED,O,G,W), grants that category no access, so the ABSOLUTLO default requires only that the system can do everything.
Selector
Limits for constraints PERCENTLO and PERCENTHI can take a selector consisting of a VMS file access type: READ, WRITE, EXECUTE, DELETE or CONTROL. If no selector is specified, customization commands apply to all possible selector values.
Limits
| Constraint | Value | Default |
| ABSOLUTLO | Any Protection | (S:RWED,O,G,W) |
| ABSOLUTHI | Any Protection | (S:RWED,O:RWED,G:RE,W:RE) |
| NOSYSOWNER | FALSE or TRUE | FALSE |
| PERCENTLO | 0-100 | 0 |
| PERCENTHI | 0-100 | R:100,W:1,E:100,D:1,C:1 |
| SYSOWNER | FALSE or TRUE | TRUE |
| VERSIONMAX | 0-32767 | 0 |
Exemptions
| Constraint | Value | Parameters |
| ABSOLUTLO | Any Protection | <node>, <filespec> |
| ABSOLUTHI | Any Protection | <node>, <filespec> |
| NOSYSOWNER | FALSE or TRUE | <node>, <filespec> |
| PERCENTLO | 0-100 | <node>, <filespec> |
| PERCENTHI | 0-100 | <node>, <filespec> |
| SYSOWNER | FALSE or TRUE | <node>, <filespec> |
| VERSIONMAX | 0-32767 | <node>, <filespec> |
Practical considerations
Files of type .EXE in SYS$COMMON:[*] are typically protected to allow execution by users. Some of them, particularly those provided by DEC, also allow Read access by individual users.
6.6 QUEUE tests
Tests in the QUEUE facility deal with print and batch queues.
Exemptions are based on node name and queue name.
ACLIDENT
Ensure that identifier types used in access control lists conform to
policy.
Violation reports
| Constraint | Nature of the violation |
| NOGENERAL | General identifier used in violation of policy |
| NOSYSTEM | System-defined identifier used in violation of policy |
| NOUIC | UIC identifier used in violation of policy |
Description
Use of UIC identifiers directly in access control lists leads to problems if user responsibilities are changed, since control of the access they have been granted is distributed throughout the system rather than held in one place (the rights database), where a general identifier could simply be revoked.
The purpose of this test is to ensure that identifiers used in the Identifier Access Control Entries of queue ACLs are of acceptable types.
Default policy
Identifiers in ACLs must not be UIC identifiers.
Customizing
The options of prohibiting General and System identifiers are provided for flexibility, but are not useful in most circumstances. The main customization which might be desired is to remove the prohibition against the use of UIC identifiers.
Limits
| Constraint | Value | Default |
| NOGENERAL | FALSE or TRUE | FALSE |
| NOSYSTEM | FALSE or TRUE | FALSE |
| NOUIC | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
| NOGENERAL | FALSE or TRUE | <node>, <QUEUE-name> |
| NOSYSTEM | FALSE or TRUE | <node>, <QUEUE-name> |
| NOUIC | FALSE or TRUE | <node>, <QUEUE-name> |
Practical considerations
In cases where existing use of UIC identifiers is pervasive, temporary customization might be required while the ACLs are migrated to general identifiers.
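The following Python, an added example rather than the product's code, shows how the three identifier types are told apart in practice and how the NOUIC, NOGENERAL and NOSYSTEM limits turn that classification into violation reports. The ACE strings are constructed for a print queue; treating the environmental identifiers VMS itself provides (BATCH, DIALUP, INTERACTIVE, LOCAL, NETWORK, REMOTE) as the page's "system-defined identifiers" is an assumption made here.

```python
"""Classify identifiers in Identifier ACEs and report ACLIDENT violations.

Illustrative example, not LJK/Security code. Assumption made here: the page's
"system-defined identifiers" are the environmental identifiers VMS itself
provides; the ACE strings in SAMPLE_ACL are constructed.
"""

SYSTEM_IDENTIFIERS = {"BATCH", "DIALUP", "INTERACTIVE", "LOCAL", "NETWORK", "REMOTE"}
DEFAULT_LIMITS = {"NOUIC": True, "NOGENERAL": False, "NOSYSTEM": False}  # page defaults


def split_fields(body):
    """Split an ACE body on top-level commas; commas inside [..] or (..)
    (UIC identifiers, OPTIONS lists) are part of their field."""
    fields, depth, cur = [], 0, []
    for ch in body:
        if ch in "([":
            depth += 1
        elif ch in ")]":
            depth -= 1
        if ch == "," and depth == 0:
            fields.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur).strip())
    return [f for f in fields if f]


def parse_ace(ace):
    """'(IDENTIFIER=[PROJ,SMITH],ACCESS=READ+WRITE)' -> (['[PROJ,SMITH]'], 'READ+WRITE').
    Returns None for ACEs that are not Identifier ACEs (alarm, audit, default
    protection and so on), which carry no identifier to classify."""
    ace = ace.strip()
    if not (ace.startswith("(") and ace.endswith(")")):
        raise ValueError(f"not an ACE: {ace!r}")
    fields = {}
    for field in split_fields(ace[1:-1]):
        key, _, value = field.partition("=")
        fields[key.strip().upper()] = value.strip()
    if "IDENTIFIER" not in fields:
        return None
    # IDENTIFIER=A+B means the user must hold both; each one is classified.
    idents = [i.strip().upper() for i in fields["IDENTIFIER"].split("+")]
    return idents, fields.get("ACCESS", "").upper()


def classify_identifier(ident):
    """UIC identifiers are bracketed ([PROJ,SMITH], [100,*], [SMITH]);
    system-defined ones are the fixed environmental names; anything else is a
    general identifier from the rights database."""
    if ident.startswith("[") and ident.endswith("]"):
        return "UIC"
    if ident in SYSTEM_IDENTIFIERS:
        return "SYSTEM"
    return "GENERAL"


def aclident_violations(acl, limits=DEFAULT_LIMITS):
    """Return (constraint, identifier, ace) for each identifier whose type the
    limits prohibit. Exemptions by (node, queue name) would be applied by the
    caller before reporting."""
    out = []
    for ace in acl:
        parsed = parse_ace(ace)
        if parsed is None:
            continue
        for ident in parsed[0]:
            constraint = "NO" + classify_identifier(ident)
            if limits.get(constraint, False):
                out.append((constraint, ident, ace))
    return out


# Constructed ACL for a print queue.
SAMPLE_ACL = [
    "(IDENTIFIER=[PROJ,SMITH],ACCESS=READ+SUBMIT+MANAGE+DELETE)",
    "(IDENTIFIER=PROJ_OPERATORS,ACCESS=READ+SUBMIT+MANAGE+DELETE)",
    "(IDENTIFIER=[100,*],ACCESS=READ+SUBMIT)",
    "(IDENTIFIER=NETWORK,ACCESS=NONE)",
    "(IDENTIFIER=PAYROLL+INTERACTIVE,OPTIONS=PROTECTED,ACCESS=READ+SUBMIT)",
    "(ALARM=SECURITY,ACCESS=MANAGE+DELETE+CONTROL+FAILURE)",
]

if __name__ == "__main__":
    for constraint, ident, ace in aclident_violations(SAMPLE_ACL):
        print(f"{constraint:10} {ident:14} {ace}")
```

With the page's defaults only the two bracketed identifiers are reported; the wildcard UIC [100,*] is the case that bites hardest when a group is renumbered, since nothing in the rights database records that the grant exists.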
CHECKPOINT
Ensure that use of the queue checkpoint capability conforms to policy.
Violation reports
| Constraint | Nature of the violation |
| BATPROHIB | Batch job was submitted /RESTART in violation of policy |
| BATREQUIRE | Batch job was submitted /NORESTART in violation of policy |
| PRIPROHIB | Print job was submitted /RESTART in violation of policy |
| PRIREQUIRE | Print job was submitted /NORESTART in violation of policy |
Description
This element supports tests regarding whether the /RESTART capability is specified for jobs in print queues (where it is the VMS default) and batch queues (where it is not the VMS default).
Default policy
Print jobs must be submitted /RESTART.
Customizing
Use the tests for this element to ensure that batch and print operations are carried out in a reliable fashion.
Limits
| Constraint | Value | Default |
| BATPROHIB | FALSE or TRUE | FALSE |
| BATREQUIRE | FALSE or TRUE | FALSE |
| PRIPROHIB | FALSE or TRUE | FALSE |
| PRIREQUIRE | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
| BATPROHIB | FALSE or TRUE | <node>, <QUEUE-name> |
| BATREQUIRE | FALSE or TRUE | <node>, <QUEUE-name> |
| PRIPROHIB | FALSE or TRUE | <node>, <QUEUE-name> |
| PRIREQUIRE | FALSE or TRUE | <node>, <QUEUE-name> |
Practical considerations
This element does not consider the issue of whether batch jobs are making efficient use of the BATCH$RESTART capability, since that requires analysis of individual batch jobs.
MANAGER
Ensure that use of the queue manager conforms to policy.
Violation reports
| Constraint | Nature of the violation |
| PROHIBITED | Queue Manager is running in violation of policy |
| REQUIRED | Queue Manager is not running in violation of policy |
Description
This element supports tests regarding whether the queue manager is running.
Default policy
The Queue Manager must be running.
Customizing
Preventing use of the Queue Manager considerably restricts the ability to run reliable, assured backups, since those are normally batch jobs. Consider protecting queues as an alternative.
Limits
| Constraint | Value | Default |
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
| PROHIBITED | FALSE or TRUE | <node>, <QUEUE-name> |
| REQUIRED | FALSE or TRUE | <node>, <QUEUE-name> |
Practical considerations
Most installations run the Queue Manager.
OPRMARKING
Ensure that use of mandatory print queue marking conforms to policy.
Violation reports
| Constraint | Nature of the violation |
| PROHIBITED | Output execution queue outputs a description in violation of policy |
| REQUIRED | Output execution queue does not output a description in violation of policy |
| CONTAINS | Output execution queue description does not include text required by policy |
Description
This element supports tests regarding whether print queues include mandatory descriptions, as specified by the queue initialization command /SEPARATE=(BURST,FLAG,TRAILER)/DESCRIPTION="description". The description is printed on the separator pages the queue itself adds to every job.
Default policy
Mandatory print queue marking is not required.
Customizing
Use this element to verify that output markings restricting distribution of printouts are configured; the CONTAINS limit checks that the queue description carries the required wording, not merely that some description exists.
Limits
| Constraint | Value | Default |
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | FALSE |
| CONTAINS | text | null string |
Exemptions
| Constraint | Value | Parameters |
| PROHIBITED | FALSE or TRUE | <node>, <QUEUE-name> |
| REQUIRED | FALSE or TRUE | <node>, <QUEUE-name> |
| CONTAINS | text | <node>, <QUEUE-name> |
Practical considerations
This element pertains to operator-imposed markings that cannot be bypassed by individual users.
OWNER
Ensure that ownership of queues conforms to policy.
Violation reports
| Constraint | Nature of the violation |
| WRONG | Queue owner is not as specified |
Description
If an individual user account gains ownership of a queue, it can be used to interfere with services to other users.
The purpose of this test is to ensure that the proper owner retains ownership of QUEUEs that are not in use. This test checks the ownership of any QUEUE not currently in use and reports any instance in which the owner is not the proper owner.
For limits only (not exemptions), the owner matching string [SYSTEM] will match, as a special case, UICs that are represented as [1,4] (for instance because there is no rights database, RIGHTSLIST.DAT, to translate the UIC into a name).
Default policy
Every queue must be owned by the system.
Customizing
An alternative owner can be specified for any QUEUE by setting an exemption. It is also possible to change the standard owner to some account other than the system by changing the limit for this test.
Limits
| Constraint | Value | Default |
| WRONG | Identifier | [SYSTEM] |
Exemptions
| Constraint | Value | Parameters |
| WRONG | Identifier | <node>, <QUEUE-name> |
Practical considerations
QUEUE ownership and protection must be considered jointly.
PROTECTION
Ensure that each QUEUE's protection setting meets the minimum setting
defined by policy.
Violation reports
| Constraint | Nature of the violation |
| ABSOLUTLO | Access is narrower than permitted by policy |
| ABSOLUTHI | Access is wider than permitted by policy |
| NOSYSOWNER | Queue is owned by a system UIC in violation of policy |
| PERCENTLO | Fewer users can access than permitted by policy |
| PERCENTHI | More users can access than permitted by policy |
| SYSOWNER | Queue is not owned by a system UIC in violation of policy |
Description
Under VMS, a protection setting can be applied to a queue in the same way that it can be applied to files. This allows a given user (or group of users) to have exclusive access to a given queue, for example. Conversely, it can be set to keep a QUEUE open for access by all users, or to limit them to read access.
The purpose of this test is to ensure that the protection settings for QUEUEs remain at the levels established by policy.
The ABSOLUTLO and ABSOLUTHI tests measure the UIC-based protection mask directly. The PERCENTLO and PERCENTHI tests measure the result of protection (including ACL protection) in terms of the percentage of usernames given access.
Default policy
Queues have a system owner.
The most permissive protection allowed for a queue gives 100 percent of the users Read and Submit access, but only 10 percent of the users the more powerful Manage, Delete and Control access.
Customizing
The default limit values for these tests leave queue protection "wide open" (the ABSOLUTHI default grants every category Read, Submit, Manage and Delete), so changes should be made to obtain any value from this test.
Selector
Limits for constraints PERCENTLO and PERCENTHI can take a selector consisting of a VMS queue access type: READ, SUBMIT, MANAGE, DELETE or CONTROL (the R, S, M, D and C of the PERCENTHI default below). If no selector is specified, customization commands apply to all possible selector values.
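The following Python, an added example rather than LJK/Security code, works through the tests described for SYSEXEPROT above and for this queue PROTECTION element: it parses a VMS-style protection setting, applies ABSOLUTLO (every access the narrowest permitted mask grants must be present) and ABSOLUTHI (nothing beyond the widest permitted mask may be present), and computes the PERCENTLO/PERCENTHI percentages over a constructed ten-user population with a simplified ACL taken into account. The set-inclusion reading of the ABSOLUT tests, the ACL evaluation model, the MAXSYSGROUP value, the population and the `FILE_ACL` are assumptions made here; the parser serves both file masks (RWED) and queue masks (RSMD) because it does not interpret the access letters.

```python
"""ABSOLUTLO/ABSOLUTHI and PERCENTLO/PERCENTHI worked through in Python.

Illustrative example, not LJK/Security code. Assumptions made here: the ABSOLUT
tests are set inclusion per category; the ACL model is a simplification of the
VMS check (first matching Identifier ACE decides, with fallback to the system
and owner fields only); USERS, FILE_ACL and MAXSYSGROUP are constructed.
"""

CATEGORIES = ("S", "O", "G", "W")
MAXSYSGROUP = 0o10  # assumption: VMS default; UIC groups up to this are "system"


def parse_protection(text):
    """'(S:RWED,O:RWED,G:RE,W:RE)' -> {'S': {'R','W','E','D'}, ...}.
    A category listed with no ':access' (e.g. 'O' in '(S:RWED,O,G,W)') and a
    category not listed at all both grant nothing. Access letters are not
    interpreted, so the parser serves file masks (RWED) and queue masks (RSMD)."""
    mask = {c: set() for c in CATEGORIES}
    for field in text.strip().strip("()").split(","):
        if not field.strip():
            continue
        cat, _, access = field.strip().upper().partition(":")
        if cat not in mask:
            raise ValueError(f"unknown category {cat!r} in {text!r}")
        mask[cat] = set(access)
    return mask


def absolute_violations(actual, lo, hi):
    """ABSOLUTLO is the narrowest permitted mask: every access it grants must be
    present. ABSOLUTHI is the widest: nothing beyond it may be present."""
    a, lo_m, hi_m = (parse_protection(p) for p in (actual, lo, hi))
    found = []
    if any(lo_m[c] - a[c] for c in CATEGORIES):
        found.append("ABSOLUTLO")
    if any(a[c] - hi_m[c] for c in CATEGORIES):
        found.append("ABSOLUTHI")
    return found


def parse_limits(text, accesses):
    """'R:100,W:1,E:100,D:1,C:1' -> {'R': 100, ...}. A bare number is a limit
    given without a selector and applies to every access type."""
    if ":" not in text:
        return {a: int(text) for a in accesses}
    return {k.strip().upper(): int(v) for k, _, v in
            (f.partition(":") for f in text.split(","))}


def user_categories(user, owner_uic):
    """Which of S/O/G/W a user falls into for an object owned by owner_uic."""
    cats = {"W"}
    if user["uic"][0] <= MAXSYSGROUP or "SYSPRV" in user.get("privs", ()):
        cats.add("S")
    if user["uic"] == owner_uic:
        cats.add("O")
    if user["uic"][0] == owner_uic[0]:
        cats.add("G")
    return cats


def has_access(user, access, mask, owner_uic, acl):
    cats = user_categories(user, owner_uic)
    if access == "C" and cats & {"S", "O"}:
        return True  # CONTROL is implied for the system and owner categories
    for ident, granted in acl:  # first matching Identifier ACE decides
        if ident in user.get("ids", ()):
            if access in granted:
                return True
            cats &= {"S", "O"}  # an ACE that withholds access leaves only S/O
            break
    return any(access in mask[c] for c in cats)


def percent_with_access(users, protection, owner_uic, acl, accesses):
    """Percentage of usernames holding each access type: UIC mask plus ACL."""
    mask = parse_protection(protection)
    return {acc: round(100 * sum(has_access(u, acc, mask, owner_uic, acl)
                                  for u in users) / len(users))
            for acc in accesses}


def percent_violations(pcts, lo, hi):
    out = []
    for acc, pct in pcts.items():
        if pct < lo[acc]:
            out.append(("PERCENTLO", acc))
        if pct > hi[acc]:
            out.append(("PERCENTHI", acc))
    return out


# Constructed population: UICs as (group, member); ids = identifiers held.
USERS = [
    {"name": "SYSTEM", "uic": (1, 4), "privs": {"SYSPRV"}},
    {"name": "OPERATOR", "uic": (1, 5)},
    {"name": "ALICE", "uic": (100, 1), "ids": {"PROJ_ADMIN"}},
    {"name": "BOB", "uic": (100, 2), "ids": {"PROJ_ADMIN"}},
    {"name": "CAROL", "uic": (100, 3)},
    {"name": "DAVE", "uic": (200, 1)},
    {"name": "ERIN", "uic": (200, 2)},
    {"name": "FRANK", "uic": (300, 1)},
    {"name": "GRACE", "uic": (300, 2)},
    {"name": "HEIDI", "uic": (300, 3), "ids": {"VISITOR"}},
]
FILE_ACL = [("PROJ_ADMIN", set("RWED")), ("VISITOR", {"R"})]  # constructed


def file_example():
    """A .EXE carrying the default ABSOLUTHI mask plus FILE_ACL, checked
    against the default file PERCENTLO (0) and PERCENTHI limits."""
    pcts = percent_with_access(USERS, "(S:RWED,O:RWED,G:RE,W:RE)", (1, 4), FILE_ACL, "RWEDC")
    lo = parse_limits("0", "RWEDC")
    hi = parse_limits("R:100,W:1,E:100,D:1,C:1", "RWEDC")
    return pcts, percent_violations(pcts, lo, hi)
```

The file example shows why the PERCENT tests exist alongside the ABSOLUT ones: the mask itself is exactly the default ABSOLUTHI and passes, yet a single general identifier granting RWED to two of ten users pushes WRITE and DELETE to 40 percent, well over the 1 percent the default policy allows, and the two system-group accounts alone put CONTROL at 20 percent. For queues, call `absolute_violations` with the RSMD letters and the defaults from the table below.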
Limits
| Constraint | Value | Default |
| ABSOLUTLO | Any Protection | (S:M,O:D,G:R,W:S) |
| ABSOLUTHI | Any Protection | (S:RSMD,O:RSMD,G:RSMD,W:RSMD) |
| NOSYSOWNER | FALSE or TRUE | FALSE |
| PERCENTLO | 0-100 | 0 |
| PERCENTHI | 0-100 | R:100,S:100,M:10,D:10,C:10 |
| SYSOWNER | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
| ABSOLUTLO | Any Protection | <node>, <QUEUE-name> |
| ABSOLUTHI | Any Protection | <node>, <QUEUE-name> |
| NOSYSOWNER | FALSE or TRUE | <node>, <QUEUE-name> |
| PERCENTLO | 0-100 | <node>, <QUEUE-name> |
| PERCENTHI | 0-100 | <node>, <QUEUE-name> |
| SYSOWNER | FALSE or TRUE | <node>, <QUEUE-name> |
Practical considerations
Private queue ownership is a powerful mechanism for delegating the operation of a project's queues to project operators without giving them full OPER privilege. Ownership and protection must be set together: the owner of a queue has control access to it and can change its protection, so an OWNER exemption for a privately owned queue should be paired with limits here that still bound what the owner may open up.