LJK/Security Reference Manual
RETAIN
Ensure batch and print job retention conform to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| BATCHJALL | Some batch job is not set for unconditional retention |
| BATCHJERR | Some batch job is not set for retention on error |
| BATCHJTIM | Some batch job is not set for timed retention |
| BATCHQALL | Some batch queue is not set for unconditional retention |
| BATCHQERR | Some batch queue is not set for retention on error |
| PRINTJALL | Some print job is not set for unconditional retention |
| PRINTJERR | Some print job is not set for retention on error |
| PRINTJTIM | Some print job is not set for timed retention |
| PRINTQALL | Some print queue is not set for unconditional retention |
| PRINTQERR | Some print queue is not set for retention on error |
| UNHANDLED | Error retention of a job exceeds remediation time limit |
Description
The tests for the *QALL and *QERR
constraints determine whether SET QUEUE/RETAIN=
settings on batch and print queues conform to policy.
The tests for the *JALL, *JERR and *JTIM
constraints determine whether SUBMIT/RETAIN= or
PRINT/RETAIN= settings conform to policy.
The test for the UNHANDLED constraint
determines whether a job has been retained too long after an error
without being handled (and deleted or released).
Default policy
Retention on error is required for all queues and retained jobs must be
handled within four days.
Customizing
Since SUBMIT and PRINT qualifiers can override queue defaults, these
tests look at both the queue defaults and how individual jobs get
submitted.
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| BATCHJALL | FALSE or TRUE | FALSE |
| BATCHJERR | FALSE or TRUE | TRUE |
| BATCHJTIM | time interval | +0-00:00:00.00 |
| BATCHQALL | FALSE or TRUE | FALSE |
| BATCHQERR | FALSE or TRUE | TRUE |
| PRINTJALL | FALSE or TRUE | FALSE |
| PRINTJERR | FALSE or TRUE | TRUE |
| PRINTJTIM | time interval | +0-00:00:00.00 |
| PRINTQALL | FALSE or TRUE | FALSE |
| PRINTQERR | FALSE or TRUE | TRUE |
| UNHANDLED | 0-n minutes | 5760 |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| BATCHJALL | FALSE or TRUE | <node>, <queue-name>/<username>/<job-name> |
| BATCHJERR | FALSE or TRUE | <node>, <queue-name>/<username>/<job-name> |
| BATCHJTIM | +[dddd-][hh:mm:ss.cc] | <node>, <queue-name>/<username>/<job-name> |
| BATCHQALL | FALSE or TRUE | <node>, <queue-name> |
| BATCHQERR | FALSE or TRUE | <node>, <queue-name> |
| PRINTJALL | FALSE or TRUE | <node>, <queue-name>/<username>/<job-name> |
| PRINTJERR | FALSE or TRUE | <node>, <queue-name>/<username>/<job-name> |
| PRINTJTIM | +[dddd-][hh:mm:ss.cc] | <node>, <queue-name>/<username>/<job-name> |
| PRINTQALL | FALSE or TRUE | <node>, <queue-name> |
| PRINTQERR | FALSE or TRUE | <node>, <queue-name> |
| UNHANDLED | 0-n | <node>, <queue-name>/<username>/<job-name> |
Practical considerations
Requiring retention on batch job errors can help detect confused
mishandling of data.
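The error-retention part of the RETAIN tests can be modelled as follows. This is an added example, not LJK/Security code: it evaluates BATCHQERR, BATCHJERR and UNHANDLED over a constructed inventory, letting a job-level setting override the queue default. The retention labels, the wildcard matching of exemptions, the treatment of a job that takes the queue default, and all node, queue, user and job names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from fnmatch import fnmatchcase
from typing import Optional

UNHANDLED_LIMIT_MIN = 5760  # default UNHANDLED limit on this page (four days)

@dataclass
class Job:
    node: str
    queue: str
    user: str
    name: str
    retain: str                           # "DEFAULT", "ERROR" or "ALWAYS" (assumed labels)
    failed_at: Optional[datetime] = None  # set if the job ended in error and is still held

def is_exempt(exemptions, constraint, node, target):
    # Exemption = (constraint, node pattern, target pattern); wildcard matching is assumed.
    return any(c == constraint and fnmatchcase(node, n) and fnmatchcase(target, t)
               for c, n, t in exemptions)

def audit(queues, jobs, exemptions, now, limit_min=UNHANDLED_LIMIT_MIN):
    """queues maps (node, queue) -> default retention: "NONE", "ERROR" or "ALL"."""
    findings = []
    for (node, queue), default in sorted(queues.items()):
        if default == "NONE" and not is_exempt(exemptions, "BATCHQERR", node, queue):
            findings.append(("BATCHQERR", f"{node}::{queue}"))
    for job in jobs:
        target = f"{job.queue}/{job.user}/{job.name}"
        # A job-level qualifier overrides the queue default, so resolve it first.
        effective = queues[(job.node, job.queue)] if job.retain == "DEFAULT" else job.retain
        keeps_errors = effective in ("ERROR", "ALL", "ALWAYS")
        if not keeps_errors and not is_exempt(exemptions, "BATCHJERR", job.node, target):
            findings.append(("BATCHJERR", target))
        if keeps_errors and job.failed_at is not None:
            age_min = (now - job.failed_at) / timedelta(minutes=1)
            if age_min > limit_min and not is_exempt(exemptions, "UNHANDLED", job.node, target):
                findings.append(("UNHANDLED", target))
    return findings

# Constructed inventory: node, queue, user and job names are invented for illustration.
NOW = datetime(2024, 3, 10, 12, 0)
QUEUES = {("ALPHA1", "SYS$BATCH"): "ERROR", ("ALPHA1", "SCRATCH$BATCH"): "NONE"}
JOBS = [
    Job("ALPHA1", "SYS$BATCH", "PAYROLL", "NIGHTLY", "DEFAULT", NOW - timedelta(days=5)),
    Job("ALPHA1", "SYS$BATCH", "OPS", "BACKUP", "ERROR", NOW - timedelta(days=1)),
    Job("ALPHA1", "SCRATCH$BATCH", "DEV", "BUILD", "DEFAULT"),
    Job("ALPHA1", "SCRATCH$BATCH", "DEV", "TEST_RUN", "ERROR", NOW - timedelta(days=6)),
]
EXEMPTIONS = [("UNHANDLED", "ALPHA1", "SCRATCH$BATCH/DEV/*")]

if __name__ == "__main__":
    print(audit(QUEUES, JOBS, EXEMPTIONS, NOW))
```

TEST_RUN is retained because its own setting overrides a queue with no retention, and it is older than the limit, but the wildcard exemption suppresses the UNHANDLED report for it.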
6.7 TERM Tests
Tests in the TERM facility deal with terminal
protection.
Security-relevant system parameters affecting terminal security are
not tested, since their effect can be undone by DCL commands
from privileged usernames (typically in the site-specific system startup
command procedure). The approach taken by LJK/Security is to consider
the resulting security rather than how that state was achieved.
Exemptions are based on node name and
device name.
ACLIDENT
Ensure that identifier types used in access control lists conform to
policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| NOGENERAL | General identifier used in violation of policy |
| NOSYSTEM | System-defined identifier used in violation of policy |
| NOUIC | UIC identifier used in violation of policy |
Description
Use of UIC identifiers directly in access control lists leads to
problems if user responsibilities are changed, since control of the
access they have been granted is distributed throughout the system.
The purpose of this test is to ensure that identifiers used in
Identifier Access Control Entries are of acceptable types.
Default policy
Identifiers in ACLs must not be UIC identifiers.
Customizing
The options of prohibiting General and System identifiers
are provided for flexibility, but are not useful in most circumstances.
The main customization which might be desired is to remove the
prohibition against the use of UIC identifiers.
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| NOGENERAL | FALSE or TRUE | FALSE |
| NOSYSTEM | FALSE or TRUE | FALSE |
| NOUIC | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| NOGENERAL | FALSE or TRUE | <node>, <device-name> |
| NOSYSTEM | FALSE or TRUE | <node>, <device-name> |
| NOUIC | FALSE or TRUE | <node>, <device-name> |
Practical considerations
In cases where existing use of UIC identifiers is pervasive, temporary
customization might be required.
AUTOLOGIN
Ensure presence of entries in the autologin file (SYSALF.DAT) complies
with policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ENTRY | Autologin is used in violation of policy |
| NONCAPTIVE | Autologin is used to a non-captive username |
| NOPASSWORD | Autologin is used without a password |
| NOSUCHUSER | Autologin specifies a Username that does not exist or is disabled |
| PRIVPROHIB | Autologin is used to a privileged username |
| ABSOLUTHI | Autologin is used to a privileged username |
Description
Entries in the autologin file can be used to automatically log a
particular terminal in to a designated account when the carriage-return
key is pressed. Such accounts can be set up either with or without
passwords, but even when passwords are required, the automatic choice
of username can provide an interloper "part of the puzzle".
The purpose of these tests is to ensure that any entries in the
autologin file comply with organization-wide security policy.
Default policy
No use of the autologin file is permitted.
Customizing
Establish exemptions based on individual terminal
names to permit limited use of autologin files. Change the
limits to permit unrestricted use of autologin files.
selector
Limits and exemptions for test TERM_AUTOLOGIN_PRIVPROHIB can take a
selector consisting of a privilege name.
Thus, each can be set once for each possible privilege. When using the
Command Interface, if you do not specify a selector
when changing the limit or exemptions,
your change applies to all privileges.
Limits
| Constraint | Value | Default |
|---|---|---|
| ENTRY | FALSE or TRUE | TRUE |
| NONCAPTIVE | FALSE or TRUE | TRUE |
| NOPASSWORD | FALSE or TRUE | TRUE |
| NOSUCHUSER | FALSE or TRUE | TRUE |
| PRIVPROHIB | FALSE or TRUE | TRUE * |
| ABSOLUTHI | Category-None---Category-All | Category-Normal |
* FALSE value for privilege TMPMBX.
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ENTRY | FALSE or TRUE | <node>,<device-name> |
| NONCAPTIVE | FALSE or TRUE | <node>,<device-name> |
| NOPASSWORD | FALSE or TRUE | <node>,<device-name> |
| NOSUCHUSER | FALSE or TRUE | <node>,<device-name> |
| PRIVPROHIB | FALSE or TRUE | <node>,<device-name> |
| ABSOLUTHI | Category-None---Category-All | <node>,<device-name> |
Practical considerations
Manual methods must be used to ensure that
named terminals are actually in their putative locations. Assumptions
can be readily thwarted by cabling changes.
The test ABSOLUTHI is sufficient to express simpler
limitations based on privilege level.
If a more complicated selection of privileges is required, it may be
necessary to use the test PRIVPROHIB.
BROADCAST
Determine whether enable state for broadcast messages conforms to
policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Broadcast messages are enabled in violation of policy |
| REQUIRED | Broadcast messages are disabled in violation of policy |
Description
In certain situations the permanent characteristics of terminals to
enable or disable reception of broadcast messages can have security
implications.
These tests are intended to allow reporting when permanent terminal
characteristics do not conform to policy.
Default policy
Enabling of broadcast messages is neither prohibited nor required.
Customizing
You can set limits to indicate a general policy,
and exemptions on an individual basis. The most likely situation would
be to have the limits require broadcast messages be enabled and set
exemptions for other cases.
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>, <device-name> |
| REQUIRED | FALSE or TRUE | <node>, <device-name> |
Practical considerations
The permanent terminal broadcast setting is
only one factor in the delivery of broadcast messages. It can be
overridden by the user logged in at a terminal (without privilege). The
types of messages delivered can be subsetted by that user through the
SET BROADCAST command.
DIALUP
Determine whether designation as dialup conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Designated as dialup in violation of policy |
| REQUIRED | Designated as non-dialup in violation of policy |
Description
VMS provides the capability to designate certain terminal lines as
"dialup" and restrict system access to particular usernames
or particular files based on whether the access is coming over a
"dialup" line.
Trusting the "dialup" designation in the permanent characteristics of a
terminal can be illusory, since a non-dialup line can have a modem
attached to it.
On the other hand, some sites use the "dialup" designation for other
meanings which are either not relevant to security or do not have the
same risk of spoofing.
Default policy
Designation as dialup is prohibited.
Customizing
Customization is in order if your organization has some other use for
the "dialup" designation. It also may be required in cases
where a higher governing authority mandates such a distinction.
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | TRUE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>, <device-name> |
| REQUIRED | FALSE or TRUE | <node>, <device-name> |
Practical considerations
Keeping track of which lines are dialup also
means tracking all changes in wiring schemes for various nodes.
DISCONNECT
Determine whether enabling of virtual terminals conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Disconnect allowed is enabled in violation of policy |
| REQUIRED | Disconnect allowed is disabled in violation of policy |
Description
Provision of virtual terminals allows a user whose session is
interrupted by circuit disconnection to continue the existing session
by supplying the appropriate password after connecting again. This is
generally regarded as a continuity-of-service feature.
Some sites may have specific requirements mandating that virtual
terminals not be enabled.
Default policy
Enabling of disconnection is neither prohibited nor required.
Customizing
Customize here if you have the need to ensure
uniformity across all nodes owned by your organization.
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>, <device-name> |
| REQUIRED | FALSE or TRUE | <node>, <device-name> |
Practical considerations
The length of time a disconnected process will
remain available can be controlled on a node-by-node basis.
HANGUP
Determine whether forcing hangup on logout conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Hangup on logout is enabled in violation of policy |
| REQUIRED | Hangup on logout is disabled in violation of policy |
Description
Forcing hangup on logout is generally viewed as an
availability-of-service feature, since it frees dialup lines for use by
another caller. Most sites combine it with allowing users to use the
/NOHANGUP qualifier on a particular logout, since the goal is to defend
against unknowing failure to properly terminate a call.
Default policy
Hangup on logout is required.
Customizing
In most cases, provision of the MODHANGUP capability is sufficient to
meet user needs and no customization of this test is required.
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>, <device-name> |
| REQUIRED | FALSE or TRUE | <node>, <device-name> |
Practical considerations
Use of an application which performs process
deletion rather than allowing the user to invoke LOGOUT may require
that hangup on logout not be enabled.
MODEM
Determine whether specification of modem control conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Modem control is enabled in violation of policy |
| REQUIRED | Modem control is disabled in violation of policy |
Description
Enabling modem control specifies that VMS will provide and expect
proper modem signalling on a particular terminal line. It does not
necessarily have anything to do with dialup modems, as many other types
of data communications equipment require and provide modem control
signals.
Default policy
Enabling of modem control is neither prohibited nor required.
Customizing
In most cases, enforcement of particular modem
control settings is not required since equipment will not work if the
setting is wrong.
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>, <device-name> |
| REQUIRED | FALSE or TRUE | <node>, <device-name> |
Practical considerations
Cases where modem control is not provided when
it might seem to be needed may indicate situations where modem cabling
has been modified so as not to require such signals. This generally
results in reduced information flow regarding the state of calls, and
reduced security.
MODHANGUP
Determine whether allowing user modification of hangup on logout
conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | User modification of hangup on logout is enabled in violation of policy |
| REQUIRED | User modification of hangup on logout is disabled in violation of policy |
Description
Enabling user modification of hangup on logout allows knowledgeable
users to avoid having to redial calls when logging in to another
session. Most sites enable it, using the hangup on logout feature of
VMS only to protect against authorized but forgetful users tying up
lines after they are finished.
Default policy
Allowing user modification of hangup on logout is
neither prohibited nor required.
Customizing
Abuse of the LOGOUT/NOHANGUP feature may require MODHANGUP be prohibited.
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>, <device-name> |
| REQUIRED | FALSE or TRUE | <node>, <device-name> |
Practical considerations
Although the LOGOUT/NOHANGUP feature is
supposed to be used only in cases where it is needed, some users might
define DCL symbols to change every LOGOUT command into a
LOGOUT/NOHANGUP command, thereby violating the spirit
of the feature.
NETDEVICE
Determine whether designation as network device conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Set as network device in violation of policy |
| REQUIRED | Set as interactive device in violation of policy |
Description
When terminal lines are used for asynchronous DECnet, they are
automatically designated as network devices. These tests can be used to
check for unauthorized asynchronous DECnet connections, if a site
has sufficient staff to track all changes in network connections.
Default policy
Designation as a network device is neither prohibited nor required.
Customizing
An aggressive program of tracking network
connections would require setting both limits TRUE and then setting an
exemption for every line (or group of lines via wildcard exemptions).
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>, <device-name> |
| REQUIRED | FALSE or TRUE | <node>, <device-name> |
Practical considerations
Dynamic (dialup) asynchronous DECnet allows
certain lines to change their state between network and terminal
devices.
OPERATOR
Determine whether enabling for operator messages conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Enabled for operator messages in violation of policy |
| REQUIRED | Disabled from operator messages in violation of policy |
Description
Certain terminals at a site are generally designated as operator
terminals to receive user and program requests for operator assistance.
These tests can be used to ensure that no unauthorized terminals are so
enabled and to ensure that required terminals are enabled.
Default policy
Enabling as an operator terminal is prohibited.
Customizing
Establish PROHIBITED exemptions for authorized operator
terminals.
If you want to ensure that certain terminals are enabled, set
the REQUIRED limit TRUE and establish exemptions for
all the "other" terminals (a tall order).
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | TRUE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>, <device-name> |
| REQUIRED | FALSE or TRUE | <node>, <device-name> |
Practical considerations
Enabling a terminal for operator messages does
not grant any ability to control anything, merely to receive
information. In that light, you may not care what terminals are enabled
and may prefer to relax the default PROHIBITED limit
to FALSE.