LJK/Security Reference Manual




DISMAIL

Determine whether disabling announcement of mail conforms to policy.

Violation reports

Constraint   Nature of the violation
PROHIBITED   Mail announcement is enabled in violation of policy
REQUIRED     Mail announcement is disabled in violation of policy

Description

The DISMAIL authorization flag suppresses the new-mail announcement that is otherwise displayed when a user logs in or when mail is delivered.

Default policy

Disabling of mail announcement is prohibited.

Customizing

Customization may be appropriate for users in a very captive environment, but it is more likely that the NOMAIL indication should be used to prevent those users from being sent mail in the first place.

Limits

Constraint   Value           Default
PROHIBITED   FALSE or TRUE   TRUE
REQUIRED     FALSE or TRUE   FALSE

Exemptions

Constraint   Value           Parameters
PROHIBITED   FALSE or TRUE   <node>, <username>
REQUIRED     FALSE or TRUE   <node>, <username>

Practical considerations

Announcement of mail when delivered or on login can be viewed as a continuity-of-service consideration, although even when enabled for a particular username, individual announcements can still be suppressed by end user action.

DISPWDDIC

Determine whether disabling of password dictionary screening conforms to policy.

Violation reports

Constraint   Nature of the violation
PROHIBITED   Password dictionary screening is disabled in violation of policy
REQUIRED     Password dictionary screening is enabled in violation of policy

Description

Password dictionary screening is an important technique for preventing selection of weak passwords by users. This test checks whether such screening is in force.

Default policy

Disabling the password dictionary screening is prohibited.

Customizing

If there is a strong reason for allowing use of versions of VMS earlier than VMS V5.4 at your site, you may wish to establish exemptions giving the PROHIBITED constraint the value TRY rather than TRUE on those nodes.

There is virtually no security-acceptable reason for allowing password dictionary screening to be disabled on versions of VMS which are capable of it, but the customization capability is provided.

Limits

Constraint   Value                Default
PROHIBITED   FALSE, TRUE or TRY   TRUE
REQUIRED     FALSE or TRUE        FALSE

Exemptions

Constraint   Value                Parameters
PROHIBITED   FALSE, TRUE or TRY   <node>, <username>
REQUIRED     FALSE or TRUE        <node>, <username>

Practical considerations

Password dictionary screening only works for password choices made with the SET PASSWORD command. It does not prevent privileged users from selecting a weak password for themselves or another user with the AUTHORIZE utility.

DISPWDFCHG

Determine whether forcing of password change on expiration conforms to policy.

Violation reports

Constraint   Nature of the violation
PROHIBITED   Forced password change is disabled in violation of policy
REQUIRED     Forced password change is enabled in violation of policy

Description

The DISFORCE_EXP_PWD_CHANGE authorization flag disables forcing of users to change their password on login if it has expired.

Default policy

Forced password change is required for versions of VMS which support it.

Customizing

Set limit PROHIBITED to be FALSE to remove the requirement for forced password change.

Set limit PROHIBITED to be TRUE to impose the requirement for forced password change ON ALL versions of VMS (meaning a violation on versions of VMS earlier than V5.0).

Limits

Constraint   Value                Default
PROHIBITED   FALSE, TRUE or TRY   TRY
REQUIRED     FALSE or TRUE        FALSE

Exemptions

Constraint   Value                Parameters
PROHIBITED   FALSE, TRUE or TRY   <node>, <username>
REQUIRED     FALSE or TRUE        <node>, <username>

Practical considerations

There is very little reason to use the DISFORCE_EXP_PWD_CHANGE flag. If it is set, then users can log in and forget to change their password, meaning they will be locked out on the next login attempt.
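As an added example (not the manual's or LJK/Security's own code), the following Python models how the PROHIBITED and REQUIRED limits, the TRY value and the per-node, per-username exemptions described for DISPWDDIC and DISPWDFCHG combine when a SYSUAF record is checked; the FlagTest structure, its field names, the reading of TRY as "enforce only where the VMS version supports the feature", and the node and username values are assumptions.

```python
from dataclasses import dataclass, field

# Added example (not LJK/Security code): evaluates one of the manual's flag
# tests for a SYSUAF record. Limit values follow the Limits tables: FALSE =
# not enforced, TRUE = enforced on every node, TRY = enforced only on nodes
# whose VMS version supports the feature (our reading of TRY, taken from the
# DISPWDDIC and DISPWDFCHG entries).

@dataclass
class FlagTest:
    name: str                  # test name, e.g. "DISPWDFCHG"
    flag: str                  # SYSUAF flag inspected, e.g. "DISFORCE_EXP_PWD_CHANGE"
    min_version: tuple         # first VMS version with the feature (assumed value)
    prohibited: str = "FALSE"  # site-wide limit for constraint PROHIBITED
    required: str = "FALSE"    # site-wide limit for constraint REQUIRED
    # exemptions: (node, username) -> {"PROHIBITED": value, "REQUIRED": value}
    exemptions: dict = field(default_factory=dict)

def effective_limit(test, constraint, node, username):
    """An exemption for (node, username) overrides the site-wide limit."""
    override = test.exemptions.get((node, username), {})
    return override.get(constraint, getattr(test, constraint.lower()))

def enforced(value, supported):
    """Whether a limit value applies on a node that does (not) support the feature."""
    if value == "TRUE":
        return True
    if value == "TRY":
        return supported
    return False

def check_flag(test, node, username, flags, vms_version):
    """Return violation strings for one username on one node.

    flags is the set of flag names set on the SYSUAF record. A node too old for
    the feature is treated as having it disabled, which is why PROHIBITED=TRUE
    reports such nodes and PROHIBITED=TRY does not.
    """
    supported = vms_version >= test.min_version
    disabled = test.flag in flags or not supported
    violations = []
    if disabled and enforced(effective_limit(test, "PROHIBITED", node, username), supported):
        violations.append(f"{test.name} PROHIBITED on {node}::{username}")
    if not disabled and enforced(effective_limit(test, "REQUIRED", node, username), supported):
        violations.append(f"{test.name} REQUIRED on {node}::{username}")
    return violations

# Constructed sample: the manual's default DISPWDFCHG policy (PROHIBITED = TRY),
# with one exempted username on a node named LEGACY (assumed names).
DISPWDFCHG = FlagTest("DISPWDFCHG", "DISFORCE_EXP_PWD_CHANGE", (5, 0), prohibited="TRY",
                      exemptions={("LEGACY", "OPERATOR"): {"PROHIBITED": "FALSE"}})
```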

DISPWDHIS

Determine whether disabling of password history screening conforms to policy.

Violation reports

Constraint   Nature of the violation
PROHIBITED   Password history screening is disabled in violation of policy
REQUIRED     Password history screening is enabled in violation of policy

Description

Password history screening is an important technique for preventing reuse of passwords by users. This test checks whether such screening is in force.

Default policy

Disabling the password history screening is prohibited.

Customizing

If there is a strong reason for allowing use of versions of VMS earlier than VMS V5.4 at your site, you may wish to establish exemptions giving the PROHIBITED constraint the value TRY rather than TRUE on those nodes.

There is virtually no security-acceptable reason for allowing password history screening to be disabled on versions of VMS which are capable of it, but the customization capability is provided.

Limits

Constraint   Value                Default
PROHIBITED   FALSE, TRUE or TRY   TRUE
REQUIRED     FALSE or TRUE        FALSE

Exemptions

Constraint   Value                Parameters
PROHIBITED   FALSE, TRUE or TRY   <node>, <username>
REQUIRED     FALSE or TRUE        <node>, <username>

Practical considerations

Password history screening only works for password choices made with the SET PASSWORD command. It does not prevent privileged users from selecting a previously used password for themselves or another user with the AUTHORIZE utility.

DISRECON

Determine whether disabling of reconnection conforms to policy.

Violation reports

Constraint   Nature of the violation
PROHIBITED   Reconnection is disabled in violation of policy
REQUIRED     Reconnection is not disabled in violation of policy

Description

Individual usernames can be prohibited from reconnecting to detached processes. The ability to reconnect (provided by the VMS virtual terminal mechanism) is generally viewed as a continuity of service feature. In cases where a single username might have multiple interactive jobs at the same time, prohibiting reconnection might be appropriate in order to avoid confusion.

Default policy

Disabling of reconnection is neither prohibited nor required.

Customizing

Setting limits in combination with exemptions can be used to PROHIBIT or REQUIRE reconnection capability for particular usernames.

Limits

Constraint   Value           Default
PROHIBITED   FALSE or TRUE   FALSE
REQUIRED     FALSE or TRUE   FALSE

Exemptions

Constraint   Value           Parameters
PROHIBITED   FALSE or TRUE   <node>, <username>
REQUIRED     FALSE or TRUE   <node>, <username>

Practical considerations

If allowing reconnection would cause confusion due to sharing of usernames between individuals, it is that sharing which should be addressed. If multiple individuals have identical access requirements, they can be assigned separate usernames with identical characteristics (including UIC) while preserving separate passwords and process accountability.

DISREPORT

Determine whether disabling reporting of last login conforms to policy.

Violation reports

Constraint   Nature of the violation
PROHIBITED   Reporting last login is disabled in violation of policy
REQUIRED     Reporting last login is enabled in violation of policy

Description

Reporting of last login time is an important technique for detecting unauthorized use of usernames (since only the authorized individual is in a position to know the proper last login).

Default policy

Disabling the reporting of last login is prohibited.

Customizing

There is virtually no security-acceptable reason for disabling this notification, but like all tests, the customization capability is provided.

Limits

Constraint   Value           Default
PROHIBITED   FALSE or TRUE   TRUE
REQUIRED     FALSE or TRUE   FALSE

Exemptions

Constraint   Value           Parameters
PROHIBITED   FALSE or TRUE   <node>, <username>
REQUIRED     FALSE or TRUE   <node>, <username>

Practical considerations

This notification is of no use unless end users are trained to report suspicious incidents. Setting a false "last login" value through system programming can be used to test whether end users are in fact going to report such incidents.

DISPWDSYNC

Determine whether password synchronization into VMS conforms to policy.

Violation reports

Constraint   Nature of the violation
PROHIBITED   Password synchronization into VMS is enabled in violation of policy
REQUIRED     Password synchronization into VMS is disabled in violation of policy

Description

The DISPWDSYNC authorization flag indicates that the passwords used to authenticate to non-VMS ACME agents should be stored by the VMS ACME into SYSUAF for future use in VMS-only authentication.

Default policy

Password synchronization is neither required nor prohibited.

Customizing

Use these tests to match how you use external authentication.

Limits

Constraint   Value           Default
PROHIBITED   FALSE or TRUE   FALSE
REQUIRED     FALSE or TRUE   FALSE

Exemptions

Constraint   Value           Parameters
PROHIBITED   FALSE or TRUE   <node>, <username>
REQUIRED     FALSE or TRUE   <node>, <username>

Practical considerations

If you do not use external authentication, ignore this element.

DISUSER

Determine whether disabling of username conforms to policy.

Violation reports

Constraint   Nature of the violation
PROHIBITED   Username is disabled in violation of policy
REQUIRED     Username is not disabled in violation of policy

Description

The DISUSER flag applied to a username entry in the authorization file prevents logins under the username.

Default policy

Disabling of a username is neither prohibited nor required.

Customizing

Customization here can be used to track usernames as outlined in Section 11.2, Tracking Usernames.

Limits

Constraint   Value           Default
PROHIBITED   FALSE or TRUE   FALSE
REQUIRED     FALSE or TRUE   FALSE

Exemptions

Constraint   Value           Parameters
PROHIBITED   FALSE or TRUE   <node>, <username>
REQUIRED     FALSE or TRUE   <node>, <username>

Practical considerations

Rather than removing usernames from the authorization file, many system administrators prefer to set the DISUSER flag, so that any attempts against those usernames will include the username in the accounting file. If a username is not on the system at all, it is not included in the accounting file record of a login failure.

DISWELCOME

Determine whether disabling welcome message conforms to policy.

Violation reports

Constraint   Nature of the violation
PROHIBITED   Display of welcome message is disabled in violation of policy
REQUIRED     Display of welcome message is enabled in violation of policy

Description

Disabling the welcome message from being displayed to particular usernames can be a security hazard if that message is typically used to alert users to security-relevant information.

Default policy

Disabling the welcome message is prohibited.

Customizing

Disabling the Welcome message may be acceptable if it is not used for security-relevant information.

Limits

Constraint   Value           Default
PROHIBITED   FALSE or TRUE   TRUE
REQUIRED     FALSE or TRUE   FALSE

Exemptions

Constraint   Value           Parameters
PROHIBITED   FALSE or TRUE   <node>, <username>
REQUIRED     FALSE or TRUE   <node>, <username>

Practical considerations

The Welcome message (received after successful login) should not be confused with the Announce message (received just before the username prompt). Since the username is not known at the time the Announce message is issued, there is no way to tailor the Announce message on a per-username basis.

EXPIRATION

Determine whether expiration of username conforms to policy.

Violation reports

Constraint   Nature of the violation
RELATIVHI    Username expiration is too far away in violation of policy
RELTEMPHI    Username expiration is too far away in violation of policy
RELATIVLO    Username expiration is too soon in violation of policy

Description

Usernames which have expiration dates very far in the future will possibly escape periodic review by appropriate authorities to determine if the usernames are still needed.

Usernames which expire very soon are presumably overdue for management review. If such usernames are allowed to expire when they are still needed, the result will be increased user hostility toward security concerns in general.

The constraints RELATIVHI and RELTEMPHI are equivalent in function but intended for different use. The intent is that RELTEMPHI be set to the maximum lifetime of usernames an organization defines as "temporary". The normal long-term (nothing is "permanent") usernames would each receive an exemption from the RELTEMPHI test.

Default policy

Usernames must have a remaining lifetime between 30 and 1000 days. The constraint RELTEMPHI has a value of 1000, providing no difference from constraint RELATIVHI for organizations that do not create temporary usernames.

Customizing

The default RELATIVLO limit should be changed if you have a different need for warning about expiring usernames. Exemptions are probably in order for the SYSTEM username.

A limit or exemption with a value of zero means there is no value which is considered unacceptable.

Limits

Constraint   Value           Default
RELATIVHI    0 to n (days)   1000
RELTEMPHI    0 to n (days)   1000
RELATIVLO    0 to n (days)   30

Exemptions

Constraint   Value           Parameters
RELATIVHI    0 to n (days)   <node>, <username>
RELTEMPHI    0 to n (days)   <node>, <username>
RELATIVLO    0 to n (days)   <node>, <username>

Practical considerations

Limited username lifetime will only be acceptable if you provide timely notification in advance of expiration to those who might care if a username becomes unavailable.
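As an added example (not the manual's or LJK/Security's own code), the following Python evaluates the RELATIVHI, RELTEMPHI and RELATIVLO constraints described above, including the rule that a value of zero disables a constraint and the suggested exemptions for long-term usernames and SYSTEM; the function names, the 90-day temporary-username limit, the ISO date format and the node and username values are assumptions.

```python
from datetime import date

# Added example (not LJK/Security code): evaluates the EXPIRATION test's
# RELATIVHI, RELTEMPHI and RELATIVLO constraints against a username's
# expiration date. Per the manual, a limit or exemption value of 0 means
# no remaining lifetime is considered unacceptable.

# The manual's defaults: remaining lifetime between 30 and 1000 days.
DEFAULT_LIMITS = {"RELATIVHI": 1000, "RELTEMPHI": 1000, "RELATIVLO": 30}

def limits_for(node, username, limits, exemptions):
    """Site-wide limits, overridden per (node, username) by any exemption."""
    merged = dict(limits)
    merged.update(exemptions.get((node, username), {}))
    return merged

def check_expiration(node, username, expires, today,
                     limits=DEFAULT_LIMITS, exemptions=None):
    """Return the names of the constraints a username's expiration violates.

    expires and today are ISO dates (YYYY-MM-DD, an assumed input format);
    remaining lifetime is measured in whole days, as the Limits table is.
    """
    lim = limits_for(node, username, limits, exemptions or {})
    remaining = (date.fromisoformat(expires) - date.fromisoformat(today)).days
    violated = []
    for name in ("RELATIVHI", "RELTEMPHI"):  # expiration too far away
        if lim[name] and remaining > lim[name]:
            violated.append(name)
    if lim["RELATIVLO"] and remaining < lim["RELATIVLO"]:  # expiration too soon
        violated.append("RELATIVLO")
    return violated

# Constructed site policy (assumed values): temporary usernames may live at
# most 90 days; long-term usernames are exempted from RELTEMPHI with the
# value 0, and SYSTEM is also exempted from the RELATIVLO warning, as the
# Customizing text suggests.
SITE_LIMITS = {"RELATIVHI": 1000, "RELTEMPHI": 90, "RELATIVLO": 30}
SITE_EXEMPTIONS = {
    ("ALPHA", "SMITH"): {"RELTEMPHI": 0},
    ("ALPHA", "SYSTEM"): {"RELTEMPHI": 0, "RELATIVLO": 0},
}

def audit(records, today, limits=SITE_LIMITS, exemptions=SITE_EXEMPTIONS):
    """records: (node, username, expiration) triples -> {"node::user": violations}."""
    return {f"{node}::{user}": check_expiration(node, user, exp, today, limits, exemptions)
            for node, user, exp in records}
```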

EXTAUTH

Determine whether external authentication conforms to policy.

Violation reports

Constraint   Nature of the violation
PROHIBITED   External authentication is enabled in violation of policy
REQUIRED     External authentication is disabled in violation of policy

Description

The EXTAUTH authorization flag indicates that non-VMS ACME agents are allowed to authenticate this user.

Default policy

External authentication is neither required nor prohibited.

Customizing

Use these tests to match how you use external authentication.

Limits

Constraint   Value           Default
PROHIBITED   FALSE or TRUE   FALSE
REQUIRED     FALSE or TRUE   FALSE

Exemptions

Constraint   Value           Parameters
PROHIBITED   FALSE or TRUE   <node>, <username>
REQUIRED     FALSE or TRUE   <node>, <username>

Practical considerations

If you do not use external authentication, ignore this element.

