Determine whether disabling of Mail delivery conforms to policy.
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Mail delivery is disabled in violation of policy |
| REQUIRED | Mail delivery is enabled in violation of policy |
If local practice is to use VMSmail to distribute security-related notices, prohibiting mail delivery to certain usernames is counter to security interests.
Default policy: Disabling of mail delivery is prohibited.
Customizing: Customize here if you have users who are not permitted access to the VMSmail program.
Selector:
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | TRUE |
| REQUIRED | FALSE or TRUE | FALSE |
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>, <username> |
| REQUIRED | FALSE or TRUE | <node>, <username> |
Mail delivery should also be disabled for any users who have unlimited disk quota on their login disk.
Determine whether the number of Usernames with OPER (but no higher) privilege conforms to policy.
| Constraint | Nature of the violation |
|---|---|
| TOOFEW | The number of simple operators compared to other privileged users is lower than policy maximum |
The test associated with the TOOFEW constraint determines whether the number of Usernames with OPER (but no higher) privilege conforms to policy.
Default policy: The minimum number of usernames with OPER but no higher privilege is 2.
Customizing: Adjust this number higher for heavy production environments.
Selector:
| Constraint | Value | Default |
|---|---|---|
| TOOFEW | 0-n | 2 |
| Constraint | Value | Parameters |
|---|---|---|
| TOOFEW | 0-n | <node>, <username> |
Determine whether the allocation of Usernames to various owners conforms to policy.
| Constraint | Nature of the violation |
|---|---|
| DIGITSPACE | Owner of a username has neither spaces between characters nor digits in violation of policy |
| MAINTAINED | Owner of a username is blank in violation of policy |
| NONPRIVMAX | Number of nonprivileged usernames for a single owner exceeds maximum |
| NONPRIVMIN | Number of nonprivileged usernames for a single owner is less than minimum |
| PRIVMAX | Number of privileged usernames for a single owner exceeds maximum |
| PRIVMIN | Number of privileged usernames for a single owner is less than minimum |
Tests in this element determine whether the maintenance of the "owner" field in the SYSUAF file and the assignment of usernames to distinct owners conforms to policy.
Default policy: Owner names are maintained and each owner can have at most one privileged Username and ten non-privileged usernames.
Customizing: Reduce the limit for constraint NONPRIVMAX where possible.
Selector:
| Constraint | Value | Default |
|---|---|---|
| DIGITSPACE | FALSE or TRUE | TRUE |
| MAINTAINED | FALSE or TRUE | TRUE |
| NONPRIVMAX | 0-n | 10 |
| NONPRIVMIN | 0-n | 0 |
| PRIVMAX | 0-n | 1 |
| PRIVMIN | 0-n | 0 |
| Constraint | Value | Parameters |
|---|---|---|
| DIGITSPACE | FALSE or TRUE | <node>, <username> |
| MAINTAINED | FALSE or TRUE | <node>, <username> |
| NONPRIVMAX | 0-n | <node>, <username> |
| NONPRIVMIN | 0-n | <node>, <username> |
| PRIVMAX | 0-n | <node>, <username> |
| PRIVMIN | 0-n | <node>, <username> |
For the numeric constraints in this element, tests ignore usernames that are allowed no more than Batch access. This takes care of usernames created by layered products.
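The owner tests described above, sketched in Python as an added example (not the product's own code). The record layout, the sample accounts, the rule that any privilege beyond TMPMBX and NETMBX makes a username privileged, and the case-insensitive grouping of owners are assumptions made for illustration.

```python
from collections import defaultdict

# Default limits from the table above.
LIMITS = {"DIGITSPACE": True, "MAINTAINED": True,
          "NONPRIVMAX": 10, "NONPRIVMIN": 0, "PRIVMAX": 1, "PRIVMIN": 0}
NORMAL_PRIVS = {"TMPMBX", "NETMBX"}  # assumption: anything beyond these is "privileged"

# Constructed sample records: (username, owner, authorized privileges, access types).
SAMPLE_UAF = [
    ("SYSTEM",   "SYSTEM MANAGER", {"SETPRV", "SYSPRV"}, {"INTERACTIVE", "BATCH"}),
    ("JSMITH",   "Jane Smith",     {"TMPMBX", "NETMBX"}, {"INTERACTIVE", "BATCH"}),
    ("JSMITH_P", "Jane Smith",     {"OPER", "TMPMBX"},   {"INTERACTIVE"}),
    ("JSMITH_S", "Jane Smith",     {"SYSPRV"},           {"INTERACTIVE"}),
    ("TEMP1",    "",               {"TMPMBX"},           {"INTERACTIVE"}),
    ("OPS",      "Operations",     {"TMPMBX"},           {"INTERACTIVE"}),
    ("LP$BATCH", "Layered Prod",   {"CMKRNL"},           {"BATCH"}),
    ("LP$QUEUE", "Layered Prod",   {"CMKRNL"},           {"BATCH"}),
]

def check_owners(records, limits=LIMITS):
    """Return a sorted list of (constraint, subject) violations."""
    violations = []
    counts = defaultdict(lambda: {"priv": 0, "nonpriv": 0})
    for username, owner, privs, access in records:
        owner = owner.strip()
        if not owner:
            if limits["MAINTAINED"]:
                violations.append(("MAINTAINED", username))
            continue  # assumption: a blank owner is not counted as an owner
        has_digit = any(c.isdigit() for c in owner)
        if limits["DIGITSPACE"] and " " not in owner and not has_digit:
            violations.append(("DIGITSPACE", username))
        if access <= {"BATCH"}:
            continue  # numeric tests ignore usernames allowed no more than Batch access
        kind = "priv" if privs - NORMAL_PRIVS else "nonpriv"
        counts[owner.upper()][kind] += 1
    for owner, n in counts.items():
        for kind, prefix in (("priv", "PRIV"), ("nonpriv", "NONPRIV")):
            if n[kind] > limits[prefix + "MAX"]:
                violations.append((prefix + "MAX", owner))
            if n[kind] < limits[prefix + "MIN"]:
                violations.append((prefix + "MIN", owner))
    return sorted(violations)

if __name__ == "__main__":
    for constraint, subject in check_owners(SAMPLE_UAF):
        print(constraint, subject)
```

The two batch-only layered-product usernames share an owner and both hold CMKRNL, yet they raise no PRIVMAX violation because the numeric tests skip them.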
Determine whether base process priority conforms to policy.
| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | Base process priority is lower than allowed by policy |
| ABSOLUTHI | Base process priority is lower than allowed by policy |
If base process priority for a username is higher or lower than that for other usernames (generally 4), denial of service hazards are created.
Default policy: Base process priority must be 4.
Customizing: Different base priorities for different users can lead to severe performance problems.
Selector:
| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | 0-31 | 4 |
| ABSOLUTHI | 0-31 | 4 |
| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | 0-31 | <node>, <username> |
| ABSOLUTHI | 0-31 | <node>, <username> |
Ensure that privileges held by individual usernames are acceptable.
| Constraint | Nature of the violation |
|---|---|
| AUTHAUDIT | Username with a particular authorized privilege is not set to audit all action in violation of policy |
| AUTHREQUIR | Username lacks authorization for privilege |
| AUTHPROHIB | Username has authorization for privilege |
| DEFAUDIT | Username with a particular default privilege is not set to audit all action in violation of policy |
| DEFREQUIR | Username lacks default privilege |
| DEFPROHIB | Username has default privilege |
| NOIMPLICIT | Each username allowed Interactive or Network access has a UIC greater than MAXSYSGROUP |
Privileged users can disrupt system operations in many ways. The system User Authorization File (SYSUAF) specifies any privileges granted to usernames.
Default policy: No privileges are required or prohibited by this test element, because equivalent tests are performed under test element PRIVLEVEL.
Customizing: The tests under element PRIVLEVEL are sufficient to express simpler limitations based on privilege level.
Even if a user is authorized to use privileges, they generally should not be enabled by default. The system User Authorization File contains two lists of privileges for each username: those which are enabled by default and those which the user is entitled to enable by use of the SET PROCESS/PRIVILEGE= command.
The purpose of this test is to ensure that the default and authorized privileges for each user comply with organization-wide security policy.
Implicit SYSPRV (due to a low UIC group) is not considered as SYSPRV under element UAF_PRIVILEGE, but is considered such under element UAF_PRIVLEVEL.
If a more complicated selection of privileges is required, it may be necessary to use the tests under element PRIVILEGE.
You should add exemptions for usernames which are supposed to have privilege, such as SYSTEM.
Selector: Limits and exemptions for this element can take a selector consisting of a privilege name. Thus, each can be set once for each possible privilege. Using the Command Interface, if you do not specify a selector when changing limits or exemptions, your change applies to all privileges.
| Constraint | Value | Default |
|---|---|---|
| AUTHAUDIT | FALSE or TRUE | FALSE |
| AUTHREQUIR | FALSE or TRUE | FALSE |
| AUTHPROHIB | FALSE or TRUE | FALSE |
| DEFAUDIT | FALSE or TRUE | FALSE |
| DEFREQUIR | FALSE or TRUE | FALSE |
| DEFPROHIB | FALSE or TRUE | FALSE |
| NOIMPLICIT | FALSE or TRUE | TRUE |
| Constraint | Value | Parameters |
|---|---|---|
| AUTHAUDIT | FALSE or TRUE | <node>, <username> |
| AUTHREQUIR | FALSE or TRUE | <node>, <username> |
| AUTHPROHIB | FALSE or TRUE | <node>, <username> |
| DEFAUDIT | FALSE or TRUE | <node>, <username> |
| DEFREQUIR | FALSE or TRUE | <node>, <username> |
| DEFPROHIB | FALSE or TRUE | <node>, <username> |
| NOIMPLICIT | FALSE or TRUE | <node>, <username> |
Ensure that privilege levels of individual usernames are acceptable.
| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | Lower than minimum in the policy |
| ABSOLUTHI | Higher than maximum in the policy |
| ACCESSMAX | Higher than allowed for a permitted process type |
| ACCESSMIN | Lower than required for a permitted process type |
Privilege levels (categories) provide a simple codification as to the level of power granted by various VMS privileges.
Default policy: By default, the privilege level NONE is the minimum allowed (meaning no restriction) and the privilege level NORMAL is the maximum allowed (allowing the holding of TMPMBX and NETMBX).
Customizing: The tests under element PRIVLEVEL are sufficient to express simpler limitations based on privilege level.
The purpose of these tests is to ensure that the privilege level granted to each user complies with organization-wide security policy. This test compares the level for each authorized username against the limit set in the policy in two ways:
- directly under constraints ABSOLUTLO and ABSOLUTHI
- according to access granted under constraints ACCESSMAX and ACCESSMIN
Implicit SYSPRV (due to a low UIC group) is not considered as SYSPRV under element UAF_PRIVILEGE, but is considered such under element UAF_PRIVLEVEL.
If a more complicated selection of privileges is required, it may be necessary to use the tests under element PRIVILEGE.
You should establish exemptions for usernames which are authorized higher levels of privilege, such as SYSTEM.
Selector:
| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | Category-None to Category-All | Category-None |
| ABSOLUTHI | Category-None to Category-All | Category-Normal |
| ACCESSMAX | Category-None to Category-All | Category-Normal |
| ACCESSMIN | Category-None to Category-All | Category-Normal |
* Higher value for privileges other than TMPMBX and NETMBX and levels above NORMAL.
| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | Category-None to Category-All | <node>, <username> |
| ABSOLUTHI | Category-None to Category-All | <node>, <username> |
| ACCESSMAX | Category-None to Category-All | <node>, <username> |
| ACCESSMIN | Category-None to Category-All | <node>, <username> |
Ensure that the ability of privileged users to log in over LAT conforms to policy.
| Constraint | Nature of the violation |
|---|---|
| PRIVPROHIB | Login with privilege permitted in violation of policy |
| ABSOLUTHI | Login with privilege permitted in violation of policy |
When users are allowed to log in over LAT terminals, their passwords can be read by any station on the Ethernet through the use of promiscuous mode. If privileged users are allowed to log in over LAT terminals, compromise of their password can threaten the security of the entire system.
Default policy: All privileges except for NETMBX and TMPMBX are prohibited from being either held by default or authorized.
Customizing: If an Ethernet is entirely protected by encryption hardware (e.g., DESNC), setting these limits FALSE can be done with reduced hazard, depending on how well terminal server serial lines are protected.
Selector: Limits and exemptions for test PRIVPROHIB can take a selector consisting of a privilege name. Thus, it can be set once for each possible privilege. When using the Command Interface, if you do not specify a selector when changing the limit or exemptions, your change applies to all privileges.
These tests determine whether user authorization access masks, in combination with terminal DIALUP indications, prohibit privileged users from logging in over LAT terminals.
Such a scheme is only effective if one of the following conditions is true:
- DECnet is not running on the node
- NETMBX privilege is prohibited by these tests
- Elements PRIVLGINET and PRIVLGIREM prohibit all privileges prohibited by element PRIVLGILAT
This is because once a process is logged in, it could be used to initiate a further DECnet connection, resulting in transmission of a password in the clear.
In addition to terminals served by the LAT terminal port driver supplied as part of VMS (devices named LTAn), this test also includes terminals served by older terminal drivers used by products from Pacer Software (devices named PCLn) and from Xyplex (devices named TTP).
| Constraint | Value | Default |
|---|---|---|
| PRIVPROHIB | FALSE or TRUE | FALSE |
| ABSOLUTHI | Category-None to Category-All | Category-Normal |
| Constraint | Value | Parameters |
|---|---|---|
| PRIVPROHIB | FALSE or TRUE | <node>,<filespec> |
| ABSOLUTHI | Category-None to Category-All | <node>, <username> |
For information on controlling the UCB "dialup" bit, consult Section H.3, Changing Template Terminal UCB Characteristics.