LJK/Security Reference Manual
QUEPRIO
Determine whether a username's maximum queue priority conforms to
policy.
Violation reports
| Constraint |
Nature of the violation |
|
ABSOLUTLO
|
Username's maximum queue priority is lower than permitted by policy
|
|
ABSOLUTHI
|
Username's maximum queue priority is higher than permitted by policy
|
Description
Intended to store a username's maximum queue priority, this field is
not actually used by current values of VMS.
Default policy Defaults are a minimum of 0 and a maximum of 4, to
correspond to the values which happen to be left in the field by the
VMS utility AUTHORIZE. Customizing No customization should be
necessary. selector Limits
| Constraint |
Value |
Default |
|
ABSOLUTLO
|
0---255
|
0
|
|
ABSOLUTHI
|
0---255
|
4
|
Exemptions
| Constraint |
Value |
Parameters |
|
ABSOLUTLO
|
0---255
|
<node>, <username>
|
|
ABSOLUTHI
|
0---255
|
<node>, <username>
|
Practical considerations
This test exists in case later versions of VMS make use of the
authorization field. �
RESTRICTED
Determine whether designation as restricted account conforms to policy.
Violation reports
| Constraint |
Nature of the violation |
|
PROHIBITED
|
Restricted flag is enabled in violation of policy
|
|
REQUIRED
|
Restricted flag is disabled in violation of policy
|
Description
The RESTRICTED authorization flag prevents a user from avoiding a login
command procedure by disabling some techniques commonly used to escape
such procedures.
Default policy Restricted flag is neither prohibited nor required.
Customizing Set limit REQUIRED to be TRUE to force
restriction in general. Add exemptions to allow
particular usernames to avoid restriction.
Set limit REQUIRED to be TRY to force restriction only
on those versions of VMS where the RESTRICTED flag is supported (VMS
version 5.2 and greater).
selector
Limits
| Constraint |
Value |
Default |
|
PROHIBITED
|
FALSE or TRUE
|
FALSE
|
|
REQUIRED
|
FALSE, TRUE or TRY
|
FALSE
|
Exemptions
| Constraint |
Value |
Parameters |
|
PROHIBITED
|
FALSE or TRUE
|
<node>,<username>
|
|
REQUIRED
|
FALSE, TRUE or TRY
|
<node>,<username>
|
Practical considerations
The RESTRICTED flag is implemented effective with VMS Version 5.2. For
the future its purpose is to maintain the user in a confined
environment until all login command procedures have executed, while the
purpose of the CAPTIVE flag is to maintain the user in a confined
environment throughout a session. �
UICPRIV
Ensure usernames with different privileges do not share UICs.
Violation reports
| Constraint |
Nature of the violation |
|
PRIVPROHIB
|
Username sharing UIC with one more privileged
|
|
ABSOLUTHI
|
Username sharing UIC with one more privileged
|
Description
If a username shares a UIC with another username which has more
privilege, it can readily subvert the privileges of the more privileged
username by tactics such as changing the login command file.
Default policy Any difference in privilege between two usernames
sharing a UIC is prohibited. Customizing RELAXATION of the default
limits or establishment of exemptions
for these tests should only be done after an
extremely thorough security review.
The test ABSOLUTHI is sufficient to express simpler
limitations based on privilege level.
If a more complicated selection of privileges is required, it may be
necessary to use the test PRIVPROHIB. selector
Limits and exemptions for
test PRIVPROHIB can take a selector
consisting of a privilege name.
Thus, each can be set once for each possible privilege. When using the
Command Interface if you do not specify a selector
when changing the limit or exemptions
your change applies to all privileges.
Limits
| Constraint |
Value |
Default |
|
PRIVPROHIB
|
FALSE or TRUE
|
FALSE
|
|
ABSOLUTHI
|
Category-None---Category-All
|
Category-None
|
Exemptions
| Constraint |
Value |
Parameters |
|
PRIVPROHIB
|
FALSE or TRUE
|
<node>,<filespec>
|
|
ABSOLUTHI
|
Category-None---Category-All
|
<node>, <username>
|
Practical considerations Users who wish to simulate a less privileged
environment can do so with a SET PRIVILEGE command followed by SPAWN.
If a more complicated selection of privileges is required, it may be
necessary to use the test PRIVPROHIB. �
UICSHARE
Ensure the number of usernames sharing a UIC does not exceed policy
maximum.
Violation reports
| Constraint |
Nature of the violation |
|
ABSOLUTHI
|
Username sharing UIC with more than permitted
|
Description
Sharing UICs without reason is a security exposure, while UICs must be
shared in some cases (e.g., identical functions on multiple shifts).
This test compares the number of usernames sharing a
UIC with an organization-specific maximum.
Default policy A maximum of 5 usernames can share a UIC. Customizing
Any exemption must be set up for all
usernames sharing a UIC. The tightest restriction that can be set is a
value of 1, since each username at least share it's UIC with itself.
A limit or exemption with a value of zero means there is no value which
is considered unacceptable. selector
Limits
| Constraint |
Value |
Default |
|
ABSOLUTHI
|
0-n
|
5
|
Exemptions
| Constraint |
Value |
Parameters |
|
ABSOLUTHI
|
0-n
|
<node>, <username>
|
Practical considerations Sharing UICs can actually be of security
benefit, in cases where it is applied to users of a common application
who would otherwise share a username and password. For existing
applications with built-in limitations, UIC sharing can sometimes be
the only recourse until the application is replaced. �
USRDATOFF
Determine whether presence of site-specific UAF data area conforms to
policy.
Violation reports
| Constraint |
Nature of the violation |
|
PROHIBITED
|
Site-specific UAF data is present in violation of policy
|
|
REQUIRED
|
Site-specific UAF data is absent in violation of policy
|
Description
Some sites use this optional area of the authorization file records to
store authorized data (including security-relevant data in some cases).
Attackers have been known to use this area to store data associated with
their breakin efforts.
As a result, each site should ensure that the presence or absence of
this field matches their intent.
Default policy Existence of a site-specific UAF data area is
prohibited. Customizing Modify both limits if you use
the data area on all your nodes. Exemptions should be
only on a node-by-node basis with a wildcard "*" for username
since information only maintained for certain usernames can be kept in
another file. selector Limits
| Constraint |
Value |
Default |
|
PROHIBITED
|
FALSE or TRUE
|
TRUE
|
|
REQUIRED
|
FALSE or TRUE
|
FALSE
|
Exemptions
| Constraint |
Value |
Parameters |
|
PROHIBITED
|
FALSE or TRUE
|
<node>, <username>
|
|
REQUIRED
|
FALSE or TRUE
|
<node>, <username>
|
Practical considerations If a site uses the site-specific data field,
regular program runs should be made to ensure the field is being used
only for its authorized purpose. �
VMSAUTH
Determine whether ability of user to avoid external authentication
conforms to policy.
Violation reports
| Constraint |
Nature of the violation |
|
PROHIBITED
|
User is allowed to avoid external authentication in violation of policy
|
|
REQUIRED
|
User is not allowed to avoid external authentication in violation of
policy
|
Description
The VMSAUTH authorization flag indicates that the user can choose to
authenticate directly to the VMS ACME Agent.
Default policy The ability of the user to avoid external authentication
is neither required nor prohibited. Customizing This capability should
be available to system managers for troubleshooting. selector
Limits
| Constraint |
Value |
Default |
|
PROHIBITED
|
FALSE or TRUE
|
TRUE
|
|
REQUIRED
|
FALSE or TRUE
|
FALSE
|
Exemptions
| Constraint |
Value |
Parameters |
|
PROHIBITED
|
FALSE or TRUE
|
<node>, <username>
|
|
REQUIRED
|
FALSE or TRUE
|
<node>, <username>
|
Practical considerations Unskilled users can get themselves confused
with this capability by losing password synchronization between
multiple ACME Agents. �
6.9 USAGE tests
Tests in the USAGE facility deal with all USAGEs,
although some give different treatment to disks
and terminals (for which there are separate tests).
Exemptions are based on node name and
one of
- Absolute Time (dd-mmm-yyyy:hh:mm:ss.hh)
- Earliest Time ("<"dd-mmm-yyyy:hh:mm:ss.hh)
�
ASSESSMENT
Ensure frequency of past security assessments conforms to policy.
Violation reports
| Constraint |
Nature of the violation |
|
CERTIFY
|
Two consecutive assessments for the selected facility or
pseudo-facility were separated by more than the maximum interval
|
|
CLUSTER
|
Most recent assessment of another cluster member for the selected
facility or pseudo-facility is longer ago than the maximum interval
|
|
CONTINUING
|
Two consecutive assessments for the selected facility or
pseudo-facility were separated by more than the maximum interval
|
|
PERIODIC
|
Two consecutive assessments for the selected facility or
pseudo-facility were separated by more than the maximum interval
|
Description
The tests for this element determine
whether the intervals between past assessments conform to policy. The
tests for each of the constraints
have different purposes:
- CERTIFY - The assessment for the periodic certification and
accreditation
- CLUSTER - Most recent assessment of another cluster member
The
nature of a VMS cluster is such that all members are necessarily part
of the same security domain and thus must be subject to the same
standards.
- CONTINUING - Ongoing assessments
FISMA documentation calls this
"continuous monitoring" under CA-7
while DoD Instruction 8500.2 calls it "vulnerability
assessment"
under control VIVM-1.
- PERIODIC - An assessment less frequent that CONTINUING but
potentially more through
FISMA documentation calls this
"security assessment" under CA-2
while DoD Instruction 8500.2 calls it "conformance testing"
under control ECMT-1 or ECMT-2.
The CLUSTER constraint is the only one whose
test is different. It covers just the most recent
assessment while the others go back in history. The
others could be used for different purposes than described in this
documentation, at the risk of confusing the successor of those who make
such a change.
Default policy The most frequent interval is one day for quick
facilities and seven days for slow facilities. Customizing A more
aggressive approach than the default would be to have a time interval
of 1 hour for quick facilities and one day for slow facilities (DISK
and USAGE). selector
Limits and exemptions for
test PRIVPROHIB can take a selector
consisting of a facility or pseudo-facility name.
Thus, each can be set once for each possible facility or
pseudo-facility. When using the Command Interface if you do not specify
a selector when changing the limit or
exemptions your change applies to all facility and
pseudo-facilities.
Limits
| Constraint |
Value |
Default |
|
CERTIFY
|
time-interval
|
9999 days
|
|
CLUSTER
|
time-interval
|
one day for quick facilities, seven days for slow facilities
|
|
CONTINUING
|
time-interval
|
one day for quick facilities, seven days for slow facilities
|
|
PERIODIC
|
time-interval
|
one year
|
Exemptions
| Constraint |
Value |
Parameters |
|
CERTIFY
|
time-interval
|
<node>,<absolute-time> or <earliest-time>
|
|
CLUSTER
|
time-interval
|
<node>,<absolute-time> or <earliest-time>
|
|
CONTINUING
|
time-interval
|
<node>,<absolute-time> or <earliest-time>
|
|
PERIODIC
|
time-interval
|
<node>,<absolute-time> or <earliest-time>
|
Practical considerations Adding exemptions based on
earliest-time may be appropriate for situations where use of
product is introduced late in the game. The
earliest-time specified cannot be later than the time at which the
exemption is added. �
DISKMOUNT
Ensure that only authorized disks have been mounted.
Violation reports
| Constraint |
Nature of the violation |
|
GRPFORBID
|
Unauthorized disk was mounted /GROUP
|
|
SYSFORBID
|
Unauthorized disk was mounted /SYSTEM
|
|
USERFORBID
|
Unauthorized disk was mounted privately
|
Description
These tests ensure than any previously mounted disks had authorized
names (as indicated by the presence of an exemption).
Default policy By default (USAGE,DISKMOUNT,*) tests are not enabled.
Customizing Exemptions for (DISK,DISKMOUNT,*) tests are also honored
for (USAGE,DISKMOUNT,*) tests. selector Limits
| Constraint |
Value |
Default |
|
GRPFORBID
|
FALSE or TRUE
|
FALSE
|
|
SYSFORBID
|
FALSE or TRUE
|
FALSE
|
|
USERFORBID
|
FALSE or TRUE
|
FALSE
|
Exemptions
| Constraint |
Value |
Parameters |
|
GRPFORBID
|
FALSE or TRUE
|
<node>,<filespec>
|
|
SYSFORBID
|
FALSE or TRUE
|
<node>,<filespec>
|
|
USERFORBID
|
FALSE or TRUE
|
<node>,<filespec>
|
Practical considerations Enable these tests only when also adding
exemptions for (DISK,DISKMOUNT,*). �
DOASSESS
Ensure that separation of Security Assessment from other privileged
duties conforms to policy.
Violation reports
| Constraint |
Nature of the violation |
|
DOAUDIT
|
Intervening Audit Control actions
|
|
DOCONNECT
|
Intervening Connect actions
|
|
DOINSTALL
|
Intervening image install activities
|
|
DOMOUNT
|
Intervening mount actions
|
|
DONCP
|
Intervening Network Management actions
|
|
DOPROCESS
|
Intervening privileged process control actions
|
|
DOSYSGEN
|
Intervening System Parameter changes
|
|
DOTIME
|
Intervening SET TIME actions
|
|
DOUAF
|
Intervening Authorization actions
|
|
DOUSEPRIV
|
Intervening use of privilege for some other purpose
|
Description
The tests for this element determine
separation of duties between Security Assessment and other privileged
security relevant activities conforms to policy.
Each test will detect any case where one of the other
privileged security relevant activities intervenes between two Security
Assessment activities by the same user that are less that a specified
interval apart in time.
Default policy By default, none of the separation of duties tests are
enabled. Customizing Make minor adjustments to suit your environment.
selector Limits
| Constraint |
Value |
Default |
|
DOAUDIT
|
time interval
|
none
|
|
DOCONNECT
|
time interval
|
none
|
|
DOINSTALL
|
time interval
|
none
|
|
DOMOUNT
|
time interval
|
none
|
|
DONCP
|
time interval
|
none
|
|
DOPROCESS
|
time interval
|
none
|
|
DOSYSGEN
|
time interval
|
none
|
|
DOTIME
|
time interval
|
none
|
|
DOUAF
|
time interval
|
none
|
|
DOUSEPRIV
|
time interval
|
none
|
Exemptions
| Constraint |
Value |
Parameters |
|
DOAUDIT
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOCONNECT
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOINSTALL
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOMOUNT
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DONCP
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOPROCESS
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOSYSGEN
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOTIME
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOUAF
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
|
DOUSEPRIV
|
time interval
|
<node>, <absolute-time> or <earliest-time>
|
Practical considerations The (USAGE, DO*) tests are
intended to detect inadequate separation of duties. Do not shoot the
messenger. �