LJK/Security Reference Manual




DOAUDIT

Ensure that separation of Security Audit Control from other privileged duties conforms to policy.

Violation reports

Constraint  Nature of the violation
DOASSESS    Intervening Security Assessment actions
DOCONNECT   Intervening Connect actions
DOINSTALL   Intervening image install activities
DOMOUNT     Intervening mount actions
DONCP       Intervening Network Management actions
DOPROCESS   Intervening privileged process control actions
DOSYSGEN    Intervening System Parameter changes
DOTIME      Intervening SET TIME actions
DOUAF       Intervening Authorization actions
DOUSEPRIV   Intervening use of privilege for some other purpose

Description

The tests for this element determine whether separation of duties between Security Audit Control and other privileged security-relevant activities conforms to policy.

Each test detects any case where one of the other privileged security-relevant activities intervenes between two Security Audit Control activities by the same user that are less than a specified interval apart in time.

Default policy

By default, none of the separation of duties tests are enabled.

Customizing

Make minor adjustments to suit your environment.

Limits

Constraint  Value          Default
DOASSESS    time interval  none
DOCONNECT   time interval  none
DOINSTALL   time interval  none
DOMOUNT     time interval  none
DONCP       time interval  none
DOPROCESS   time interval  none
DOSYSGEN    time interval  none
DOTIME      time interval  none
DOUAF       time interval  none
DOUSEPRIV   time interval  none

Exemptions

Constraint  Value          Parameters
DOASSESS    time interval  <node>, <absolute-time> or <earliest-time>
DOCONNECT   time interval  <node>, <absolute-time> or <earliest-time>
DOINSTALL   time interval  <node>, <absolute-time> or <earliest-time>
DOMOUNT     time interval  <node>, <absolute-time> or <earliest-time>
DONCP       time interval  <node>, <absolute-time> or <earliest-time>
DOPROCESS   time interval  <node>, <absolute-time> or <earliest-time>
DOSYSGEN    time interval  <node>, <absolute-time> or <earliest-time>
DOTIME      time interval  <node>, <absolute-time> or <earliest-time>
DOUAF       time interval  <node>, <absolute-time> or <earliest-time>
DOUSEPRIV   time interval  <node>, <absolute-time> or <earliest-time>

Practical considerations

The (USAGE, DO*) tests are intended to detect inadequate separation of duties. Do not shoot the messenger.

DOCONNECT

Ensure that separation of Network Connection from other privileged duties conforms to policy.

Violation reports

Constraint  Nature of the violation
DOASSESS    Intervening Security Assessment actions
DOAUDIT     Intervening Audit Control actions
DOINSTALL   Intervening image install activities
DOMOUNT     Intervening mount actions
DONCP       Intervening Network Management actions
DOPROCESS   Intervening privileged process control actions
DOSYSGEN    Intervening System Parameter changes
DOTIME      Intervening SET TIME actions
DOUAF       Intervening Authorization actions
DOUSEPRIV   Intervening use of privilege for some other purpose

Description

The tests for this element determine whether separation of duties between Network Connection and other privileged security-relevant activities conforms to policy.

Each test detects any case where one of the other privileged security-relevant activities intervenes between two Network Connection activities by the same user that are less than a specified interval apart in time.

Default policy

By default, none of the separation of duties tests are enabled.

Customizing

Make minor adjustments to suit your environment.

Limits

Constraint  Value          Default
DOASSESS    time interval  none
DOAUDIT     time interval  none
DOINSTALL   time interval  none
DOMOUNT     time interval  none
DONCP       time interval  none
DOPROCESS   time interval  none
DOSYSGEN    time interval  none
DOTIME      time interval  none
DOUAF       time interval  none
DOUSEPRIV   time interval  none

Exemptions

Constraint  Value          Parameters
DOASSESS    time interval  <node>, <absolute-time> or <earliest-time>
DOAUDIT     time interval  <node>, <absolute-time> or <earliest-time>
DOINSTALL   time interval  <node>, <absolute-time> or <earliest-time>
DOMOUNT     time interval  <node>, <absolute-time> or <earliest-time>
DONCP       time interval  <node>, <absolute-time> or <earliest-time>
DOPROCESS   time interval  <node>, <absolute-time> or <earliest-time>
DOSYSGEN    time interval  <node>, <absolute-time> or <earliest-time>
DOTIME      time interval  <node>, <absolute-time> or <earliest-time>
DOUAF       time interval  <node>, <absolute-time> or <earliest-time>
DOUSEPRIV   time interval  <node>, <absolute-time> or <earliest-time>

Practical considerations

The (USAGE, DO*) tests are intended to detect inadequate separation of duties. Do not shoot the messenger.

DOINSTALL

Ensure that separation of Use of the Install Utility from other privileged duties conforms to policy.

Violation reports

Constraint  Nature of the violation
DOASSESS    Intervening Security Assessment actions
DOAUDIT     Intervening Audit Control actions
DOCONNECT   Intervening Connect actions
DOMOUNT     Intervening mount actions
DONCP       Intervening Network Management actions
DOPROCESS   Intervening privileged process control actions
DOSYSGEN    Intervening System Parameter changes
DOTIME      Intervening SET TIME actions
DOUAF       Intervening Authorization actions
DOUSEPRIV   Intervening use of privilege for some other purpose

Description

The tests for this element determine whether separation of duties between Use of the Install Utility and other privileged security-relevant activities conforms to policy.

Each test detects any case where one of the other privileged security-relevant activities intervenes between two Use of the Install Utility activities by the same user that are less than a specified interval apart in time.

Default policy

By default, none of the separation of duties tests are enabled.

Customizing

Make minor adjustments to suit your environment.

Limits

Constraint  Value          Default
DOASSESS    time interval  1 year
DOAUDIT     time interval  1 year
DOCONNECT   time interval  none
DOMOUNT     time interval  none
DONCP       time interval  1 year
DOPROCESS   time interval  none
DOSYSGEN    time interval  none
DOTIME      time interval  none
DOUAF       time interval  1 year
DOUSEPRIV   time interval  none

Exemptions

Constraint  Value          Parameters
DOASSESS    time interval  <node>, <absolute-time> or <earliest-time>
DOAUDIT     time interval  <node>, <absolute-time> or <earliest-time>
DOCONNECT   time interval  <node>, <absolute-time> or <earliest-time>
DOMOUNT     time interval  <node>, <absolute-time> or <earliest-time>
DONCP       time interval  <node>, <absolute-time> or <earliest-time>
DOPROCESS   time interval  <node>, <absolute-time> or <earliest-time>
DOSYSGEN    time interval  <node>, <absolute-time> or <earliest-time>
DOTIME      time interval  <node>, <absolute-time> or <earliest-time>
DOUAF       time interval  <node>, <absolute-time> or <earliest-time>
DOUSEPRIV   time interval  <node>, <absolute-time> or <earliest-time>

Practical considerations

The (USAGE, DO*) tests are intended to detect inadequate separation of duties. Do not shoot the messenger.

DOMOUNT

Ensure that separation of Mount from other privileged duties conforms to policy.

Violation reports

Constraint  Nature of the violation
DOASSESS    Intervening Security Assessment actions
DOAUDIT     Intervening Audit Control actions
DOCONNECT   Intervening Connect actions
DOINSTALL   Intervening image install activities
DONCP       Intervening Network Management actions
DOPROCESS   Intervening privileged process control actions
DOSYSGEN    Intervening System Parameter changes
DOTIME      Intervening SET TIME actions
DOUAF       Intervening Authorization actions
DOUSEPRIV   Intervening use of privilege for some other purpose

Description

The tests for this element determine whether separation of duties between Mount and other privileged security-relevant activities conforms to policy.

Each test detects any case where one of the other privileged security-relevant activities intervenes between two Mount activities by the same user that are less than a specified interval apart in time.

Default policy

By default, none of the separation of duties tests are enabled.

Customizing

Make minor adjustments to suit your environment.

Limits

Constraint  Value          Default
DOASSESS    time interval  none
DOAUDIT     time interval  none
DOCONNECT   time interval  none
DOINSTALL   time interval  none
DONCP       time interval  none
DOPROCESS   time interval  none
DOSYSGEN    time interval  none
DOTIME      time interval  none
DOUAF       time interval  none
DOUSEPRIV   time interval  none

Exemptions

Constraint  Value          Parameters
DOASSESS    time interval  <node>, <absolute-time> or <earliest-time>
DOAUDIT     time interval  <node>, <absolute-time> or <earliest-time>
DOCONNECT   time interval  <node>, <absolute-time> or <earliest-time>
DOINSTALL   time interval  <node>, <absolute-time> or <earliest-time>
DONCP       time interval  <node>, <absolute-time> or <earliest-time>
DOPROCESS   time interval  <node>, <absolute-time> or <earliest-time>
DOSYSGEN    time interval  <node>, <absolute-time> or <earliest-time>
DOTIME      time interval  <node>, <absolute-time> or <earliest-time>
DOUAF       time interval  <node>, <absolute-time> or <earliest-time>
DOUSEPRIV   time interval  <node>, <absolute-time> or <earliest-time>

Practical considerations

The (USAGE, DO*) tests are intended to detect inadequate separation of duties. Do not shoot the messenger.

DONCP

Ensure that separation of Network Management from other privileged duties conforms to policy.

Violation reports

Constraint  Nature of the violation
DOASSESS    Intervening Security Assessment actions
DOAUDIT     Intervening Audit Control actions
DOCONNECT   Intervening Connect actions
DOINSTALL   Intervening image install activities
DOMOUNT     Intervening mount actions
DOPROCESS   Intervening privileged process control actions
DOSYSGEN    Intervening System Parameter changes
DOTIME      Intervening SET TIME actions
DOUAF       Intervening Authorization actions
DOUSEPRIV   Intervening use of privilege for some other purpose

Description

The tests for this element determine whether separation of duties between Network Management and other privileged security-relevant activities conforms to policy.

Each test detects any case where one of the other privileged security-relevant activities intervenes between two Network Management activities by the same user that are less than a specified interval apart in time.

Default policy

By default, none of the separation of duties tests are enabled.

Customizing

Make minor adjustments to suit your environment.

Limits

Constraint  Value          Default
DOASSESS    time interval  none
DOAUDIT     time interval  none
DOCONNECT   time interval  none
DOINSTALL   time interval  none
DOMOUNT     time interval  none
DOPROCESS   time interval  none
DOSYSGEN    time interval  none
DOTIME      time interval  none
DOUAF       time interval  none
DOUSEPRIV   time interval  none

Exemptions

Constraint  Value          Parameters
DOASSESS    time interval  <node>, <absolute-time> or <earliest-time>
DOAUDIT     time interval  <node>, <absolute-time> or <earliest-time>
DOCONNECT   time interval  <node>, <absolute-time> or <earliest-time>
DOINSTALL   time interval  <node>, <absolute-time> or <earliest-time>
DOMOUNT     time interval  <node>, <absolute-time> or <earliest-time>
DOPROCESS   time interval  <node>, <absolute-time> or <earliest-time>
DOSYSGEN    time interval  <node>, <absolute-time> or <earliest-time>
DOTIME      time interval  <node>, <absolute-time> or <earliest-time>
DOUAF       time interval  <node>, <absolute-time> or <earliest-time>
DOUSEPRIV   time interval  <node>, <absolute-time> or <earliest-time>

Practical considerations

The (USAGE, DO*) tests are intended to detect inadequate separation of duties. Do not shoot the messenger.
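
The detection rule stated in each Description section above, as an added Python example that is not LJK/Security code. The Event record, the find_violations function, and the sample events are constructed for illustration; it assumes the intervening action is by the same user and models a limit of "none" as None (test disabled).

```python
from datetime import datetime, timedelta
from typing import NamedTuple

class Event(NamedTuple):          # hypothetical audit record, not a product format
    time: datetime
    user: str
    activity: str                 # named after the constraints, e.g. "DOINSTALL"

def find_violations(events, element, limits):
    """Return (constraint, user, first, intervening, second) tuples.

    element: the duty under test, e.g. "DOINSTALL".
    limits:  {constraint: timedelta or None}; None means the test is disabled.
    """
    by_user = {}
    for ev in sorted(events, key=lambda e: e.time):
        by_user.setdefault(ev.user, []).append(ev)
    violations = []
    for user, evs in by_user.items():
        prev, between = None, []  # last `element` event and the actions since it
        for ev in evs:
            if ev.activity != element:
                if prev is not None:
                    between.append(ev)
                continue
            if prev is not None:
                # Consecutive pairs suffice: any wider pair that brackets an
                # intervening action has a gap at least this large.
                gap = ev.time - prev.time
                for mid in between:
                    limit = limits.get(mid.activity)
                    if limit is not None and gap < limit:
                        violations.append((mid.activity, user, prev, mid, ev))
            prev, between = ev, []
    return violations

# Constructed sample events; limits follow the DOINSTALL Limits table above.
T0 = datetime(2024, 1, 10, 9, 0)
SAMPLE = [
    Event(T0, "ALICE", "DOINSTALL"),
    Event(T0 + timedelta(hours=1), "ALICE", "DOUAF"),      # flagged: installs 3 h apart
    Event(T0 + timedelta(hours=2), "ALICE", "DOMOUNT"),    # limit "none": ignored
    Event(T0 + timedelta(hours=3), "ALICE", "DOINSTALL"),
    Event(T0 + timedelta(hours=1), "BOB", "DOUAF"),        # different user: ignored
    Event(T0 + timedelta(days=400), "ALICE", "DOUAF"),     # installs > 1 year apart
    Event(T0 + timedelta(days=800), "ALICE", "DOINSTALL"),
]
LIMITS = {"DOUAF": timedelta(days=365), "DOMOUNT": None}
```

Calling find_violations(SAMPLE, "DOINSTALL", LIMITS) reports only ALICE's DOUAF action between her first two installs.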

