LJK/Security Reference Manual




DOPROCESS

Ensure that separation of Privileged Process Control from other privileged duties conforms to policy.

Violation reports

Constraint   Nature of the violation
DOASSESS     Intervening Security Assessment actions
DOAUDIT      Intervening Audit Control actions
DOCONNECT    Intervening Connect actions
DOINSTALL    Intervening image install activities
DOMOUNT      Intervening mount actions
DONCP        Intervening Network Management actions
DOSYSGEN     Intervening System Parameter changes
DOTIME       Intervening SET TIME actions
DOUAF        Intervening Authorization actions
DOUSEPRIV    Intervening use of privilege for some other purpose

Description

The tests for this element determine whether separation of duties between Privileged Process Control and other privileged security-relevant activities conforms to policy.

Each test will detect any case where one of the other privileged security-relevant activities intervenes between two Privileged Process Control activities by the same user that are less than a specified interval apart in time.

Default policy

By default, none of the separation of duties tests are enabled.

Customizing

Make minor adjustments to suit your environment.

Limits

Constraint   Value            Default
DOASSESS     time interval    none
DOAUDIT      time interval    none
DOCONNECT    time interval    none
DOINSTALL    time interval    none
DOMOUNT      time interval    none
DONCP        time interval    none
DOSYSGEN     time interval    none
DOTIME       time interval    none
DOUAF        time interval    none
DOUSEPRIV    time interval    none

Exemptions

Constraint   Value            Parameters
DOASSESS     time interval    <node>, <absolute-time> or <earliest-time>
DOAUDIT      time interval    <node>, <absolute-time> or <earliest-time>
DOCONNECT    time interval    <node>, <absolute-time> or <earliest-time>
DOINSTALL    time interval    <node>, <absolute-time> or <earliest-time>
DOMOUNT      time interval    <node>, <absolute-time> or <earliest-time>
DONCP        time interval    <node>, <absolute-time> or <earliest-time>
DOSYSGEN     time interval    <node>, <absolute-time> or <earliest-time>
DOTIME       time interval    <node>, <absolute-time> or <earliest-time>
DOUAF        time interval    <node>, <absolute-time> or <earliest-time>
DOUSEPRIV    time interval    <node>, <absolute-time> or <earliest-time>

Practical considerations

The (USAGE, DO*) tests are intended to detect inadequate separation of duties. Do not shoot the messenger.

DOSYSGEN

Ensure that separation of System Parameter Modification from other privileged duties conforms to policy.

Violation reports

Constraint   Nature of the violation
DOASSESS     Intervening Security Assessment actions
DOAUDIT      Intervening Audit Control actions
DOCONNECT    Intervening Connect actions
DOINSTALL    Intervening image install activities
DOMOUNT      Intervening mount actions
DONCP        Intervening Network Management actions
DOPROCESS    Intervening privileged process control actions
DOTIME       Intervening SET TIME actions
DOUAF        Intervening Authorization actions
DOUSEPRIV    Intervening use of privilege for some other purpose

Description

The tests for this element determine whether separation of duties between System Parameter Modification and other privileged security-relevant activities conforms to policy.

Each test will detect any case where one of the other privileged security-relevant activities intervenes between two System Parameter Modification activities by the same user that are less than a specified interval apart in time.

Default policy

By default, none of the separation of duties tests are enabled.

Customizing

Make minor adjustments to suit your environment.

Limits

Constraint   Value            Default
DOASSESS     time interval    none
DOAUDIT      time interval    none
DOCONNECT    time interval    none
DOINSTALL    time interval    none
DOMOUNT      time interval    none
DONCP        time interval    none
DOPROCESS    time interval    none
DOTIME       time interval    none
DOUAF        time interval    none
DOUSEPRIV    time interval    none

Exemptions

Constraint   Value            Parameters
DOASSESS     time interval    <node>, <absolute-time> or <earliest-time>
DOAUDIT      time interval    <node>, <absolute-time> or <earliest-time>
DOCONNECT    time interval    <node>, <absolute-time> or <earliest-time>
DOINSTALL    time interval    <node>, <absolute-time> or <earliest-time>
DOMOUNT      time interval    <node>, <absolute-time> or <earliest-time>
DONCP        time interval    <node>, <absolute-time> or <earliest-time>
DOPROCESS    time interval    <node>, <absolute-time> or <earliest-time>
DOTIME       time interval    <node>, <absolute-time> or <earliest-time>
DOUAF        time interval    <node>, <absolute-time> or <earliest-time>
DOUSEPRIV    time interval    <node>, <absolute-time> or <earliest-time>

Practical considerations

The (USAGE, DO*) tests are intended to detect inadequate separation of duties. Do not shoot the messenger.

DOTIME

Ensure that separation of Time Setting from other privileged duties conforms to policy.

Violation reports

Constraint   Nature of the violation
DOASSESS     Intervening Security Assessment actions
DOAUDIT      Intervening Audit Control actions
DOCONNECT    Intervening Connect actions
DOINSTALL    Intervening image install activities
DOMOUNT      Intervening mount actions
DONCP        Intervening Network Management actions
DOPROCESS    Intervening privileged process control actions
DOSYSGEN     Intervening System Parameter changes
DOUAF        Intervening Authorization actions
DOUSEPRIV    Intervening use of privilege for some other purpose

Description

The tests for this element determine whether separation of duties between Time Setting and other privileged security-relevant activities conforms to policy.

Each test will detect any case where one of the other privileged security-relevant activities intervenes between two Time Setting activities by the same user that are less than a specified interval apart in time.

Default policy

By default, none of the separation of duties tests are enabled.

Customizing

Make minor adjustments to suit your environment.

Limits

Constraint   Value            Default
DOASSESS     time interval    none
DOAUDIT      time interval    none
DOCONNECT    time interval    none
DOINSTALL    time interval    none
DOMOUNT      time interval    none
DONCP        time interval    none
DOPROCESS    time interval    none
DOSYSGEN     time interval    none
DOUAF        time interval    none
DOUSEPRIV    time interval    none

Exemptions

Constraint   Value            Parameters
DOASSESS     time interval    <node>, <absolute-time> or <earliest-time>
DOAUDIT      time interval    <node>, <absolute-time> or <earliest-time>
DOCONNECT    time interval    <node>, <absolute-time> or <earliest-time>
DOINSTALL    time interval    <node>, <absolute-time> or <earliest-time>
DOMOUNT      time interval    <node>, <absolute-time> or <earliest-time>
DONCP        time interval    <node>, <absolute-time> or <earliest-time>
DOPROCESS    time interval    <node>, <absolute-time> or <earliest-time>
DOSYSGEN     time interval    <node>, <absolute-time> or <earliest-time>
DOUAF        time interval    <node>, <absolute-time> or <earliest-time>
DOUSEPRIV    time interval    <node>, <absolute-time> or <earliest-time>

Practical considerations

The (USAGE, DO*) tests are intended to detect inadequate separation of duties. Do not shoot the messenger.

DOUAF

Ensure that separation of Username Authorization from other privileged duties conforms to policy.

Violation reports

Constraint   Nature of the violation
DOASSESS     Intervening Security Assessment actions
DOAUDIT      Intervening Audit Control actions
DOCONNECT    Intervening Connect actions
DOINSTALL    Intervening image install activities
DOMOUNT      Intervening mount actions
DONCP        Intervening Network Management actions
DOPROCESS    Intervening privileged process control actions
DOSYSGEN     Intervening System Parameter changes
DOTIME       Intervening SET TIME actions
DOUSEPRIV    Intervening use of privilege for some other purpose

Description

The tests for this element determine whether separation of duties between Username Authorization and other privileged security-relevant activities conforms to policy.

Each test will detect any case where one of the other privileged security-relevant activities intervenes between two Username Authorization activities by the same user that are less than a specified interval apart in time.

Default policy

By default, none of the separation of duties tests are enabled.

Customizing

Make minor adjustments to suit your environment.

Limits

Constraint   Value            Default
DOASSESS     time interval    none
DOAUDIT      time interval    none
DOCONNECT    time interval    none
DOINSTALL    time interval    none
DOMOUNT      time interval    none
DONCP        time interval    none
DOPROCESS    time interval    none
DOSYSGEN     time interval    none
DOTIME       time interval    none
DOUSEPRIV    time interval    none

Exemptions

Constraint   Value            Parameters
DOASSESS     time interval    <node>, <absolute-time> or <earliest-time>
DOAUDIT      time interval    <node>, <absolute-time> or <earliest-time>
DOCONNECT    time interval    <node>, <absolute-time> or <earliest-time>
DOINSTALL    time interval    <node>, <absolute-time> or <earliest-time>
DOMOUNT      time interval    <node>, <absolute-time> or <earliest-time>
DONCP        time interval    <node>, <absolute-time> or <earliest-time>
DOPROCESS    time interval    <node>, <absolute-time> or <earliest-time>
DOSYSGEN     time interval    <node>, <absolute-time> or <earliest-time>
DOTIME       time interval    <node>, <absolute-time> or <earliest-time>
DOUSEPRIV    time interval    <node>, <absolute-time> or <earliest-time>

Practical considerations

The (USAGE, DO*) tests are intended to detect inadequate separation of duties. Do not shoot the messenger.

DOUSEPRIV

Ensure that separation of Use of Privilege from other privileged duties conforms to policy.

Violation reports

Constraint   Nature of the violation
DOASSESS     Intervening Security Assessment actions
DOAUDIT      Intervening Audit Control actions
DOCONNECT    Intervening Connect actions
DOINSTALL    Intervening image install activities
DOMOUNT      Intervening mount actions
DONCP        Intervening Network Management actions
DOPROCESS    Intervening privileged process control actions
DOSYSGEN     Intervening System Parameter changes
DOTIME       Intervening SET TIME actions
DOUAF        Intervening Authorization actions

Description

The tests for this element determine whether separation of duties between Use of Privilege and other privileged security-relevant activities conforms to policy.

Each test will detect any case where one of the other privileged security-relevant activities intervenes between two Use of Privilege activities by the same user that are less than a specified interval apart in time.

Default policy

By default, none of the separation of duties tests are enabled.

Customizing

Make minor adjustments to suit your environment.

Limits

Constraint   Value            Default
DOASSESS     time interval    none
DOAUDIT      time interval    none
DOCONNECT    time interval    none
DOINSTALL    time interval    none
DOMOUNT      time interval    none
DONCP        time interval    none
DOPROCESS    time interval    none
DOSYSGEN     time interval    none
DOTIME       time interval    none
DOUAF        time interval    none

Exemptions

Constraint   Value            Parameters
DOASSESS     time interval    <node>, <absolute-time> or <earliest-time>
DOAUDIT      time interval    <node>, <absolute-time> or <earliest-time>
DOCONNECT    time interval    <node>, <absolute-time> or <earliest-time>
DOINSTALL    time interval    <node>, <absolute-time> or <earliest-time>
DOMOUNT      time interval    <node>, <absolute-time> or <earliest-time>
DONCP        time interval    <node>, <absolute-time> or <earliest-time>
DOPROCESS    time interval    <node>, <absolute-time> or <earliest-time>
DOSYSGEN     time interval    <node>, <absolute-time> or <earliest-time>
DOTIME       time interval    <node>, <absolute-time> or <earliest-time>
DOUAF        time interval    <node>, <absolute-time> or <earliest-time>

Practical considerations

The (USAGE, DO*) tests are intended to detect inadequate separation of duties. Do not shoot the messenger.
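
The interval test that each DO* element on this page describes, written out as an added Python example (not LJK/Security's own code or configuration syntax). The event tuple layout, the user names, the 30-minute limits and the reading that the intervening action is performed by the same user are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def find_violations(events, primary, limits):
    """Flag other duties that intervene between two `primary` actions by one user.

    events  -- iterable of (timestamp, user, duty) tuples (constructed layout)
    primary -- element under test, e.g. "DOPROCESS"
    limits  -- {constraint: timedelta}; a constraint with no entry is not
               tested, matching the default of "none"
    Returns (constraint, user, first_primary, intervening, second_primary) tuples.
    """
    by_user = defaultdict(list)
    for ts, user, duty in sorted(events):
        by_user[user].append((ts, duty))
    found = []
    for user, acts in by_user.items():
        idx = [i for i, (_, duty) in enumerate(acts) if duty == primary]
        # Consecutive pairs suffice: any wider pair that brackets an
        # intervening action has a gap at least as large as the nearest pair.
        for a, b in zip(idx, idx[1:]):
            gap = acts[b][0] - acts[a][0]
            for ts, duty in acts[a + 1:b]:
                limit = limits.get(duty)
                if limit is not None and gap < limit:
                    found.append((duty, user, acts[a][0], ts, acts[b][0]))
    return found

def at(hour, minute):
    return datetime(2024, 1, 1, hour, minute)

# Constructed sample events, not real audit data.
SAMPLE_EVENTS = [
    (at(9, 0), "SMITH", "DOPROCESS"),
    (at(9, 5), "SMITH", "DOUAF"),       # between two DOPROCESS actions 10 min apart
    (at(9, 10), "SMITH", "DOPROCESS"),
    (at(9, 20), "JONES", "DOPROCESS"),
    (at(9, 25), "SMITH", "DOAUDIT"),    # SMITH's next DOPROCESS is 110 min later
    (at(9, 30), "JONES", "DOMOUNT"),    # no DOMOUNT limit set, so not tested
    (at(9, 40), "JONES", "DOPROCESS"),
    (at(11, 0), "SMITH", "DOPROCESS"),
]
SAMPLE_LIMITS = {"DOUAF": timedelta(minutes=30), "DOAUDIT": timedelta(minutes=30)}

if __name__ == "__main__":
    for violation in find_violations(SAMPLE_EVENTS, "DOPROCESS", SAMPLE_LIMITS):
        print(violation)
```

Setting a limit for a constraint is what enables its test; with an empty limits mapping nothing is reported, which mirrors the default policy.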

