Ensure that uses of privilege that might evade password policy conform to policy.
| Constraint | Nature of the violation |
|---|---|
| DICTIONARY | Bypassing password dictionary controls not corrected within interval |
| HISTORY | Bypassing password history controls not corrected within interval |
| PREEXPIRED | Bypassing password pre-expiration controls |
| SELF | Bypassing password change controls for the acting Username |
The tests for this element detect evasion of password policy by setting passwords outside the SET PASSWORD and LOGINOUT rules. Since such changes are legitimately made to correct "lost password" situations, a time interval is allowed for the proper resetting of the password with SET PASSWORD, LOGINOUT or a call to $ACM. No such interval is allowed when the change is made by the affected (privileged) username.

Default policy: Five minutes are allowed for a subsequent password change conforming to password policy, except that none is allowed when a user changes their own password.

Customizing: Allow more time if your organization sends password change information via courier or other slow methods. There should be no reason to alter the SELF constraint.
| Constraint | Value | Default |
|---|---|---|
| DICTIONARY | time interval | 5 minutes |
| HISTORY | time interval | 5 minutes |
| PREEXPIRED | FALSE or TRUE | TRUE |
| SELF | FALSE or TRUE | TRUE |
| Constraint | Value | Parameters |
|---|---|---|
| DICTIONARY | time interval | <node>, <absolute-time> or <earliest-time> |
| HISTORY | time interval | <node>, <absolute-time> or <earliest-time> |
| PREEXPIRED | FALSE or TRUE | <node>, <absolute-time> or <earliest-time> |
| SELF | FALSE or TRUE | <node>, <absolute-time> or <earliest-time> |
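The interval and SELF rules above, worked through as an added example (not LJK/Security's own code). The event records, the AUTHORIZE method name and the uncorrected-bypass label are assumptions; distinguishing a DICTIONARY from a HISTORY bypass would need the dictionary and history data, so both share the interval logic here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# The page names these as the conforming ways to set a password.
CONFORMING = {"SET PASSWORD", "LOGINOUT", "$ACM"}


@dataclass
class PasswordEvent:
    when: datetime
    target: str   # username whose password was set
    actor: str    # username that performed the change
    method: str   # "AUTHORIZE" is an assumed name for a non-conforming privileged set


def find_violations(events, interval=timedelta(minutes=5), self_check=True):
    """Return (constraint, target, when) for each bypass that is not corrected.

    A non-conforming set is corrected when the same username's password is
    later set by a conforming method within `interval`.  A set performed by
    the affected username itself gets no grace interval (SELF).
    """
    events = sorted(events, key=lambda e: e.when)
    violations = []
    for i, ev in enumerate(events):
        if ev.method in CONFORMING:
            continue
        if self_check and ev.actor == ev.target:
            violations.append(("SELF", ev.target, ev.when))
            continue
        corrected = any(
            later.target == ev.target
            and later.method in CONFORMING
            and later.when - ev.when <= interval
            for later in events[i + 1:]
        )
        if not corrected:
            violations.append(("UNCORRECTED", ev.target, ev.when))
    return violations


def check_sample():
    """Constructed audit events: ALICE corrected in time, BOB too late, CAROL self-set."""
    t = datetime(2024, 1, 1, 9, 0)
    events = [
        PasswordEvent(t, "ALICE", "SYSTEM", "AUTHORIZE"),
        PasswordEvent(t + timedelta(minutes=3), "ALICE", "ALICE", "SET PASSWORD"),
        PasswordEvent(t + timedelta(minutes=10), "BOB", "SYSTEM", "AUTHORIZE"),
        PasswordEvent(t + timedelta(minutes=20), "BOB", "BOB", "SET PASSWORD"),
        PasswordEvent(t + timedelta(minutes=30), "CAROL", "CAROL", "AUTHORIZE"),
        PasswordEvent(t + timedelta(minutes=31), "CAROL", "CAROL", "SET PASSWORD"),
    ]
    return find_violations(events)
```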
Ensure that separation of simple operator duties from more complex privileged activities conforms to policy.
| Constraint | Nature of the violation |
|---|---|
| ACCOUNTING | Percentage of accounting activities performed by those with more than operator privilege exceeds policy maximum |
| BROADCAST | Percentage of broadcast activities performed by those with more than operator privilege exceeds policy maximum |
| CLUSTER | Percentage of cluster activities performed by those with more than operator privilege exceeds policy maximum |
| DEVICE | Percentage of device activities performed by those with more than operator privilege exceeds policy maximum |
| LOGIN | Percentage of login activities performed by those with more than operator privilege exceeds policy maximum |
| OPERLOGIN | Percentage of operlogin activities performed by those with more than operator privilege exceeds policy maximum |
| QUEUE | Percentage of queue activities performed by those with more than operator privilege exceeds policy maximum |
| TAPE | Percentage of tape activities performed by those with more than operator privilege exceeds policy maximum |
| UNDOC | Percentage of undocumented activities performed by those with more than operator privilege exceeds policy maximum |
The tests for this element determine whether more than a specified percentage of operator activities are performed by usernames with privileges beyond OPER.

Default policy: By default, there are no restrictions on which privileged users perform operator duties.

Customizing: Constraints BROADCAST, QUEUE and TAPE are most appropriate for limiting the percentage of operations performed by highly privileged usernames.
| Constraint | Value | Default |
|---|---|---|
| ACCOUNTING | 0-100 | 100 |
| BROADCAST | 0-100 | 100 |
| CLUSTER | 0-100 | 100 |
| DEVICE | 0-100 | 100 |
| LOGIN | 0-100 | 100 |
| OPERLOGIN | 0-100 | 100 |
| QUEUE | 0-100 | 100 |
| TAPE | 0-100 | 100 |
| UNDOC | 0-100 | 100 |
| Constraint | Value | Parameters |
|---|---|---|
| ACCOUNTING | 0-100 | <node>, <absolute-time> or <earliest-time> |
| BROADCAST | 0-100 | <node>, <absolute-time> or <earliest-time> |
| CLUSTER | 0-100 | <node>, <absolute-time> or <earliest-time> |
| DEVICE | 0-100 | <node>, <absolute-time> or <earliest-time> |
| LOGIN | 0-100 | <node>, <absolute-time> or <earliest-time> |
| OPERLOGIN | 0-100 | <node>, <absolute-time> or <earliest-time> |
| QUEUE | 0-100 | <node>, <absolute-time> or <earliest-time> |
| TAPE | 0-100 | <node>, <absolute-time> or <earliest-time> |
| UNDOC | 0-100 | <node>, <absolute-time> or <earliest-time> |
Ensure privilege assignment and usage characteristics conform to policy.
| Constraint | Nature of the violation |
|---|---|
| IMPLICIT | Username authorized interactive or network access had implicit privilege based on UIC group |
| NEVERUSED | Username has privileges that are never used |
| UAFSELF | User modified authorization data for their own username |
The tests in this element determine whether particular inappropriate privileges have been granted.

Default policy: There are no restrictions on IMPLICIT or NEVERUSED privileges.

Customizing: The test for the NEVERUSED constraint will not produce meaningful results with inadequate audit logs.

Selector: Limits and exemptions for test NEVERUSED can take a selector consisting of a privilege name. Thus, each can be set once for each possible privilege. When using the Command Interface, if you do not specify a selector when changing the limit or exemptions, your change applies to all privileges.
| Constraint | Value | Default |
|---|---|---|
| IMPLICIT | FALSE or TRUE | TRUE |
| NEVERUSED | FALSE or TRUE | FALSE for TMPMBX and NETMBX, TRUE for others |
| UAFSELF | FALSE or TRUE | TRUE |
| Constraint | Value | Parameters |
|---|---|---|
| IMPLICIT | FALSE or TRUE | <node>, <absolute-time> or <earliest-time> |
| NEVERUSED | FALSE or TRUE | <node>, <absolute-time> or <earliest-time> |
| UAFSELF | FALSE or TRUE | <node>, <absolute-time> or <earliest-time> |
Ensure reading of audit logs conforms to policy.
| Constraint | Nature of the violation |
|---|---|
| ANY | The interval between any reading of the audit data exceeds the policy minimum |
| BATCH | The interval between batch reading of the audit data exceeds the policy minimum |
| INTERACT | The interval between interactive reading of the audit data exceeds the policy minimum |
| NETWORK | The interval between network reading of the audit data exceeds the policy minimum |
The tests within this element examine the history of reading the audit logs.

Default policy: Some reading of the audit log is required every 7 days.

Customizing: Make changes to match your organization's own plan for reviewing audit results.
| Constraint | Value | Default |
|---|---|---|
| ANY | time interval | 0 (not required) |
| BATCH | time interval | 0 (not required) |
| INTERACT | time interval | 0 (not required) |
| NETWORK | time interval | 0 (not required) |
| Constraint | Value | Parameters |
|---|---|---|
| ANY | time interval | <node>, <absolute-time> or <earliest-time> |
| BATCH | time interval | <node>, <absolute-time> or <earliest-time> |
| INTERACT | time interval | <node>, <absolute-time> or <earliest-time> |
| NETWORK | time interval | <node>, <absolute-time> or <earliest-time> |
Ensure remediation reports are generated sufficiently often.
| Constraint | Nature of the violation |
|---|---|
| MAXIMUM | Remediation report generation interval exceeds policy maximum |
The test within this element determines whether the command LJK/SECURITY REPORT/REMEDIATION has been issued for a completed full assessment (/METHOD=ALL) sufficiently often.

Default policy: The test (USAGE,REMEDIATE,MAXIMUM) is not used.

Customizing: Modify the limit to match your local policy.
| Constraint | Value | Default |
|---|---|---|
| MAXIMUM | delta-time | +00:00:00.00 |
| Constraint | Value | Parameters |
|---|---|---|
| MAXIMUM | delta-time | <node> |
Ensure time is set or synchronized sufficiently often.
| Constraint | Nature of the violation |
|---|---|
| MAXIMUM | Assessment-wide time setting interval exceeds policy maximum |
The tests within this element determine whether time is coordinated between the multiple systems being assessed.

Default policy: The test (USAGE,SETTIME,MAXIMUM) is not used, because VMS auditing shortcomings (at least through VMS Version 8.3) require additional discipline to cause auditing of setting time.

Customizing: Modify the limit to match your local policy.
| Constraint | Value | Default |
|---|---|---|
| MAXIMUM | delta-time | +00:00:00.00 |
| Constraint | Value | Parameters |
|---|---|---|
| MAXIMUM | delta-time | <node> |
Ensure restrictions on SYSTEM username conform to policy.
| Constraint | Nature of the violation |
|---|---|
| NOBATCH | Batch process for username SYSTEM in violation of policy |
| NOINTERACT | Interactive process for username SYSTEM in violation of policy |
| NONETWORK | Network process for username SYSTEM in violation of policy |
The tests within this element determine whether proper restrictions are in place for the SYSTEM username.

Default policy: Only BATCH access is allowed for username SYSTEM.

Customizing: Adding exemptions based on earliest-time may be appropriate where use of LJK/Security is introduced late in the game. The earliest-time specified cannot be later than the time at which the exemption is added.
| Constraint | Value | Default |
|---|---|---|
| NOBATCH | FALSE or TRUE | FALSE |
| NOINTERACT | FALSE or TRUE | TRUE |
| NONETWORK | FALSE or TRUE | TRUE |
| Constraint | Value | Parameters |
|---|---|---|
| NOBATCH | FALSE or TRUE | <node>, <absolute-time> or <earliest-time> |
| NOINTERACT | FALSE or TRUE | <node>, <absolute-time> or <earliest-time> |
| NONETWORK | FALSE or TRUE | <node>, <absolute-time> or <earliest-time> |
Ensure modification of user authorization is done from the proper type of process.
| Constraint | Nature of the violation |
|---|---|
| DISUNUSED | Unused username was disabled by a prohibited process type |
| PROHIBITED | Privileged changes were made by a prohibited process type |
| REQUIRED | Privileged changes were not made by a required process type |
The history of user authorization changes is examined for proper process type. Unprivileged changes, such as the password and last-login date updated by logging in, are not considered.

Default policy: By default, the (USAGE,UAFMODIFY,*) tests are not enabled.

Customizing: Enabling more than one process type for (USAGE,UAFMODIFY,REQUIRED) is not helpful, since each modification is done by only one process type.

Selector: Limits for this test can take a selector consisting of a login type: LOCAL, DIALUP, REMOTE, NETWORK or BATCH. Thus, each can be set once for each possible login type. If you do not specify a selector when changing limits, your change applies to all login types.

The availability of separate selector values for LOCAL and DIALUP should not be taken as a suggestion that the DIALUP indication associated with terminals can be trusted to accurately represent whether a dialup line is actually in use. It is provided for sites that use the DIALUP indication to denote some aspect of a terminal that can be determined with certainty, such as whether a given terminal connection is via an X.25 circuit.
| Constraint | Value | Default |
|---|---|---|
| DISUNUSED | FALSE or TRUE | FALSE |
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | FALSE |
| Constraint | Value | Parameters |
|---|---|---|
| DISUNUSED | FALSE or TRUE | <node>,<filespec> |
| PROHIBITED | FALSE or TRUE | <node>,<filespec> |
| REQUIRED | FALSE or TRUE | <node>,<filespec> |