LJK/Security Reference Manual
VALID
Ensure that preservation of past user identification conforms to policy.
Violation reports

| Constraint | Nature of the violation |
| --- | --- |
| UIC | UIC found in audit logs is no longer valid |
| USERNAME | Username found in audit logs is no longer valid |
Description
The tests within this element determine whether UIC and Username values are retained (even if disabled) for as long as they are needed to analyze audit logs and, potentially, to retain file ownership.
Default policy
UICs and usernames must be retained when usernames are disabled.
Customizing
There is seldom a reason to modify the limits of this element.
Limits

| Constraint | Value | Default |
| --- | --- | --- |
| UIC | FALSE or TRUE | TRUE |
| USERNAME | FALSE or TRUE | TRUE |
Exemptions

| Constraint | Value | Parameters |
| --- | --- | --- |
| UIC | FALSE or TRUE | <node>, <absolute-time> or <earliest-time> |
| USERNAME | FALSE or TRUE | <node>, <absolute-time> or <earliest-time> |
Practical considerations
Adding exemptions based on earliest-time may be appropriate for situations where use of the product is introduced late in the game. The earliest-time specified cannot be later than the time at which the exemption is added.
Certain versions of VMS will fabricate UICs like [1,1], [1,3] and [1,6], and usernames like AUDIT$SERVER and DECNET, that have never existed in the Rights Database (RIGHTSLIST.DAT) or the User Authorization File respectively.
Since exemptions for the USAGE facility are based on the time of incidents rather than on username, you may wish to have the system manager add UIC identifiers and (disabled) User Authorization File entries until you are running some future version of VMS that resolves this discrepancy.
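How the VALID check and its node/earliest-time exemption fit together, as an added Python example (not LJK/Security's own code); the record layout and every identity below, including the retained disabled account, are constructed for the example.

```python
"""Added example (not LJK/Security's own code): the VALID check as the manual
describes it, with <node>/<earliest-time> exemptions.  All data is
constructed and the record layout is a simplification assumed here."""

# Constructed snapshot of the identities the node still knows.  OLDBATCH is
# a disabled account that was retained, which is exactly what policy asks.
KNOWN_UICS = {"[200,1]", "[200,2]", "[300,5]"}
KNOWN_USERNAMES = {"ALICE", "BOB", "OLDBATCH"}

# Constructed audit records: (ISO-8601 time, node, uic, username).
# ISO-8601 timestamps in one zone compare chronologically as strings.
AUDIT = [
    ("2023-03-01T09:00", "NODEA", "[200,1]", "ALICE"),
    ("2023-03-02T09:00", "NODEA", "[300,5]", "OLDBATCH"),
    ("2023-03-03T09:00", "NODEA", "[200,7]", "CAROL"),         # deleted since
    ("2023-06-01T09:00", "NODEB", "[1,3]", "AUDIT$SERVER"),    # VMS-fabricated
]


def add_exemption(exemptions, node, earliest_time, now):
    """Record a <node>/<earliest-time> exemption.  The manual forbids an
    earliest-time later than the moment the exemption is added."""
    if earliest_time > now:
        raise ValueError("earliest-time may not be later than the current time")
    exemptions.append((node, earliest_time))


def is_exempt(record, exemptions):
    """Exempt when the record's node has an exemption whose earliest-time is
    after the record: the product was not in use on that node yet."""
    when, node, _, _ = record
    return any(node == n and when < t for n, t in exemptions)


def valid_violations(audit, known_uics, known_usernames, exemptions=()):
    """Return (constraint, identity, record) for every UIC or username that
    appears in the audit trail but is no longer known to the node."""
    found = []
    for rec in audit:
        if is_exempt(rec, exemptions):
            continue
        _, _, uic, username = rec
        if uic not in known_uics:
            found.append(("UIC", uic, rec))
        if username not in known_usernames:
            found.append(("USERNAME", username, rec))
    return found
```

Adding the fabricated [1,3] / AUDIT$SERVER pair to the known sets, as the manual suggests having the system manager do, is what makes the last record stop reporting.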
6.10 VMS Tests
Tests in the VMS facility deal with system parameters and other system-wide security considerations which are not readily categorized otherwise.
Exemptions are based on node name.
More than in other facilities, many VMS tests have to do with denial-of-service issues.
ACME
Ensure the set of enabled ACME Agents conforms to policy.
Violation reports

| Constraint | Nature of the violation |
| --- | --- |
| MATCH | Ordered list of ACME Agents does not exactly match policy |
| MUSTHAVE | Set of ACME Agents does not include one required by policy |
| MUSTLACK | Set of ACME Agents includes one prohibited by policy |
| NOMORETHAN | Set of ACME Agents includes more than those permitted by policy |
| NOTJUST | Set of ACME Agents does not include any beyond the set declared inadequate by policy |
Description
The tests within the ACME element determine whether the set of enabled ACME agents conforms to policy.
Default policy
There are no restrictions.
Customizing
Since the text might be considerably longer than a typical DCL command line, these tests allow a command-line user to specify the text progressively, starting each subsequent value with the character "+".
Limits

| Constraint | Value | Default |
| --- | --- | --- |
| MATCH | 0-511 characters | none |
| MUSTHAVE | 0-510 characters | none |
| MUSTLACK | 0-510 characters | none |
| NOMORETHAN | 0-510 characters | none |
| NOTJUST | 0-510 characters | none |
Exemptions

| Constraint | Value | Parameters |
| --- | --- | --- |
| MATCH | 0-511 characters | <node> |
| MUSTHAVE | 0-510 characters | <node> |
| MUSTLACK | 0-510 characters | <node> |
| NOMORETHAN | 0-510 characters | <node> |
| NOTJUST | 0-510 characters | <node> |
Practical considerations
The MATCH constraint differs from the others in that the order in which names appear is significant.
Typically a site policy will be implemented using only a few of the constraints within this element.
ACMEORLGI
Ensure the set of enabled ACME Agents and LGI callout providers
conforms to policy.
Violation reports

| Constraint | Nature of the violation |
| --- | --- |
| MATCH | Ordered list of ACME Agents and LGI-callout modules does not exactly match policy |
| MUSTHAVE | Set of ACME Agents and LGI-callout modules does not include one required by policy |
| MUSTLACK | Set of ACME Agents and LGI-callout modules includes one prohibited by policy |
| NOMORETHAN | Set of ACME Agents and LGI-callout modules includes more than those permitted by policy |
| NOTJUST | Set of ACME Agents and LGI-callout modules does not include any beyond the set declared inadequate by policy |
Description
The tests within the ACMEORLGI element determine whether the set of enabled ACME agents and LGI callout providers conforms to policy.
Default policy
There are no restrictions.
Customizing
Since the text might be considerably longer than a typical DCL command line, these tests allow a command-line user to specify the text progressively, starting each subsequent value with the character "+".
Limits

| Constraint | Value | Default |
| --- | --- | --- |
| MATCH | 0-511 characters | none |
| MUSTHAVE | 0-510 characters | none |
| MUSTLACK | 0-510 characters | none |
| NOMORETHAN | 0-510 characters | none |
| NOTJUST | 0-510 characters | none |
Exemptions

| Constraint | Value | Parameters |
| --- | --- | --- |
| MATCH | 0-511 characters | <node> |
| MUSTHAVE | 0-510 characters | <node> |
| MUSTLACK | 0-510 characters | <node> |
| NOMORETHAN | 0-510 characters | <node> |
| NOTJUST | 0-510 characters | <node> |
Practical considerations
The MATCH constraint differs from the others in that the order in which names appear is significant.
Typically a site policy will be implemented using only a few of the constraints within this element.
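The five constraints shared by the ACME and ACMEORLGI elements, together with the "+" continuation convention for long policy text, as an added Python example (not LJK/Security's own code); it assumes the agent list is written comma-separated, and every name except VMS is constructed.

```python
"""Added example (not LJK/Security's own code): evaluates the five ACME and
ACMEORLGI constraints against the ordered list of agents enabled on a node.
Comma-separated lists are an assumption; names other than VMS are made up."""


def join_continued(pieces):
    """Assemble policy text entered as several command-line values: every
    value after the first starts with '+' and continues the previous one."""
    text = pieces[0]
    for piece in pieces[1:]:
        if not piece.startswith("+"):
            raise ValueError("continuation value must start with '+'")
        text += piece[1:]
    return text


def parse_list(text):
    """Comma-separated names, upper-cased, blanks removed."""
    return [n.strip().upper() for n in text.split(",") if n.strip()]


def violations(enabled, policy):
    """Return the constraints violated by `enabled` (an ordered list).
    `policy` maps constraint name -> list of names; a missing key is unset."""
    found = []
    have = set(enabled)
    if "MATCH" in policy and enabled != policy["MATCH"]:
        found.append("MATCH")  # the only constraint where order matters
    if "MUSTHAVE" in policy and not set(policy["MUSTHAVE"]) <= have:
        found.append("MUSTHAVE")
    if "MUSTLACK" in policy and have & set(policy["MUSTLACK"]):
        found.append("MUSTLACK")
    if "NOMORETHAN" in policy and not have <= set(policy["NOMORETHAN"]):
        found.append("NOMORETHAN")
    # NOTJUST: a set made up only of agents declared inadequate is a violation.
    if "NOTJUST" in policy and have <= set(policy["NOTJUST"]):
        found.append("NOTJUST")
    return found


# Constructed policy; MATCH is entered in two pieces to show continuation.
POLICY = {
    "MATCH": parse_list(join_continued(["VMS,SITE_", "+AGENT"])),
    "MUSTHAVE": parse_list("VMS"),
    "MUSTLACK": parse_list("LEGACY_AGENT"),
    "NOMORETHAN": parse_list("VMS, SITE_AGENT, OTHER_AGENT"),
    "NOTJUST": parse_list("VMS"),
}
```

With this policy, a node running only VMS violates NOTJUST as well as MATCH, while a node running SITE_AGENT before VMS violates MATCH alone.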
ANNOUNCE
See if the contents of the SYS$ANNOUNCE message conform to policy.
Violation reports

| Constraint | Nature of the violation |
| --- | --- |
| CONTAINED | SYS$ANNOUNCE message must be contained within the specified text |
| CONTAINS | SYS$ANNOUNCE message must contain the specified text |
| MATCH | SYS$ANNOUNCE message must match the specified text |
Description
Compare the value of SYS$ANNOUNCE (or the file to which it points) to the specified policy text.
Default policy
There is no required text.
Customizing
Since the message might be considerably longer than a typical DCL command line, these tests allow a command-line user to specify the text progressively, starting each subsequent value with the character "+".
Limits

| Constraint | Value | Default |
| --- | --- | --- |
| CONTAINED | 0-511 characters | none |
| CONTAINS | 0-511 characters | none |
| MATCH | 0-511 characters | none |
Exemptions

| Constraint | Value | Parameters |
| --- | --- | --- |
| CONTAINED | 0-511 characters | <node> |
| CONTAINS | 0-511 characters | <node> |
| MATCH | 0-511 characters | <node> |
Practical considerations
The MATCH constraint is equivalent to including the same text in both the CONTAINED constraint and the CONTAINS constraint.
Comparison treats line-feed, carriage-return and form-feed as equivalent to a space. It also treats multiple spaces as equivalent to a single space and artificially inserts a space before and after any punctuation character.
While the SYS$WELCOME logical name mechanism (measured by WELCOME) can be customized on a per-username basis, the SYS$ANNOUNCE logical name mechanism (measured by ANNOUNCE) lends itself better to requirements that the message stay on the screen until explicit action is taken by the user (the explicit action being the entering of a username).
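The comparison rules just described, and the CONTAINED, CONTAINS and MATCH tests built on them, as an added Python example (not LJK/Security's own code); the banner text is constructed, and dropping leading and trailing spaces is an assumption the manual does not state.

```python
"""Added example (not LJK/Security's own code): the SYS$ANNOUNCE comparison
rules the manual describes, and the CONTAINED, CONTAINS and MATCH tests built
on them.  The banner and policy text below are constructed."""
import re
import string

_PUNCT_RE = re.compile("([%s])" % re.escape(string.punctuation))


def normalize(text):
    """Canonical form for comparison.  Line-feed, carriage-return and
    form-feed become spaces, a space is inserted before and after each
    punctuation character, and runs of spaces collapse to one.  Leading and
    trailing spaces are dropped (an assumption: files usually end in a
    newline, which would otherwise defeat MATCH).  Case is left as-is."""
    for ch in "\n\r\f":
        text = text.replace(ch, " ")
    text = _PUNCT_RE.sub(r" \1 ", text)
    return re.sub(" +", " ", text).strip(" ")


def contained(message, policy_text):
    """CONTAINED: the whole message must appear within the policy text."""
    return normalize(message) in normalize(policy_text)


def contains(message, policy_text):
    """CONTAINS: the policy text must appear somewhere in the message."""
    return normalize(policy_text) in normalize(message)


def match(message, policy_text):
    """MATCH: CONTAINED and CONTAINS together, i.e. equal after normalizing."""
    return contained(message, policy_text) and contains(message, policy_text)


def announce_violations(message, policy):
    """Constraints in `policy` (name -> text) that `message` fails."""
    checks = {"CONTAINED": contained, "CONTAINS": contains, "MATCH": match}
    return [name for name, fn in checks.items()
            if name in policy and not fn(message, policy[name])]


# Constructed: the banner as stored in a file (CRLF, LF, form-feed) and the
# same notice as a command-line user would type it on one line.
BANNER_FILE = "WARNING:\r\nAuthorized users only.\nAll activity is logged.\f\n"
POLICY_TEXT = "WARNING: Authorized users only. All activity is logged."
```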
BRKDISUSER
Determine whether the setting to disable usernames on attempted breakin
conforms to policy.
Violation reports

| Constraint | Nature of the violation |
| --- | --- |
| PROHIBITED | System parameter LGI_BRK_DISUSER is 1 in violation of policy |
| REQUIRED | System parameter LGI_BRK_DISUSER is 0 in violation of policy |
Description
System parameter LGI_BRK_DISUSER controls whether a breakin attempt causes a username to be disabled until manually reset.
Default policy
By default LGI_BRK_DISUSER is prohibited.
Customizing
Allowing LGI_BRK_DISUSER should be done only with careful consideration of organizational politics.
Limits

| Constraint | Value | Default |
| --- | --- | --- |
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions

| Constraint | Value | Parameters |
| --- | --- | --- |
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
End users will be hostile to disabling accounts on breakin attempts unless there are adequate provisions for restoring an account to service promptly when the end user follows appropriate procedures. Therefore, before requiring that system parameter LGI_BRK_DISUSER be set to 1, be sure that you have established these procedures and that they are secure and widely published in your organization.
BUGCHKFATL
Determine whether decisions regarding crashing on Executive Mode
bugchecks conform to policy.
Violation reports

| Constraint | Nature of the violation |
| --- | --- |
| PROHIBITED | System parameter BUGCHECKFATAL is enabled [1] in violation of policy |
| REQUIRED | System parameter BUGCHECKFATAL is disabled [0] in violation of policy |
Description
All Kernel Mode bugchecks crash the system, but the outcome of Executive Mode bugchecks is settable.
Default policy
BUGCHECKFATAL is neither prohibited nor required.
Customizing
Prohibit BUGCHECKFATAL so that bugchecks do not cause an immediate denial of service.
Require BUGCHECKFATAL to ensure that the conditions that caused each crash are recorded (in a crash dump), allowing the problem to be thoroughly analyzed. Provided that each bugcheck is analyzed this way, you should be able to resolve problems before they build to a crescendo that results in a substantial denial of service.
Limits

| Constraint | Value | Default |
| --- | --- | --- |
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions

| Constraint | Value | Parameters |
| --- | --- | --- |
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
Allowing the system to run through a bugcheck without crashing means that no crash dump will be recorded. Without the crash dump, the problem cannot be analyzed and will probably recur.
On the other hand, even when the system is allowed to continue running through an RMS bugcheck, it will leave an error code in R2 of the BUGCHK error log entry for the failure.
BUGREBOOT
Determine whether rebooting after a crash conforms to policy.
Violation reports

| Constraint | Nature of the violation |
| --- | --- |
| PROHIBITED | System parameter BUGREBOOT is 1 in violation of policy |
| REQUIRED | System parameter BUGREBOOT is 0 in violation of policy |
Description
System parameter BUGREBOOT determines whether VMS reboots automatically after a software crash.
Default policy
Rebooting after a crash is neither prohibited nor required.
Customizing
If the system does not reboot automatically after a crash, there will be a denial of service until the system is manually rebooted. This denial of service might still be better than continuing operation with an uncorrected problem.
Limits

| Constraint | Value | Default |
| --- | --- | --- |
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions

| Constraint | Value | Parameters |
| --- | --- | --- |
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
Whether VMS reboots after a power failure is controlled by console hardware settings in a fashion which depends on the processor model, and NOT on BUGREBOOT.
CHECKSUM
See if the choice of checksum algorithm conforms to policy.
Violation reports

| Constraint | Nature of the violation |
| --- | --- |
| NOSHA1 | SHA1 checksum algorithm is used in violation of policy |
| NOSIMPLE | SIMPLE checksum algorithm is used in violation of policy |
| NOSITE | SITE checksum algorithm is used in violation of policy |
Description
The tests within this element determine whether an unapproved checksum algorithm is in use.
Default policy
All checksum algorithms are acceptable.
Customizing
Change these constraints to match external standards imposed on your organization.
Limits

| Constraint | Value | Default |
| --- | --- | --- |
| NOSHA1 | FALSE or TRUE | FALSE |
| NOSIMPLE | FALSE or TRUE | FALSE |
| NOSITE | FALSE or TRUE | FALSE |
Exemptions

| Constraint | Value | Parameters |
| --- | --- | --- |
| NOSHA1 | FALSE or TRUE | <node> |
| NOSIMPLE | FALSE or TRUE | <node> |
| NOSITE | FALSE or TRUE | <node> |
Practical considerations
For information on how to provide a site-specific checksum algorithm, refer to Section 9.2.3, LJK$SECURITY_SITE_CHECKSUM callback.
CLASSPROT
Determine whether mandatory access control enabling conforms to policy.
Violation reports

| Constraint | Nature of the violation |
| --- | --- |
| PROHIBITED | System parameter CLASS_PROT is 1 in violation of policy |
| REQUIRED | System parameter CLASS_PROT is 0 in violation of policy |
Description
System parameter CLASS_PROT enables the optional SEVMS software (if it has been installed).
Default policy
CLASS_PROT is neither prohibited nor required.
Customizing
If only some of your nodes use SEVMS, set both limits to TRUE and use exemptions as appropriate.
Limits

| Constraint | Value | Default |
| --- | --- | --- |
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions

| Constraint | Value | Parameters |
| --- | --- | --- |
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
If SEVMS is installed on certain nodes, use of DECnet by LJK/Security might be impractical, depending on the exact manner in which classifications are established.
CLUSTER
See if cluster membership conforms to policy.
Violation reports

| Constraint | Nature of the violation |
| --- | --- |
| PROHIBITED | Cluster membership is enabled in violation of policy |
| REQUIRED | Cluster membership is disabled in violation of policy |
Description
The tests within this element determine whether cluster membership conforms to policy.
Default policy
Cluster membership is neither required nor prohibited.
Customizing
Manipulate limits and constraints to match your organization's plan.
Limits

| Constraint | Value | Default |
| --- | --- | --- |
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions

| Constraint | Value | Parameters |
| --- | --- | --- |
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
There are many other reliability measures required to get the benefit of VMS Clusters.
Constraint REQUIRED might just validate the presence of a single-node cluster!