LJK/Security Reference Manual
CONVBOOT
Determine whether interactive boot of cluster satellite node is allowed.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Interactive booting is enabled in violation of policy |
| REQUIRED | Interactive booting is disabled in violation of policy |
Description
Preventing interactive booting removes one of the easier mechanisms that can be used to gain privileged cluster access through physical access to a workstation. To prevent it under VMS 5.0 or later versions, set the system parameter NISCS_CONV_BOOT to 0. Under earlier versions (4.7 or lower), the system parameter PE3 should be set to 0. This test checks that setting.
Default policy
Interactive boots of satellite nodes are prohibited.
Customizing
Set PROHIBITED and REQUIRED both to FALSE in order to ignore the value of PE3 or NISCS_CONV_BOOT and leave this security consideration entirely up to the local cluster administrators.
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | TRUE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
Although it is possible to require that interactive booting be available on all machines, it is difficult to imagine a situation where that would be useful. Thus, setting REQUIRED to TRUE for all systems might be inappropriate.
CRDENABLE
Determine whether ECC memory error reporting conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | System parameter CRDENABLE is 1 in violation of policy |
| REQUIRED | System parameter CRDENABLE is 0 in violation of policy |
Description
System parameter CRDENABLE controls whether ECC memory error corrections are reported. (Uncorrectable errors are always reported.)
Default policy
Reporting ECC corrections is required.
Customizing
Modify your policy if your organization takes the view that ECC corrections are not indicators of possible future uncorrectable errors.
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
For systems with only parity memory such as the MicroVAX II, system parameter CRDENABLE does not matter, but LJK/Security runs the test anyway.
Reporting of ECC memory errors is in the system error log. There is no protection against denial of service unless the error log is examined regularly, so be sure that you have someone do so.
DEFPRI
Determine whether default process priority conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | System parameter DEFPRI is lower than policy allows. |
| ABSOLUTHI | System parameter DEFPRI is higher than policy allows. |
Description
System parameter DEFPRI controls the default priority of detached processes by running images other than LOGINOUT.
Default policy
Low and high limits are both set to the VMS default of 4.
Customizing
Customization should be done with exemptions to keep most systems at the default.
Limits
| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | 0-31 | 4 |
| ABSOLUTHI | 0-31 | 4 |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | 0-31 | <node> |
| ABSOLUTHI | 0-31 | <node> |
Practical considerations
Raising system parameter DEFPRI can deny service to interactive users in favor of detached jobs.
DEFQUEPRI
Determine whether default queue priority conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | System parameter DEFQUEPRI is lower than policy allows. |
| ABSOLUTHI | System parameter DEFQUEPRI is higher than policy allows. |
Description
System parameter DEFQUEPRI controls the default priority of entries added to print or batch queues.
Default policy
Low and high limits are both set to the VMS default of 100.
Customizing
This parameter is generally only significant for relative denial-of-service considerations in a VAXcluster or VMScluster with queues shared between nodes.
Limits
| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | 0-255 | 100 |
| ABSOLUTHI | 0-255 | 100 |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | 0-255 | <node> |
| ABSOLUTHI | 0-255 | <node> |
Practical considerations
Default queue priority concerns only the order in which jobs are processed. It does not affect the process priority at which jobs execute once they start.
DUMPBUG
Determine whether saving of crash dumps on disk conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | System parameter DUMPBUG is 1 in violation of policy. |
| REQUIRED | System parameter DUMPBUG is 0 in violation of policy. |
Description
System parameter DUMPBUG controls whether memory contents are written to disk in the event of a crash.
Default policy
Dumps must be written to disk (REQUIRED).
Customizing
Most organizations will want to leave the limits set to require dumps and establish exemptions for special cases such as test/development systems that crash frequently due to driver debugging.
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
Regardless of the setting of parameter DUMPBUG, dumps will not be saved to disk if there is insufficient space available in the existing dump or page file.
Under VMS Version 5.x, it is possible to set the system parameter DUMPSTYLE so that only the "relevant" portion of memory is saved to disk when disk space is limited.
If you choose not to require crash dumps, you will not be able to determine the cause of the crash. If you do require the crash dumps, you can determine the cause of the crash by using the ANALYZE/CRASH command.
DUMPSTYLE
Determine whether method of writing crash dumps on disk conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBIT0 | System parameter DUMPSTYLE is 0 in violation of policy. |
| REQUIRE0 | System parameter DUMPSTYLE is not 0 in violation of policy. |
| PROHIBIT1 | System parameter DUMPSTYLE is 1 in violation of policy. |
| REQUIRE1 | System parameter DUMPSTYLE is not 1 in violation of policy. |
Description
System parameter DUMPSTYLE controls how much information from memory is written to disk in the event of a system crash. Possible values of this system parameter are:
- 0 - The entire contents of physical memory are written to disk.
- 1 - Selected portions of physical memory are written to disk as permitted by available space in the dump file.
System parameter DUMPSTYLE is only available on VMS V5.0 or greater.
Default policy
No particular dump style is either required or prohibited.
Customizing
Requiring a DUMPSTYLE value of 0 ensures that the maximum amount of information will be available for analyzing the cause of system failures. Requiring a DUMPSTYLE value of 1 can lead to a decrease in the amount of sensitive process information stored in crash dumps.
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBIT0 | FALSE, TRUE or TRY | FALSE |
| REQUIRE0 | FALSE or TRUE | FALSE |
| PROHIBIT1 | FALSE or TRUE | FALSE |
| REQUIRE1 | FALSE, TRUE or TRY | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBIT0 | FALSE, TRUE or TRY | <node> |
| REQUIRE0 | FALSE or TRUE | <node> |
| PROHIBIT1 | FALSE or TRUE | <node> |
| REQUIRE1 | FALSE, TRUE or TRY | <node> |
Practical considerations
Tests in this element only deal with the method used to write any crash dumps. Whether or not crash dumps will be written at all is tested by element VMS_DUMPBUG.
FILEPROT
Ensure system-wide default file protection conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | System parameter RMS_FILEPROT specifies narrower access than permitted by policy |
| ABSOLUTHI | System parameter RMS_FILEPROT specifies wider access than permitted by policy |
Description
System parameter RMS_FILEPROT controls the default protection used when new files are created.
Default policy
(VMS, FILEPROT, ABSOLUTLO) gives access only to system, without giving delete access to system.
(VMS, FILEPROT, ABSOLUTHI) matches the VMS default.
Customizing
Making (VMS, FILEPROT, ABSOLUTLO) more permissive would make certain standard VMS file protections cause violations.
Limits
| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | Any Protection | (S:RWED,O,G,W) |
| ABSOLUTHI | Any Protection | (S:RWED,O:RWED,G:RE,W) |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | Any Protection | <node> |
| ABSOLUTHI | Any Protection | <node> |
Practical considerations
System parameter RMS_FILEPROT affects only the system-wide default. End users can set a different per-process default file protection, and can change the protection of files they create after the fact. When new versions are created for existing files, the protection of the previous version is used.
Some programs (e.g., Backup and DBMS) create files with protections determined by separate schemes, rather than using the default protection.
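
The "narrower" and "wider" comparisons reported by FILEPROT can be pictured as a per-class subset check on the protection mask. The following is an added example, not LJK/Security's own code: it assumes the protection is available in its string form, that "narrower" and "wider" mean per-class set containment, and it takes its default bounds from the Limits table above. The function names are hypothetical.

```python
# Added illustration: compare a VMS protection mask against low/high policy bounds.
CLASSES = ("S", "O", "G", "W")          # System, Owner, Group, World
NAMES = {"SYSTEM": "S", "OWNER": "O", "GROUP": "G", "WORLD": "W"}

def parse_protection(text):
    """Parse '(S:RWED,O:RWED,G:RE,W)' into {class: frozenset of access letters}."""
    body = text.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("protection must be parenthesized: %r" % text)
    mask = {c: frozenset() for c in CLASSES}   # an omitted class gets no access
    for field in body[1:-1].split(","):
        name, _, access = field.strip().upper().partition(":")
        cls = NAMES.get(name, name)
        if cls not in mask:
            raise ValueError("unknown class %r" % name)
        if not set(access) <= set("RWED"):
            raise ValueError("unknown access in %r" % field)
        mask[cls] = frozenset(access)
    return mask

def within(inner, outer):
    """True if no class in `inner` has an access right that `outer` lacks."""
    return all(inner[c] <= outer[c] for c in CLASSES)

def check_fileprot(value, lo="(S:RWED,O,G,W)", hi="(S:RWED,O:RWED,G:RE,W)"):
    """Return the constraints violated by one node's RMS_FILEPROT value."""
    v, low, high = (parse_protection(p) for p in (value, lo, hi))
    violations = []
    if not within(low, v):              # value grants less than the low bound
        violations.append("ABSOLUTLO")
    if not within(v, high):             # value grants more than the high bound
        violations.append("ABSOLUTHI")
    return violations
```

A value can violate both constraints at once, for example by removing system access while adding world access.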
LGIBRKLIM
Determine whether the number of failures allowed before breakin evasion conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | Failures permitted before breakin evasion are fewer than policy allows. |
| ABSOLUTHI | Failures permitted before breakin evasion are more than policy allows. |
Description
System parameter LGI_BRK_LIM is the prominent control over "number of tries" for breakin detection.
Default policy
The low and high limits are both set to the VMS default of 3.
Customizing
In most organizations, policy for these tests will be the same across all nodes, so customization will be done by modifying limits rather than creating exemptions.
A limit or exemption with a value of zero means there is no value which is considered unacceptable.
Limits
| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | 0-n | 3 |
| ABSOLUTHI | 0-n | 3 |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | 0-n | <node> |
| ABSOLUTHI | 0-n | <node> |
Practical considerations
Setting LGI_BRK_LIM too low can lead to user resentment and hostility, as well as increased requirements for support of end users.
LGIBRKTERM
Determine whether decisions regarding association of terminals for breakin detection conform to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | System parameter LGI_BRK_TERM is 1 in violation of policy |
| REQUIRED | System parameter LGI_BRK_TERM is 0 in violation of policy |
Description
System parameter LGI_BRK_TERM governs whether a username and terminal name are both associated with login failures for the purpose of detecting breakin attempts. Associating them means that breakin evasion is separately tracked by username-terminal pair, so that an attacker at one terminal cannot cause a denial of service to a legitimate user at another terminal by mounting attacks against that username.
Association works against breakin detection, however, in cases where attempts from a single physical terminal would be seen as coming from various sources by VMS, such as with many Ethernet interconnection schemes, external port selectors or data PBXs, and even some telephone hunt group arrangements.
Likewise, association might be undesirable in some cases where unattended public terminal rooms have many terminals located together. In that case, an attacker could switch to a new terminal for successive attempts to avoid breakin detection if association was enabled.
Default policy
Association is neither prohibited nor required.
Customizing
Require this to ensure association. Prohibit this to ensure no association. Since the choice of whether to associate is largely based on the nature of terminal interface and data communications hardware in use, setting both limits to TRUE and then adding exemptions is generally the preferred method of customizing.
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
Effective with VMS V5.0, the breakin evasion data structures that are maintained by VMS are supposed to include information on LAT terminal server identification and port numbers, so if the use of the LAT protocol was the only reason for avoiding association, your policy can be modified as nodes upgrade to VMS V5.0.
LGIBRKTMO
Determine whether time allowed before breakin evasion conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | Breakin Evasion timeout is shorter than policy allows. |
| ABSOLUTHI | Breakin Evasion timeout is longer than policy allows. |
Description
System parameter LGI_BRK_TMO specifies a time period that is added to an intruder or suspect's expiration time with each login failure. If that suspect becomes an intruder, the total expiration time must expire before a successful login is possible.
Default policy
The low and high limits are both set to the VMS default of 300.
Customizing
Add exemptions or modify limits in your policy if you want to permit deviations from the VMS default.
A limit or exemption with a value of zero means there is no value which is considered unacceptable.
Limits
| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | 0-n (seconds) | 300 |
| ABSOLUTHI | 0-n (seconds) | 300 |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | 0-n (seconds) | <node> |
| ABSOLUTHI | 0-n (seconds) | <node> |
Practical considerations
Generally LGI_BRK_LIM is a more important control.
By default the VMS program AUTOGEN sets system parameters LGI_BRK_TMO and LGI_HID_TIM to 0 in the case of MicroVMS. This special-case treatment has been removed in VMS V5.0, and sites which are concerned about security will want to remove this special-case treatment in MicroVMS.
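
The trade-off described under LGIBRKTERM, together with the LGI_BRK_LIM count and the LGI_BRK_TMO expiration described above, can be compared with a small model when choosing policy for a node. This is an added example, not VMS's or LJK/Security's own logic: it assumes evasion begins once the failure count reaches LGI_BRK_LIM, ignores LGI_HID_TIM, and uses constructed usernames and terminal names. The class and function names are hypothetical.

```python
class EvasionModel:
    """Simplified model of breakin evasion (not VMS's actual data structures)."""

    def __init__(self, brk_lim=3, brk_tmo=300, brk_term=1):
        self.brk_lim, self.brk_tmo, self.brk_term = brk_lim, brk_tmo, brk_term
        self.records = {}               # key -> [failure count, expiration time]

    def _key(self, user, terminal):
        # LGI_BRK_TERM = 1: each username-terminal pair is tracked separately.
        return (user, terminal) if self.brk_term else (user,)

    def _live(self, key, now):
        rec = self.records.get(key)
        if rec and rec[1] <= now:       # expiration time has passed
            del self.records[key]
            rec = None
        return rec

    def blocked(self, user, terminal, now):
        rec = self._live(self._key(user, terminal), now)
        return bool(rec) and rec[0] >= self.brk_lim

    def fail(self, user, terminal, now):
        key = self._key(user, terminal)
        rec = self._live(key, now) or [0, now]
        rec[0] += 1
        rec[1] += self.brk_tmo          # each failure adds LGI_BRK_TMO seconds
        self.records[key] = rec

def failures_tolerated(model, user, terminals, attempts):
    """Count failed logins accepted before evasion starts refusing them."""
    accepted = 0
    for i in range(attempts):           # one attempt per second, rotating terminals
        term = terminals[i % len(terminals)]
        if model.blocked(user, term, now=i):
            break
        model.fail(user, term, now=i)
        accepted += 1
    return accepted
```

With association enabled, three failures at one terminal leave the same username usable at another terminal, while a rotation over four terminals is tolerated for twelve failures instead of three.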
LGICALLOUT
Determine whether system parameter conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | System parameter LGICALLOUT is lower than policy allows. |
| ABSOLUTHI | System parameter LGICALLOUT is higher than policy allows. |
Description
System parameter LGICALLOUT enables third party authentication software, and should be set to the value recommended by the device manufacturer.
Default policy
Low and high limits are both set to the VMS default of 0.
Customizing
Customization should be done with exemptions to keep most systems at the default.
Limits
| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | 0-255 | 0 |
| ABSOLUTHI | 0-255 | 0 |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | 0-255 | <node> |
| ABSOLUTHI | 0-255 | <node> |
Practical considerations
Consistent policy across a range of manufacturers can be difficult to achieve.