LJK/Security Reference Manual
LGIHIDTIM
Determine whether breakin evasion duration conforms to policy.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | Breakin evasion duration is shorter than policy allows. |
| ABSOLUTHI | Breakin evasion duration is longer than policy allows. |
Description
System parameter LGI_HID_TIM determines approximately how many seconds
breakin evasion lasts once it is first triggered. VMS adds a randomizing
factor of up to 50% to this value so that the evasion behavior is less
predictable to an attacker, and it extends the evasion period if further
attempts are made while evasion is in effect.
Default policy
The low and high limits are both set to the VMS default of 300.
Customizing
Add exemptions or modify limits in your policy if you want to permit
deviations from the VMS default. A limit or exemption with a value of
zero means there is no value which is considered unacceptable.
Limits

| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | 0---n | 300 |
| ABSOLUTHI | 0---n | 300 |

Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | 0---n | <node> |
| ABSOLUTHI | 0---n | <node> |
Practical considerations
Making LGI_HID_TIM too long can exacerbate denial of service problems,
but if authorized users (or user assistance personnel) are properly
educated about the increased duration, denial of service due to user
error can be minimized by avoiding further attempts during the evasion
period.
By default the VMS program AUTOGEN sets system parameters LGI_BRK_TMO
and LGI_HID_TIM to 0 on MicroVMS, which disables evasion there. This
special-case treatment was removed in VMS V5.0; sites concerned about
security will want to remove it on earlier MicroVMS systems as well.
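The limit and exemption logic described for this element (and shared by the other numeric system-parameter elements LGIPWDTMO, LGIRETRYLM, LGIRETRYTM and MVTIMEOUT) as an added Python example; this is not LJK/Security code. The SHOW PARAMETER text is a constructed sample whose column layout only approximates SYSGEN's, the node names are invented, and the exemption semantics (an exemption replaces the policy limit for the named node) are this example's own assumption.

```python
"""Evaluate numeric VMS system parameters against ABSOLUTLO/ABSOLUTHI
policy limits with per-node exemptions, as this manual describes.

Added example for this manual, not LJK/Security code. The SHOW PARAMETER
text is a constructed sample (layout approximated); policy tables, node
names and exemption semantics are this example's own assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample of SYSGEN> SHOW PARAMETER output (sample values only).
SAMPLE_SHOW_PARAMETER = """\
Parameter Name            Current    Default    Min.     Max.     Unit  Dynamic
--------------            -------    -------    -------  -------  ----  -------
LGI_BRK_TMO                   300        300          0       -1 Seconds    D
LGI_HID_TIM                   120        300          0       -1 Seconds    D
LGI_PWD_TMO                    30         30          0      255 Seconds    D
LGI_RETRY_LIM                   5          3          0      255 Tries      D
LGI_RETRY_TIM                  20         20          0      255 Seconds    D
MVTIMEOUT                    3600       3600          0       -1 Seconds    D
"""


@dataclass(frozen=True)
class Limit:
    lo: int  # ABSOLUTLO; 0 means no value is considered too low
    hi: int  # ABSOLUTHI; 0 means no value is considered too high


# Default policy as the manual states it for each element.
POLICY = {
    "LGI_HID_TIM":   Limit(300, 300),
    "LGI_PWD_TMO":   Limit(30, 30),
    "LGI_RETRY_LIM": Limit(3, 3),
    "LGI_RETRY_TIM": Limit(20, 20),
    "MVTIMEOUT":     Limit(300, 64000),
}

# Exemptions keyed by (parameter, node). Assumed semantics: the exemption
# replaces the policy limit for that node only.
EXEMPTIONS = {
    ("LGI_HID_TIM", "DIALUP"): Limit(120, 0),  # shorter evasion allowed, no upper bound
}

_ROW = re.compile(r"^([A-Z][A-Z0-9_$]*)\s+(-?\d+)\s+(-?\d+)\s")


def parse_show_parameter(text):
    """Map parameter name -> current value from SHOW PARAMETER text."""
    values = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


def effective_limit(name, node):
    return EXEMPTIONS.get((name, node), POLICY[name])


def check(values, node):
    """Return (parameter, constraint, current, limit) for every violation on node."""
    findings = []
    for name in sorted(POLICY):
        if name not in values:
            continue  # parameter absent from this capture; nothing to judge
        current = values[name]
        limit = effective_limit(name, node)
        if limit.lo and current < limit.lo:
            findings.append((name, "ABSOLUTLO", current, limit.lo))
        if limit.hi and current > limit.hi:
            findings.append((name, "ABSOLUTHI", current, limit.hi))
    return findings


if __name__ == "__main__":
    values = parse_show_parameter(SAMPLE_SHOW_PARAMETER)
    for node in ("BOSS", "DIALUP"):
        for name, constraint, current, limit in check(values, node):
            print(f"{node}: {name} {constraint} current={current} limit={limit}")
```

On the sample, node BOSS is reported for LGI_HID_TIM (120 is below the 300 floor) and LGI_RETRY_LIM (5 is above the ceiling of 3), while node DIALUP's exemption accepts the shorter evasion period and only the retry limit remains. A MicroVMS-style LGI_HID_TIM of 0 is caught by the same ABSOLUTLO check.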
LGIPWDTMO
Determine whether system password timeout period conforms to policy.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | System password timeout period is shorter than policy allows. |
| ABSOLUTHI | System password timeout period is longer than policy allows. |
Description
System parameter LGI_PWD_TMO determines how many seconds a user is
given to enter the system password.
Default policy
The low and high limits are both set to the VMS default of 30.
Customizing
Add exemptions or modify limits in your policy if you want to permit
deviations from the VMS default. A limit or exemption with a value of
zero means there is no value which is considered unacceptable.
Limits

| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | 0---n | 30 |
| ABSOLUTHI | 0---n | 30 |

Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | 0---n | <node> |
| ABSOLUTHI | 0---n | <node> |
Practical considerations
This test is relevant only if you have lines that use system passwords.
Setting this interval too short can lead to confusion, hostility, and
resentment from authorized users who are deliberate typists.
LGIRETRYLM
Determine whether login retry count conforms to policy.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | Login retry count is lower than policy allows. |
| ABSOLUTHI | Login retry count is higher than policy allows. |
Description
System parameter LGI_RETRY_LIM determines how many further attempts are
allowed after a failure before the modem is hung up (where provided).
Default policy
The low and high limits are both set to the VMS default of 3.
Customizing
Add exemptions or modify limits in your policy to allow deviation from
the VMS default. A limit or exemption with a value of zero means there
is no value which is considered unacceptable.
Limits

| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | 0---n | 3 |
| ABSOLUTHI | 0---n | 3 |

Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | 0---n | <node> |
| ABSOLUTHI | 0---n | <node> |
Practical considerations
Increasing LGI_RETRY_LIM above LGI_BRK_LIM increases the time an
attacker wastes without realizing that breakin evasion is in effect.
Sophisticated attackers, however, will not spend much time there,
because they are aware of the breakin evasion feature of VMS.
Decreasing LGI_RETRY_LIM below LGI_BRK_LIM prevents the use of breakin
evasion and the reporting of intrusion attempts.
The notion of "hangup" is relevant only for lines that have one of the
following; on other lines, termination of a login process means only
that an additional carriage return must be typed.
- Modem control
- System password enabled
- Secure server enabled
LGIRETRYTM
Determine whether login retry timeout conforms to policy.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | Login retry timeout is shorter than policy allows. |
| ABSOLUTHI | Login retry timeout is longer than policy allows. |
Description
System parameter LGI_RETRY_TIM controls how long the LOGINOUT image
waits for a successful login attempt after a failure before hanging up
the modem (where provided).
Default policy
The low and high limits are both set to the VMS default of 20 seconds.
Customizing
Add exemptions or modify limits in your policy if you want to allow
deviation from the VMS default.
Limits

| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | 0---n | 20 |
| ABSOLUTHI | 0---n | 20 |

Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | 0---n | <node> |
| ABSOLUTHI | 0---n | <node> |
Practical considerations
This test is meaningful only for lines that are under modem control or
that use the secure server or system password options. On other lines,
the effect of the login timeout is merely to require an additional
carriage return.
MAXSYSGRP
Determine the UIC group number at (or below) which implicit SYSPRV
privilege is granted.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | Limiting group number is lower than policy allows. |
| ABSOLUTHI | Limiting group number is higher than policy allows. |
Description
System parameter MAXSYSGROUP sets a limiting UIC group number; users
whose UIC group is at or below it implicitly have the SYSPRV privilege.
Default policy
Limits are set to allow the VMS default of 8 (octal 10) and anything
more restrictive down to 1 (the group used by VMS itself).
Customizing
Tighten this if you want, although individual usernames that obtain
implicit privileges through this mechanism are already reported as
having these privileges by the UAF facility tests of LJK/Security.
A limit or exemption with a value of zero means there is no value which
is considered unacceptable.
Limits

| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | 0---2**14 | 1 |
| ABSOLUTHI | 0---2**14 | 8 (usually expressed by VMS in its octal form, 10) |

Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | 0---2**14 | <node> |
| ABSOLUTHI | 0---2**14 | <node> |
Practical considerations
There are very few valid reasons for ever allowing an administrator to
raise this parameter, but one might exist at your site.
Be prepared to see each UIC expressed as an octal number or as a text
string. Octal numbers are in base 8 and use only the digits 0---7, so a
typical UIC whose group is decimal 8 is written [10,22]. If your
ABSOLUTHI for MAXSYSGRP is 8, don't be surprised to find privileged
users listed with these UIC groups: 1, 2, 3, 4, 5, 6, 7, 10.
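The octal-versus-decimal point above is where MAXSYSGROUP reviews usually go wrong, so here is the check carried through in code as an added Python example; this is not LJK/Security code. The account list is a constructed sample, and the usernames are invented. The %X, %O and %D radix prefixes are real DCL syntax; everything else is this example's own.

```python
"""Find accounts that receive implicit SYSPRV through MAXSYSGROUP, reading
UICs in the octal notation VMS uses, and judge the parameter against the
element's default ABSOLUTLO/ABSOLUTHI limits.

Added example for this manual, not LJK/Security code. SAMPLE_ACCOUNTS is
constructed data; the %X/%O/%D prefixes are DCL's radix operators.
"""
import re

_NUMERIC_UIC = re.compile(r"^\[(?P<group>[0-7]+),(?P<member>[0-7]+)\]$")


def parse_dcl_integer(text):
    """Read an integer the way DCL does: %X hex, %O octal, %D or bare decimal."""
    t = text.strip().upper()
    if t.startswith("%X"):
        return int(t[2:], 16)
    if t.startswith("%O"):
        return int(t[2:], 8)
    if t.startswith("%D"):
        return int(t[2:], 10)
    return int(t, 10)


def uic_group(uic):
    """Decimal group number of a numeric UIC such as [10,22] (digits are octal).
    Text-form UICs such as [SYSTEM] need the rights database to resolve,
    so they are rejected rather than guessed."""
    m = _NUMERIC_UIC.match(uic.strip())
    if not m:
        raise ValueError(f"not a numeric UIC: {uic!r}")
    return int(m.group("group"), 8)


def implicit_system_users(accounts, maxsysgroup):
    """Usernames whose UIC group is at or below MAXSYSGROUP (given in decimal)."""
    return sorted(user for user, uic in accounts.items()
                  if uic_group(uic) <= maxsysgroup)


def maxsysgroup_violation(value, lo=1, hi=8):
    """Apply the element's default limits (ABSOLUTLO 1, ABSOLUTHI 8); 0 = no limit."""
    if lo and value < lo:
        return "ABSOLUTLO"
    if hi and value > hi:
        return "ABSOLUTHI"
    return None


# Constructed sample: AUTHORIZE output reduced to username -> UIC (octal).
SAMPLE_ACCOUNTS = {
    "SYSTEM": "[1,4]",
    "FIELD": "[1,10]",
    "OPER1": "[7,1]",
    "DEVMGR": "[10,22]",    # group octal 10 = decimal 8: inside the default MAXSYSGROUP
    "JSMITH": "[200,5]",    # group octal 200 = decimal 128
    "PUBLIC": "[377,377]",
}

if __name__ == "__main__":
    for setting in ("%O10", "%O200"):
        g = parse_dcl_integer(setting)
        verdict = maxsysgroup_violation(g) or "OK"
        print(f"MAXSYSGROUP={setting} ({g} decimal) -> {verdict}:",
              ", ".join(implicit_system_users(SAMPLE_ACCOUNTS, g)))
```

With the VMS default (%O10) the sample yields DEVMGR, FIELD, OPER1 and SYSTEM as implicitly privileged; raising the parameter to %O200 adds JSMITH and is reported as an ABSOLUTHI violation. Comparing the decimal 10 shown in a listing against a decimal policy value of 8 would wrongly flag a default system.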
MVTIMEOUT
Determine how long VMS will wait for mount verification in case of a
device error.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | Timeout period is shorter than policy allows. |
| ABSOLUTHI | Timeout period is longer than policy allows. |
Description
System parameter MVTIMEOUT controls how long VMS will stall a process
while waiting for a device error to be cleared by mount verification.
After that period an error is returned to the user.
Default policy
The default limits widely bracket the VMS default value of 3600 for
system parameter MVTIMEOUT.
Customizing
If local policy is to change the VMS default, it should be reflected in
limits or exemptions. A limit or exemption with a value of zero means
there is no value which is considered unacceptable.
Limits

| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | 0---64,000 (seconds) | 300 |
| ABSOLUTHI | 0---64,000 (seconds) | 64,000 |

Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | 0---64,000 (seconds) | <node> |
| ABSOLUTHI | 0---64,000 (seconds) | <node> |
Practical considerations
Excessively long timeout periods delay detection of errors and leave
user processes hung with no indication of the problem. Excessively
short timeout periods reduce the chance that a device error can be
corrected without aborting user transactions.
OPCOM
Determine whether OPCOM state conforms to policy.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | OPCOM is started in violation of policy. |
| REQUIRED | OPCOM is stopped in violation of policy. |
Description
Security alarm transmission to operators uses the OPCOM process; if
that process is not running there will be no notification. In addition,
for versions of VMS prior to V5.2, the OPCOM process is required in
order to record security alarms on disk.
Default policy
The OPCOM process must be running.
Customizing
Add an exemption to the REQUIRED test for any node which you wish to
exempt from the requirement to run the OPCOM process.
Limits

| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |

Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
Future versions of VMS (after V5.4) may provide an alternative method of
operator notification that does not require the OPCOM process.
POLICY
See if LJK/Security policy modification history
conforms to policy.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| AUDEVTDAYS | The last LJK/Security policy modification of auditable events was longer ago than the maximum allowed. |
| MODIFYDAYS | The last LJK/Security policy modification was longer ago than the maximum allowed. |
Description
The tests within this element determine whether the LJK/Security
policy used in this assessment has been changed recently enough.
Default policy
No particular policy modification schedule is required.
Customizing
Some external requirements call for ongoing modification of policy
values.
Limits
| Constraint | Value | Default |
|---|---|---|
| AUDEVTDAYS | number of days | 0 |
| MODIFYDAYS | number of days | 0 |

Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| AUDEVTDAYS | number of days | <node> |
| MODIFYDAYS | number of days | <node> |
Practical considerations
While LJK/Security can detect policy modification dates, it cannot
determine whether the modifications were based on sound judgement.
PWDHISTORY
Determine whether password history parameters conform to policy.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| MINLIFE | Password history lifetime is shorter than policy allows. |
| MAXLIFE | Password history lifetime is longer than policy allows. |
| MINLIMIT | Password history entry limit is less than policy allows. |
| MAXLIMIT | Password history entry limit is more than policy allows. |
Description
Logical names SYS$PASSWORD_HISTORY_LIFETIME and
SYS$PASSWORD_HISTORY_LIMIT can be used to alter the VMS defaults of 365
days and 60 entries respectively. Whether or not those logical names
are defined, the tests for this element determine if the values in
effect on the system conform to policy.
Default policy
The VMS default values of 365 days and 60 entries are required.
Customizing
Add exemptions or modify limits in your policy if you want to permit
deviations from the VMS default. A limit or exemption with a value of
zero means there is no value which is considered unacceptable.
Limits

| Constraint | Value | Default |
|---|---|---|
| MINLIFE | 0---3650 | 365 |
| MAXLIFE | 0---3650 | 365 |
| MINLIMIT | 2---255 | 60 |
| MAXLIMIT | 2---255 | 60 |

Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| MINLIFE | 0---3650 | <node> |
| MAXLIFE | 0---3650 | <node> |
| MINLIMIT | 2---255 | <node> |
| MAXLIMIT | 2---255 | <node> |
Practical considerations
In most cases the VMS defaults are adequate, and this test merely
ensures there are no local deviations.
PWDPOLICY
Determine whether site-specific password policy on disk conforms to
policy.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| LOADPWDPRO | Loading site code is enabled in violation of policy. |
| LOADPWDREQ | Loading site code is disabled in violation of policy. |
| PWDEXEPRO | Site-specific password policy is provided in violation of policy. |
| PWDEXEREQ | Site-specific password policy is absent in violation of policy. |
| HASHPWDPRO | Site-specific password algorithm is provided in violation of policy. |
| HASHPWDREQ | Site-specific password algorithm is absent in violation of policy. |
Description
Tests VMS_LOADPWDPRO and VMS_LOADPWDREQ test whether system parameter
LOAD_PWD_POLICY is set. Tests VMS_PWDEXEPRO and VMS_PWDEXEREQ test
whether the image SYS$LIBRARY:VMS$PASSWORD_POLICY.EXE is provided.
Tests VMS_HASHPWDPRO and VMS_HASHPWDREQ test whether the image
SYS$LOADABLE_IMAGES:SYS$HASH_PASSWORD.EXE is provided.
The site-specific hash capability and system parameter LOAD_PWD_POLICY
are available only on VMS V5.4 or greater.
Default policy
Password policy options are prohibited, since they could be used as the
basis for further efforts by a successful attacker.
Customizing
Limits and exemptions for tests VMS_LOADPWD* and VMS_PWDEXE* should be
set in concert, since the parameter setting and image presence must be
coordinated to have the desired effect.
Limits
| Constraint | Value | Default |
|---|---|---|
| LOADPWDPRO | FALSE or TRUE | TRUE |
| LOADPWDREQ | FALSE, TRUE or TRY | FALSE |
| PWDEXEPRO | FALSE or TRUE | TRUE |
| PWDEXEREQ | FALSE, TRUE or TRY | FALSE |
| HASHPWDPRO | FALSE or TRUE | TRUE |
| HASHPWDREQ | FALSE, TRUE or TRY | FALSE |

Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| LOADPWDPRO | FALSE or TRUE | <node> |
| LOADPWDREQ | FALSE, TRUE or TRY | <node> |
| PWDEXEPRO | FALSE or TRUE | <node> |
| PWDEXEREQ | FALSE, TRUE or TRY | <node> |
| HASHPWDPRO | FALSE or TRUE | <node> |
| HASHPWDREQ | FALSE, TRUE or TRY | <node> |
Practical considerations
The tests in this element do nothing to verify that the site-specific
code provided is the correct code. It is important that no unauthorized
site-specific password policy be in use, since it might have been left
as a back door by an attacker who successfully gained privileged access.
Attackers in the past have gone so far as to patch the LOGINOUT image,
and this mechanism, though useful for its stated purpose, could be
hazardous if an attacker gains control. Among other tactics used in the
past, collecting the cleartext passwords of individual users has
sometimes helped attackers guess the passwords chosen by the same users
on other systems in the same network which have not yet been
compromised.
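The PROHIBITED/REQUIRED logic of this element and of OPCOM, together with the coordination check the Customizing note calls for and the image verification the tests themselves do not perform, as an added Python example; this is not LJK/Security code. The node state, the image bytes and the approved digest are constructed sample data, the SHA-256 fingerprint comparison is this example's own addition, and the TRY setting listed for the *REQ tests is not defined on this page and is not modelled.

```python
"""Assess one node's password-policy hooks and OPCOM state with the
PROHIBITED/REQUIRED logic this manual describes, then add two checks the
manual's tests do not make: that LOAD_PWD_POLICY and the policy image are
set in concert, and that any site image present matches an approved
SHA-256 fingerprint.

Added example for this manual, not LJK/Security code. State, image bytes
and baseline digests are constructed sample data; the fingerprint check is
this example's own addition; the manual's TRY setting is not modelled.
"""
import hashlib

POLICY_IMAGE = "SYS$LIBRARY:VMS$PASSWORD_POLICY.EXE"
HASH_IMAGE = "SYS$LOADABLE_IMAGES:SYS$HASH_PASSWORD.EXE"

# Item -> (PROHIBITED, REQUIRED), matching the manual's default policy:
# site password hooks prohibited, the OPCOM process required.
DEFAULT_POLICY = {
    "LOAD_PWD_POLICY": (True, False),
    POLICY_IMAGE:      (True, False),
    HASH_IMAGE:        (True, False),
    "OPCOM":           (False, True),
}


def present(state, item):
    """Present means: parameter is 1, image has contents, or process is running."""
    return bool(state.get(item))


def prohibited_required(state, policy):
    """The PROHIBITED/REQUIRED tests as the manual states them."""
    findings = []
    for item, (prohibited, required) in policy.items():
        if prohibited and present(state, item):
            findings.append(f"{item}: present in violation of policy (PROHIBITED)")
        if required and not present(state, item):
            findings.append(f"{item}: absent in violation of policy (REQUIRED)")
    return findings


def coordination(state):
    """LOAD_PWD_POLICY and the policy image only do what is intended together."""
    param = present(state, "LOAD_PWD_POLICY")
    image = present(state, POLICY_IMAGE)
    if param and not image:
        return [f"LOAD_PWD_POLICY set but {POLICY_IMAGE} absent: not coordinated"]
    if image and not param:
        return [f"{POLICY_IMAGE} present but LOAD_PWD_POLICY clear: dormant site code, confirm it is authorized"]
    return []


def fingerprints(state, baseline):
    """Compare SHA-256 of each present site image with the approved digest (added check)."""
    findings = []
    for image in (POLICY_IMAGE, HASH_IMAGE):
        data = state.get(image)
        if not data:
            continue
        digest = hashlib.sha256(data).hexdigest()
        if baseline.get(image) != digest:
            findings.append(f"{image}: SHA-256 {digest[:16]}... not in approved baseline")
    return findings


def assess(state, policy=DEFAULT_POLICY, baseline=None):
    """All findings for one node, in the order the manual's tests run then the added checks."""
    return (prohibited_required(state, policy)
            + coordination(state)
            + fingerprints(state, baseline or {}))


# Constructed sample data: a node running a site policy image whose digest
# is not the approved one, and a node with the hooks removed.
SAMPLE_IMAGE = b"constructed stand-in for a site VMS$PASSWORD_POLICY.EXE"
SAMPLE_IMAGE_DIGEST = hashlib.sha256(SAMPLE_IMAGE).hexdigest()
SAMPLE_STATE = {"LOAD_PWD_POLICY": 1, POLICY_IMAGE: SAMPLE_IMAGE,
                HASH_IMAGE: None, "OPCOM": True}
SAMPLE_BASELINE = {POLICY_IMAGE: hashlib.sha256(b"approved build").hexdigest()}
HARDENED_STATE = {"LOAD_PWD_POLICY": 0, POLICY_IMAGE: None,
                  HASH_IMAGE: None, "OPCOM": True}

if __name__ == "__main__":
    for name, state in (("SAMPLE", SAMPLE_STATE), ("HARDENED", HARDENED_STATE)):
        print(name, assess(state, baseline=SAMPLE_BASELINE) or ["no findings"])
```

The sample node produces three findings: two PROHIBITED violations for the parameter and the image, and a fingerprint mismatch; the coordination check stays silent because parameter and image agree. A node with the image present but LOAD_PWD_POLICY clear passes the LOADPWDPRO test yet is exactly the dormant-code case the practical considerations warn about, which is why the coordination check reports it separately.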