LJK/Security Reference Manual
REBLDSYS
Determine whether the system disk will be rebuilt after a system crash.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | System parameter ACP_REBLDSYSD is 1 in violation of policy |
| REQUIRED | System parameter ACP_REBLDSYSD is 0 in violation of policy |
Description
Free space bit maps on various disks may be incorrect after a system
crash. For most disks, this is corrected by the (default) MOUNT/REBUILD
qualifier. For the system disk, however, rebuilding is controlled by
the system parameter ACP_REBLDSYSD.
Default policy
Rebuilding is required.
Customizing
To ensure that system disks are rebuilt, you should set REQUIRED to TRUE. Setting PROHIBITED to TRUE will allow faster reboots. Setting both limits to FALSE will allow local discretion.
Limits

| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |

Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
Rebuilding the system disk can be time-consuming, denying service to some extent, depending on local standards. Generally, the worst outcome of failing to rebuild the system disk (or any other disk, in fact) is just the unavailability of some free space on the disk. This is due to the "careful write" methods of the VMS file system. If denial of service time is more onerous than denial of disk space at your site, you might prefer to set PROHIBITED to TRUE and REQUIRED to FALSE.
REMEDIATE
Specify times required and name responsible parties for inclusion in
remediation planning.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| CHANGES | The number of days required to implement an application change |
| CONFIGURE | The number of days required to implement a parameter change |
| INITIALIZE | The number of days required to propagate assessment results |
| MANAGEACC | The name or title of the individual or group managing accounts (usernames) |
| MANAGEAPP | The name or title of the individual or group managing applications |
| MANAGEASS | The name or title of the individual or group managing security assessments |
| MANAGEAUD | The name or title of the individual or group managing auditing |
| MANAGENET | The name or title of the individual or group managing network security |
| MANAGESYS | The name or title of the individual or group managing the system |
| MAXIMUM | The number of days it takes for all applications to be exercised at least once |
| MEDIAN | The number of days it takes for half of the applications to be exercised at least once |
| MINIMUM | The number of days it takes for half the applications to be exercised at least once |
| REPORTNAM | The name or title of the individual or group managing the system |
| SYSTEMNAM | The name or title of the individual or group managing the system |
Description
The constraints within this element are not really tests, but provide organization latency and naming information used to generate remediation plans.
Default policy
Most applications run every month. All applications run every year. It takes 7 days to propagate violation reports. It takes 90 days to change an application.
Customizing
Change these constraints freely to match reality within your organization.
Limits

| Constraint | Value | Default |
|---|---|---|
| CHANGES | number of days | 90 |
| CONFIGURE | number of days | 7 |
| INITIALIZE | number of days | 7 |
| MANAGEACC | text string | "Account Manager" |
| MANAGEAPP | text string | "Application Manager" |
| MANAGEASS | text string | "Assessment Manager" |
| MANAGEAUD | text string | "Audit Manager" |
| MANAGENET | text string | "Network Manager" |
| MANAGESYS | text string | "System Manager" |
| MAXIMUM | number of days | 366 |
| MEDIAN | number of days | 31 |
| MINIMUM | number of days | 31 |
| REPORTNAM | text string | "Remediation Plan" |
| SYSTEMNAM | text string | assessment-name |
Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| CHANGES | number of days | <node> |
| CONFIGURE | number of days | <node> |
| INITIALIZE | number of days | <node> |
| MANAGEACC | text string | <node> |
| MANAGEAPP | text string | <node> |
| MANAGEASS | text string | <node> |
| MANAGEAUD | text string | <node> |
| MANAGENET | text string | <node> |
| MANAGESYS | text string | <node> |
| MAXIMUM | number of days | <node> |
| MEDIAN | number of days | <node> |
| MINIMUM | number of days | <node> |
| REPORTNAM | text string | <node> |
| SYSTEMNAM | text string | <node> |
Practical considerations
These tests do not really test any controls; they are used only to generate remediation schedules.
SAVEDUMP
Determine whether crash dumps written to a page file are preserved
until they can be analyzed.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | System parameter SAVEDUMP is 1 in violation of policy |
| REQUIRED | System parameter SAVEDUMP is 0 in violation of policy |
Description
On systems that do not have a separate dump file, crash dumps will be written into the paging file. These tests check whether the crash information will be preserved until it is analyzed. The VMS SAVEDUMP element tests PROHIBITED and REQUIRED never report violations if a dump file is present on the tributary node (since the SAVEDUMP parameter only affects saving dumps in the page file, in the absence of a dump file).
Default policy
Preserving crash dump information is required.
Customizing
If analysis of system failures is important at your site, set REQUIRED to TRUE. If system parameter DUMPBUG is 0, this test will be skipped. This test will also be skipped if a separate dump file exists.
Limits

| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |

Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
Analysis of each crash dump can help you to track down the cause of the crash and suggest ways of avoiding future crashes. A dump takes up disk space, so it is desirable to analyze each crash quickly and release the space that it used. Unless analysis is timely (or unless page file space is plentiful), preserving a crash dump can be a threat to continuity of service.
This puts a security manager in a bind between system availability requirements and disk space requirements. Therefore, if no one in your organization is prepared to do timely crash dump analysis, requiring this might be a futile effort.
SECPOLICY
Ensure bit settings in system parameter SECURITY_POLICY conform to
policy.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | allowed in violation of policy |
| REQUIRED | prevented in violation of policy |
Description
These bits in VMS V6.0 and beyond control overall system security, including whether deviations from C2 evaluated components are allowed.
Default policy
DECwindows access is permitted to allow behavior which was allowed under prior versions of VMS, while other items are prohibited.
Customizing
These tests are primarily of interest to government sites which require running under evaluated software.
Selector
Limits for this test can take a selector indicating a security policy bit:
Table 6-1 Selectors for Security Policy Bits

| Selector Name | VMS Security Policy Bit | Meaning |
|---|---|---|
| DPS | ALLOW_DISPLAY_POSTSCRIPT | allow display postscript extensions |
| MULTIDECW | ALLOW_MULTIPLE_DECW_USERS | allow multiple usernames to connect to DECW$SERVER |
| TRANSPORTS | ALLOW_ALTERNATE_TRANSPORTS | allow unevaluated transports |
| CROSSJOB | ALLOW_SPAN_JOB_TREES | allow $SIGPRC to span job trees |
| LOCPROFILE | LOCAL_UPDATE | allow local profile changes |
| LOCOBJECT | LOCAL_PROFILE | allow local object creation |
| CAPTIVESPAWN | ALLOW_CAPTIVE_SPAWN | allow SPAWN or LIB$SPAWN in CAPTIVE accounts |
| COMPRESSMAC | COMPRESS_MAC_STRINGS | compress MAC category strings (SEVMS) |
| UPPERCASEINPUT | UPPERCASE_INPUT | as prior to VMS V7.1 |
| GUARDPASSWORDS | GUARD_PASSWORDS | ACMEs shall not share |
| DOIAUTHORIZATION | DOI_AUTHORIZATION_ONLY | prevent feature mixing |
| IGNOREEXTAUTH | IGNORE_EXTAUTH | ignore user-specific EXTAUTH and VMSAUTH restrictions |
| INTRUSIONSLOCAL | INTRUSIONS_ARE_LOCAL | consider local intrusions only when set |
| USEPOSIXUIDGID | USE_POSIX_UID_GID | perform UID/GID lookup in tcpip proxy database |
Limits

| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | TRUE* |
| REQUIRED | FALSE or TRUE | FALSE* |

* except for the DPS, MULTIDECW, TRANSPORTS and GUARDPASSWORDS selectors.

Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
The CAPTIVESPAWN bit will be of the most interest to commercial sites.
SECONDARY
Ensure an appropriate percentage of usernames require secondary
passwords.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| PERCENTLO | Fewer usernames require secondary passwords than permitted by policy |
| PERCENTHI | More usernames require secondary passwords than permitted by policy |
Description
These tests determine whether an appropriate percentage of usernames require secondary passwords.
Default policy
There is no requirement for a particular percentage of usernames to require secondary passwords.
Customizing
These tests are primarily of interest to sites which have a need for secondary passwords unrelated to VMS privilege levels. When the need is related to VMS privilege levels, use the (UAF,PWDNULL,SECMAXPRIV) test.
Limits

| Constraint | Value | Default |
|---|---|---|
| PERCENTLO | 0-100 | 0 |
| PERCENTHI | 0-100 | 100 |

Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| PERCENTLO | 0-100 | <node>, <device-name> |
| PERCENTHI | 0-100 | <node>, <device-name> |
Practical considerations
The VMS secondary password mechanism is only effective if the primary and secondary passwords are held by different individuals, and that aspect of usage cannot be automatically verified.
SETTIME
Determine whether VMS will delay on boot for the time to be entered.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | System parameter SETTIME is 1 in violation of policy |
| REQUIRED | System parameter SETTIME is 0 in violation of policy |
Description
If system parameter SETTIME is 1, VMS will wait for the time to be entered on each boot.
Default policy
Prompting on every boot is prohibited.
Customizing
LJK Software recommends that you leave the limits for these tests at their default value. If you have particular systems which are supposed to have system parameter SETTIME set to 1, you can add exemptions for those nodes to the PROHIBITED constraint.
A more thorough approach in situations where some nodes must have the system parameter SETTIME set to 1 would be to set both the PROHIBITED and the REQUIRED limits to TRUE and then establish exemptions for all nodes.
Limits

| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | TRUE |
| REQUIRED | FALSE or TRUE | FALSE |

Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
Except for the MicroVAX I and the VAX 11/730, systems which run VMS have built-in time-of-year clocks. With such a clock, system parameter SETTIME should be 0, and the default values for these tests will be sufficient.
While waiting for time to be input on boot is a threat to continuity of service, running with the software clock incorrectly set can lead to improper operation of applications, also an undesirable condition.
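The PROHIBITED/REQUIRED evaluation that the REBLDSYS, SAVEDUMP and SETTIME elements share, including the SAVEDUMP skip conditions and the "both limits TRUE, exempt every node" approach described for SETTIME, as an added example in Python that is not LJK's code; the node names, parameter values and the exemption layout are constructed for illustration.

```python
# Added example, not LJK's code: evaluate a PROHIBITED/REQUIRED pair for the
# REBLDSYS, SAVEDUMP and SETTIME elements. Node names, parameter values and
# the exemption layout are constructed for illustration.

# Element name -> system parameter it examines (from the manual)
ELEMENT_PARAM = {
    "REBLDSYS": "ACP_REBLDSYSD",
    "SAVEDUMP": "SAVEDUMP",
    "SETTIME": "SETTIME",
}


def check_element(element, node, params, limits, exemptions=None,
                  dump_file_present=False):
    """Return a list of (constraint, message) violations for one node.

    params:     system parameter name -> integer value on the node
    limits:     {"PROHIBITED": bool, "REQUIRED": bool}; both FALSE means
                local discretion, so nothing is ever reported
    exemptions: {"PROHIBITED": {nodes}, "REQUIRED": {nodes}} (assumed shape)
    """
    exemptions = exemptions or {}
    # SAVEDUMP only matters for dumps written to the page file, so the test
    # is skipped when DUMPBUG is 0 or a separate dump file exists.
    if element == "SAVEDUMP" and (params.get("DUMPBUG", 1) == 0
                                  or dump_file_present):
        return []
    name = ELEMENT_PARAM[element]
    value = params.get(name)
    if value is None:  # parameter not collected from this node
        return []
    violations = []
    for constraint, bad_value in (("PROHIBITED", 1), ("REQUIRED", 0)):
        if not limits.get(constraint):
            continue
        if node in exemptions.get(constraint, ()):
            continue
        if value == bad_value:
            violations.append((constraint,
                               f"System parameter {name} is {bad_value} "
                               "in violation of policy"))
    return violations


if __name__ == "__main__":
    params = {"ACP_REBLDSYSD": 0, "SAVEDUMP": 0, "DUMPBUG": 1, "SETTIME": 1}
    # SETTIME with both limits TRUE: every node must carry an exemption on
    # one side or the other, so a node nobody listed is always reported.
    both = {"PROHIBITED": True, "REQUIRED": True}
    print(check_element("SETTIME", "NODEA", params, both,
                        {"PROHIBITED": {"NODEA"}}))
    print(check_element("SETTIME", "NODEB", params, both))
```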
STARTUP
See if the list of system startup modules conforms to policy.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| MATCH | Ordered list of Startup modules does not exactly match policy |
| MUSTHAVE | Set of Startup modules does not include one required by policy |
| MUSTLACK | Set of Startup modules includes one prohibited by policy |
| NOMORETHAN | Set of Startup modules includes more than those permitted by policy |
| NOTJUST | Set of Startup modules does not include any beyond set declared inadequate by policy |
Description
The tests within this element determine whether the list of system startup modules conforms to policy.
Default policy
There are no requirements regarding startup modules.
Customizing
Modify these constraints for any required or forbidden startup modules being enabled via MCR SYSMAN STARTUP commands.
Limits

| Constraint | Value | Default |
|---|---|---|
| MATCH | 0-511 characters | none |
| MUSTHAVE | 0-510 characters | none |
| MUSTLACK | 0-510 characters | none |
| NOMORETHAN | 0-510 characters | none |
| NOTJUST | 0-510 characters | none |

Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| MATCH | 0-511 characters | <node> |
| MUSTHAVE | 0-510 characters | <node> |
| MUSTLACK | 0-510 characters | <node> |
| NOMORETHAN | 0-510 characters | <node> |
| NOTJUST | 0-510 characters | <node> |
Practical considerations
This element is useful for assessing multiple distinct nodes that are alleged to be configured the same.
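The five STARTUP constraints applied to a node's ordered startup module list, as an added example in Python that is not LJK's code; the SITE$ module names, the policy values and the exemption layout are constructed for illustration.

```python
# Added example, not LJK's code: evaluate the five STARTUP constraints against
# the ordered list of startup modules reported by a node. Module names and
# policy values are constructed for illustration.

# Violation text for each constraint, as listed in the manual
MESSAGES = {
    "MATCH": "Ordered list of Startup modules does not exactly match policy",
    "MUSTHAVE": "Set of Startup modules does not include one required by policy",
    "MUSTLACK": "Set of Startup modules includes one prohibited by policy",
    "NOMORETHAN": "Set of Startup modules includes more than those permitted by policy",
    "NOTJUST": "Set of Startup modules does not include any beyond set declared inadequate by policy",
}


def check_startup(modules, limits, node=None, exemptions=None):
    """Return (constraint, message) violations; `limits` maps constraint to
    policy (MATCH an ordered list, others collections of module names),
    `exemptions` maps constraint to exempt node names (assumed shape)."""
    exemptions = exemptions or {}
    have = set(modules)
    # Each predicate is true when the node violates that constraint.
    violated = {
        "MATCH": lambda p: list(modules) != list(p),   # order is significant
        "MUSTHAVE": lambda p: not set(p) <= have,       # a required one missing
        "MUSTLACK": lambda p: bool(have & set(p)),      # a prohibited one present
        "NOMORETHAN": lambda p: not have <= set(p),     # something not permitted
        "NOTJUST": lambda p: have <= set(p),            # nothing beyond inadequate set
    }
    violations = []
    for constraint, check in violated.items():
        policy = limits.get(constraint)
        if policy is None or node in exemptions.get(constraint, ()):
            continue  # limit is "none" or this node is exempt
        if check(policy):
            violations.append((constraint, MESSAGES[constraint]))
    return violations


if __name__ == "__main__":
    # Constructed node report and policy; SITE$ names are placeholders.
    modules = ["SITE$APP_ONE", "SITE$APP_TWO", "SITE$LEGACY"]
    limits = {
        "MATCH": ["SITE$APP_ONE", "SITE$APP_TWO"],
        "MUSTHAVE": {"SITE$APP_ONE", "SITE$MONITOR"},
        "MUSTLACK": {"SITE$LEGACY"},
        "NOMORETHAN": {"SITE$APP_ONE", "SITE$APP_TWO"},
        "NOTJUST": {"SITE$APP_ONE"},
    }
    for c, msg in check_startup(modules, limits, node="NODEA"):
        print(f"{c}: {msg}")
```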