Ensure that unauthorized images are not installed with privilege.
| Constraint | Nature of the violation |
|---|---|
| CHECKSUM | Image installed with privilege not checksummed in violation of policy |
| PRIVPROHIB | Image installation with privilege in violation of policy |
| ABSOLUTHI | Image installation at higher level than maximum in the policy |
Installation of an executable image with privilege allows unprivileged users to perform privileged operations when running the program. Such programs must be carefully constructed to ensure that only the designed functions can be performed. Installing a program with privilege when it was not designed to run with privilege is a major security hazard. This test can be used to ensure that only authorized programs are installed with privilege.

Default policy: Installing images with privilege is not prohibited.

Customizing: Setting limits should be accompanied by establishing corresponding exemptions for images whose installation with privilege is acceptable (many of which are supplied by VMS and layered products).

Selector: Limits and exemptions for test PRIVPROHIB can take a selector consisting of a privilege name. Thus, they can be set once for each possible privilege. When using the Command Interface, if you do not specify a selector when changing the limit or exemptions, your change applies to all privileges.

Exemptions within the (DISK, CHECKSUM) element specify checksum values for particular files on disk. The test for the CHECKSUM constraint within this facility determines whether such an exemption has been established for every file on the system that is installed with privilege.
| Constraint | Value | Default |
|---|---|---|
| CHECKSUM | FALSE or TRUE | FALSE |
| PRIVPROHIB | FALSE or TRUE | FALSE |
| ABSOLUTHI | Category-None---Category-All | Category-All |
| Constraint | Value | Parameters |
|---|---|---|
| CHECKSUM | FALSE or TRUE | <node>,<filespec> |
| PRIVPROHIB | FALSE or TRUE | <node>,<filespec> |
| ABSOLUTHI | Category-None---Category-All | <node>,<filespec> |
The ABSOLUTHI test is sufficient to express simple limitations based on privilege level. If a more complicated selection of privileges is required, it may be necessary to use the PRIVPROHIB test instead.
Ensure that unauthorized images are not installed as protected.
| Constraint | Nature of the violation |
|---|---|
| CHECKSUM | Image installed as protected not checksummed in violation of policy |
| PROHIBITED | Image installation as protected in violation of policy |
Installation of a shareable image as protected enables any user-written system services it contains, so that they can execute in Executive or Kernel mode and thereby gain access to privileges. This test can be used to ensure that only authorized programs are installed as protected.

Default policy: Installation of images as protected is not prohibited.

Customizing: Setting the DISK_INSTPROT_PROHIBITED limit to TRUE should be accompanied by establishing corresponding exemptions for images whose installation as protected is acceptable (many of which are supplied by VMS and layered products).

Exemptions within the (DISK, CHECKSUM) element specify checksum values for particular files on disk. The test for the CHECKSUM constraint within this facility determines whether such an exemption has been established for every file on the system that is installed as protected.
| Constraint | Value | Default |
|---|---|---|
| CHECKSUM | FALSE or TRUE | FALSE |
| PROHIBITED | FALSE or TRUE | FALSE |
| Constraint | Value | Parameters |
|---|---|---|
| CHECKSUM | FALSE or TRUE | <node>,<filespec> |
| PROHIBITED | FALSE or TRUE | <node>,<filespec> |
Ensure that images are not installed from directories writable by unprivileged users.
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Image Installation from user directory in violation of policy |
Installation of an image from a directory tree that can be written by an unprivileged user (that is, one without the privileges required to install images) allows that user to subvert the installation process by substituting a different image before the next system boot (since installation is generally done automatically at boot).

Default policy: Installation of images from user directories is prohibited.

Customizing: Customizing to permit certain images to be installed from user directories is generally inappropriate.
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | TRUE |
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>,<filespec> |
Ensure that images which can be written by unprivileged users are not installed.
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Installation of user image in violation of policy |
Installation of an image that can be written by an unprivileged user (that is, one without the privileges required to install images) allows that user to subvert the installation process by substituting a different image before the next system boot (since installation is generally done automatically at boot).

Default policy: Installation of images writable by unprivileged users is prohibited.

Customizing: Customizing to permit certain images to be installed when they are writable by unprivileged users is generally inappropriate.
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | TRUE |
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>,<filespec> |
Ensure that protections on all mail files fall within the restrictions set by policy.
| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | Access is narrower than permitted by policy |
| ABSOLUTHI | Access is wider than permitted by policy |
| NOSYSOWNER | File is owned by a system UIC in violation of policy |
| PERCENTLO | Fewer users can access than permitted by policy |
| PERCENTHI | More users can access than permitted by policy |
| SYSOWNER | File is not owned by a system UIC in violation of policy |
| VERSIONMAX | File version number is higher than allowed by policy |
If a mail file's protection setting is not restrictive enough, unauthorized users will be able to read, write, execute, or delete the mail file in question. If the setting is too restrictive, users generally find a less acceptable way of sharing information to get their job done; typically, they share their password or make an unauthorized copy of the mail file somewhere else. The purpose of this test is to ensure that mail file protection settings are within the limits set by the security manager.

The ABSOLUTLO and ABSOLUTHI tests measure the UIC-based protection mask directly. The PERCENTLO and PERCENTHI tests measure the result of protection (including ACL protection) in terms of the percentage of usernames given access.

Violations for protection-related DISK facility elements are not reported when they concern only the writeability of CD-ROM disks, since the apparent writeability is an illusion.

Default policy: Mail files are not owned by a system UIC. The mail file protection setting must allow at least the system to read and write the file. By default, the weakest acceptable mail file setting allows the system and owner to read and write the mail file; other users are allowed NO access to the mail file. By default, a minimum of 0 percent of users must have access and a maximum of 1 percent of users may have access.

Customizing: Limits for constraints ABSOLUTLO and ABSOLUTHI take the same form as a standard VMS file protection setting; the syntax is explained in detail in the VMS documentation. The default settings shown in the limits table below are good examples of how to specify which class of users is allowed which type of access. These are the codes involved:
| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | Any Protection | (S:RW,O:RW,G,W) |
| ABSOLUTHI | Any Protection | (S:RW,O:RW,G,W) |
| NOSYSOWNER | FALSE or TRUE | TRUE |
| PERCENTLO | 0-100 | 0 |
| PERCENTHI | 0-100 | 1 |
| SYSOWNER | FALSE or TRUE | FALSE |
| VERSIONMAX | 0-32767 | 0 |
| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | Any Protection | <node>, <volume-name> |
| ABSOLUTHI | Any Protection | <node>, <volume-name> |
| NOSYSOWNER | FALSE or TRUE | <node>,<filespec> |
| PERCENTLO | Percent/0-n | <node>, <device-name> |
| PERCENTHI | Percent/0-n | <node>, <device-name> |
| SYSOWNER | FALSE or TRUE | <node>,<filespec> |
| VERSIONMAX | 0-32767 | <node>,<filespec> |
Ensure that DECnotes conference files are protected within the limits set by the security policy.
| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | Access is narrower than permitted by policy |
| ABSOLUTHI | Access is wider than permitted by policy |
| NOSYSOWNER | File is owned by a system UIC in violation of policy |
| PERCENTLO | Fewer users can access than permitted by policy |
| PERCENTHI | More users can access than permitted by policy |
| SYSOWNER | File is not owned by a system UIC in violation of policy |
| VERSIONMAX | File version number is higher than allowed by policy |
DECnotes conferences have special protection setting requirements in order to remain secure. Although nominally such conferences can be written to by multiple users, the secure method of using DECnotes involves forcing use of the DECnotes server, so that conference files are modified only through the DECnotes software rather than through some other program possibly written for the purpose. Access by other users to DECnotes conferences is done by invoking the DECnotes server image, in accordance with internal DECnotes data regarding which users are allowed access. The DECnotes server runs in an account which has Access Control List entries associated with properly protected DECnotes conference files. The purpose of this test is to ensure that use of the DECnotes server is required in order to write to conferences.

The ABSOLUTLO and ABSOLUTHI tests measure the UIC-based protection mask directly. The PERCENTLO and PERCENTHI tests measure the result of protection (including ACL protection) in terms of the percentage of usernames given access.

Violations for protection-related DISK facility elements are not reported when they concern only the writeability of CD-ROM disks, since the apparent writeability is an illusion.

Default policy: The most restrictive permitted setting allows only users with SYSPRV privilege to Read, Write, Execute, or Delete the conference. The least restrictive permitted setting allows the owner and users with SYSPRV privilege to Read, Write, Execute, or Delete the conference. Notes files are owned by a system UIC. By default, a minimum of 0 percent of users must have access and a maximum of 10 percent of users may have access.

Customizing: Minimum and maximum settings (that is, the least protective and most protective settings) can be set using the same syntax as that used for file protection. See the default settings in the limits table below for examples of the syntax used in these settings. For details, see the VMS documentation set.

Selector: Limits for constraints PERCENTLO and PERCENTHI can take a selector consisting of a VMS file access type: READ, WRITE, EXECUTE, DELETE or CONTROL. If no selector is specified, customization commands apply to all possible selector values.
| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | Any Protection | (S:RW,O,G,W) |
| ABSOLUTHI | Any Protection | (S:RWED,O:RWED,G,W) |
| NOSYSOWNER | FALSE or TRUE | FALSE |
| PERCENTLO | 0-100 | 0 |
| PERCENTHI | 0-100 | 10 |
| SYSOWNER | FALSE or TRUE | TRUE |
| VERSIONMAX | 0-32767 | 0 |
| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | Any Protection | <node>, <filespec> |
| ABSOLUTHI | Any Protection | <node>, <filespec> |
| NOSYSOWNER | FALSE or TRUE | <node>,<filespec> |
| PERCENTLO | 0-100 | <node>, <filespec> |
| PERCENTHI | 0-100 | <node>, <filespec> |
| SYSOWNER | FALSE or TRUE | <node>,<filespec> |
| VERSIONMAX | 0-32767 | <node>,<filespec> |
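The ABSOLUTLO and ABSOLUTHI bounds used by the mail file and DECnotes conference tests above can be evaluated offline against a file's protection mask. The following Python is an added example, not code from the inspection tool itself: it parses protection strings in the VMS (S:RWED,O:RWED,G,W) syntax and, assuming the bounds are compared per category by set inclusion (the page describes only the outcome, not the comparison), reports which constraint a file violates, using the DECnotes defaults from the limits table above and constructed sample files.

```python
CATEGORIES = ("S", "O", "G", "W")   # System, Owner, Group, World
ACCESS = "RWED"                     # Read, Write, Execute, Delete

def parse_protection(spec):
    """Parse '(S:RWED,O:RWED,G,W)' into {category: set of access letters}.
    A category given without ':...' (or absent; an assumption) grants nothing."""
    body = spec.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    prot = {cat: set() for cat in CATEGORIES}
    for item in body.split(","):
        item = item.strip().upper()
        if not item:
            continue
        cat, _, rights = item.partition(":")
        if cat not in CATEGORIES or set(rights) - set(ACCESS):
            raise ValueError(f"bad protection item {item!r} in {spec!r}")
        prot[cat] |= set(rights)
    return prot

def fmt(rights):
    """Render a set of access letters in canonical RWED order."""
    return "".join(r for r in ACCESS if r in rights)

def check_protection(file_prot, absolutlo, absoluthi):
    """Return (constraint, category, access) violations for one file.
    ABSOLUTLO: the file grants less than the minimum the policy requires.
    ABSOLUTHI: the file grants more than the maximum the policy permits.
    Assumption: bounds are compared per category by set inclusion."""
    have, lo, hi = (parse_protection(p) for p in (file_prot, absolutlo, absoluthi))
    violations = []
    for cat in CATEGORIES:
        missing = lo[cat] - have[cat]   # required but not granted
        if missing:
            violations.append(("ABSOLUTLO", cat, fmt(missing)))
        extra = have[cat] - hi[cat]     # granted but not permitted
        if extra:
            violations.append(("ABSOLUTHI", cat, fmt(extra)))
    return violations

if __name__ == "__main__":
    # DECnotes conference defaults from the limits table above.
    LO, HI = "(S:RW,O,G,W)", "(S:RWED,O:RWED,G,W)"
    # Constructed sample conference files, not real system data.
    for name, prot in [("CONF_OK.NOTE", "(S:RWED,O:RWED,G,W)"),
                       ("CONF_WIDE.NOTE", "(S:RWED,O:RWED,G:RW,W:R)"),
                       ("CONF_NARROW.NOTE", "(S:R,O,G,W)")]:
        print(name, prot, check_protection(prot, LO, HI) or "compliant")
```

The same function serves the mail file test by passing its defaults, (S:RW,O:RW,G,W) for both bounds, which makes any group or world access an ABSOLUTHI violation.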
Ensure that the ownership of each disk volume complies with the security policy.
| Constraint | Nature of the violation |
|---|---|
| WRONG | Owner of the disk volume is not the system |
If an individual user is the owner of a disk volume, that user can make it unavailable to other users, which is not the usual arrangement in timesharing systems. On the other hand, the user can make it available to other users to store their data, but the owner of the disk is then the de facto owner of that data, regardless of whether its creators are aware of that. To meet special needs this can be a desirable situation, but the security manager should be aware of it. The purpose of this test is to make sure that the security manager is aware of any disks that have non-system ownership.

Default policy: The owner of every disk volume must be the system.

Customizing: An alternative owner can be specified for any disk volume by setting an exemption. It is also possible to change the standard owner to an account other than the system by changing the limit for this test.

For limits only (not exemptions), the owner matching string [SYSTEM] will also match (as a special case) UICs that are represented as [1,4] (due, for instance, to the absence of a Rights Database (RIGHTSLIST.DAT)).
| Constraint | Value | Default |
|---|---|---|
| WRONG | Any Identifier | [SYSTEM] |
| Constraint | Value | Parameters |
|---|---|---|
| WRONG | Any Identifier | <node>, <volume-name> |