LJK/Security Reference Manual
SYSEXE
Ensure system program images are valid.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| CHECKSUM | Image in system directory not checksummed in violation of policy |
Description

Exemptions within the (DISK, CHECKSUM) element specify checksum values for particular files on disk. The test for the CHECKSUM constraint within this facility determines whether such an exemption has been established for all files in the SYS$SYSROOT:[*...] tree with a file type of .EXE.

Default policy

Checksums of images in the SYS$SYSROOT:[*...] tree are required.

Customizing

Setting the (DISK, SYSEXE, CHECKSUM) limit TRUE is appropriate for most environments, since upgrading to a new version of a layered product should be done in a controlled fashion.
Limits

| Constraint | Value | Default |
|---|---|---|
| CHECKSUM | FALSE or TRUE | TRUE |

Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| CHECKSUM | FALSE or TRUE | <node>, <filespec> |

Practical considerations

After upgrading layered products, checksums in the policy should be adjusted as soon as possible to match the new values.
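The following is an added example, not code from the manual or from LJK, showing the shape of the CHECKSUM test: walk a directory tree standing in for SYS$SYSROOT:[*...], find every .EXE image, and report each one that has no checksum exemption in the policy. It also reports an image whose current checksum no longer matches the recorded value, which is the situation the practical consideration above describes after a layered-product upgrade. The manual does not say which checksum algorithm the exemption values use, so SHA-256 is assumed; the node name, file names and directory layout are constructed.

```python
import hashlib
import os
import tempfile

# Assumption: the manual does not state which checksum algorithm the CHECKSUM
# exemption values use; SHA-256 stands in for it here.
def image_checksum(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_images(root, file_type=".exe"):
    """Walk the tree under root (stand-in for SYS$SYSROOT:[*...]) and return
    the relative paths of files with the given file type, sorted."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(file_type):
                found.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(found)

def check_sysexe(root, node, exemptions):
    """Apply the (DISK, SYSEXE, CHECKSUM) test to one node.

    exemptions maps (node, filespec) to the checksum value recorded in the
    policy. An image with no exemption is reported as not checksummed; an
    image whose current checksum differs from the policy value is also
    reported, which is what adjusting checksums after an upgrade implies.
    Returns a list of (filespec, message) pairs, one per violation."""
    violations = []
    for filespec in find_images(root):
        expected = exemptions.get((node, filespec))
        if expected is None:
            violations.append((filespec, "CHECKSUM: image not checksummed in policy"))
            continue
        actual = image_checksum(os.path.join(root, filespec))
        if actual != expected:
            violations.append((filespec, "CHECKSUM: image checksum differs from policy value"))
    return violations

def demo():
    """Constructed sample: three images under a throwaway tree, two of them
    covered by exemptions, one of those with a stale checksum value."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "SYSEXE"))
        images = {
            "SYSEXE/IMAGE_A.EXE": b"constructed image contents A",
            "SYSEXE/IMAGE_B.EXE": b"constructed image contents B",
            "SYSEXE/IMAGE_C.EXE": b"constructed image contents C",
        }
        for filespec, data in images.items():
            with open(os.path.join(root, filespec), "wb") as f:
                f.write(data)
        node = "NODE1"   # constructed node name
        exemptions = {
            (node, "SYSEXE/IMAGE_A.EXE"): image_checksum(os.path.join(root, "SYSEXE/IMAGE_A.EXE")),
            # stale value left behind by a layered-product upgrade
            (node, "SYSEXE/IMAGE_B.EXE"): "0" * 64,
        }
        return check_sysexe(root, node, exemptions)

if __name__ == "__main__":
    for filespec, message in demo():
        print(f"{filespec}: {message}")
```

Running the block prints one line for IMAGE_B (checksum differs) and one for IMAGE_C (no exemption); IMAGE_A passes. Keeping the mismatch and the missing-exemption cases as distinct messages makes the post-upgrade cleanup easy to see in a report.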
SYSEXEPROT
Ensure that protections on files with type .EXE in SYS$COMMON:[*] fall
within the restrictions set by policy.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | Access is narrower than permitted by policy |
| ABSOLUTHI | Access is wider than permitted by policy |
| NOSYSOWNER | File is owned by a system UIC in violation of policy |
| PERCENTLO | Fewer users can access than permitted by policy |
| PERCENTHI | More users can access than permitted by policy |
| SYSOWNER | File is not owned by a system UIC in violation of policy |
| VERSIONMAX | File version number is higher than allowed by policy |
Description

If a file's protection setting is not restrictive enough, unauthorized users will be able to read, write, execute, or delete the file in question. If the setting is too restrictive, users generally find a less acceptable way of sharing information to get their job done. Typically, they share their password or make an unauthorized copy of the file somewhere else.

The purpose of this test is to ensure that file protection settings are within the limits set by the security manager.

The ABSOLUTLO and ABSOLUTHI tests measure the UIC-based protection mask directly. The PERCENTLO and PERCENTHI tests measure the result of protection (including ACL protection) in terms of the percentage of usernames given access.

Violations of protection-related DISK facility elements that concern only the writeability of CDROM disks are not reported, since the apparent writeability is just an illusion.

Default policy

Files have a system owner. The file protection setting must allow at least the system to read, write, access, and delete the file. By default, the weakest acceptable file setting allows the system and owner to read, write, execute, and delete the file, and also allows other users in the owner's UIC group and the world to read and execute the file.

By default, a minimum of 0 percent of users must have access and a maximum of 100 percent of users may have READ and EXECUTE access, with a maximum of 1 percent having WRITE, EXECUTE and DELETE access.

Customizing

Limits for constraints ABSOLUTLO and ABSOLUTHI take the same form as a standard VMS file protection setting. The syntax for this is explained in some detail in VMS documentation. The default settings shown in the limits table below are good examples of how to specify which class of users is allowed which type of access. These are the codes involved:
- S=System account (or users with the SYSPRV privilege)
- O=Owner of the file
- G=Group (i.e., other users in the same UIC group as the owner)
- W=World (i.e., all other users)
- R=Read
- W=Write
- E=Execute
- D=Delete

selector

Limits for constraints PERCENTLO and PERCENTHI can take a selector consisting of a VMS file access type: READ, WRITE, EXECUTE, DELETE or CONTROL. If no selector is specified, customization commands apply to all possible selector values.
Limits

| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | Any Protection | (S:RWED,O,G,W) |
| ABSOLUTHI | Any Protection | (S:RWED,O:RWED,G:RE,W:RE) |
| NOSYSOWNER | FALSE or TRUE | FALSE |
| PERCENTLO | 0-100 | 0 |
| PERCENTHI | 0-100 | R:100,W:1,E:100,D:1,C:1 |
| SYSOWNER | FALSE or TRUE | TRUE |
| VERSIONMAX | 0-32767 | 0 |

Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | Any Protection | <node>, <filespec> |
| ABSOLUTHI | Any Protection | <node>, <filespec> |
| NOSYSOWNER | FALSE or TRUE | <node>, <filespec> |
| PERCENTLO | 0-100 | <node>, <filespec> |
| PERCENTHI | 0-100 | <node>, <filespec> |
| SYSOWNER | FALSE or TRUE | <node>, <filespec> |
| VERSIONMAX | 0-32767 | <node>, <filespec> |
Practical considerations

Files of type .EXE in SYS$COMMON:[*] are typically protected to allow execution by users. Some of them, particularly those provided by DEC, also allow Read access by individual users.
TWOPRODUCT
Ensure that products from conflicting categories are not running in the
same environment.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| NOTASSESS | Conflicting products on the nodes of a single assessment |
| NOTCLUSTER | Conflicting products on the nodes of a single cluster |
| NOTNODE | Conflicting products on a single node |
Description

Some organizations have rules against running two different classes of software in the same environment. These are exemption-driven tests to detect violations of such rules.

Each exemption string is divided into three strings by the backslash character "\":
- class of product
- common name of software
- system logical name indicating software is running

A violation is reported if software from more than one class is running in the same environment (assessment, cluster or node).

Default policy

By default (USAGE,TWOPRODUCT,*) tests are not enabled.

Customizing

(DISK,TWOPRODUCT,*) tests are driven by exemptions; the limits are ignored.
Limits

| Constraint | Value | Default |
|---|---|---|
| NOTASSESS | FALSE or TRUE | FALSE |
| NOTCLUSTER | FALSE or TRUE | FALSE |
| NOTNODE | FALSE or TRUE | FALSE |

Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| NOTASSESS | FALSE or TRUE | <node>,<class-of-product>\<common-name>\<logical-name> |
| NOTCLUSTER | FALSE or TRUE | <node>,<class-of-product>\<common-name>\<logical-name> |
| NOTNODE | FALSE or TRUE | <node>,<class-of-product>\<common-name>\<logical-name> |
Practical considerations
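The following is an added example, not code from the manual or from LJK, of how the exemption-driven TWOPRODUCT tests fit together: each exemption string is split at its backslashes into class of product, common name and logical name; a product counts as running on a node when its logical name is defined there; and a violation is raised for any scope (node, cluster, assessment) in which more than one product class is running. The node names, cluster membership, product classes and logical names are all constructed, and the way nodes are grouped into a cluster and an assessment (plain dictionaries) is an assumption of this example rather than anything the manual specifies.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ProductRule:
    node: str
    product_class: str
    common_name: str
    logical_name: str

def parse_exemption(text):
    r"""Parse '<node>,<class-of-product>\<common-name>\<logical-name>' into a ProductRule."""
    node, sep, rest = text.partition(",")
    if not sep:
        raise ValueError(f"missing node separator in {text!r}")
    parts = rest.split("\\")
    if len(parts) != 3:
        raise ValueError(f"expected three backslash-separated strings in {text!r}")
    return ProductRule(node.strip().upper(), *(p.strip() for p in parts))

def running_products(rules, defined_logicals):
    """defined_logicals: {node: set of logical names defined on that node}
    (constructed stand-in for querying each node's logical name tables).
    A product counts as running on a node when its logical name is defined there.
    Returns {node: {product class: {common names}}}."""
    running = defaultdict(lambda: defaultdict(set))
    for rule in rules:
        defined = {name.upper() for name in defined_logicals.get(rule.node, ())}
        if rule.logical_name.upper() in defined:
            running[rule.node][rule.product_class.upper()].add(rule.common_name)
    return running

def classes_in_scope(running, nodes):
    """Collect the product classes (and their products) running on any of the nodes."""
    classes = defaultdict(set)
    for node in nodes:
        for product_class, names in running.get(node, {}).items():
            classes[product_class] |= names
    return classes

def check_twoproduct(rules, defined_logicals, clusters):
    """clusters: {cluster name: [member nodes]}; the assessment is taken to be
    every node in defined_logicals. Returns (constraint, scope, sorted classes)."""
    running = running_products(rules, defined_logicals)
    violations = []
    for node in sorted(running):                       # NOTNODE
        classes = classes_in_scope(running, [node])
        if len(classes) > 1:
            violations.append(("NOTNODE", node, sorted(classes)))
    for cluster, nodes in sorted(clusters.items()):    # NOTCLUSTER
        classes = classes_in_scope(running, nodes)
        if len(classes) > 1:
            violations.append(("NOTCLUSTER", cluster, sorted(classes)))
    classes = classes_in_scope(running, defined_logicals)   # NOTASSESS
    if len(classes) > 1:
        violations.append(("NOTASSESS", "assessment", sorted(classes)))
    return violations

def demo():
    """Constructed exemptions and environment: NODE1 runs both classes,
    CLUSTER_A mixes them across NODE1 and NODE2, and the whole assessment does too."""
    rules = [parse_exemption(s) for s in (
        r"NODE1,PRODUCTION\Payroll\PAYROLL_ROOT",
        r"NODE1,DEVELOPMENT\Compiler kit\DEVKIT_ROOT",
        r"NODE2,DEVELOPMENT\Compiler kit\DEVKIT_ROOT",
        r"NODE3,PRODUCTION\Payroll\PAYROLL_ROOT",
    )]
    defined_logicals = {
        "NODE1": {"PAYROLL_ROOT", "DEVKIT_ROOT"},
        "NODE2": {"DEVKIT_ROOT"},
        "NODE3": {"PAYROLL_ROOT"},
    }
    clusters = {"CLUSTER_A": ["NODE1", "NODE2"], "CLUSTER_B": ["NODE3"]}
    return check_twoproduct(rules, defined_logicals, clusters)

if __name__ == "__main__":
    for constraint, scope, classes in demo():
        print(f"{constraint}: {scope} runs {', '.join(classes)}")
```

Because the product list comes entirely from the exemption strings, an environment with no exemptions for an element can never produce a violation, which matches the manual's statement that these tests are exemption-driven.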
6.6 QUEUE tests
Tests in the QUEUE facility deal with print and batch
queues.
Exemptions are based on node name and
queue name or job name.
ACLIDENT
Ensure that identifier types used in access control lists conform to
policy.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| NOGENERAL | General identifier used in violation of policy |
| NOSYSTEM | System-defined identifier used in violation of policy |
| NOUIC | UIC identifier used in violation of policy |
Description

Use of UIC identifiers directly in access control lists leads to problems if user responsibilities are changed, since control of the access they have been granted is distributed throughout the system. The purpose of this test is to ensure that identifiers used in Identifier Access Control Entries are of acceptable types.

Note
Support for access control lists on queues was introduced with VMS V6.0, so the tests of this element will always succeed on earlier versions of VMS.

Default policy

Identifiers in ACLs must not be UIC identifiers.

Customizing

The options of prohibiting General and System identifiers are provided for flexibility, but are not useful in most circumstances. The main customization which might be desired is to remove the prohibition against the use of UIC identifiers.
Limits

| Constraint | Value | Default |
|---|---|---|
| NOGENERAL | FALSE or TRUE | FALSE |
| NOSYSTEM | FALSE or TRUE | FALSE |
| NOUIC | FALSE or TRUE | TRUE |

Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| NOGENERAL | FALSE or TRUE | <node>, <queue-name> |
| NOSYSTEM | FALSE or TRUE | <node>, <queue-name> |
| NOUIC | FALSE or TRUE | <node>, <queue-name> |
Practical considerations

In cases where existing use of UIC identifiers is pervasive, temporary customization might be required.
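The following is an added example, not code from the manual or from LJK, of the classification the ACLIDENT test performs: each Identifier ACE on a queue's ACL is parsed (commas inside a bracketed UIC must not split the ACE), the identifier is classed as UIC, system-defined or general, and the NOGENERAL/NOSYSTEM/NOUIC limits decide which classes are reported. Bracketed identifiers are always UIC identifiers; a bare name is looked up in a constructed stand-in for the rights database, since the same spelling can be either a UIC identifier or a general identifier there. The set of system-defined identifiers is this example's assumption (the VMS environmental identifiers), as are the queue name and ACL contents.

```python
# Assumption: the VMS environmental identifiers are what "system-defined
# identifier" is taken to mean for the NOSYSTEM test in this example.
SYSTEM_IDENTIFIERS = {"BATCH", "DIALUP", "INTERACTIVE", "LOCAL", "NETWORK", "REMOTE"}

def split_ace_fields(ace):
    """Split '(IDENTIFIER=[200,13],ACCESS=READ+WRITE)' on the commas that are
    not inside a bracketed UIC, returning the KEY=VALUE fields."""
    body = ace.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    fields, current, depth = [], [], 0
    for ch in body:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            fields.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    if current:
        fields.append("".join(current).strip())
    return fields

def identifier_type(name, rights_db):
    """UIC if written in brackets or recorded as a UIC identifier in the
    rights database; SYSTEM if it is an environmental identifier; else GENERAL."""
    n = name.upper()
    if n.startswith("[") and n.endswith("]"):
        return "UIC"
    if n in SYSTEM_IDENTIFIERS:
        return "SYSTEM"
    return rights_db.get(n, "GENERAL")

def check_aclident(queue, acl, rights_db, limits):
    """limits: {'NOGENERAL': bool, 'NOSYSTEM': bool, 'NOUIC': bool}.
    Only Identifier ACEs are examined. Returns (constraint, queue, identifier)
    for each ACE whose identifier type the limits prohibit."""
    violations = []
    for ace in acl:
        fields = {}
        for field in split_ace_fields(ace):
            key, sep, value = field.partition("=")
            if sep:
                fields[key.strip().upper()] = value.strip()
        ident = fields.get("IDENTIFIER")
        if ident is None:
            continue
        constraint = "NO" + identifier_type(ident, rights_db)
        if limits.get(constraint):
            violations.append((constraint, queue, ident))
    return violations

def demo():
    """Constructed queue ACL checked against the manual's default limits
    (only NOUIC is TRUE)."""
    rights_db = {"SMITH": "UIC", "PAYROLL_USERS": "GENERAL"}   # constructed rights database
    acl = [
        "(IDENTIFIER=[200,13],ACCESS=READ+SUBMIT)",
        "(IDENTIFIER=SMITH,ACCESS=READ+SUBMIT+MANAGE)",
        "(IDENTIFIER=PAYROLL_USERS,ACCESS=READ+SUBMIT)",
        "(IDENTIFIER=BATCH,ACCESS=NONE)",
    ]
    limits = {"NOGENERAL": False, "NOSYSTEM": False, "NOUIC": True}
    return check_aclident("PRINT_Q1", acl, rights_db, limits)

if __name__ == "__main__":
    for constraint, queue, ident in demo():
        print(f"{constraint}: queue {queue} grants access to UIC identifier {ident}")
```

With the default limits the two UIC-identifier ACEs ([200,13] and SMITH) are reported and the general and system identifiers pass; flipping NOGENERAL to TRUE would additionally report PAYROLL_USERS.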
MANAGER
Ensure that use of the queue manager conforms to policy.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Queue Manager is running in violation of policy |
| REQUIRED | Queue Manager is not running in violation of policy |
Description

This element supports tests regarding whether the queue manager is running.

Default policy

The Queue Manager must be running.

Customizing

Preventing use of the Queue Manager considerably restricts the ability to run reliable assured backups. Consider protecting queues as an alternative.
Limits

| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |

Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations

Most installations run the Queue Manager.
MARKING
Ensure that use of print queue marking conforms to policy.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Output execution queue outputs a description in violation of policy |
| REQUIRED | Output execution queue does not output a description in violation of policy |
| CONTAINS | Output execution queue description does not include text required by policy |
Description

This element supports tests regarding whether print jobs include descriptions specified by the print command /NOTE= qualifier.

Note
Support for the /NOTE= qualifier on print jobs was introduced with VMS V6.0, so the test (QUEUE, MARKING, CONTAINS) will always fail on earlier versions of VMS.

Default policy

Print queue marking is not required.

Customizing

Use this element to verify that output markings restricting distribution of printouts are configured.

Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE, TRUE or TRY | FALSE |
| CONTAINS | text | null string |

Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>, <queue-name> |
| REQUIRED | FALSE, TRUE or TRY | <node>, <queue-name> |
| CONTAINS | text | <node>, <queue-name> |
Practical considerations

This element pertains to user-specified markings that cannot be forced by managerial controls.
OWNER
Ensure that ownership of queues conforms to policy.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| WRONG | Queue owner is not as specified |
Description

If an individual user account gains ownership of a queue, it can be used to interfere with services to other users.

The purpose of this test is to ensure that the proper owner retains ownership of QUEUEs that are not in use. This test checks the ownership of any QUEUE not currently in use and reports any instance in which the owner is not the proper owner.

For limits only (not exemptions), an owner matching string of [SYSTEM] will match (as a special case) against UICs which are represented as [1,4] (due, for instance, to absence of a Rights Database (RIGHTSLIST.DAT)).

Default policy

Every queue must be owned by the system.

Customizing

An alternative owner can be specified for any QUEUE by setting an exemption. It is also possible to change the standard owner to be some account other than the system, by changing the limit for this test.
Limits

| Constraint | Value | Default |
|---|---|---|
| WRONG | Identifier | [SYSTEM] |

Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| WRONG | Identifier | <node>, <queue-name> |
Practical considerations

QUEUE ownership and protection must be considered jointly.
PROTECTION
Ensure that each QUEUE's protection setting meets the minimum setting
defined by policy.
Violation reports

| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | Access is narrower than permitted by policy |
| ABSOLUTHI | Access is wider than permitted by policy |
| NOSYSOWNER | Queue is owned by a system UIC in violation of policy |
| PERCENTLO | Fewer users can access than permitted by policy |
| PERCENTHI | More users can access than permitted by policy |
| SYSOWNER | Queue is not owned by a system UIC in violation of policy |
Description

Under VMS, a protection setting can be applied to a queue in the same way that it can be applied to files. This allows a given user (or group of users) to have exclusive access to a given disk, for example. Conversely, it can be set to keep a QUEUE open for access by all users, or to limit them to read access.

The purpose of this test is to ensure that the protection settings for QUEUEs remain at the levels established by policy.

The ABSOLUTLO and ABSOLUTHI tests measure the UIC-based protection mask directly. The PERCENTLO and PERCENTHI tests measure the result of protection (including ACL protection) in terms of the percentage of usernames given access.

Default policy

Queues have a system owner. The most permissive protection allowed for a queue gives 100 percent of the users Read and Submit access, but only 10 percent of the users more powerful access.

Customizing

The default limit values for these tests leave queue protection "wide open", so changes should be made to obtain any value from this test.

selector

Limits for constraints PERCENTLO and PERCENTHI can take a selector consisting of a VMS QUEUE access type: READ, WRITE, LOGICAL, PHYSICAL or CONTROL. If no selector is specified, customization commands apply to all possible selector values.

Limits
| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | Any Protection | (S:M,O:D,G:R,W:S) |
| ABSOLUTHI | Any Protection | (S:RSMD,O:RSMD,G:RSMD,W:RSMD) |
| NOSYSOWNER | FALSE or TRUE | FALSE |
| PERCENTLO | 0-100 | 0 |
| PERCENTHI | 0-100 | R:100,S:100,M:10,D:10,C:10 |
| SYSOWNER | FALSE or TRUE | TRUE |

Exemptions

| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | Any Protection | <node>, <queue-name> |
| ABSOLUTHI | Any Protection | <node>, <queue-name> |
| NOSYSOWNER | FALSE or TRUE | <node>, <queue-name> |
| PERCENTLO | 0-100 | <node>, <queue-name> |
| PERCENTHI | 0-100 | <node>, <queue-name> |
| SYSOWNER | FALSE or TRUE | <node>, <queue-name> |
Practical considerations

Private queue ownership is a powerful mechanism to allow project operators without giving full OPER privilege.
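The ABSOLUTLO and ABSOLUTHI tests described for this element and for the SYSEXEPROT element above both compare a UIC-based protection mask against a low and a high limit written in VMS protection syntax. The following is an added example, not code from the manual or from LJK, that parses that syntax (a bare category such as O in (S:RWED,O,G,W) grants nothing), then reports ABSOLUTLO when the actual mask grants less than the low limit and ABSOLUTHI when it grants more than the high limit. It goes slightly beyond the text by taking the access alphabet as a parameter, so the same checker serves files (RWED) and queues (RSMD, the letters in this element's default limits); the sample protections checked in demo() are constructed, and the limits are the defaults quoted in the two Limits tables.

```python
# Access codes: files use R/W/E/D, queues R/S/M/D (Read, Submit, Manage, Delete),
# as in the default limits quoted in the manual.
FILE_ACCESS = "RWED"
QUEUE_ACCESS = "RSMD"
CATEGORIES = ("S", "O", "G", "W")   # System, Owner, Group, World

def parse_protection(text, alphabet=FILE_ACCESS):
    """Parse '(S:RWED,O:RWED,G:RE,W:RE)' or '(S:RWED,O,G,W)' (a bare category
    grants no access) into {category: set of access letters}."""
    body = text.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    mask = {c: set() for c in CATEGORIES}
    seen = set()
    for field in body.split(","):
        field = field.strip().upper()
        if not field:
            continue
        category, _, access = field.partition(":")
        if category not in CATEGORIES or category in seen:
            raise ValueError(f"bad or repeated category {category!r} in {text!r}")
        unknown = set(access) - set(alphabet)
        if unknown:
            raise ValueError(f"unknown access code(s) {sorted(unknown)} in {text!r}")
        seen.add(category)
        mask[category] = set(access)
    return mask

def format_protection(mask, alphabet=FILE_ACCESS):
    """Inverse of parse_protection, letters in the alphabet's canonical order."""
    parts = []
    for c in CATEGORIES:
        letters = "".join(a for a in alphabet if a in mask[c])
        parts.append(f"{c}:{letters}" if letters else c)
    return "(" + ",".join(parts) + ")"

def check_absolute(actual, absolutlo, absoluthi, alphabet=FILE_ACCESS):
    """ABSOLUTLO: the actual mask must grant at least what the low limit grants,
    otherwise access is narrower than policy permits.
    ABSOLUTHI: the actual mask must grant no more than the high limit grants,
    otherwise access is wider than policy permits.
    Returns (constraint, category, offending letters) per violation."""
    a = parse_protection(actual, alphabet)
    lo = parse_protection(absolutlo, alphabet)
    hi = parse_protection(absoluthi, alphabet)
    violations = []
    for c in CATEGORIES:
        missing = lo[c] - a[c]
        if missing:
            violations.append(("ABSOLUTLO", c, "".join(x for x in alphabet if x in missing)))
        extra = a[c] - hi[c]
        if extra:
            violations.append(("ABSOLUTHI", c, "".join(x for x in alphabet if x in extra)))
    return violations

# Default limits quoted in the manual's Limits tables.
FILE_LO, FILE_HI = "(S:RWED,O,G,W)", "(S:RWED,O:RWED,G:RE,W:RE)"
QUEUE_LO, QUEUE_HI = "(S:M,O:D,G:R,W:S)", "(S:RSMD,O:RSMD,G:RSMD,W:RSMD)"

def demo():
    """Constructed sample protections checked against the manual's defaults."""
    return {
        "exe_ok": check_absolute("(S:RWED,O:RWED,G:RE,W:RE)", FILE_LO, FILE_HI),
        "exe_world_writeable": check_absolute("(S:RWED,O:RWED,G:RWED,W:RW)", FILE_LO, FILE_HI),
        "exe_system_locked_out": check_absolute("(S:RE,O:RWED,G,W)", FILE_LO, FILE_HI),
        "queue_ok": check_absolute("(S:RSMD,O:RSMD,G:RS,W:RS)", QUEUE_LO, QUEUE_HI, QUEUE_ACCESS),
    }

if __name__ == "__main__":
    for name, violations in demo().items():
        print(name, violations or "no violations")
```

The "exe_world_writeable" case is the one most worth recognising in a report: it passes ABSOLUTLO (the system category still has full access) and fails only ABSOLUTHI for the Group and World categories, which is exactly the "access is wider than permitted by policy" condition. The parser rejects a queue mask checked with the file alphabet (S and M are not file access codes), so a limit pasted from the wrong table is caught rather than silently misread.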