LJK/Security Reference Manual
CLASSPROT
Determine whether mandatory access control enabling conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | System parameter CLASS_PROT is 1 in violation of policy |
| REQUIRED | System parameter CLASS_PROT is 0 in violation of policy |
Description
System parameter CLASS_PROT enables the optional SEVMS software (if
it has been installed).
Default policy
CLASS_PROT is neither prohibited nor required.
Customizing
If only some of your nodes use SEVMS, set both limits to TRUE and use exemptions as appropriate.
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
If SEVMS is installed on certain nodes, use of DECnet by LJK/Security might be impractical, depending on the exact manner in which classifications are established.
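
The CLASSPROT customization (both limits TRUE plus per-node exemptions), worked through as an added example that is not LJK/Security code: a node without an exemption is reported whichever value CLASS_PROT has, so every node needs an explicit decision. The node names, and the rule that an exemption's value replaces the limit for the named node only, are assumptions.

```python
# Added illustration, not LJK/Security code. Assumption: an exemption's value
# replaces the limit for the named node only.
LIMITS = {"PROHIBITED": True, "REQUIRED": True}  # "set both limits to TRUE"

# Constructed exemptions, keyed by (constraint, node); node names are made up.
EXEMPTIONS = {
    ("PROHIBITED", "SEVMS1"): False,  # SEVMS node: CLASS_PROT = 1 is allowed
    ("REQUIRED", "PLAIN1"): False,    # non-SEVMS node: CLASS_PROT = 0 is allowed
}

def effective(constraint, node):
    """Limit in force on a node after any exemption is applied."""
    return EXEMPTIONS.get((constraint, node), LIMITS[constraint])

def check_class_prot(node, value):
    """Return the violation reports for one node's CLASS_PROT value (0 or 1)."""
    reports = []
    if value == 1 and effective("PROHIBITED", node):
        reports.append("System parameter CLASS_PROT is 1 in violation of policy")
    if value == 0 and effective("REQUIRED", node):
        reports.append("System parameter CLASS_PROT is 0 in violation of policy")
    return reports

def audit(observed):
    """Map each node to its reports, keeping only nodes with violations."""
    results = {node: check_class_prot(node, value) for node, value in observed.items()}
    return {node: reports for node, reports in results.items() if reports}

if __name__ == "__main__":
    # Constructed observations: NEWNOD has no exemption, so it is reported
    # whichever value it has, which forces an explicit per-node decision.
    for node, reports in audit({"SEVMS1": 1, "PLAIN1": 0, "NEWNOD": 0}).items():
        print(node, reports)
```
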
CLUSTER
See if cluster membership conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Cluster membership is enabled in violation of policy |
| REQUIRED | Cluster membership is disabled in violation of policy |
Description
The tests within this element determine whether cluster membership conforms to policy.
Default policy
Cluster membership is neither required nor prohibited.
Customizing
Manipulate limits and constraints to match your organization's plan.
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
There are many other reliability measures required to get the benefit of VMS Clusters. Constraint REQUIRED might just validate the presence of a single-node cluster!
CONVBOOT
Determine whether interactive boot of cluster satellite node is allowed.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Interactive booting is enabled in violation of policy |
| REQUIRED | Interactive booting is disabled in violation of policy |
Description
Preventing interactive booting removes one of the easier mechanisms
that can be used to gain privileged cluster access through physical
access to a work station. To prevent it
under VMS 5.0 or later versions, set the system
parameter NISCS_CONV_BOOT to 0. Under earlier versions (4.7 or lower),
the system parameter PE3 should be set to 0. This test checks on that
setting.
Default policy
Interactive boots of satellite nodes are prohibited.
Customizing
Set PROHIBITED and REQUIRED both to FALSE in order to ignore the value of PE3 or NISCS_CONV_BOOT and leave this security consideration entirely up to the local cluster administrators.
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | TRUE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
Although it is possible to require that interactive booting be available on all machines, it is difficult to imagine a situation where that would be useful. Thus, setting REQUIRED to TRUE for all systems might be inappropriate.
CRDENABLE
Determine whether ECC memory error reporting conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | System parameter CRDENABLE is 1 in violation of policy |
| REQUIRED | System parameter CRDENABLE is 0 in violation of policy |
Description
System parameter CRDENABLE controls whether ECC memory error
corrections are
reported. (Uncorrectable errors are always reported.)
Default policy
Reporting ECC corrections is required.
Customizing
Modify your policy if your organization takes the view that ECC corrections are not indicators of possible future uncorrectable errors.
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
For systems with only parity memory such as the MicroVAX II, system parameter CRDENABLE does not matter, but LJK/Security runs the test anyway.
Reporting of ECC memory errors is in the system error log. There is no protection against denial of service unless the error log is examined regularly, so be sure that you have someone do so.
DEFPRI
Determine whether default process priority conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | System parameter DEFPRI is lower than policy allows. |
| ABSOLUTHI | System parameter DEFPRI is higher than policy allows. |
Description
System parameter DEFPRI controls the default priority of detached
processes by running images other than LOGINOUT.
Default policy
Low and high limits are both set to the VMS default of 4.
Customizing
Customization should be done with exemptions to keep most systems at the default.
Limits
| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | 0-31 | 4 |
| ABSOLUTHI | 0-31 | 4 |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | 0-31 | <node> |
| ABSOLUTHI | 0-31 | <node> |
Practical considerations
Raising system parameter DEFPRI can deny service to interactive users in favor of detached jobs.
DEFQUEPRI
Determine whether default queue priority conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | System parameter DEFQUEPRI is lower than policy allows. |
| ABSOLUTHI | System parameter DEFQUEPRI is higher than policy allows. |
Description
System parameter DEFQUEPRI controls the default priority of
entries added to print or batch queues.
Default policy
Low and high limits are both set to the VMS default of 100.
Customizing
This parameter is generally only significant for relative denial-of-service considerations in a VAXcluster or VMScluster with queues shared between nodes.
Limits
| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | 0-255 | 100 |
| ABSOLUTHI | 0-255 | 100 |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | 0-255 | <node> |
| ABSOLUTHI | 0-255 | <node> |
Practical considerations
Default queue priority concerns only the order in which jobs are processed. It does not affect the process priority at which jobs execute once they start.
DUMPBUG
Determine whether saving of crash dumps on disk conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | System parameter DUMPBUG is 1 in violation of policy. |
| REQUIRED | System parameter DUMPBUG is 0 in violation of policy. |
Description
System parameter DUMPBUG controls whether memory contents are
written to disk in the event of a crash.
Default policy
Dumps must be written to disk (REQUIRED).
Customizing
Most organizations will want to leave the limits set to require dumps and establish exemptions for special cases such as test/development systems that crash frequently due to driver debugging.
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
Regardless of the setting of parameter DUMPBUG, dumps will not be saved to disk if there is insufficient space available in the existing dump or page file.
Under VMS Version 5.x, it is possible to set the system parameter DUMPSTYLE so that only the "relevant" portion of memory is saved to disk when disk space is limited.
If you choose not to require crash dumps, you will not be able to determine the cause of the crash. If you do require the crash dumps, you can determine the cause of the crash by using the ANALYZE/CRASH command.
DUMPSTYLE
Determine whether method of writing crash dumps on disk conforms to
policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBIT0 | System parameter DUMPSTYLE is 0 in violation of policy. |
| REQUIRE0 | System parameter DUMPSTYLE is not 0 in violation of policy. |
| PROHIBIT1 | System parameter DUMPSTYLE is 1 in violation of policy. |
| REQUIRE1 | System parameter DUMPSTYLE is not 1 in violation of policy. |
Description
System parameter DUMPSTYLE controls how much information from memory is
written to disk in the event of a system crash. Possible values of this
system parameter are:
- 0 - The entire contents of physical memory are written to disk.
- 1 - Selected portions of physical memory are written to disk as
permitted by available space in the dump file.
System parameter DUMPSTYLE is only available on VMS V5.0 or greater.
Default policy
No particular dump style is either required or prohibited.
Customizing
Requiring a DUMPSTYLE value of 0 ensures that the maximum amount of information will be available for analyzing the cause of system failures. Requiring a DUMPSTYLE value of 1 can lead to a decrease in the amount of sensitive process information stored in crash dumps.
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBIT0 | FALSE, TRUE or TRY | FALSE |
| REQUIRE0 | FALSE or TRUE | FALSE |
| PROHIBIT1 | FALSE or TRUE | FALSE |
| REQUIRE1 | FALSE, TRUE or TRY | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBIT0 | FALSE, TRUE or TRY | <node> |
| REQUIRE0 | FALSE or TRUE | <node> |
| PROHIBIT1 | FALSE or TRUE | <node> |
| REQUIRE1 | FALSE, TRUE or TRY | <node> |
Practical considerations
Tests in this element only deal with the method used to write any crash dumps. Whether or not crash dumps will be written at all is tested by element VMS_DUMPBUG.
FILEPROT
Ensure system-wide default file protection conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | System parameter RMS_FILEPROT specifies narrower access than permitted by policy |
| ABSOLUTHI | System parameter RMS_FILEPROT specifies wider access than permitted by policy |
Description
System parameter RMS_FILEPROT controls the default protection used when
new
files are created.
Default policy
(VMS, FILEPROT, ABSOLUTLO) gives access only to system, without giving delete access to system. (VMS, FILEPROT, ABSOLUTHI) matches the VMS default.
Customizing
Making (VMS, FILEPROT, ABSOLUTLO) more permissive would make certain standard VMS file protections cause violations.
Limits
| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | Any Protection | (S:RWED,O,G,W) |
| ABSOLUTHI | Any Protection | (S:RWED,O:RWED,G:RE,W) |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | Any Protection | <node> |
| ABSOLUTHI | Any Protection | <node> |
Practical considerations
System parameter RMS_FILEPROT affects only the system-wide default. End users can set a different per-process default file protection, and can change the protection of files they create after the fact. When new versions are created for existing files, the protection of the previous version is used.
Some programs (e.g., Backup and DBMS) create files with protections determined by separate schemes, rather than using the default protection.
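
One way to express the FILEPROT "narrower" and "wider" tests, as an added example that is not LJK/Security code: each protection is parsed into per-category access sets and compared against the two limits listed in the Limits table. Judging the limits per category by set inclusion is an assumption about how the comparison is made, and the function names are hypothetical.

```python
# Added illustration, not LJK/Security code. Assumption: "narrower" and "wider"
# are judged per category (System, Owner, Group, World) by set inclusion.
CATEGORIES = "SOGW"
ACCESS = "RWED"

def parse_protection(text):
    """Parse a protection such as (S:RWED,O:RWED,G:RE,W) into category sets."""
    mask = {c: frozenset() for c in CATEGORIES}
    for field in text.strip().strip("()").split(","):
        name, _, access = field.strip().upper().partition(":")
        if not name or name[0] not in CATEGORIES or not set(access) <= set(ACCESS):
            raise ValueError(f"bad protection field: {field!r}")
        mask[name[0]] = frozenset(access)
    return mask

def _excess(a, b):
    """Per category, the access present in a but absent from b."""
    out = {}
    for c in CATEGORIES:
        extra = "".join(x for x in ACCESS if x in a[c] - b[c])
        if extra:
            out[c] = extra
    return out

def check_fileprot(current, lo="(S:RWED,O,G,W)", hi="(S:RWED,O:RWED,G:RE,W)"):
    """Return [(constraint, {category: offending access})] for RMS_FILEPROT."""
    cur, low, high = (parse_protection(p) for p in (current, lo, hi))
    reports = []
    missing = _excess(low, cur)   # access ABSOLUTLO grants that current lacks
    extra = _excess(cur, high)    # access current grants beyond ABSOLUTHI
    if missing:
        reports.append(("ABSOLUTLO", missing))
    if extra:
        reports.append(("ABSOLUTHI", extra))
    return reports

if __name__ == "__main__":
    # Constructed sample values for the system-wide default protection.
    for sample in ("(S:RWED,O:RWED,G:RE,W)", "(S:RWED,O:RWED,G:RE,W:RE)", "(S:RE,O:RWED,G,W)"):
        print(sample, check_fileprot(sample))
```
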
LGIBRKLIM
Determine whether the number of failures allowed before breakin evasion
conforms
to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | Failures permitted before breakin evasion are fewer than policy allows. |
| ABSOLUTHI | Failures permitted before breakin evasion are more than policy allows. |
Description
System parameter LGI_BRK_LIM is the prominent control over "number of
tries"
for breakin detection.
Default policy
The low and high limits are both set to the VMS default of 3.
Customizing
In most organizations, policy for these tests will be the same across all nodes, so customization will be done by modifying limits rather than creating exemptions.
A limit or exemption with a value of zero means there is no value which is considered unacceptable.
Limits
| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | 0-n | 3 |
| ABSOLUTHI | 0-n | 3 |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | 0-n | <node> |
| ABSOLUTHI | 0-n | <node> |
Practical considerations
Setting LGI_BRK_LIM too low can lead to user resentment and hostility, as well as increased requirements for support of end users.
LGIBRKTERM
Determine whether decisions regarding association of terminals for breakin detection conform to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | System parameter LGI_BRK_TERM is 1 in violation of policy |
| REQUIRED | System parameter LGI_BRK_TERM is 0 in violation of policy |
Description
System parameter LGI_BRK_TERM governs whether a username and terminal name are both associated with login failures for the purpose of detecting breakin attempts. Associating them means that breakin evasion is separately tracked by username-terminal pair, so that an attacker at one terminal cannot cause a denial of service to a legitimate user at another terminal by mounting attacks against that username.
Association works against breakin detection, however, in cases where attempts from a single physical terminal would be seen as coming from various sources by VMS, such as with many Ethernet interconnection schemes, external port selectors or data PBXs, and even some telephone hunt group arrangements.
Likewise, association might be undesirable in some cases where unattended public terminal rooms have many terminals located together. In that case, an attacker could switch to a new terminal for successive attempts to avoid breakin detection if association was enabled.
Default policy
Association is neither prohibited nor required.
Customizing
Require this to ensure association. Prohibit this to ensure no association. Since the choice of whether to associate is largely based on the nature of terminal interface and data communications hardware in use, setting both limits to TRUE and then adding exemptions is generally the preferred method of customizing.
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
Effective with VMS V5.0, the breakin evasion data structures that are maintained by VMS are supposed to include information on LAT terminal server identification and port numbers, so if the use of the LAT protocol was the only reason for avoiding association, your policy can be modified as nodes upgrade to VMS V5.0.
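
The two trade-offs described for LGI_BRK_TERM, modelled as an added example that is neither VMS nor LJK/Security code: failures are counted per username-terminal pair when association is on and per username when it is off. The username, terminal names and failure logs are constructed, and the model assumes a key is flagged once its count reaches LGI_BRK_LIM, with no time window.

```python
from collections import Counter

# Added illustration, not VMS or LJK/Security code. Simplifying assumptions:
# a key is flagged once its failure count reaches LGI_BRK_LIM, and failures
# never age out (the time window is ignored).

def tracking_key(user, terminal, brk_term):
    """LGI_BRK_TERM = 1 tracks username-terminal pairs; 0 tracks usernames."""
    return (user, terminal) if brk_term else (user, None)

def flagged(failures, brk_lim=3, brk_term=1):
    """Return the tracking keys whose login failures reached brk_lim."""
    counts = Counter(tracking_key(u, t, brk_term) for u, t in failures)
    return {key for key, n in counts.items() if n >= brk_lim}

def is_evaded(failures, user, terminal, brk_lim=3, brk_term=1):
    """Would a login by this user at this terminal meet breakin evasion?"""
    return tracking_key(user, terminal, brk_term) in flagged(failures, brk_lim, brk_term)

# Constructed failure logs as (username, terminal) pairs.
ONE_TERMINAL = [("SMITH", "TTA1")] * 4                    # repeated failures at TTA1
ROTATING = [("SMITH", f"TTA{n}") for n in (1, 2, 3, 4)]   # one failure per terminal

if __name__ == "__main__":
    for brk_term in (1, 0):
        print("LGI_BRK_TERM =", brk_term)
        # Is the legitimate SMITH at TTA2 locked out by the failures at TTA1?
        print("  SMITH at TTA2 evaded:",
              is_evaded(ONE_TERMINAL, "SMITH", "TTA2", brk_term=brk_term))
        # Are the failures spread over a terminal room ever detected?
        print("  terminal-room failures flagged:",
              sorted(flagged(ROTATING, brk_term=brk_term), key=str))
```
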
LGIBRKTMO
Determine whether time added to breakin evasion monitoring period
conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | Breakin Evasion added time is shorter than policy allows. |
| ABSOLUTHI | Breakin Evasion added time is longer than policy allows. |
Description
System parameter LGI_BRK_TMO specifies a time period that is added
to an intruder or suspect's expiration time with each login failure. If
that suspect becomes an intruder, the total expiration time must expire
before a successful login is possible.
Default policy
The low and high limits are both set to the VMS default of 300.
Customizing
Add exemptions or modify limits in your policy if you want to permit deviations from the VMS default.