LJK/Security Reference Manual

SECPOLICY

Ensure bit settings in system parameter SECURITY_POLICY conform to policy.

Violation reports

Constraint	Nature of the violation
PROHIBITED	allowed in violation of policy
REQUIRED	prevented in violation of policy

Description

These bits in VMS V6.0 and beyond control overall system security, including whether deviations from C2 evaluated components is allowed.

Default policy DECwindows access is permitted to allow behavior which was allowed under prior versions of VMS, while other items are prohibited. Customizing These tests are primarily of interest to government sites which require running under evaluated software. selector Limits for this test can take a selector indicating a security policy bit:

Table 6-1 Selectors for Security Policy Bits
Selector Name VMS Security Policy Bit Meaning

DPS ALLOW_DISPLAY_POSTSCRIPT allow display postscript extensions

MULTIDECW ALLOW_MULTIPLE_DECW_USERS allow multiple username to connect to DECW$SERVER

TRANSPORTS ALLOW_ALTERNATE_TRANSPORTS allow unevaluated transports

CROSSJOB ALLOW_SPAN_JOB_TREES allow $SIGPRC to span job trees

LOCPROFILE LOCAL_UPDATE allow local profile changes

LOCOBJECT LOCAL_PROFILE allow local object creation

CAPTIVESPAWN ALLOW_CAPTIVE_SPAWN allow SPAWN or LIB$SPAWN in CAPTIVE accounts

COMPRESSMAC COMPRESS_MAC_STRINGS compress MAC category strings (SEVMS)

UPPERCASEINPUT UPPERCASE_INPUT as prior to VMS V7.1

GUARDPASSWORDS GUARD_PASSWORDS ACMEs shall not share

DOIAUTHORIZATION DOI_AUTHORIZATION_ONLY prevent feature mixing

IGNOREEXTAUTH IGNORE_EXTAUTH ignore user-specific EXTAUTH and VMSAUTH restrictions

INTRUSIONSLOCAL INTRUSIONS_ARE_LOCAL consider local intrusions onlywhen set

USEPOSIXUIDGID USE_POSIX_UID_GID perform UID/GID lookup in tcpip proxy database

**Table 6-1 Selectors for Security Policy Bits**
Selector Name	VMS Security Policy Bit	Meaning
DPS	ALLOW_DISPLAY_POSTSCRIPT	allow display postscript extensions
MULTIDECW	ALLOW_MULTIPLE_DECW_USERS	allow multiple username to connect to DECW$SERVER
TRANSPORTS	ALLOW_ALTERNATE_TRANSPORTS	allow unevaluated transports
CROSSJOB	ALLOW_SPAN_JOB_TREES	allow $SIGPRC to span job trees
LOCPROFILE	LOCAL_UPDATE	allow local profile changes
LOCOBJECT	LOCAL_PROFILE	allow local object creation
CAPTIVESPAWN	ALLOW_CAPTIVE_SPAWN	allow SPAWN or LIB$SPAWN in CAPTIVE accounts
COMPRESSMAC	COMPRESS_MAC_STRINGS	compress MAC category strings (SEVMS)
UPPERCASEINPUT	UPPERCASE_INPUT	as prior to VMS V7.1
GUARDPASSWORDS	GUARD_PASSWORDS	ACMEs shall not share
DOIAUTHORIZATION	DOI_AUTHORIZATION_ONLY	prevent feature mixing
IGNOREEXTAUTH	IGNORE_EXTAUTH	ignore user-specific EXTAUTH and VMSAUTH restrictions
INTRUSIONSLOCAL	INTRUSIONS_ARE_LOCAL	consider local intrusions onlywhen set
USEPOSIXUIDGID	USE_POSIX_UID_GID	perform UID/GID lookup in tcpip proxy database

Limits

Constraint	Value	Default
PROHIBITED	FALSE or TRUE	TRUE*
REQUIRED	FALSE or TRUE	FALSE*

* except for DPS, MULTIDECW, TRANSPORTS and GUARDPASSWORDS selectors.

Exemptions

Constraint	Value	Parameters
PROHIBITED	FALSE or TRUE	<node>
REQUIRED	FALSE or TRUE	<node>

Practical considerations The CAPTIVESPAWN bit will be of the most interest to commercial sites.

SECONDARY

Ensure an appropriate percentage of usernames require secondary passwords.

Violation reports

Constraint	Nature of the violation
PERCENTLO	Fewer usernames require secondary passwords than permitted by policy
PERCENTHI	More usernames require secondary passwords than permitted by policy

Description

These tests determine whether an appropriate percentage of usernames require secondary passwords.

Default policy There is no requirement for a particular percentage of usernames to require secondary passwords. Customizing These tests are primarily of interest to sites which have a need for secondary passwords unrelated to VMS privilege levels. When the need is related to VMS privilege levels, use the (UAF,PWDNULL,SECMAXPRIV) test. selector

Limits

Constraint	Value	Default
PERCENTLO	0-100	0
PERCENTHI	0-100	100

Exemptions

Constraint	Value	Parameters
PERCENTLO	0-100	<node>, <device-name>
PERCENTHI	0-100	<node>, <device-name>

Practical considerations The VMS secondary password mechanism is only effective if the primary and secondary passwords are held by different individuals, and that aspect of usage cannot be automatically verified.

SETTIME

Determine whether VMS will delay on boot for the time to be entered.

Violation reports

Constraint	Nature of the violation
PROHIBITED	System parameter SETTIME is 1 in violation of policy
REQUIRED	System parameter SETTIME is 0 in violation of policy

Description

If system parameter SETTIME is 1, VMS will wait for the time to be entered on each boot.

Default policy Prompting on every boot is prohibited. Customizing LJK Software recommends that you leave the limits for these tests at their default value.

If you have particular systems which are supposed to have system parameter SETTIME set to 1, you can add exemptions for those nodes to the PROHIBITED constraint.

A more thorough approach in situations where some nodes must have the system parameter SETTIME set to 1 would be to set both the PROHIBITED and the REQUIRED limits to TRUE and then establish exemptions for all nodes. selector

Limits

Constraint	Value	Default
PROHIBITED	FALSE or TRUE	TRUE
REQUIRED	FALSE or TRUE	FALSE

Exemptions

Constraint	Value	Parameters
PROHIBITED	FALSE or TRUE	<node>
REQUIRED	FALSE or TRUE	<node>

Practical considerations Except for the MicroVAX I and the VAX 11/730, systems which run VMS have built-in time-of-year clocks. With such a clock, system parameter SETTIME should be 0, and the default values for these tests will be sufficient.

While waiting for time to be input on boot is a threat to continuity of service, running with the software clock incorrectly set can lead to improper operation of applications, also an undesirable condition.

STARTUP

See if the list of system startup modules conforms to policy.

Violation reports

Constraint	Nature of the violation
MATCH	Ordered list of Startup modules does not exactly match policy
MUSTHAVE	Set of Startup modules does not include one required by policy
MUSTLACK	Set of Startup modules includes one prohibited by policy
NOMORETHAN	Set of Startup modules includes more than those permitted by policy
NOTJUST	Set of Startup modules does not include any beyond set declared inadequate by by policy

Description

The tests within this element determine whether the list of system startup modules conforms to policy. Test (VMS, STARTUP, MATCH) treats the names of Startup modules as an ordered list in a specific order, while the other tests treat the names of Startup modules as a set in no particular order.

Default policy There are no requirements regarding startup modules. Customizing Modify these constraints for any required or forbidden startup modules being enabled via MCR SYSMAN STARTUP commands. selector

Limits

Constraint	Value	Default
MATCH	0-511 characters	none
MUSTHAVE	0-510 characters	none
MUSTLACK	0-510 characters	none
NOMORETHAN	0-510 characters	none
NOTJUST	0-510 characters	none

Exemptions

Constraint	Value	Parameters
MATCH	0-511 characters	<node>
MUSTHAVE	0-510 characters	<node>
MUSTLACK	0-510 characters	<node>
NOMORETHAN	0-510 characters	<node>
NOTJUST	0-510 characters	<node>

Practical considerations This element is useful for assessing multiple distinct nodes that are alleged to be configured the same.

SYSTEMLGI

Ensure that ability to log into the SYSTEM account conforms to policy.

Violation reports

Constraint	Nature of the violation
PROHIBITED	allowed in violation of policy
REQUIRED	prevented in violation of policy

Description

For reasons of accountability it is generally best to allow username SYSTEM to log in only via Batch. System administrative tasks are then performed in privileged accounts which can be traced to individuals.

Default policy Username SYSTEM is required to be able to log in for batch and prohibited all other login methods. Customizing Exemptions for individual nodes are generally better than an organization-wide relaxation of limits, so that over time nodes can be converted back one-by-one. selector Limits for this test can take a selector consisting of a login type: LOCAL, DIALUP, REMOTE, NETWORK or BATCH.

Thus, each can be set once for each possible login type. If you do not specify a selector when changing limits, your change applies to all login types.

Note

The availability of separate selector values for LOCAL and DIALUP should not be taken as a suggestion that the DIALUP indication associated with terminals be trusted to accurately represent whether or not a dialup line is actually in use. It is provided, however, for sites which use the DIALUP indication to denote some aspect of a terminal which can be determined with certainty, such as whether or not a given terminal connection is via an X.25 circuit.

Limits

Constraint	Value	Default
PROHIBITED	FALSE or TRUE	TRUE*
REQUIRED	FALSE or TRUE	FALSE*

* except for BATCH selection.

Exemptions

Constraint	Value	Parameters
PROHIBITED	FALSE or TRUE	<node>
REQUIRED	FALSE or TRUE	<node>

Practical considerations In certain failure modes, such as the absence of an authorization file or a denial-of-service attack via breakin evasion, the username SYSTEM is uniquely allowed to log in from the system console. This special capability of username SYSTEM indicates it should be available to system managers, while general accountability goals indicate that system managers should each use their own separate usernames.

The best resolution of this conundrum is to implement the equivalent of a "break the glass" fire alarm, with a generated password for the SYSTEM username stored inside a tamper-evident container physically bolted inside the protected computer room. Covering such a container with video surveillance would be ideal.

SYSUAF

Determine the location of the user authorization file.

Violation reports

Constraint	Nature of the violation
LOCATION	File is in an improper location

Description

Putting the system authorization file in a non-default location can be a valuable administrative tool, particularly in clusters. If this is done in an uncoordinated fashion, however, authorization changes might be made to the wrong file.

Default policy The default location is SYS$COMMON:[SYSEXE]SYSUAF.DAT;, which is the VMS default. Customizing Since alternate locations will be on a system-specific basis, you should leave the limit at its default value and use per-system exemptions to permit deviations. The expression of values should be phrased based on canonical mount logical names if the files are not in SYS$COMMON.

A limit or exemption with a value of the null string means there is no value which is considered unacceptable. selector

Limits

Constraint	Value	Default
LOCATION	Any filespec	SYS$COMMON:[SYSEXE]SYSUAF.DAT;

Exemptions

Constraint	Value	Parameters
LOCATION	Any filespec	<node>

Practical considerations If particular systems have varying locations for the authorization file, you can nullify this test through the use of wildcards in the value.

Note that system parameter UAFALT can be used to affect the filespec which is used.

The test (VMS, SYSUAF, LOCATION) is an older special-purpose test. Starting with LJK/Security V3.0 the more general test (DISK, CHECKPROT, LOCATION) can be used for multiple files.

TIME

See if the relative times of master and tributary nodes conforms to policy.

Violation reports

Constraint	Nature of the violation
OFFSET	Time offset between tributary and master node does not conform to policy

Description

The test within this element determines whether the time offset between the master and tributary nodes conforms to policy.

Default policy Time offset must be less than 15 seconds. Customizing A common use is to check synchronization between tributary nodes covered by a single assessment. The fact that the comparison is against the master node is just an artifact of implementation. selector

Limits

Constraint	Value	Default
OFFSET	signed offset with deviation	-0-00:00:00.00/0-00:00:15.00

Exemptions

Constraint	Value	Parameters
OFFSET	signed offset with deviation	<node>

Practical considerations The value for the OFFSET constraint may require periodic adjustment if some of the tributary nodes change their times due to Daylight Savings Time, British Summer Time and the like.

Comparison across the network only works over DECnet because that is when LJK/Security has direct control.

TIMEPROMPT

Determine interval VMS will delay on boot for time to be entered.

Violation reports

Constraint	Nature of the violation
ABSOLUTLO	System parameter TIMEPROMPTWAIT is lower than allowed by policy
ABSOLUTHI	System parameter TIMEPROMPTWAIT is higher than allowed by policy

Description

If system parameter SETTIME is 1, VMS will prompt for the time on each boot. The length of time VMS will wait for time to be input is set by system parameter TIMEPROMPTWAIT, which is monitored by these tests. (These tests are not performed, however, if system parameter SETTIME is 0).
Values for TIMEPROMPTWAIT from 1 to 32768 specify that a single prompt should be issued with a wait of the specified number of seconds. After that wait, if no response has been received, the system boots using the time of the last system boot.
Values from 32768 through 65535 indicate that prompting is to be repeated indefinitely until a response is given.
The VMS parameter TIMEPROMPTWAIT has no effect if there is a time-of-year clock containing a valid time when the system is booted.

Default policy The default limits are both set to the VMS default value for system parameter TIMEPROMPTWAIT. Customizing If you have VMS systems which have system parameter SETTIME set to 1, and have a non-standard interval specified in system parameter TIMEPROMPTWAIT, you will have to alter these limits or establish exemptions for the affected nodes.

A limit or exemption with a value of zero means there is no value which is considered unacceptable. selector

Limits

Constraint	Value	Default
ABSOLUTLO	0---n	65535
ABSOLUTHI	0---n	65535

Exemptions

Constraint	Value	Parameters
ABSOLUTLO	0---n	<node>
ABSOLUTHI	0---n	<node>

Practical considerations Except for the MicroVAX I and the VAX 11/730, VAX processors have built-in time-of-year clocks. With a clock, test (VMS, SETTIME, PROHIBITED) can be set to TRUE, and this test can be ignored.

While an overly long delay on boot is a threat to continuity of service, running with the software clock incorrectly set can lead to improper application operation, also an undesirable condition.

TRIBUTARY

Ensure an appropriate number of tributary nodes are tested in this assessment.

Violation reports

Constraint	Nature of the violation
PERCENTLO	Fewer nodes in the assessment than permitted by policy
PERCENTHI	More nodes in the assessment than permitted by policy

Description

These tests measure against requirements that security assessment be centralized.

Default policy There is no requirement for a particular number of tributary nodes. Customizing These tests are primarily of interest to sites which have a requirement that security assessment be centralized. selector

Limits

Constraint	Value	Default
PERCENTLO	0-100	0
PERCENTHI	0-100	100

Exemptions

Constraint	Value	Parameters
PERCENTLO	0-100	<node>, <device-name>
PERCENTHI	0-100	<node>, <device-name>

Practical considerations These tests are not helpful on specialized assessments done to investigate particular tributaries.

Contents

Index