Determine whether auditing for events requested by access control list entries conforms to policy.
| Constraint | Nature of the violation |
|---|---|
| ALPROHIBIT | ACL security alarms are enabled in violation of policy |
| ALREQUIRE | ACL security alarms are disabled in violation of policy |
| AUPROHIBIT | ACL security audits are enabled in violation of policy |
| AUREQUIRE | ACL security audits are disabled in violation of policy |
Use of the qualifier /ENABLE=ACL with the SET AUDIT/ALARM or SET AUDIT/AUDIT command causes the corresponding reporting when any user has requested it. Users make that request by placing a Security Alarm Access Control Entry in the Access Control List of some object (file, global section, etc.).
Default policy
Enabling of ACL security alarms and audits is neither prohibited nor required.
Customizing
Set limits TRUE to establish a general prohibition of or requirement for the enabling of ACL security auditing. Then establish exemptions for any individual nodes which are not to be subjected to the general rule.
Selector
| Constraint | Value | Default |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE or TRUE | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE, TRUE or TRY | FALSE |
| Constraint | Value | Parameters |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE or TRUE | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE, TRUE or TRY | <node> |
Enabling ACL security audits gives individual users the power to consume unlimited disk space in the audit logs, but typically does not cause extra work for the security officer.
Determine whether operator settings and responsiveness conform to policy.
| Constraint | Nature of the violation |
|---|---|
| REPORT | No operator terminal is enabled in violation of policy |
| RESPONSE | No operator for the specified class responded, violating policy |
Use of the qualifier /ENABLE or /ENABLE=(keyword,...) with the REPLY command enables a terminal for operator interaction for one or more of the 24 operator classes.
Default policy
Enabling of terminals for operator interaction is not required.
Customizing
Set limit REPORT to TRUE for the selectors corresponding to the types of operator messages your policy requires to be received. For those selectors on which you also wish to test operator responsiveness, set limit RESPONSE to the maximum number of seconds allowed for a response.
Tests for this element determine, in a slightly invasive manner, whether any terminal is enabled for selected operator classes and whether operator responses are received within an acceptable time interval.
For the REPORT constraint, "ignore this message" text is sent to the relevant operator. This test will report if the OPCOM process is not set up to send those messages to operators. The test (AUDIT, ALARM, REPORT) is quite similar to the test (VMS, OPCOM, REQUIRED) with the following differences:
- test (AUDIT, ALARM, REPORT) uses a supported VMS interface
- test (VMS, OPCOM, REQUIRED) does not send any message to an operator
When using test (AUDIT, ALARM, REPORT) one should choose a selector corresponding to an operator class not in use at the local site.
For the RESPONSE constraint, text is sent to the operator designated by the selector and an operator response is required. A response from the target operator shows:
- at least one terminal is enabled for the target operator class
- an operator with a terminal enabled was present to respond to the message
If limit REPORT is set to FALSE, no testing for limit RESPONSE is performed, since no response is possible for a type of operator message that is not enabled at any terminal.
Selector
Limits for this element can take a selector consisting of an operator message type: CENTRAL, PRINTER, TAPES, DISKS, DEVICES, CARDS, NETWORK, CLUSTER, SECURITY, LICENSE, USER1, USER2, USER3, USER4, USER5, USER6, USER7, USER8, USER9, USER10, USER11, USER12.
Thus, each limit can be set once for each possible operator message type. If you do not specify a selector when changing limits, your change applies to all operator message types.
Of the operator message types listed above, the REPLY and SOFTWARE types are not documented (as late as VMS Version 8.3) and by default are not enabled (by REPLY/ENABLE command) or disabled (by the REPLY/DISABLE command).
Of the operator message types listed above, the LICENSE type is not documented (as late as VMS Version 8.3) but by default is enabled (by REPLY/ENABLE command) and disabled (by the REPLY/DISABLE command).
| Constraint | Value | Default |
|---|---|---|
| REPORT | FALSE or TRUE | FALSE |
| RESPONSE | 0 to n | 0 |
| Constraint | Value | Parameters |
|---|---|---|
| REPORT | FALSE or TRUE | <node> |
| RESPONSE | 0 to n | <node> |
If one wanted to use test (AUDIT, ALARM, RESPONSE) in support of certain external rule sets (such as NIST 800-53 control AU-5(2)) that are aimed at security functions, it is better to specify only the SECURITY selector, providing a single message to which the SECURITY operator must respond, rather than multiple messages to which 24 separate operator responses are required.
Determine whether use of an additional audit file destination conforms to policy.
| Constraint | Nature of the violation |
|---|---|
| ALPROHIBIT | Security alarms are archived in violation of policy |
| ALREQUIRE | Security alarms are not archived in violation of policy |
| AUPROHIBIT | Security audits are archived in violation of policy |
| AUREQUIRE | Security audits are not archived in violation of policy |
| FLUSH | Audit archive flush interval exceeds policy maximum |
| LOCATION | Audit archive file is in an improper location |
The SET AUDIT/ARCHIVE command can be used to establish a secondary audit log file, such as one on a different node. Tests in this element determine whether those settings conform to policy.
Default policy
Use of an additional audit log file is neither prohibited nor required. The flush interval is not tested.
Customizing
Set the A* limits (ALPROHIBIT, ALREQUIRE, AUPROHIBIT, AUREQUIRE) TRUE to establish a general prohibition of or requirement for writing records to an additional audit file.
Set limit FLUSH to specify the maximum interval allowed for flushing those records to the additional (archive) audit file.
Set limit LOCATION to specify the proper location for the additional audit file.
Selector
| Constraint | Value | Default |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE, TRUE or TRY | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE, TRUE or TRY | FALSE |
| FLUSH | delta-time | +00:00:00.00 |
| LOCATION | Any filespec | * |
| Constraint | Value | Parameters |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE, TRUE or TRY | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE, TRUE or TRY | <node> |
| FLUSH | delta-time | <node> |
| LOCATION | Any filespec | <node> |
Determine whether enabling of alarms or audits for ill-formed audit events conforms to policy.
| Constraint | Nature of the violation |
|---|---|
| ALPROHIBIT | Ill-formed audit security alarms are enabled in violation of policy |
| ALREQUIRE | Ill-formed audit security alarms are disabled in violation of policy |
| AUPROHIBIT | Ill-formed audit security audits are enabled in violation of policy |
| AUREQUIRE | Ill-formed audit security audits are disabled in violation of policy |
Use of the qualifier /ENABLE=AUDIT=ILLFORMED with the SET AUDIT/ALARM or SET AUDIT/AUDIT command causes the corresponding reporting when an ill-formed call to cause an audit is made by an internal VMS component.
Default policy
Enabling of Ill-formed audit security alarms and audits is neither prohibited nor required.
Customizing
Set limits TRUE to establish a general prohibition of or requirement for the enabling of Ill-formed audit security alarms or audits. Then establish exemptions for any individual nodes which are not to be subjected to the general rule.
Selector
| Constraint | Value | Default |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE, TRUE or TRY | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE, TRUE or TRY | FALSE |
| Constraint | Value | Parameters |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE, TRUE or TRY | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE, TRUE or TRY | <node> |
Determine whether auditing for events resulting from the SET AUDIT command conforms to policy.
| Constraint | Nature of the violation |
|---|---|
| ALPROHIBIT | Audit security alarms are enabled in violation of policy |
| ALREQUIRE | Audit security alarms are disabled in violation of policy |
| AUPROHIBIT | Audit security audits are enabled in violation of policy |
| AUREQUIRE | Audit security audits are disabled in violation of policy |
Use of the qualifier /ENABLE=AUDIT with the SET AUDIT/ALARM or SET AUDIT/AUDIT command causes the corresponding reporting when the SET AUDIT command is used.
Default policy
Enabling of Audit security alarms and audits is required.
Customizing
Set limit ALREQUIRE FALSE to remove the requirement for the enabling of Audit security alarms.
Set limit ALPROHIBIT TRUE to prohibit the enabling of Audit security alarms on versions of VMS prior to V6.0. On VMS V6.0 and later there is no way to disable the auditing of the SET AUDIT command. If you are running mixed versions of VMS and want to prohibit the auditing of SET AUDIT on whatever versions where it is possible, set limit AUPROHIBIT to the value TRY.
Selector
| Constraint | Value | Default |
|---|---|---|
| ALPROHIBIT | FALSE, TRUE or TRY | FALSE |
| ALREQUIRE | FALSE or TRUE | TRUE |
| AUPROHIBIT | FALSE, TRUE or TRY | FALSE |
| AUREQUIRE | FALSE, TRUE or TRY | TRUE |
| Constraint | Value | Parameters |
|---|---|---|
| ALPROHIBIT | FALSE, TRUE or TRY | <node> |
| ALREQUIRE | FALSE or TRUE | <node> |
| AUPROHIBIT | FALSE, TRUE or TRY | <node> |
| AUREQUIRE | FALSE, TRUE or TRY | <node> |
Determine whether enabling of alarms or audits for authentication events conforms to policy.
| Constraint | Nature of the violation |
|---|---|
| ALPROHIBIT | Authentication security alarms are enabled in violation of policy |
| ALREQUIRE | Authentication security alarms are disabled in violation of policy |
| AUPROHIBIT | Authentication security audits are enabled in violation of policy |
| AUREQUIRE | Authentication security audits are disabled in violation of policy |
The corresponding auditing is not supported as of VMS V7.3.
Default policy
Enabling of Authentication security alarms and audits is neither prohibited nor required.
Customizing
Set limits TRUE to establish a general prohibition of or requirement for the enabling of Authentication security alarms or audits. Then establish exemptions for any individual nodes which are not to be subjected to the general rule.
Selector
| Constraint | Value | Default |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE, TRUE or TRY | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE, TRUE or TRY | FALSE |
| Constraint | Value | Parameters |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE, TRUE or TRY | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE, TRUE or TRY | <node> |
Determine whether auditing for user authorization changes conforms to policy.
| Constraint | Nature of the violation |
|---|---|
| ALPROHIBIT | Authorize security alarms are enabled in violation of policy |
| ALREQUIRE | Authorize security alarms are disabled in violation of policy |
| AUPROHIBIT | Authorize security audits are enabled in violation of policy |
| AUREQUIRE | Authorize security audits are disabled in violation of policy |
Use of the qualifier /ENABLE=AUTHORIZATION with the SET AUDIT/ALARM or SET AUDIT/AUDIT command causes the corresponding reporting when standard utilities such as LOGIN, AUTHORIZE and SET PASSWORD are used to change authorization information.
Default policy
Enabling of Authorize security alarms is neither prohibited nor required.
Enabling of Authorize security audits is required.
Customizing
Set limits TRUE to establish a general prohibition of or requirement for the enabling of Authorize security auditing. Then establish exemptions for any individual nodes which are not to be subjected to the general rule.
Selector
| Constraint | Value | Default |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE or TRUE | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE, TRUE or TRY | TRY |
| Constraint | Value | Parameters |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE or TRUE | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE, TRUE or TRY | <node> |
For authorization security events, using audits rather than alarms is more practical for most situations.
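The ALPROHIBIT / ALREQUIRE / AUPROHIBIT / AUREQUIRE limits used by the ACL, ill-formed audit, SET AUDIT, authentication and authorization elements above all follow the same pattern: a general limit, per-node exemptions through the <node> selector, and the TRY value for settings that cannot be changed on every VMS version. The following evaluator is an added example, not code from the original page or from the policy tool it documents; node names and observed SET AUDIT state are constructed, and reading TRY as "enforce only where the setting can actually be changed" is an assumption generalised from the SET AUDIT description.

```python
# Constructed observed state per node: event classes with alarms/audits enabled,
# and classes whose auditing that node's VMS version cannot disable ("fixed").
OBSERVED = {
    "NODEA": {"alarms": {"ACL", "AUDIT", "AUTHORIZATION"},
              "audits": {"AUDIT", "AUTHORIZATION"}, "fixed": {"AUDIT"}},
    "NODEB": {"alarms": {"AUDIT"}, "audits": {"AUDIT"}, "fixed": set()},
}

# Policy: general limit under "*", per-node overrides (the <node> selector)
# under the node name. Values are FALSE (not tested), TRUE, or "TRY".
POLICY = {
    ("ACL", "ALPROHIBIT"): {"*": True, "NODEB": False},   # NODEB is exempted
    ("AUDIT", "AUPROHIBIT"): {"*": "TRY"},                 # mixed VMS versions
    ("AUTHORIZATION", "AUREQUIRE"): {"*": True},
    ("AUTHORIZATION", "ALREQUIRE"): {"*": False},          # not tested
}

# Names as they appear in the "Nature of the violation" tables above.
DISPLAY = {"ACL": "ACL", "AUDIT": "Audit", "AUTHORIZATION": "Authorize"}
VIOLATION = {
    "ALPROHIBIT": "{} security alarms are enabled in violation of policy",
    "ALREQUIRE": "{} security alarms are disabled in violation of policy",
    "AUPROHIBIT": "{} security audits are enabled in violation of policy",
    "AUREQUIRE": "{} security audits are disabled in violation of policy",
}


def check_node(node, state, policy=POLICY):
    """Return (node, constraint, message) for every limit this node violates."""
    found = []
    for (event, constraint), limits in policy.items():
        value = limits.get(node, limits.get("*", False))  # node override wins
        if value is False:
            continue                                      # constraint not tested
        if value == "TRY" and event in state["fixed"]:
            continue                                      # cannot be changed here
        kind = "alarms" if constraint.startswith("AL") else "audits"
        enabled = event in state[kind]
        # PROHIBIT is violated when enabled, REQUIRE when disabled.
        if enabled == constraint.endswith("PROHIBIT"):
            found.append((node, constraint,
                          VIOLATION[constraint].format(DISPLAY[event])))
    return found


def check_cluster(observed=OBSERVED, policy=POLICY):
    """Evaluate every node and return all violations found."""
    return [v for node, state in observed.items()
            for v in check_node(node, state, policy)]
```

Running check_cluster() reports the ACL alarms on NODEA, while NODEA's SET AUDIT auditing is skipped under TRY because it cannot be disabled there.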