LJK/Security Reference Manual




BREAKIN

Determine whether auditing for attempted breakins conforms to policy.

Violation reports

Constraint   Nature of the violation
ALPROHIBIT   Breakin security alarms are enabled in violation of policy
ALREQUIRE    Breakin security alarms are disabled in violation of policy
AUPROHIBIT   Breakin security audits are enabled in violation of policy
AUREQUIRE    Breakin security audits are disabled in violation of policy

Description

Use of the qualifier /ENABLE=BREAKIN=(keyword,...) with the SET AUDIT/ALARM or SET AUDIT/AUDIT command causes the corresponding reporting when a breakin attempt is detected. Tests for this element determine whether those audits or alarms are enabled or not.

Default policy

Enabling of Breakin security alarms and audits is required.

Customizing

Set limit ALREQUIRE to be FALSE to remove the general requirement that Breakin security auditing be enabled. Otherwise establish exemptions for any individual nodes which are not to be subjected to the general requirement.

Selector

Limits for this element can take a selector consisting of a VMS process type: DIALUP, LOCAL, REMOTE, NETWORK or DETACHED. Note that BATCH and SUBPROCESS are not applicable to the BREAKIN element.

Thus, each limit can be set once for each possible process type. If you do not specify a selector when changing limits, your change applies to all process types.

Limits

Constraint   Value           Default
ALPROHIBIT   FALSE or TRUE   FALSE
ALREQUIRE    FALSE or TRUE   TRUE
AUPROHIBIT   FALSE or TRUE   FALSE
AUREQUIRE    FALSE or TRUE   TRUE

Exemptions

Constraint   Value           Parameters
ALPROHIBIT   FALSE or TRUE   <node>
ALREQUIRE    FALSE or TRUE   <node>
AUPROHIBIT   FALSE or TRUE   <node>
AUREQUIRE    FALSE or TRUE   <node>

Practical considerations

Since a breakin attempt is composed of a series of login failures which meet threshold criteria set with the LGI_* system parameters, it constitutes a more significant event than individual login failures. Breakin attempts are generally the first priority for security alarms, enabled even on systems which do not otherwise use security alarms.

In general, security events for which alarms are enabled should also have audits enabled.
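
A minimal model of how the BREAKIN limits, per-process-type selectors and per-node exemptions described above could combine into violation reports. It is an added example, not LJK/Security code; the class and method names, the node name, and the rule that an exemption overrides the limit for every process type on its node are assumptions.

```python
# Added model (not LJK/Security code) of BREAKIN limits, selectors and exemptions.
PROCESS_TYPES = ("DIALUP", "LOCAL", "REMOTE", "NETWORK", "DETACHED")
# Defaults from the BREAKIN "Limits" table.
DEFAULTS = {"ALPROHIBIT": False, "ALREQUIRE": True,
            "AUPROHIBIT": False, "AUREQUIRE": True}
# constraint -> (reporting kind, enabled-state that violates, report text)
RULES = {
    "ALPROHIBIT": ("alarm", True, "Breakin security alarms are enabled in violation of policy"),
    "ALREQUIRE": ("alarm", False, "Breakin security alarms are disabled in violation of policy"),
    "AUPROHIBIT": ("audit", True, "Breakin security audits are enabled in violation of policy"),
    "AUREQUIRE": ("audit", False, "Breakin security audits are disabled in violation of policy"),
}


class BreakinPolicy:
    def __init__(self):
        # One limit per (constraint, process type), starting from the defaults.
        self.limits = {(c, p): v for c, v in DEFAULTS.items() for p in PROCESS_TYPES}
        # Assumption: an exemption replaces the limit for one node, all process types.
        self.exemptions = {}

    def set_limit(self, constraint, value, selector=None):
        # Without a selector the change applies to every process type.
        for ptype in ([selector] if selector else PROCESS_TYPES):
            self.limits[(constraint, ptype)] = value

    def exempt(self, constraint, node, value):
        self.exemptions[(constraint, node)] = value

    def check(self, node, alarms, audits):
        """Return violation reports for one node.

        alarms/audits: process types for which BREAKIN alarms/audits are enabled.
        """
        enabled = {"alarm": set(alarms), "audit": set(audits)}
        reports = []
        for ptype in PROCESS_TYPES:
            for constraint, (kind, bad_state, text) in RULES.items():
                limit = self.exemptions.get((constraint, node),
                                            self.limits[(constraint, ptype)])
                if limit and (ptype in enabled[kind]) == bad_state:
                    reports.append((node, constraint, ptype, text))
        return reports


if __name__ == "__main__":
    policy = BreakinPolicy()
    # Constructed sample: node NODEB has NETWORK breakin alarms switched off.
    for report in policy.check("NODEB", {"DIALUP", "LOCAL", "REMOTE", "DETACHED"}, PROCESS_TYPES):
        print(report)
```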


BYPASS

Determine whether auditing for events involving the use of BYPASS privilege conforms to policy.

Violation reports

Constraint   Nature of the violation
ALPROHIBIT   BYPASS security alarms are enabled in violation of policy
ALREQUIRE    BYPASS security alarms are disabled in violation of policy
AUPROHIBIT   BYPASS security audits are enabled in violation of policy
AUREQUIRE    BYPASS security audits are disabled in violation of policy

Description

Use of the qualifiers /CLASS=FILE and /ENABLE=ACCESS=BYPASS=(access,...) with the SET AUDIT/ALARM or SET AUDIT/AUDIT command causes the corresponding reporting when BYPASS privilege is used to obtain the specified type of access to files. Tests for this element determine whether those audits or alarms are enabled or not.

Default policy

Enabling of BYPASS security alarms or audits is neither prohibited nor required.

Customizing

Set limits TRUE to establish a general prohibition of or requirement for the enabling of BYPASS security auditing. Then establish exemptions for any individual nodes which are not to be subjected to the general rule.

Selector

Limits for this element can take a selector consisting of a VMS access type: READ, WRITE, EXECUTE, DELETE or CONTROL. LOGICAL and PHYSICAL access to devices are indicated by EXECUTE and DELETE respectively.

Thus, each limit can be set once for each possible access type. If you do not specify a selector when changing limits, your change applies to all access types.

Limits

Constraint   Value           Default
ALPROHIBIT   FALSE or TRUE   FALSE
ALREQUIRE    FALSE or TRUE   FALSE
AUPROHIBIT   FALSE or TRUE   FALSE
AUREQUIRE    FALSE or TRUE   FALSE

Exemptions

Constraint   Value           Parameters
ALPROHIBIT   FALSE or TRUE   <node>
ALREQUIRE    FALSE or TRUE   <node>
AUPROHIBIT   FALSE or TRUE   <node>
AUREQUIRE    FALSE or TRUE   <node>

Practical considerations

Use of the BYPASS or READALL privilege is required for successful disk volume backups. Enabling these alarms during the time period when full volume backups are done can cause a large number of security alarms to be generated.

BYPASS audits, on the other hand, provide a silent record of the activities of privileged users.


CONNECT

Determine whether enabling of alarms or audits for connection events through DECnet Phase IV, DECwindows, $IPC and SYSMAN conforms to policy.

Violation reports

Constraint   Nature of the violation
ALPROHIBIT   Connection security alarms are enabled in violation of policy
ALREQUIRE    Connection security alarms are disabled in violation of policy
AUPROHIBIT   Connection security audits are enabled in violation of policy
AUREQUIRE    Connection security audits are disabled in violation of policy

Description

Use of the qualifier /ENABLE=CONNECTION with the SET AUDIT/ALARM or SET AUDIT/AUDIT command causes the corresponding reporting when a connection takes place.

Default policy

Enabling of Connection security alarms and audits is neither prohibited nor required.

Customizing

Set limits TRUE to establish a general prohibition of or requirement for the enabling of Connection security alarms or audits. Then establish exemptions for any individual nodes which are not to be subjected to the general rule.

Selector

Limits

Constraint   Value                Default
ALPROHIBIT   FALSE or TRUE        FALSE
ALREQUIRE    FALSE, TRUE or TRY   FALSE
AUPROHIBIT   FALSE or TRUE        FALSE
AUREQUIRE    FALSE, TRUE or TRY   FALSE

Exemptions

Constraint   Value                Parameters
ALPROHIBIT   FALSE or TRUE        <node>
ALREQUIRE    FALSE, TRUE or TRY   <node>
AUPROHIBIT   FALSE or TRUE        <node>
AUREQUIRE    FALSE, TRUE or TRY   <node>

Practical considerations

Enabling this for alarms would be burdensome in most environments.

CSS

Determine whether enabling of alarms or audits for CSS events conforms to policy.

Violation reports

Constraint   Nature of the violation
ALPROHIBIT   CSS security alarms are enabled in violation of policy
ALREQUIRE    CSS security alarms are disabled in violation of policy
AUPROHIBIT   CSS security audits are enabled in violation of policy
AUREQUIRE    CSS security audits are disabled in violation of policy

Description

As of V7.3 VMS does not provide a method to enable auditing or alarms for these events.

Default policy

Enabling of CSS security alarms and audits is neither prohibited nor required.

Customizing

Set limits TRUE to establish a general prohibition of or requirement for the enabling of CSS security alarms or audits. Then establish exemptions for any individual nodes which are not to be subjected to the general rule.

Selector

Limits

Constraint   Value                Default
ALPROHIBIT   FALSE or TRUE        FALSE
ALREQUIRE    FALSE, TRUE or TRY   FALSE
AUPROHIBIT   FALSE or TRUE        FALSE
AUREQUIRE    FALSE, TRUE or TRY   FALSE

Exemptions

Constraint   Value                Parameters
ALPROHIBIT   FALSE or TRUE        <node>
ALREQUIRE    FALSE, TRUE or TRY   <node>
AUPROHIBIT   FALSE or TRUE        <node>
AUREQUIRE    FALSE, TRUE or TRY   <node>

Practical considerations

As of V7.3 VMS does not provide a method to enable auditing or alarms for these events.

CUSTOMER

Determine whether enabling of alarms or audits for customer events conforms to policy.

Violation reports

Constraint   Nature of the violation
ALPROHIBIT   Customer security alarms are enabled in violation of policy
ALREQUIRE    Customer security alarms are disabled in violation of policy
AUPROHIBIT   Customer security audits are enabled in violation of policy
AUREQUIRE    Customer security audits are disabled in violation of policy

Description

As of V7.3 VMS does not provide a method to enable auditing or alarms for these events.

Default policy

Enabling of Customer security alarms and audits is neither prohibited nor required.

Customizing

Set limits TRUE to establish a general prohibition of or requirement for the enabling of Customer security alarms or audits. Then establish exemptions for any individual nodes which are not to be subjected to the general rule.

Selector

Limits

Constraint   Value                Default
ALPROHIBIT   FALSE or TRUE        FALSE
ALREQUIRE    FALSE, TRUE or TRY   FALSE
AUPROHIBIT   FALSE or TRUE        FALSE
AUREQUIRE    FALSE, TRUE or TRY   FALSE

Exemptions

Constraint   Value                Parameters
ALPROHIBIT   FALSE or TRUE        <node>
ALREQUIRE    FALSE, TRUE or TRY   <node>
AUPROHIBIT   FALSE or TRUE        <node>
AUREQUIRE    FALSE, TRUE or TRY   <node>

Practical considerations

As of V7.3 VMS does not provide a method to enable auditing or alarms for these events.

DOWNGRADE

Determine whether auditing for events involving the use of DOWNGRADE privilege conforms to policy.

Violation reports

Constraint   Nature of the violation
ALPROHIBIT   DOWNGRADE security alarms are enabled in violation of policy
ALREQUIRE    DOWNGRADE security alarms are disabled in violation of policy
AUPROHIBIT   DOWNGRADE security audits are enabled in violation of policy
AUREQUIRE    DOWNGRADE security audits are disabled in violation of policy

Description

Use of the qualifiers /CLASS=FILE and /ENABLE=ACCESS=DOWNGRADE=(access,...) with the SET AUDIT/ALARM or SET AUDIT/AUDIT command causes the corresponding reporting when DOWNGRADE privilege is used to obtain the specified type of access to files. Tests for this element determine whether those audits or alarms are enabled or not.

SEVMS required

The (AUDIT, DOWNGRADE, ALREQUIRE) and (AUDIT, DOWNGRADE, AUREQUIRE) tests will never report an error on systems that do not have the CLASS_PROT system parameter enabled. When the CLASS_PROT system parameter is not enabled, audits and alarms for use of the DOWNGRADE privilege cannot be enabled.

If the policy covering a number of systems is to require that the SEVMS product be used, the test (VMS, CLASSPROT, REQUIRED) should be used.

Default policy

Enabling of DOWNGRADE security alarms or audits is neither prohibited nor required.

Customizing

Set limits TRUE to establish a general prohibition of or requirement for the enabling of DOWNGRADE security auditing. Then establish exemptions for any individual nodes which are not to be subjected to the general rule.

Selector

Limits for this element can take a selector consisting of a VMS access type: READ, WRITE, EXECUTE, DELETE or CONTROL. LOGICAL and PHYSICAL access to devices are indicated by EXECUTE and DELETE respectively.

Thus, each limit can be set once for each possible access type. If you do not specify a selector when changing limits, your change applies to all access types.

Limits

Constraint   Value           Default
ALPROHIBIT   FALSE or TRUE   FALSE
ALREQUIRE    FALSE or TRUE   FALSE
AUPROHIBIT   FALSE or TRUE   FALSE
AUREQUIRE    FALSE or TRUE   FALSE

Exemptions

Constraint   Value           Parameters
ALPROHIBIT   FALSE or TRUE   <node>
ALREQUIRE    FALSE or TRUE   <node>
AUPROHIBIT   FALSE or TRUE   <node>
AUREQUIRE    FALSE or TRUE   <node>

Practical considerations

The DOWNGRADE privilege is only relevant to systems running Mandatory Access Controls, as implemented with the SEVMS (Security Enhanced VMS) software available from DEC.

DOWNGRADE audits and alarms may both be quite appropriate in such environments since such activities are rare and worthy of note.


FAILCRASH

Determine whether specification of system crash when security alarms cannot be generated conforms to policy.

Violation reports

Constraint   Nature of the violation
PROHIBITED   Crash on failure is specified in violation of policy
REQUIRED     Crash on failure is not specified in violation of policy

Description

Use of the qualifier /FAILURE_MODE=CRASH with the SET AUDIT command causes the system to crash when security alarms cannot be written to the OPCOM mailbox (only in VMS V5.4 through V5.5).

Default policy

Specification of CRASH as the failure mode is neither prohibited nor required.

Customizing

Set limits TRUE to establish a general prohibition of or requirement for system crash as the failure mode for security alarms. Then establish exemptions for any individual nodes which are not to be subjected to the general rule.

Set limit REQUIRED TRY to establish a requirement for system crash as the failure mode only for those versions of VMS (version 5.4 through 5.5) where such failure modes are supported.

Selector

Limits

Constraint   Value                Default
PROHIBITED   FALSE or TRUE        FALSE
REQUIRED     FALSE, TRUE or TRY   FALSE

Exemptions

Constraint   Value                Parameters
PROHIBITED   FALSE or TRUE        <node>
REQUIRED     FALSE, TRUE or TRY   <node>

Practical considerations

If individual users have sufficient disk quota to exhaust disk space on the volume where OPCOM logs are written, they can force a system crash if CRASH is the failure mode for security alarms.

Likewise, if the amount of disk space available for writing OPCOM logs is small, individual users could force a system crash by maliciously generating a large number of security alarms.

These possibilities for malicious interference increase the importance of ensuring that all usernames established on VMS systems are assigned to known individual users, rather than being shared.

