LJK/Security Reference Manual
IDENT
Determine whether enabling of alarms or audits for use of identifier as
privilege event conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ALPROHIBIT | Identifier security alarms are enabled in violation of policy |
| ALREQUIRE | Identifier security alarms are disabled in violation of policy |
| AUPROHIBIT | Identifier security audits are enabled in violation of policy |
| AUREQUIRE | Identifier security audits are disabled in violation of policy |
Description
Use of the qualifier /ENABLE=IDENTIFIER with the SET AUDIT/ALARM
or SET AUDIT/AUDIT command causes
the corresponding reporting when an identifier is used as privilege in
a call to the $CHECK_PRIVILEGE system service (available in VMS V6.0
and above only).
Default policy
Enabling of Identifier security alarms and audits is
neither prohibited nor required.
Customizing
Set limits to TRUE to establish a general prohibition of or
requirement for the enabling of Identifier security alarms or audits.
Then establish exemptions for any individual nodes
which are not to be subjected to the general rule.
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE, TRUE or TRY | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE, TRUE or TRY | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE, TRUE or TRY | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE, TRUE or TRY | <node> |
Practical considerations
Identifiers are used as privilege, for
instance, in DECnet Plus and in LJK/Security itself.
INSTALL
Determine whether auditing for INSTALL operations conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ALPROHIBIT | INSTALL security alarms are enabled in violation of policy |
| ALREQUIRE | INSTALL security alarms are disabled in violation of policy |
| AUPROHIBIT | INSTALL security audits are enabled in violation of policy |
| AUREQUIRE | INSTALL security audits are disabled in violation of policy |
Description
Use of the qualifier /ENABLE=INSTALL with the SET AUDIT/ALARM
or SET AUDIT/AUDIT command causes
the corresponding reporting when the INSTALL utility is used.
Default policy
Enabling of INSTALL security alarms and audits is
neither prohibited nor required.
Customizing
Set limits to TRUE to establish a general prohibition of or
requirement for the enabling of INSTALL security auditing. Then
establish exemptions for any individual nodes which
are not to be subjected to the general rule.
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE or TRUE | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE, TRUE or TRY | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE or TRUE | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE, TRUE or TRY | <node> |
Practical considerations
A large number of INSTALL operations are
performed as part of system startup and system shutdown. Some sites
choose to disable Install security alarms during startup and shutdown.
That is still consistent with an LJK/Security policy requiring that
Install security alarms be enabled so long as the startup of
LJK/Security during system startup is done after all other uses of the
Install utility. Enabling Install security alarms immediately after
starting LJK/Security will typically be sufficiently quick that any
pending assessment will not yet have tested the Install security alarm
setting.
LOG
Determine whether audit log settings conform to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| FLUSH | Audit log flush interval exceeds policy maximum |
| RETENTION | Audit log retention is less than policy minimum |
| SPACEDAYS | Space available for audit log is less than required for planned number of days |
| SPACEWARN | Warning when percentage of available audit log space consumed is too high |
Description
The command SET AUDIT/INTERVAL=JOURNAL_FLUSH=time specifies
how frequently the audit server will flush audit messages to the audit
log.
Local command procedures control how long older versions of audit logs
are retained on the system.
Local management practices determine how much space is available for
audit logs.
The command SET AUDIT/JOURNAL=SECURITY/THRESHOLD=WARNING=value
specifies when the audit server will warn security operators about a
lack of audit space, based either on a number of records or a
percentage of disk space available.
Tests for this element determine
whether all those settings conform to policy.
Default policy
No particular audit log behavior is required.
Customizing
Set the limits for these
constraints to require particular audit log behavior.
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| FLUSH | delta-time | +00:00:00.00 |
| RETENTION | number-of-days | 0 |
| SPACEDAYS | number-of-days | 0 |
| SPACEWARN | 0-100 | 100 |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| FLUSH | delta-time | <node> |
| RETENTION | number-of-days | <node> |
| SPACEDAYS | number-of-days | <node> |
| SPACEWARN | 0-100 | <node> |
Practical considerations
While the value in the command SET
AUDIT/JOURNAL=SECURITY/THRESHOLD=WARNING=value is expressed in
terms of a block count or a percentage of disk space, the
limit and any exemptions for the
SPACEDAYS constraint are expressed in the number of
days' worth of audit records that can be accommodated in the available
space, based on recent audit record generation rates and audit file
retention policy. This approach is aimed at matching the terminology
used by external requirements such as NIST 800-53 or DoD Instruction
8500.2.
LOGFAIL
Determine whether auditing for failed login attempts conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ALPROHIBIT | Logfail security alarms are enabled in violation of policy |
| ALREQUIRE | Logfail security alarms are disabled in violation of policy |
| AUPROHIBIT | Logfail security audits are enabled in violation of policy |
| AUREQUIRE | Logfail security audits are disabled in violation of policy |
Description
Use of the qualifier /ENABLE=LOGFAIL=(keyword,...) with the SET
AUDIT/ALARM
or SET AUDIT/AUDIT command causes
the corresponding reporting when a
failed login attempt is detected. Tests for this
element determine whether those audits or alarms are
enabled or not.
Default policy
Enabling of Logfail security alarms and audits is
neither prohibited nor required.
Customizing
Set limits to FALSE to establish a general prohibition of or
requirement for the enabling of failed login attempt security alarms.
Then establish exemptions for any individual nodes
which are not to be subjected to the general requirement.
selector
Limits for this element can take a
selector consisting of a VMS process type: BATCH,
DIALUP, LOCAL, REMOTE, NETWORK, SUBPROCESS or DETACHED.
Thus, each limit can be set once for each possible
process type. If you do not specify a selector when
changing limits, your change applies to all process
types.
Limits
| Constraint | Value | Default |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE or TRUE | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE or TRUE | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE or TRUE | <node> |
Practical considerations
For most sites, security alarms in the case of
failed login attempts are not appropriate since they will be triggered
by any password typing error. Repeated login
failures which are part of a concerted attack are generally reported
via the breakin attempt security alarm.
Failed login security alarms are appropriate for high-security
situations where avoiding investigation of false alarms is less
important than catching sophisticated attackers who will wait
sufficiently long after each attempt to avoid triggering the breakin
detection threshold.
Failed login audits are appropriate in most environments,
allowing investigation after an incident.
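The limit, selector and exemption model described for this element can be sketched as follows. This is an added example, not LJK/Security code: the data layout, the function names, the node names and the rule that a node exemption overrides the general limit are assumptions; the violation texts are those from the LOGFAIL violation reports table.

```python
# Added illustration: limits, selectors and node exemptions for LOGFAIL.
# Data layout, function names and node names are assumptions.
PROCESS_TYPES = ("BATCH", "DIALUP", "LOCAL", "REMOTE", "NETWORK",
                 "SUBPROCESS", "DETACHED")

# Violation texts as given in the LOGFAIL violation reports table.
REPORTS = {
    "ALPROHIBIT": "Logfail security alarms are enabled in violation of policy",
    "ALREQUIRE": "Logfail security alarms are disabled in violation of policy",
    "AUPROHIBIT": "Logfail security audits are enabled in violation of policy",
    "AUREQUIRE": "Logfail security audits are disabled in violation of policy",
}

def set_limit(limits, constraint, value, selector=None):
    """Without a selector the change applies to all process types."""
    for ptype in ([selector] if selector else PROCESS_TYPES):
        limits[(constraint, ptype)] = value

def effective(limits, exemptions, node, constraint, ptype):
    """Assumed precedence: a node exemption overrides the general limit."""
    general = limits.get((constraint, ptype), False)  # page default: FALSE
    return exemptions.get((constraint, node), general)

def assess(limits, exemptions, node, alarms, audits):
    """alarms/audits: sets of process types with LOGFAIL reporting enabled."""
    found = []
    for ptype in PROCESS_TYPES:
        for constraint, enabled in (("ALPROHIBIT", ptype in alarms),
                                    ("ALREQUIRE", ptype in alarms),
                                    ("AUPROHIBIT", ptype in audits),
                                    ("AUREQUIRE", ptype in audits)):
            if not effective(limits, exemptions, node, constraint, ptype):
                continue
            violated = enabled if constraint.endswith("PROHIBIT") else not enabled
            if violated:
                found.append((node, ptype, REPORTS[constraint]))
    return found

# Constructed policy: audits required for every process type, alarms
# prohibited for NETWORK logins, one hypothetical node exempt from the
# audit requirement.
limits, exemptions = {}, {("AUREQUIRE", "TESTBX"): False}
set_limit(limits, "AUREQUIRE", True)
set_limit(limits, "ALPROHIBIT", True, selector="NETWORK")
```
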
LOGIN
Determine whether auditing for successful logins conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ALPROHIBIT | Login security alarms are enabled in violation of policy |
| ALREQUIRE | Login security alarms are disabled in violation of policy |
| AUPROHIBIT | Login security audits are enabled in violation of policy |
| AUREQUIRE | Login security audits are disabled in violation of policy |
Description
Use of the qualifier /ENABLE=LOGIN=(keyword,...) with the SET
AUDIT/ALARM
or SET AUDIT/AUDIT command causes
the corresponding reporting when a
successful login is accomplished. Tests for this
element determine whether those audits or alarms are
enabled or not.
Default policy
Enabling of LOGIN security alarms is neither prohibited
nor required.
Enabling of LOGIN security audits is nrequired.
Customizing
Set limits to TRUE to establish a general prohibition of or
requirement for the enabling of ACL security auditing. Then establish
exemptions for any individual nodes which are not to
be subjected to the general requirement.
selector
Limits for this element can take a
selector consisting of a VMS process type: BATCH,
DIALUP, LOCAL, REMOTE, NETWORK, SUBPROCESS or DETACHED.
Thus, each limit can be set once for each possible
process type. If you do not specify a selector when
changing limits, your change applies to all process
types.
Limits
| Constraint | Value | Default |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE or TRUE | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE or TRUE | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE or TRUE | <node> |
Practical considerations
Login security alarms are used in
high-security environments where it is essential that a record be kept
of all logins. In order to guard against the scenario of someone
logging into a privileged account and then destroying the record of
that login, it is essential that security alarms be sent to a
non-erasable medium. Console paper is easiest for most sites, but
requires human search of the output. Write-Once-Read-Many disks allow
for computer-assisted search, but up through VMS V7.3 are not directly
supported for this purpose by the VMS security auditing software.
LOGOUT
Determine whether auditing for logouts conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ALPROHIBIT | Logout security alarms are enabled in violation of policy |
| ALREQUIRE | Logout security alarms are disabled in violation of policy |
| AUPROHIBIT | Logout security audits are enabled in violation of policy |
| AUREQUIRE | Logout security audits are disabled in violation of policy |
Description
Use of the qualifier /ENABLE=LOGOUT=(keyword,...) with the SET
AUDIT/ALARM
or SET AUDIT/AUDIT command causes
the corresponding reporting when a
logout is detected. Tests for this element determine
whether those audits or alarms are enabled or not.
Default policy
Enabling of LOGOUT security alarms is neither prohibited
nor required.
Enabling of LOGOUT security audits is nrequired.
Customizing
Set limits to TRUE to establish a general prohibition of or
requirement for the enabling of logout security auditing. Then
establish exemptions for any individual nodes which
are not to be subjected to the general requirement.
selector
Limits for this element can take a
selector consisting of a VMS process type: BATCH,
DIALUP, LOCAL, REMOTE, NETWORK, SUBPROCESS or DETACHED.
Thus, each limit can be set once for each possible
process type. If you do not specify a selector when
changing limits, your change applies to all process
types.
Limits
| Constraint | Value | Default |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE or TRUE | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE or TRUE | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE or TRUE | <node> |
Practical considerations
Sites which have enabled auditing of
successful logins will generally want to enable auditing of logouts as
well, to establish a window of activity.
LP
Determine whether enabling of alarms or audits for layered product
conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ALPROHIBIT | Layered Product security alarms are enabled in violation of policy |
| ALREQUIRE | Layered Product security alarms are disabled in violation of policy |
| AUPROHIBIT | Layered Product security audits are enabled in violation of policy |
| AUREQUIRE | Layered Product security audits are disabled in violation of policy |
Description
As of V7.3 VMS does not provide a method to enable auditing or alarms
for these events.
Default policy
Enabling of Layered Product security alarms and audits
is neither prohibited nor required.
Customizing
Set limits to TRUE to establish a general prohibition of or
requirement for the enabling of Layered Product security alarms or
audits. Then establish exemptions for any individual
nodes which are not to be subjected to the general rule.
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE, TRUE or TRY | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE, TRUE or TRY | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE, TRUE or TRY | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE, TRUE or TRY | <node> |
Practical considerations
As of V7.3 VMS does not provide a method to
enable auditing or alarms for these events.