LJK/Security Reference Manual




MOUNT

Determine whether auditing for issuance of MOUNT or DISMOUNT requests conforms to policy.

Violation reports

Constraint    Nature of the violation
ALPROHIBIT    MOUNT security alarms are enabled in violation of policy
ALREQUIRE     MOUNT security alarms are disabled in violation of policy
AUPROHIBIT    MOUNT security audits are enabled in violation of policy
AUREQUIRE     MOUNT security audits are disabled in violation of policy

Description

Use of the qualifier /ENABLE=MOUNT with the SET AUDIT/ALARM or SET AUDIT/AUDIT command causes the corresponding reporting when mount or dismount requests are issued.

Default policy

Enabling of MOUNT security alarms and audits is neither prohibited nor required.

Customizing

Set limits TRUE to establish a general prohibition of or requirement for the enabling of MOUNT security auditing. Then establish exemptions for any individual nodes which are not to be subjected to the general rule.

Limits

Constraint    Value                 Default
ALPROHIBIT    FALSE or TRUE         FALSE
ALREQUIRE     FALSE or TRUE         FALSE
AUPROHIBIT    FALSE or TRUE         FALSE
AUREQUIRE     FALSE, TRUE or TRY    FALSE

Exemptions

Constraint    Value                 Parameters
ALPROHIBIT    FALSE or TRUE         <node>
ALREQUIRE     FALSE or TRUE         <node>
AUPROHIBIT    FALSE or TRUE         <node>
AUREQUIRE     FALSE, TRUE or TRY    <node>

Practical considerations

Some sites choose to disable MOUNT security alarms during system startup and system shutdown. Such actions will not be detected by LJK/Security if they are done outside the period when LJK/Security is running.

Note that LJK/Security may issue MOUNT requests in the course of its own operations, causing additional alarms.


NCP

Determine whether enabling of alarms or audits for NCP events conforms to policy.

Violation reports

Constraint    Nature of the violation
ALPROHIBIT    NCP security alarms are enabled in violation of policy
ALREQUIRE     NCP security alarms are disabled in violation of policy
AUPROHIBIT    NCP security audits are enabled in violation of policy
AUREQUIRE     NCP security audits are disabled in violation of policy

Description

Use of the qualifier /ENABLE=NCP with the SET AUDIT/ALARM or SET AUDIT/AUDIT command causes the corresponding reporting when an NCP change takes place.

Default policy

Enabling of NCP security alarms and audits is neither prohibited nor required.

Customizing

Set limits TRUE to establish a general prohibition of or requirement for the enabling of security alarms or audits on access to the network configuration database using the NCP utility. Then establish exemptions for any individual nodes which are not to be subjected to the general rule.

Limits

Constraint    Value                 Default
ALPROHIBIT    FALSE or TRUE         FALSE
ALREQUIRE     FALSE, TRUE or TRY    FALSE
AUPROHIBIT    FALSE or TRUE         FALSE
AUREQUIRE     FALSE, TRUE or TRY    FALSE

Exemptions

Constraint    Value                 Parameters
ALPROHIBIT    FALSE or TRUE         <node>
ALREQUIRE     FALSE, TRUE or TRY    <node>
AUPROHIBIT    FALSE or TRUE         <node>
AUREQUIRE     FALSE, TRUE or TRY    <node>

Practical considerations

Such access can represent a significant change to system configuration, and audits or alarms are appropriate in most settings where security is taken seriously. If DECnet Phase IV is not in use, it might be worthwhile to detect if anyone enables it.

OBJCREATE

Determine whether enabling of alarms or audits for disk file creation events conforms to policy.

Violation reports

Constraint    Nature of the violation
ALPROHIBIT    File creation security alarms are enabled in violation of policy
ALREQUIRE     File creation security alarms are disabled in violation of policy
AUPROHIBIT    File creation security audits are enabled in violation of policy
AUREQUIRE     File creation security audits are disabled in violation of policy

Description

Use of the qualifiers /CLASS=FILE and /ENABLE=CREATE with the SET AUDIT/ALARM or SET AUDIT/AUDIT command causes the corresponding reporting when a disk file is created.

Default policy

Enabling of File creation security alarms and audits is neither prohibited nor required.

Customizing

Set limits TRUE to establish a general prohibition of or requirement for the enabling of File creation security alarms or audits. Then establish exemptions for any individual nodes which are not to be subjected to the general rule.

Limits

Constraint    Value                 Default
ALPROHIBIT    FALSE or TRUE         FALSE
ALREQUIRE     FALSE, TRUE or TRY    FALSE
AUPROHIBIT    FALSE or TRUE         FALSE
AUREQUIRE     FALSE, TRUE or TRY    FALSE

Exemptions

Constraint    Value                 Parameters
ALPROHIBIT    FALSE or TRUE         <node>
ALREQUIRE     FALSE, TRUE or TRY    <node>
AUPROHIBIT    FALSE or TRUE         <node>
AUREQUIRE     FALSE, TRUE or TRY    <node>

Practical considerations

Disk file creation is a frequent event in many environments.

OBJDEACC

Determine whether enabling of alarms or audits for disk file deaccess events conforms to policy.

Violation reports

Constraint    Nature of the violation
ALPROHIBIT    File deaccess security alarms are enabled in violation of policy
ALREQUIRE     File deaccess security alarms are disabled in violation of policy
AUPROHIBIT    File deaccess security audits are enabled in violation of policy
AUREQUIRE     File deaccess security audits are disabled in violation of policy

Description

Use of the qualifiers /CLASS=FILE and /ENABLE=DEACCESS with the SET AUDIT/ALARM or SET AUDIT/AUDIT command causes the corresponding reporting when a disk file is deaccessed.

Default policy

Enabling of File deaccess security alarms and audits is neither prohibited nor required.

Customizing

Set limits TRUE to establish a general prohibition of or requirement for the enabling of File deaccess security alarms or audits. Then establish exemptions for any individual nodes which are not to be subjected to the general rule.

Limits

Constraint    Value                 Default
ALPROHIBIT    FALSE or TRUE         FALSE
ALREQUIRE     FALSE, TRUE or TRY    FALSE
AUPROHIBIT    FALSE or TRUE         FALSE
AUREQUIRE     FALSE, TRUE or TRY    FALSE

Exemptions

Constraint    Value                 Parameters
ALPROHIBIT    FALSE or TRUE         <node>
ALREQUIRE     FALSE, TRUE or TRY    <node>
AUPROHIBIT    FALSE or TRUE         <node>
AUREQUIRE     FALSE, TRUE or TRY    <node>

Practical considerations

Disk file deaccess is a frequent event in almost all environments.

OBJDELETE

Determine whether enabling of alarms or audits for disk file deletion events conforms to policy.

Violation reports

Constraint    Nature of the violation
ALPROHIBIT    File deletion security alarms are enabled in violation of policy
ALREQUIRE     File deletion security alarms are disabled in violation of policy
AUPROHIBIT    File deletion security audits are enabled in violation of policy
AUREQUIRE     File deletion security audits are disabled in violation of policy

Description

Use of the qualifiers /CLASS=FILE and /ENABLE=DELETE with the SET AUDIT/ALARM or SET AUDIT/AUDIT command causes the corresponding reporting when a disk file is deleted.

Default policy

Enabling of File deletion security alarms and audits is neither prohibited nor required.

Customizing

Set limits TRUE to establish a general prohibition of or requirement for the enabling of File deletion security alarms or audits. Then establish exemptions for any individual nodes which are not to be subjected to the general rule.

Limits

Constraint    Value                 Default
ALPROHIBIT    FALSE or TRUE         FALSE
ALREQUIRE     FALSE, TRUE or TRY    FALSE
AUPROHIBIT    FALSE or TRUE         FALSE
AUREQUIRE     FALSE, TRUE or TRY    FALSE

Exemptions

Constraint    Value                 Parameters
ALPROHIBIT    FALSE or TRUE         <node>
ALREQUIRE     FALSE, TRUE or TRY    <node>
AUPROHIBIT    FALSE or TRUE         <node>
AUREQUIRE     FALSE, TRUE or TRY    <node>

Practical considerations

Disk file deletion is a frequent event in most environments.

PRCCANWAK

Determine whether enabling of alarms or audits for privileged use of $CANWAK conforms to policy.

Violation reports

Constraint    Nature of the violation
ALPROHIBIT    CANWAK security alarms are enabled in violation of policy
ALREQUIRE     CANWAK security alarms are disabled in violation of policy
AUPROHIBIT    CANWAK security audits are enabled in violation of policy
AUREQUIRE     CANWAK security audits are disabled in violation of policy

Description

Use of the qualifier /ENABLE=PROCESS=CANWAK with the SET AUDIT/ALARM or SET AUDIT/AUDIT command causes the corresponding reporting when privileged use is made of the $CANWAK system service.

Default policy

Enabling of CANWAK security alarms and audits is neither prohibited nor required.

Customizing

Set limits TRUE to establish a general prohibition of or requirement for the enabling of CANWAK security alarms or audits. Then establish exemptions for any individual nodes which are not to be subjected to the general rule.

Limits

Constraint    Value                 Default
ALPROHIBIT    FALSE or TRUE         FALSE
ALREQUIRE     FALSE, TRUE or TRY    FALSE
AUPROHIBIT    FALSE or TRUE         FALSE
AUREQUIRE     FALSE, TRUE or TRY    FALSE

Exemptions

Constraint    Value                 Parameters
ALPROHIBIT    FALSE or TRUE         <node>
ALREQUIRE     FALSE, TRUE or TRY    <node>
AUPROHIBIT    FALSE or TRUE         <node>
AUREQUIRE     FALSE, TRUE or TRY    <node>

Practical considerations

Concern about this event is typically only for specialized environments or for troubleshooting.

PRCCPUCAP

Determine whether enabling of alarms or audits for changes in CPU capabilities conforms to policy.

Violation reports

Constraint    Nature of the violation
ALPROHIBIT    CPU Capability security alarms are enabled in violation of policy
ALREQUIRE     CPU Capability security alarms are disabled in violation of policy
AUPROHIBIT    CPU Capability security audits are enabled in violation of policy
AUREQUIRE     CPU Capability security audits are disabled in violation of policy

Description

Use of the qualifier /ENABLE=PROCESS=SUSPND with the SET AUDIT/ALARM or SET AUDIT/AUDIT command causes the corresponding reporting when privileged use is made of the $SUSPND system service.

Default policy

Enabling of CPU Capability security alarms and audits is neither prohibited nor required.

Customizing

Set limits TRUE to establish a general prohibition of or requirement for the enabling of CPU Capability security alarms or audits. Then establish exemptions for any individual nodes which are not to be subjected to the general rule.

Limits

Constraint    Value                 Default
ALPROHIBIT    FALSE or TRUE         FALSE
ALREQUIRE     FALSE, TRUE or TRY    FALSE
AUPROHIBIT    FALSE or TRUE         FALSE
AUREQUIRE     FALSE, TRUE or TRY    FALSE

Exemptions

Constraint    Value                 Parameters
ALPROHIBIT    FALSE or TRUE         <node>
ALREQUIRE     FALSE, TRUE or TRY    <node>
AUPROHIBIT    FALSE or TRUE         <node>
AUREQUIRE     FALSE, TRUE or TRY    <node>

Practical considerations

Concern about this event is typically only for specialized environments or for troubleshooting.

PRCCREPRC

Determine whether enabling of alarms or audits for all use of $CREPRC conforms to policy.

Violation reports

Constraint    Nature of the violation
ALPROHIBIT    CREPRC security alarms are enabled in violation of policy
ALREQUIRE     CREPRC security alarms are disabled in violation of policy
AUPROHIBIT    CREPRC security audits are enabled in violation of policy
AUREQUIRE     CREPRC security audits are disabled in violation of policy

Description

Use of the qualifier /ENABLE=PROCESS=CREPRC with the SET AUDIT/ALARM or SET AUDIT/AUDIT command causes the corresponding reporting when any process creation takes place.

Default policy

Enabling of CREPRC security alarms and audits is neither prohibited nor required.

Customizing

Set limits TRUE to establish a general prohibition of or requirement for the enabling of CREPRC security alarms or audits. Then establish exemptions for any individual nodes which are not to be subjected to the general rule.

Limits

Constraint    Value                 Default
ALPROHIBIT    FALSE or TRUE         FALSE
ALREQUIRE     FALSE, TRUE or TRY    FALSE
AUPROHIBIT    FALSE or TRUE         FALSE
AUREQUIRE     FALSE, TRUE or TRY    FALSE

Exemptions

Constraint    Value                 Parameters
ALPROHIBIT    FALSE or TRUE         <node>
ALREQUIRE     FALSE, TRUE or TRY    <node>
AUPROHIBIT    FALSE or TRUE         <node>
AUREQUIRE     FALSE, TRUE or TRY    <node>

Practical considerations

This type of event is common in most environments.
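
Added example (not part of the manual and not LJK/Security code): a small Python model of how the "Customizing" passages of the checks above combine a general limit with per-node exemptions to produce the listed violation reports. It assumes an exemption simply replaces the limit for the named node, models only the FALSE and TRUE values (the TRY value is not described on this page), and uses constructed node names and hypothetical function names.

```python
# Added example: hypothetical model of the limit / exemption / violation logic.
# Names and data structures are assumptions, not LJK/Security's own.

# constraint -> (report kind, observed state that violates it, wording)
CONSTRAINTS = {
    "ALPROHIBIT": ("alarms", True, "enabled"),
    "ALREQUIRE": ("alarms", False, "disabled"),
    "AUPROHIBIT": ("audits", True, "enabled"),
    "AUREQUIRE": ("audits", False, "disabled"),
}

def effective(limits, exemptions, constraint, node):
    """Assumed rule: a per-node exemption overrides the limit; default FALSE."""
    return exemptions.get((constraint, node), limits.get(constraint, False))

def violations(label, node, observed, limits, exemptions):
    """Return violation reports for one check on one node.

    label    -- event name as used in the manual's messages, e.g. "NCP"
    observed -- {"alarms": bool, "audits": bool}: what is enabled on the node
    """
    reports = []
    for constraint, (kind, bad_state, wording) in CONSTRAINTS.items():
        active = effective(limits, exemptions, constraint, node)
        if active and observed[kind] == bad_state:
            reports.append(f"{constraint}: {label} security {kind} are "
                           f"{wording} in violation of policy")
    return reports

def conflicts(limits, exemptions, node):
    """Kinds both prohibited and required on a node (every state violates)."""
    pairs = {"alarms": ("ALPROHIBIT", "ALREQUIRE"),
             "audits": ("AUPROHIBIT", "AUREQUIRE")}
    return [kind for kind, (p, r) in pairs.items()
            if effective(limits, exemptions, p, node)
            and effective(limits, exemptions, r, node)]

# Constructed sample policy for the NCP check: require alarms and audits
# everywhere, but exempt the (constructed) node TEST01 from the alarm rule.
NCP_LIMITS = {"ALREQUIRE": True, "AUREQUIRE": True}
NCP_EXEMPTIONS = {("ALREQUIRE", "TEST01"): False}

if __name__ == "__main__":
    state = {"PROD01": {"alarms": False, "audits": True},
             "TEST01": {"alarms": False, "audits": False}}
    for node, observed in state.items():
        for line in violations("NCP", node, observed, NCP_LIMITS, NCP_EXEMPTIONS):
            print(node, line)
```

Running conflicts() over each node before deploying a policy catches a PROHIBIT and REQUIRE pair that are both TRUE for the same report kind, which would otherwise raise a violation whatever the node's audit settings are.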

