LJK/Security Reference Manual
MAXACCTJOB
Determine whether specification of maximum jobs for account conforms to
policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | Maximum jobs for account is lower than allowed by policy |
| ABSOLUTHI | Maximum jobs for account is higher than allowed by policy |
Description
User authorization field MAXACCTJOBS limits the number of simultaneous
batch, interactive and detached jobs which may be active on behalf of
users who share a single ACCOUNT value in their authorization file records.
Default policy: No limit is enforced.
Customizing: Customize if you feel a need to enforce such a limit.
Limits
| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | 0-n | 0 |
| ABSOLUTHI | 0-n | 0 |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | 0-n | <node>, <username> |
| ABSOLUTHI | 0-n | <node>, <username> |
Practical considerations: Most sites do not use this limitation
capability except for particular chargeback reasons.
MAXDETACH
Determine whether specification of maximum detached jobs conforms to
policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | Maximum detached jobs is lower than allowed by policy |
| ABSOLUTHI | Maximum detached jobs is higher than allowed by policy |
Description
User authorization field MAXDETACH limits the number of simultaneous
detached jobs which may be active on behalf of users who share a single
ACCOUNT value in their authorization file records.
Default policy: No limit is enforced.
Customizing: Customize if you feel a need to enforce such a limit.
A limit or exemption with a value of zero means there is no value which
is considered unacceptable.
Limits
| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | 0-n | 0 |
| ABSOLUTHI | 0-n | 0 |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | 0-n | <node>, <username> |
| ABSOLUTHI | 0-n | <node>, <username> |
Practical considerations: Most sites do not use this limitation
capability except for particular chargeback reasons.
MAXJOBS
Determine whether specification of maximum jobs for username conforms
to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | Maximum jobs for username is lower than allowed by policy |
| ABSOLUTHI | Maximum jobs for username is higher than allowed by policy |
Description
User authorization field MAXJOBS limits the number of simultaneous
batch, interactive, network and detached jobs which may be active on
behalf of a single username. The first 4 network jobs are not counted.
Default policy: No limit is enforced.
Customizing: Customize if you feel a need to enforce such a limit.
A limit or exemption with a value of zero means there is no value which
is considered unacceptable.
Limits
| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | 0-n | 0 |
| ABSOLUTHI | 0-n | 0 |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | 0-n | <node>, <username> |
| ABSOLUTHI | 0-n | <node>, <username> |
Practical considerations: Most sites do not use this limitation
capability except for particular chargeback reasons.
MIGRATEPWD
Determine whether sharing password changes conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Sharing password changes is enabled in violation of policy |
| REQUIRED | Sharing password changes is disabled in violation of policy |
Description
The MIGRATEPWD authorization flag indicates that password changes
made to one ACME agent are shared with others.
Default policy: Password sharing is neither required nor prohibited.
Customizing: Use these tests to match how you use external authentication.
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>, <username> |
| REQUIRED | FALSE or TRUE | <node>, <username> |
Practical considerations: If you do not use external authentication,
ignore this element.
NOMAIL
Determine whether disabling of Mail delivery conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Mail delivery is disabled in violation of policy |
| REQUIRED | Mail delivery is enabled in violation of policy |
Description
If local practice is to use VMSmail to distribute security-related
notices, prohibiting mail delivery to certain usernames is counter to
security interests.
Default policy: Disabling of mail delivery is prohibited.
Customizing: Customize here if you have users who are not permitted
access to the VMSmail program.
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | TRUE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>, <username> |
| REQUIRED | FALSE or TRUE | <node>, <username> |
Practical considerations: If some usernames are arranged so the user
cannot read VMSmail, disabling delivery is the best way to indicate to
would-be mail senders that other communications means should be used.
Mail delivery should also be disabled for any users who have unlimited
disk quota on their login disk.
OPERATOR
Determine whether the number of Usernames with OPER (but no higher)
privilege conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| TOOFEW | The number of simple operators compared to other privileged users is lower than the policy minimum |
Description
The test associated with the TOOFEW constraint determines whether the
number of Usernames with OPER (but no higher) privilege conforms to policy.
Default policy: The minimum ratio of usernames with only OPER to those
with higher privilege is 2.
Customizing: Adjust this number higher for heavy production environments.
Limits
| Constraint | Value | Default |
|---|---|---|
| TOOFEW | 0-n | 2 |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| TOOFEW | 0-n | <node>, <username> |
Practical considerations: The goal is to avoid situations where routine
operator actions are handled by overprivileged individuals, or where
those with operator duties are granted excessive privilege.
OWNER
Determine whether the allocation of Usernames to various owners
conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| DIGITSPACE | Owner of a username has neither a space between adjacent letters nor 4 consecutive digits in violation of policy |
| MAINTAINED | Owner of a username is blank in violation of policy |
| NONPRIVMAX | Number of nonprivileged usernames for a single owner exceeds maximum |
| NONPRIVMIN | Number of nonprivileged usernames for a single owner is less than minimum |
| PRIVMAX | Number of privileged usernames for a single owner exceeds maximum |
| PRIVMIN | Number of privileged usernames for a single owner is less than minimum |
Description
Tests in this element determine whether the maintenance of the "owner"
field in the SYSUAF file and the assignment of usernames to distinct
owners conforms to policy.
Default policy: Owner names are maintained and each owner can have at
most one privileged Username and ten non-privileged usernames.
Customizing: Reduce the limit for constraint NONPRIVMAX where possible.
Set the limit for constraint NONPRIVMIN to 1 to require that users with
privileged usernames also have non-privileged usernames.
Limits
| Constraint | Value | Default |
|---|---|---|
| DIGITSPACE | FALSE or TRUE | TRUE |
| MAINTAINED | FALSE or TRUE | TRUE |
| NONPRIVMAX | 0-n | 10 |
| NONPRIVMIN | 0-n | 0 |
| PRIVMAX | 0-n | 1 |
| PRIVMIN | 0-n | 0 |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| DIGITSPACE | FALSE or TRUE | <node>, <username> |
| MAINTAINED | FALSE or TRUE | <node>, <username> |
| NONPRIVMAX | 0-n | <node>, <username> |
| NONPRIVMIN | 0-n | <node>, <username> |
| PRIVMAX | 0-n | <node>, <username> |
| PRIVMIN | 0-n | <node>, <username> |
Practical considerations: LJK/Security can only detect innocent error
in this area, not deliberate malfeasance.
For the numeric constraints in this element, tests ignore usernames that
are allowed no more than Batch access. This takes care of usernames
created by layered products.
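As an added illustration, not LJK/Security's own code, the OWNER element's checks run over constructed SYSUAF-style records: the DIGITSPACE and MAINTAINED tests on the owner field, the per-owner counts (a numeric limit of 0 disables the test) and the exclusion of batch-only usernames from the numeric constraints. The record layout, the sample data and an exemption keyed by username alone (single node) are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed SYSUAF-style records (sample data, not from a real system).
# "privileged" marks usernames holding more than TMPMBX and NETMBX.
SAMPLE_UAF = [
    {"username": "SYSTEM",   "owner": "SYSTEM MANAGER", "access": {"LOCAL", "BATCH"},   "privileged": True},
    {"username": "JDOE",     "owner": "DOE J",          "access": {"LOCAL", "NETWORK"}, "privileged": False},
    {"username": "JDOE_PRV", "owner": "DOE J",          "access": {"LOCAL"},            "privileged": True},
    {"username": "JDOE2",    "owner": "DOE J",          "access": {"LOCAL"},            "privileged": False},
    {"username": "JDOE3",    "owner": "DOE J",          "access": {"LOCAL"},            "privileged": False},
    {"username": "ASMITH",   "owner": "ASMITH",         "access": {"LOCAL"},            "privileged": False},
    {"username": "BLDQUEUE", "owner": "",               "access": {"BATCH"},            "privileged": False},
    {"username": "ACCT4711", "owner": "SHIP4711",       "access": {"LOCAL"},            "privileged": False},
]

# OWNER element limits; a numeric limit of 0 means no value is considered unacceptable.
LIMITS = {"DIGITSPACE": True, "MAINTAINED": True,
          "NONPRIVMAX": 2, "NONPRIVMIN": 0, "PRIVMAX": 1, "PRIVMIN": 0}

def owner_is_wellformed(owner):
    """DIGITSPACE: owner has a space between adjacent letters or 4 consecutive digits."""
    return bool(re.search(r"[A-Za-z] [A-Za-z]", owner) or re.search(r"\d{4}", owner))

def check_owner(records, limits, exempt=frozenset()):
    """Return sorted (constraint, subject) violations; subject is a username or an owner."""
    violations = set()
    per_owner = defaultdict(lambda: {"priv": 0, "nonpriv": 0})
    for r in records:
        if r["username"] in exempt:          # exemption keyed by username (single node assumed)
            continue
        if limits["MAINTAINED"] and not r["owner"].strip():
            violations.add(("MAINTAINED", r["username"]))
        elif limits["DIGITSPACE"] and not owner_is_wellformed(r["owner"]):
            violations.add(("DIGITSPACE", r["username"]))
        if r["access"] <= {"BATCH"}:         # numeric constraints ignore batch-only usernames
            continue
        per_owner[r["owner"]]["priv" if r["privileged"] else "nonpriv"] += 1
    for owner, n in per_owner.items():
        checks = (("NONPRIVMAX", n["nonpriv"] > limits["NONPRIVMAX"]),
                  ("NONPRIVMIN", n["nonpriv"] < limits["NONPRIVMIN"]),
                  ("PRIVMAX", n["priv"] > limits["PRIVMAX"]),
                  ("PRIVMIN", n["priv"] < limits["PRIVMIN"]))
        for constraint, failed in checks:
            if limits[constraint] and failed:  # a limit of 0 disables the constraint
                violations.add((constraint, owner))
    return sorted(violations)

if __name__ == "__main__":
    for v in check_owner(SAMPLE_UAF, LIMITS):
        print("%-10s %s" % v)
```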
PRIO
Determine whether base process priority conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | Base process priority is lower than allowed by policy |
| ABSOLUTHI | Base process priority is higher than allowed by policy |
Description
If base process priority for a username is higher or lower than that
for other usernames (generally 4), denial of service hazards are
created.
Default policy: Base process priority must be 4.
Customizing: Different base priorities for different users can lead to
severe performance problems.
Limits
| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | 0-31 | 4 |
| ABSOLUTHI | 0-31 | 4 |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | 0-31 | <node>, <username> |
| ABSOLUTHI | 0-31 | <node>, <username> |
Practical considerations: Authorization file base process priority does
not affect batch jobs. The process priority in that case is controlled
by batch queue parameters.
PRIVILEGE
Ensure that privileges held by individual usernames are acceptable.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| AUTHAUDIT | Username with a particular authorized privilege is not set to audit all action in violation of policy |
| AUTHREQUIR | Username lacks authorization for privilege |
| AUTHPROHIB | Username has authorization for privilege |
| DEFAUDIT | Username with a particular default privilege is not set to audit all action in violation of policy |
| DEFREQUIR | Username lacks default privilege |
| DEFPROHIB | Username has default privilege |
| NOIMPLICIT | Each username allowed Interactive or Network access has a UIC greater than MAXSYSGROUP |
Description
Privileged users can disrupt system operations in many ways. The system
User Authorization File (SYSUAF) specifies any privileges granted to
usernames.
Even if a user is authorized to use privileges, they generally should
not be enabled by default. The system User Authorization File contains
two lists of privileges for each username: those which are enabled by
default and those which the user is entitled to enable by use of the
SET PROCESS/PRIVILEGE= command.
The purpose of this test is to ensure that the default and authorized
privileges for each user comply with organization-wide security policy.
Implicit SYSPRV (due to a low UIC group) is not considered as SYSPRV
under element UAF_PRIVILEGE, but is considered such under element
UAF_PRIVLEVEL.
Default policy: No privileges are required or prohibited by this test
element, because equivalent tests are performed under test element
PRIVLEVEL.
Customizing: The tests under element PRIVLEVEL are sufficient to express
simpler limitations based on privilege level. If a more complicated
selection of privileges is required, it may be necessary to use the
tests under element PRIVILEGE. You should add exemptions for usernames
which are supposed to have privilege, such as SYSTEM.
Selector: Limits and exemptions for this element can take a selector
consisting of a privilege name. Thus, each can be set once for each
possible privilege. Using the Command Interface, if you do not specify
a selector when changing limits or exemptions, your change applies to
all privileges.
Limits
| Constraint | Value | Default |
|---|---|---|
| AUTHAUDIT | FALSE or TRUE | FALSE |
| AUTHREQUIR | FALSE or TRUE | FALSE |
| AUTHPROHIB | FALSE or TRUE | FALSE |
| DEFAUDIT | FALSE or TRUE | FALSE |
| DEFREQUIR | FALSE or TRUE | FALSE |
| DEFPROHIB | FALSE or TRUE | FALSE |
| NOIMPLICIT | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| AUTHAUDIT | FALSE or TRUE | <node>, <username> |
| AUTHREQUIR | FALSE or TRUE | <node>, <username> |
| AUTHPROHIB | FALSE or TRUE | <node>, <username> |
| DEFAUDIT | FALSE or TRUE | <node>, <username> |
| DEFREQUIR | FALSE or TRUE | <node>, <username> |
| DEFPROHIB | FALSE or TRUE | <node>, <username> |
| NOIMPLICIT | FALSE or TRUE | <node>, <username> |
Practical considerations: TMPMBX privilege is required for most users,
so they can run common utility programs which use mailboxes. NETMBX
privilege is required for users to access DECnet.
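As an added illustration, not LJK/Security's own code, the PRIVILEGE element's required/prohibited checks with a per-privilege selector (a "*" entry standing for the no-selector case that applies to all privileges), exemptions keyed by node and username, and the NOIMPLICIT check of UIC group against MAXSYSGROUP, run over constructed SYSUAF-style records. The record layout, the sample data and the MAXSYSGROUP value are assumptions; the AUTHAUDIT and DEFAUDIT constraints are left out.

```python
# Constructed SYSUAF-style records (sample data, not from a real system); UIC groups are octal.
# MAXSYSGROUP: UIC groups at or below this value carry implicit SYSPRV (value assumed here).
MAXSYSGROUP = 0o10
INTERACTIVE_OR_NETWORK = {"LOCAL", "DIALUP", "REMOTE", "NETWORK"}
SAMPLE_UAF = [
    {"node": "NODEA", "username": "SYSTEM", "uic_group": 0o1, "access": {"LOCAL"},
     "authorized": {"SETPRV", "SYSPRV", "TMPMBX", "NETMBX"}, "default": {"SYSPRV", "TMPMBX", "NETMBX"}},
    {"node": "NODEA", "username": "OPS_AUDIT", "uic_group": 0o7, "access": {"LOCAL", "NETWORK"},
     "authorized": {"OPER", "SETPRV", "TMPMBX", "NETMBX"}, "default": {"SETPRV", "TMPMBX", "NETMBX"}},
    {"node": "NODEA", "username": "JDOE", "uic_group": 0o200, "access": {"LOCAL", "NETWORK"},
     "authorized": {"TMPMBX", "NETMBX", "BYPASS"}, "default": {"TMPMBX", "NETMBX"}},
    {"node": "NODEA", "username": "BLDQUEUE", "uic_group": 0o200, "access": {"BATCH"},
     "authorized": {"TMPMBX"}, "default": {"TMPMBX"}},
]
# Limits keyed by (constraint, privilege); "*" is the no-selector case and covers every privilege.
LIMITS = {
    ("AUTHREQUIR", "TMPMBX"): True,   # needed by common utilities that use mailboxes
    ("AUTHREQUIR", "NETMBX"): True,   # needed to reach DECnet
    ("AUTHPROHIB", "BYPASS"): True,
    ("DEFPROHIB", "SETPRV"): True,    # may be authorized, but must not be enabled by default
    ("NOIMPLICIT", "*"): True,
}
# Exemptions keyed by (constraint, privilege, node, username).
EXEMPTIONS = {("AUTHREQUIR", "NETMBX", "NODEA", "BLDQUEUE"), ("NOIMPLICIT", "*", "NODEA", "SYSTEM")}
# (constraint, privilege list to inspect, whether the privilege must be present)
RULES = (("AUTHREQUIR", "authorized", True), ("AUTHPROHIB", "authorized", False),
         ("DEFREQUIR", "default", True), ("DEFPROHIB", "default", False))

def limit_on(limits, constraint, priv):
    """Per-privilege setting, falling back to the all-privileges ("*") setting."""
    return limits.get((constraint, priv), limits.get((constraint, "*"), False))

def check_privilege(records, limits, exemptions=frozenset()):
    """Return sorted (constraint, privilege, username) violations for the PRIVILEGE element."""
    violations = set()
    seen = set().union(*(r["authorized"] | r["default"] for r in records))
    privs = seen | {p for _, p in limits if p != "*"}
    for r in records:
        def report(constraint, priv):
            if (constraint, priv, r["node"], r["username"]) not in exemptions:
                violations.add((constraint, priv, r["username"]))
        for p in privs:
            for constraint, field, must_have in RULES:
                if limit_on(limits, constraint, p) and (p in r[field]) != must_have:
                    report(constraint, p)
        # NOIMPLICIT: interactive or network users must not sit in a UIC group at or below MAXSYSGROUP
        if limit_on(limits, "NOIMPLICIT", "*") and r["access"] & INTERACTIVE_OR_NETWORK \
                and r["uic_group"] <= MAXSYSGROUP:
            report("NOIMPLICIT", "*")
    return sorted(violations)
```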
PRIVLEVEL
Ensure that privilege levels of individual usernames are acceptable.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | Lower than minimum in the policy |
| ABSOLUTHI | Higher than maximum in the policy |
| ACCESSMAX | Higher than allowed for a permitted process type |
| ACCESSMIN | Lower than required for a permitted process type |
Description
Privilege levels (categories) provide a simple codification as to the
level of power granted by various VMS privileges.
The purpose of these tests is to ensure that the privilege level granted
to each user complies with organization-wide security policy. This test
compares the level for each authorized username against limits set in
the policy in two ways:
- directly under constraints ABSOLUTLO and ABSOLUTHI
- according to access granted under constraints ACCESSMAX and ACCESSMIN
Implicit SYSPRV (due to a low UIC group) is not considered as SYSPRV
under element UAF_PRIVILEGE, but is considered such under element
UAF_PRIVLEVEL.
Default policy: By default, the privilege level NONE is the minimum
allowed (meaning no restriction) and the privilege level NORMAL is the
maximum allowed (allowing the holding of TMPMBX and NETMBX).
Customizing: The tests under element PRIVLEVEL are sufficient to express
simpler limitations based on privilege level. If a more complicated
selection of privileges is required, it may be necessary to use the
tests under element PRIVILEGE. You should establish exemptions for
usernames which are authorized higher levels of privilege, such as
SYSTEM.
Selector: Tests (UAF, PRIVLEVEL, ACCESSMAX) and (UAF, PRIVLEVEL,
ACCESSMIN) take a selector consisting of a login type: LOCAL, DIALUP,
REMOTE, NETWORK or BATCH.
Limits
| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | Category-None to Category-All | Category-None |
| ABSOLUTHI | Category-None to Category-All | Category-Normal |
| ACCESSMAX | Category-None to Category-All | Category-Normal |
| ACCESSMIN | Category-None to Category-All | Category-Normal |
* Higher value for privileges other than TMPMBX and NETMBX and levels
above NORMAL.
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | Category-None to Category-All | <node>, <username> |
| ABSOLUTHI | Category-None to Category-All | <node>, <username> |
| ACCESSMAX | Category-None to Category-All | <node>, <username> |
| ACCESSMIN | Category-None to Category-All | <node>, <username> |
Practical considerations: These tests and the UAF_PRIVILEGE tests both
detect excessive privilege, so when exemptions are granted for one they
need to be granted for the other if both are in use.
PRIVLGILAT
Ensure ability for privileged users to login over LAT conforms to
policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PRIVPROHIB | Login with privilege permitted in violation of policy |
| ABSOLUTHI | Login with privilege permitted in violation of policy |
Description
When users are allowed to log in over LAT terminals, their passwords
can be read by any station on the Ethernet through the use of
promiscuous mode. If privileged users are allowed to log in over LAT
terminals, compromise of their password can threaten the security of
the entire system.
These tests determine whether user authorization
access masks, in combination with terminal DIALUP indications, prohibit
privileged users from logging in over LAT terminals.