LJK/Security Reference Manual
Previous Contents Index

DOUAF

Ensure that separation of Username Authorization from other privileged duties conforms to policy.

Violation reports

Constraint Nature of the violation
DOASSESS Intervening Security Assessment actions
DOAUDIT Intervening Audit Control actions
DOCONNECT Intervening Connect actions
DOINSTALL Intervening image install activities
DOMOUNT Intervening mount actions
DONCP Intervening Network Management actions
DOPROCESS Intervening privileged process control actions
DOSYSGEN Intervening System Parameter changes
DOTIME Intervening SET TIME actions
DOUSEPRIV Intervening use of privilege for some other purpose

Description

The tests for this element determine separation of duties between Username Authorization and other privileged security relevant activities conforms to policy.

Each test will detect any case where one of the other privileged security relevant activities intervenes between two Username Authorization activities by the same user that are less that a specified interval apart in time.

Default policy By default, none of the separation of duties tests are enabled. Customizing Make minor adjustments to suit your environment. selector

Limits

Constraint Value Default
DOASSESS time interval none
DOAUDIT time interval none
DOCONNECT time interval none
DOINSTALL time interval none
DOMOUNT time interval none
DONCP time interval none
DOPROCESS time interval none
DOSYSGEN time interval none
DOTIME time interval none
DOUSEPRIV time interval none

Exemptions

Constraint Value Parameters
DOASSESS time interval <node>, <absolute-time> or <earliest-time>
DOAUDIT time interval <node>, <absolute-time> or <earliest-time>
DOCONNECT time interval <node>, <absolute-time> or <earliest-time>
DOINSTALL time interval <node>, <absolute-time> or <earliest-time>
DOMOUNT time interval <node>, <absolute-time> or <earliest-time>
DONCP time interval <node>, <absolute-time> or <earliest-time>
DOPROCESS time interval <node>, <absolute-time> or <earliest-time>
DOSYSGEN time interval <node>, <absolute-time> or <earliest-time>
DOTIME time interval <node>, <absolute-time> or <earliest-time>
DOUSEPRIV time interval <node>, <absolute-time> or <earliest-time>
Practical considerations The (USAGE, DO*) tests are intended to detect inadequate separation of duties. Do not shoot the messenger.

DOUSEPRIV

Ensure that separation of Use of Privilege from other privileged duties conforms to policy.

Violation reports

Constraint Nature of the violation
DOASSESS Intervening Security Assessment actions
DOAUDIT Intervening Audit Control actions
DOCONNECT Intervening Connect actions
DOINSTALL Intervening image install activities
DOMOUNT Intervening mount actions
DONCP Intervening Network Management actions
DOPROCESS Intervening privileged process control actions
DOSYSGEN Intervening System Parameter changes
DOTIME Intervening SET TIME actions
DOUAF Intervening Authorization actions

Description

The tests for this element determine separation of duties between Use of Privilege and other privileged security relevant activities conforms to policy.

Each test will detect any case where one of the other privileged security relevant activities intervenes between two Use of Privilege activities by the same user that are less that a specified interval apart in time.

Default policy By default, none of the separation of duties tests are enabled. Customizing Make minor adjustments to suit your environment. selector

Limits

Constraint Value Default
DOASSESS time interval none
DOAUDIT time interval none
DOCONNECT time interval none
DOINSTALL time interval none
DOMOUNT time interval none
DONCP time interval none
DOPROCESS time interval none
DOSYSGEN time interval none
DOTIME time interval none
DOUAF time interval none

Exemptions

Constraint Value Parameters
DOASSESS time interval <node>, <absolute-time> or <earliest-time>
DOAUDIT time interval <node>, <absolute-time> or <earliest-time>
DOCONNECT time interval <node>, <absolute-time> or <earliest-time>
DOINSTALL time interval <node>, <absolute-time> or <earliest-time>
DOMOUNT time interval <node>, <absolute-time> or <earliest-time>
DONCP time interval <node>, <absolute-time> or <earliest-time>
DOPROCESS time interval <node>, <absolute-time> or <earliest-time>
DOSYSGEN time interval <node>, <absolute-time> or <earliest-time>
DOTIME time interval <node>, <absolute-time> or <earliest-time>
DOUAF time interval <node>, <absolute-time> or <earliest-time>
Practical considerations The (USAGE, DO*) tests are intended to detect inadequate separation of duties. Do not shoot the messenger.

EVADEPWD

Ensure that uses of privilege that might evade password policy conform to policy.

Violation reports

Constraint Nature of the violation
DICTIONARY Bypassing password dictionary controls not corrected within interval
HISTORY Bypassing password history controls not corrected within interval
PREEXPIRED Bypassing password pre-expiration controls
SELF Bypassing password change controls for the acting Username

Description

The tests for this element detect evasion of password policy by setting passwords outside the SET PASSWORD and LOGINOUT rules. Since such changes will legitimately be made for correcting "lost password" situations, there is a time interval allowed for the proper resetting of the password with SET PASSWORD, LOGINOUT or a call to $ACM. There is no such time interval when such a change is made by the affected (privileged) username.
Default policy Five minutes are allowed for a subsequent password change conforming to password policy, except none is allowed when a user changes their own password. Customizing Allow more time if your organization sends password change information via courier or other slow methods.

There should be no reason to alter the SELF constraint. selector

Limits

Constraint Value Default
DICTIONARY time interval 5 minutes
HISTORY time interval 5 minutes
PREEXPIRED FALSE or TRUE TRUE
SELF FALSE or TRUE TRUE

Exemptions

Constraint Value Parameters
DICTIONARY time interval <node>, <absolute-time> or <earliest-time>
HISTORY time interval <node>, <absolute-time> or <earliest-time>
PREEXPIRED FALSE or TRUE <node>, <absolute-time> or <earliest-time>
SELF FALSE or TRUE <node>, <absolute-time> or <earliest-time>
Practical considerations It may be necessary to add exemptions based on earliest-time to avoid continually reviewing past bad practices.

OPERATOR

Ensure that separation of simple operator duties from more complex privileged activities conform to policy.

Violation reports

Constraint Nature of the violation
ACCOUNTING Percentage of accounting activities performed by those with more than operator privilege exceeds policy maximum
BROADCAST Percentage of broadcast activities performed by those with more than operator privilege exceeds policy maximum
CLUSTER Percentage of cluster activities performed by those with more than operator privilege exceeds policy maximum
DEVICE Percentage of device activities performed by those with more than operator privilege exceeds policy maximum
LOGIN Percentage of login activities performed by those with more than operator privilege exceeds policy maximum
OPERLOGIN Percentage of operlogin activities performed by those with more than operator privilege exceeds policy maximum
QUEUE Percentage of queue activities performed by those with more than operator privilege exceeds policy maximum
TAPE Percentage of tape activities performed by those with more than operator privilege exceeds policy maximum
UNDOC Percentage of undocumented activities performed by those with more than operator privilege exceeds policy maximum

Description

The tests for this element determine whether more than a specified percentage of operator activities are made by username with higher privileges than OPER.
Default policy By default, there are no restrictions on which privileged users perform operator duties. Customizing Constraints BROADCAST, QUEUE and TAPE are most appropriate for limiting the percentage of operations performed by highly privileged usernames. selector

Limits

Constraint Value Default
ACCOUNTING 0-100 100
BROADCAST 0-100 100
CLUSTER 0-100 100
DEVICE 0-100 100
LOGIN 0-100 100
OPERLOGIN 0-100 100
QUEUE 0-100 100
TAPE 0-100 100
UNDOC 0-100 100

Exemptions

Constraint Value Parameters
ACCOUNTING 0-100 <node>, <absolute-time> or <earliest-time>
BROADCAST 0-100 <node>, <absolute-time> or <earliest-time>
CLUSTER 0-100 <node>, <absolute-time> or <earliest-time>
DEVICE 0-100 <node>, <absolute-time> or <earliest-time>
LOGIN 0-100 <node>, <absolute-time> or <earliest-time>
OPERLOGIN 0-100 <node>, <absolute-time> or <earliest-time>
QUEUE 0-100 <node>, <absolute-time> or <earliest-time>
TAPE 0-100 <node>, <absolute-time> or <earliest-time>
UNDOC 0-100 <node>, <absolute-time> or <earliest-time>
Practical considerations The (USAGE, OPERATOR) tests are intended to detect inadequate separation of duties. Do not shoot the messenger.

PRIVILEGE

Ensure privilege assignment and usage characteristics conform to policy.

Violation reports

Constraint Nature of the violation
NEVERUSED Username has privileges that are never used
NOIMPLICIT Username authorized interactive or network access had implicit privilege based on UIC group
UAFSELF User modified authorization data for their own username

Description

The tests in this element determine whether particular inappropriate privilege has been granted.
Default policy There are no restrictions on IMPLICIT or NEVERUSED privileges. Customizing The test for the NEVERUSED constraint will not produce meaningful results with inadequate audit logs. selector Limits and exemptions for test NEVERUSED can take a selector consisting of a privilege name.

Thus, each can be set once for each possible privilege. When using the Command Interface if you do not specify a selector when changing the limit or exemptions your change applies to all privileges.

Limits

Constraint Value Default
NEVERUSED FALSE or TRUE FALSE for TMPMBX and NETMBX, TRUE for others
NOIMPLICIT FALSE or TRUE TRUE
UAFSELF FALSE or TRUE TRUE

Exemptions

Constraint Value Parameters
NEVERUSED FALSE or TRUE <node>, <absolute-time> or <earliest-time>
NOIMPLICIT FALSE or TRUE <node>, <absolute-time> or <earliest-time>
UAFSELF FALSE or TRUE <node>, <absolute-time> or <earliest-time>
Practical considerations The tests for this element ignore usernames that allowed no more than Batch access. This takes care of usernames created by layered products.

READAUDIT

Ensure reading of audit logs conforms to policy.

Violation reports

Constraint Nature of the violation
ANY The interval between any reading of the audit data exceeds the policy minimum
BATCH The interval between batch reading of the audit data exceeds the policy minimum
INTERACT The interval between interactive reading of the audit data exceeds the policy minimum
INTERBREAK The number of readings of the audit data does not increase enough in response to increased breakin attempts
NETWORK The interval between network reading of the audit data exceeds the policy minimum

Description

The tests within this element measure the history of reading the audit logs.

Test (USAGE, READAUDIT, INTERBREAK) measures:

  1. the percentage week-to-week increase in reading of the audit data
  2. the percentage week-to-week increase in breakin attempts
If the ratio of the first to the second is less than the percentage specified by the Limit for this test, a violation is reported.

The other tests specify the maximum number of days between reading the audit data from various types of processes.

Default policy Some reading of the audit log is required every 7 days. Customizing Make changes to match your organization's own plan for reviewing audit results. selector

Limits

Constraint Value Default
ANY time interval 0 (not required)
BATCH time interval 0 (not required)
INTERACT time interval 0 (not required)
INTERBREAK percentage 0 (not required)
NETWORK time interval 0 (not required)

Exemptions

Constraint Value Parameters
ANY time interval <node>, <absolute-time> or <earliest-time>
BATCH time interval <node>, <absolute-time> or <earliest-time>
INTERACT time interval <node>, <absolute-time> or <earliest-time>
INTERBREAK percentage <node>, <absolute-time> or <earliest-time>
NETWORK time interval <node>, <absolute-time> or <earliest-time>
Practical considerations LJK/Security can only detect innocent error in this area, not deliberate malfeasance. LJK/Security

REMEDIATE

Ensure remediation reports are generated sufficiently often.

Violation reports

Constraint Nature of the violation
MAXIMUM Remediation report generation interval exceeds policy maximum

Description

The test within this element determine whether the command LJK/SECURITY REPORT/REMEDIATION has been issued for a completed full assessment (/METHOD=ALL) sufficiently often.
Default policy The test (USAGE,REMEDIATE,MAXIMUM) is not used. Customizing Modify the limit to match your local policy. selector

Limits

Constraint Value Default
MAXIMUM delta-time +00:00:00.00

Exemptions

Constraint Value Parameters
MAXIMUM delta-time <node>
Practical considerations For NIST Special Publication 800-53, the remediation report is called a "Plan of Action and Milestones" or "POA&M".

SETTIME

Ensure time is set or synchronized sufficiently often.

Violation reports

Constraint Nature of the violation
MAXIMUM Assessment-wide time setting interval exceeds policy maximum

Description

The tests within this element determine whether time is coordinated between multiple systems being assessed.
Default policy The test (USAGE,SETTIME,MAXIMUM) is not used because VMS auditing shortcomings (at least through VMS Version 8.3) require additional discipline to cause auditing of setting time. Customizing Modify the limit to match your local policy. selector

Limits

Constraint Value Default
MAXIMUM delta-time +00:00:00.00

Exemptions

Constraint Value Parameters
MAXIMUM delta-time <node>
Practical considerations Due to VMS auditing shortcomings (at least through VMS Version 8.3) the coordinated setting of time on multiple tributary nodes covered by a single assessment can only be assured by doing separate coordinated SET TIME commands on each node. Using the /CLUSTER qualifier to the VMS command SET TIME does not create an audit trail suitable for measuring compliance.

SYSTEMUSER

Ensure restrictions on SYSTEM username conform to policy.

Violation reports

Constraint Nature of the violation
NOBATCH Batch process for username SYSTEM in violation of policy
NOINTERACT Interactive process for username SYSTEM in violation of policy
NONETWORK Network process for username SYSTEM in violation of policy

Description

The tests within this element determine whether proper restrictions are in place for the SYSTEM username.
Default policy Only BATCH access is allowed for username SYSTEM. Customizing Adding exemptions based on earliest-time may be appropriate for situations where use of LJK/Security is introduced late in the game. The earliest-time specified cannot be later than the time at which the exemption is added. selector

Limits

Constraint Value Default
NOBATCH FALSE or TRUE FALSE
NOINTERACT FALSE or TRUE TRUE
NONETWORK FALSE or TRUE TRUE

Exemptions

Constraint Value Parameters
NOBATCH FALSE or TRUE <node>, <absolute-time> or <earliest-time>
NOINTERACT FALSE or TRUE <node>, <absolute-time> or <earliest-time>
NONETWORK FALSE or TRUE <node>, <absolute-time> or <earliest-time>
Practical considerations The tests for this element are for usage, while those in the UAF facility are for access control. Thus absolute-time exemptions should be added for the constraint NOINTERACT when the SYSTEM username is used on the console to recover from breakin evasion.

UAFMODIFY

Ensure modification user authorization is done from the proper type of process.

Violation reports

Constraint Nature of the violation
DISUNUSED Unused username was disabled by a prohibited process type
PROHIBITED Privileged changes were made by a prohibited process type
REQUIRED Privileged changes were not made by a required process type

Description

The history of user authorization changes is examined for proper process type.

Previous Next Contents Index