| Previous | Contents | Index |
See if the value of the TTY_TIMEOUT parameter conforms to policy.
| Constraint | Nature of the violation |
|---|---|
| ABSOLUTHI | Interval for terminating a detached terminal process is higher than allowed by policy |
| ABSOLUTLO | Interval for terminating a detached terminal process is lower than allowed by policy |
The tests within this element determine whether the value of the TTY_TIMEOUT parameter conforms to policy.Default policy TTY_TIMEOUT must specify between 15 and 60 minutes. Customizing Wider range for TTY_TIMEOUT is rarely required. selector
| Constraint | Value | Default |
|---|---|---|
| ABSOLUTHI | 0-n | 3600 |
| ABSOLUTLO | 0-n | 900 |
| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTHI | 0-n | <node> |
| ABSOLUTLO | 0-n | <node> |
Comparison treats line-feed, carriage-return, line-feed and form-feed as equivalent to space. It also treats multiple spaces as equivalent to a single space and artifically inserts a space before and after any punctuation characters.
Determine whether VMS looks for SYSUAF in an alternate location.
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | System parameter UAFALT is 1 in violation of policy |
| REQUIRED | System parameter UAFALT is 0 in violation of policy |
If system parameter UAFALT is 1, VMS will define a logical name to specify that SYSUAF has an alternate name.Default policy The setting of UAFALT is immaterial. Customizing Use tests from this element to detect unauthorized methods of affecting choice between multiple SYSUAF files, including attempts to point to a non-existent file as part of a breakin attempt through physical access. selector
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | FALSE |
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
See if the VMS Version conforms to policy.
| Constraint | Nature of the violation |
|---|---|
| MATCH | VMS Version does not match that specified by policy |
| MAXIMUM | VMS Version is higher than allowed by policy |
| MINIMUM | VMS Version is lower than allowed by policy |
The tests within this element determine whether the VMS Version of the tributary node conforms to policy.Default policy There are no requirements. Customizing Use the constraints MAXIMUM and MINIMUM to check organizational requirements for particular VMS versions. selector
| Constraint | Value | Default |
|---|---|---|
| MATCH | 0-8 characters | null string |
| MAXIMUM | 0-8 characters | null string |
| MINIMUM | 0-8 characters | null string |
| Constraint | Value | Parameters |
|---|---|---|
| MATCH | 0-8 characters | <node> |
| MAXIMUM | 0-8 characters | <node> |
| MINIMUM | 0-8 characters | <node> |
See if the contents of the SYS$WELCOME message conform to policy.
| Constraint | Nature of the violation |
|---|---|
| CONTAINED | SYS$WELCOME message must be contained within the specified text |
| CONTAINS | SYS$WELCOME message must contain the specified text |
| MATCH | SYS$WELCOME message must match the specified text |
Compare the value of SYS$WELCOME (or the file to which it points) to the specified policy text. If the logical name points to a file that is not world readable, the message is consider to be null.Default policy There is no required text. Customizing Since the message might be considerably longer than a typical DCL command line, these tests allow a command line user to progressively specify text, starting each subsequent value with the character "+". selector
| Constraint | Value | Default |
|---|---|---|
| CONTAINED | 0-511 characters | none |
| CONTAINS | 0-511 characters | none |
| MATCH | 0-511 characters | none |
| Constraint | Value | Parameters |
|---|---|---|
| CONTAINED | 0-511 characters | <node> |
| CONTAINS | 0-511 characters | <node> |
| MATCH | 0-511 characters | <node> |
Comparison treats line-feed, carriage-return, line-feed and form-feed as equivalent to space. It also treats multiple spaces as equivalent to a single space and artifically inserts a space before and after any punctuation characters. While the SYS$WELCOME logical name mechanism (measured by WELCOME) can be customized on a per-username basis, the SYS$ANNOUNCE logical name mechanism (measured by ANNOUNCE) lends itself better to requirements that the message stay on a screen until explicit action is taken by the user. (The explicit action being the entering of a username.)
If you use tests from the element (VMS, ANNOUNCE, *), you should consider using the test (UAF, DISWELCOME, PROHIBITED).
Determine whether file header modifications are delayed in being written to disk.
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | System parameter WRITEBACK is 1 in violation of policy |
| REQUIRED | System parameter WRITEBACK is 0 in violation of policy |
These tests check the VMS system parameter ACP_WRITEBACK, which controls whether file header writes are deferred. Deferring writebacks (the VMS default) increases the chance that data written to disk could not be recovered after a system crash.Default policy Both tests are off, due to the conflicting practical considerations outlined below, including the political impact of affecting performance for security purposes. Customizing If your policy is to avoid deferred writeback, set (VMS, WRITEBACK, PROHIBITED) to be true. If your policy is to defer writeback, set (VMS, WRITEBACK, REQUIRED) to be TRUE. selector
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | TRUE |
| REQUIRED | FALSE or TRUE | FALSE |
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
By default, VMS enabled deferred writeback of file headers, so prohibiting it by policy will result in considerable interaction with various system administrators to either get writeback disabled or reach agreement that an exemption for a particular node should be added to the policy.
In tight capacity situations, disabling deferred writebacks might be enough to push a system over the knee of a performance curve. If the result prolongs operations significantly, it could increase the window between file updates and the corresponding file header updates, exacerbating the very condition it was meant to alleviate!
This chapter discusses the uses of policy modification.
7.1 Disables
The primary use of disables is to save execution time by avoiding testing of an entire facility. If one of your nodes has an extremely large User Authorization File, for instance, you might choose to test it only once per day, while testing other facilities at the start of each 8 hour shift.
No capability is provided to disable particular tests within a facility, because the time-consuming portion of the testing process is getting the raw information, such as user authorization or file data, which is done once per data item for all the tests in a facility. For instance, once information about a particular file has been retrieved from VMS, the number of tests applied to it in memory does not have a significant effect on performance. Of course, the number of tests failed, and thus the number of violation records written, can affect performance.
Newly created policies have all facilities enabled by default.
7.1.1 Using the /METHOD=QUICK qualifier
The most common candidate facilities for disabling are those that involve extensive disk reading, such as the DISK facility that reads protection information for all files and the USAGE facility that reads all available audit logs.
But those who want to disable those facilities often want to do it only some of the time, perhaps as part of a more frequent assessment that shares a policy with a less frequent more thorough assessment. Rather than constantly modifying the policy disable to first prevent and then allow those facilities to run, you will probably want to use the /METHOD=QUICK qualifier on one of two commands:
Limits are the cornerstone of policies, setting the basic criteria by which nodes will be assessed. As supplied, LJK/Security provides a default set of limits for each policy you create, but after you have used the software for a while it is likely you will want to make some changes to suit your own organization's needs.
Newly created policies have a default value for each limit, either taken from the policy named DEFAULT or from the factory defaults. When you customize a policy by changing particular limits, all other limits retain their value unless you change them.
In general comments applied to limits (and as a special case, exemptions for tests (DISK, CHECKPROT, *)) are included in violation reports created by LJK/Security. As such they can be used to indicate the authority requiring a particular limit setting, such as a particular internal memo or some external requirement such as a particular control listed in NIST Special Publication 800-53.
In contrast, most comments applied to disables or to exemptions just provide a record for those inspecting why particular settings were made.
The major exception to the above general description is tests in the (DISK, CHECKPROT) element. For that element, comments associated with limits just provide a record for those inspecting settings, while comments associated with exemptions are included in violation reports.
Disabling tests entirely is only done on a facility-wide basis through
the
use of disables (see Section 7.1), but the same
effect can be achieved by setting tests to be totally permissive, as is
done by the command procedure described in Section K.1.1, POLICY_NULL.COM.
7.3 Exemptions
Exemptions provide a finer control over reporting of assessment results, allowing for policy deviations in specific cases. 1
Certain exemptions are normal, since the conditions they permit are required for normal operation of VMS. These exemptions are not automatically generated by LJK/Security software, since LJK Software believes that sites should always be aware of all exemptions added to their policies. Exemptions LJK Software has identified that most sites will want to add are:
1 Except for Disk tests, exemption processing is done when receiving results on the master node. Thus no processing time is consumed on the tributary nodes due to a long list of exemptions. |
The audit history mechanism can be used to show when changes were made
to
your policies. Preservation of this audit history is the reason why
LJK/Security provides no command to delete a policy
or an assessment.
7.5 Tri-valued logic
Some tests take limit and exemption values using tri-valued logic:
Many elements have tests for exactly two boolean constraints, PROHIBITED and REQUIRED. With these two boolean tests, there are four possible limit settings:
| Value of REQUIRED limit | Value of PROHIBITED limit | |
|---|---|---|
| FALSE | TRUE | |
| FALSE | never report a violation | report violation if TRUE |
| TRUE | report violation if FALSE | always report violation |
Many elements have tests for exactly two numeric
constraints, ABSOLUTLO and ABSOLUTHI. If the
limits for these
two numeric tests are set such that the ABSOLUTHI
limit is lower than the ABSOLUTLO
limit, the result is to report
violations in all cases, similar
to setting both limits TRUE as described in
Section 7.6.
7.8 Policy Performance Considerations
There are three major areas where the performance of LJK/Security is drastically affected by policy choices:
Finally, violation processing in general is slow. It is better to run a less ambitious policy until the most outrageous security errors are brought under control.
| Previous | Next | Contents | Index |