LJK/Security Reference Manual




MESSAGE

Determine whether generation of user message accounting records conforms to policy.

Violation reports

Constraint   Nature of the violation
PROHIBITED   Message accounting is enabled in violation of policy
REQUIRED     Message accounting is disabled in violation of policy

Description

Use of the qualifier /ENABLE=MESSAGE with the SET ACCOUNTING command causes user message records to be written to the VMS accounting file.

Default policy

Enabling of message accounting is required.

Customizing

Set limit REQUIRED to be FALSE to remove the general requirement that message accounting be enabled.

Limits

Constraint   Value           Default
PROHIBITED   FALSE or TRUE   FALSE
REQUIRED     FALSE or TRUE   TRUE

Exemptions

Constraint   Value           Parameters
PROHIBITED   FALSE or TRUE   <node>
REQUIRED     FALSE or TRUE   <node>

Practical considerations

User message records are used to record application-specific information in the accounting file.

NETWORK

Determine whether generation of network process termination accounting records conforms to policy.

Violation reports

Constraint   Nature of the violation
PROHIBITED   Network accounting is enabled in violation of policy
REQUIRED     Network accounting is disabled in violation of policy

Description

Use of the qualifier /ENABLE=NETWORK with the SET ACCOUNTING command causes process or image termination records for network jobs to be written to the VMS accounting file (only if /ENABLE=IMAGE or /ENABLE=PROCESS has also been specified).

Default policy

Enabling of network accounting is required.

Customizing

Set limit REQUIRED to be FALSE to remove the general requirement that network accounting be enabled.

Limits

Constraint   Value           Default
PROHIBITED   FALSE or TRUE   FALSE
REQUIRED     FALSE or TRUE   TRUE

Exemptions

Constraint   Value           Parameters
PROHIBITED   FALSE or TRUE   <node>
REQUIRED     FALSE or TRUE   <node>

Practical considerations

Accounting records provide more information regarding resource usage than logout security alarms.

PRINT

Determine whether generation of print job accounting records conforms to policy.

Violation reports

Constraint   Nature of the violation
PROHIBITED   Print accounting is enabled in violation of policy
REQUIRED     Print accounting is disabled in violation of policy

Description

Use of the qualifier /ENABLE=PRINT with the SET ACCOUNTING command causes print job records to be written to the VMS accounting file.

Default policy

Enabling of print accounting is required.

Customizing

Set limit REQUIRED to be FALSE to remove the general requirement that print accounting be enabled.

Limits

Constraint   Value           Default
PROHIBITED   FALSE or TRUE   FALSE
REQUIRED     FALSE or TRUE   TRUE

Exemptions

Constraint   Value           Parameters
PROHIBITED   FALSE or TRUE   <node>
REQUIRED     FALSE or TRUE   <node>

Practical considerations

Information regarding individual print jobs is not otherwise recorded by VMS.

PROCESS

Determine whether generation of process termination accounting records conforms to policy.

Violation reports

Constraint   Nature of the violation
PROHIBITED   Process accounting is enabled in violation of policy
REQUIRED     Process accounting is disabled in violation of policy

Description

Use of the qualifier /ENABLE=PROCESS with the SET ACCOUNTING command causes process termination records to be written to the VMS accounting file.

Default policy

Enabling of process accounting is required.

Customizing

Set limit REQUIRED to be FALSE to remove the requirement that process accounting be enabled.

Limits

Constraint   Value           Default
PROHIBITED   FALSE or TRUE   FALSE
REQUIRED     FALSE or TRUE   TRUE

Exemptions

Constraint   Value           Parameters
PROHIBITED   FALSE or TRUE   <node>
REQUIRED     FALSE or TRUE   <node>

Practical considerations

Recording process termination accounting records is generally accepted as a minimum requirement in cases where accounting is being used at all.

SUBPROCESS

Determine whether generation of subprocess termination accounting records conforms to policy.

Violation reports

Constraint   Nature of the violation
PROHIBITED   Subprocess accounting is enabled in violation of policy
REQUIRED     Subprocess accounting is disabled in violation of policy

Description

Use of the qualifier /ENABLE=SUBPROCESS with the SET ACCOUNTING command causes process or image termination records for subprocess jobs to be written to the VMS accounting file (only if /ENABLE=IMAGE or /ENABLE=PROCESS has also been specified).

Default policy

Enabling of subprocess accounting is required.

Customizing

Set limit REQUIRED to be FALSE to remove the general requirement that subprocess accounting be enabled.

Limits

Constraint   Value           Default
PROHIBITED   FALSE or TRUE   FALSE
REQUIRED     FALSE or TRUE   TRUE

Exemptions

Constraint   Value           Parameters
PROHIBITED   FALSE or TRUE   <node>
REQUIRED     FALSE or TRUE   <node>

Practical considerations

Accounting records provide more information regarding resource usage than logout security alarms.

6.2 AUDIT Tests

Tests in the AUDIT facility deal with parameters used to control the use of VMS security auditing features on a machine.

Exemptions are based on node name.

VMS Treatment of Alarms vs. Audits

Starting with VMS V5.4 there have been separate controls for Alarms and Audits provided by the operating system. Prior to that, the only mechanism for retaining a record of security events on disk was the Operator Log File (SYS$MANAGER:OPERATOR.LOG). While the data related to security events could be extracted with the Audit Reduction Facility command procedure (SYS$MANAGER:SECAUDIT.COM), VMS still recorded all data as Alarms (not Audits) and there was no way to separate which security events called for immediate human attention (Alarms) versus those which only needed to be recorded for possible later review (Audits).

LJK/Security Treatment of Alarms vs. Audits

Elements described in this chapter often have separate Constraints for Alarm controls and Audit controls. For example, a typical list of Constraints might be:

Because only alarms (not audits) were supported under VMS versions prior to V5.4, the AUREQUIRE constraint often offers three choices for your security assessment requirements: FALSE, TRUE or TRY. The TRY value requires that the control be enabled on VMS versions where it exists (V5.4 and above), but reports no violation on VMS versions where it does not exist.

The TRY value is also available for certain alarms (not audits) that were provided only in particular versions of VMS.
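As an added illustration (not code from the LJK/Security manual or product), the following Python sketch evaluates the ALPROHIBIT/ALREQUIRE/AUPROHIBIT/AUREQUIRE model with the limits, per-node exemptions and TRY semantics described above. The Node class, the V5.4 threshold applied to audits, and the sample cluster are assumptions of this example.

```python
# Added example, not LJK/Security code: evaluates one element's constraints
# for one node using the limits / exemptions / TRY semantics described above.
from dataclasses import dataclass, field

AUDITS_FROM = (5, 4)  # separate audit (vs. alarm) controls exist from VMS V5.4

@dataclass
class Node:  # assumed data model: what SET AUDIT currently has enabled on a node
    name: str
    vms_version: tuple                         # e.g. (5, 3) or (6, 1)
    alarms: set = field(default_factory=set)   # /ALARM /ENABLE= keywords in effect
    audits: set = field(default_factory=set)   # /AUDIT /ENABLE= keywords in effect

# (constraint, which control it governs, whether it forbids the control)
CONSTRAINTS = (("ALPROHIBIT", "alarms", True), ("ALREQUIRE", "alarms", False),
               ("AUPROHIBIT", "audits", True), ("AUREQUIRE", "audits", False))

def check_element(element, node, limits, exemptions=None):
    """Return the violation reports for one element (e.g. "ACL") on one node.
    limits:     {"AUREQUIRE": True | False | "TRY", ...}  the general rule
    exemptions: {"AUREQUIRE": {"NODEB", ...}, ...}        nodes excused from it
    """
    exemptions = exemptions or {}
    reports = []
    for constraint, kind, forbids in CONSTRAINTS:
        value = limits.get(constraint, False)
        if value is False or node.name in exemptions.get(constraint, set()):
            continue
        # TRY: enforce only where the control exists (audits need V5.4+); older nodes skip
        if value == "TRY" and kind == "audits" and node.vms_version < AUDITS_FROM:
            continue
        enabled = element in getattr(node, kind)
        if enabled == forbids:
            state = "enabled" if enabled else "disabled"
            reports.append(f"{element} security {kind} are {state} in violation of policy")
    return reports

def check_fleet(element, nodes, limits, exemptions=None):
    """Map node name -> violation reports across a whole assessment."""
    return {n.name: check_element(element, n, limits, exemptions) for n in nodes}

if __name__ == "__main__":
    # Constructed sample: mixed-version cluster, ACL audits required via TRY,
    # ACL alarms prohibited everywhere except the exempted lab node.
    fleet = [Node("OLDVAX", (5, 3), alarms={"ACL"}),
             Node("NEWVAX", (6, 1), alarms={"ACL"}),
             Node("LABVAX", (7, 3), audits={"ACL"})]
    limits = {"AUREQUIRE": "TRY", "ALPROHIBIT": True}
    for name, found in check_fleet("ACL", fleet, limits, {"ALPROHIBIT": {"LABVAX"}}).items():
        print(name, found or "conforms")
```

With these inputs the V5.3 node is silently skipped by the TRY rule, while the V6.1 node is reported for missing ACL audits; replacing TRY with TRUE would report the V5.3 node as well.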


ACL

Determine whether auditing for events requested by access control list entries conforms to policy.

Violation reports

Constraint   Nature of the violation
ALPROHIBIT   ACL security alarms are enabled in violation of policy
ALREQUIRE    ACL security alarms are disabled in violation of policy
AUPROHIBIT   ACL security audits are enabled in violation of policy
AUREQUIRE    ACL security audits are disabled in violation of policy

Description

Use of the qualifier /ENABLE=ACL with the SET AUDIT/ALARM or SET AUDIT/AUDIT command causes the corresponding reporting when any user has requested it. Users make that request by placing a Security Alarm Access Control Entry in the Access Control List of some object (file, global section, etc.).

Default policy

Enabling of ACL security alarms and audits is neither prohibited nor required.

Customizing

Set limits TRUE to establish a general prohibition of or requirement for the enabling of ACL security auditing. Then establish exemptions for any individual nodes which are not to be subjected to the general rule.

Limits

Constraint   Value                Default
ALPROHIBIT   FALSE or TRUE        FALSE
ALREQUIRE    FALSE or TRUE        FALSE
AUPROHIBIT   FALSE or TRUE        FALSE
AUREQUIRE    FALSE, TRUE or TRY   FALSE

Exemptions

Constraint   Value                Parameters
ALPROHIBIT   FALSE or TRUE        <node>
ALREQUIRE    FALSE or TRUE        <node>
AUPROHIBIT   FALSE or TRUE        <node>
AUREQUIRE    FALSE, TRUE or TRY   <node>

Practical considerations

Enabling ACL security alarms gives individual users the power to cause the generation of unlimited alarms, potentially swamping more significant alarms from other sources. Enabling ACL security audits gives individual users the power to consume unlimited disk space in the audit logs, but typically does not cause extra work for the security officer.

AUDILLFOR

Determine whether enabling of alarms or audits for ill-formed audit events conforms to policy.

Violation reports

Constraint   Nature of the violation
ALPROHIBIT   Ill-formed audit security alarms are enabled in violation of policy
ALREQUIRE    Ill-formed audit security alarms are disabled in violation of policy
AUPROHIBIT   Ill-formed audit security audits are enabled in violation of policy
AUREQUIRE    Ill-formed audit security audits are disabled in violation of policy

Description

Use of the qualifier /ENABLE=AUDIT=ILLFORMED with the SET AUDIT/ALARM or SET AUDIT/AUDIT command causes the corresponding reporting when an ill-formed call to cause an audit is made by an internal VMS component.

Default policy

Enabling of Ill-formed audit security alarms and audits is neither prohibited nor required.

Customizing

Set limits TRUE to establish a general prohibition of or requirement for the enabling of Ill-formed audit security alarms or audits. Then establish exemptions for any individual nodes which are not to be subjected to the general rule.

Limits

Constraint   Value                Default
ALPROHIBIT   FALSE or TRUE        FALSE
ALREQUIRE    FALSE, TRUE or TRY   FALSE
AUPROHIBIT   FALSE or TRUE        FALSE
AUREQUIRE    FALSE, TRUE or TRY   FALSE

Exemptions

Constraint   Value                Parameters
ALPROHIBIT   FALSE or TRUE        <node>
ALREQUIRE    FALSE, TRUE or TRY   <node>
AUPROHIBIT   FALSE or TRUE        <node>
AUREQUIRE    FALSE, TRUE or TRY   <node>

Practical considerations

The corresponding audits and alarms are enabled on VMS by default, and cause no extra burden on a properly running system.

AUDIT

Determine whether auditing for events resulting from the SET AUDIT command conforms to policy.

Violation reports

Constraint   Nature of the violation
ALPROHIBIT   Audit security alarms are enabled in violation of policy
ALREQUIRE    Audit security alarms are disabled in violation of policy
AUPROHIBIT   Audit security audits are enabled in violation of policy
AUREQUIRE    Audit security audits are disabled in violation of policy

Description

Use of the qualifier /ENABLE=AUDIT with the SET AUDIT/ALARM or SET AUDIT/AUDIT command causes the corresponding reporting when the SET AUDIT command is used.

Effective with VMS V5.2, such alarms are always generated, and are not controlled by the SET AUDIT command.

Default policy

Enabling of Audit security alarms and audits is required.

Customizing

Set limit ALREQUIRE FALSE to remove the requirement for the enabling of Audit security alarms.

Set limit ALPROHIBIT TRUE to prohibit the enabling of Audit security alarms on versions of VMS prior to V6.0. On VMS V6.0 and later there is no way to disable the auditing of the SET AUDIT command. If you are running mixed versions of VMS and want to prohibit the auditing of SET AUDIT on whatever versions where it is possible, set limit AUPROHIBIT to the value TRY.

Limits

Constraint   Value                Default
ALPROHIBIT   FALSE, TRUE or TRY   FALSE
ALREQUIRE    FALSE or TRUE        TRUE
AUPROHIBIT   FALSE, TRUE or TRY   FALSE
AUREQUIRE    FALSE, TRUE or TRY   TRUE

Exemptions

Constraint   Value                Parameters
ALPROHIBIT   FALSE, TRUE or TRY   <node>
ALREQUIRE    FALSE or TRUE        <node>
AUPROHIBIT   FALSE, TRUE or TRY   <node>
AUREQUIRE    FALSE, TRUE or TRY   <node>

Practical considerations

The recording of Audit events is essential to verify the completeness of the other events which are recorded.

AUTHENT

Determine whether enabling of alarms or audits for authentication events conforms to policy.

Violation reports

Constraint   Nature of the violation
ALPROHIBIT   Authentication security alarms are enabled in violation of policy
ALREQUIRE    Authentication security alarms are disabled in violation of policy
AUPROHIBIT   Authentication security audits are enabled in violation of policy
AUREQUIRE    Authentication security audits are disabled in violation of policy

Description

The corresponding auditing is not supported as of VMS V7.3.

Default policy

Enabling of Authentication security alarms and audits is neither prohibited nor required.

Customizing

Set limits TRUE to establish a general prohibition of or requirement for the enabling of Authentication security alarms or audits. Then establish exemptions for any individual nodes which are not to be subjected to the general rule.

Limits

Constraint   Value                Default
ALPROHIBIT   FALSE or TRUE        FALSE
ALREQUIRE    FALSE, TRUE or TRY   FALSE
AUPROHIBIT   FALSE or TRUE        FALSE
AUREQUIRE    FALSE, TRUE or TRY   FALSE

Exemptions

Constraint   Value                Parameters
ALPROHIBIT   FALSE or TRUE        <node>
ALREQUIRE    FALSE, TRUE or TRY   <node>
AUPROHIBIT   FALSE or TRUE        <node>
AUREQUIRE    FALSE, TRUE or TRY   <node>

Practical considerations

As of V7.3, VMS does not provide a method to enable auditing or alarms for these events.

