LJK/Security Reference Manual
STOP
Stop the collection of security data from tributary nodes.
Format
$ LJK/SECURITY STOP -
      assessment-name
or
LJKS STOP -
      assessment-name
| Command Qualifiers | Defaults |
| None.              | None.    |
Restrictions
- You must have the facility-specific identifier
LJK$SECURITY_ROLE_OPERATE,
LJK$SECURITY_STOP or LJK$SECURITY_ALL.
- On systems prior to VAX VMS V6.0 or systems which do not have a
Rights Database (RIGHTSLIST.DAT),
you must have the SECURITY privilege.
Parameters
assessment-name
Name of the assessment.
Description
Stop the collection of security data from tributary nodes.
This does not affect future scheduled runs of the specified assessment; removing those is done with the CANCEL command.
Qualifiers
None.
Example
$ LJK/SECURITY STOP MY_SPECIAL
Stop the current collection of assessment MY_SPECIAL from remote nodes.
Tests
For a complete list of automatic tests performed by
LJK/Security, read:
Chapter 6
LJK/Security Automatic Tests
This chapter lists each of the tests that can be performed by LJK/Security for the Automatic method.
Specification of tests
Each LJK/Security test is specified by a set of three
names: facility, element, and
constraint.
- Facility
Section of VMS or layered product being tested (see Note 1).
- Element
Particular parameter or security-relevant item being tested.
- Constraint
Exact condition being tested (value too low, value too high, etc.).
Modification mechanism
As explained in Section 1.4.4 and Chapter 7, the two
policy items associated
with individual tests are limits and
exemptions. The exact method for making a modification
depends
on which interface you are using, as described elsewhere in this manual:
- Window Interface - A Policy Dialog Box created using techniques
described in Chapter 3
- Menu Interface - The CUSTOMIZE menu accessed using techniques
described in Chapter 4
- Command Interface - The MODIFY POLICY command described in
Chapter 5
Items which can be modified
Using the appropriate modification technique, the following
policy
items can be modified for individual tests:
- Value
For a limit, this is a standard against which comparison is made on the tributary node.
For an exemption, this is a relaxed standard against which suspected violations are compared on the master node. If an aspect of the tributary node violates a limit when compared on the tributary node but is then allowed by an exemption on the master node, no violation is reported. In some cases, evaluation of exemptions may take place on the tributary node to reduce the amount of violation data which must be transferred.
- Parameters (only for exemptions)
For an exemption, these specify under what condition the exemption will apply. The first parameter is always the (possibly wildcarded) node name. The meaning of the second parameter differs according to the facility to which the test belongs:
- DEVICE tests
the device name (possibly wildcarded)
- DISK tests
the volume name or file specification (possibly wildcarded)
File
specifications can also be in the form of:
- AUDIT_LOG=SECURITY (or any other VMS-supported Audit Log)
The
specified filespec for the named audit log (usually SECURITY)
- SYSTEM=PARAMETER
Specifies in an architecture-independent
fashion, the architecture-specific VMS system parameter file
(VAX=SYS$SYSTEM:VAXVMSSYS.PAR, AXP=SYS$SYSTEM:ALPHAVMSSYS.PAR).
- FILE=<filespec>
This is just a more verbose way of
specifying a filespec
- LOGICAL,DEFAULT
The logical name is used with the default file
specification indicated
- TERM tests
the device name (possibly wildcarded)
- UAF tests
the username (possibly wildcarded)
- USAGE tests
absolute or earliest time ("1-Mar-2005:21:35:15.00" or
"<=1-Mar-2005:21:35:15.00")
- QUEUE tests
the queue name (possibly wildcarded)
- Selector (optional, but only for certain
tests)
For certain tests (listed in the next section), a
selector specifies a subdivision of the
test on a further basis.
Use of selectors
Certain test values are actually multi-valued based on an additional variable called a selector. Each entry below names the facility, the element or elements, and the constraint or constraints to which the selector applies:
- AUDIT, BREAKIN and LOGIN and LOGFAIL and LOGOUT, ALPROHIBIT and
ALREQUIRE and AUPROHIBIT and AUREQUIRE
The selector is the name of a VMS process type:
BATCH, DIALUP, LOCAL, REMOTE, NETWORK, SUBPROCESS or DETACHED, except
that BATCH and SUBPROCESS are not applicable to BREAKIN.
- AUDIT, BYPASS and DOWNGRADE and FAILURE and GRPPRV and READALL and
SUCCESS and SYSPRV and UPGRADE, ALPROHIBIT and ALREQUIRE and AUPROHIBIT
and AUREQUIRE
The selector is the name of a VMS access type:
READ, WRITE, EXECUTE, DELETE or CONTROL. LOGICAL and PHYSICAL access to
devices are indicated by EXECUTE and DELETE respectively.
- AUDIT, PRVFAIL and PRVSUCC, ALPROHIBIT and ALREQUIRE and AUPROHIBIT
and AUREQUIRE
The selector is the name of a VMS privilege.
- DEVICE, PROTECTION, PERCENTLO and PERCENTHI
The selector is the name of a VMS device access
type: READ, WRITE, LOGICAL, PHYSICAL or CONTROL.
- DISK, PROTECTION, PERCENTLO and PERCENTHI
The selector is the name of a VMS device access
type: READ, WRITE, LOGICAL, PHYSICAL or CONTROL.
- DISK, DBMSPROT and DIRPROT and FILEPROT and HELPPROT and MAILPROT
and NOTESPROT and RDBVMSPROT and SYSEXEPROT and CHECKPROT, PERCENTLO
and PERCENTHI
The selector is the name of a VMS file access
type: READ, WRITE, EXECUTE, DELETE or CONTROL.
- DISK, INSTPRIV, PRIVPROHIB
The selector is the name of a VMS privilege.
- TERM, AUTOLOGIN, PRIVPROHIB
The selector is the name of a VMS privilege.
- QUEUE, PROTECTION, PERCENTLO and PERCENTHI
The selector is the name of a VMS queue access
type: READ, SUBMIT, MANAGE, DELETE or CONTROL.
- TERM, PROTECTION, PERCENTLO and PERCENTHI
The selector is the name of a VMS device access
type: READ, WRITE, LOGICAL, PHYSICAL or CONTROL.
- UAF, DAYMUSTBE, PRIMARY and SECONDARY
The selector is the name of a day of the week.
- UAF, PRIVILEGE, AUTHREQUIR and AUTHPROHIB and DEFREQUIR and
DEFPROHIB and AUTHAUDIT and DEFAUDIT
The selector is the name of a VMS privilege.
- UAF, GRPNAM and GRPPRV and PRIVLGILAT and PRIVLGINET and PRIVLGIPRX
and PRIVLGIREM and PRIVLGITCP and PRIVLGIX29, PRIVPROHIB
The selector is the name of a VMS privilege.
- UAF, PWDGUESS, TRIES
The selector is the name of a VMS privilege or the
name of a VMS privilege level.
- UAF, PWDLIFE, ABSOLUTLO and ABSOLUTHI
The selector is the name of a VMS privilege or the
name of a VMS privilege level.
- UAF, PWDMINLEN, ABSOLUTLO and ABSOLUTHI
The selector is the name of a VMS privilege or the
name of a VMS privilege level.
- UAF, UICPRIV, PRIVPROHIB
The selector is the name of a VMS privilege.
- VMS, SYSTEMLGI, PROHIBITED and REQUIRED; UAF, ACCESS, (all constraints); UAF, PRIVLEVEL, ACCESSMAX and ACCESSMIN
The selector is one of the login types: LOCAL, DIALUP, REMOTE, NETWORK, or BATCH.
- VMS, SECPOLICY, PROHIBITED and REQUIRED
The selector is one of the security policy bits
introduced with VAX VMS v6.0: DPS, MULTIDECW, TRANSPORTS, CROSSJOB,
LOCPROFILE, LOCOBJECT, CAPTIVESPAWN, COMPRESSMAC, UPPERCASEINPUT,
GUARDPASSWORDS, DOIAUTHORIZATION, IGNOREEXTAUTH, INTRUSIONSLOCAL,
USEPOSIXUIDGID, ALLOWSYMLINKACCESS.
- AUDIT, ALARM, REPORT and RESPONSE
The selector is one of the operator classes used in the REQUEST command: CENTRAL, PRINTER, TAPES, DISKS, DEVICES, CARDS, NETWORK, CLUSTER, SECURITY, LICENSE (see Note 2), USER1, USER2, USER3, USER4, USER5, USER6, USER7, USER8, USER9, USER10, USER11, USER12
- USAGE, ASSESSMENT, CERTIFY and CLUSTER and CONTINUING and PERIODIC
The selector is one of the pseudo-facilities used
to track certain LJK/Security assessments: COMPENSATING_CONTROL,
INVASIVE_TESTING, MANUAL_EXAMINATION, INTERVIEW, SUBSYSTEM, ALLEXE,
ALLCOM, SYSEXE, SYSCOM, INSTPROT, INSTPRIV, INSTALLED or an
LJK/Security facility name UAF, VMS, DECNET, DEVICE, TERM, DISK, ACC,
AUDIT, QUEUE or USAGE.
For more information on the effect of a selector,
see the description of the individual tests later in this chapter.
Notes
1. Names may or may not correspond to VMS facility names.
2. The LICENSE type of operator message is not documented in the VMS documentation as late as V8.3.
6.1 ACC Tests
Tests in the ACC facility deal with use of VMS
Accounting features on a machine.
Exemptions are based on node name.
In establishing a policy for the ACC facility, it is important to be aware of the interaction between the VMS Accounting controls. Five of the controls select the types of processes for which accounting records are to be written:
- Batch
- Detached
- Interactive
- Network
- Subprocess
Those five controls are effective only in combination with one or both of the following controls, which specify the types of accounting records to be written:
- Image
- Process
Independent of the interaction between those seven controls, three other controls act on their own to govern the writing of specific types of accounting records:
- Login failure
- Message
- Print
The interaction between the first two groups of controls is one which historically has not been understood by many VMS system managers. That lack of understanding has been exploited by successful attackers to hide the fact that they have gained privileged access to a machine: with, for example, Batch enabled but neither Process nor Image, batch accounting appears to be on while no batch termination records are ever written. When checking a node, verify that at least one of Image or Process is enabled alongside any of the five process-type controls the policy requires.
The node name in an exemption for the ACC facility can
include standard VMS wildcard characters (% and *).
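The following is an added example, not LJK/Security code, written to show two things from this chapter together: how a boolean test is evaluated (a limit compared on the tributary node, then an exemption keyed by a wildcarded node name applied as a relaxed standard on the master), and the ACC interaction just described, in which a process-type control such as BATCH produces no records unless PROCESS or IMAGE is also enabled. The SHOW ACCOUNTING text it parses is constructed and only approximates the real command's layout; the node names, policy values and exemptions are hypothetical; and it assumes that any matching exemption is applied, since the page states no precedence rule among several matching exemptions.

```python
"""Added example (not LJK/Security code): evaluate the ACC BATCH, DETACHED and
IMAGE tests against limits and node-wildcarded exemptions, judging either the
raw SET ACCOUNTING flag or the state that is actually effective."""
import re

# Constructed sample of `$ SHOW ACCOUNTING` output (layout approximated): a node
# where BATCH and DETACHED are enabled but neither PROCESS nor IMAGE is, so no
# batch or detached termination records are ever written.
SHOW_ACCOUNTING_TRAP = """\
Accounting is currently enabled to log the following activities:

  BATCH          batch job termination
  DETACHED       detached job termination
  LOGIN_FAILURE  login failures

Log file is SYS$MANAGER:ACCOUNTNG.DAT
"""

# Constructed: the same node after SET ACCOUNTING /ENABLE=PROCESS.
SHOW_ACCOUNTING_FIXED = SHOW_ACCOUNTING_TRAP.replace(
    "  LOGIN_FAILURE", "  PROCESS        any process termination\n  LOGIN_FAILURE")

SELECTIVE = ("BATCH", "DETACHED", "INTERACTIVE", "NETWORK", "SUBPROCESS")
RECORD_TYPES = ("IMAGE", "PROCESS")          # one of these must be on for SELECTIVE to matter
INDEPENDENT = ("LOGIN_FAILURE", "MESSAGE", "PRINT")


def parse_show_accounting(text):
    """Return the set of enabled controls named in SHOW ACCOUNTING output."""
    known = set(SELECTIVE + RECORD_TYPES + INDEPENDENT)
    found = set()
    for line in text.splitlines():
        m = re.match(r"\s+([A-Z_]+)\b", line)      # indented keyword lines only
        if m and m.group(1) in known:
            found.add(m.group(1))
    return found


def effective(enabled):
    """Which controls actually produce records: a process-type control needs
    PROCESS or IMAGE as well; record-type and independent controls stand alone."""
    writes_termination = bool(enabled & set(RECORD_TYPES))
    eff = {c: (c in enabled and writes_termination) for c in SELECTIVE}
    eff.update({c: c in enabled for c in RECORD_TYPES + INDEPENDENT})
    return eff


def vms_wild_match(pattern, name):
    """VMS-style wildcard match: % is one character, * any run, case-insensitive."""
    rx = "".join(".*" if ch == "*" else "." if ch == "%" else re.escape(ch) for ch in pattern)
    return re.fullmatch(rx, name, re.IGNORECASE) is not None


def violates(constraint, standard, observed):
    """Boolean-test semantics: a TRUE REQUIRED standard is violated when the
    feature is off; a TRUE PROHIBITED standard is violated when it is on."""
    if not standard:
        return False
    return (not observed) if constraint == "REQUIRED" else observed


def evaluate(observed, limits, exemptions, node):
    """limits: {constraint: bool}, compared on the tributary node.
    exemptions: [(constraint, bool, node_pattern)], the relaxed standard the
    master compares a suspected violation against. Returns the constraints still
    violated (assumption: every exemption whose node pattern matches applies)."""
    reported = []
    for constraint in ("PROHIBITED", "REQUIRED"):
        if not violates(constraint, limits.get(constraint, False), observed):
            continue                                   # tributary: no suspected violation
        relaxed = [v for c, v, pat in exemptions
                   if c == constraint and vms_wild_match(pat, node)]
        if relaxed and not any(violates(constraint, v, observed) for v in relaxed):
            continue                                   # master: allowed by an exemption
        reported.append(constraint)
    return reported


# Hypothetical policy mirroring the page's defaults (BATCH and DETACHED required,
# IMAGE neither required nor prohibited) plus an exemption for LAB* nodes.
POLICY = {
    "BATCH":    {"REQUIRED": True,  "PROHIBITED": False},
    "DETACHED": {"REQUIRED": True,  "PROHIBITED": False},
    "IMAGE":    {"REQUIRED": False, "PROHIBITED": False},
}
EXEMPTIONS = {
    "BATCH":    [("REQUIRED", False, "LAB*")],
    "DETACHED": [("REQUIRED", False, "LAB*")],
    "IMAGE":    [],
}


def assess(show_accounting_text, node, strict=True):
    """Run the three ACC tests for one node. strict=True judges the effective
    state (the one an attacker cares about); strict=False judges the raw flag,
    as a naive check would."""
    enabled = parse_show_accounting(show_accounting_text)
    state = effective(enabled) if strict else {c: c in enabled for c in POLICY}
    return {elem: evaluate(state[elem], POLICY[elem], EXEMPTIONS[elem], node)
            for elem in POLICY}


if __name__ == "__main__":
    for node in ("PRD01", "LAB07"):
        print(node, "naive :", assess(SHOW_ACCOUNTING_TRAP, node, strict=False))
        print(node, "strict:", assess(SHOW_ACCOUNTING_TRAP, node))
        print(node, "fixed :", assess(SHOW_ACCOUNTING_FIXED, node))
```

On the trap configuration the naive check passes every node, while the strict check reports REQUIRED violations for BATCH and DETACHED on PRD01 and suppresses them on LAB07 through the LAB* exemption; enabling PROCESS clears both.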
BATCH
Determine whether generation of Batch process termination accounting
records conforms to policy.
Violation reports
| Constraint | Nature of the violation                             |
| PROHIBITED | Batch accounting is enabled in violation of policy  |
| REQUIRED   | Batch accounting is disabled in violation of policy |
Description
Use of the qualifier /ENABLE=BATCH with the SET ACCOUNTING command causes process or image termination records for batch jobs to be written to the VMS accounting file (only if /ENABLE=IMAGE or /ENABLE=PROCESS has also been specified).
Default policy
Enabling of batch accounting is required
Customizing
Set limit REQUIRED to be FALSE to remove the general
requirement that batch accounting be enabled
Selector
None.
Limits
| Constraint | Value         | Default |
| PROHIBITED | FALSE or TRUE | FALSE   |
| REQUIRED   | FALSE or TRUE | TRUE    |
Exemptions
| Constraint | Value         | Parameters |
| PROHIBITED | FALSE or TRUE | <node>     |
| REQUIRED   | FALSE or TRUE | <node>     |
Practical considerations
Accounting records provide more information regarding resource usage than logout security alarms.
DETACHED
Determine whether generation of detached process termination accounting
records conforms to policy.
Violation reports
| Constraint | Nature of the violation                                |
| PROHIBITED | Detached accounting is enabled in violation of policy  |
| REQUIRED   | Detached accounting is disabled in violation of policy |
Description
Use of the qualifier /ENABLE=DETACHED with the SET ACCOUNTING command causes process or image termination records for detached jobs to be written to the VMS accounting file (only if /ENABLE=IMAGE or /ENABLE=PROCESS has also been specified).
Default policy
Enabling of detached accounting is required
Customizing
Set limit REQUIRED to be FALSE to remove the general
requirement that detached accounting be enabled
Selector
None.
Limits
| Constraint | Value         | Default |
| PROHIBITED | FALSE or TRUE | FALSE   |
| REQUIRED   | FALSE or TRUE | TRUE    |
Exemptions
| Constraint | Value         | Parameters |
| PROHIBITED | FALSE or TRUE | <node>     |
| REQUIRED   | FALSE or TRUE | <node>     |
Practical considerations
Accounting records provide more information regarding resource usage than logout security alarms.
IMAGE
Determine whether generation of image termination accounting records
conforms to policy.
Violation reports
| Constraint | Nature of the violation                             |
| PROHIBITED | Image accounting is enabled in violation of policy  |
| REQUIRED   | Image accounting is disabled in violation of policy |
Description
Use of the qualifier /ENABLE=IMAGE with the SET ACCOUNTING command causes image termination records to be written to the VMS accounting file.
Default policy
Enabling of image accounting is neither prohibited nor
required
Customizing
Set limit REQUIRED to be TRUE to
add a general requirement that image accounting be enabled
Selector
None.
Limits
| Constraint | Value         | Default |
| PROHIBITED | FALSE or TRUE | FALSE   |
| REQUIRED   | FALSE or TRUE | FALSE   |
Exemptions
| Constraint | Value         | Parameters |
| PROHIBITED | FALSE or TRUE | <node>     |
| REQUIRED   | FALSE or TRUE | <node>     |
Practical considerations
Recording image termination accounting records
greatly increases the disk space needed for the accounting file.