LJK/Security Reference Manual
FAILWAIT
Determine whether specification of WAIT when security alarms cannot be
generated conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|------------|-------------------------|
| PROHIBITED | WAIT on failure is specified in violation of policy |
| REQUIRED | WAIT on failure is not specified in violation of policy |
Description
Use of the qualifier /FAILURE_MODE=WAIT with the SET AUDIT command
causes the system to wait for resources when security event information
cannot be written to the OPCOM mailbox (only in VMS V5.4 through V5.5).
Default policy
Specification of WAIT as the failure mode is neither
prohibited nor required
Customizing
Set limits TRUE
to establish a general prohibition of or requirement for WAIT as the
failure mode for security alarms. Then establish
exemptions for any individual nodes which are not to
be subjected to the general rule.
Set limit REQUIRED TRY to establish a requirement for
WAIT as the failure mode only for those versions of VMS (version 5.4
through 5.5) where such failure modes are supported.
Limits
| Constraint | Value | Default |
|------------|-------|---------|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE, TRUE or TRY | FALSE |
Exemptions
| Constraint | Value | Parameters |
|------------|-------|------------|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE, TRUE or TRY | <node> |
Practical considerations
If individual users have sufficient disk quota
to exhaust disk space on the volume where OPCOM logs are written, they
can force others into MWAIT if WAIT is the failure mode for security
alarms.
Likewise, if the amount of disk space available for writing OPCOM logs
is small, individual users could force a WAIT by maliciously generating
a large number of security alarms.
These possibilities for malicious interference increase the importance
of ensuring that all usernames established on VMS systems are assigned
to known individual users, rather than being shared.
FINCRASH
Determine whether specification of an Audit Server final action of
crashing the system when it runs out of buffer space conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|------------|-------------------------|
| PROHIBITED | CRASH action is specified in violation of policy |
| REQUIRED | CRASH action is not specified in violation of policy |
Description
Use of the value FINAL_ACTION=CRASH with the SET AUDIT/SERVER= command
causes the system to crash when the Audit Server runs out of buffer
space.
Default policy
Specification of CRASH as the final action is neither
prohibited nor required
Customizing
Set limits TRUE
to establish a general prohibition of or requirement for CRASH as the
final action for the Audit Server. Then establish
exemptions for any individual nodes which are not to
be subjected to the general rule.
Set limit REQUIRED TRY to establish a requirement for
CRASH as the final action only for those versions of VMS (version 6.0
and above) where such final actions are supported.
Limits
| Constraint | Value | Default |
|------------|-------|---------|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE, TRUE or TRY | FALSE |
Exemptions
| Constraint | Value | Parameters |
|------------|-------|------------|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE, TRUE or TRY | <node> |
Practical considerations
Specifying CRASH as the final action for the
Audit Server is only appropriate where the need for auditing is more
crucial than the need for continuity of service.
FINIGNORE
Determine whether specification of an Audit Server final action of
ignoring new events when it runs out of buffer space conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|------------|-------------------------|
| PROHIBITED | IGNORE_NEW action is specified in violation of policy |
| REQUIRED | IGNORE_NEW action is not specified in violation of policy |
Description
Use of the value FINAL_ACTION=IGNORE_NEW with the SET AUDIT/SERVER= command
causes the Audit Server to ignore new events when it runs out of buffer
space.
Default policy
Specification of IGNORE_NEW as the final action is
neither prohibited nor required
Customizing
Set
limits TRUE to establish a general prohibition of or
requirement for IGNORE_NEW as the final action for the Audit Server.
Then establish exemptions for any individual nodes
which are not to be subjected to the general rule.
Set limit REQUIRED TRY to establish a requirement for
IGNORE_NEW as the final action only for those versions of VMS (version
6.0 and above) where such final actions are supported.
Limits
| Constraint | Value | Default |
|------------|-------|---------|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE, TRUE or TRY | FALSE |
Exemptions
| Constraint | Value | Parameters |
|------------|-------|------------|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE, TRUE or TRY | <node> |
Practical considerations
If a particular factor caused the overflow of audit events, some initial
events from that factor will probably already have been processed, so
not all knowledge of a repeating event will be lost if IGNORE_NEW is
specified as the final action for the Audit Server.
FINPURGE
Determine whether specification of an Audit Server final action of
purging old events when it runs out of buffer space conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|------------|-------------------------|
| PROHIBITED | PURGE_OLD action is specified in violation of policy |
| REQUIRED | PURGE_OLD action is not specified in violation of policy |
Description
Use of the value FINAL_ACTION=PURGE_OLD with the SET AUDIT/SERVER= command
causes the Audit Server to purge old events when it runs out of buffer
space.
Default policy
Specification of PURGE_OLD as the final action is
neither prohibited nor required
Customizing
Set
limits TRUE to establish a general prohibition of or
requirement for PURGE_OLD as the final action for the Audit Server.
Then establish exemptions for any individual nodes
which are not to be subjected to the general rule.
Set limit REQUIRED TRY to establish a requirement for
PURGE_OLD as the final action only for those versions of VMS (version
6.0 and above) where such final actions are supported.
Limits
| Constraint | Value | Default |
|------------|-------|---------|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE, TRUE or TRY | FALSE |
Exemptions
| Constraint | Value | Parameters |
|------------|-------|------------|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE, TRUE or TRY | <node> |
Practical considerations
PURGE_OLD is the default Audit Server final
action as VMS ships.
FINRESTART
Determine whether specification of an Audit Server final action of
restarting the Audit Server when it runs out of buffer space conforms
to policy.
Violation reports
| Constraint | Nature of the violation |
|------------|-------------------------|
| PROHIBITED | RESTART action is specified in violation of policy |
| REQUIRED | RESTART action is not specified in violation of policy |
Description
Use of the value FINAL_ACTION=RESTART with the SET AUDIT/SERVER= command
causes the Audit Server to restart when it runs out of buffer space.
Default policy
Specification of RESTART as the final action is neither
prohibited nor required
Customizing
Set limits TRUE
to establish a general prohibition of or requirement for RESTART as the
final action for the Audit Server. Then establish
exemptions for any individual nodes which are not to
be subjected to the general rule.
Set limit REQUIRED TRY to establish a requirement for
RESTART as the final action only for those versions of VMS (version 6.0
and above) where such final actions are supported.
Limits
| Constraint | Value | Default |
|------------|-------|---------|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE, TRUE or TRY | FALSE |
Exemptions
| Constraint | Value | Parameters |
|------------|-------|------------|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE, TRUE or TRY | <node> |
Practical considerations
The RESTART action is not recommended in the
VMS Documentation.
GRPPRV
Determine whether auditing for events involving the use of GRPPRV
privilege conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|------------|-------------------------|
| ALPROHIBIT | GRPPRV security alarms are enabled in violation of policy |
| ALREQUIRE | GRPPRV security alarms are disabled in violation of policy |
| AUPROHIBIT | GRPPRV security audits are enabled in violation of policy |
| AUREQUIRE | GRPPRV security audits are disabled in violation of policy |
Description
Use of the qualifiers /CLASS=FILE and
/ENABLE=ACCESS=GRPPRV=(access,...) with the SET AUDIT/ALARM
or SET AUDIT/AUDIT command causes
the corresponding reporting when GRPPRV
privilege is used to obtain the specified type of access to files.
Tests for this element determine whether those audits
or alarms are enabled or not.
Default policy
Enabling of GRPPRV security alarms or audits is neither
prohibited nor required
Customizing
Set limits TRUE
to establish a general prohibition of or requirement for the enabling
of GRPPRV security auditing. Then establish exemptions
for any individual nodes which are not to be subjected to the general
rule.
Selector
Limits for this element can take a
selector consisting of a VMS access type: READ, WRITE,
EXECUTE, DELETE or CONTROL. LOGICAL and PHYSICAL access to devices are
indicated by EXECUTE and DELETE respectively.
Thus, each limit can be set once for each possible
access type. If you do not specify a selector when
changing limits, your change applies to all access
types.
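As an added example, not code from LJK/Security or its manual, the following Python models how the FALSE/TRUE/TRY limit values and per-node exemptions described in the Customizing sections, together with the access-type selector described above, combine into the violation reports the tables list. It assumes a single generic PROHIBITED/REQUIRED constraint pair (the ALPROHIBIT/ALREQUIRE and AUPROHIBIT/AUREQUIRE pairs follow the same pattern), a constructed (major, minor) VMS version encoding, and that an exemption evaluating to TRUE removes the node from the general rule.

```python
# Added example, not LJK/Security's own code: models how a limit value
# (FALSE, TRUE or TRY), a per-node exemption and an optional access-type
# selector combine into the violation reports this manual lists.

# Version windows stated in the element descriptions; the (major, minor)
# encoding and the open upper bound (99, 99) are constructed here.
SUPPORTED = {"FAILWAIT": ((5, 4), (5, 5)), "FINCRASH": ((6, 0), (99, 99))}

def effective(value, element, version):
    """TRY acts as TRUE only on versions where the feature exists, else FALSE."""
    if value != "TRY":
        return value
    lo, hi = SUPPORTED.get(element, ((0, 0), (99, 99)))
    return "TRUE" if lo <= version <= hi else "FALSE"

def violations(element, node, version, observed, limits, exemptions):
    """Violation messages for one node.
    observed:   {selector: bool}; {None: bool} for elements without a selector.
    limits:     {(constraint, selector): value}; selector None = all access types.
    exemptions: {(constraint, node): value}; assumption: an effectively TRUE
                exemption removes the node from that constraint's general rule."""
    reports = []
    for constraint in ("PROHIBITED", "REQUIRED"):
        if effective(exemptions.get((constraint, node), "FALSE"), element, version) == "TRUE":
            continue
        for sel, present in observed.items():
            value = limits.get((constraint, sel), limits.get((constraint, None), "FALSE"))
            if effective(value, element, version) != "TRUE":
                continue
            label = element if sel is None else f"{element} {sel}"
            if constraint == "PROHIBITED" and present:
                reports.append(f"{label} is specified in violation of policy")
            elif constraint == "REQUIRED" and not present:
                reports.append(f"{label} is not specified in violation of policy")
    return reports

def demo():
    """Constructed two-node cluster: FAILWAIT with REQUIRED=TRY on mixed VMS
    versions, and a GRPPRV-style READ limit with NODEB exempted."""
    fleet = {"NODEA": (5, 5), "NODEB": (6, 1)}
    failwait = [v for n, ver in fleet.items() for v in violations(
        "FAILWAIT", n, ver, {None: False}, {("REQUIRED", None): "TRY"}, {})]
    grp = {"NODEA": {"READ": True, "WRITE": True}, "NODEB": {"READ": True}}
    grpprv = [v for n, ver in fleet.items() for v in violations(
        "GRPPRV", n, ver, grp[n], {("PROHIBITED", "READ"): "TRUE"},
        {("PROHIBITED", "NODEB"): "TRUE"})]
    return failwait, grpprv

if __name__ == "__main__":
    print(demo())
```

The FAILWAIT case shows TRY reporting only on the V5.5 node, and the GRPPRV case shows a limit set with a selector applying to READ alone while the exempted node is skipped.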
Limits
| Constraint | Value | Default |
|------------|-------|---------|
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE or TRUE | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|------------|-------|------------|
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE or TRUE | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE or TRUE | <node> |
Practical considerations
Before enabling GRPPRV alarms, it is wise to
consult with those holding the privilege to determine its frequency of
use. Although proper operations should be based on the regular protection
mechanisms for day-to-day use, some users may have developed a habit of
using GRPPRV for normal production purposes. GRPPRV audits, on
the other hand, provide a silent record of the activities of privileged
users.
IDENT
Determine whether enabling of alarms or audits for the use of an
identifier as a privilege conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|------------|-------------------------|
| ALPROHIBIT | Identifier security alarms are enabled in violation of policy |
| ALREQUIRE | Identifier security alarms are disabled in violation of policy |
| AUPROHIBIT | Identifier security audits are enabled in violation of policy |
| AUREQUIRE | Identifier security audits are disabled in violation of policy |
Description
Use of the qualifier /ENABLE=IDENTIFIER with the SET AUDIT/ALARM
or SET AUDIT/AUDIT command causes
the corresponding reporting when an identifier is used as privilege in
a call to the $CHECK_PRIVILEGE system service (available in VMS V6.0
and above only).
Default policy
Enabling of Identifier security alarms and audits is
neither prohibited nor required
Customizing
Set
limits TRUE to establish a general prohibition of or
requirement for the enabling of Identifier security alarms or audits.
Then establish exemptions for any individual nodes
which are not to be subjected to the general rule.
Limits
| Constraint | Value | Default |
|------------|-------|---------|
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE, TRUE or TRY | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE, TRUE or TRY | FALSE |
Exemptions
| Constraint | Value | Parameters |
|------------|-------|------------|
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE, TRUE or TRY | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE, TRUE or TRY | <node> |
Practical considerations
Identifiers are used as privilege, for
instance, in DECnet Plus and in LJK/Security itself.
IMPORT
Determine whether auditing for events involving the use of IMPORT
privilege conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|------------|-------------------------|
| ALPROHIBIT | IMPORT security alarms are enabled in violation of policy |
| ALREQUIRE | IMPORT security alarms are disabled in violation of policy |
| AUPROHIBIT | IMPORT security audits are enabled in violation of policy |
| AUREQUIRE | IMPORT security audits are disabled in violation of policy |
Description
Use of the qualifiers /CLASS=FILE and
/ENABLE=ACCESS=IMPORT=(access,...) with the SET AUDIT/ALARM
or SET AUDIT/AUDIT command causes
the corresponding reporting when IMPORT
privilege is used to obtain the specified type of access to files.
Tests for this element determine whether those audits
or alarms are enabled or not.
Note: SEVMS required.
The (AUDIT, IMPORT, ALREQUIRE) and (AUDIT, IMPORT, AUREQUIRE)
tests will never report an error on systems that do
not have the CLASS_PROT system parameter enabled.
When the CLASS_PROT system parameter is not enabled, audits and alarms
for use of the IMPORT privilege cannot be enabled.
If the policy covering a number of systems is to require that the SEVMS
product be used, the test (VMS, CLASSPROT, REQUIRED)
should be used.
Default policy
Enabling of IMPORT security alarms or audits is neither
prohibited nor required
Customizing
Set limits TRUE
to establish a general prohibition of or requirement for the enabling
of IMPORT security auditing. Then establish exemptions
for any individual nodes which are not to be subjected to the general
rule.
Selector
Limits for this element can take a
selector consisting of a VMS access type: READ, WRITE,
EXECUTE, DELETE or CONTROL. LOGICAL and PHYSICAL access to devices are
indicated by EXECUTE and DELETE respectively.
Thus, each limit can be set once for each possible
access type. If you do not specify a selector when
changing limits, your change applies to all access
types.
Limits
| Constraint | Value | Default |
|------------|-------|---------|
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE or TRUE | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|------------|-------|------------|
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE or TRUE | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE or TRUE | <node> |
Practical considerations
The IMPORT privilege is only relevant to
systems running Mandatory Access Controls, as implemented with the
SEVMS (Security Enhanced VMS)
software available from DEC.
IMPORT audits and alarms may both be quite appropriate in such
environments since such activities are rare and worthy of note.