LJK/Security Reference Manual




CHECKPROT

Test the protection of specified files.

Violation reports

Constraint   Nature of the violation
ABSOLUTLO    Access is narrower than permitted by policy
ABSOLUTHI    Access is wider than permitted by policy
ACLNOGEN     General identifier used in violation of policy
ACLNOSYS     System-defined identifier used in violation of policy
ACLNOUIC     UIC identifier used in violation of policy
ALFPROHIB    Alarm ACE for failure is present in violation of policy
ALFREQUIRE   Alarm ACE for failure is absent in violation of policy
ALSPROHIB    Alarm ACE for success is present in violation of policy
ALSREQUIRE   Alarm ACE for success is absent in violation of policy
AUFPROHIB    Audit ACE for failure is present in violation of policy
AUFREQUIRE   Audit ACE for failure is absent in violation of policy
AUSPROHIB    Audit ACE for success is present in violation of policy
AUSREQUIRE   Audit ACE for success is absent in violation of policy
PERCENTLO    Fewer users can access than permitted by policy
PERCENTHI    More users can access than permitted by policy

Description

This element tests protection of specific files for which you want tighter control than general files on the system. It is also the only element that tests for the presence (or absence) of particular audit or alarm ACEs (access control entries) within an ACL (access control list).

There are three types of tests included:

This element uses limits and exemptions in a different fashion than most. Each file to be tested must be specified in an exemption, with the desired value. Limits are ignored for this element.

If the specified file cannot be found (status codes RMS$_FNF, RMS$_NMF, RMS$_DNF and RMS$_DEV) it is not considered an error. This eases the task of maintaining policies to cover multiple nodes.

Default policy

The default value for the limit is the null string.

Customizing

Without customization, this element has no effect. Add an exemption for each file which you want tested, specifying the proper value as the value for the exemption.

Selector

Exemptions for constraints can take a selector consisting of a VMS file access type: READ, WRITE, EXECUTE, DELETE or CONTROL. Thus, each such exemption can be set once for each possible access type. If no selector is specified with the command interface, customization commands apply to all possible selector values.

Limits

Constraint   Value            Default
ABSOLUTLO    Any Protection   (S,O,G,W)
ABSOLUTHI    Any Protection   (S:RWED,O:RWED,G:RWED,W:RWED)
ACLNOGEN     FALSE or TRUE    FALSE
ACLNOSYS     FALSE or TRUE    FALSE
ACLNOUIC     FALSE or TRUE    FALSE
ALFPROHIB    FALSE or TRUE    FALSE
ALFREQUIRE   FALSE or TRUE    FALSE
ALSPROHIB    FALSE or TRUE    FALSE
ALSREQUIRE   FALSE or TRUE    FALSE
AUFPROHIB    FALSE or TRUE    FALSE
AUFREQUIRE   FALSE or TRUE    FALSE
AUSPROHIB    FALSE or TRUE    FALSE
AUSREQUIRE   FALSE or TRUE    FALSE
PERCENTLO    0-100            R:0,W:0,E:0,D:0,C:0
PERCENTHI    0-100            R:100,W:100,E:100,D:100,C:100

Exemptions

Constraint   Value            Parameters
ABSOLUTLO    Any Protection   <node>,<filespec>
ABSOLUTHI    Any Protection   <node>,<filespec>
ACLNOGEN     FALSE or TRUE    <node>,<filespec>
ACLNOSYS     FALSE or TRUE    <node>,<filespec>
ACLNOUIC     FALSE or TRUE    <node>,<filespec>
ALFPROHIB    FALSE or TRUE    <node>,<filespec>
ALFREQUIRE   FALSE or TRUE    <node>,<filespec>
ALSPROHIB    FALSE or TRUE    <node>,<filespec>
ALSREQUIRE   FALSE or TRUE    <node>,<filespec>
AUFPROHIB    FALSE or TRUE    <node>,<filespec>
AUFREQUIRE   FALSE or TRUE    <node>,<filespec>
AUSPROHIB    FALSE or TRUE    <node>,<filespec>
AUSREQUIRE   FALSE or TRUE    <node>,<filespec>
PERCENTLO    0-100            <node>,<filespec>
PERCENTHI    0-100            <node>,<filespec>

Practical considerations

The values for limits within the CHECKPROT element are immaterial, since all testing is based on exemptions. The default values above are set merely to demonstrate the "do not care" value.

There is not much point in establishing an exemption with a value of FALSE for one of the ACL-related constraints.


CHECKSUM

Test the integrity of specified files.

Violation reports

Constraint   Nature of the violation
SHA1         SHA-1 checksum value does not match
SIMPLE       Simple checksum value does not match
SITE         Site-specific checksum value does not match

Description

This element uses limits and exemptions in a different fashion than most. Each file to be tested must be specified in an exemption, where the value associated with the exemption is a string of hexadecimal characters representing the proper checksum value. The value associated with the limit can be used as an initialization vector for the checksum algorithm. No such use is made for the SHA1 or SIMPLE tests, so this capability is only meaningful for the SITE test.

If the specified file cannot be found (status codes RMS$_FNF, RMS$_NMF, RMS$_DNF and RMS$_DEV) it is not considered an error. This eases the task of maintaining policies to cover multiple nodes.

Test SIMPLE provides a very simple checksum routine which could be fooled by a skilled attacker who crafted their file modifications so as not to change the resulting checksum value.

Test SHA1 provides a true cryptographic checksum, detecting not only inadvertent but also malicious manipulation of images by a skilled attacker. There is a price to be paid in execution time, however: on a fast VAX, running the SHA1 test across all images provided as part of VMS takes about 2 hours, while doing the same thing with the SIMPLE test takes about 2 minutes.

In special circumstances, some sites prefer to use a cryptographic checksum of their own design. Test SITE provides for a site-specified checksum algorithm.

For information on how to provide a site-specific checksum algorithm, refer to Section 9.2.3, LJK$SECURITY_SITE_CHECKSUM callback.

Default policy

The default value for the limit is the null string.

Customizing

Without customization, this element has no effect. Add an exemption for each file which you want checksummed, specifying the proper value as the value for the exemption.

Selector

Limits

Constraint   Value                                         Default
SHA1         0-254 hexadecimal characters (even number)    null string
SIMPLE       0-254 hexadecimal characters (even number)    null string
SITE         0-254 hexadecimal characters (even number)    null string

Exemptions

Constraint   Value                                         Parameters
SHA1         0-254 hexadecimal characters (even number)    <node>,<filespec>
SIMPLE       0-254 hexadecimal characters (even number)    <node>,<filespec>
SITE         0-254 hexadecimal characters (even number)    <node>,<filespec>

Practical considerations

Updating exemptions to correspond to changes caused by authorized updates is a considerable effort, which should only be undertaken by sites which are willing to invest the time required.

For sites which are interested in such a high level of security, the list of installed images is a good starting list, since they are declared "trusted" by installing them. For those images that come as part of VMS, command procedures to set a policy up are described in Appendix K, Creating Policies Based on Examples. Added to that list should be any other programs run by privileged users.

LJK Software makes no claims regarding the stability of executable images on a typical VMS system. In the past, some VMS images have undergone regular modification as a part of normal operation. In particular, this is true of the SYS.EXE image on VAX.
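The SHA1 test as described above, as an added Python example that is not LJK's code: it validates each exemption value against the 0-254 even-length hexadecimal rule from the Limits table, treats a missing file as no error (Python's FileNotFoundError standing in for the RMS$_FNF family of status codes), and reports a digest mismatch as the SHA1 violation. The sample files are constructed in a temporary directory; the SITE initialization vector and the SIMPLE algorithm are not modelled.

```python
# Added example, not LJK's code: the CHECKSUM element's SHA1 test over exemptions.
import hashlib
import os
import string
import tempfile

HEXDIGITS = set(string.hexdigits)

def valid_checksum_value(value):
    """Limits table rule: 0-254 hexadecimal characters, an even number of them."""
    return len(value) <= 254 and len(value) % 2 == 0 and set(value) <= HEXDIGITS

def sha1_hex(path):
    """SHA-1 of the file contents, or None when the file is absent: the manual
    treats a missing file (RMS$_FNF and friends) as no error, not a violation."""
    try:
        with open(path, "rb") as f:
            return hashlib.sha1(f.read()).hexdigest()
    except FileNotFoundError:
        return None

def check_sha1(exemptions):
    """exemptions: iterable of (filespec, expected_hex). Returns ('SHA1', filespec)
    for every file that is present and whose digest differs from the exemption."""
    violations = []
    for filespec, expected in exemptions:
        if not valid_checksum_value(expected):
            raise ValueError(f"exemption value for {filespec} is not valid hex: {expected!r}")
        actual = sha1_hex(filespec)
        if actual is not None and actual != expected.lower():
            violations.append(("SHA1", filespec))
    return violations

def demo():
    """Constructed sample: a matching file, a modified file and an absent file,
    all listed with the SHA-1 of b'hello' as the expected value."""
    d = tempfile.mkdtemp()
    good, bad = os.path.join(d, "GOOD.EXE"), os.path.join(d, "BAD.EXE")
    with open(good, "wb") as f:
        f.write(b"hello")
    with open(bad, "wb") as f:
        f.write(b"hello, modified")
    expected = "AAF4C61DDCC5E8A2DABEDE0F3B482CD9AEA9434D"   # SHA-1 of b"hello", upper case
    return check_sha1([(good, expected), (bad, expected),
                       (os.path.join(d, "MISSING.EXE"), expected)])
```

Only the modified file is reported; the absent one is skipped exactly as the element description says, and the upper-case exemption value still matches the lower-case digest.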


DBMSPROT

Ensure that protections on all DEC DBMS files fall within the restrictions set by policy. DEC DBMS files in this context are all of those with the following file types:

Violation reports

Constraint   Nature of the violation
ABSOLUTLO    Access is narrower than permitted by policy
ABSOLUTHI    Access is wider than permitted by policy
PERCENTLO    Fewer users can access than permitted by policy
PERCENTHI    More users can access than permitted by policy

Description

DEC DBMS files are normally protected to allow only SYSTEM access, so that even the owner of the database must use DBMS access methods.

The ABSOLUTLO and ABSOLUTHI tests measure the UIC-based protection mask directly. The PERCENTLO and PERCENTHI tests measure the result of protection (including ACL protection) in terms of the percentage of usernames given access.

For the protection-related DISK facility elements, violations that concern only the writeability of CDROM disks are not reported, since the apparent writeability is just an illusion.

Default policy

By default, the DEC DBMS file protection setting must allow only the system to read and write the DEC DBMS files.

By default, a minimum of 0 percent of users must have access and a maximum of 1 percent of users may have READ, WRITE and CONTROL access, and a maximum of 0 percent of users may have other forms of access.

Customizing

DEC DBMS access is normally granted only through access control lists within the database, so there should be no need to customize the default limits for this element.

Selector

Limits for constraints PERCENTLO and PERCENTHI can take a selector consisting of a VMS file access type: READ, WRITE, EXECUTE, DELETE or CONTROL. If no selector is specified, customization commands apply to all possible selector values.

Limits

Constraint   Value            Default
ABSOLUTLO    Any Protection   (S:RW,O,G,W)
ABSOLUTHI    Any Protection   (S:RW,O,G,W)
PERCENTLO    0-100            0
PERCENTHI    0-100            R:1,W:1,E:0,D:0,C:1

Exemptions

Constraint   Value            Parameters
ABSOLUTLO    Any Protection   <node>,<filespec>
ABSOLUTHI    Any Protection   <node>,<filespec>
PERCENTLO    0-100            <node>,<filespec>
PERCENTHI    0-100            <node>,<filespec>

Practical considerations

Some file types overlap between DEC DBMS and Rdb/VMS, but the default limits for the two elements (DISK, DBMSPROT and DISK, RDBVMSPROT) also match, so, except for the unlikely event that customization is required, there should be no conflict.

DIRPROT

Ensure that protections on all directories fall within the restrictions set by policy.

Violation reports

Constraint   Nature of the violation
ABSOLUTLO    Access is narrower than permitted by policy
ABSOLUTHI    Access is wider than permitted by policy
PERCENTLO    Fewer users can access than permitted by policy
PERCENTHI    More users can access than permitted by policy

Description

If a directory's protection setting is not restrictive enough, unauthorized users will be able to read, write, execute, or delete the directory in question. If the setting is too restrictive, users generally find a less acceptable way of sharing information to get their job done. Typically, they share their password or make an unauthorized copy of the files within the directory somewhere else.

The purpose of this test is to ensure that directory protection settings are within the limits set by the security manager.

The ABSOLUTLO and ABSOLUTHI tests measure the UIC-based protection mask directly. The PERCENTLO and PERCENTHI tests measure the result of protection (including ACL protection) in terms of the percentage of usernames given access.

For the protection-related DISK facility elements, violations that concern only the writeability of CDROM disks are not reported, since the apparent writeability is just an illusion.

Default policy

By default, the directory protection setting must allow at least the system to read, write, and execute the directory. By default, the weakest acceptable directory setting allows the system and owner to read, write, execute, and delete the directory, and also allows other users in the owner's UIC group to read and execute the directory. By default, other users outside the owner's group are allowed only execute access to the directory.

By default, a minimum of 0 percent of users must have access and a maximum of 10 percent of users may have READ, WRITE, DELETE and CONTROL access while a maximum of 100 percent may have EXECUTE access.

Customizing

Limits for constraints ABSOLUTLO and ABSOLUTHI take the same form as a standard VMS file protection setting. The syntax for this is explained in some detail in VMS documentation. The default settings shown in the limits table below are good examples of how to specify which class of users are allowed which type of access. These are the codes involved:

Selector

Limits for constraints PERCENTLO and PERCENTHI can take a selector consisting of a VMS file access type: READ, WRITE, EXECUTE, DELETE or CONTROL. If no selector is specified, customization commands apply to all possible selector values.

Limits

Constraint   Value            Default
ABSOLUTLO    Any Protection   (S:RWE,O,G,W)
ABSOLUTHI    Any Protection   (S:RWED,O:RWED,G:RE,W)
PERCENTLO    0-100            0
PERCENTHI    0-100            R:10,W:10,E:100,D:10,C:10

Exemptions

Constraint   Value            Parameters
ABSOLUTLO    Any Protection   <node>,<filespec>
ABSOLUTHI    Any Protection   <node>,<filespec>
PERCENTLO    0-100            <node>,<filespec>
PERCENTHI    0-100            <node>,<filespec>

Practical considerations

File protection is an area which usually cannot be managed at arm's length from individual users and applications. Departments or people who depend on each other for data frequently will need some assistance in working out a protection scheme that allows this to take place without opening the files up to all users. Be sure to consider Access Control Lists (which explicitly name the users who can access a given file) if you find yourself getting painted into a corner with simple file protection settings. See the VMS system manager's documentation for details.
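The ABSOLUTLO/ABSOLUTHI and PERCENTLO/PERCENTHI tests that CHECKPROT, DBMSPROT and DIRPROT share, as an added Python example that is not LJK's code and not the product's own algorithm: it parses protection strings in the (S:RWED,O:RWED,G:RE,W) form used in the Limits tables, reports each category whose access falls below the low bound or above the high bound, and compares the share of users holding each access type against a per-selector limit such as R:10,W:10,E:100,D:10,C:10. It assumes the caller has already resolved the UIC mask plus ACL into each user's effective access; the ACE-related CHECKPROT constraints are not modelled, and the user set is constructed.

```python
# Added example, not LJK's code: ABSOLUT*/PERCENT* checks as the DISK protection
# elements describe them; caller resolves UIC mask + ACL into effective access.
CATEGORIES = "SOGW"   # System, Owner, Group, World
ACCESS = "RWEDC"      # Read, Write, Execute, Delete, Control (the selector letters)

def parse_protection(spec):
    """'(S:RWED,O:RWED,G:RE,W)' -> {'S': {'R','W','E','D'}, ..., 'W': set()}; no ':' means no access."""
    mask = {c: set() for c in CATEGORIES}
    for field in spec.strip().strip("()").split(","):
        cat, _, rights = field.strip().upper().partition(":")
        if cat not in CATEGORIES or set(rights) - set("RWED"):
            raise ValueError(f"bad protection field {field!r} in {spec!r}")
        mask[cat] = set(rights)
    return mask

def fmt(rights):
    return "".join(c for c in ACCESS if c in rights)   # render in RWEDC order

def check_absolute(actual, lo, hi):
    """ABSOLUTLO: a category holds less than the low bound requires; ABSOLUTHI: more than the high bound permits."""
    a, lo_m, hi_m = (parse_protection(s) for s in (actual, lo, hi))
    out = []
    for cat in CATEGORIES:
        if lo_m[cat] - a[cat]:
            out.append(("ABSOLUTLO", cat, fmt(lo_m[cat] - a[cat])))
        if a[cat] - hi_m[cat]:
            out.append(("ABSOLUTHI", cat, fmt(a[cat] - hi_m[cat])))
    return out

def parse_percent(spec):
    """'R:10,W:10,E:100,D:10,C:10' -> {'R': 10, ...}; a bare number applies to every selector."""
    if ":" not in spec:
        return {c: int(spec) for c in ACCESS}
    return {k.strip().upper(): int(v) for k, v in (f.split(":") for f in spec.split(","))}

def check_percent(access_by_user, lo, hi):
    """One PERCENTLO/PERCENTHI entry per selector whose share of users is out of range."""
    lo_p, hi_p = parse_percent(lo), parse_percent(hi)
    out = []
    for sel in ACCESS:
        pct = 100 * sum(sel in r for r in access_by_user.values()) / max(len(access_by_user), 1)
        if pct < lo_p[sel]:
            out.append(("PERCENTLO", sel, pct))
        elif pct > hi_p[sel]:
            out.append(("PERCENTHI", sel, pct))
    return out

# Constructed sample: one privileged user plus nine who can only traverse (E).
SAMPLE_USERS = {"SYSTEM": set("RWEDC"), **{f"USER{i}": {"E"} for i in range(9)}}
```

With the DIRPROT defaults as bounds, a directory at (S:RWED,O:RWED,G:RWED,W:RE) is reported as ABSOLUTHI for G (WD) and W (RE), while one at (S:R,O:RWED,G,W) is ABSOLUTLO for S (WE).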

ERASEDELET

Ensure that specification of Erase On Delete for disk volumes conforms to local policy.

Violation reports

Constraint   Nature of the violation
PROHIBITED   Erase On Delete is enabled in violation of policy
REQUIRED     Erase On Delete is disabled in violation of policy

Description

When Erase On Delete is specified for a disk volume, all files deleted from that volume will have their disk space overwritten with a system-specified pattern.

Note that this is different from setting individual files to be erased on deletion.

Default policy

Use of Erase On Delete is neither prohibited nor required.

Customizing

Set the limit for DISK_ERASEDELET_REQUIRED to TRUE in order to require all disk volumes to be set for Erase On Delete.

Selector

Limits

Constraint   Value           Default
PROHIBITED   FALSE or TRUE   FALSE
REQUIRED     FALSE or TRUE   FALSE

Exemptions

Constraint   Value           Parameters
PROHIBITED   FALSE or TRUE   <node>,<volume-name>
REQUIRED     FALSE or TRUE   <node>,<volume-name>

Practical considerations

Enabling Erase On Delete has a significant performance impact when files are deleted.

FILEPROT

Ensure that protections on files not covered by other file protection elements fall within the restrictions set by policy.

Violation reports

Constraint   Nature of the violation
ABSOLUTLO    Access is narrower than permitted by policy
ABSOLUTHI    Access is wider than permitted by policy
PERCENTLO    Fewer users can access than permitted by policy
PERCENTHI    More users can access than permitted by policy

Description

If a file's protection setting is not restrictive enough, unauthorized users will be able to read, write, execute, or delete the file in question. If the setting is too restrictive, users generally find a less acceptable way of sharing information to get their job done. Typically, they share their password or make an unauthorized copy of the file somewhere else.

The purpose of this test is to ensure that file protection settings are within the limits set by the security manager.

