LJK/Security Reference Manual
The ABSOLUTLO and ABSOLUTHI tests measure the UIC-based protection mask
directly. The PERCENTLO and PERCENTHI tests measure the result of
protection (including ACL protection) in terms of the percentage of
usernames given access.
Violations for protection-related DISK facility elements are not reported
when they concern only the writability of CD-ROM disks, since the apparent
writability is an illusion.
Default policy
By default, the file protection setting must allow at least the system to
read, write, execute, and delete the file. By default, the weakest
acceptable file setting allows the system and owner to read, write,
execute, and delete the file, and also allows other users in the owner's
UIC group to read and execute the file. By default, other users outside
the owner's group are allowed NO access to the file.
By default, a minimum of 0 percent of users must have access and a maximum
of 10 percent of users may have access.
Customizing
Limits for constraints ABSOLUTLO and ABSOLUTHI take the same form as a
standard VMS file protection setting. The syntax is explained in some
detail in the VMS documentation. The default settings shown in the limits
table below are good examples of how to specify which class of users is
allowed which type of access. These are the codes involved (a class code
precedes the colon, access codes follow it, so the W before a colon means
World and the W after it means Write):
- S=System account (or users with the SYSPRV privilege)
- O=Owner of the file
- G=Group (i.e., other users in the same UIC group as the owner)
- W=World (i.e., all other users)
- R=Read
- W=Write
- E=Execute
- D=Delete
selector
Limits for constraints PERCENTLO and PERCENTHI can take a selector
consisting of a VMS file access type: READ, WRITE, EXECUTE, DELETE or
CONTROL. If no selector is specified, customization commands apply to all
possible selector values.
Limits
| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | Any Protection | (S:RWED,O,G,W) |
| ABSOLUTHI | Any Protection | (S:RWED,O:RWED,G:RE,W) |
| PERCENTLO | 0-100 | 0 |
| PERCENTHI | 0-100 | 10 |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | Any Protection | <node>, <filespec> |
| ABSOLUTHI | Any Protection | <node>, <filespec> |
| PERCENTLO | 0-100 | <node>, <filespec> |
| PERCENTHI | 0-100 | <node>, <filespec> |
Practical considerations
File protection is an area which usually cannot be managed at arm's length
from individual users and applications. Departments or people who depend
on each other for data frequently need some assistance in working out a
protection scheme that allows the sharing to take place without opening
the files up to all users. Be sure to consider Access Control Lists (which
explicitly name the users who can access a given file) if you find
yourself getting painted into a corner with simple file protection
settings. See the VMS system manager's documentation for details.
HIGHWATER
Ensure that specification of File Highwater Marking for disk volumes
conforms to local policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | File Highwater Marking is enabled in violation of policy |
| REQUIRED | File Highwater Marking is disabled in violation of policy |
Description
When File Highwater Marking is specified for a disk volume, users are
prevented from reading the previous contents of space now allocated to
their files.
Default policy
Use of File Highwater Marking is required.
Customizing
Change the DISK_HIGHWATER_REQUIRED limit to FALSE or add exemptions if
File Highwater Marking causes severe performance problems because systems
are still running VMS V4.
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>,<volume-name> |
| REQUIRED | FALSE or TRUE | <node>,<volume-name> |
Practical considerations
Under VMS V4, enabling File Highwater Marking could cause performance
problems when files were created or extended. Effective with VMS V5.0,
that problem was eliminated for sequential files, as DEC implemented their
original plan for File Highwater Marking rather than the "erase on extend"
temporary method they had used under VMS V4.
Under VMS V5, the "erase on extend" implementation is still used for
relative and indexed files, but the overhead introduced is not usually
noticed because of the overhead already present in creating or extending
relative and indexed files.
INSTALLED
Ensure that unauthorized images are not installed.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Image installation in violation of policy |
Description
Installation of a shareable image declares it "trusted" and
accessible by privileged programs. This test can be used to ensure that
only authorized programs are installed.
Default policy
Image installation is not prohibited.
Customizing
Setting the DISK_INSTALLED_PROHIBITED limit TRUE should be accompanied by
establishment of corresponding exemptions for images whose installation is
acceptable (many of which are supplied by VMS and layered products).
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>,<filespec> |
Practical considerations
Tracking all images allowed to be installed can be a considerable effort.
INSTPRIV
Ensure that unauthorized images are not installed with privilege.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PRIVPROHIB | Image installation with privilege in violation of policy |
| ABSOLUTHI | Image installation at a higher level than the maximum in the policy |
Description
Installation of an executable image with privilege allows unprivileged
users to perform privileged operations when running the program. Such
programs must be carefully constructed to ensure that only the designed
functions can be performed. Installation of a program with privilege
when it was not designed to be installed with privilege is a
major security hazard. This test can be used to ensure that
only authorized programs are installed with privilege.
Default policy
Installing images with privilege is not prohibited.
Customizing
Setting limits should be accompanied by establishment of corresponding
exemptions for images whose installation with privilege is acceptable
(many of which are supplied by VMS and layered products).
selector
Limits and exemptions for test PRIVPROHIB can take a selector consisting
of a privilege name. Thus, it can be set once for each possible privilege.
When using the Command Interface, if you do not specify a selector when
changing the limit or exemptions, your change applies to all privileges.
Limits
| Constraint | Value | Default |
|---|---|---|
| PRIVPROHIB | FALSE or TRUE | FALSE |
| ABSOLUTHI | Category-None---Category-All | Category-All |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PRIVPROHIB | FALSE or TRUE | <node>,<filespec> |
| ABSOLUTHI | Category-None---Category-All | <node>,<filespec> |
Practical considerations
Tracking all images allowed to be installed with privilege can be a
considerable effort.
The test ABSOLUTHI is sufficient to express simpler limitations based on
privilege level. If a more complicated selection of privileges is
required, it may be necessary to use the test PRIVPROHIB.
INSTPROT
Ensure that unauthorized images are not installed as protected.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Image installation as protected in violation of policy |
Description
Installation of a shareable image as protected enables any user-written
system services it contains so they can execute in Executive or Kernel
mode and thus gain access to privileges. This test can be used to
ensure that only authorized programs are installed as protected.
Default policy
Installation of images as protected is not prohibited.
Customizing
Setting the DISK_INSTPROT_PROHIBITED limit TRUE should be accompanied by
establishment of corresponding exemptions for images whose installation as
protected is acceptable (many of which are supplied by VMS and layered
products).
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>,<filespec> |
Practical considerations
These images are also known as "privileged shareable images". Tracking all
images allowed to be installed as protected can be a considerable effort.
INSTUSRDIR
Ensure that images are not installed from directories writable by
unprivileged users.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Image installation from user directory in violation of policy |
Description
Installation of an image from a directory tree which can be written by
an unprivileged user (that is, one without the privileges required to
install images) allows that user to subvert the installation process by
substituting a different image before the next system boot (since
installation is generally done automatically on boot).
Default policy
Installation of images from user directories is prohibited.
Customizing
Customizing to permit certain images to be installed from user directories
is generally inappropriate.
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>,<filespec> |
Practical considerations
There may be complaints in cases where certain images are being installed
only for performance reasons. In such cases, a mechanism for turning those
programs over to system administrators when they are revised should be
devised. Such a mechanism should obviously include code review for
security purposes. This is an unfortunate situation, but VMS does not
distinguish between images installed for performance purposes and images
installed for security purposes.
INSTUSRFIL
Ensure that images which can be written by unprivileged users are not
installed.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Installation of user image in violation of policy |
Description
Installation of an image which can be written by an unprivileged user
(that is, one without the privileges required to install images) allows
that user to subvert the installation process by substituting a
different image before the next system boot (since installation is
generally done automatically on boot).
Default policy
Installation of images writable by unprivileged users is prohibited.
Customizing
Customizing to permit certain images to be installed when writable by
unprivileged users is generally inappropriate.
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>,<filespec> |
Practical considerations
There may be complaints in cases where certain images are being installed
only for performance reasons. In such cases, a mechanism for turning those
programs over to system administrators when they are revised should be
devised. Such a mechanism should obviously include code review for
security purposes. This is an unfortunate situation, but VMS does not
distinguish between images installed for performance purposes and images
installed for security purposes.
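Tests INSTALLED, INSTPRIV, INSTPROT, INSTUSRDIR and INSTUSRFIL all examine the same object, the list of installed images, so one added example covers all five. The Python below is not LJK/Security code and is not from this manual: it models each installed image as a record (filespec, privileges it is installed with, whether it is installed as protected, and which protection classes hold WRITE on the file and on each directory of its path), applies a policy object mirroring the limits named in those sections, and honours per-test <filespec> exemptions. The privilege-to-category table is an abbreviated subset of the VMS assignment, the wildcard form of exemption patterns, the record layout, the sample images and the policy values are all assumptions constructed for this example.

```python
import fnmatch
from dataclasses import dataclass, field

# VMS privilege categories in ascending order; the INSTPRIV ABSOLUTHI limit
# ranges over "Category-None" ... "Category-All".
CATEGORY_ORDER = ["None", "Normal", "Group", "Devour", "System", "Objects", "All"]

# Privilege -> category.  Assumption: an abbreviated subset of the assignment
# in the VMS security documentation, enough for the constructed sample below.
PRIV_CATEGORY = {
    "TMPMBX": "Normal", "NETMBX": "Normal",
    "GRPPRV": "Group",
    "EXQUOTA": "Devour",
    "OPER": "System", "WORLD": "System",
    "VOLPRO": "Objects",
    "CMKRNL": "All", "SETPRV": "All", "BYPASS": "All", "SYSPRV": "All",
}


@dataclass
class InstalledImage:
    filespec: str
    privileges: tuple = ()                   # privileges the image is installed with
    protected: bool = False                  # installed as a protected shareable image
    file_writers: frozenset = frozenset()    # protection classes holding WRITE on the file
    dir_writers: tuple = ()                  # same, one frozenset per directory on the path


@dataclass
class InstallPolicy:
    installed_prohibited: bool = False       # DISK_INSTALLED_PROHIBITED
    privprohib: dict = field(default_factory=dict)   # privilege selector -> TRUE/FALSE; "*" = no selector
    priv_ceiling: str = "All"                # INSTPRIV ABSOLUTHI
    instprot_prohibited: bool = False        # DISK_INSTPROT_PROHIBITED
    usrdir_prohibited: bool = True           # INSTUSRDIR default
    usrfil_prohibited: bool = True           # INSTUSRFIL default
    exemptions: dict = field(default_factory=dict)   # test name -> filespec patterns


def exempt(policy, test, filespec) -> bool:
    """Exemptions are keyed by <filespec>; wildcard matching is an assumption here."""
    return any(fnmatch.fnmatchcase(filespec.upper(), p.upper())
               for p in policy.exemptions.get(test, ()))


def unprivileged_can_write(writers) -> bool:
    """Group or World holding WRITE means an unprivileged user can replace the file."""
    return bool(set(writers) & {"G", "W"})


def check_image(img, policy) -> list:
    """Return (test, constraint[, selector]) tuples for every violation found."""
    v = []
    if policy.installed_prohibited and not exempt(policy, "INSTALLED", img.filespec):
        v.append(("INSTALLED", "PROHIBITED"))
    for p in img.privileges:
        if (policy.privprohib.get(p, policy.privprohib.get("*", False))
                and not exempt(policy, "INSTPRIV", img.filespec)):
            v.append(("INSTPRIV", "PRIVPROHIB", p))
    # Unknown privileges are treated conservatively as the highest category.
    levels = [CATEGORY_ORDER.index(PRIV_CATEGORY.get(p, "All")) for p in img.privileges]
    if (levels and max(levels) > CATEGORY_ORDER.index(policy.priv_ceiling)
            and not exempt(policy, "INSTPRIV", img.filespec)):
        v.append(("INSTPRIV", "ABSOLUTHI"))
    if img.protected and policy.instprot_prohibited and not exempt(policy, "INSTPROT", img.filespec):
        v.append(("INSTPROT", "PROHIBITED"))
    if (policy.usrdir_prohibited and any(unprivileged_can_write(w) for w in img.dir_writers)
            and not exempt(policy, "INSTUSRDIR", img.filespec)):
        v.append(("INSTUSRDIR", "PROHIBITED"))
    if (policy.usrfil_prohibited and unprivileged_can_write(img.file_writers)
            and not exempt(policy, "INSTUSRFIL", img.filespec)):
        v.append(("INSTUSRFIL", "PROHIBITED"))
    return v


# Constructed sample: three installed images and a policy with exemptions.
SAMPLE_IMAGES = [
    InstalledImage("SYS$SYSTEM:LOGINOUT.EXE", privileges=("CMKRNL", "SYSPRV")),
    InstalledImage("DISK$USER:[SMITH.TOOLS]FASTSORT.EXE",
                   file_writers=frozenset({"O", "W"}),
                   dir_writers=(frozenset({"O"}), frozenset({"O", "G"}))),
    InstalledImage("DISK$APPS:[PAYROLL]PAYCHECK.EXE", privileges=("OPER", "WORLD")),
]
SAMPLE_POLICY = InstallPolicy(
    installed_prohibited=True,
    privprohib={"BYPASS": True},
    priv_ceiling="Group",
    exemptions={"INSTALLED": ["SYS$SYSTEM:*", "DISK$APPS:*"],
                "INSTPRIV": ["SYS$SYSTEM:*"]},
)


def audit(images=SAMPLE_IMAGES, policy=SAMPLE_POLICY) -> dict:
    """Map each filespec to its list of violations under the policy."""
    return {img.filespec: check_image(img, policy) for img in images}


if __name__ == "__main__":
    for spec, found in audit().items():
        print(spec, found or "OK")
```

In the sample, the system image passes only because of its exemptions, the image in a user's directory trips INSTALLED, INSTUSRDIR and INSTUSRFIL at once, and the payroll image is exempt from INSTALLED but still exceeds the privilege ceiling, which is the situation the INSTPRIV practical considerations describe: the ceiling catches it without a per-privilege PRIVPROHIB entry.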
MAILPROT
Ensure that protections on all mail files fall within the restrictions
set by policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | Access is narrower than permitted by policy |
| ABSOLUTHI | Access is wider than permitted by policy |
| PERCENTLO | Fewer users can access than permitted by policy |
| PERCENTHI | More users can access than permitted by policy |
Description
If a mail file's protection setting is not restrictive enough,
unauthorized users will be able to read, write, execute, or delete the
mail file in question. If the setting is too restrictive, users generally
find a less acceptable way of sharing information to get their job done.
Typically, they share their password or make an unauthorized copy of the
mail file somewhere else.
The purpose of this test is to ensure that mail file protection settings
are within the limits set by the security manager.
The ABSOLUTLO and ABSOLUTHI tests measure the UIC-based protection mask
directly. The PERCENTLO and PERCENTHI tests measure the result of
protection (including ACL protection) in terms of the percentage of
usernames given access.
Violations for protection-related DISK facility elements are not reported
when they concern only the writability of CD-ROM disks, since the apparent
writability is an illusion.
Default policy
By default, the mail file protection setting must allow at least the
system to read and write the file. By default, the weakest acceptable mail
file setting allows the system and owner to read and write the mail file.
By default, other users are allowed NO access to the mail file.
By default, a minimum of 0 percent of users must have access and a maximum
of 1 percent of users may have access.
Customizing
Limits for constraints ABSOLUTLO and ABSOLUTHI take the same form as a
standard VMS file protection setting. The syntax is explained in some
detail in the VMS documentation. The default settings shown in the limits
table below are good examples of how to specify which class of users is
allowed which type of access. These are the codes involved:
- S=System account (or users with the SYSPRV privilege)
- O=Owner of the file
- G=Group (i.e., other users in the same UIC group as the owner)
- W=World (i.e., all other users)
- R=Read
- W=Write
- E=Execute
- D=Delete
selector
Limits for constraints PERCENTLO and PERCENTHI can take a selector
consisting of a VMS file access type: READ, WRITE, EXECUTE, DELETE or
CONTROL. If no selector is specified, customization commands apply to all
possible selector values.
Limits
| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | Any Protection | (S:RW,O:RW,G,W) |
| ABSOLUTHI | Any Protection | (S:RW,O:RW,G,W) |
| PERCENTLO | 0-100 | 0 |
| PERCENTHI | 0-100 | 1 |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | Any Protection | <node>, <volume-name> |
| ABSOLUTHI | Any Protection | <node>, <volume-name> |
| PERCENTLO | Percent/0-n | <node>, <device-name> |
| PERCENTHI | Percent/0-n | <node>, <device-name> |
Practical considerations
There is generally no need for sharing access to mail files, but in
certain cases an exemption may be in order.
NOTESPROT
Ensure that VAXnotes conference files are protected within the limits
set by the security policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | Access is narrower than permitted by policy |
| ABSOLUTHI | Access is wider than permitted by policy |
| PERCENTLO | Fewer users can access than permitted by policy |
| PERCENTHI | More users can access than permitted by policy |
Description
VAXnotes conferences have special protection setting requirements in
order to remain secure. Although nominally such conferences can be
written to by multiple users, the secure method of using VAXnotes
involves forcing use of the VAXnotes server, so that modification of
conference files is only done through the VAXnotes software rather than
some other program possibly written for the purpose.
The purpose of this test is to ensure that VAXnotes server use is
required in order to write to conferences.
The ABSOLUTLO and ABSOLUTHI tests measure the UIC-based protection mask
directly. The PERCENTLO and PERCENTHI tests measure the result of
protection (including ACL protection) in terms of the percentage of
usernames given access.
Violations for protection-related DISK facility elements are not reported
when they concern only the writability of CD-ROM disks, since the apparent
writability is an illusion.
Default policy
By default, the most restrictive permitted setting will allow only users
with SYSPRV privilege to Read, Write, Execute, or Delete the conference.
Also, by default, the least restrictive permitted setting will allow the
owner and users with SYSPRV privilege to Read, Write, Execute, or Delete
the conference. Access by other users to VAXnotes conferences is done by
invocation of the VAXnotes server image, in accordance with internal
VAXnotes data regarding which users are allowed access. The VAXnotes
server runs in an account which has Access Control List entries
associated with properly protected VAXnotes conference files.
By default, a minimum of 0 percent of users must have access and a maximum
of 10 percent of users may have access.
Customizing
Minimum and maximum settings (i.e., least protective and most protective
settings) can be set by using the same syntax as that used for file
protection. See the default settings in the limits table below for
examples of the syntax used in these settings. For details, see the VMS
documentation set.
selector
Limits for constraints PERCENTLO and PERCENTHI can take a selector
consisting of a VMS file access type: READ, WRITE, EXECUTE, DELETE or
CONTROL. If no selector is specified, customization commands apply to all
possible selector values.
Limits
| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | Any Protection | (S:RW,O,G,W) |
| ABSOLUTHI | Any Protection | (S:RWED,O:RWED,G,W) |
| PERCENTLO | 0-100 | 0 |
| PERCENTHI | 0-100 | 10 |
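The ABSOLUTLO/ABSOLUTHI and PERCENTLO/PERCENTHI checks described for the file protection test at the top of this page, for MAILPROT and for NOTESPROT all reduce to the same two comparisons, so one added example serves all three. The Python below is not LJK/Security code and is not from this manual: it parses a VMS-style protection string such as (S:RWED,O:RWED,G:RE,W), checks a file's mask against the two absolute limits (narrower than ABSOLUTLO, wider than ABSOLUTHI), and computes the percentage of usernames that obtain a given access through the UIC mask or an ACL entry. The user list, the {username: codes} stand-in for IDENTIFIER ACEs, the rule that SYSPRV holders fall in the System class, and the treatment of an omitted class as "no access" are assumptions constructed for the example; the limits applied in audit_mail_file are the MAILPROT defaults given earlier on this page.

```python
from dataclasses import dataclass

CATEGORIES = ("S", "O", "G", "W")   # System, Owner, Group, World
ACCESS_CODES = "RWED"               # Read, Write, Execute, Delete


def parse_protection(mask: str) -> dict:
    """Parse a protection string such as "(S:RWED,O:RWED,G:RE,W)" into
    {class: set of access codes}.  Assumption for this checker: a class
    listed without ":" (or omitted altogether) grants no access."""
    body = mask.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    grants = {c: set() for c in CATEGORIES}
    for item in body.split(","):
        item = item.strip().upper()
        if not item:
            continue
        cat, _, codes = item.partition(":")
        if cat not in CATEGORIES:
            raise ValueError(f"unknown class {cat!r} in {mask!r}")
        unknown = set(codes) - set(ACCESS_CODES)
        if unknown:
            raise ValueError(f"unknown access code(s) {sorted(unknown)} in {mask!r}")
        grants[cat] = set(codes)
    return grants


def check_absolute(actual: str, lo: str, hi: str) -> list:
    """ABSOLUTLO: every code granted by `lo` must also be granted by `actual`.
    ABSOLUTHI: `actual` may grant nothing that `hi` does not.
    Returns the names of the violated constraints."""
    a, l, h = (parse_protection(m) for m in (actual, lo, hi))
    violations = []
    if any(l[c] - a[c] for c in CATEGORIES):
        violations.append("ABSOLUTLO")   # access narrower than permitted
    if any(a[c] - h[c] for c in CATEGORIES):
        violations.append("ABSOLUTHI")   # access wider than permitted
    return violations


@dataclass(frozen=True)
class User:
    username: str
    uic_group: int
    sysprv: bool = False


def percent_with_access(users, owner, mask, acl, access) -> float:
    """Percentage of `users` that can obtain `access` (one code, e.g. "R")
    to a file owned by `owner`, via the UIC mask or an ACL entry.  `acl` is
    a constructed {username: set of codes} stand-in for IDENTIFIER ACEs."""
    grants = parse_protection(mask)
    holders = 0
    for u in users:
        cats = {"W"}                       # everyone is in World
        if u.sysprv:
            cats.add("S")                  # SYSPRV holders get the System class
        if u.username == owner.username:
            cats.add("O")
        if u.uic_group == owner.uic_group:
            cats.add("G")
        via_mask = any(access in grants[c] for c in cats)
        via_acl = access in acl.get(u.username, set())
        if via_mask or via_acl:
            holders += 1
    return 100.0 * holders / len(users)


def check_percent(percent: float, lo: float, hi: float) -> list:
    """PERCENTLO: fewer users than policy requires can access.
    PERCENTHI: more users than policy permits can access."""
    violations = []
    if percent < lo:
        violations.append("PERCENTLO")
    if percent > hi:
        violations.append("PERCENTHI")
    return violations


# Constructed sample: ten accounts in two UIC groups, one SYSPRV holder.
SAMPLE_USERS = [User("SYSTEM", 1, sysprv=True)] + [
    User(name, 200 if i < 4 else 300)
    for i, name in enumerate(["SMITH", "JONES", "BROWN", "LEE", "PATEL",
                              "GARCIA", "KIM", "ROSSI", "NOVAK"])
]
SAMPLE_OWNER = SAMPLE_USERS[1]      # SMITH, UIC group 200
SAMPLE_ACL = {"JONES": {"R"}}       # constructed (IDENTIFIER=JONES,ACCESS=READ) entry


def audit_mail_file(mask="(S:RW,O:RW,G,W)", acl=SAMPLE_ACL) -> dict:
    """Apply the MAILPROT defaults: ABSOLUTLO and ABSOLUTHI both
    (S:RW,O:RW,G,W), PERCENTLO 0, PERCENTHI 1, with the READ selector."""
    pct = percent_with_access(SAMPLE_USERS, SAMPLE_OWNER, mask, acl, "R")
    return {
        "absolute": check_absolute(mask, "(S:RW,O:RW,G,W)", "(S:RW,O:RW,G,W)"),
        "percent_read": pct,
        "percent": check_percent(pct, 0, 1),
    }


if __name__ == "__main__":
    print(audit_mail_file())
```

The sample shows why the two kinds of limit are both needed: the mail file's mask equals the default exactly, so the absolute checks pass, yet a single ACL entry plus the owner and the SYSPRV account already put 30 percent of usernames in reach of the file, which the 1 percent PERCENTHI default reports.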
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | Any Protection | <node>, <filespec> |
| ABSOLUTHI | Any Protection | <node>, <filespec> |
| PERCENTLO | 0-100 | <node>, <filespec> |
| PERCENTHI | 0-100 | <node>, <filespec> |
Practical considerations
Access Control Lists are required for granting access through the
VAXnotes server. See the VAXnotes documentation for details.
OWNER
Ensure that the ownership of each disk volume complies with the
security policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| WRONG | Owner of the disk volume is not the system |
Description
If an individual user is the owner of a disk volume, he can make it
unavailable to other users, which is not the usual arrangement in
timesharing systems. On the other hand, he can make it available to
other users
to store their data, but the owner of the disk is the de facto owner of
that data, regardless of whether its creators are aware of that. To
meet special needs, this can be a desirable situation, but the security
manager should be aware of it.