LJK/Security Reference Manual
AUTOLOGIN
Ensure presence of entries in the autologin file (SYSALF.DAT) complies
with policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ENTRY | Autologin is used in violation of policy |
| NOPASSWORD | Autologin is used without a password |
| NONCAPTIVE | Autologin is used to a non-captive username |
| PRIVPROHIB | Autologin is used to a privileged username |
| ABSOLUTHI | Autologin is used to a privileged username |
Description
Entries in the autologin file can be used to automatically log a
particular terminal in to a designated account when the carriage-return
key is pressed. Such accounts can be set up either with or without
passwords, but even when passwords are required, the automatic choice
of username can provide an interloper "part of the puzzle".
The purpose of these tests is to ensure that any entries in the
autologin file comply with organization-wide security policy.
Default policy
By default, no use of the autologin file is permitted.
Customizing
Establish exemptions based on individual terminal names to permit
limited use of autologin files. Change the limits to permit
unrestricted use of autologin files.
selector
Limits and exemptions for test TERM_AUTOLOGIN_PRIVPROHIB can take a
selector consisting of a privilege name. Thus, each can be set once for
each possible privilege. When using the Command Interface, if you do
not specify a selector when changing the limit or exemptions, your
change applies to all privileges.
Limits
| Constraint | Value | Default |
|---|---|---|
| ENTRY | FALSE or TRUE | TRUE |
| NOPASSWORD | FALSE or TRUE | TRUE |
| NONCAPTIVE | FALSE or TRUE | TRUE |
| PRIVPROHIB | FALSE or TRUE | TRUE * |
| ABSOLUTHI | Category-None---Category-All | Category-Normal |
* FALSE value for privilege TMPMBX.
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ENTRY | FALSE or TRUE | <node>,<device-name> |
| NOPASSWORD | FALSE or TRUE | <node>,<device-name> |
| NONCAPTIVE | FALSE or TRUE | <node>,<device-name> |
| PRIVPROHIB | FALSE or TRUE | <node>,<device-name> |
| ABSOLUTHI | Category-None---Category-All | <node>,<device-name> |

Practical considerations
Manual methods must be used to ensure that named terminals are actually
in their putative locations. Assumptions can be readily thwarted by
cabling changes.
The test ABSOLUTHI is sufficient to express simpler limitations based
on privilege level. If a more complicated selection of privileges is
required, it may be necessary to use the test PRIVPROHIB.
BROADCAST
Determine whether enable state for broadcast messages conforms to
policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Broadcast messages are enabled in violation of policy |
| REQUIRED | Broadcast messages are disabled in violation of policy |
Description
In certain situations the permanent characteristics of terminals to
enable or disable reception of broadcast messages can have security
implications.
These tests are intended to allow reporting when permanent terminal
characteristics do not conform to policy.
Default policy
Enabling of broadcast messages is neither prohibited nor required.
Customizing
You can set limits to indicate a general policy, and exemptions on an
individual basis. The most likely situation would be to have the limits
require broadcast messages be enabled and set exemptions for other
cases.
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>, <device-name> |
| REQUIRED | FALSE or TRUE | <node>, <device-name> |

Practical considerations
The permanent terminal broadcast setting is only one factor in the
delivery of broadcast messages. It can be overridden by the user logged
in at a terminal (without privilege). The types of messages delivered
can be subsetted by that user through the SET BROADCAST command.
DIALUP
Determine whether designation as dialup conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Designated as dialup in violation of policy |
| REQUIRED | Designated as non-dialup in violation of policy |
Description
VMS provides the capability to designate certain terminal lines as
"dialup" and restrict system access to particular usernames or
particular files based on whether the access is coming over a "dialup"
line.
Trusting the "dialup" designation in the permanent characteristics of a
terminal can be illusory, since a non-dialup line can have a modem
attached to it.
On the other hand, some sites use the "dialup" designation for other
meanings which are either not relevant to security or do not have the
same risk of spoofing.
Default policy
Designation as dialup is prohibited.
Customizing
Customization is in order if your organization has some other use for
the "dialup" designation. It also may be required in cases where a
higher governing authority mandates such a distinction.
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | TRUE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>, <device-name> |
| REQUIRED | FALSE or TRUE | <node>, <device-name> |

Practical considerations
Keeping track of which lines are dialup also means tracking all changes
in wiring schemes for various nodes.
DISCONNECT
Determine whether enabling of virtual terminals conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Disconnect allowed is enabled in violation of policy |
| REQUIRED | Disconnect allowed is disabled in violation of policy |
Description
Provision of virtual terminals allows a user whose session is
interrupted by circuit disconnection to continue the existing session
by supplying the appropriate password after connecting again. This is
generally regarded as a continuity-of-service feature.
Some sites may have specific requirements mandating that virtual
terminals not be enabled.
Default policy
Enabling of disconnection is neither prohibited nor required.
Customizing
Customize here if you have the need to ensure uniformity across all
nodes owned by your organization.
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>, <device-name> |
| REQUIRED | FALSE or TRUE | <node>, <device-name> |

Practical considerations
The length of time a disconnected process will remain available can be
controlled on a node-by-node basis.
HANGUP
Determine whether forcing hangup on logout conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Hangup on logout is enabled in violation of policy |
| REQUIRED | Hangup on logout is disabled in violation of policy |
Description
Forcing hangup on logout is generally viewed as an
availability-of-service feature, since it frees dialup lines for use by
another caller. Most sites combine it with allowing users to use the
/NOHANGUP qualifier on a particular logout, since the goal is to defend
against unknowing failure to properly terminate a call.
Default policy
Hangup on logout is required.
Customizing
In most cases, provision of the MODHANGUP capability is sufficient to
meet user needs and no customization of this test is required.
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>, <device-name> |
| REQUIRED | FALSE or TRUE | <node>, <device-name> |

Practical considerations
Use of an application which performs process deletion rather than
allowing the user to invoke LOGOUT may require that hangup on logout
not be enabled.
MODEM
Determine whether specification of modem control conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Modem control is enabled in violation of policy |
| REQUIRED | Modem control is disabled in violation of policy |
Description
Enabling modem control specifies that VMS will provide and expect
proper modem signalling on a particular terminal line. It does not
necessarily have anything to do with dialup modems, as many other types
of data communications equipment require and provide modem control
signals.
Default policy
Enabling of modem control is neither prohibited nor required.
Customizing
In most cases, enforcement of particular modem control settings is not
required since equipment will not work if the setting is wrong.
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>, <device-name> |
| REQUIRED | FALSE or TRUE | <node>, <device-name> |

Practical considerations
Cases where modem control is not provided when it might seem to be
needed may indicate situations where modem cabling has been modified so
as not to require such signals. This generally results in reduced
information flow regarding the state of calls, and reduced security.
MODHANGUP
Determine whether allowing user modification of hangup on logout
conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | User modification of hangup on logout is enabled in violation of policy |
| REQUIRED | User modification of hangup on logout is disabled in violation of policy |
Description
Enabling user modification of hangup on logout allows knowledgeable
users to avoid having to redial calls when logging in to another
session. Most sites enable it, using the hangup on logout feature of
VMS only to keep authorized but forgetful users from tying up lines
after they are finished.
Default policy
Allowing user modification of hangup on logout is neither prohibited
nor required.
Customizing
Abuse of the LOGOUT/NOHANGUP feature may require MODHANGUP be
prohibited.
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>, <device-name> |
| REQUIRED | FALSE or TRUE | <node>, <device-name> |

Practical considerations
Although the LOGOUT/NOHANGUP feature is supposed to be used only in
cases where it is needed, some users might define DCL symbols to change
every LOGOUT command into a LOGOUT/NOHANGUP command, thereby violating
the spirit of the feature.
NETDEVICE
Determine whether designation as network device conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Set as network device in violation of policy |
| REQUIRED | Set as interactive device in violation of policy |
Description
When terminal lines are used for asynchronous DECnet, they are
automatically designated as network devices. These tests can be used to
check for unauthorized asynchronous DECnet connections, if a site
has sufficient staff to track all changes in network connections.
Default policy
Designation as a network device is neither prohibited nor required.
Customizing
An aggressive program of tracking network connections would require
setting both limits TRUE and then setting an exemption for every line
(or group of lines via wildcard exemptions).
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>, <device-name> |
| REQUIRED | FALSE or TRUE | <node>, <device-name> |

Practical considerations
Dynamic (dialup) asynchronous DECnet allows certain lines to change
their state between network and terminal devices.
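The "both limits TRUE plus an exemption for every line" strategy described under Customizing, modelled as an added Python example (not LJK/Security code). It assumes that a matching exemption's value replaces the limit for that terminal and that `*` is the wildcard; node names, device names and line states are constructed.

```python
from fnmatch import fnmatchcase

# Violation text as given in the NETDEVICE "Violation reports" table.
MESSAGES = {
    "PROHIBITED": "Set as network device in violation of policy",
    "REQUIRED": "Set as interactive device in violation of policy",
}

def effective(constraint, node, device, limits, exemptions):
    """Limit value, unless an exemption matches this <node>, <device-name>.

    Assumption: the first matching exemption replaces the limit."""
    for ex_constraint, ex_node, ex_device, value in exemptions:
        if (ex_constraint == constraint
                and fnmatchcase(node, ex_node)
                and fnmatchcase(device, ex_device)):
            return value
    return limits[constraint]

def check_netdevice(terminals, limits, exemptions):
    """Return (node, device, constraint, message) for each violation."""
    findings = []
    for node, device, is_network in terminals:
        if is_network and effective("PROHIBITED", node, device, limits, exemptions):
            findings.append((node, device, "PROHIBITED", MESSAGES["PROHIBITED"]))
        if not is_network and effective("REQUIRED", node, device, limits, exemptions):
            findings.append((node, device, "REQUIRED", MESSAGES["REQUIRED"]))
    return findings

# Constructed inventory: (node, device, currently a network device?)
TERMINALS = [
    ("NODEA", "TTA1", True),    # recorded asynchronous DECnet line
    ("NODEA", "TXA3", False),   # recorded interactive line
    ("NODEA", "TXA4", True),    # interactive line that became a network device
    ("NODEB", "TTB0", False),   # line with no exemption on record
]
DEFAULT_LIMITS = {"PROHIBITED": False, "REQUIRED": False}
AGGRESSIVE_LIMITS = {"PROHIBITED": True, "REQUIRED": True}
EXEMPTIONS = [
    ("PROHIBITED", "NODEA", "TTA1", False),  # may be a network device
    ("REQUIRED", "NODEA", "TXA*", False),    # wildcard: may be interactive
]

if __name__ == "__main__":
    for finding in check_netdevice(TERMINALS, AGGRESSIVE_LIMITS, EXEMPTIONS):
        print(*finding)
```

With both limits TRUE, every line violates one constraint or the other until someone records the state it is expected to be in, so an unrecorded line (NODEB TTB0) is reported as well as a recorded line that changed state (NODEA TXA4).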
OPERATOR
Determine whether enabling for operator messages conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Enabled for operator messages in violation of policy |
| REQUIRED | Disabled from operator messages in violation of policy |
Description
Certain terminals at a site are generally designated as operator
terminals to receive user and program requests for operator assistance.
These tests can be used to ensure that no unauthorized terminals are so
enabled and to ensure that required terminals are enabled.
Default policy
Enabling as an operator terminal is prohibited.
Customizing
Establish PROHIBITED exemptions for authorized operator terminals.
If you want to ensure that certain terminals are enabled, set the
REQUIRED limit TRUE and establish exemptions for all the "other"
terminals (a tall order).
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | TRUE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>, <device-name> |
| REQUIRED | FALSE or TRUE | <node>, <device-name> |

Practical considerations
Enabling a terminal for operator messages does not grant any ability to
control anything, merely to receive information. In that light, you may
not care what terminals are enabled and may prefer to relax the default
PROHIBITED limit to FALSE.