LJK/Security Reference Manual
The second part (Volume Name) of the (DISK,DISKWRITE,*) exemption
specification must be of the form "DISK$<label>".
Selector
Limits
| Constraint | Value | Default |
| GRPFORBID | FALSE or TRUE | FALSE |
| SYSFORBID | FALSE or TRUE | FALSE |
| USERFORBID | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
| GRPFORBID | FALSE or TRUE | <node>,<device-name> |
| SYSFORBID | FALSE or TRUE | <node>,<device-name> |
| USERFORBID | FALSE or TRUE | <node>,<device-name> |
Practical considerations
These tests can detect use of unauthorized portable media such as CDROMs
only if they happen to run while the media are mounted. To detect other
cases, use the (USAGE, DISKMOUNT, *) tests.
DISKWRITE
Ensure that only authorized disks have been mounted writable.
Violation reports
| Constraint | Nature of the violation |
| GRPFORBID | Unauthorized disk was mounted /GROUP |
| SYSFORBID | Unauthorized disk was mounted /SYSTEM |
| USERFORBID | Unauthorized disk was mounted privately |
Description
These tests ensure that any disks previously mounted write-enabled had
authorized names (as indicated by the presence of an exemption).
Default policy
By default, (USAGE,DISKWRITE,*) tests are not enabled.
Customizing
Exemptions for (DISK,DISKWRITE,*) tests are also honored
for (USAGE,DISKWRITE,*) tests.
The second part (Volume Name) of the (DISK,DISKWRITE,*) exemption
specification must be of the form "DISK$<label>".
Selector
Limits
| Constraint | Value | Default |
| GRPFORBID | FALSE or TRUE | FALSE |
| SYSFORBID | FALSE or TRUE | FALSE |
| USERFORBID | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
| GRPFORBID | FALSE or TRUE | <node>,<device-name> |
| SYSFORBID | FALSE or TRUE | <node>,<device-name> |
| USERFORBID | FALSE or TRUE | <node>,<device-name> |
Practical considerations
These tests can detect use of unauthorized portable media such as USB
memory sticks only if they happen to run while the media are mounted. To
detect other cases, use the (USAGE, DISKWRITE, *) tests.
ERASEDELET
Ensure that specification of Erase On Delete for disk volumes conforms
to local policy.
Violation reports
| Constraint | Nature of the violation |
| PROHIBITED | Erase On Delete is enabled in violation of policy |
| REQUIRED | Erase On Delete is disabled in violation of policy |
Description
When Erase On Delete is specified for a disk volume, all files deleted
from that volume will have their disk space overwritten with a
system-specified pattern.
Note that this is different from setting individual files to
be erased on deletion.
Default policy
Use of Erase On Delete is neither prohibited nor required.
Customizing
Set the limit for DISK_ERASEDELET_REQUIRED to TRUE in order to require
all disk volumes to be set for Erase On Delete.
Selector
Limits
| Constraint | Value | Default |
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
| PROHIBITED | FALSE or TRUE | <node>,<volume-name> |
| REQUIRED | FALSE or TRUE | <node>,<volume-name> |
Practical considerations
Enabling Erase On Delete has a significant
performance impact when files are deleted.
FILEPROT
Ensure that protections on files not covered by other file protection
elements fall within the restrictions set by policy.
Violation reports
| Constraint | Nature of the violation |
| ABSOLUTLO | Access is narrower than permitted by policy |
| ABSOLUTHI | Access is wider than permitted by policy |
| NOSYSOWNER | File is owned by a system UIC in violation of policy |
| PERCENTLO | Fewer users can access than permitted by policy |
| PERCENTHI | More users can access than permitted by policy |
| SYSOWNER | File is not owned by a system UIC in violation of policy |
| VERSIONMAX | File version number is higher than allowed by policy |
Description
If a file's protection setting is not restrictive enough, unauthorized
users will be able to read, write, execute, or delete the file in question.
If the setting is too restrictive, users generally find a less acceptable
way of sharing information to get their job done; typically they share
their password or make an unauthorized copy of the file somewhere else.
The purpose of this test is to ensure that file protection settings are
within the limits set by the security manager.
The ABSOLUTLO and ABSOLUTHI tests measure the UIC-based protection mask
directly. The PERCENTLO and PERCENTHI tests measure the result of
protection (including ACL protection) in terms of the percentage of
usernames given access (ignoring usernames that have been disabled).
Violations for protection-related DISK facility elements that concern only
the writeability of CDROM disks are not reported, since the apparent
writeability of a CDROM is just an illusion.
Default policy
The file protection setting must allow at least the system to read, write,
execute, and delete the file. By default, the weakest acceptable file
setting allows the system and owner to read, write, execute, and delete the
file, and also allows other users in the owner's UIC group to read and
execute the file.
By default, other users outside the owner's group are allowed NO access
to the file.
By default, a minimum of 0 percent of users must have access and a
maximum of 10 percent of users may have access.
Customizing
Limits for constraints ABSOLUTLO and ABSOLUTHI take the same form as a
standard VMS file protection setting. The syntax for this is explained in
some detail in VMS documentation. The default settings shown in the limits
table below are good examples of how to specify which class of users is
allowed which type of access. These are the codes involved:
- S=System account (or users with the SYSPRV privilege)
- O=Owner of the file
- G=Group (i.e., other users in the same UIC group as the owner)
- W=World (i.e., all other users)
- R=Read
- W=Write
- E=Execute
- D=Delete
Note that W appears in both lists: before the colon it names the World
class, after the colon it grants Write access (as in W:RE). A class listed
without a colon and access codes, such as O, G and W in (S:RWED,O,G,W),
is allowed no access at all.
Selector
Limits for constraints PERCENTLO and PERCENTHI can take a selector
consisting of a VMS file access type: READ, WRITE, EXECUTE, DELETE or
CONTROL. If no selector is specified, customization commands apply to
all possible selector values.
Limits
| Constraint | Value | Default |
| ABSOLUTLO | Any Protection | (S:RWED,O,G,W) |
| ABSOLUTHI | Any Protection | (S:RWED,O:RWED,G:RE,W) |
| NOSYSOWNER | FALSE or TRUE | FALSE |
| PERCENTLO | 0-100 | 0 |
| PERCENTHI | 0-100 | 10 |
| SYSOWNER | FALSE or TRUE | FALSE |
| VERSIONMAX | 0-32767 | 0 |
Exemptions
| Constraint | Value | Parameters |
| ABSOLUTLO | Any Protection | <node>,<filespec> |
| ABSOLUTHI | Any Protection | <node>,<filespec> |
| NOSYSOWNER | FALSE or TRUE | <node>,<filespec> |
| PERCENTLO | 0-100 | <node>,<filespec> |
| PERCENTHI | 0-100 | <node>,<filespec> |
| SYSOWNER | FALSE or TRUE | <node>,<filespec> |
| VERSIONMAX | 0-32767 | <node>,<filespec> |
Practical considerations
File protection is an area which usually
cannot be managed at arm's length from individual users and
applications. Departments or people
who depend on each other for data frequently will need some assistance
in working out a protection scheme that allows this to take place
without opening the files up to all users. Be sure to consider Access
Control Lists (which explicitly name the users who
can access a given file) if you find yourself getting painted into a
corner with simple file protection settings. See the VMS system
manager's documentation for details.
HELPPROT
Ensure that protections on files in SYS$HELP and SYS$LIBRARY fall
within the restrictions set by policy.
Violation reports
| Constraint | Nature of the violation |
| ABSOLUTLO | Access is narrower than permitted by policy |
| ABSOLUTHI | Access is wider than permitted by policy |
| NOSYSOWNER | File is owned by a system UIC in violation of policy |
| PERCENTLO | Fewer users can access than permitted by policy |
| PERCENTHI | More users can access than permitted by policy |
| SYSOWNER | File is not owned by a system UIC in violation of policy |
| VERSIONMAX | File version number is higher than allowed by policy |
Description
If a file's protection setting is not restrictive enough, unauthorized
users will be able to read, write, execute, or delete the file in question.
If the setting is too restrictive, users generally find a less acceptable
way of sharing information to get their job done; typically they share
their password or make an unauthorized copy of the file somewhere else.
The purpose of this test is to ensure that file protection settings are
within the limits set by the security manager.
The ABSOLUTLO and ABSOLUTHI tests measure the UIC-based protection mask
directly. The PERCENTLO and PERCENTHI tests measure the result of
protection (including ACL protection) in terms of the percentage of
usernames given access (ignoring usernames that have been disabled).
Violations for protection-related DISK facility elements that concern only
the writeability of CDROM disks are not reported, since the apparent
writeability of a CDROM is just an illusion.
Default policy
Files have a system owner.
The file protection setting must allow at least the system to read, write,
execute, and delete the file. By default, the weakest acceptable file
setting for this element allows the system and owner to read, write,
execute, and delete the file, and allows other users in the owner's UIC
group, and users outside that group, to read and execute the file (the
ABSOLUTHI default of (S:RWED,O:RWED,G:RE,W:RE) in the limits table below).
By default, a minimum of 0 percent of users must have access and a
maximum of 100 percent of users may have access (the PERCENTHI default
for this element), since help and library files are normally readable by
every user.
Customizing
Limits for constraints ABSOLUTLO and ABSOLUTHI take the same form as a
standard VMS file protection setting. The syntax for this is explained in
some detail in VMS documentation. The default settings shown in the limits
table below are good examples of how to specify which class of users is
allowed which type of access. These are the codes involved:
- S=System account (or users with the SYSPRV privilege)
- O=Owner of the file
- G=Group (i.e., other users in the same UIC group as the owner)
- W=World (i.e., all other users)
- R=Read
- W=Write
- E=Execute
- D=Delete
Note that W appears in both lists: before the colon it names the World
class, after the colon it grants Write access (as in W:RE). A class listed
without a colon and access codes, such as O, G and W in (S:RWED,O,G,W),
is allowed no access at all.
Selector
Limits for constraints PERCENTLO and PERCENTHI can take a selector
consisting of a VMS file access type: READ, WRITE, EXECUTE, DELETE or
CONTROL. If no selector is specified, customization commands apply to
all possible selector values.
Limits
| Constraint | Value | Default |
| ABSOLUTLO | Any Protection | (S:RWED,O,G,W) |
| ABSOLUTHI | Any Protection | (S:RWED,O:RWED,G:RE,W:RE) |
| NOSYSOWNER | FALSE or TRUE | FALSE |
| PERCENTLO | 0-100 | 0 |
| PERCENTHI | 0-100 | 100 |
| SYSOWNER | FALSE or TRUE | TRUE |
| VERSIONMAX | 0-32767 | 0 |
Exemptions
| Constraint | Value | Parameters |
| ABSOLUTLO | Any Protection | <node>,<filespec> |
| ABSOLUTHI | Any Protection | <node>,<filespec> |
| NOSYSOWNER | FALSE or TRUE | <node>,<filespec> |
| PERCENTLO | 0-100 | <node>,<filespec> |
| PERCENTHI | 0-100 | <node>,<filespec> |
| SYSOWNER | FALSE or TRUE | <node>,<filespec> |
| VERSIONMAX | 0-32767 | <node>,<filespec> |
Practical considerations
File protection is an area which usually
cannot be managed at arm's length from individual users and
applications. Departments or people
who depend on each other for data frequently will need some assistance
in working out a protection scheme that allows this to take place
without opening the files up to all users. Be sure to consider Access
Control Lists (which explicitly name the users who
can access a given file) if you find yourself getting painted into a
corner with simple file protection settings. See the VMS system
manager's documentation for details.
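The ABSOLUTLO/ABSOLUTHI mask comparison and the PERCENTLO/PERCENTHI
measure described under FILEPROT and HELPPROT, as an added worked example.
This is not LJK/Security's own code and is not how the product computes
its results; it models the rules as this manual states them. The
protection-string syntax and the S/O/G/W and R/W/E/D codes are the VMS
conventions described above. The access-check model (a matching identifier
ACE decides; otherwise the UIC-based mask applies; the System class is a
UIC group at or below MAXSYSGROUP, assumed to be the VMS default of octal
10, or the SYSPRV privilege) is a simplification, and the user table, owner
UIC and ACL are constructed for illustration only.

```python
# Added example, not LJK/Security's own code: a model of the FILEPROT / HELPPROT
# checks.  The protection-string syntax and the S/O/G/W and R/W/E/D codes are the
# VMS conventions described on this page.  The access-check model (a matching
# identifier ACE decides; otherwise the UIC-based mask applies; the System class
# is a UIC group <= MAXSYSGROUP or the SYSPRV privilege) is a simplification, and
# the user table, owner and ACL below are constructed for illustration only.

CLASSES = ("S", "O", "G", "W")          # System, Owner, Group, World
RIGHTS = "RWED"                         # Read, Write, Execute, Delete
MAXSYSGROUP = 0o10                      # assumption: the VMS default SYSGEN value


def parse_protection(spec):
    """Parse '(S:RWED,O:RWED,G:RE,W)' into {'S': {'R','W','E','D'}, ..., 'W': set()}.
    A class listed without ':rights', or omitted entirely, grants no access."""
    body = spec.strip().strip("()")
    mask = {c: set() for c in CLASSES}
    for field in (f.strip().upper() for f in body.split(",")):
        if not field:
            continue
        cls, _, rights = field.partition(":")
        if cls not in CLASSES or not set(rights) <= set(RIGHTS):
            raise ValueError(f"bad protection field {field!r} in {spec!r}")
        mask[cls] = set(rights)
    return mask


def fmt(rights):
    """Render a set of access codes in the conventional RWED order."""
    return "".join(r for r in RIGHTS if r in rights)


def check_absolute(actual, lo="(S:RWED,O,G,W)", hi="(S:RWED,O:RWED,G:RE,W)"):
    """Compare a file's UIC-based mask against the ABSOLUTLO / ABSOLUTHI limits
    (defaults are the FILEPROT defaults on this page) and return the violations."""
    a, lo_m, hi_m = (parse_protection(s) for s in (actual, lo, hi))
    violations = []
    for c in CLASSES:
        missing = lo_m[c] - a[c]        # policy demands it, the file withholds it
        if missing:
            violations.append(f"ABSOLUTLO: {c}:{fmt(missing)} narrower than permitted")
        extra = a[c] - hi_m[c]          # the file grants it, policy forbids it
        if extra:
            violations.append(f"ABSOLUTHI: {c}:{fmt(extra)} wider than permitted")
    return violations


def is_system_uic(uic, maxsysgroup=MAXSYSGROUP):
    """SYSOWNER / NOSYSOWNER: a UIC is 'system' when its group number is <= MAXSYSGROUP."""
    return uic[0] <= maxsysgroup


def has_access(user, owner_uic, mask, acl, right):
    """Simplified VMS access check for one user and one right (R, W, E or D)."""
    for ident, rights in acl:           # first identifier ACE naming the user decides
        if ident == user["name"]:
            return right in rights
    classes = {"W"}                     # every user is in the World class
    if user["uic"] == owner_uic:
        classes.add("O")
    if user["uic"][0] == owner_uic[0]:
        classes.add("G")
    if is_system_uic(user["uic"]) or user.get("sysprv"):
        classes.add("S")
    return any(right in mask[c] for c in classes)


def percent_with_access(users, owner_uic, protection, acl, right):
    """PERCENTLO / PERCENTHI measure: percentage of enabled usernames that obtain
    `right` through the mask or the ACL; disabled usernames are ignored."""
    mask = parse_protection(protection)
    enabled = [u for u in users if not u.get("disabled")]
    if not enabled:
        return 0.0
    granted = sum(has_access(u, owner_uic, mask, acl, right) for u in enabled)
    return 100.0 * granted / len(enabled)


def check_percent(pct, lo=0, hi=10):
    """Apply the PERCENTLO / PERCENTHI limits (defaults are the FILEPROT defaults)."""
    violations = []
    if pct < lo:
        violations.append(f"PERCENTLO: {pct:.0f}% of users can access, fewer than the {lo}% required")
    if pct > hi:
        violations.append(f"PERCENTHI: {pct:.0f}% of users can access, more than the {hi}% permitted")
    return violations


# Constructed user table: name, UIC as (group, member), flags.  Not real accounts.
USERS = [
    {"name": "SYSTEM", "uic": (1, 4)},                    # system UIC group
    {"name": "ALICE", "uic": (200, 1)},                   # file owner
    {"name": "BOB", "uic": (200, 2)},                     # same UIC group as owner
    {"name": "CAROL", "uic": (300, 5)},                   # World only
    {"name": "DAVE", "uic": (300, 9), "disabled": True},  # ignored by PERCENT tests
    {"name": "EVE", "uic": (300, 7)},                     # gets read access via the ACL
]
OWNER = (200, 1)
ACL = [("EVE", "R")]                    # one identifier ACE; identifier == username (assumption)

if __name__ == "__main__":
    print(check_absolute("(S:RWED,O:RWED,G:RE,W:RE)"))      # World access wider than FILEPROT allows
    print(check_absolute("(S:RE,O:RWED,G,W)"))               # System lacks W and D
    pct = percent_with_access(USERS, OWNER, "(S:RWED,O:RWED,G:RE,W)", ACL, "R")
    print(pct, check_percent(pct))                           # EVE's ACE pushes READ access to 80%
```

The same mask that passes FILEPROT's ABSOLUTHI fails the PERCENTHI default of
10 percent once a single ACE is added for a World-class user, which is the
point of running both kinds of test: the UIC mask alone does not show who can
actually read the file. For HELPPROT, pass its own defaults, for example
`hi="(S:RWED,O:RWED,G:RE,W:RE)"` and `hi=100` to `check_percent`.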
HIGHWATER
Ensure that specification of File Highwater Marking for disk volumes
conforms to local policy.
Violation reports
| Constraint | Nature of the violation |
| PROHIBITED | File Highwater Marking is enabled in violation of policy |
| REQUIRED | File Highwater Marking is disabled in violation of policy |
Description
When File Highwater Marking is specified for a disk volume, users are
prevented from reading the previous contents of space now allocated to
their files.
Default policy
Use of File Highwater Marking is required.
Customizing
Change the DISK_HIGHWATER_REQUIRED limit to FALSE, or add exemptions, if
File Highwater Marking causes severe performance problems because systems
are still running VMS V4.
Selector
Limits
| Constraint | Value | Default |
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
| PROHIBITED | FALSE or TRUE | <node>,<volume-name> |
| REQUIRED | FALSE or TRUE | <node>,<volume-name> |
Practical considerations
Under VMS V4, enabling File Highwater Marking could cause performance
problems when files were created or extended. Effective with VMS V5.0,
that problem was eliminated for sequential files, as DEC implemented their
original plan for File Highwater Marking rather than the "erase on extend"
temporary method they had used under VMS V4.
Under VMS V5 the "erase on extend" implementation is still used for
relative and indexed files, but the overhead it introduces is not usually
noticed because of the overhead already present in creating or extending
relative and indexed files.
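The way the PROHIBITED and REQUIRED limits and the per-volume exemptions of
the ERASEDELET and HIGHWATER elements combine into violation reports, as an
added worked example. This is not LJK/Security's own code; it models the
tables above. One reading of this manual is assumed: an exemption keyed by
<node>,<volume-name> replaces the constraint's site-wide limit with the
exemption's value for that one volume. The volume states are constructed,
and the check for a constraint pair with both PROHIBITED and REQUIRED set to
TRUE (which would flag every volume) is added here as a practitioner's
sanity check, not something the manual describes.

```python
# Added example, not LJK/Security's own code: a model of how the PROHIBITED and
# REQUIRED limits and the per-volume exemptions of the ERASEDELET and HIGHWATER
# elements combine into violation reports.  Reading of this page (assumption):
# an exemption keyed by <node>,<volume-name> replaces the constraint's limit
# with the exemption's value for that one volume.  Volumes below are constructed.

ELEMENTS = {
    # element: (volume attribute, wording used in the violation reports)
    "ERASEDELET": ("erase_on_delete", "Erase On Delete"),
    "HIGHWATER": ("highwater", "File Highwater Marking"),
}

DEFAULT_LIMITS = {   # defaults from the Limits tables of the two elements
    ("ERASEDELET", "PROHIBITED"): False,
    ("ERASEDELET", "REQUIRED"): False,
    ("HIGHWATER", "PROHIBITED"): False,
    ("HIGHWATER", "REQUIRED"): True,
}


def policy_conflicts(limits):
    """Elements whose PROHIBITED and REQUIRED limits are both TRUE: every volume
    would be reported, so catch this before running the tests (added check)."""
    return [e for e in ELEMENTS if limits[(e, "PROHIBITED")] and limits[(e, "REQUIRED")]]


def effective_limit(element, constraint, node, volume, limits, exemptions):
    """An exemption for (element, constraint, node, volume) wins over the site limit."""
    key = (element, constraint, node.upper(), volume.upper())
    return exemptions.get(key, limits[(element, constraint)])


def evaluate(volumes, limits=None, exemptions=None):
    """Return one (node, volume, element, constraint, text) tuple per violation."""
    limits = limits or DEFAULT_LIMITS
    exemptions = exemptions or {}
    reports = []
    for vol in volumes:
        node, name = vol["node"], vol["volume"]
        for element, (attr, label) in ELEMENTS.items():
            enabled = vol[attr]
            if enabled and effective_limit(element, "PROHIBITED", node, name, limits, exemptions):
                reports.append((node, name, element, "PROHIBITED",
                                f"{label} is enabled in violation of policy"))
            if not enabled and effective_limit(element, "REQUIRED", node, name, limits, exemptions):
                reports.append((node, name, element, "REQUIRED",
                                f"{label} is disabled in violation of policy"))
    return reports


# Constructed volume states (node, volume name, flags); values are invented.
VOLUMES = [
    {"node": "NODE1", "volume": "DISK$USER", "erase_on_delete": False, "highwater": True},
    {"node": "NODE1", "volume": "DISK$SCRATCH", "erase_on_delete": False, "highwater": False},
    {"node": "NODE1", "volume": "DISK$OLDV4", "erase_on_delete": False, "highwater": False},
]

# Exemption: highwater marking is not required on the volume still served by a V4 system.
EXEMPTIONS = {("HIGHWATER", "REQUIRED", "NODE1", "DISK$OLDV4"): False}

# A stricter site that also sets DISK_ERASEDELET_REQUIRED to TRUE.
STRICT_LIMITS = {**DEFAULT_LIMITS, ("ERASEDELET", "REQUIRED"): True}

if __name__ == "__main__":
    for report in evaluate(VOLUMES, exemptions=EXEMPTIONS):
        print(*report)                      # only DISK$SCRATCH is reported
    for report in evaluate(VOLUMES, limits=STRICT_LIMITS, exemptions=EXEMPTIONS):
        print(*report)                      # three ERASEDELET reports join it
```

With the default limits only DISK$SCRATCH is reported once the DISK$OLDV4
exemption is in place; switching ERASEDELET to REQUIRED adds a report for
every volume that does not erase on delete, which is the moment to decide
whether the performance cost noted under ERASEDELET is acceptable or whether
specific volumes should be exempted instead.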
INSTALLED
Ensure that unauthorized images are not installed.
Violation reports
| Constraint | Nature of the violation |
| CHECKSUM | Installed image not checksummed in violation of policy |
| PROHIBITED | Image Installation in violation of policy |
Description
Installation of a shareable image declares it "trusted" and accessible by
privileged programs. This test can be used to ensure that only authorized
programs are installed.
Exemptions within the (DISK, CHECKSUM) element specify checksum values for
particular files on disk. The CHECKSUM constraint of this element checks
whether such an exemption has been established for every installed image
on the system.
Default policy
Image installation is not prohibited.
Customizing
Setting the DISK_INSTALLED_PROHIBITED limit to TRUE should be accompanied
by establishment of corresponding exemptions for images whose installation
is acceptable (many of which are supplied by VMS and layered products).
Selector
Limits
| Constraint | Value | Default |
| CHECKSUM | FALSE or TRUE | FALSE |
| PROHIBITED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
| CHECKSUM | FALSE or TRUE | <node>,<filespec> |
| PROHIBITED | FALSE or TRUE | <node>,<filespec> |
Practical considerations
Tracking all images allowed to be installed
can be a considerable effort.