LJK/Security Reference Manual

PROTECTION

Ensure that disk volumes have protection settings that fall within the restrictions of the security policy.

Violation reports

Constraint	Nature of the violation
ABSOLUTLO	Access is narrower than permitted by policy
ABSOLUTHI	Access is wider than permitted by policy
PERCENTLO	Fewer users can access than permitted by policy
PERCENTHI	More users can access than permitted by policy

Description

Disk volumes, like files and other resources, can be given protection settings. For the same reasons, their protection settings are important to a security manager.
The ABSOLUTLO and ABSOLUTHI tests measure the UIC-based protection mask directly. The PERCENTLO and PERCENTHI tests measure the result of protection (including ACL protection) in terms of the percentage of usernames given access (ignoring usernames that have been disabled).
Violations for protection-related DISK facility elements are not reported regarding only the writeability of CDROM disks since the apparent writeability is just an illusion.

Default policy

The most restrictive volume protection must allow only users with SYSPRV privilege to read, write, execute, or delete files that are stored on the disk volume. In most cases, this will be far too restrictive. On the other hand, by default, the most permissive volume protection setting will allow all users to read, write, execute, and delete files that are on that volume. This might sound too permissive, but it is the one that is usually appropriate for a timesharing system, since it grants users access to any files that individually allow it.

By default, a minimum of 0 percent of users must have access and a maximum of 100 percent of users may have access

Customizing

As mentioned above, the default restrictive limit is too restrictive for most cases. It can be eased by changing the ABSOLUTLO limit to allow the owner, group, and world users to access the disk volume in some degree. Similarly, if the default permissive limit is too permissive for your site, you can change it by changing the ABSOLUTHI limit to deny some forms of access to some classes of users (system, owner, group, or world). selector Limits for constraints PERCENTLO and PERCENTHI can take a selector consisting of a VMS file access type: READ, WRITE, EXECUTE, DELETE or CONTROL. If no selector is specified, customization commands apply to all possible selector values.

Limits

Constraint	Value	Default
ABSOLUTLO	Any Protection	(S:RWED,O,G,W)
ABSOLUTHI	Any Protection	(S:RWED,O:RWED,G:RWED,W:RWED)
PERCENTLO	0-100	0
PERCENTHI	0-100	100

Exemptions

Constraint	Value	Parameters
ABSOLUTLO	Any Protection	<node>, <volume-name>
ABSOLUTHI	Any Protection	<node>, <volume-name>
PERCENTLO	0-100	<node>, <volume-name>
PERCENTHI	0-100	<node>, <volume-name>

Practical considerations

Protection of individual files on a volume is also used to control access.

QUOTA

Ensure that disk quotas are administered in compliance with security policy and that no single user is capable of filling the disk to a dangerous level.

Violation reports

Constraint	Nature of the violation
COULDFILL	The named user has quota high enough to fill the disk.
PROHIBITED	Quotas have been applied to the disk against policy.
REQUIRED	Quotas are missing from the disk against policy.

Description

The VMS operating system handles disk space allocation differently from some others, notably most IBM systems. A quota of 1000 blocks, for example, allows the user to use up to 1000 blocks on the disk if they are available, but the quota itself does not guarantee that 1000 blocks are available.
In most VMS timesharing systems, it is usually practical to assign quotas that total more than the number of blocks that physically exist on the disk. This is because a typical user needs his full quota only for a day or two out of a month or quarter, and can get by with (for instance) half his quota the rest of the time.
Thus, "over-allocating" allows users who are good citizens and who have varying disk requirements to share a disk economically. To guarantee every user an exact number of blocks is possible by limiting the total quotas to the physical size of the disk, but that usually means buying more disks than are justified by the total number of blocks actually in use.
On the other hand, it is appropriate to set up some disks without quotas. A disk that is used for temporary work space by the SORT utility is a good example: the files vary widely in size and user but are deleted promptly after use.
The purpose of this test is to ensure that quotas are enabled or disabled on each disk as planned, and that they have not reached a state in which a single user could fill the disk to a dangerous level and thus limit access by other users.
Disk quota tests will not be applied to the RRD40 or RRD50 CDROM disk drive, since disk quota is not meaningful for a read-only device.

Default policy

The default policy requires that quotas be enabled on each disk and that no single user be able to fill the disk to the 90% level

Customizing

If quotas must be enabled on some of your disks, the default settings for PROHIBITED and REQUIRED are correct for those disks.

If disk availability is critical on some disks at your site, you might wish to set a lower limit than the default percentage (90) for COULDFILL, such as 75, but this means that you will receive violation reports more frequently. Note that this is only effective when quotas are enabled, so you should also use the TRUE setting for REQUIRED.

If quotas should not be enabled on some of your disks, you should change the PROHIBITED setting to TRUE and the REQUIRED setting to FALSE for those disks.

If you do not wish to monitor quota settings at all, set both PROHIBITED and REQUIRED to FALSE

Selector

Limits

Constraint	Value	Default
COULDFILL	0---100	90
PROHIBITED	FALSE or TRUE	FALSE
REQUIRED	FALSE or TRUE	TRUE

Exemptions

Constraint	Value	Parameters
COULDFILL	0---100	<node>, <volume-name>
PROHIBITED	FALSE or TRUE	<node>, <volume-name>
REQUIRED	FALSE or TRUE	<node>, <volume-name>

Practical considerations

Disks without quotas enabled are easy targets for denial-of-service attacks. i

Giving any user (for instance, SYSTEM) unlimited quota on their default login disk opens the window for such an attack if the user is enabled to receive mail messages. If there is a true need for a user to have unlimited quota on their default login disk, receipt of mail should be disabled for the username.

RDBVMSPROT

Ensure that protections on all Rdb/VMS files fall within the restrictions set by policy. Rdb/VMS files in this context are all of those with the following file types:

.RDB
.SNP

Violation reports

Constraint	Nature of the violation
ABSOLUTLO	Access is narrower than permitted by policy
ABSOLUTHI	Access is wider than permitted by policy
NOSYSOWNER	File is owned by a system UIC in violation of policy
PERCENTLO	Fewer users can access than permitted by policy
PERCENTHI	More users can access than permitted by policy
SYSOWNER	File is not owned by a system UIC in violation of policy
VERSIONMAX	File version number is higher than allowed by policy

Description

Rdb/VMS files are normally protected to allow only SYSTEM access, so that even the owner of the database must use DBMS access methods.
The ABSOLUTLO and ABSOLUTHI tests measure the UIC-based protection mask directly. The PERCENTLO and PERCENTHI tests measure the result of protection (including ACL protection) in terms of the percentage of usernames given access (ignoring usernames that have been disabled).
Violations for protection-related DISK facility elements are not reported regarding only the writeability of CDROM disks since the apparent writeability is just an illusion.

Default policy

The Rdb/VMS file protection setting must allow only the system to read and write the Rdb/VMS files.

By default, a minimum of 0 percent of users must have access and a maximum of 1 percent of users may have READ, WRITE and CONTROL access, and a maximum of 0 percent of users may have other forms of access

Customizing

Rdb/VMS access is normally granted only through access control lists within the database, so there should be no need to customize the default limits for this element. selector Limits for constraints PERCENTLO and PERCENTHI can take a selector consisting of a VMS file access type: READ, WRITE, EXECUTE, DELETE or CONTROL. If no selector is specified, customization commands apply to all possible selector values.

Limits

Constraint	Value	Default
ABSOLUTLO	Any Protection	(S:RW,O,G,W)
ABSOLUTHI	Any Protection	(S:RW,O,G,W)
NOSYSOWNER	FALSE or TRUE	FALSE
PERCENTLO	0-100	0
PERCENTHI	0-100	R:1,W:1,E:0,D:0,C:1
SYSOWNER	FALSE or TRUE	FALSE
VERSIONMAX	0-32767	0

Exemptions

Constraint	Value	Parameters
ABSOLUTLO	Any Protection	<node>,<filespec>
ABSOLUTHI	Any Protection	<node>,<filespec>
NOSYSOWNER	FALSE or TRUE	<node>,<filespec>
PERCENTLO	0-100	<node>,<filespec>
PERCENTHI	0-100	<node>,<filespec>
SYSOWNER	FALSE or TRUE	<node>,<filespec>
VERSIONMAX	0-32767	<node>,<filespec>

Practical considerations

Some file types overlap between DEC DBMS and Rdb/VMS, but the default limits for the two elements (DISK, RDBVMSPROT and DISK, RDBVMSPROT) also match, so except for the unlikely event that customization is required there should be no conflict.

SHADOW

Ensure that use of Volume Shadowing conforms to local policy.

Violation reports

Constraint	Nature of the violation
DATAMAX	Data disk has more shadowing than allowed by policy
DATAMIN	Data disk has less shadowing than allowed by policy
SYSTEMMAX	System disk has more shadowing than allowed by policy
SYSTEMMIN	System disk has less shadowing than allowed by policy

Description

Shadowing levels are encoded as "number of shadow set members" where 1 means a single member shadow set and 0 means a disk not in a shadow set.

Default policy

Volume Shadowing is neither prohibited nor required, in that limits DATAMIN and SYSTEMMIN test are set to zero while limits DATAMAX and SYSTEMMAX test are set to 255 (well beyond the maximum shadow set size supported by VMS)

Customizing

To enforce the use of Volume Shadowing set limits DATAMIN and SYSTEMMIN to the largest number of shadow set members required for any disk volume. Then add exemptions for disk volumes allowed to have a lower number of shadow set members.

To limit the use of Volume Shadowing set limits DATAMAX and SYSTEMMAX to the smallest number of shadow set members permitted for any disk volume. Then add exemptions for disk volumes allowed to have a higher number of shadow set members

Selector

Limits

Constraint	Value	Default
DATAMAX	0 - 255	255
DATAMIN	0 - 255	0
SYSTEMMAX	0 - 255	255
SYSTEMMIN	0 - 255	0

Exemptions

Constraint	Value	Parameters
DATAMAX	0 - 255	<node>,<volume-name>
DATAMIN	0 - 255	<node>,<volume-name>
SYSTEMMAX	0 - 255	<node>,<volume-name>
SYSTEMMIN	0 - 255	<node>,<volume-name>

Practical considerations

Typically limits DATAMIN and SYSTEMMIN will be more useful than limits DATAMAX and SYSTEMMAX.

SUBSYSTEM

Ensure that use of protected subsystems conforms to local policy.

Violation reports

Constraint	Nature of the violation
CHECKSUM	Image designated as protected subsystem not checksummed in violation of policy
NOFILE	Image designated as protected subsystem in violation of policy
PROHIBITED	Disk is mounted /SUBSYSTEM in violation of policy
REQUIRED	Disk is mounted /NOSUBSYSTEM in violation of policy

Description

Exemptions within the (DISK, CHECKSUM) element specify checksum values for particular files on disk. The test for the CHECKSUM constraint within this facility determines whether such an exemption has been established for all images which have been designated as part of a protected subsystem.
The test for the NOFILE constraint within this facility determines whether any image has a subsystem ACE within its Access Control List.
The tests for the PROHIBITED and REQUIRED constraints within this facility determines whether mounting of disks conforms to policy regarding protected subsystems.

Default policy

There are no restrictions regarding the use of Protected Subsystems

Customizing

Limits PROHIBITED and REQUIRED test whether a disk was mounted to honor protected subsystems.

Limit NOFILE can be used to prohibit individual files (for which no exemption has been entered from having a subsystem ACE within its Access Control List.

Limit CHECKSUM can be used to require individual files which have a subsystem ACE within their Access Control List to also have an exemptions within the (DISK, CHECKSUM) element

Selector

Limits

Constraint	Value	Default
CHECKSUM	FALSE or TRUE	TRUE
NOFILE	FALSE or TRUE	FALSE
PROHIBITED	FALSE or TRUE	FALSE
REQUIRED	FALSE or TRUE	TRUE

Exemptions

Constraint	Value	Parameters
CHECKSUM	FALSE or TRUE	<node>,<file-name>
NOFILE	FALSE or TRUE	<node>,<file-name>
PROHIBITED	FALSE or TRUE	<node>,<volume-name>
REQUIRED	FALSE or TRUE	<node>,<volume-name>

Practical considerations

Use of (DISK, SUBSYSTEM, CHECKSUM) restricts the freedom with which those who provide protected subsystem images can manipulate them, but add a degree of assurance appropriate for granting subsystem access.

SYSCOM

Ensure system command procedures are valid.

Violation reports

Constraint	Nature of the violation
CHECKSUM	Command procedure in system directory not checksummed in violation of policy

Description

Exemptions within the (DISK, CHECKSUM) element specify checksum values for particular files on disk. The test for the CHECKSUM constraint within this facility determines whether such an exemption has been established for all files in the SYS$SYSROOT:[*...] tree with a file type of .COM.

Default policy

Checksums of command procedures in the SYS$SYSROOT:[*...] tree are not required

Customizing

Setting the (DISK, SYSCOM, CHECKSUM) limit TRUE is appropriate for production environments where system management activities are to be constrained

Selector

Limits

Constraint	Value	Default
CHECKSUM	FALSE or TRUE	FALSE

Exemptions

Constraint	Value	Parameters
CHECKSUM	FALSE or TRUE	<node>,<filespec>

Practical considerations

In most environments, system managers regularly make modifications to command procedures in system directories.

Contents

Index