LJK/Security Reference Manual

SYSEXE

Ensure system program images are valid.

Violation reports

Constraint	Nature of the violation
CHECKSUM	Image in system directory not checksummed in violation of policy

Description

Exemptions within the (DISK, CHECKSUM) element specify checksum values for particular files on disk. The test for the CHECKSUM constraint within this facility determines whether such an exemption has been established for all files in the SYS$SYSROOT:[*...] tree with a file type of .EXE.

Default policy

Checksums of images in the SYS$SYSROOT:[*...] tree are required

Customizing

Setting the (DISK, SYSEXE, CHECKSUM) limit TRUE is appropriate for most environments since upgrading to a new version of a layered product should be done in a controlled fashion

Selector

Limits

Constraint	Value	Default
CHECKSUM	FALSE or TRUE	TRUE

Exemptions

Constraint	Value	Parameters
CHECKSUM	FALSE or TRUE	<node>,<filespec>

Practical considerations

After upgrading layered products, checksums in the policy should be adjusted as soon as possible to match the new values.

SYSEXEPROT

Ensure that protections on files with type .EXE in SYS$COMMON:[*] fall within the restrictions set by policy.

Violation reports

Constraint	Nature of the violation
ABSOLUTLO	Access is narrower than permitted by policy
ABSOLUTHI	Access is wider than permitted by policy
NOSYSOWNER	File is owned by a system UIC in violation of policy
PERCENTLO	Fewer users can access than permitted by policy
PERCENTHI	More users can access than permitted by policy
SYSOWNER	File is not owned by a system UIC in violation of policy
VERSIONMAX	File version number is higher than allowed by policy

Description

If a file's protection setting is not restrictive enough, unauthorized users will be able to read, write, execute, or delete the file in question. If the setting is too restrictive, users generally find a less acceptable way of sharing information to get their job done. Typically, they share their password or make an unauthorized copy of the file somewhere else.
The purpose of this test is to ensure that file protection settings are within the limits set by the security manager.
The ABSOLUTLO and ABSOLUTHI tests measure the UIC-based protection mask directly. The PERCENTLO and PERCENTHI tests measure the result of protection (including ACL protection) in terms of the percentage of usernames given access (ignoring usernames that have been disabled).
Violations for protection-related DISK facility elements are not reported regarding only the writeability of CDROM disks since the apparent writeability is just an illusion.

Default policy

Files have a system owner.

The file protection setting must allow at least the system to read, write, access, and delete the file. By default, the weakest acceptable file setting allows the system and owner to read, write, execute, and delete the file, and also allows other users in the owner's UIC group and the world to read and execute the file.

By default, a minimum of 0 percent of users must have access and a maximum of 100 percent of users may have READ and EXECUTE access with a maximum of 1 percent having WRITE, EXECUTE and DELETE access

Customizing

Limits for constraints ABSOLUTLO and ABSOLUTHI take the same form as a standard VMS file protection setting. The syntax for this is explained in some detail in VMS documentation. The default settings shown in the limits table below are good examples of how to specify which class of users are allowed which type of access. These are the codes involved:

S=System account (or users with the SYSPRV privilege)
O=Owner of the file
G=Group (i.e., other users in the same UIC group as the owner)
W=World (i.e., all other users)

R=Read
W=Write
E=Execute
D=Delete

selector Limits for constraints PERCENTLO and PERCENTHI can take a selector consisting of a VMS file access type: READ, WRITE, EXECUTE, DELETE or CONTROL. If no selector is specified, customization commands apply to all possible selector values.

Limits

Constraint	Value	Default
ABSOLUTLO	Any Protection	(S:RWED,O,G,W)
ABSOLUTHI	Any Protection	(S:RWED,O:RWED,G:RE,W:RE)
NOSYSOWNER	FALSE or TRUE	FALSE
PERCENTLO	0-100	0
PERCENTHI	0-100	R:100,W:1,E:100,D:1,C:1
SYSOWNER	FALSE or TRUE	TRUE
VERSIONMAX	0-32767	0

Exemptions

Constraint	Value	Parameters
ABSOLUTLO	Any Protection	<node>, <filespec>
ABSOLUTHI	Any Protection	<node>, <filespec>
NOSYSOWNER	FALSE or TRUE	<node>,<filespec>
PERCENTLO	0-100	<node>, <filespec>
PERCENTHI	0-100	<node>, <filespec>
SYSOWNER	FALSE or TRUE	<node>,<filespec>
VERSIONMAX	0-32767	<node>,<filespec>

Practical considerations

Files of type .EXE in SYS$COMMON:[*] are typically protected to allow execution by users. Some of them, particularly those provided by DEC, also allow Read access by individual users.

TWOPRODUCT

Ensure that products from conflicting categories are not running in the same environment.

Violation reports

Constraint	Nature of the violation
NOTASSESS	Conflicting products on the nodes of a single assessment
NOTCLUSTER	Conflicting products on the nodes of a single cluster
NOTNODE	Conflicting products on a single node

Description

Some organizations have rules against running two different classes of software in the same environment. These are exemption-driven tests to detect violations of such rules.
Each exemption string is divided into three strings by the backslash character "\".

class of product
common name of software
system logical name indicating software is running
A violation is reported if software from more than one area is running in the same environment (assessment, cluster or node).

Default policy

By default (USAGE,TWOPRODUCT,*) tests are not enabled

Customizing

(DISK,TWOPRODUCT,*) tests are driven by exemptions - the limits are ignored

Selector

Limits

Constraint	Value	Default
NOTASSESS	FALSE or TRUE	FALSE
NOTCLUSTER	FALSE or TRUE	FALSE
NOTNODE	FALSE or TRUE	FALSE

Exemptions

Constraint	Value	Parameters
NOTASSESS	FALSE or TRUE	<node>,<class-of-product>\<common-name>\<logical-name>
NOTCLUSTER	FALSE or TRUE	<node>,<class-of-product>\<common-name>\<logical-name>
NOTNODE	FALSE or TRUE	<node>,<class-of-product>\<common-name>\<logical-name>

Practical considerations

6.6 QUEUE tests

Tests in the QUEUE facility deal with print and batch queues.

Exemptions are based on node name and queue name or job name.

The node name in an exemption for the QUEUE facility can include standard VMS wildcard characters (% and *).

The queue name or job name name in an exemption for the QUEUE facility can include standard VMS wildcard characters (% and *).

ACLIDENT

Ensure that identifier types used in access control lists conform to policy.

Violation reports

Constraint	Nature of the violation
NOGENERAL	General identifier used in violation of policy
NOSYSTEM	System-defined identifier used in violation of policy
NOUIC	UIC identifier used in violation of policy

Description

Use of UIC identifiers directly in access control lists leads to problems if user responsibilities are changed, since control of the access they have been granted is distributed throughout the system.
The purpose of this test is to ensure that identifiers used in Identifier Access Control Entries are of acceptable types.

Note
Support for access control lists on queues was introduced with VMS V6.0, so the tests of this element will always succeed on earlier versions of VMS.

Default policy

Identifiers in ACLs must not be UIC identifiers

Customizing

The options of prohibiting General and System identifiers are provided for flexibility, but are not useful in most circumstances. The main customization which might be desired is to remove the prohibition against the use of UIC identifiers

Selector

Limits

Constraint	Value	Default
NOGENERAL	FALSE or TRUE	FALSE
NOSYSTEM	FALSE or TRUE	FALSE
NOUIC	FALSE or TRUE	TRUE

Exemptions

Constraint	Value	Parameters
NOGENERAL	FALSE or TRUE	<node>, <queue-name>
NOSYSTEM	FALSE or TRUE	<node>, <queue-name>
NOUIC	FALSE or TRUE	<node>, <queue-name>

Practical considerations

In cases where existing use of UIC identifiers is pervasive temporary customization might be required.

MANAGER

Ensure that use of queue manager conform to policy.

Violation reports

Constraint	Nature of the violation
PROHIBITED	Queue Manager is running in violation of policy
REQUIRED	Queue Manager is not running in violation of policy

Description

This element supports tests regarding whether the queue manager is running.

Default policy

The Queue Manager must be running

Customizing

Preventing use of the Queue Manager considerably restricts the ability to run reliable assured backups. Consider protecting queues as an alternative

Selector

Limits

Constraint	Value	Default
PROHIBITED	FALSE or TRUE	FALSE
REQUIRED	FALSE or TRUE	TRUE

Exemptions

Constraint	Value	Parameters
PROHIBITED	FALSE or TRUE	<node>
REQUIRED	FALSE or TRUE	<node>

Practical considerations

Most installations run the Queue Manager.

MARKING

Ensure that use of print queue marking conform to policy.

Violation reports

Constraint	Nature of the violation
PROHIBITED	Output execution queue outputs a description in violation of policy
REQUIRED	Output execution queue does not output a description in violation of policy
CONTAINS	Output execution queue description does not include text required by policy

Description

This element supports tests regarding whether print jobs include descriptions specified by the print command /NOTE= qualifier.

Note
Support for the /NOTE= qualifier on print jobs was introduced with VMS V6.0, so the test (QUEUE, MARKING, CONTAINS) will always fail on earlier versions of VMS.

Default policy

Print queue marking is not required

Customizing

Use this element to verify that output markings restricting distribution of printouts are configured

Selector

Limits

Constraint	Value	Default
PROHIBITED	FALSE or TRUE	FALSE
REQUIRED	FALSE, TRUE or TRY	FALSE
CONTAINS	text	null string

Exemptions

Constraint	Value	Parameters
PROHIBITED	FALSE or TRUE	<node>, <queue-name>
REQUIRED	FALSE, TRUE or TRY	<node>, <queue-name>
CONTAINS	text	<node>, <queue-name>

Practical considerations

This element pertains to user-specified markings that cannot be forced by managerial controls.

OWNER

Ensure that ownership of queues conforms to policy.

Violation reports

Constraint	Nature of the violation
WRONG	Queue owner is not as specified

Description

If an individual user account gains ownership of a queue, it can be used to interfere with services to other users.
The purpose of this test is to ensure that the proper owner retains ownership of QUEUEs that are not in use. This test checks the ownership of any QUEUE not currently in use and reports any instance in which the owner is not the proper owner.
For limits only (not exemptions), owner matching string of [SYSTEM] will match (as a special case) against UIC's which are represented as [1,4] (due, for instance, to absence of a Rights Database (RIGHTSLIST.DAT)).

Default policy

Every queue must be owned by the system

Customizing

An alternative owner can be specified for any QUEUE by setting an exemption. It is also possible to change the standard owner to be some account other than the system, by changing the limit for this test

Selector

Limits

Constraint	Value	Default
WRONG	Identifier	[SYSTEM]

Exemptions

Constraint	Value	Parameters
WRONG	Identifier	<node>, <queue-name>

Practical considerations

QUEUE ownership and protection must be considered jointly.

PROTECTION

Ensure that each QUEUE's protection setting meets the minimum setting defined by policy.

Violation reports

Constraint	Nature of the violation
ABSOLUTLO	Access is narrower than permitted by policy
ABSOLUTHI	Access is wider than permitted by policy
NOSYSOWNER	Queue is owned by a system UIC in violation of policy
PERCENTLO	Fewer users can access than permitted by policy
PERCENTHI	More users can access than permitted by policy
SYSOWNER	Queue is not owned by a system UIC in violation of policy

Description

Under VMS, a protection setting can be applied to a queue in the same way that it can be applied to files. This allows a given user (or group of users) to have exclusive access to a given disk, for example. Conversely, it can be set to keep a QUEUE open for access by all users, or to limit them to read access.
The purpose of this test is to ensure that the protection settings for QUEUEs remain at the levels established by policy.
The ABSOLUTLO and ABSOLUTHI tests measure the UIC-based protection mask directly. The PERCENTLO and PERCENTHI tests measure the result of protection (including ACL protection) in terms of the percentage of usernames given access (ignoring usernames that have been disabled).

Default policy

Queues have a system owner.

The most permissive protection allowed for a queue gives 100 percent of the users Read and Submit access, but only 10 percent of the users more powerful access

Customizing

The default limit values for these tests leave queue protection "wide open", so changes should be made to obtain any value from this test. selector Limits for constraints PERCENTLO and PERCENTHI can take a selector consisting of a VMS QUEUE access type: READ, WRITE, LOGICAL, PHYSICAL or CONTROL. If no selector is specified, customization commands apply to all possible selector values.

Limits

Constraint	Value	Default
ABSOLUTLO	Any Protection	(S:M,O:D,G:R,W:S)
ABSOLUTHI	Any Protection	(S:RSMD,O:RSMD,G:RSMD,W:RSMD)
NOSYSOWNER	FALSE or TRUE	FALSE
PERCENTLO	0-100	0
PERCENTHI	0-100	R:100,S:100,M:10,D:10,C:10
SYSOWNER	FALSE or TRUE	TRUE

Exemptions

Constraint	Value	Parameters
ABSOLUTLO	Any Protection	<node>, <queue-name>
ABSOLUTHI	Any Protection	<node>, <queue-name>
NOSYSOWNER	FALSE or TRUE	<node>, <queue-name>
PERCENTLO	0-100	<node>, <queue-name>
PERCENTHI	0-100	<node>, <queue-name>
SYSOWNER	FALSE or TRUE	<node>, <queue-name>

Practical considerations

Private queue ownership is a powerful mechanism to allow project operators without giving full OPER privilege.

Contents

Index