LJK/Security Reference Manual
RETAIN
Ensure that batch and print job retention conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| BATCHJALL | Some batch job is not set for unconditional retention |
| BATCHJERR | Some batch job is not set for retention on error |
| BATCHJTIM | Some batch job is not set for timed retention |
| BATCHQALL | Some batch queue is not set for unconditional retention |
| BATCHQERR | Some batch queue is not set for retention on error |
| PRINTJALL | Some print job is not set for unconditional retention |
| PRINTJERR | Some print job is not set for retention on error |
| PRINTJTIM | Some print job is not set for timed retention |
| PRINTQALL | Some print queue is not set for unconditional retention |
| PRINTQERR | Some print queue is not set for retention on error |
| UNHANDLED | Error retention of a job exceeds remediation time limit |
Description
The tests for the *QALL and *QERR
constraints determine whether SET QUEUE/RETAIN=
settings on batch and print queues conform to policy.
The tests for the *JALL, *JERR and *JTIM
constraints determine whether SUBMIT/RETAIN= or
PRINT/RETAIN= settings conform to policy.
The test for the UNHANDLED constraint
determines whether a job has been retained too long after an error
without being handled (and deleted or released).
Default policy
Retention on error is required for all queues, and retained jobs must be handled within four days.
Customizing
Since SUBMIT and PRINT qualifiers can override queue defaults, these tests look at both the queue defaults and how individual jobs are submitted.
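As an added illustration (not code from the LJK/Security product), the following Python models how the *QALL, *QERR, *JALL, *JERR and UNHANDLED constraints combine queue defaults, per-job qualifiers and exemptions. The record layout, the rule that a job's own qualifier overrides its queue's default, and the rule that RETAIN=ALL also satisfies retention on error are assumptions; the timed-retention constraints are left out.

```python
from dataclasses import dataclass
from typing import Optional

# Defaults as given in the RETAIN limits table; UNHANDLED is in minutes (four days).
DEFAULT_LIMITS = {
    "BATCHQALL": False, "BATCHQERR": True, "BATCHJALL": False, "BATCHJERR": True,
    "PRINTQALL": False, "PRINTQERR": True, "PRINTJALL": False, "PRINTJERR": True,
    "UNHANDLED": 5760,
}

@dataclass(frozen=True)
class Queue:
    node: str
    name: str
    kind: str                      # "BATCH" or "PRINT"
    retain: Optional[str] = None   # SET QUEUE/RETAIN= value: None, "ERROR" or "ALL"

@dataclass(frozen=True)
class Job:
    queue: Queue
    username: str
    name: str
    retain: Optional[str] = None      # SUBMIT/RETAIN= or PRINT/RETAIN=, None if not given
    error_retained_minutes: int = 0   # minutes the job has sat retained after an error

def retains(setting, on_error_only):
    """Assumption: ALL satisfies both tests; ERROR satisfies only retention on error."""
    return setting == "ALL" or (on_error_only and setting == "ERROR")

def effective_retain(job):
    """Assumption: a job's own qualifier overrides the queue default, as the manual states."""
    return job.retain if job.retain is not None else job.queue.retain

def check_queue(queue, limits=DEFAULT_LIMITS, exemptions=frozenset()):
    """Return the *QALL / *QERR constraints this queue violates (exempt by node, queue)."""
    spec, found = (queue.node, queue.name), []
    for suffix, on_error in (("ALL", False), ("ERR", True)):
        constraint = f"{queue.kind}Q{suffix}"
        if (limits[constraint] and not retains(queue.retain, on_error)
                and (constraint, spec) not in exemptions):
            found.append(constraint)
    return found

def check_job(job, limits=DEFAULT_LIMITS, exemptions=frozenset()):
    """Return the *JALL / *JERR / UNHANDLED constraints this job violates."""
    spec = (job.queue.node, f"{job.queue.name}/{job.username}/{job.name}")
    found = []
    for suffix, on_error in (("ALL", False), ("ERR", True)):
        constraint = f"{job.queue.kind}J{suffix}"
        if (limits[constraint] and not retains(effective_retain(job), on_error)
                and (constraint, spec) not in exemptions):
            found.append(constraint)
    if (job.error_retained_minutes > limits["UNHANDLED"]
            and ("UNHANDLED", spec) not in exemptions):
        found.append("UNHANDLED")
    return found

# Constructed sample records (not output of any real system).
SYS_BATCH = Queue("NODEA", "SYS$BATCH", "BATCH")                 # no queue default retention
NIGHTLY = Job(SYS_BATCH, "OPERATOR", "BACKUP", "ERROR", 6000)    # retained on error 6000 min
ADHOC = Job(SYS_BATCH, "SMITH", "REPORT")                        # inherits the queue's setting
```

With the default limits, SYS_BATCH reports BATCHQERR, NIGHTLY reports only UNHANDLED (its own /RETAIN=ERROR satisfies BATCHJERR but it has sat more than 5760 minutes), and ADHOC reports BATCHJERR because it inherited no retention from the queue.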
Selector
Limits
| Constraint | Value | Default |
|---|---|---|
| BATCHJALL | FALSE or TRUE | FALSE |
| BATCHJERR | FALSE or TRUE | TRUE |
| BATCHJTIM | time interval | +0-00:00:00.00 |
| BATCHQALL | FALSE or TRUE | FALSE |
| BATCHQERR | FALSE or TRUE | TRUE |
| PRINTJALL | FALSE or TRUE | FALSE |
| PRINTJERR | FALSE or TRUE | TRUE |
| PRINTJTIM | time interval | +0-00:00:00.00 |
| PRINTQALL | FALSE or TRUE | FALSE |
| PRINTQERR | FALSE or TRUE | TRUE |
| UNHANDLED | 0-n minutes | 5760 |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| BATCHJALL | FALSE or TRUE | <node>, <queue-name>/<username>/<job-name> |
| BATCHJERR | FALSE or TRUE | <node>, <queue-name>/<username>/<job-name> |
| BATCHJTIM | +[dddd-][hh:mm:ss.cc] | <node>, <queue-name>/<username>/<job-name> |
| BATCHQALL | FALSE or TRUE | <node>, <queue-name> |
| BATCHQERR | FALSE or TRUE | <node>, <queue-name> |
| PRINTJALL | FALSE or TRUE | <node>, <queue-name>/<username>/<job-name> |
| PRINTJERR | FALSE or TRUE | <node>, <queue-name>/<username>/<job-name> |
| PRINTJTIM | +[dddd-][hh:mm:ss.cc] | <node>, <queue-name>/<username>/<job-name> |
| PRINTQALL | FALSE or TRUE | <node>, <queue-name> |
| PRINTQERR | FALSE or TRUE | <node>, <queue-name> |
| UNHANDLED | 0-n | <node>, <queue-name>/<username>/<job-name> |
Practical considerations
Requiring retention on batch job errors can
help detect confused mishandling of data.
RESTART
Ensure that use of the queue restart capability conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| BATPROHIB | Batch job was submitted /RESTART in violation of policy |
| BATREQUIRE | Batch job was submitted /NORESTART in violation of policy |
| PRIPROHIB | Print job was submitted /RESTART in violation of policy |
| PRIREQUIRE | Print job was submitted /NORESTART in violation of policy |
Description
This element supports tests regarding
whether the /RESTART capability is specified for jobs in print queues
(where it is the VMS default) and batch queues (where it is not the VMS
default).
Default policy
Print jobs must be submitted /RESTART
Customizing
Use the tests for this element to ensure that batch and print operations are carried out in a reliable fashion.
Selector
Limits
| Constraint | Value | Default |
|---|---|---|
| BATPROHIB | FALSE or TRUE | FALSE |
| BATREQUIRE | FALSE or TRUE | FALSE |
| PRIPROHIB | FALSE or TRUE | FALSE |
| PRIREQUIRE | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| BATPROHIB | FALSE or TRUE | <node>, <queue-name>/<username>/<job-name> |
| BATREQUIRE | FALSE or TRUE | <node>, <queue-name>/<username>/<job-name> |
| PRIPROHIB | FALSE or TRUE | <node>, <queue-name>/<username>/<job-name> |
| PRIREQUIRE | FALSE or TRUE | <node>, <queue-name>/<username>/<job-name> |
Practical considerations
This element does not
consider the issue of whether batch jobs are making efficient use of
the BATCH$RESTART capability, since that requires analysis of
individual batch jobs.
6.7 TERM Tests
Tests in the TERM facility deal with terminal
protection.
Security-relevant system parameters affecting terminal security are
not tested, since their effect can be undone by DCL commands
from privileged usernames (typically in the site-specific system startup
command procedure). The approach taken by LJK/Security is to consider
the resulting security rather than how that state was achieved.
Exemptions are based on node name and
terminal name.
The node name in an exemption for the TERM facility
can include standard VMS wildcard characters (% and *).
The terminal name in an exemption for the TERM
facility can include standard VMS wildcard characters (% and *).
ACLIDENT
Ensure that identifier types used in access control lists conform to
policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| NOGENERAL | General identifier used in violation of policy |
| NOSYSTEM | System-defined identifier used in violation of policy |
| NOUIC | UIC identifier used in violation of policy |
Description
Use of UIC identifiers directly in access control lists leads to
problems if user responsibilities are changed, since control of the
access they have been granted is distributed throughout the system.
The purpose of this test is to ensure that identifiers used in
Identifier Access Control Entries are of acceptable types.
Default policy
Identifiers in ACLs must not be UIC identifiers
Customizing
The options of prohibiting General and System identifiers are provided for flexibility, but are not useful in most circumstances. The main customization which might be desired is to remove the prohibition against the use of UIC identifiers.
Selector
Limits
| Constraint | Value | Default |
|---|---|---|
| NOGENERAL | FALSE or TRUE | FALSE |
| NOSYSTEM | FALSE or TRUE | FALSE |
| NOUIC | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| NOGENERAL | FALSE or TRUE | <node>, <device-name> |
| NOSYSTEM | FALSE or TRUE | <node>, <device-name> |
| NOUIC | FALSE or TRUE | <node>, <device-name> |
Practical considerations
In cases where existing use of UIC identifiers is pervasive, temporary customization might be required.
AUTOLOGIN
Ensure that the presence of entries in the autologin file (SYSALF.DAT) complies with policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ENTRY | Autologin is used in violation of policy |
| NONCAPTIVE | Autologin is used to a non-captive username |
| NOPASSWORD | Autologin is used without a password |
| NOSUCHUSER | Autologin specifies a Username that does not exist or is disabled |
| PRIVPROHIB | Autologin is used to a privileged username |
| ABSOLUTHI | Autologin is used to a privileged username |
Description
Entries in the autologin file can be used to automatically log a
particular terminal in to a designated account when the carriage-return
key is pressed. Such accounts can be set up either with or without
passwords, but even when passwords are required, the automatic choice
of username can provide an interloper "part of the puzzle".
The purpose of these tests is to ensure that any entries in the autologin file comply with organization-wide security policy.
Default policy
No use of the autologin file is permitted
Customizing
Establish exemptions based on individual terminal
names to permit limited use of autologin files. Change the
limits to permit unrestricted use of autologin files.
Selector
Limits and exemptions for test TERM_AUTOLOGIN_PRIVPROHIB can take a selector consisting of a privilege name. Thus, each can be set once for each possible privilege. When using the Command Interface, if you do not specify a selector when changing the limit or exemptions, your change applies to all privileges.
Limits
| Constraint | Value | Default |
|---|---|---|
| ENTRY | FALSE or TRUE | TRUE |
| NONCAPTIVE | FALSE or TRUE | TRUE |
| NOPASSWORD | FALSE or TRUE | TRUE |
| NOSUCHUSER | FALSE or TRUE | TRUE |
| PRIVPROHIB | FALSE or TRUE | TRUE * |
| ABSOLUTHI | Category-None---Category-All | Category-Normal |

* FALSE value for privilege TMPMBX.
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ENTRY | FALSE or TRUE | <node>,<device-name> |
| NONCAPTIVE | FALSE or TRUE | <node>,<device-name> |
| NOPASSWORD | FALSE or TRUE | <node>,<device-name> |
| NOSUCHUSER | FALSE or TRUE | <node>,<device-name> |
| PRIVPROHIB | FALSE or TRUE | <node>,<device-name> |
| ABSOLUTHI | Category-None---Category-All | <node>,<device-name> |
Practical considerations
Manual methods must be used to ensure that
named terminals are actually in their putative locations. Assumptions
can be readily thwarted by cabling changes.
The test ABSOLUTHI is sufficient to express simpler
limitations based on privilege level.
If a more complicated selection of privileges is required, it may be
necessary to use the test PRIVPROHIB.
BROADCAST
Determine whether enable state for broadcast messages conforms to
policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Broadcast messages are enabled in violation of policy |
| REQUIRED | Broadcast messages are disabled in violation of policy |
Description
In certain situations the permanent characteristics of terminals to
enable or disable reception of broadcast messages can have security
implications.
These tests are intended to allow reporting when permanent terminal
characteristics do not conform to policy.
Default policy
Enabling of broadcast messages is neither prohibited nor
required
Customizing
You can set limits to indicate a general policy, and exemptions on an individual basis. The most likely situation would be to have the limits require that broadcast messages be enabled and to set exemptions for other cases.
Selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>, <device-name> |
| REQUIRED | FALSE or TRUE | <node>, <device-name> |
Practical considerations
The permanent terminal broadcast setting is
only one factor in the delivery of broadcast messages. It can be
overridden by the user logged in at a terminal (without privilege). The
types of messages delivered can be subsetted by that user through the
SET BROADCAST command.
DIALUP
Determine whether designation as dialup conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Designated as dialup in violation of policy |
| REQUIRED | Designated as non-dialup in violation of policy |
Description
VMS provides the capability to designate certain terminal lines as
"dialup" and restrict system access to particular usernames
or particular files based on whether the access is coming over a
"dialup" line.
Trusting the "dialup" designation in the permanent characteristics of a terminal can be illusory, since a non-dialup line can have a modem attached to it.
On the other hand, some sites use the "dialup" designation for other
meanings which are either not relevant to security or do not have the
same risk of spoofing.
Default policy
Designation as dialup is prohibited
Customizing
Customization is in order if your organization has some other use for the "dialup" designation. It also may be required in cases where a higher governing authority mandates such a distinction.
Selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | TRUE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>, <device-name> |
| REQUIRED | FALSE or TRUE | <node>, <device-name> |
Practical considerations
Keeping track of which lines are dialup also
means tracking all changes in wiring schemes for various nodes.
DISCONNECT
Determine whether enabling of virtual terminals conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Disconnect allowed is enabled in violation of policy |
| REQUIRED | Disconnect allowed is disabled in violation of policy |
Description
Provision of virtual terminals allows a user whose session is
interrupted by circuit disconnection to continue the existing session
by supplying the appropriate password after connecting again. This
was originally developed as a continuity-of-service feature.
Since then as concern about security has grown, the manual
DISCONNECT command has become more important as a method for
achieving what various security disciplines call "Session
Lock".
Some sites may have specific requirements mandating that virtual
terminals not be enabled.
Default policy
Enabling of disconnection is neither prohibited nor
required
Customizing
Customize here if you have the need to ensure uniformity across all nodes owned by your organization.
Selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>, <device-name> |
| REQUIRED | FALSE or TRUE | <node>, <device-name> |
Practical considerations
The length of time a disconnected process will remain available can be controlled on a node-by-node basis.
HANGUP
Determine whether forcing hangup on logout conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Hangup on logout is enabled in violation of policy |
| REQUIRED | Hangup on logout is disabled in violation of policy |
Description
Forcing hangup on logout is generally viewed as an availability-of-service feature, since it frees dialup lines for use by another caller. Most sites combine it with allowing users to use the /NOHANGUP qualifier on a particular logout, since the goal is to defend against unknowing failure to properly terminate a call.
Default policy
Hangup on logout is required
Customizing
In most cases, provision of the MODHANGUP capability is sufficient to meet user needs and no customization of this test is required.
Selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>, <device-name> |
| REQUIRED | FALSE or TRUE | <node>, <device-name> |
Practical considerations
Use of an application which performs process deletion rather than allowing the user to invoke LOGOUT may require that hangup on logout not be enabled.
MODEM
Determine whether specification of modem control conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Modem control is enabled in violation of policy |
| REQUIRED | Modem control is disabled in violation of policy |
Description
Enabling modem control specifies that VMS will provide and expect proper modem signalling on a particular terminal line. It does not necessarily have anything to do with dialup modems, as many other types of data communications equipment require and provide modem control signals.
Default policy
Enabling of modem control is neither prohibited nor
required
Customizing
In most cases, enforcement of particular modem control settings is not required, since equipment will not work if the setting is wrong.
Selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>, <device-name> |
| REQUIRED | FALSE or TRUE | <node>, <device-name> |
Practical considerations
Cases where modem control is not provided when it might seem to be needed may indicate situations where modem cabling has been modified so as not to require such signals. This generally results in reduced information flow regarding the state of calls, and reduced security.
MODHANGUP
Determine whether allowing user modification of hangup on logout
conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | User modification of hangup on logout is enabled in violation of policy |
| REQUIRED | User modification of hangup on logout is disabled in violation of policy |
Description
Enabling user modification of hangup on logout allows knowledgeable users to avoid having to redial calls when logging in to another session. Most sites enable it, using the hangup on logout feature of VMS only to protect against authorized but forgetful users tying up lines after they are finished.
Default policy
Allowing user modification of hangup on logout is
neither prohibited nor required
Customizing
Abuse of the LOGOUT/NOHANGUP feature may require that MODHANGUP be prohibited.
Selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>, <device-name> |
| REQUIRED | FALSE or TRUE | <node>, <device-name> |
Practical considerations
Although the LOGOUT/NOHANGUP feature is
supposed to be used only in cases where it is needed, some users might
define DCL symbols to change every LOGOUT command into a
LOGOUT/NOHANGUP command, thereby violating the spirit
of the feature.
NETDEVICE
Determine whether designation as network device conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Set as network device in violation of policy |
| REQUIRED | Set as interactive device in violation of policy |
Description
When terminal lines are used for asynchronous DECnet, they are
automatically designated as network devices. These tests can be used to
check for unauthorized asynchronous DECnet connections, if a site
has sufficient staff to track all changes in network connections.
Default policy
Designation as a network device is neither prohibited
nor required
Customizing
An aggressive program of tracking network connections would require setting both limits TRUE and then setting an exemption for every line (or group of lines via wildcard exemptions).
Selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>, <device-name> |
| REQUIRED | FALSE or TRUE | <node>, <device-name> |
Practical considerations
Dynamic (dialup) asynchronous DECnet allows certain lines to change their state between network and terminal devices.
OPERATOR
Determine whether enabling for operator messages conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Enabled for operator messages in violation of policy |
| REQUIRED | Disabled from operator messages in violation of policy |
Description
Certain terminals at a site are generally designated as operator terminals to receive user and program requests for operator assistance. These tests can be used to ensure that no unauthorized terminals are so enabled and to ensure that required terminals are enabled.
Default policy
Enabling as an operator terminal is prohibited
Customizing
Establish PROHIBITED exemptions for authorized operator terminals. If you want to ensure that certain terminals are enabled, set the REQUIRED limit TRUE and establish exemptions for all the "other" terminals (a tall order).
Selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | TRUE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>, <device-name> |
| REQUIRED | FALSE or TRUE | <node>, <device-name> |
Practical considerations
Enabling a terminal for operator messages does
not grant any ability to control anything, merely to receive
information. In that light, you may not care what terminals are enabled
and may prefer to relax the default PROHIBITED limit
to FALSE.