LJK/Security Reference Manual
CLIDCL
Determine whether specification of DCL as command language conforms to
policy.
Violation reports
| Constraint | Nature of the violation |
| --- | --- |
| PROHIBITED | Default CLI is DCL in violation of policy |
| REQUIRED | Default CLI is not DCL in violation of policy |
Description
DCL (Digital Command Language) is generally the language for which
login command procedures have been written. If alternate command
languages are
used, equivalent login command procedures must be provided in order to
force execution of particular functions on login.
Default policy
Default CLI of DCL is required
Customizing
Customization will be required if you make use of the MCR or DEC/Shell
command language interpreters, or any custom written CLI
Selector
Limits
| Constraint | Value | Default |
| --- | --- | --- |
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
| --- | --- | --- |
| PROHIBITED | FALSE or TRUE | <node>, <username> |
| REQUIRED | FALSE or TRUE | <node>, <username> |
Practical considerations
The procedure for writing a custom command
language interpreter is not
documented by DEC, so it is unlikely your organization has implemented
one.
CLIMCR
Determine whether specification of MCR as command language conforms to
policy.
Violation reports
| Constraint | Nature of the violation |
| --- | --- |
| PROHIBITED | Default CLI is MCR in violation of policy |
| REQUIRED | Default CLI is not MCR in violation of policy |
Description
DCL (Digital Command Language) is generally the language for which
login command procedures have been written. If alternate command
languages are
used, equivalent login command procedures must be provided in order to
force execution of particular functions on login.
Default policy
Default CLI of MCR is prohibited
Customizing
Customization will be required if you make use of the MCR command
language interpreter
Selector
Limits
| Constraint | Value | Default |
| --- | --- | --- |
| PROHIBITED | FALSE or TRUE | TRUE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
| --- | --- | --- |
| PROHIBITED | FALSE or TRUE | <node>, <username> |
| REQUIRED | FALSE or TRUE | <node>, <username> |
Practical considerations
The MCR command language interpreter is used
for RSX11 compatibility mode. It is not required for use of
the DCL command MCR to issue
foreign commands to programs.
CLIOTHER
Determine whether specification of something other than DCL, MCR or
DECshell as command language conforms to policy.
Violation reports
| Constraint | Nature of the violation |
| --- | --- |
| PROHIBITED | Default CLI is other than DCL, MCR or DEC/Shell in violation of policy |
| REQUIRED | Default CLI is DCL, MCR or DEC/Shell in violation of policy |
Description
DCL (Digital Command Language) is generally the language for which
login command procedures have been written. If alternate command
languages are
used, equivalent login command procedures must be provided in order to
force execution of particular functions on login.
Default policy
Default CLI other than DCL, MCR or DEC/Shell is
prohibited
Customizing
Customization will be required if you make use
of any custom written CLI
Selector
Limits
| Constraint | Value | Default |
| --- | --- | --- |
| PROHIBITED | FALSE or TRUE | TRUE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
| --- | --- | --- |
| PROHIBITED | FALSE or TRUE | <node>, <username> |
| REQUIRED | FALSE or TRUE | <node>, <username> |
Practical considerations
The procedure for writing a custom command
language interpreter is not
documented by DEC, so it is unlikely your organization has implemented
one.
CLISHELL
Determine whether specification of DEC/Shell as command language
conforms to policy.
Violation reports
| Constraint | Nature of the violation |
| --- | --- |
| PROHIBITED | Default CLI is SHELL in violation of policy |
| REQUIRED | Default CLI is other than SHELL in violation of policy |
Description
DCL (Digital Command Language) is generally the language for which
login command procedures have been written. If alternate command
languages are
used, equivalent login command procedures must be provided in order to
force execution of particular functions on login.
Default policy
Default CLI of DEC/Shell is prohibited
Customizing
Customization will be required if you make use of the DEC/Shell command
language interpreter
Selector
Limits
| Constraint | Value | Default |
| --- | --- | --- |
| PROHIBITED | FALSE or TRUE | TRUE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
| --- | --- | --- |
| PROHIBITED | FALSE or TRUE | <node>, <username> |
| REQUIRED | FALSE or TRUE | <node>, <username> |
Practical considerations
The DEC/Shell command language interpreter is
also provided as part of the VNXset combination product from DEC.
DAYMUSTBE
Determine whether designation of primary and secondary days conforms to
policy.
Violation reports
| Constraint | Nature of the violation |
| --- | --- |
| PRIMARY | Failure to designate day PRIMARY violates policy |
| SECONDARY | Failure to designate day SECONDARY violates policy |
Description
The concepts of Primary and Secondary days are defined on a
per-username basis, so if a uniform meaning for these terms is
required, these tests should be applied to detect deviations.
Default policy
Monday through Friday must be primary days while
Saturday and Sunday must be secondary days
Customizing
Customization is required only if you want to allow specific deviation from the
default designations. In most cases it would be sufficient to establish
HOURSPRI and HOURSSEC limits and exemptions as being the same.
Selector
Limits for this test can take a selector consisting of the name of a day of the week.
Thus, each can be set once for each possible day of the week. For a
particular day of the week, that limit applies. If you do not specify a
selector when changing limits, your change applies to all days of the week.
Limits
| Constraint | Value | Default |
| --- | --- | --- |
| PRIMARY | FALSE or TRUE | M-F TRUE, S-S FALSE |
| SECONDARY | FALSE or TRUE | M-F FALSE, S-S TRUE |
Exemptions
| Constraint | Value | Parameters |
| --- | --- | --- |
| PRIMARY | FALSE or TRUE | <node>, <username> |
| SECONDARY | FALSE or TRUE | <node>, <username> |
Practical considerations
Customization may be appropriate for very
predictable differences in schedule, such as those governed by
long-term work schedules.
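The per-day limits and selector behaviour described for DAYMUSTBE can be modelled as follows. This is an added example, not LJK/Security code: the record layout, the names `set_limit` and `check_daymustbe`, and the rule that an exemption replaces the limit value for its node/username pair are assumptions made for illustration.

```python
# Added illustration of the DAYMUSTBE test; not LJK/Security code.
import copy

DAYS = ["MON", "TUE", "WED", "THU", "FRI", "SAT", "SUN"]
WEEKEND = ("SAT", "SUN")
# Default limits from the page: M-F must be PRIMARY, S-S must be SECONDARY.
DEFAULT_LIMITS = {d: {"PRIMARY": d not in WEEKEND, "SECONDARY": d in WEEKEND}
                  for d in DAYS}

def set_limit(limits, constraint, value, selector=None):
    """Return a copy of limits with one change; no selector means all days."""
    changed = copy.deepcopy(limits)
    for day in ([selector] if selector else DAYS):
        changed[day][constraint] = value
    return changed

def check_daymustbe(record, limits, exemptions=None):
    """Return (day, message) violations for one UAF record.

    record: {"node", "username", "primary_days"} (hypothetical layout).
    exemptions: {(node, username): {constraint: value}}; assumed here to
    replace the limit value for that node/username pair.
    """
    override = (exemptions or {}).get((record["node"], record["username"]), {})
    found = []
    for day in DAYS:
        is_primary = day in record["primary_days"]
        limit = {**limits[day], **override}
        if limit["PRIMARY"] and not is_primary:
            found.append((day, "Failure to designate day PRIMARY violates policy"))
        if limit["SECONDARY"] and is_primary:
            found.append((day, "Failure to designate day SECONDARY violates policy"))
    return found

# Constructed sample record: a username on a Tuesday-to-Saturday schedule.
SHIFT_USER = {"node": "NODEA", "username": "NIGHTOPS",
              "primary_days": {"TUE", "WED", "THU", "FRI", "SAT"}}

if __name__ == "__main__":
    for day, message in check_daymustbe(SHIFT_USER, DEFAULT_LIMITS):
        print(day, message)
```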
DEFCLI
Determine whether restriction to default command language conforms to
policy.
Violation reports
| Constraint | Nature of the violation |
| --- | --- |
| PROHIBITED | Restriction to default CLI is enabled in violation of policy |
| REQUIRED | Restriction to default CLI is disabled in violation of policy |
Description
If users are allowed to specify their command language on login, they
may be able to escape some administrator-specified login command
procedure
actions. The UAF flag DEFCLI can be set to restrict a username to its
default command language. The UAF flag CAPTIVE performs the same
restriction
along with others.
Default policy
Restriction to the default command language is required
Customizing
Exemptions are appropriate for developers who switch back and forth freely
between command language interpreters, but most users do not require
them
Selector
Limits
| Constraint | Value | Default |
| --- | --- | --- |
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
| --- | --- | --- |
| PROHIBITED | FALSE or TRUE | <node>, <username> |
| REQUIRED | FALSE or TRUE | <node>, <username> |
Practical considerations
The CAPTIVE indication for a username also
has the effect of restricting the user to the default command language.
DEFCLSVAL
Determine whether validity of default classification conforms to policy.
Violation reports
| Constraint | Nature of the violation |
| --- | --- |
| PROHIBITED | Default classification is valid in violation of policy |
| REQUIRED | Default classification is not valid in violation of policy |
Description
The DEFCLSVAL authorization flag indicates that the default
classification field for the user authorization file record is valid.
Default policy
Validity of the default classification is neither
required nor prohibited
Customizing
If only some of your nodes use
SEVMS, set both limits to TRUE and use exemptions as appropriate, or
consider the TRY value for the PROHIBITED constraint
Selector
Limits
| Constraint | Value | Default |
| --- | --- | --- |
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE, TRUE or TRY | FALSE |
Exemptions
| Constraint | Value | Parameters |
| --- | --- | --- |
| PROHIBITED | FALSE or TRUE | <node>, <username> |
| REQUIRED | FALSE, TRUE or TRY | <node>, <username> |
Practical considerations
The default classification is only relevant to
systems running Mandatory Access Controls, as implemented with the
SEVMS (Security Enhanced VMS) software available from DEC.
DIALUP
Determine whether login dependence is being placed on dialup
indications.
Violation reports
| Constraint | Nature of the violation |
| --- | --- |
| DEPEND | Access does not depend on dialup condition |
| DISTRUST | Access depends on dialup condition |
Description
VMS provides the capability to designate certain terminal lines as
"dialup" and restrict system access to particular usernames
or particular files based on whether the access is coming over a
"dialup" line.
Restricting access of particular usernames based on whether a given
line is "dialup" [1]
or not can be an illusory form of protection. The provision of lines to
private offices provides tremendous opportunity for connection via
modems which are unauthorized from the computer-security
standpoint, but may in fact be set up to "get the job done"
with the best of intentions.
On the other hand, some security people prefer to depend upon the
dialup indication for access control.
Finally, sometimes access dependencies based on the dialup indication
are not really for security purposes at all. So long as no reliance is
placed on the indication for security purposes, there should be no
problem.
The purpose of this test is to determine whether any reliance is being
placed on the dialup indication.
Default policy
Limit DEPEND is set to FALSE and
limit DISTRUST is set to TRUE, indicating that
reliance should never be placed on dialup indications
Customizing
By setting limit DEPEND and limit DISTRUST both to FALSE, you can ignore
results of this test, allowing but not requiring dependence on dialup
indications.
By setting limit DEPEND to TRUE and limit DISTRUST to FALSE, you can
require that usernames have an access dependence on dialup indications,
if you disagree with the default.
Selector
Limits
| Constraint | Value | Default |
| --- | --- | --- |
| DEPEND | FALSE or TRUE | FALSE |
| DISTRUST | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
| --- | --- | --- |
| DEPEND | FALSE or TRUE | <node>, <username> |
| DISTRUST | FALSE or TRUE | <node>, <username> |
Practical considerations
Access dependencies aside, the designation of
certain lines as DIALUP can be useful in non-security aspects of VMS
operation, since the result is a general identifier which can be tested
(through provision of a suitably
protected file) to govern which set of menus are provided or some other
non-security function.
Note
[1] Under VMS, the designation of a line
as "dialup" is independent of the specification that a line
is to receive modem control signals.
DISCTLY
Determine whether disabling of control/Y on login conforms to policy.
Violation reports
| Constraint | Nature of the violation |
| --- | --- |
| PROHIBITED | Control/Y is disabled on login in violation of policy |
| REQUIRED | Control/Y is not disabled on login in violation of policy |
Description
Disabling the use of Control/Y during login is a step to prevent users
from breaking out of captive command procedures or login command
procedures.
Tests from this element are not
conducted on usernames that are not allowed interactive access.
Default policy
Disabling of Control/Y on login is required
Customizing
In cases where login command procedures (either system-wide or
individual) are not used for security purposes, relaxation of the
REQUIRED limit may be in order. An
exemption may be required for individuals who
regularly debug system-wide login command procedures.
Selector
Limits
| Constraint | Value | Default |
| --- | --- | --- |
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
| --- | --- | --- |
| PROHIBITED | FALSE or TRUE | <node>, <username> |
| REQUIRED | FALSE or TRUE | <node>, <username> |
Practical considerations
If users are to be permitted the use of
Control/Y after an initial login command procedure has executed, that
command procedure should enable Control/Y rather than requiring users
to do so manually.
DISIMAGE
Determine whether prevention of user-specified access to images
conforms to policy.
Violation reports
| Constraint | Nature of the violation |
| --- | --- |
| PROHIBITED | User-specified image access is disabled in violation of policy |
| REQUIRED | User-specified image access is enabled in violation of policy |
Description
The DISIMAGE authorization flag prevents use of the RUN or MCR commands
and prevents the activation of images through the DCL foreign command
mechanism.
The DISIMAGE authorization flag was added to VMS effective with V5.2,
so user-specified image access always tests as enabled in prior
versions of VMS.
Default policy
User-specified image access is neither prohibited nor
required
Customizing
Set limit PROHIBITED to be TRUE
to prohibit the disabling of user-specified image access.
Set limit REQUIRED to be TRY to require user-specified
image access only on those versions of VMS where such image access can
be prevented (VMS V5.2 or greater).
Selector
Limits
| Constraint | Value | Default |
| --- | --- | --- |
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE, TRUE or TRY | FALSE |
Exemptions
| Constraint | Value | Parameters |
| --- | --- | --- |
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE, TRUE or TRY | <node> |
Practical considerations
Use of the DISIMAGE authorization flag is only
effective when combined with steps to prevent users from changing their
DCL command tables.
In most cases better security is provided by proper protection of
objects than by attempting to prevent users from executing certain
commands.
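How the PROHIBITED/REQUIRED limit pairs turn into violation reports for DISCTLY and DISIMAGE, including the TRY value and the skipping of non-interactive usernames, is sketched below. This is an added example, not LJK/Security code: the record layout and the name `check_flag` are assumptions, and TRY is read as "enforce REQUIRED only on VMS V5.2 or greater", following the violation reports listed above.

```python
# Added illustration of the DISCTLY and DISIMAGE limit pairs; not LJK/Security code.
MESSAGES = {
    ("DISCTLY", "PROHIBITED"): "Control/Y is disabled on login in violation of policy",
    ("DISCTLY", "REQUIRED"): "Control/Y is not disabled on login in violation of policy",
    ("DISIMAGE", "PROHIBITED"): "User-specified image access is disabled in violation of policy",
    ("DISIMAGE", "REQUIRED"): "User-specified image access is enabled in violation of policy",
}
# Default limits from the page.
FLAG_LIMITS = {
    "DISCTLY": {"PROHIBITED": False, "REQUIRED": True},
    "DISIMAGE": {"PROHIBITED": False, "REQUIRED": False},
}

def check_flag(test, record, limits=FLAG_LIMITS):
    """Return violation messages for one test against one UAF record.

    record: {"vms_version": (major, minor), "interactive": bool,
             "flags": set of UAF flag names} (hypothetical layout).
    """
    if test == "DISCTLY" and not record["interactive"]:
        return []  # not conducted on usernames without interactive access
    # DISIMAGE was added in V5.2; earlier versions always test as enabled.
    supported = test != "DISIMAGE" or record["vms_version"] >= (5, 2)
    is_set = supported and test in record["flags"]
    required = limits[test]["REQUIRED"]
    if required == "TRY":  # enforce only where the flag can be set
        required = supported
    found = []
    if limits[test]["PROHIBITED"] and is_set:
        found.append(MESSAGES[(test, "PROHIBITED")])
    if required and not is_set:
        found.append(MESSAGES[(test, "REQUIRED")])
    return found

# Constructed sample records (not from a real authorization file).
V51_USER = {"vms_version": (5, 1), "interactive": True, "flags": {"DISCTLY"}}
V54_USER = {"vms_version": (5, 4), "interactive": True, "flags": set()}
BATCH_USER = {"vms_version": (5, 4), "interactive": False, "flags": set()}

if __name__ == "__main__":
    strict = {**FLAG_LIMITS, "DISIMAGE": {"PROHIBITED": False, "REQUIRED": True}}
    lenient = {**FLAG_LIMITS, "DISIMAGE": {"PROHIBITED": False, "REQUIRED": "TRY"}}
    print(check_flag("DISIMAGE", V51_USER, strict))   # reported on the V5.1 node
    print(check_flag("DISIMAGE", V51_USER, lenient))  # TRY skips the V5.1 node
```

With REQUIRED set to TRUE, a pre-V5.2 node is reported even though the flag cannot be set there; TRY avoids those unfixable reports.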