LJK/Security Reference Manual




MVTIMEOUT

Determine how long VMS will wait for mount verification in case of a device error.

Violation reports

Constraint   Nature of the violation
ABSOLUTLO    Timeout period is shorter than policy allows.
ABSOLUTHI    Timeout period is longer than policy allows.

Description

System parameter MVTIMEOUT controls how long VMS will stall a process while waiting for a device error to be cleared. After that time period, an error is returned to the user.

Default policy

The default limits are set to widely bracket the VMS default value of 3600 for system parameter MVTIMEOUT.

Customizing

If local policy is to change the VMS defaults, it should be reflected in limits or exemptions.

A limit or exemption with a value of zero means there is no value which is considered unacceptable.

Limits

Constraint   Value                  Default
ABSOLUTLO    0 to 64,000 (seconds)  300
ABSOLUTHI    0 to 64,000 (seconds)  64,000

Exemptions

Constraint   Value                  Parameters
ABSOLUTLO    0 to 64,000 (seconds)  <node>
ABSOLUTHI    0 to 64,000 (seconds)  <node>

Practical considerations

Excessively long timeout periods delay detection of errors and leave user processes hung with no indication of the problem. Excessively short timeout periods reduce the chance that a device error can be corrected without aborting user transactions.

OPCOM

Determine whether OPCOM state conforms to policy.

Violation reports

Constraint   Nature of the violation
PROHIBITED   OPCOM is started in violation of policy.
REQUIRED     OPCOM is stopped in violation of policy.

Description

Security alarm transmission to operators uses the OPCOM process, and if that process is not running there will be no notification. In addition, for versions of VMS prior to V5.2, the OPCOM process is required in order to record security alarms on disk.

Default policy

The OPCOM process must be running.

Customizing

Add an exemption to the REQUIRED test for any node which you wish to exempt from the requirement to run the OPCOM process.

Limits

Constraint   Value          Default
PROHIBITED   FALSE or TRUE  FALSE
REQUIRED     FALSE or TRUE  TRUE

Exemptions

Constraint   Value          Parameters
PROHIBITED   FALSE or TRUE  <node>
REQUIRED     FALSE or TRUE  <node>

Practical considerations

Future versions of VMS (after V5.4) may provide an alternative method of operator notification without requiring the OPCOM process.

PWDHISTORY

Determine whether password history parameters conform to policy.

Violation reports

Constraint   Nature of the violation
MINLIFE      Password history lifetime is shorter than policy allows.
MAXLIFE      Password history lifetime is longer than policy allows.
MINLIMIT     Password history entry limit is less than policy allows.
MAXLIMIT     Password history entry limit is more than policy allows.

Description

Logical names SYS$PASSWORD_HISTORY_LIFETIME and SYS$PASSWORD_HISTORY_LIMIT can be used to alter the VMS defaults of 365 days and 60 entries respectively.

Regardless of whether those logical names are used or not, tests for this element will determine if the values in effect on the system conform to policy.

Default policy

By default, the VMS default values of 365 days and 60 entries are required.

Customizing

Add exemptions or modify limits in your policy if you want to permit deviations from the VMS defaults.

A limit or exemption with a value of zero means there is no value which is considered unacceptable.

Limits

Constraint   Value              Default
MINLIFE      0 to 3650 (days)   365
MAXLIFE      0 to 3650 (days)   365
MINLIMIT     2 to 255 (entries) 60
MAXLIMIT     2 to 255 (entries) 60

Exemptions

Constraint   Value              Parameters
MINLIFE      0 to 3650 (days)   <node>
MAXLIFE      0 to 3650 (days)   <node>
MINLIMIT     2 to 255 (entries) <node>
MAXLIMIT     2 to 255 (entries) <node>

Practical considerations

In most cases, the VMS defaults are adequate and this test merely ensures there are no local deviations.

PWDPOLICY

Determine whether site-specific password policy on disk conforms to policy.

Violation reports

Constraint   Nature of the violation
LOADPWDPRO   Loading site code is enabled in violation of policy.
LOADPWDREQ   Loading site code is disabled in violation of policy.
PWDEXEPRO    Site-specific password policy is provided in violation of policy.
PWDEXEREQ    Site-specific password policy is absent in violation of policy.
HASHPWDPRO   Site-specific password algorithm is provided in violation of policy.
HASHPWDREQ   Site-specific password algorithm is absent in violation of policy.

Description

Tests VMS_LOADPWDPRO and VMS_LOADPWDREQ test whether system parameter LOAD_PWD_POLICY is set.

Tests VMS_PWDEXEPRO and VMS_PWDEXEREQ test whether the image SYS$LIBRARY:VMS$PASSWORD_POLICY.EXE is provided.

Tests VMS_HASHPWDPRO and VMS_HASHPWDREQ test whether the image SYS$LOADABLE_IMAGES:SYS$HASH_PASSWORD.EXE is provided. This capability is provided only on VMS V5.4 or greater.

System parameter LOAD_PWD_POLICY is only available on VMS V5.4 or greater.

Default policy

By default, password policy options are prohibited, since they could be used as the basis for further efforts by a successful attacker.

Customizing

Limits and exemptions for tests VMS_LOADPWD* and VMS_PWDEXE* should be set in concert, since the parameter setting and image presence must be coordinated to have the desired effect.

Limits

Constraint   Value               Default
LOADPWDPRO   FALSE or TRUE       TRUE
LOADPWDREQ   FALSE, TRUE or TRY  FALSE
PWDEXEPRO    FALSE or TRUE       TRUE
PWDEXEREQ    FALSE, TRUE or TRY  FALSE
HASHPWDPRO   FALSE or TRUE       TRUE
HASHPWDREQ   FALSE, TRUE or TRY  FALSE

Exemptions

Constraint   Value               Parameters
LOADPWDPRO   FALSE or TRUE       <node>
LOADPWDREQ   FALSE, TRUE or TRY  <node>
PWDEXEPRO    FALSE or TRUE       <node>
PWDEXEREQ    FALSE, TRUE or TRY  <node>
HASHPWDPRO   FALSE or TRUE       <node>
HASHPWDREQ   FALSE, TRUE or TRY  <node>

Practical considerations

The tests in this element do nothing to verify whether the site-specific code provided is the correct code.

It is important that no unauthorized site-specific password policy be in use, since it might have been left as a back door into the system by an attacker who successfully gained privileged access. Attackers in the past have gone so far as to patch the LOGINOUT image, and this mechanism, though useful for its stated purpose, could be hazardous if an attacker gains control. Among other tactics used in the past, collecting the cleartext passwords of individual users has sometimes given attackers some help in guessing what passwords were chosen by the same users on systems in the same network which have not yet been compromised.


REBLDSYS

Determine whether the system disk will be rebuilt after a system crash.

Violation reports

Constraint   Nature of the violation
PROHIBITED   System parameter ACP_REBLDSYSD is 1 in violation of policy.
REQUIRED     System parameter ACP_REBLDSYSD is 0 in violation of policy.

Description

Free-space bitmaps on various disks may be incorrect after a system crash. For most disks, this is corrected by the (default) MOUNT/REBUILD qualifier. For the system disk, however, rebuilding is controlled by the system parameter ACP_REBLDSYSD.

Default policy

By default, rebuilding is required.

Customizing

To ensure that system disks are rebuilt, you should set REQUIRED to TRUE. Setting PROHIBITED to TRUE will allow faster reboots. Setting both limits to FALSE will allow local discretion.

Limits

Constraint   Value          Default
PROHIBITED   FALSE or TRUE  FALSE
REQUIRED     FALSE or TRUE  TRUE

Exemptions

Constraint   Value          Parameters
PROHIBITED   FALSE or TRUE  <node>
REQUIRED     FALSE or TRUE  <node>

Practical considerations

Rebuilding the system disk can be time-consuming, denying service to some extent, depending on local standards.

Generally, the worst outcome of failing to rebuild the system disk (or any other disk, in fact) is just the unavailability of some free space on the disk. This is due to the "careful write" methods of the VMS file system. If denial of service time is more onerous than denial of disk space at your site, you might prefer to set PROHIBITED to TRUE and REQUIRED to FALSE.


SAVEDUMP

Determine whether crash dumps written to a page file are preserved until they can be analyzed.

Violation reports

Constraint   Nature of the violation
PROHIBITED   System parameter SAVEDUMP is 1 in violation of policy.
REQUIRED     System parameter SAVEDUMP is 0 in violation of policy.

Description

On systems that do not have a separate dump file, crash dumps will be written into the paging file. These tests check whether the crash information will be preserved until it is analyzed.

The PROHIBITED and REQUIRED tests of the SAVEDUMP element never report violations if a dump file is present on the tributary node, since the SAVEDUMP parameter only affects saving dumps in the page file when no dump file exists.

Default policy

By default, preserving crash dump information is required.

Customizing

If analysis of system failures is important at your site, set REQUIRED to TRUE. If system parameter DUMPBUG is 0, this test will be skipped. This test will also be skipped if a separate dump file exists.

Limits

Constraint   Value          Default
PROHIBITED   FALSE or TRUE  FALSE
REQUIRED     FALSE or TRUE  TRUE

Exemptions

Constraint   Value          Parameters
PROHIBITED   FALSE or TRUE  <node>
REQUIRED     FALSE or TRUE  <node>

Practical considerations

Analysis of each crash dump can help you to track down the cause of the crash and suggest ways of avoiding future crashes. A dump takes up disk space, so it is desirable to analyze each crash quickly and release the space that it used. Unless analysis is timely (or unless page file space is plentiful), preserving a crash dump can be a threat to continuity of service.

This puts a security manager in a bind between system availability requirements and disk space requirements. Therefore, if no one in your organization is prepared to do timely crash dump analysis, requiring this might be a futile effort.


SECPOLICY

Ensure bit settings in system parameter SECURITY_POLICY conform to policy.

Violation reports

Constraint   Nature of the violation
PROHIBITED   The selected bit is allowed in violation of policy.
REQUIRED     The selected bit is prevented in violation of policy.

Description

These bits in VMS V6.0 and beyond control overall system security, including whether deviations from C2-evaluated components are allowed.

Default policy

By default, DECwindows access is permitted, to allow behavior which was allowed under prior versions of VMS, while the other items are prohibited.

Customizing

These tests are primarily of interest to government sites which require running under evaluated software.

Selector

Limits for this test can take a selector indicating a security policy bit:

Table 6-1 Selectors for Security Policy Bits

Selector Name      VMS Security Policy Bit      Meaning
DPS                ALLOW_DISPLAY_POSTSCRIPT     allow Display PostScript extensions
MULTIDECW          ALLOW_MULTIPLE_DECW_USERS    allow multiple usernames to connect to DECW$SERVER
TRANSPORTS         ALLOW_ALTERNATE_TRANSPORTS   allow unevaluated transports
CROSSJOB           ALLOW_SPAN_JOB_TREES         allow $SIGPRC to span job trees
LOCPROFILE         LOCAL_UPDATE                 allow local profile changes
LOCOBJECT          LOCAL_PROFILE                allow local object creation
CAPTIVESPAWN       ALLOW_CAPTIVE_SPAWN          allow SPAWN or LIB$SPAWN in CAPTIVE accounts
COMPRESSMAC        COMPRESS_MAC_STRINGS         compress MAC category strings (SEVMS)
UPPERCASEINPUT     UPPERCASE_INPUT              uppercase input, as prior to VMS V7.1
GUARDPASSWORDS     GUARD_PASSWORDS              ACMEs shall not share passwords
DOIAUTHORIZATION   DOI_AUTHORIZATION_ONLY       prevent feature mixing
IGNOREEXTAUTH      IGNORE_EXTAUTH               ignore user-specific EXTAUTH and VMSAUTH restrictions
INTRUSIONSLOCAL    INTRUSIONS_ARE_LOCAL         consider local intrusions only when set
USEPOSIXUIDGID     USE_POSIX_UID_GID            perform UID/GID lookup in the TCPIP proxy database

Limits

Constraint   Value          Default
PROHIBITED   FALSE or TRUE  TRUE*
REQUIRED     FALSE or TRUE  FALSE*

* except for DPS, MULTIDECW, TRANSPORTS and GUARDPASSWORDS selectors.

Exemptions

Constraint   Value          Parameters
PROHIBITED   FALSE or TRUE  <node>
REQUIRED     FALSE or TRUE  <node>

Practical considerations

The CAPTIVESPAWN bit will be of the most interest to commercial sites.

SETTIME

Determine whether VMS will delay on boot for the time to be entered.

Violation reports

Constraint   Nature of the violation
PROHIBITED   System parameter SETTIME is 1 in violation of policy.
REQUIRED     System parameter SETTIME is 0 in violation of policy.

Description

If system parameter SETTIME is 1, VMS will wait for the time to be entered on each boot.

Default policy

By default, prompting on every boot is prohibited.

Customizing

LJK Software recommends that you leave the limits for these tests at their default values.

If you have particular systems which are supposed to have system parameter SETTIME set to 1, you can add exemptions for those nodes to the PROHIBITED constraint.

A more thorough approach in situations where some nodes must have the system parameter SETTIME set to 1 would be to set both the PROHIBITED and the REQUIRED limits to TRUE and then establish exemptions for all nodes.

Limits

Constraint   Value          Default
PROHIBITED   FALSE or TRUE  TRUE
REQUIRED     FALSE or TRUE  FALSE

Exemptions

Constraint   Value          Parameters
PROHIBITED   FALSE or TRUE  <node>
REQUIRED     FALSE or TRUE  <node>

Practical considerations

Except for the MicroVAX I and the VAX-11/730, systems which run VMS have built-in time-of-year clocks. With such a clock, system parameter SETTIME should be 0, and the default values for these tests will be sufficient.

While waiting for time to be input on boot is a threat to continuity of service, running with the software clock incorrectly set can lead to improper operation of applications, also an undesirable condition.
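The limit-and-exemption model used throughout these elements, shown as an added example that is not LJK/Security code: a range test in the style of MVTIMEOUT (where a bound of zero disables that bound) and a flag test in the style of SETTIME, including the "set both limits to TRUE and exempt every node" approach from the SETTIME entry. The Constraint class, function names, node names and parameter values are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Constraint:
    """One policy constraint: an organization-wide limit plus per-node exemptions."""
    name: str                                       # ABSOLUTLO, PROHIBITED, ... as in the manual
    limit: object                                   # int for ranges, bool for flags
    exemptions: dict = field(default_factory=dict)  # node -> overriding value

    def value_for(self, node):
        # An exemption for the node overrides the organization-wide limit.
        return self.exemptions.get(node, self.limit)

def check_range(node, actual, lo, hi):
    """MVTIMEOUT-style test. A bound of 0 means nothing is unacceptable."""
    found = []
    lo_v, hi_v = lo.value_for(node), hi.value_for(node)
    if lo_v != 0 and actual < lo_v:
        found.append((lo.name, node, actual, lo_v))
    if hi_v != 0 and actual > hi_v:
        found.append((hi.name, node, actual, hi_v))
    return found

def check_flag(node, is_set, prohibited, required):
    """SETTIME-style test on a 0/1 system parameter."""
    found = []
    if prohibited.value_for(node) and is_set:
        found.append((prohibited.name, node))
    if required.value_for(node) and not is_set:
        found.append((required.name, node))
    return found

# Constructed sample data: node names and parameter values are made up.
MVTIMEOUT_LO = Constraint("ABSOLUTLO", 300, {"LAB1": 0})  # LAB1: no lower bound
MVTIMEOUT_HI = Constraint("ABSOLUTHI", 64000)
MVTIMEOUT_SEEN = {"HUB": 120, "LAB1": 120, "VAX730": 70000}
# The "thorough approach" from the SETTIME entry: both limits TRUE plus an
# explicit exemption per node, so a node nobody has decided on is always reported.
SETTIME_PRO = Constraint("PROHIBITED", True, {"VAX730": False})
SETTIME_REQ = Constraint("REQUIRED", True, {"HUB": False, "LAB1": False})
SETTIME_SEEN = {"HUB": 0, "LAB1": 0, "VAX730": 1, "NEW1": 0}

def run_checks():
    report = []
    for node, secs in MVTIMEOUT_SEEN.items():
        report += check_range(node, secs, MVTIMEOUT_LO, MVTIMEOUT_HI)
    for node, val in SETTIME_SEEN.items():
        report += check_flag(node, val == 1, SETTIME_PRO, SETTIME_REQ)
    return report
```

Running run_checks() reports HUB for a too-short MVTIMEOUT, VAX730 for a too-long one, and NEW1, the only node without a SETTIME exemption, as a REQUIRED violation.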


SYSTEMLGI

Ensure that ability to log into the SYSTEM account conforms to policy.

Violation reports

Constraint   Nature of the violation
PROHIBITED   The selected login type is allowed in violation of policy.
REQUIRED     The selected login type is prevented in violation of policy.

Description

For reasons of accountability it is generally best to allow username SYSTEM to log in only via batch. System administrative tasks are then performed in privileged accounts which can be traced to individuals.

Default policy

By default, username SYSTEM is required to be able to log in for batch and is prohibited from all other login methods.

Customizing

Exemptions for individual nodes are generally better than an organization-wide relaxation of limits, so that over time nodes can be converted back one by one.

Selector

Limits for this test can take a selector consisting of a login type: LOCAL, DIALUP, REMOTE, NETWORK or BATCH. Thus, each limit can be set once for each possible login type. If you do not specify a selector when changing limits, your change applies to all login types.

Note

The availability of separate selector values for LOCAL and DIALUP should not be taken as a suggestion that the DIALUP indication associated with terminals be trusted to accurately represent whether or not a dialup line is actually in use. It is provided, however, for sites which use the DIALUP indication to denote some aspect of a terminal which can be determined with certainty, such as whether or not a given terminal connection is via an X.25 circuit.

Limits

Constraint   Value          Default
PROHIBITED   FALSE or TRUE  TRUE*
REQUIRED     FALSE or TRUE  FALSE*

