This glossary provides definitions of security-related terms
used in this guide.
| A | |
|---|---|
| access control | Restrictions on the ability of a subject (user or process) to use the system or an object in the computing system. Authentication of the user name and password controls access to the system, while protection codes, access control lists, and privileges regulate access to protected objects in that system. |
| access control entry (ACE) | An entry in an access control list (ACL). Access control entries may specify identifiers and the access rights to be granted or denied the holders of the identifiers, default protection for directories, or security details. ACLs for each object can hold many entries, limited only by overall space and performance considerations. See also access control list, identifier. |
| access control list (ACL) | A list that defines the kinds of access to be granted or denied to users of an object. Access control lists can be created for all protected objects such as files, devices, and logical name tables. Each ACL consists of one or more entries known as access control entries (ACEs). See also access control entry. |
| access control string | A character string used in remote logins. It consists of the user name for the remote account and the user's password enclosed within quotation marks. |
| access matrix | A table that lists subjects on one axis and objects on the other. Each crosspoint in the matrix thus represents the access that one subject has to one object. |
| access type | The capability required to perform an operation on a protected object. OpenVMS security policy can require multiple capabilities to complete an operation. The most commonly accessed object, a file, can require read, write, execute, delete, or control access. |
| ACE | See access control entry. |
| ACL | See access control list. |
| ACL editor | An OpenVMS utility that helps users create and maintain access control lists. See also access control list. |
| alarm | See security alarm. |
| ALF file | See automatic login. |
| alphanumeric UIC | A format of a user identification code (UIC). The group and member names can each contain up to 31 alphanumeric characters, at least one of which is alphabetic. The other format of a UIC is numeric: it contains a group number and a member number. See also user identification code, numeric UIC. |
| attribute | In the security context, a characteristic of an identifier or the holder of an identifier. Attributes can enhance or limit the rights granted with an identifier; for example, a user holding an identifier with the Resource attribute can charge disk space to the identifier. |
| audit | See security audit. |
| audit trail | A pattern of security-relevant activity sometimes found in the audit log file. The audit log file maintains a record of security-relevant events, such as access attempts, successful or not, as required by the authorization database. See also security audit. |
| auditing | Recording the occurrence of security-relevant events as they occur on the system and, later, examining system activity for possible security violations or improper use of the system. Security-relevant events include activities such as logins, break-ins, changes to the authorization database, and access to protected objects. Event messages can be sent as alarms to an operator terminal or written as audit records to a log file. See also security audit, security alarm. |
| authentication | The act of establishing the identity of users when they start to use the system. OpenVMS systems (and most other commercial operating systems) use passwords as the primary authentication mechanism. See also password. |
| authorization database | A database that contains the security attributes of subjects and objects. From these attributes, the reference monitor determines what kind of access (if any) is authorized. |
| authorization file | See system user authorization file. |
| automatic login | A feature that permits users to log in without specifying a user name. The operating system associates the user name with the terminal (or terminal server port) and maintains these assignments in the file SYS$SYSTEM:SYSALF.DAT, referred to as the automatic login file or the ALF file. |

| B | |
|---|---|
| breach | A break in the system security that results in access to system resources or objects in violation of the system's security policy. |
| break-in attempt | An effort made by an unauthorized source to gain access to the system. Because the first system access is achieved through logging in, intrusion attempts primarily refer to attempts to log in illegally. These attempts focus on supplying passwords for users known to have accounts on the system through informed guesses or other trial-and-error methods. See also evasive action. |

| C | |
|---|---|
| C2 system | A U.S. government rating of the security of an operating system; it identifies an operating system as one that meets the criteria of a Division C, class 2 system. |
| capability | A resource to which the system controls access; currently, the only defined capability is the vector processor. OpenVMS security policy protects vector processors from improper access. An operation can require use or control access. |
| captive account | A type of account that confines the user to the captive login command procedure. The use of Ctrl/Y is disabled. If errors in the captive command procedure cause the procedure to terminate and attempt to return the user to the DCL command level, the process is deleted. (This type of account is synonymous with a turnkey or tied account.) |
| common event flag cluster | A set of 32 event flags that enable cooperating processes to post event notifications to each other. OpenVMS security policy protects common event flag clusters from improper access. An operation can require associate, delete, or control access. |
| control access | The right to modify an object's security profile. Control access is granted explicitly in an ACL and implicitly in a protection code. (All users qualifying for system or owner categories have control access.) |

| D | |
|---|---|
| decryption | The process that restores encoded information to its original unencoded form. The information was encoded by using encryption. |
| Default attribute | An option added to an ACE that indicates the ACE is to be included in the ACL of any files created within a directory. When the entry is propagated, the Default attribute is removed from the ACE of the created file. An Identifier ACE with the Default attribute has no effect on access. See also access control entry, Identifier ACE. |
| device | A class of peripherals connected to a processor that are capable of receiving, storing, or transmitting data. OpenVMS security policy protects devices from improper access. An operation can require read, write, physical, logical, or control access. |
| discretionary access controls | Security controls that are applied at the user's option; that is, they are not required. Access control lists (ACLs) are typical of such optional security features. Discretionary controls are the opposite of mandatory controls. |
| disk scavenging | Any method of obtaining information from a disk that the owner intended to discard. The information, although no longer accessible to the original owner by normal means, retains a sufficient amount of its original magnetic encoding that it can be retrieved and used by one of the scavenging methods. See also erase-on-allocate, erase-on-delete, erasure pattern. |

| E | |
|---|---|
| encryption | A process of encoding information so that its content is no longer immediately obvious to anyone who obtains a copy of it. The information is decoded using decryption. |
| environmental identifier | One of four classes of identifiers. Environmental identifiers are provided by the system to identify groups of users according to their usage of the system. Environmental identifiers correspond to login classes. For example, all users who access the system by dialing up receive the dialup identifier. See also identifier. |
| erase-on-allocate | A technique that applies an erasure pattern whenever a new area is allocated for a file's extent. The new area is erased with the erasure pattern so that subsequent attempts to read the area can yield only the erasure pattern and not some valuable remaining data. This technique is used to discourage disk scavenging. See also disk scavenging, erase-on-delete, erasure pattern, high-water marking. |
| erase-on-delete | A technique that applies an erasure pattern whenever a file is deleted or purged. This technique is used to discourage disk scavenging. See also disk scavenging, erase-on-allocate, erasure pattern. |
| erasure pattern | A character string that can be used to overwrite magnetic media for the purpose of erasing the information that was previously stored in that area. |
| evasive action | A responsive behavior performed by the operating system to discourage break-in attempts when they appear to be in progress. The operating system has a set of criteria it uses to detect that an intrusion attempt may be underway. Typically, once the operating system becomes suspicious that an unauthorized user is attempting to log in, the evasive action consists of locking out all login attempts by the offender for a limited period of time. |
| event classes | Categories of security-relevant events. The operating system audits several event classes by default, and the security administrator can enable additional ones, if desired. |
| event messages | In terms of security, any notification that has to do with a user's access to the system or to a protected object within the system. The operating system can record both successful and unsuccessful events so the security administrator can know when security-relevant activity occurs on the system. |

| F | |
|---|---|
| facility identifier | An identifier whose binary value contains the facility code of the application defining the identifier. See also identifier. |
| file | A set of data elements arranged in a structure significant to the user. A file is any named, stored program or data, or both, to which the system has access. Access can be of two types: read-only, meaning the file is not to be altered, and read/write, meaning the contents of the file can be altered. See also volume. OpenVMS security policy protects files from improper access. An operation can require read, write, execute, delete, or control access. |
| file encryption | See encryption. |

| G | |
|---|---|
| general identifier | One of four possible types of identifiers that specify one or more groups of users. The general identifier is alphanumeric and typically is a convenient term that symbolizes the function of the group of users. For example, typical general identifiers might be PAYROLL for all users allowed to run payroll applications or RESERVATIONS for operators at the reservations desk. See also identifier. |
| global section | A shared memory area (for example, Fortran global common) potentially available to all processes in the system. A global section can provide access to a disk file (called a file-backed global section), provide access to dynamically created storage (called a page file-backed global section), or provide access to specific physical memory (called a page frame number [PFN] global section). See also group global section, system global section. |
| group | A set of users in a system. Any user whose group UIC is identical to the group UIC of the object qualifies for the access rights granted through a protection code. The group name appears as the first field of a user identification code (UIC): [group,member]. |
| group global section | A shareable memory section potentially available to all processes in the same group. OpenVMS security policy protects group global sections from improper access. Operations on file-backed sections require read, write, execute, delete, or control access. Operations on other types of sections require read, write, execute, or control access. See also global section, system global section. |
| group number | The number or its alphanumeric equivalent in the first field of a user identification code (UIC): [group,member]. |

| H | |
|---|---|
| Hidden attribute | An option added to an access control entry that indicates the ACE should be changed only by the application that adds it. Although the Hidden attribute is valid for any ACE type, its intended use is to hide Application ACEs. See also access control entry. |
| high-water mark | A mark identifying the highest file address written, beyond which the user cannot read. |
| high-water marking | A technique for discouraging disk scavenging. This technique tracks the furthest extent that the owner of a file has written into the file's allocated area (the high-water mark). It then prohibits any attempts at reading beyond the written area, on the premise that any information that exists beyond the currently written limit is information some user had intended to discard. The operating system accomplishes the goals of high-water marking with a combination of true high-water marking and an erase-on-allocate strategy. See also erase-on-allocate. |
| holder | A user who possesses a particular identifier. Users and the identifiers they hold are recorded in the rights database. Whenever an object requires an accessor to hold an identifier, the system checks the process rights list (which is built from the rights database) in processing the access request. |

| I | |
|---|---|
| identifier | An alphanumeric string representing a user or group of users recorded in the rights database and used by the system in checking access requests. There are four types of identifiers: environmental, facility, general, and UIC. See also environmental identifier, facility identifier, general identifier, resource identifier, UIC identifier. |
| Identifier ACE | An access control entry that controls the type of access allowed to a particular user or group of users. |

| J | |
|---|---|
| journal | Name of the auditing log file where the system records events with security implications, such as logins, break-ins, or changes to the authorization database. |

| L | |
|---|---|
| locked password | A password that cannot be changed by the account's owner. Only system managers or users with the SYSPRV privilege can change locked passwords. |
| log | A record of performance or system-relevant events. |
| logical I/O access | Right to perform a set of I/O operations that allow restricted direct access to device-level I/O operations using logical block addresses. |
| logical name table | A shareable table of logical names and their equivalence names for the operating system or a particular group. OpenVMS security policy protects logical name tables from improper access. An operation can require read, write, create, delete, or control access. |
| login | The series of actions involved in authenticating a user to the system and creating a process that runs on the user's behalf. |
| login class | A user's method of logging into the system. System managers can control system access based on the login class: local, dialup, remote, batch, or network. |

| M | |
|---|---|
| mandatory access controls | Security controls that are imposed by the system upon all users. There are no examples of mandatory controls within the OpenVMS system. Access controls on this operating system are optional (discretionary). SEVMS, the security enhanced version of OpenVMS, provides mandatory access controls (MAC) and enhanced security auditing for secure standalone or clustered OpenVMS systems. |

| N | |
|---|---|
| NETPROXY | See network proxy authorization file. |
| network proxy authorization file (NETPROXY.DAT or NET$PROXY.DAT [VAX only]) | A file containing an entry for each user authorized to connect to the local system from a remote node in the network. |
| nondiscretionary controls | See mandatory access controls. |
| nonprivileged | Describes a type of account with no privilege other than TMPMBX and NETMBX and a user identification code (UIC) greater than the system parameter MAXSYSGROUP. |
| Nopropagate attribute | An option added to an access control entry that indicates the ACE cannot be copied by operations that usually propagate ACEs, such as SET SECURITY/LIKE. See also access control entry. |
| numeric UIC | A format of a user identification code (UIC) that specifies the user's group and member number in numeric form. The group number is an octal number in the range of 1 through 37776; the member number is an octal number in the range of 0 through 177776. |

| O | |
|---|---|
| object | A passive repository of information to which the system controls access. Access to an object implies access to the information it contains. See also capability, common event flag cluster, device, file, group global section, logical name table, queue, resource domain, security class, system global section, volume. |
| object class | A set of protected objects with common characteristics. For example, all files belong to the file class, whereas all devices belong to the device class. |
| object security profile | A set of security elements that defines access requirements. The elements include an owner (UIC), a UIC-based protection code, and, possibly, an ACL. See also access control list, owner, protection code. |
| open accounts | Accounts that do not require passwords. |
| operator terminal | A terminal attended by a system operator. The system can send system event messages to the terminal, provided the event class is enabled. |
| owner | A user with the same user identification code (UIC) as the protected object. An owner always has control access to the object and can therefore modify the object's security profile. When the operating system processes an access request from an owner, it considers the access rights in the owner field of a protection code. |

| P | |
|---|---|
| password | A character string that users provide at login time to validate their identity and as a form of proof of their authorization to access the account. There are system passwords and user passwords. User passwords include both primary and secondary passwords. See also primary password, secondary password, system password, user password. |
| physical I/O access | The right to perform a set of I/O functions that allows access to all device-level I/O operations except maintenance mode using physical block addresses. |
| primary password | A type of user password that is the first user password requested from the user. Systems may optionally require a secondary password. A primary or a secondary password must be associated with the user name in the user authorization file. See also secondary password. |
| privileges | A means of protecting the use of certain system functions that can affect system resources and integrity. System managers grant privileges according to users' needs and deny them to users as a means of restricting their access to the system. |
| process security profile | The set of security elements the system assigns to a process at creation. Elements include the process UIC plus all of its identifiers and privileges. See also identifier, privileges, user identification code. |
| Protected attribute | An option added to an access control entry that indicates the ACE is protected against casual deletion. It can be deleted by using the ACL editor or by specifying the ACE explicitly when deleting it. |
| protected object | An object containing shareable information to which the system controls access. See also object. |
| protected subsystem | An application with enhanced access control. While users run the application, their process rights list contains identifiers giving them access to objects owned by the subsystem. As soon as the users exit the application, these identifiers and, therefore, access rights to objects are taken away. |
| protection | The attributes of an object that limit the type of access available to users. See also access control list, protection code, user identification code. |
| protection code | A code defining the type of access that users are allowed to objects, based on the user's relationship to the object's owner. The code defines four sets of users: those with system rights, those with ownership rights, those belonging to the same group, and all users on the system, who are called world users. See also group, owner, system, world. |
| proxy login | A type of login that permits a user from a remote node to effectively log in to a local node as if the user owned an account on the local node. However, the user does not specify a password in the access control string. The remote user may own the account or share the account with other users. |
| pseudodevice | An entity like a mailbox that is treated as an I/O device by the user or system, although it is not any particular physical device. |

| Q | |
|---|---|
| queue | A set of jobs to be processed. There are four types of execution queues: batch, terminal, server, and print. OpenVMS security policy protects queues from improper access. An operation can require read, submit, manage, delete, or control access. |

| R | |
|---|---|
| reference monitor | The control center within the operating system that authenticates subjects and implements and enforces the security policy for every access to an object by a subject. |
| Resource attribute | An option specified when an identifier is added to the rights database, and later when the identifier is granted to a user. When a user holds the identifier with the Resource attribute, that user can charge disk space to the identifier. |
| resource domain | A namespace controlling access to OpenVMS distributed lock management resources. OpenVMS security policy protects resource domains from improper access. An operation can require read, write, lock, or control access. |
| resource identifier | An identifier with the Resource attribute. Thus, holders of the identifier can charge disk space to the identifier. |
| restricted account | A type of account with a secure login procedure. The user is not allowed to use the Ctrl/Y key sequence during the system or process login command procedure. Control may be turned over to the user following execution of the login command procedures. |
| rights database | The collection of data the system maintains and uses to define identifiers and associate identifiers with the holders of the identifiers. |
| rights identifier | See identifier. |
| rights list | The list associated with each process that includes all the identifiers the process holds. |
| RWED | The abbreviation for read, write, execute, delete, which are types of access to data files and directory files. |

| S | |
|---|---|
| secondary password | A user password that may be required at login time immediately after the primary password has been submitted correctly. Primary and secondary passwords can be known by separate users to ensure that more than one user is present at the login. A less common use is to require a secondary password as a means of increasing the password length so that the total number of combinations of characters makes password guessing more time-consuming. See also primary password. |
| secure terminal server | Operating system software designed to ensure that users can log in only to terminals that are already logged out. When the user presses the Break key on a terminal, the secure server (if enabled) responds by first disconnecting any logged-in process and then initiating a login. If no process is logged in at the terminal, the login can proceed immediately. |
| security administrator | The person or persons responsible for implementing and maintaining the organization's security policy. This role is sometimes performed by the same person who functions as a system manager. It requires the same skills as the system manager as well as knowledge of the security features provided with the operating system. |
| security alarm | A message sent to an operator terminal that is enabled to receive messages pertaining to security events. Security alarms are triggered by the occurrence of an event previously designated as worthy of the alarm because of its security implications. |
| security audit | An auditing message written to the security audit log file. These messages report the occurrence of events with security implications, such as logins, break-ins, and changes to the authorization database. A system administrator uses the log file to examine system activity for possible security violations or improper use of the system. |
| security auditing | See auditing. |
| security class | The object class whose members are all object classes. Each member defines the object templates and management routines for its object class. OpenVMS security policy protects security classes from improper access. An operation can require read, write, or control access. |
| security officer | See security administrator. |
| security operator terminal | A class of terminal that has been enabled to receive messages sent by OPCOM to security operators. These messages are security alarm messages. Normally such a terminal is a hardcopy terminal in a protected room. The output provides a log of security-related events and details that identify the source of the event. |
| security profile | A set of elements that describe either an object's access requirements or a subject's access rights. See also object security profile, process security profile. |
| social engineering | The act of gaining unauthorized access to or information about computer systems and resources by enlisting the aid of unwitting users or operators. Often involves impersonation or other fraud. |
| subject | A principal, either a user process or an application, that accesses information or is prevented from accessing information. The operating system controls access to any object that contains shareable information. Therefore, subjects must be authorized to access objects. See also process security profile. |
| system | In the context of a protection code, identifies a set of users in a system. System users typically have a UIC in the range 1 through 10 (octal); however, the exact range of a system UIC is determined by the system parameter MAXSYSGROUP. Other ways to become a system user include having SYSPRV privilege or being in the same group as the owner and holding GRPPRV. System operators and system managers are usually system users. |
| system global section | A shareable memory section potentially available to all processes in the system. OpenVMS security policy protects system global sections from improper access. Operations on file-backed sections require read, write, execute, delete, or control access. Operations on other types of sections require read, write, execute, or control access. |
| system password | A password controlling access to particular terminals. System passwords are usually necessary to control access to terminals that might be targets for unauthorized use, such as dialup and public terminal lines. After an authorized person enters the system password, a user can enter his user password. See also user password. |
| system user authorization file (SYSUAF.DAT) | A file containing an entry for every user that the system manager authorizes to gain access to the system. Each entry identifies the user name, password, default account, user identification code (UIC), quotas, limits, and privileges assigned to individuals who use the system. |
| system-defined identifier | See environmental identifier. |
| SYSUAF | See system user authorization file. |

| T | |
|---|---|
| TCB | See trusted computing base. |
| template profile | The default set of security elements applied to new objects of a class. See also object security profile. |
| tied account | See captive account. |
| trap door | An illicit piece of software or software modification in an operating system that allows access in violation of the system's established security policy. |
| Trojan horse program | A program that gains access to otherwise secured areas through its pretext of serving one purpose when its real intent is far more devious and potentially damaging. When an authorized user performs a legitimate operation using a program, the unauthorized program within it (the Trojan horse) performs an unauthorized function. |
| trusted computing base (TCB) | A combination of computer hardware and operating system software that enforces a security policy. In OpenVMS systems, the TCB includes the entire executive and file system, all other system components that do not execute in user mode (such as device drivers, RMS, and DCL), most system programs installed with privilege, and a variety of other utilities used by system managers to maintain data relevant to the TCB. |
| turnkey account | See captive account. |

| U | |
|---|---|
| UAF | See system user authorization file. |
| UIC | See user identification code. |
| UIC identifier | An identifier in alphanumeric format that is based on a user's identification code (UIC). Such an identifier can appear with or without brackets. See also identifier. |
| UIC protection code | See protection code. |
| user category | One of four fields in a protection code. The code defines the access rights for four categories of users: (a) the owner, (b) the users who share the same group UIC as the owner (the group category), (c) all users on the system (the world category), and (d) those with system privileges or rights (the system category). A code lists access rights in a fixed order: System, Owner, Group, World. |
| user identification code (UIC) | A 32-bit value assigned to users that tells what group users belong to on the system and what their unique identification is within that group. Any UIC specification is enclosed in brackets, but it can be in either an alphanumeric or a numeric format. For example, the UIC [SALES,JONES] identifies Jones as a member of the Sales group. Protected objects like files also have UICs. In most cases, their UICs come from the users who created them. |
| user irresponsibility | Situations where the user purposely or accidentally causes some noticeable damage on a computer system. |
| user name | The name a user enters to log in to the system. Together with a password, the user name identifies and authenticates a person as a valid user of the system. See also password, user password. |
| user password | A character string recorded in a user's record in the system user authorization file. The password and the user's name must be correctly supplied when the user attempts to log in so that the user is authenticated for access to the system. The two types of user passwords are known as primary and secondary; the terms also represent the sequence in which they are entered. See also primary password, secondary password, system password. |
| user penetration | Situations where the user exploits defects in the system software or system administration to break through security controls to gain access to the computer system. |
| user probing | Situations where a user exploits insufficiently protected parts of a computer system. |
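Taken together, the glossary's protection code, user category, numeric UIC, system, owner, group and world entries describe how a UIC-based protection code is evaluated for a subject. The following Python script is an added example written for this glossary; it is not code from the OpenVMS guide or from OpenVMS itself, and it models the evaluation in simplified form. The assumptions are labelled in the code: the MAXSYSGROUP default (octal 10), the parsing of the `(S:RWED,O:RWED,G:RE,W)` notation, SYSPRV and GRPPRV as the only privileges considered, and the rule that a subject receives the union of the rights of every category it qualifies for. ACLs, which the access control list and Identifier ACE entries cover, are not modelled. All function names are the example's own.

```python
# Added example (not OpenVMS code): a simplified model of evaluating a
# UIC-based protection code against a subject's UIC and privileges.
import re

MAXSYSGROUP = 0o10   # assumed default: groups 1..10 (octal) are system groups
ACCESS_TYPES = "RWED"  # read, write, execute, delete (the glossary's RWED)
CATEGORIES = "SOGW"    # fixed field order: System, Owner, Group, World


def parse_uic(text):
    """Parse a numeric UIC such as '[11,24]' into (group, member); both fields are octal."""
    m = re.fullmatch(r"\s*\[?\s*([0-7]+)\s*,\s*([0-7]+)\s*\]?\s*", text)
    if not m:
        raise ValueError(f"not a numeric UIC: {text!r}")
    group, member = int(m.group(1), 8), int(m.group(2), 8)
    # Ranges taken from the glossary's "numeric UIC" entry.
    if not 1 <= group <= 0o37776 or not 0 <= member <= 0o177776:
        raise ValueError(f"UIC out of range: {text!r}")
    return group, member


def parse_protection(code):
    """Parse a code such as '(S:RWED,O:RWED,G:RE,W)' into {'S': {'R', ...}, ...}.

    A category written without flags (e.g. 'W' or 'O:') grants no access, and
    so does a category omitted from the code entirely (assumed behaviour).
    """
    rights = {c: set() for c in CATEGORIES}
    for field in code.strip().strip("()").split(","):
        field = field.strip().upper()
        if not field:
            continue
        cat, _, flags = field.partition(":")
        if cat not in rights:
            raise ValueError(f"unknown category in protection code: {cat!r}")
        for flag in flags:
            if flag not in ACCESS_TYPES:
                raise ValueError(f"unknown access type: {flag!r}")
            rights[cat].add(flag)
    return rights


def categories_for(subject_uic, subject_privs, owner_uic):
    """Return the set of protection-code categories the subject qualifies for."""
    cats = {"W"}  # world: every user on the system
    sgroup, _ = subject_uic
    ogroup, _ = owner_uic
    if subject_uic == owner_uic:
        cats.add("O")
    if sgroup == ogroup:
        cats.add("G")
    # System category: low group number, SYSPRV, or GRPPRV within the owner's group
    # (the three routes the glossary's "system" entry names).
    if (sgroup <= MAXSYSGROUP
            or "SYSPRV" in subject_privs
            or (sgroup == ogroup and "GRPPRV" in subject_privs)):
        cats.add("S")
    return cats


def check_access(subject_uic, subject_privs, owner_uic, protection, wanted):
    """True if every access type in `wanted` is granted by some category the subject is in.

    Assumed rule: rights are the union over all qualifying categories, so an
    owner whose O field is empty still receives whatever G and W grant.
    """
    rights = parse_protection(protection)
    granted = set()
    for cat in categories_for(subject_uic, subject_privs, owner_uic):
        granted |= rights[cat]
    return set(wanted.upper()) <= granted


if __name__ == "__main__":
    # Constructed sample: an object owned by [11,5] with a typical code.
    owner = parse_uic("[11,5]")
    code = "(S:RWED,O:RWED,G:RE,W)"
    samples = [("[11,5]", set(), "D"), ("[11,24]", set(), "R"),
               ("[11,24]", set(), "W"), ("[200,1]", set(), "R"),
               ("[200,1]", {"SYSPRV"}, "W"), ("[5,1]", set(), "W")]
    for who, privs, want in samples:
        verdict = check_access(parse_uic(who), privs, owner, code, want)
        print(f"{who:>9} privs={sorted(privs)} wants {want}: {'granted' if verdict else 'denied'}")
```

Running the script prints one verdict per constructed subject: the owner gets delete, a group member gets read but not write, an unrelated user with an empty W field gets nothing, and SYSPRV or a group number at or below MAXSYSGROUP reaches the S field. Under the union rule assumed here, a code such as `S:RWED,O:,G:RE,W:RE` still gives the owner read and execute through the group and world fields, which is why an empty owner field is not a way to lock the owner out.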

| V | |
|---|---|
| virus | A command procedure or executable image written and placed on the system for the sole purpose of seeking unauthorized access to files and accounts on the system. The virus seeks access to a user file through a flaw in the file protection. If successful, the virus modifies the file so that it carries a copy of the virus. Each time an unsuspecting user executes the code that contains the virus, the virus attempts to propagate itself into other poorly protected procedures or images. The virus seeks to find its way into a procedure that will be run from a privileged account so that the virus can inflict damage to the system. |
| volume | A mass storage medium, such as a disk or tape, that is in ODS-2 or ODS-5 format. Volumes contain files and may be mounted on devices. OpenVMS security policy protects volumes from improper access. An operation can require read, write, create, delete, or control access. |

| W | |
|---|---|
| world | A category of users whose access rights to an object are identified in the last field of a protection code. The world category encompasses all users or applications on the system, including system operators, system managers, and users both in the owner's group and any other group. |
| worm | A procedure that replicates itself over many nodes in a network, typically using default network access or known security flaws. The usual effect of a worm is severe performance degradation as replicas of the worm saturate the computing capacity and bandwidth of the network. In contrast to a virus, which spreads by modifying existing programs and executing when some user runs the program, a worm stands by itself, operates in its own process context, and initiates its own offspring. |