HP OpenVMS Guide to System Security

 » Table of Contents

 » Glossary

 » Index

spacerspacerspacer
spacer
spacer
   
 

HP Part Number: AA-Q2HLG-TE

September 2003

© Copyright 2003 Hewlett-Packard Development Company, L.P.

Table of Contents

Preface
Intended Audience
Document Structure
Related Documents
Reader's Comments
How to Order Additional Documentation
Conventions
I Security Overview
1 Understanding System Security
Types of Computer Security Problems
Levels of Security Requirements
Building a Secure System Environment
Common Data Security Architecture (CDSA)
Secure Sockets Layer (SSL)
Kerberos
2 OpenVMS Security Model
Structure of a Secure Operating System
Reference Monitor Concept
How the Reference Monitor Enforces Security Rules
Implementation of the Reference Monitor
Subjects
Objects
Authorization Database
Audit Trail
Reference Monitor
Authorization Database Represented as an Access Matrix
Summary: System Security Design
II Security for the User
3 Using the System Responsibly
Choosing a Password for Your Account
Obtaining Your Initial Password
Observing System Restrictions on Passwords
Knowing What Type of Password to Use
Entering a System Password
Entering a Secondary Password
Password Requirements for Different Types of Accounts
Types of Logins and Login Classes
Logging In Interactively: Local, Dialup, and Remote Logins
Logging In Using External Authentication
Reading Informational Messages
When the System Logs In for You: Network and Batch Logins
Login Failures: When You Are Unable to Log In
Using a Terminal That Requires a System Password
Observing Your Login Class Restrictions
Using an Account Restricted to Certain Days and Times
Failing to Enter the Correct Password During a Dialup Login
Knowing When Break-In Evasion Procedures Are in Effect
Changing Your Password
Selecting Your Own Password
Using Generated Passwords
Changing a Secondary Password
Changing Your Password As You Log In
Password and Account Expiration Times
Changing an Expired Password
Renewing an Expired Account
Guidelines for Protecting Your Password
Network Security Considerations
Protecting Information in Access Control Strings
Using Proxy Login Accounts to Protect Passwords
Auditing Access to Your Account and Files
Observing Your Last Login Time
Adding Access Control Entries to Sensitive Files
Asking Your Security Administrator to Enable Auditing
Logging Out Without Compromising System Security
Clearing Your Terminal Screen
Disposing of Hardcopy Output
Removing Disconnected Processes
Breaking the Connection to a Dialup Line
Turning Off a Terminal
Checklist for Contributing to System Security
4 Protecting Data
Contents of a User's Security Profile
Per-Thread Security
Persona Security Block Data Structure (PSB)
Previous Security Model
Per-Thread Security Model
User Identification Code (UIC)
Rights Identifiers
Privileges
Security Profile of Objects
Definition of a Protected Object
Contents of an Object's Profile
Displaying a Security Profile
Modifying a Security Profile
Specifying an Object's Class
Access Required to Modify a Profile
How the System Determines If a User Can Access a Protected Object
Controlling Access with ACLs
Using Identifier Access Control Entries (ACEs)
Granting Access to Particular Users
Preventing Users from Accessing an Object
Limiting Access to a Device
Limiting Access to an Environment
Ordering ACEs Within a List
Establishing an Inheritance Scheme for Files
Displaying ACLs
Adding ACEs to an Existing ACL
Deleting an ACL
Deleting ACEs from an ACL
Replacing Part of an ACL
Restoring a File's Default ACL
Copying an ACL
Controlling Access with Protection Codes
Format of a Protection Code
Types of Access in a Protection Code
Processing a Protection Code
Changing a Protection Code
Enhancing Protection for Sensitive Objects
Providing a Default Protection Code for a Directory Structure
Restoring a File's Default Security Profile
Understanding Privileges and Control Access
How Privileges Affect Protection Mechanisms
Using Control Access to Modify an Object Profile
Object-Specific Access Considerations
Auditing Protected Objects
Kinds of Events the System Audits
Enabling Auditing for a Class of Objects
Adding Security-Auditing ACEs
5 Descriptions of Object Classes
Capabilities
Naming Rules
Types of Access
Template Profile
Kinds of Auditing Performed
Permanence of the Object
Common Event Flag Clusters
Naming Rules
Types of Access
Template Profile
Privilege Requirements
Kinds of Auditing Performed
Permanence of the Object
Devices
Naming Rules
Types of Access
Access Requirements for I/O Operations
Template Profile
Setting Up Profiles for New Devices
Privilege Requirements
Kinds of Auditing Performed
Permanence of the Object
Files
Naming Rules
Types of Access
Access Requirements
Creation Requirements
Profile Assignment
Kinds of Auditing Performed
Protecting Information When Disk Space Is Reassigned
Suggestions for Optimizing File Security
Global Sections
Naming Rules
Types of Access
Template Profile
Privilege Requirements
Kinds of Auditing Performed
Permanence of the Object
Logical Name Tables
Naming Rules
Types of Access
Template Profile
Privilege Requirements
Kinds of Auditing Performed
Permanence of the Object
Queues
Naming Rules
Types of Access
Template Profile
Privilege Requirements
Kinds of Auditing Performed
Permanence of the Object
Resource Domains
Naming Rules
Types of Access
Template Profile
Privilege Requirements
Kinds of Auditing Performed
Permanence of the Object
Security Classes
Naming Rules
Types of Access
Template Profile
Kinds of Auditing Performed
Permanence of the Object
Volumes
Naming Rules
Types of Access
Template Profile
Privilege Requirements
Kinds of Auditing Performed
Permanence of the Object
III  Security for the System Administrator
6 Managing the System and Its Data
Role of a Security Administrator
Site Security Policies
Tools for Setting Up a Secure System
Account Requirements for a Security Administrator
Training the New User
Logging a User's Session
Ongoing Tasks to Maintain a Secure System
7 Managing System Access
Defining Times and Conditions for System Access
Restricting Work Times
Restricting Modes of Operation
Restricting Account Duration
Disabling Accounts
Restricting Disk Volumes
Marking Accounts for External Authentication
Assigning Appropriate Accounts to Users
Types of System Accounts
Privileged Accounts
Interactive Accounts
Captive Accounts
Restricted Accounts
Automatic Login Accounts
Guest Accounts
Proxy Accounts
Externally Authenticated Accounts
Using Passwords to Control System Access
Types of Passwords
Enforcing Minimum Password Standards
Screening New Passwords
Password Protection Checklist
Enabling External Authentication
Overriding External Authentication
Impact on Layered Products and Applications
Setting a New Password
Case Sensitivity in Passwords and User Names
User Name Mapping and Password Verification
Password Synchronization
Specifying the SYS$SINGLE_SIGNON Logical Name Bits
Authentication and Credentials Management Extensions (ACME) Subsystem
Controlling the Login Process
Informational Display During Login
Limiting Disconnected Processes
Providing Automatic Login
Using the Secure Server
Detecting Intruders
Understanding the Intrusion Database
Security Server Process
8 Controlling Access to System Data and Resources
Designing User Groups
Example of UIC Group Design
Limitations to UIC Group Design
Naming Individual Users in ACLs
Defining Sharing of Rights
Conditionalizing Identifiers for Different Users
Designing ACLs
Populating the Rights Database
Displaying the Database
Adding Identifiers
Restoring the Rights Database
Assigning Identifiers to Users
Removing Holder Records
Removing Identifiers
Customizing Identifiers
Modifying a System or Process Rights List
Giving Users Privileges
Categories of Privilege
Suggested Privilege Allocations
Limiting User Privileges
Installing Images with Privilege
Restricting Command Output
Setting Default Protection and Ownership
Controlling File Access
Setting Defaults for Objects Other Than Files
Added Protection for System Data and Resources
Precautions to Take When Installing New Software
Protecting System Files
Restricting DCL Command Usage
Encrypting Files
Protecting Disks
Protecting Backup Media
Protecting Terminals
9 Security Auditing
Overview of the Auditing Process
Reporting Security-Relevant Events
Ways to Generate Audit Information
Kinds of System Activity the Operating System Can Report
Sources of Event Information
Developing an Auditing Plan
Assessing Your Auditing Requirements
Selecting a Destination for the Event Message
Considering the Performance Impact
Methods of Capturing Event Messages
Using an Audit Log File
Enabling a Terminal to Receive Alarms
Secondary Destinations for Event Messages
Analyzing a Log File
Recommended Procedure
Invoking the Audit Analysis Utility
Providing Report Specifications
Using the Audit Analysis Utility Interactively
Examining the Report
Managing the Auditing Subsystem
Tasks Performed by the Audit Server
Disabling and Reenabling Startup of the Audit Server
Changing the Point in Startup When the Operating System Initiates Auditing
Choosing the Number of Outstanding Messages That Trigger Process Suspension
Reacting to Insufficient Memory
Maintaining the Accuracy of Message Time-Stamping
Adjusting the Transfer of Messages to Disk
Allocating Disk Space for the Audit Log File
Error Handling in the Auditing Facility
10 System Security Breaches
Forms of System Attacks
Indications of Trouble
Reports from Users
Monitoring the System
Routine System Surveillance
System Accounting
Security Auditing
Handling a Security Breach
Unsuccessful Intrusion Attempts
Successful Intrusions
11 Securing a Cluster
Overview of Clusters
Building a Common Environment
Required Common System Files
Recommended Common System Files
Synchronizing Multiple Versions of Files
Synchronizing Authorization Data
Managing the Audit Log File
Protecting Objects
Storing Profiles and Auditing Information
Clusterwide Intrusion Detection
Using the System Management Utility
Managing Cluster Membership
Using DECnet Between Cluster Nodes
12 Security in a Network Environment
Managing Network Security
Requirements for Achieving Security
Auditing in the Network
Hierarchy of Access Controls
Using Explicit Access Control
Using Proxy Logins
Using Default Application Accounts
Proxy Access Control
Special Security Measures with Proxy Access
Setting Up a Proxy Database
Example of a Proxy Account
Using DECnet Application (Object) Accounts
Summary of Network Objects
Configuring Network Objects Manually
Removing Default DECnet Access to the System
Setting Privilege Requirements for Remote Object Connections
Specifying Routing Initialization Passwords
Establishing a Dynamic Asynchronous Connection
Sharing Files in a Network
Using the Mail Utility
Setting Up Accounts for Local and Remote Users
Admitting Remote Users to Multiple Accounts
13 Using Protected Subsystems
Advantages of Protected Subsystems
Applications for Protected Subsystems
How Protected Subsystems Work
Design Considerations
System Management Requirements
Building the Subsystem
Enabling Protected Subsystems on a Trusted Volume
Giving Users Access
Example of a Protected Subsystem
Protecting the Top-Level Directory
Protecting Subsystem Directories
Protecting the Images and Data Files
Protecting the Printer
Command Procedure for Building the Subsystem
A Assigning Privileges
ACNT Privilege (Devour)
ALLSPOOL Privilege (Devour)
ALTPRI Privilege (System)
AUDIT Privilege (System)
BUGCHK Privilege (Devour)
BYPASS Privilege (All)
CMEXEC Privilege (All)
CMKRNL Privilege (All)
DIAGNOSE Privilege (Objects)
DOWNGRADE Privilege (All)
EXQUOTA Privilege (Devour)
GROUP Privilege (Group)
GRPNAM Privilege (Devour)
GRPPRV Privilege (Group)
IMPERSONATE Privilege (All) (Formerly DETACH)
IMPORT Privilege (Objects)
LOG_IO Privilege (All)
MOUNT Privilege (Normal)
NETMBX Privilege (Normal)
OPER Privilege (System)
PFNMAP Privilege (All)
PHY_IO Privilege (All)
PRMCEB Privilege (Devour)
PRMGBL Privilege (Devour)
PRMMBX Privilege (Devour)
PSWAPM Privilege (System)
READALL Privilege (Objects)
SECURITY Privilege (System)
SETPRV Privilege (All)
SHARE Privilege (All)
SHMEM Privilege (Devour)
SYSGBL Privilege (Files)
SYSLCK Privilege (System)
SYSNAM Privilege (All)
SYSPRV Privilege (All)
TMPMBX Privilege (Normal)
UPGRADE Privilege (All)
VOLPRO Privilege (Objects)
WORLD Privilege (System)
B Protection for OpenVMS System Files
Standard Ownership and Protection
Listing of OpenVMS System Files
Files in Top-Level Directories
Files in SYS$KEYMAP
Files in SYS$LDR
Files in SYS$STARTUP and SYS$ERR
Files in SYSEXE
Files in SYSHLP
Files in SYSLIB
Files in SYSMGR
Files in SYSMSG
Files in SYSTEST
Files in SYSUPD
Files in VUE$LIBRARY
C Running an OpenVMS System in a C2 Environment
Introduction to C2 Systems
Definition of the C2 Environment
Trusted Computing Base (TCB) for C2 Systems
Hardware in the TCB
Software in the TCB
Protecting Objects
Protecting the TCB
Configuring a C2 System
Checklist for Generating a C2 System
D Alarm Messages
Glossary
Index

List of Figures

2-1 Reference Monitor
2-2 Authorization Access Matrix
2-3 Authorization Access Matrix with Labeled Cross-Points
4-1 Previous Per-Thread Security Model
4-2 Per-Thread Security Profile Model
4-3 Flowchart of Access Request Evaluation
4-4 Flowchart of Access Request Evaluation (cont’d)
4-5 Flowchart of Access Request Evaluation (cont’d)
4-6 Flowchart of Access Request Evaluation (cont’d)
4-7 Flowchart of Access Request Evaluation (cont’d)
8-1 Flowchart of File Creation
8-2 Flowchart of File Creation
8-3 Flowchart of File Creation
8-4 Security Class Object
12-1 The Reference Monitor in a Network
12-2 A Typical Dynamic Asynchronous Connection
13-1 How Protected Subsystems Differ from Normal Access Control
13-2 Directory Structure of the Taylor Company's Subsystem

List of Tables

1-1 Event Tolerance as a Measure of Security Requirements
2-1 Objects Protected by Security Controls
2-2 Security Auditing Overview
3-1 Secure and Insecure Passwords
3-2 Types of Passwords
3-3 Reasons for Login Failure
4-1 Major Types of Rights Identifiers
4-2 Classes of Protected Objects
6-1 Example of a Site Security Policy
7-1 Authorize Qualifiers Controlling Login Times and Conditions
7-2 Login Qualifiers Not Allowed by Captive Accounts
7-3 Qualifiers Required to Define Captive Accounts
7-4 Defaults for Password History List
7-5 SYS$SINGLE_SIGNON Logical Name Bits
7-6 Intrusion Example
7-7 Parameters for Controlling Login Attempts
8-1 Employee Grouping by Department and Function
8-2 OpenVMS Privileges
8-3 Minimum Privileges for System Users
8-4 DCL Commands Used to Protect Files
9-1 Event Classes Audited by Default
9-2 Access Control Entries (ACEs) for Security Auditing
9-3 Kinds of Security Events the System Can Report
9-4 Events to Monitor Depending on a Site's Security Requirements
9-5 Characteristics of the Audit Log File
9-6 Qualifiers for the Audit Analysis Utility
9-7 Controlling the Flow of Audit Event Messages
10-1 System Files Benefiting from ACL-Based Auditing
11-1 System Files That Must Be Common in a Cluster
11-2 System Files Recommended to Be Common
11-3 Using Multiple Versions of Required Cluster Files
11-4 Fields in SYSUAF.DAT Requiring Synchronization
11-5 Summary of Object Behavior in a Cluster
12-1 AUTHORIZE Commands for Managing Network Proxy Access
12-2 Network Object Defaults
B-1 Exceptions to Standard OpenVMS System File Protection
C-1 Software Not Included in the C2-Evaluated System
C-2 Privileges for Untrusted Users

List of Examples

3-1 Local Login Messages
4-1 Authorized Versus Default Process Privileges
6-1 Sample Security Administrator's Account
7-1 Creating a Typical Interactive User Account
7-2 Creating a Limited-Access Account
7-3 Sample Captive Procedure for Privileged Accounts
7-4 Sample Captive Command Procedure for Unprivileged Accounts
7-5 Intrusion Database Display
9-1 Sample Alarm Message
9-2 Audit Generated by an Object Access Event
9-3 Auditing Events for a Site with Moderate Security Requirements
9-4 Brief Audit Report
9-5 One Record from a Full Audit Report
9-6 Summary of Events in an Audit Log File
9-7 Identifying Suspicious Activity in the Audit Report
9-8 Scrutinizing a Suspicious Record
9-9 Default Characteristics of the Audit Server
12-1 Sample Proxy Account
12-2 UAF Record for MAIL$SERVER Account
12-3 Sample Commands for a Dynamic Asynchronous Connection
12-4 Protected File Sharing in a Network
13-1 Setting Up Identifiers and Application Access for Managing Membership List
13-2 Protection of SUPPLIERS_SUBSYSTEM.DIR
13-3 Protection of SYS$SYSDEVICE:[SUPPLIERS_SUBSYSTEM]
13-4 Access to Subsystem's Images ORDERS.EXE and PAYMENTS.EXE
13-5 Queue Protection
13-6 Subsystem Command Procedure
B-1 Files in SYS$KEYMAP
B-2 Files in SYS$LDR
B-3 Files in SYS$STARTUP and SYS$ERR
B-4 Files in SYSEXE
B-5 Files in SYSHLP
B-6 Files in SYSLIB
B-7 Files in SYSMGR
B-8 Files in SYSMSG
B-9 Files in SYSTEST
B-10 Files in SYSUPD
B-11 Files in VUE$LIBRARY
   


Preface