CONTENTS

Title Page
Copyright Page
Preface

1 Introduction
  1.1 Types of Computer Security Problems
    1.1.1 User Irresponsibility
    1.1.2 User Probing
    1.1.3 User Penetration
  1.2 Levels of Security Requirements
  1.3 The Secure System Environment

2 Overview
  2.1 The Reference Monitor Concept
  2.2 The Reference Monitor and VMS
    2.2.1 Subjects
    2.2.2 Objects
    2.2.3 Authorization Database
    2.2.4 Audit Trail
    2.2.5 Reference Monitor Mechanism
  2.3 Summary

3 Security for the User
  3.1 Logging In to the System
    3.1.1 Types of Logins
      3.1.1.1 Local Logins
      3.1.1.2 Dialup Logins
      3.1.1.3 Remote Logins
      3.1.1.4 Network Logins
      3.1.1.5 Batch Logins
      3.1.1.6 Detached Process Login
      3.1.1.7 Subprocess Login
    3.1.2 Interactive Login Informational Messages
      3.1.2.1 Announcement Message
      3.1.2.2 Disconnected Job Messages
      3.1.2.3 Welcome Message
      3.1.2.4 Last Login Messages
      3.1.2.5 Message Suppression
    3.1.3 Introduction to Passwords
      3.1.3.1 System Passwords
      3.1.3.2 User Passwords
      3.1.3.3 Changing Your Password
      3.1.3.4 Password Expiration Time
      3.1.3.5 Minimum Password Lengths
      3.1.3.6 Selecting Secure Passwords
      3.1.3.7 Primary and Secondary Passwords
      3.1.3.8 Avoiding Programs That Steal Passwords
      3.1.3.9 Protecting Your Password
      3.1.3.10 Summary of Password Guidelines
    3.1.4 Account Expiration Times
    3.1.5 Causes of Login Failures
      3.1.5.1 System Password Failures
      3.1.5.2 Login Class Restrictions
      3.1.5.3 Shift Restrictions
      3.1.5.4 Dialup Login Failures
      3.1.5.5 Break-In Evasion Has Been Activated
  3.2 Network Security Considerations for Users
    3.2.1 Network Access Control Strings
    3.2.2 Proxy Logins
      3.2.2.1 Multiple Proxy Accounts
    3.2.3 Using the VMS Mail Utility
  3.3 Logging Out of the System
    3.3.1 Logging Out from Video Terminals
    3.3.2 Logging Out from Hardcopy Terminals
    3.3.3 Logging Out from Disconnected Processes
    3.3.4 Logging Out from a Dialup Login
  3.4 Summary of Recommended User Practices

4 Object Protection Features
  4.1 How the System Determines Access
  4.2 Standard UIC-Based Protection
    4.2.1 UICs and Protection
    4.2.2 Specifying UICs
      4.2.2.1 Numeric Format UICs
      4.2.2.2 Alphanumeric Format UICs
      4.2.2.3 UIC Translation and Storage
    4.2.3 How UIC-Based Protection Controls Access
    4.2.4 Protection Code Syntax
    4.2.5 How Privileges Affect Protection
    4.2.6 How the System Interprets a Protection Code
    4.2.7 How the System Interprets Object Access Types
      4.2.7.1 Disk Files
      4.2.7.2 Directory Files
      4.2.7.3 Volumes
      4.2.7.4 Global Sections
      4.2.7.5 Devices
      4.2.7.6 Logical Name Tables
      4.2.7.7 Queues
    4.2.8 Establishing and Changing UIC-Based Protection
      4.2.8.1 Volume Protection
      4.2.8.2 Directory Protection
      4.2.8.3 File Protection
      4.2.8.4 Global Section Protection
      4.2.8.5 Device Protection
      4.2.8.6 Logical Name Table Protection
      4.2.8.7 Queue Protection
  4.3 Access Control Lists (ACL)
    4.3.1 ACLs, Identifiers, and the Reference Monitor
    4.3.2 Creating and Maintaining ACLs
      4.3.2.1 Global Sections
      4.3.2.2 Devices
      4.3.2.3 Logical Name Tables
      4.3.2.4 Queues
    4.3.3 Identifiers
      4.3.3.1 UIC Identifiers
      4.3.3.2 General Identifiers
      4.3.3.3 System-Defined Identifiers
    4.3.4 Access Control List Entries
      4.3.4.1 Identifier ACE
      4.3.4.2 Default Protection ACE
      4.3.4.3 Security Alarm ACE
    4.3.5 Summary of ACLs
  4.4 Establishing and Changing Object Ownership
    4.4.1 Understanding the Role of Identifier Attributes
      4.4.1.1 Resource Attribute
      4.4.1.2 Dynamic Attribute
    4.4.2 Defining Ownership Privileges
    4.4.3 Establishing and Changing Volume Ownership
    4.4.4 Establishing and Changing Directory Ownership
    4.4.5 Establishing and Changing File Ownership
  4.5 Propagation of Protection Defaults
    4.5.1 Default Directory File Protection
      4.5.1.1 Default UIC-Based Directory File Protection
      4.5.1.2 Default ACL Protection
    4.5.2 Default File Protection
      4.5.2.1 Default UIC-Based Protection
      4.5.2.2 Default ACL Protection
  4.6 Summary of Access Request Evaluation
  4.7 Protecting Purged or Deleted Data from Disk Scavenging
    4.7.1 Erasure Patterns
    4.7.2 Highwater Marking
  4.8 User Auditing
    4.8.1 Noting Your Last Login Time
    4.8.2 Tools for Detecting System Abuse
      4.8.2.1 Security Alarms
      4.8.2.2 Auditing Access to Sensitive Files
  4.9 Managing Your Files for Optimum Security

5 System Security Implementation
  5.1 Security Management Account
  5.2 Considerations for Establishing User Accounts
    5.2.1 Introduction to Group Design
      5.2.1.1 Limitations to UIC Group Design
    5.2.2 Introduction to ACL Design and Identifiers
    5.2.3 Some Special-Purpose Identifiers
    5.2.4 Creating and Maintaining a Rights Database
      5.2.4.1 Adding Identifiers
      5.2.4.2 Adding Holders of Identifiers
      5.2.4.3 Removing Identifiers and Holders
      5.2.4.4 Displaying the Rights Database
    5.2.5 Setting Protection and Ownership Defaults for Users
      5.2.5.1 Adjusting Protection Defaults
      5.2.5.2 Setting Up a Project Account
    5.2.6 Password Management
      5.2.6.1 Initial Passwords
      5.2.6.2 System Passwords
      5.2.6.3 Primary and Secondary Passwords
      5.2.6.4 Enforcing Minimum Password Standards
      5.2.6.5 Screening New Passwords
      5.2.6.6 Requiring the Password Generator
      5.2.6.7 Specifying a Password Algorithm
      5.2.6.8 Protecting Passwords
    5.2.7 Login Options
      5.2.7.1 Controlling the Announcement Message
      5.2.7.2 Controlling the Welcome Message
      5.2.7.3 Controlling the Last Login Messages
      5.2.7.4 Controlling New Mail Announcements
      5.2.7.5 Controlling Disconnected Processes
      5.2.7.6 Controlling the Number of Retries on Dialups
      5.2.7.7 Controlling Break-In Detection and Evasion
      5.2.7.8 Using the Secure Server
    5.2.8 Using the Automatic Login Facility
      5.2.8.1 Adding New Records
      5.2.8.2 Deleting Records
      5.2.8.3 Displaying Records
      5.2.8.4 Restricting ALF Users
      5.2.8.5 Logging In to an Automatic Login Terminal
      5.2.8.6 Protecting Automatic Login Accounts
  5.3 Authorizing Usage
    5.3.1 Restricting Devices
      5.3.1.1 Restricting Terminal Use
      5.3.1.2 Restricting Disk Volumes
      5.3.1.3 Applications Terminals and Miscellaneous Devices
    5.3.2 Restricting Work Times
    5.3.3 Restricting Mode of Operation
    5.3.4 Restricting DCL Command Usage
    5.3.5 Restricting Account Duration
    5.3.6 Granting User Privileges
      5.3.6.1 Limiting User Privileges
      5.3.6.2 Suggested Privilege Allocations
      5.3.6.3 Controlling Privileged Accounts
      5.3.6.4 Special Purpose Privileged Captive Accounts
    5.3.7 Examples of Establishing User Accounts
      5.3.7.1 A System Manager's Account
      5.3.7.2 A Typical Interactive User's Account
      5.3.7.3 A Production Account
    5.3.8 Training the New User
  5.4 Protecting Information
    5.4.1 Restricting Command Outputs
    5.4.2 Protecting System Programs and Databases
    5.4.3 Precautions to Take When Installing New Software
      5.4.3.1 Protecting Programs and Directories
      5.4.3.2 Installing Programs with Privilege
  5.5 File Encryption
  5.6 Disk Maintenance Considerations
  5.7 Methods for Discouraging Disk Scavenging
    5.7.1 Erasing Techniques
    5.7.2 Prevention Through Highwater Marking
    5.7.3 Summary of Prevention Techniques
  5.8 Restricting the Environment-Limited-Access Accounts
    5.8.1 Creating a Captive Account
    5.8.2 Creating a Restricted Account
    5.8.3 Use of the DISIMAGE Flag in Limited-Access Accounts
    5.8.4 Summary of Captive and Restricted Accounts
    5.8.5 Guest Accounts
    5.8.6 Proxy Login Accounts
  5.9 Ongoing Tasks

6 Security Auditing
  6.1 Overview of VMS Security Auditing
  6.2 Security Auditing Components
    6.2.1 Audit Server Process
      6.2.1.1 Audit Server Database
      6.2.1.2 Disabling OPCOM and AUDIT_SERVER
      6.2.1.3 Changing the Audit Server Flush Rates
    6.2.2 Operator Communication Manager
    6.2.3 System Security Audit Log File
      6.2.3.1 Creating a New Version of the Security Audit Log File
      6.2.3.2 Relocating the Security Audit Log File
    6.2.4 Security Archive File
      6.2.4.1 Enabling Remote Security Archiving
      6.2.4.2 Analyzing the Security Archive File
    6.2.5 Listener Device
  6.3 Defining Security Events to Be Audited
    6.3.1 Enabling a Security Operator Terminal
  6.4 Analyzing Security Auditing Information
    6.4.1 Specifying the Audit Analysis Output Format
    6.4.2 Displaying Selective Security Auditing Information
  6.5 Monitoring Security Auditing Resources
    6.5.1 Overflowing the OPCOM Mailbox
    6.5.2 Running Out of Disk Space
      6.5.2.1 Changing Disk Monitoring Resource Thresholds
      6.5.2.2 Adding Processes to the Process Exclusion List
      6.5.2.3 Disabling Disk Resource Monitoring
    6.5.3 Running Out of Virtual Memory
    6.5.4 Losing the Link to the Remote Security Archive File
  6.6 Auditing a Terminal Session
    6.6.1 Enforcing a Terminal Session Audit
  6.7 Other Audit Data

7 When Your System Security Has Been Breached
  7.1 Indications of Trouble
    7.1.1 Reports from Users
    7.1.2 Monitoring the System
  7.2 Routine System Surveillance
    7.2.1 Accounting Log
    7.2.2 Security Auditing
  7.3 Handling a Security Breach
    7.3.1 Unsuccessful Break-In Attempts
      7.3.1.1 Detection of the Unsuccessful Break-In Attempt
      7.3.1.2 Identifying the Perpetrator
      7.3.1.3 Prevention of Break-In Attempts
      7.3.1.4 Repair After an Unsuccessful Break-In
    7.3.2 Successful Break-In Attempts
      7.3.2.1 Identification of Break-In Perpetrator
      7.3.2.2 Prevention of Break-In Attempts
      7.3.2.3 Repair After a Break-In

8 Security for a DECnet Node
  8.1 The Reference Monitor in a Network
    8.1.1 Establishing Subject Correspondence
    8.1.2 Specifying Authorizations
    8.1.3 Protecting Communications
    8.1.4 Summary of VMS Network Security and the Reference Monitor
  8.2 DECnet-VAX Accounts
  8.3 The DECnet-VAX Database
  8.4 Network Laws and Regulations
  8.5 Specifying DECnet Object Accounts
    8.5.1 Summary of Network Objects
    8.5.2 Configuring Network Objects Automatically
    8.5.3 Configuring Network Objects Manually
      8.5.3.1 Creating a Top-Level Directory for an Object
      8.5.3.2 Creating an Account for a Network Object
      8.5.3.3 Defining the Network Object Account Name and Password
      8.5.3.4 Removing Default DECnet Access to the System
      8.5.3.5 Rebooting the System
  8.6 Proxy Logins
    8.6.1 Setting Up Proxy Logins
      8.6.1.1 Using the VMS Authorize Utility
      8.6.1.2 Proxy Account Example
      8.6.1.3 Using the VMS Network Control Program (NCP) Utility
      8.6.1.4 Conditions for Proxy Access
    8.6.2 Special Proxy Access Considerations
  8.7 Sharing Files in the Network Environment
    8.7.1 Remote Users Seek Access for a Single Task
    8.7.2 Remote Users from One Node Require Single Account Access
    8.7.3 Remote Users Require Multiple Account Access

9 Security Concerns on a Cluster
  9.1 Overview of Clusters and Security Considerations
  9.2 Authorization Database Considerations
  9.3 Building a Common User Environment
  9.4 File Sharing Considerations
  9.5 Using DECnet Between Cluster Nodes
  9.6 Summary

A Privileges
  A.1 User Privileges
    A.1.1 ACNT Privilege
    A.1.2 ALLSPOOL Privilege
    A.1.3 ALTPRI Privilege
    A.1.4 BUGCHK Privilege
    A.1.5 BYPASS Privilege
    A.1.6 CMEXEC Privilege
    A.1.7 CMKRNL Privilege
    A.1.8 DETACH Privilege
    A.1.9 DIAGNOSE Privilege
    A.1.10 EXQUOTA Privilege
    A.1.11 GROUP Privilege
    A.1.12 GRPNAM Privilege
    A.1.13 GRPPRV Privilege
    A.1.14 LOG_IO Privilege
    A.1.15 MOUNT Privilege
    A.1.16 NETMBX Privilege
    A.1.17 OPER Privilege
    A.1.18 PFNMAP Privilege
    A.1.19 PHY_IO Privilege
    A.1.20 PRMCEB Privilege
    A.1.21 PRMGBL Privilege
    A.1.22 PRMMBX Privilege
    A.1.23 PSWAPM Privilege
    A.1.24 READALL Privilege
    A.1.25 SECURITY Privilege
    A.1.26 SETPRV Privilege
    A.1.27 SHARE Privilege
    A.1.28 SHMEM Privilege
    A.1.29 SYSGBL Privilege
    A.1.30 SYSLCK Privilege
    A.1.31 SYSNAM Privilege
    A.1.32 SYSPRV Privilege
    A.1.33 TMPMBX Privilege
    A.1.34 VOLPRO Privilege
    A.1.35 WORLD Privilege

B Using the User Data Areas in UAF Records
  B.1 Obsolete Method for Storing User Data in the UAF

C Protection for VMS System Files

D Running VMS in a C2 Environment

E Alarm Messages
  E.1 File and Global Section Alarms
  E.2 Alarms Requested by an ACL
  E.3 INSTALL Alarms
  E.4 Alarms Resulting from Modifications to the Rights Database
  E.5 Alarms Resulting from Changes to SYSUAF or NETPROXY
  E.6 Alarms Resulting from Password Changes
  E.7 Break-In Attempt Alarms
  E.8 Login Alarms
  E.9 Login Failure Alarms
  E.10 Logout Alarms
  E.11 Volume Mount and Dismount Alarms
  E.12 Alarms Resulting from Execution of SET AUDIT Command

Glossary

EXAMPLES
  3-1 Local Login Messages
  5-1 A Sample Security/System Manager's Account
  5-2 A Typical Interactive User Account
  5-3 A Production Account
  5-4 A Sample Captive Command Procedure
  5-5 Sample Restricted Procedure for Privileged Accounts
  8-1 UAF Record for MAIL$SERVER Account
  8-2 A Sample Proxy Account
  8-3 Protected File Sharing in a Network
  C-1 Protection Codes and Ownership of System Files

FIGURES
  2-1 Reference Monitor Diagram
  3-1 File Sharing over a Network
  4-1 Illustrating User Categories with a UIC of [100,100]
  4-2 Example of an Access Matrix
  4-3 Previous Matrix with Labeled Crosspoints
  4-4 Flowchart of Access Request Evaluation
  5-1 Flowchart of File Creation
  6-1 Security Auditing on a VMS System
  6-2 Areas of Potential Security Auditing Resource Problems
  6-3 Resource Monitoring Thresholds
  8-1 Simple Diagram of Reference Monitor in a Network
  8-2 Advanced Diagram of the Reference Monitor in a Network

TABLES
  1-1 Event Tolerance as a Measure of Security Requirements
  3-1 Classes and Types of Logins
  3-2 Causes of Login Failure
  5-1 Employee Grouping by Department and Function
  5-2 Defaults for Password History List
  5-3 VMS Privileges
  5-4 Minimum Privileges for System Users
  5-5 DCL Commands Used to Protect Files
  6-1 Security Auditing Components
  6-2 Default Resource Monitoring Thresholds
  6-3 Audit Server Final Action Keywords
  7-1 System Files Benefiting from ACL-Based File Access Auditing
  8-1 Network Object Defaults
  8-2 Executor Proxy Parameter Values