Software Product Description

Safety V1.5
Comprehensive Data Safety for your VMS systems.
from General Cybernetic Engineering

Executive Summary:

There are many perils your data faces, and loss of data can cost time, money, and jobs. Intruders, disgruntled insiders, or hidden flaws in installed software can destroy records. What is more, mistaken losses occur constantly.

Safety protects your system and your critical data in three ways:

1. A comprehensive security system adds extra checks for access to VMS files so that access by intruders or by people in non-job-required ways can be regulated or prevented. This allows your business-critical data to finally be protected against misuse, tampering, or abuse. Access from programs doing background dirty work (viruses, Trojans, worms, and the like, or even programs with security holes which can be exploited remotely (like Java browsers)) can also be blocked without damaging normal use. This active protection works three ways: by checking the integrity of your files against tampering, by preventing untrusted images from gaining privilege, and by regulating what other parts of the system an image may access.

2. A deletion protection system provides a way to undelete files which were deleted by mistake and to optionally copy deleted files to backup facilities before removal. Unlike all other VMS "undelete" programs on the market, this facility does not rely on finding the disk storage that contained the file and reclaiming it before it is overwritten. Rather, it changes the semantics of the file system delete to use a "wastebasket" system and captures the file intact. Thus, this system works reliably. No others do. This facility is also useful where you have a requirement to keep all files of a certain set of types, since the backup function can be used to capture such files while permitting otherwise normal system function. The shelving or linking functions are also available for moving copies offline if this is desired. The Safety protection features are fully integrated with the DPS subsystem, so that deletion protection does not involve destroying file security.

3. When space runs out, hasty decisions about what to keep online often must be made, and the risk of accidentally losing something important is high. Safety protects you from running out of space. Space can be monitored and older items in the wastebasket deleted if it is becoming low, without manual intervention. In addition, Safety is able to "shelve" files so that they are stored anywhere else desired on your system, and they are brought back automatically when accessed. Thus no manual arrangements need be made for reloading them. Safety can also keep the files on secondary storage, keeping a "soft link" to the files at their original site so they will be accessed on the secondary storage instead. Also, Safety can store files compressed, or can store them on secondary storage so that read access is done on the secondary storage, but write access causes the file to be copied back to its original site. Standard VMS utilities are used for all file movement, and moved files are also directly accessible in their swapped sites with standard VMS utilities. The VMS file system remains completely valid at all times.

Safety gives you a full complement of tools for dealing with space issues automatically according to your site policy. These facilities are safe and easily understood. A comprehensive utility is provided by which you set your site policy to select which files are and are not eligible for automatic shelving. Also you are provided with screen oriented utilities for selecting files to shelve at any time. Access to the shelved files of course causes unshelving if the normal shelving-by-copy mode is used. Also, a simple set of rules permits locating shelved or softlink target files at any time, even without Safety running.
Safety at no time invalidates your file structures for normal VMS access...not even for an instant. In addition Safety contains functions to speed file access and inhibit disk fragmentation.

The major subsystems of Safety will now be described.

The Security Function System:

Summary:

Managing access to data critical to your business using ACL facilities in native VMS can be cumbersome and still is vulnerable to intruders or people acting in excess of their authority.

Want to be sure your critical records can't be accessed save at authorized places, times, and with the programs that are supposed to access them (instead of, say, COPY.EXE)?

Want to have protection against privileged users bypassing access controls?

Want to be able to password protect individual files?

Want to be able to invisibly hide selected files from unauthorized intruders?

Have you read that attacks on machines can happen because a Java browser points at a web site that damages the system (as has been reported in the press)?
Want to be able to protect your systems?

The Safety security subsystem builds in facilities permitting all of these, and is not vulnerable to intruders who disable the AUDIT facility, as all other commercial packages which purport to monitor access are.

Description: When your business depends on critical files, or when you are obliged by law or contract to maintain confidentiality of data on your system, in most cases the options provided by VMS for securing this data can be cumbersome and far too coarse-grained.

The problem is that certain kinds of access to data are often needed by people in a shop, but other access should be prevented and audited. Moreover, the wide system access that can come as a result of having system privileges often does not mean that it should be used to browse or disclose data stored on the system. A system manager will in general not, for example, have any valid reason to browse the customer contact file, the payroll database, or a contract negotiation file, save in a few cases where these files need to be repaired or reloaded from backups. Likewise, a payroll clerk may need read and write access to the payroll file, but not in general with the COPY utility, nor from a modem, nor in most cases at 4AM. Finally, a person who must have privileges to design a driver and test it should ordinarily not have the run of the file system as well.

Given examples like these, it is easy to see that simple authorization of user access to files is inadequate. While it is possible to build systems that grant identifiers to attempt some extra control, these can be circumvented by privilege, and create very long ACLs which become impossible to administer over a long period as users come and go.

What is needed is a mechanism that is secure, cannot be circumvented by turning on privileges, and which provides a simple to administer and fine grained control that lets you specify who can get at your critical files, with what images, when, from where, and with what privileges. It is also desirable to be able to control what privileges the images ever see, and to be able to check critical command files or images for tampering before use, so that they cannot be used as back doors to your system. It should be possible to demand extra authentication for particular files as well, and to prevent a malicious user from even seeing a particularly critical file, unless he can be permitted access.

The Safety security subsystem is a VMS add-in security package which provides abilities to control security problems due to intruders, to damage or loss by system "insiders" (users exceeding their authority), and to covert code (worms and viruses). It provides a much easier management interface to handle security permissions than bare VMS and provides facilities permitting control over even privileged file accesses, for cases where there are privileged users whose access should be limited.
Unlike systems which only intercept the AUDIT output, EACF can and does protect against ANY file accesses, and can protect files against deletion by unauthorized people or programs in real time as well as against access.

The Safety security subsystem offers the following capabilities:

* Files can be password protected individually. If a file open or delete is attempted for such a file and no password has been entered, the open or delete fails.

* Access can be controlled by time of day. Added protections can be in place only some of the time, access can be denied some times of day, write accesses can be denied at certain times, or various other modalities of access can be allowed.

* You can control who may access a file, where they may be (or may not be), with what images they may or may not access the file, and with what privileges the file may be accessed. Thus, for instance, it is trivial to allow a clerk access to the payroll file with the payroll programs, but not with COPY or BACKUP, not on dialup lines, and not if they have unexpected privileges. The privilege checks can be helpful where there are consultants working on a system who should be denied access to sensitive corporate information but who need privileges to develop programs, or in similar circumstances. You specify what privileges are permitted for opening the file, and a process with excess privileges is prevented from access. Vital business data access should not always be implied by someone having privilege.
With this system you can be sure your proprietary plans or data stay in house, and are available only to those with business reasons to need them, not to everyone needing system privileges for unrelated reasons. Unlike packages using the VMS Audit facility's output (which can be silently turned off by public domain code), Safety cannot be circumvented by well known means. Its controls are designed to leave evidence of what was done with them as well.

* You can specify that images able to run portable code (applet viewing programs or programs with powerful scripting languages) trigger a "paranoid mode" system. When this is triggered (normally when the "loading" image is active), all file opens by the process running the triggering image are filtered by a script. This script can be different for different programs, and is site customized. The furnished sample script will broadcast the identity of the user and of the files being opened. It is trivial to arrange to limit this to unusual files or filesystem areas. The script can also veto the open. Thus the recommended way to treat web browsers is to limit their file access so they may read system areas and a scratch area, and may write only a scratch area. (The script is informed whether the open is for read or for write.) In this "low-integrity-image" mode all file opens are checked with a site script which can report or veto access. This can be used to track or regulate what a Java applet can do, in case someone happens to browse a web site which exploits a Java hole to browse your system or damage it.

* You can hide files from unauthorized access. If someone not authorized to access a file tries to open it, they can be set to open instead some other file anywhere on the system. Meanwhile, Safety generates alarms and can execute site specific commands to react to the illegal access before it can happen. This can be helpful in gathering evidence of what a saboteur is up to without exposing real sensitive files to danger. Normal access goes through transparently.

* You can arrange that opening a file grants identifiers to the process that opens it and that closing it revokes these identifiers. Set an interpretive file to do this and set it to be openable only by the interpreter and you have a protected subsystem capability that works for 4GLs which are interpretive. (Safety identifier granting, privilege modification, and base priority alteration are protected by a cryptographic authenticator preventing forging or duplication.)

* You can actively prevent covert code (viruses and worms) from running in two ways. First, Safety can attach a cryptographic checksum to a file such that the file will not open if it has been tampered with. Second, Safety can attach a privilege mask to a file which will replace all privilege masks for the process that opens it. By setting such a mask to minimal privileges, you can ensure that an untrusted image will never see a very privileged environment, and thus will be unable to perform privilege-based intrusions into your system even if run from a privileged user's account.

* You can control base priority by image. Thus, a particularly CPU intensive image can be made to run at lower than normal base priority even if it is run interactively.

* You can run a site-chosen script to further refine selection criteria.
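The capabilities listed above combine into one decision taken at file open time. The following model, an added illustration rather than code from GCE or from Safety itself, evaluates a constructed per-file rule (password, permitted images, denied access paths, write hours, an upper bound on the opener's privileges, a privilege mask imposed on open, an integrity seal and a decoy for hidden files) against sample open requests. The rule fields, the keyed SHA-256 seal, the file and image names and the requests are all assumptions made for the example; the page does not describe Safety's real authenticator or marking format.

```python
"""Model of the per-file checks the Safety security subsystem describes:
file password, time of day, permitted images, denied access paths, an
upper bound on the opener's privileges, a privilege mask imposed on open,
an integrity seal, and decoy redirection for hidden files.
Added illustration, not GCE code; rule fields, file names and requests
are constructed for the example."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed site secret: the page does not describe Safety's real
# authenticator, so a keyed SHA-256 over the file contents stands in.
INTEGRITY_KEY = b"constructed-site-secret"


def integrity_tag(content: bytes) -> str:
    """Keyed checksum sealed onto a file; any change to its bytes breaks it."""
    return hmac.new(INTEGRITY_KEY, content, hashlib.sha256).hexdigest()


@dataclass
class FileRule:
    password: Optional[str] = None          # per-file password, if required
    allowed_images: Optional[set] = None    # images that may open it; None = any
    denied_sources: set = field(default_factory=set)  # e.g. {"DIALUP"}
    write_hours: tuple = (0, 24)            # [start, end) hours in which writes are allowed
    max_privs: Optional[set] = None         # privileges an opener may hold; None = any
    open_privs: Optional[set] = None        # mask that replaces the process's on open
    integrity: Optional[str] = None         # expected seal if the file is sealed
    decoy: Optional[str] = None             # file opened instead when access is refused


@dataclass
class Request:
    user: str
    image: str
    source: str              # access path, e.g. "LOCAL", "DIALUP", "NETWORK"
    hour: int                # 0-23
    write: bool
    privs: set
    password: Optional[str] = None


@dataclass
class Decision:
    allowed: bool
    reason: str
    open_path: str           # what the process actually gets opened
    privs_after: set         # privilege mask the process holds afterwards
    alarm: bool = False


def _refusal(rule: FileRule, req: Request) -> Optional[str]:
    """First rule the request violates, or None if every check passes."""
    if rule.password is not None and req.password != rule.password:
        return "file password not entered"
    if rule.allowed_images is not None and req.image not in rule.allowed_images:
        return "image %s not permitted for this file" % req.image
    if req.source in rule.denied_sources:
        return "access from %s denied" % req.source
    start, end = rule.write_hours
    if req.write and not start <= req.hour < end:
        return "write access denied at hour %d" % req.hour
    if rule.max_privs is not None and not req.privs <= rule.max_privs:
        return "excess privileges %s" % sorted(req.privs - rule.max_privs)
    return None


def check_open(path: str, content: bytes, rule: FileRule, req: Request) -> Decision:
    """Decide an open before the file system acts on it, so a refusal
    prevents the access rather than recording it afterwards."""
    if rule.integrity is not None and not hmac.compare_digest(rule.integrity, integrity_tag(content)):
        return Decision(False, "integrity seal mismatch: file tampered with", path, set(req.privs))
    why = _refusal(rule, req)
    if why is None:
        after = set(rule.open_privs) if rule.open_privs is not None else set(req.privs)
        return Decision(True, "permitted", path, after)
    if rule.decoy is not None:
        # Hidden file: the unauthorized opener gets the decoy and an alarm is raised.
        return Decision(True, "redirected: " + why, rule.decoy, set(req.privs), alarm=True)
    return Decision(False, why, path, set(req.privs))


PAYROLL = b"constructed payroll records"
PAYROLL_RULE = FileRule(allowed_images={"PAYROLL.EXE"}, denied_sources={"DIALUP"},
                        write_hours=(7, 19), max_privs={"TMPMBX", "NETMBX"},
                        open_privs={"TMPMBX"}, integrity=integrity_tag(PAYROLL),
                        decoy="SYS$SCRATCH:DECOY.DAT")


def demo() -> list:
    clerk = Request("CLERK", "PAYROLL.EXE", "LOCAL", 10, True, {"TMPMBX"})
    copier = Request("CLERK", "COPY.EXE", "LOCAL", 10, False, {"TMPMBX"})
    night = Request("CLERK", "PAYROLL.EXE", "LOCAL", 4, True, {"TMPMBX"})
    consultant = Request("CONSULT", "PAYROLL.EXE", "LOCAL", 10, False, {"TMPMBX", "SYSPRV"})
    results = [check_open("PAYROLL.DAT", PAYROLL, PAYROLL_RULE, r)
               for r in (clerk, copier, night, consultant)]
    results.append(check_open("PAYROLL.DAT", PAYROLL + b"!", PAYROLL_RULE, clerk))
    return results


if __name__ == "__main__":
    for d in demo():
        print(d.allowed, d.open_path, d.reason, sorted(d.privs_after), "ALARM" if d.alarm else "")
```

The ordering matters: the integrity seal is checked before any other rule and is never redirected to the decoy, because a tampered file must not open at all, whereas an unauthorized opener of a hidden file is handed the decoy with an alarm so the real file is never exposed. The privilege mask on the rule replaces whatever the process held, which is what keeps an untrusted image from ever seeing a privileged environment.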
(Some facilities for doing additional checking while an image runs exist also.)

Safety allows you to exempt certain images (e.g., disk defragmenters) from access checks, and it is possible to put a process into a temporary override mode also (leaving a record this was done) where this is needed. Safety facilities are controllable per disk, and impose generally negligible overhead. Safety will work with any VMS file structure using the normal driver interfaces. Also, Safety marking information resides sufficiently in kernel space that it cannot be removed from lower access modes, yet it uses a limited amount of memory regardless of volume size.

Best of all, the Safety protection is provided within the file system and does not depend on the audit facility. Thus it prevents file access or loss before it happens, and does not have to react to it afterwards. Safety allows all of its security provisions to be managed together in a simple screen-oriented display in which files, or groups of files, can be tagged with the desired security profiles or edited as desired. Safety protections are in addition to normal VMS file protections, which are left completely intact. Therefore, no existing security is broken or even altered.
Safety simply adds additional checking which finally provides a usable machine encoding of "need to know" for the files where it matters.

The Safety Deletion Protection Subsystem.

Description: The Safety Deletion Protection System is designed to provide protection against accidental deletion of file types chosen by the site, and to allow files to be routed by the system to backup media before they are finally removed from the system. This is accomplished by an add-in to the VMS file system so that security holes are not introduced by the system's action.

The user interface is an UNDELETE command which permits one or more files to be restored to their original locations provided it is issued within the site-chosen time window after the undesired deletion took place. In addition, an EXPUNGE command is provided which allows files to be deleted at once, irretrievably, where space for such is required. Provision for automatic safe-storing of files prior to final deletion is present also in Safety DPS.

Safety DPS is implemented as a VMS file system add-in which functions by intercepting the DELETE operation and allowing the file to be deleted to be copied or renamed to a "wastebasket" holding area pending final action, and to be disposed of by a disposal agent. The supplied agent will allow a site script to save the files if this is desired, and then finally deletes any files which have been deleted more than some number N seconds ago. If the UNDELETE command is given, the file(s) undeleted are replaced in their original sites.
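The wastebasket semantics described above can be stated precisely as a small state machine. The model below is an added illustration, not GCE code: an intercepted DELETE moves a protected file into the wastebasket intact (its blocks remain occupied), UNDELETE puts it back at its original site, EXPUNGE drops it at once, and a disposal agent hands entries older than N seconds to a site save step and then frees them. It also models the free-space trigger the DPS description covers, where a create that would exhaust space runs the disposal agent first. Exclude and include patterns, the volume capacity, the hold period and all file names and times are constructed for the example.

```python
"""Model of the Safety DPS delete semantics: DELETE goes to a wastebasket,
UNDELETE restores, EXPUNGE removes at once, and a disposal agent frees
entries held longer than N seconds, also on a low-space trigger.
Added illustration, not GCE code; patterns, sizes and times are constructed."""
import fnmatch
from dataclasses import dataclass, field


@dataclass
class Entry:
    original: str      # where the file lived before deletion
    size: int          # blocks it still occupies in the wastebasket
    deleted_at: float  # time of the intercepted DELETE


@dataclass
class DpsVolume:
    capacity: int
    exclude: list = field(default_factory=list)   # never protected, e.g. ["*.LIS", "*.MAP"]
    include: list = field(default_factory=list)   # if non-empty, only these are protected
    min_hold: float = 600.0                       # N seconds before final disposal
    files: dict = field(default_factory=dict)     # live path -> size
    basket: list = field(default_factory=list)    # deleted entries, oldest first
    saved: list = field(default_factory=list)     # names handed to the site save script

    def free(self) -> int:
        """Wastebasket contents occupy blocks until finally disposed of."""
        return self.capacity - sum(self.files.values()) - sum(e.size for e in self.basket)

    def protected(self, name: str) -> bool:
        if any(fnmatch.fnmatch(name, p) for p in self.exclude):
            return False
        if self.include:
            return any(fnmatch.fnmatch(name, p) for p in self.include)
        return True

    def delete(self, name: str, now: float) -> str:
        """Intercepted DELETE: a protected file is captured intact."""
        size = self.files.pop(name)
        if not self.protected(name):
            return "freed"
        self.basket.append(Entry(name, size, now))
        return "wastebasket"

    def undelete(self, name: str) -> bool:
        """UNDELETE returns the file to its original site while it is still held."""
        for e in self.basket:
            if e.original == name and name not in self.files:
                self.basket.remove(e)
                self.files[name] = e.size
                return True
        return False

    def expunge(self, name: str) -> bool:
        """EXPUNGE removes a wastebasket entry at once, irretrievably."""
        before = len(self.basket)
        self.basket = [e for e in self.basket if e.original != name]
        return len(self.basket) < before

    def dispose(self, now: float) -> int:
        """Disposal agent: save, then drop, entries older than min_hold seconds."""
        old = [e for e in self.basket if now - e.deleted_at >= self.min_hold]
        for e in old:
            self.saved.append(e.original)   # stand-in for the site save script
            self.basket.remove(e)
        return len(old)

    def create(self, name: str, size: int, now: float) -> bool:
        """A create that would exhaust space runs the low-space action first
        (here the disposal agent) and fails only if that does not help, so
        deleted files are kept as long as possible but never less than min_hold."""
        if self.free() < size:
            self.dispose(now)
        if self.free() < size:
            return False
        self.files[name] = size
        return True


def demo() -> dict:
    v = DpsVolume(capacity=1000, exclude=["*.LIS", "*.MAP"], min_hold=600)
    for n, s in (("A.DAT", 400), ("B.LIS", 200), ("C.MAI", 300)):
        v.create(n, s, 0)
    r = {}
    r["lis"] = v.delete("B.LIS", 10)                 # excluded type: freed outright
    r["dat"] = v.delete("A.DAT", 20)                 # protected: held intact
    r["free_after_delete"] = v.free()                # basket still occupies its blocks
    r["undelete"] = v.undelete("A.DAT")              # back at the original site
    v.delete("A.DAT", 200)
    r["create_early"] = v.create("D.DAT", 500, 300)  # entry too young to dispose of
    r["create_late"] = v.create("D.DAT", 500, 900)   # agent disposes, space found
    r["saved"] = list(v.saved)
    v.create("E.DAT", 100, 950)
    v.delete("E.DAT", 960)
    r["expunge"] = v.expunge("E.DAT")
    r["basket"] = [e.original for e in v.basket]
    return r


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one the description makes: nothing depends on racing to reclaim disk blocks before they are overwritten, because the file is never freed until the agent acts, and the agent refuses to act on anything younger than the site minimum even when space is short.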
The supplied system can also be configured to rename files to a wastebasket area or to copy them directly, for undeletion by systems people only. (These options are faster than the site command file option.)

Safety DPS can be configured to omit certain file types from deletion protection (for example, *.LIS* or *.MAP* could be omitted), to include only certain files in the protected sets, or both. This can reduce the overhead of saving files which are likely to be easily recreated, or tailor the system for such actions as saving all mail files (by selecting *.MAI for inclusion).

In addition, Safety DPS monitors free space on disks, and when a file create or extend would cause space exhaustion, Safety DPS runs a site script. By setting this script to perform final deletions, Safety DPS can be run in a purely automatic mode in which deleted files are saved as long as possible, but never less than some minimum period (e.g., 5 or 10 minutes).

Safety DPS files can be stored in any location accessible to VMS. If they are renamed, they must reside on the same disk they came from. Otherwise they can be stored in any desired place.

Safety DPS is installed and configured using a screen oriented configuration utility to set it up, and basically runs unattended once installed.

The Safety Storage Migration Subsystem

Description:

Safety has the ability to move files to secondary storage and automatically retrieve them when they are accessed.
This backing can be similar to what HSM systems call "shelving", though it can be done in multiple levels, or it can be done in a way which permits files moved to secondary storage to be accessed there as though the files remained online. This resembles what are called "soft links" in Unix systems, in that file opens are transparently redirected to a file stored somewhere else reachable on the system, and the channel reset to the original device on close. A "readonly link" mode acts like a soft link for readonly access, and like an unshelve operation where a file is opened read/write, should this be desired. Full control over this shelving and unshelving is provided.

This provides a great deal of flexibility in reclaiming space when the Safety space monitoring function detects that space is needed. Not only can previously deleted files be finally moved to backup destinations and deleted, but the system can migrate seldom accessed files to nearline storage transparently. The site policy can drive this, or utilities provided can be used instead.

Where it is chosen to run Safety in a lights-out fashion (with Safety reacting to low disk situations by emptying older deleted files from the wastebasket and/or file migration to backing store), the policy chosen for controlling such settings is handled by a full-screen, easily used tool which sets the policy. Should still greater flexibility be needed, the scripts used for a number of operations are supplied together with a full description of the command line interface of the underlying software.
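The three migration modes just described differ only in what happens at open and close time. The model below is an added illustration, not GCE code: shelve-by-copy brings the file back on any open, a soft link redirects every open to the secondary copy and resets the channel to the original on close, and a readonly link redirects reads but unshelves on a read/write open. Device names, paths, contents and the in-memory "primary" and "secondary" stores are constructed for the example; the real package works on VMS volumes through the file system.

```python
"""Model of the three migration modes in the Safety storage migration
description: shelve-by-copy, soft link and readonly link.
Added illustration, not GCE code; devices, paths and contents are constructed."""
from dataclasses import dataclass, field

SHELVED, SOFTLINK, READONLY_LINK = "shelved", "softlink", "readonly_link"


@dataclass
class Mark:
    mode: str
    target: str          # where the data now lives on secondary storage


@dataclass
class Channel:
    original: str        # path the process asked for
    effective: str       # path the open was actually satisfied from
    kind: str            # "direct", "redirected" or "unshelved"


@dataclass
class MigrationLayer:
    primary: dict = field(default_factory=dict)    # primary path -> content (None = stub)
    secondary: dict = field(default_factory=dict)  # secondary path -> content
    marks: dict = field(default_factory=dict)      # primary path -> Mark
    copies: int = 0                                # copy-back operations performed

    def migrate(self, path: str, target: str, mode: str) -> None:
        """Move the data to secondary storage, leaving a marked stub behind."""
        self.secondary[target] = self.primary[path]
        self.primary[path] = None
        self.marks[path] = Mark(mode, target)

    def locate(self, path: str) -> str:
        """Where the data is right now; the marks alone answer this."""
        m = self.marks.get(path)
        return m.target if m else path

    def _unshelve(self, path: str) -> None:
        m = self.marks.pop(path)
        self.primary[path] = self.secondary[m.target]
        self.copies += 1

    def open(self, path: str, write: bool = False) -> Channel:
        m = self.marks.get(path)
        if m is None:
            return Channel(path, path, "direct")
        if m.mode == SHELVED or (m.mode == READONLY_LINK and write):
            self._unshelve(path)                       # copy back, then open the original
            return Channel(path, path, "unshelved")
        return Channel(path, m.target, "redirected")   # served from secondary storage

    def read(self, ch: Channel) -> bytes:
        store = self.primary if ch.effective in self.primary else self.secondary
        return store[ch.effective]

    def close(self, ch: Channel) -> str:
        """On close the channel is reset to the original device and file."""
        return ch.original


def demo() -> dict:
    fs = MigrationLayer()
    fs.primary.update({"DUA0:[DATA]OLD.DAT": b"old report",
                       "DUA0:[DATA]REF.DAT": b"reference",
                       "DUA0:[DATA]LIVE.DAT": b"live"})
    fs.migrate("DUA0:[DATA]OLD.DAT", "DUA1:[SHELF]OLD.DAT", SHELVED)
    fs.migrate("DUA0:[DATA]REF.DAT", "DUA1:[SHELF]REF.DAT", READONLY_LINK)
    fs.migrate("DUA0:[DATA]LIVE.DAT", "DUA1:[SHELF]LIVE.DAT", SOFTLINK)
    r = {"stubs_on_primary": sum(1 for c in fs.primary.values() if c is None)}
    ch = fs.open("DUA0:[DATA]REF.DAT")                 # readonly link, read: stays on the shelf
    r["ref_read_from"], r["ref_data"], r["ref_close"] = ch.effective, fs.read(ch), fs.close(ch)
    ch = fs.open("DUA0:[DATA]OLD.DAT")                 # shelved: copied back before the open
    r["old_kind"], r["old_data"] = ch.kind, fs.read(ch)
    ch = fs.open("DUA0:[DATA]REF.DAT", write=True)     # readonly link, write: unshelve
    r["ref_write_kind"] = ch.kind
    ch = fs.open("DUA0:[DATA]LIVE.DAT", write=True)    # soft link: the open goes to the shelf
    r["live_write_from"] = ch.effective
    r["copies"], r["still_marked"] = fs.copies, sorted(fs.marks)
    return r


if __name__ == "__main__":
    print(demo())
```

Note that `locate` needs only the marks, which is the property the description relies on when it says shelved or softlink target files can be found even without Safety running; and that after the demo only the soft-linked file is still marked, since both unshelve paths removed their marks when the data came back.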
Supplying these scripts and the command line interface facilitates linking Safety file management functions with other packages should such be desired.

Safety can be run in a mode where there is essentially no overhead at all imposed (just a few instructions added along some paths and no disk access) for any files except those which need softlinks or possible unshelving. There is no limit to how many files may be so marked on a disk. A fullscreen setup script allows one to select the Safety run modes. Even if Safety is forced to examine all files for its markings, the overhead imposes no added disk access and costs only a tiny added time (typically a percent or two) in open intensive applications. In addition, Safety can be turned off or back on at any convenient point should this be desired. (This must be done using special tools provided for use by those specially authorized to do so.)

Support:

Safety runs on VAX VMS 5.5 or greater or AXP VMS 6.1 or greater. The same facilities exist across all systems. HSM must be installed on each cluster node of a VMScluster where it is to be used but imposes no restrictions on types of disk it works for. Safety will work with any file structure used by VMS, so long as a disk class device is used to hold it. It is specifically NOT limited to use with ODS-2 disks.

The enclosed version of Safety is freely available but comes with no support. Support can be arranged by contacting the address below. There is a more advanced version whose soft links are more complete and which has a few other advantages over this one; contact GCE also if you are interested in this.

Safety is brought to you by
General Cybernetic Engineering
Glenn C. Everhart
156 Clark Farm Road
Smyrna, Delaware 19977
302 659 0460 voice
302 659 5870 fax

For orders, contact the above address or Sales@GCE.COM.
For technical information contact Info@GCE.Com
For support contact Support@GCE.Com

Note on testing:

This version of Safety has been tested for basic function under VMS 7.2-1 and found workable. Odd corners of functionality should be tried before attempting to rely on them. Safety will not set identity related things (identifiers, privs etc.) in multiple persona programs, but only affects the "natural" persona. It is suggested that such programs be set up as exempt from Safety checks if their internal checks are adequate.

Glenn Everhart (October 2000)