CONTENTS

Title Page
Copyright Page
Preface

1 Introduction to SERdb
1.1 Understanding Discretionary Access Controls
1.1.1 Understanding SERdb Discretionary Access Controls
1.1.1.1 SERdb and Rdb/VMS Share the Same DAC Policy
1.1.1.2 APS Objects in SERdb and Rdb/VMS
1.1.1.3 An Object Owner Determines Access to an APS Object
1.1.1.4 Identifying Users and Their Access Rights to an APS Object
1.1.1.5 The Role of the Reference Monitor in Enforcing the DAC Policy
1.1.1.6 DAC Policy Override Privileges in SERdb
1.2 Understanding Mandatory Access Controls
1.2.1 Understanding SERdb Mandatory Access Controls
1.2.1.1 SERdb Classifications and Labels
1.2.1.2 Determining Access to Classification Objects in SERdb
1.2.1.3 Effects of Metadata with Different Classifications
1.2.1.4 Storing Rows of Different Classifications in a Table
1.2.1.5 Using Conditional Operators in Queries Involving Label Columns
1.2.1.6 The Role of the Reference Monitor in Enforcing the MAC Policy
1.2.1.7 MAC Policy Override Privileges in SERdb
1.2.1.8 The Database High and Table Low Classifications
1.2.1.9 Separate Enforcement of the MAC and DAC Policies by SERdb

2 Using SERdb Constraints
2.1 Using PRIMARY KEY and UNIQUE Constraints in Rdb/VMS and SERdb
2.1.1 Using PRIMARY KEY and UNIQUE Constraints in Rdb/VMS
2.1.2 Using PRIMARY KEY and UNIQUE Constraints in SERdb
2.1.2.1 Enforcement of PRIMARY KEY and UNIQUE Constraints When a Subject of Equal or Higher Classification DuplicateC
2.1.2.2 Preserving Data Secrecy and the Effect on Data Integrity
2.1.2.3 Preserving Data Integrity and the Effect on Data Secrecy
2.1.3 Specifying the SECURITY$CLASS Column in Constraint Definitions
2.1.4 Specifying the SECURITY$CLASS Column in PRIMARY KEY and UNIQUE Constraint Definitions
2.2 Selecting Data Secrecy or Data Integrity in SERdb UNIQUE Indexes
2.3 Making Downward References Between Metadata Objects
2.3.1 Restrictions Against Deleting Metadata Objects at a Lower Classification That Are Referred to in a Downward Refer
2.4 Specifying the SECURITY$CLASS Column in Referential Constraints
2.4.1 Deleting a Row at a Lower Classification That Is Referenced Through a FOREIGN KEY Constraint by a Row at a HigheC
2.5 Using a SINGLE LEVEL Table Constraint to Restrict Rows to a Single Classification Level
2.6 Using the METADATA IS SINGLE LEVEL Database Parameter to Prevent Polyinstantiation and Downward References

3 Mandatory Access Control Policies
3.1 SELECT MAC Policy and Policy Exceptions
3.2 INSERT MAC Policy
3.2.1 Enforcing PRIMARY KEY and UNIQUE Constraints
3.2.1.1 Effect of Specifying the SECURITY$CLASS Column in a PRIMARY KEY or UNIQUE Constraint
3.2.1.2 Effect of the INTEGRITY IS PRESERVED Database Parameter
3.2.2 Enforcing FOREIGN KEY Constraints
3.2.3 Effect of the SINGLE LEVEL Table Constraint
3.2.4 INSERT MAC Policy Exceptions
3.3 UPDATE MAC Policy
3.3.1 Enforcing PRIMARY KEY and UNIQUE Constraints
3.3.1.1 Effect of Specifying the SECURITY$CLASS Column in a PRIMARY KEY or UNIQUE Constraint
3.3.1.2 Effect of the INTEGRITY IS PRESERVED Database Parameter
3.3.2 Enforcing FOREIGN KEY Constraints
3.3.3 Effect of the SINGLE LEVEL Table Constraint
3.3.4 UPDATE MAC Policy Exceptions
3.4 DELETE MAC Policy
3.4.1 Enforcing FOREIGN KEY Constraints
3.4.2 Effect of the INTEGRITY IS PRESERVED Database Parameter
3.4.3 DELETE MAC Policy Exceptions
3.5 General Rules for SERdb Metadata Access Modes
3.6 SHOW MAC Policy
3.6.1 SHOW MAC Policy Exceptions
3.7 CREATE MAC Policy
3.7.1 Standalone Objects and Table Objects
3.7.2 Effect of the METADATA IS SINGLE LEVEL Database Parameter
3.7.3 CREATE MAC Policy Exceptions
3.8 ALTER MAC Policy
3.8.1 Effect of the METADATA IS SINGLE LEVEL Database Parameter
3.8.2 ALTER MAC Policy Exceptions
3.9 DROP MAC Policy
3.9.1 DROP MAC Policy Exceptions
3.10 Summary Tables for MAC Policies

4 SERdb Auditing
4.1 Introduction to SERdb Auditing
4.1.1 Starting SERdb Auditing
4.1.2 Auditing Rows in System Tables and Subject-Defined Tables
4.2 Auditing of the MACCESS Audit Event Type
4.2.1 SELECT MAC Auditing
4.2.2 INSERT MAC Auditing
4.2.3 UPDATE MAC Auditing
4.2.4 DELETE MAC Auditing
4.2.5 SHOW MAC Auditing
4.2.6 CREATE MAC Auditing
4.2.7 ALTER MAC Auditing
4.2.8 DROP MAC Auditing
4.3 SERdb Default Auditing
4.3.1 Default Auditing for Data Operations
4.3.1.1 Default Auditing of Integrity Violations Related to the Enforcement of Constraints and Indexes
4.3.1.2 Default Auditing of Secrecy Violations Related to the Enforcement of Constraints and Indexes
4.3.2 Default Auditing for Metadata Operations
4.3.2.1 Default Auditing of Secrecy Violations Related to the Creation of Objects
4.3.2.2 Default Auditing of Secrecy Violations Related to the Deletion of Objects

5 RMU Commands
5.1 RMU/SET AUDIT Command
5.2 RMU/SHOW AUDIT Command

6 SQL Statements
6.1 ALTER DATABASE Statement
6.2 ALTER TABLE Statement
6.3 CREATE DATABASE Statement
6.4 CREATE TABLE Statement

7 SERdb-Specific Columns in Rdb/VMS System Tables
7.1 The RDBVMS$SECURITY_CLASS Column
7.2 The RDBVMS$SECURITY_ALARM2 Column
7.3 The RDBVMS$SECURITY_AUDIT2 Column

A Storing Audit Journal Records in an SERdb Table

Glossary

EXAMPLES

1-1 Becoming the Owner of an APS Object
1-2 A Subject's SEVMS Classification Is Also the Subject's SERdb Classification
1-3 A Classification Object Receives the Classification of the Subject That Creates It
1-4 The Definitions of the RDBVMS$SECURITY_CLASS and SECURITY$CLASS Columns Cannot Be Changed
1-5 Objects at a Higher Classification Are Hidden from a Subject
1-6 Unique Names Are Required for Each Type of Classification Object
1-7 A Subject Can Display Table Rows with the Same or a Lower Classification as the Subject
1-8 Using the DOWNGRADE Privilege to Store a Row at a Lower Classification Than the Subject's Classification
1-9 Using the DOWNGRADE Privilege to Change a Row's Classification to a Lower Classification
1-10 Using the BYPASS Privilege to Store a Row at a Higher Classification Than That of the Subject's
1-11 A Database's Database High Classification Is Equal to the Classification of the Subject That Created the Database
1-12 A Table's Table Low Classification Is Equal to the Classification of the Subject That Created the Table
2-1 An Rdb/VMS PRIMARY KEY Constraint That Restricts the Storage of Duplicate Values
2-2 An SERdb PRIMARY KEY Constraint Restricts the Storage of Duplicate Values by Subjects at the Same or Higher Classif
2-3 An Attempt by a Subject at a Lower Classification to Store a Duplicate Value for a Primary Key Column
2-4 Displaying Polyinstantiation of a Primary Key Column
2-5 The Integrity Violation Security Alarm Generated by the Polyinstantiation in Example 2-3
2-6 Displaying the Row Data That Polyinstantiated a Primary Key Column
2-7 Preserving Database Integrity with the INTEGRITY IS PRESERVED Database Parameter
2-8 A Subject Attempts to Store a Duplicate Value in a Primary Key Column and the INTEGRITY IS PRESERVED Database Param
2-9 Preserving Database Secrecy with the INTEGRITY IS NOT PRESERVED Database Parameter
2-10 Specifying the SECURITY$CLASS Column as Part of a PRIMARY KEY Constraint
2-11 How the Setting of the INTEGRITY IS PRESERVED Database Parameter Affects the Behavior of UNIQUE Indexes
2-12 Defining an UNCLASSIFIED Domain and Using the Domain in the Definition of a SECRET Table
2-13 Defining a Constraint Between a CONFIDENTIAL Table and an UNCLASSIFIED Table
2-14 Creating a Downward Reference Between a CONFIDENTIAL Row and an UNCLASSIFIED Row Using a FOREIGN KEY Constraint
2-15 Defining an UNCLASSIFIED Table and Using It in the Definition of a TOP_SECRET View
2-16 An UNCLASSIFIED Domain Used in a SECRET Table Cannot Be Deleted by an UNCLASSIFIED Subject
2-17 Using the SECURITY$CLASS Column as Part of a FOREIGN KEY Constraint to Restrict the Values That Can Be Stored in aF
2-18 How a Dangling Reference Occurs
2-19 A Subject at a Lower Classification Cannot Delete an Object at That Classification If the Object Is Referenced by P
2-20 Defining a SINGLE LEVEL Table Constraint
2-21 Violation of a SINGLE LEVEL Table Constraint
2-22 Attempting to Define a SINGLE LEVEL Table Constraint When All the Table Rows Are Not at the Table Low Classificatio
2-23 Deleting a SINGLE LEVEL Table Constraint
2-24 Creating a Database with the METADATA IS SINGLE LEVEL Database Parameter Enabled
2-25 The METADATA IS SINGLE LEVEL Database Parameter Allows Only Metadata at Database High Classification to Be Defined
4-1 An Integrity Audit Alarm Generated by Duplicate Values Stored in a PRIMARY KEY or UNIQUE Constraint Column, or in a
4-2 A Secrecy Audit Alarm Is Generated When SERdb Does Not Allow Duplicate Values to Be Stored in a PRIMARY KEY or UNID
4-3 An Integrity Violation Alarm Is Generated When a Row Referenced by a FOREIGN KEY Constraint Is Deleted
4-4 When the INTEGRITY IS NOT PRESERVED Database Parameter Is Enabled, SERdb Allows Duplicate Primary Key Values to Be
4-5 When The INTEGRITY IS PRESERVED Database Parameter Is Enabled, SERdb Does Not Allow Duplicate Primary Key Values tS
4-6 An Audit Alarm Identifies Secrecy Violations Caused by Attempts to Create Duplicate Objects
4-7 An Audit Alarm Identifies Secrecy Violations Caused by Attempts to Delete Objects
A-1 How to Display Rows That Generated Audit Records or Alarms or Both
A-2 Viewing the Data of a Deleted Row as It Existed Prior to the Delete Operation

FIGURES

1-1 Creating Metadata and Data at Different Classification Levels in an SERdb Database
1-2 The Rdb/VMS and SERdb DAC Mechanism
1-3 A User with DAC Override Privileges Overrides the DAC Policy
1-4 The SERdb MAC Mechanism
1-5 SERdb Reference Monitor Diagram

TABLES

1-1 Scalar and Set Operators
3-1 Summary of the MAC Policy for the SELECT Data Access Mode
3-2 Summary of the MAC Policy for the INSERT Data Access Mode
3-3 Summary of the MAC Policy for the UPDATE Data Access Mode
3-4 Summary of the MAC Policy for the DELETE Data Access Mode
3-5 Summary of the MAC Policy for the SHOW Metadata Access Mode
3-6 Summary of the MAC Policy for the CREATE Metadata Access Mode
3-7 Summary of the MAC Policy for the ALTER Metadata Access Mode
3-8 Summary of the MAC Policy for the DROP Metadata Access Mode
5-1 DACCESS Privileges for Database Objects
5-2 MACCESS Privileges for Database Objects
A-1 Columns in a Database Table for Storing Security Audit Journal Records