The _EDP AUDITOR JOURNAL_ (Volume 1, 1993) addresses issues pertinent to auditing VAX/VMS systems, and offers guidelines on how to conduct such audits.

A sample audit program for VAX/VMS is included in this posting (see below). Anyone is welcome to improve this audit program for the benefit of all auditors concerned.

Hope this will help those gearing up to perform VAX/VMS audits....

-- slemo warigon
east texas state university
VAX/VMS AUDIT PROGRAM -- Prepared by Joseph L. Oringel
This is a suggested outline for a review of VAX/VMS security. It should be customized based on audit scope, objectives, and the auditor's experience. The concepts outlined in this program can be expanded upon in considerable detail to assist the less experienced auditor. Individuals with more experience in performing system software reviews, particularly of the VAX/VMS architecture, should find this outline sufficient to conduct interviews and construct security recommendations.
1. Determine Scope:
   A. Change Management
   B. Problem Management
   C. Media Management
   D. Job Scheduling
   E. Application Systems
   F. Overall Systems Security:
      1. Strategy and system configuration
      2. Telecommunications
      3. Access Control Services
      4. System Management Tools, and
      5. Backup and Recovery Tools
2. Establish Expectations:
   A. Auditing against Company policy or strategy
   B. Contractual requirements
   C. Government regulations, and
   D. Accepted good practices for the environment
3. Data Gathering:
   A. Identify key personnel:
      1. Management (CIO, CFO, security officer, IS manager, lead analyst)
      2. Staff (programmer, analyst, security administrator, operator), and
      3. Users (application users, data entry, and supervisory)
   B. Identify and gather required business reports:
      1. Organization charts for the information systems department
      2. Organization chart for the security administration group
      3. Job descriptions for IS and security personnel
      4. IS policies, standards, and procedure documentation, and
      5. Security administration policies, standards, and procedures
   C. Identify and gather VAX/VMS System Reports:
      1. User profile information from the User Authorization File (SYSUAF.DAT)
      2. Network proxy information from the Network Proxy Authorization File (NETPROXY.DAT)
      3. Access Control Lists from the rights database file (RIGHTSLIST.DAT)
      4. Network Control Reports, showing network nodes, lines, circuits, and links
      5. Selected audit options, from the VMS_AUDIT_SERVER
      6. Selected startup and login files, and
      7. Global options from VMSPARAMS.DAT, PARAMS.DAT, and other SYSGEN options
4. Review Security Policy/Strategy. Determine if:
   A. Data is classified for security purposes
   B. Responsibility for security administration is assigned
   C. Procedures for security administration are clearly defined
   D. Security reporting requirements are established, and
   E. Programmer access restrictions are identified
5. Plan interviews:
   A. Identify interview topics based on evaluation of policy and reports
   B. Schedule interviews with key personnel, and
   C. Prepare initial interview questions
6. Conduct interviews. Review and document controls for Strategy and System Configuration:
   A. Obtain hardware descriptions and:
      1. Identify communication links between VAX and non-VAX processors; document the communication system, protocol, etc.
      2. Identify VAX cluster configuration. Ensure clusters use a shared UAF, so users have assigned privileges only on authorized processors
      3. Identify PC-to-VAX connections to determine if upload/download criteria are appropriate
      4. Identify smart terminals and ensure programmable function keys are not used to store account names, passwords, or other login data
   B. Obtain software descriptions and:
      1. Ensure the same version of VMS is used for all processors
      2. Ensure the VMS version used is current and still supported by DEC
      3. Review VMS system software modifications for propriety
      4. Review RWED access authority to system software libraries (recommended values are READ for selected tech support personnel and WRITE authority for a single account with dual password control)
      5. Evaluate system software upgrade procedures, and
      6. Evaluate bootstrapping procedures
   C. Identify key application subsystems and:
      1. Ensure application security uses VMS account security, or:
         o Provides other means for encrypted user passwords
         o Provides other means for individual user accountability, and
         o Adequately protects key application resources
      2. Evaluate application security matrices
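The RWED review in step 6.B.4 can be driven from a DIRECTORY/SECURITY listing of each system library directory. Under VMS a file's protection mask has four categories (System, Owner, Group, World), each holding some subset of R, W, E and D, and an ACL of identifier entries can widen or narrow that. The Python script below is an added example, not part of Oringel's program or any DEC-supplied tool: it parses a constructed listing that approximates DIRECTORY/SECURITY output, then reports any GROUP or WORLD write/delete access and any library where more than one identifier is granted write access through the ACL, which is the "single WRITE account" expectation of 6.B.4. The directory, file versions and the identifiers TECH_SUPPORT, BUILD_ACCT and JONES are made up for the sample. The same check applies to the DCL command images reviewed in 8.C.3.

```python
import re
from dataclasses import dataclass, field

# Constructed sample approximating DIRECTORY/SECURITY output for a system library
# directory; file versions and the identifiers TECH_SUPPORT, BUILD_ACCT, JONES are made up.
SAMPLE_DIR_SECURITY = """\
Directory SYS$COMMON:[SYSLIB]

DCLTABLES.EXE;12     [SYSTEM]  (RWED,RWED,RE,RE)
                     (IDENTIFIER=TECH_SUPPORT,ACCESS=READ)
LIBRTL.EXE;3         [SYSTEM]  (RWED,RWED,RWED,RE)
STARLET.OLB;1        [SYSTEM]  (RWED,RWED,RE,RWE)
                     (IDENTIFIER=TECH_SUPPORT,ACCESS=READ)
                     (IDENTIFIER=BUILD_ACCT,ACCESS=READ+WRITE)
                     (IDENTIFIER=JONES,ACCESS=READ+WRITE+EXECUTE+DELETE)
"""

# "NAME.TYPE;ver  [owner]  (system,owner,group,world)" with R/W/E/D letters per category
FILE_RE = re.compile(r"^(\S+;\d+)\s+\[([^\]]+)\]\s+\(([RWED]*),([RWED]*),([RWED]*),([RWED]*)\)")
ACE_RE = re.compile(r"\(IDENTIFIER=([^,]+),ACCESS=([A-Z+]+)\)")
CATEGORIES = ("SYSTEM", "OWNER", "GROUP", "WORLD")
MODIFYING = {"W", "D"}            # write or delete: anything that can alter a library

@dataclass
class FileEntry:
    name: str
    owner: str
    mask: dict                                  # category -> set of R/W/E/D letters
    aces: list = field(default_factory=list)    # (identifier, set of ACCESS words)

def parse_dir_security(text):
    """Collect each file's protection mask and the ACL entries listed under it."""
    entries = []
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            mask = dict(zip(CATEGORIES, (set(g) for g in m.groups()[2:])))
            entries.append(FileEntry(m.group(1), m.group(2), mask))
            continue
        m = ACE_RE.search(line)
        if m and entries:                       # ACE lines follow their file line
            entries[-1].aces.append((m.group(1), set(m.group(2).split("+"))))
    return entries

def review_library_protection(entries, max_writers=1):
    """Findings for 6.B.4: GROUP/WORLD write or delete, and ACLs granting write to
    more than max_writers identifiers."""
    findings = []
    for e in entries:
        for cat in ("GROUP", "WORLD"):
            bad = sorted(e.mask[cat] & MODIFYING)
            if bad:
                findings.append((e.name, f"{cat} protection grants {''.join(bad)}"))
        writers = [ident for ident, acc in e.aces if acc & {"WRITE", "DELETE", "CONTROL"}]
        if len(writers) > max_writers:
            findings.append((e.name, "ACL grants write to " + ", ".join(writers)))
    return findings

if __name__ == "__main__":
    for name, detail in review_library_protection(parse_dir_security(SAMPLE_DIR_SECURITY)):
        print(f"{name:20} {detail}")
```

Execute (E) is deliberately not treated as a modifying right, since runtime libraries and command images normally need WORLD:RE to be usable at all; the auditor's question in 6.B.4 is who can change them.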
7. Conduct interviews. Review and document controls for telecommunications:
   A. Review access to telephone lines:
      1. Determine if the phone number is known only to authorized users
      2. Determine if appropriate security measures are enabled (dial-back, port passwords, modem passwords, channel selectors, etc.)
      3. Identify how and how often modem access logs are reviewed
   B. Review user accounts of DECnet users:
      1. Ensure all privileges except NETMBX and TMPMBX are removed
      2. Review account names and ensure password options are appropriately set
      3. Ensure WORLD access to the network database is set to NONE
      4. Inquire regarding stored or embedded user account names and passwords
      5. Review proxy accounts
   C. Determine if proxy accounts are encouraged:
      1. Determine if accountability for proxy usage is maintained
      2. Ensure proxy accounts have no excessive privileges
8. Conduct interviews. Review and document controls for Access Control Services:
   A. Determine if a system password is used
   B. Determine if a terminal timeout is used
   C. Review access to DCL. Determine if:
      1. Most users are CAPTIVE
      2. System startup files contain no exits to DCL, and
      3. Powerful DCL commands are appropriately restricted (by renaming, RWED, or ACL use)
   D. Review account naming conventions and password option settings
   E. Ensure DEC-supplied user accounts are disabled or removed
   F. Review intruder detection parameters (the LGI_BRK and LGI_RETRY SYSGEN settings)
   G. Review default file protection for new objects, and
   H. Review assignment of powerful privileges
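Several of the checks above, and one from section 7, can be worked from a single SYSUAF listing: 7.B.1 (DECnet accounts hold nothing beyond NETMBX and TMPMBX), 8.C.1 (interactive users are CAPTIVE), 8.E (DEC-supplied accounts are disabled or removed) and 8.H (who holds powerful privileges). The Python script below is an added example, not part of Oringel's program or any DEC-supplied tool. It parses a constructed listing that approximates what AUTHORIZE's LIST/FULL writes (the Username, Flags, per-mode access lines and Authorized Privileges block) and produces one finding per account and check. The POWERFUL_PRIVS set is one auditor's starting list and should be tuned to local policy; the account names NMLSRV and CLERK1 are made up; a real listing has many more fields, which the parser ignores.

```python
import re
from dataclasses import dataclass, field

# Privileges an auditor would treat as "powerful" for check 8.H; tune to local policy.
POWERFUL_PRIVS = {"BYPASS", "CMEXEC", "CMKRNL", "SETPRV", "SYSPRV", "READALL",
                  "SECURITY", "OPER", "SYSNAM", "PHY_IO", "LOG_IO", "PFNMAP",
                  "VOLPRO", "SHARE", "SYSGBL", "DETACH", "ALTPRI"}
# DEC-supplied accounts expected to be disabled (DISUSER) or removed for check 8.E.
DEC_SUPPLIED = {"FIELD", "SYSTEST", "SYSTEST_CLIG", "DEFAULT", "DECNET"}

# Constructed sample approximating AUTHORIZE's LIST/FULL output (SYSUAF.LIS);
# only the fields the checks use are shown. NMLSRV and CLERK1 are made-up names.
SAMPLE_UAF_LISTING = """\
Username: SYSTEM                           Owner:  SYSTEM MANAGER
Flags:
Network:  ##### Full access ######  ##### Full access ######
Local:    ##### Full access ######  ##### Full access ######
Authorized Privileges:
  ACNT     ALTPRI   BYPASS   CMEXEC   CMKRNL   NETMBX   OPER     SECURITY
  SETPRV   SYSNAM   SYSPRV   TMPMBX   WORLD

Username: FIELD                            Owner:  FIELD SERVICE
Flags:
Network:  ##### Full access ######  ##### Full access ######
Local:    ##### Full access ######  ##### Full access ######
Authorized Privileges:
  CMKRNL   NETMBX   SYSPRV   TMPMBX

Username: DEFAULT                          Owner:
Flags:  DisUser
Network:  ##### Full access ######  ##### Full access ######
Local:    ##### Full access ######  ##### Full access ######
Authorized Privileges:
  NETMBX   TMPMBX

Username: NMLSRV                           Owner:  NETWORK OBJECT
Flags:
Network:  ##### Full access ######  ##### Full access ######
Local:    ----- No access ------   ----- No access ------
Authorized Privileges:
  NETMBX   SYSPRV   TMPMBX

Username: CLERK1                           Owner:  A/P CLERK
Flags:  Captive
Network:  ----- No access ------   ----- No access ------
Local:    ##### Full access ######  ##### Full access ######
Authorized Privileges:
  NETMBX   TMPMBX
"""

@dataclass
class Account:
    name: str
    flags: set = field(default_factory=set)       # DISUSER, CAPTIVE, RESTRICTED, ...
    access: set = field(default_factory=set)      # login modes with some access
    authorized: set = field(default_factory=set)  # authorized privileges

def parse_uaf_listing(text):
    """Split the listing into per-account records and pull out the checked fields."""
    accounts = []
    for rec in re.split(r"(?m)^(?=Username:)", text):
        m = re.match(r"Username:\s+(\S+)", rec)
        if not m:
            continue
        acct, in_privs = Account(m.group(1)), False
        for line in rec.splitlines():
            if line.startswith("Flags:"):
                acct.flags = {f.upper() for f in line[6:].split()}
            elif re.match(r"(Network|Batch|Local|Dialup|Remote):", line):
                if "No access" not in line:
                    acct.access.add(line.split(":")[0].upper())
            elif line.startswith("Authorized Privileges:"):
                in_privs = True
            elif in_privs and line.startswith("  "):
                acct.authorized.update(line.split())   # names wrap over several lines
            else:
                in_privs = False
        accounts.append(acct)
    return accounts

def review_accounts(accounts):
    """Apply checks 7.B.1, 8.C.1, 8.E and 8.H; returns (check, username, detail)."""
    findings = []
    for a in accounts:
        disabled = "DISUSER" in a.flags
        if a.name in DEC_SUPPLIED and not disabled:
            findings.append(("8.E", a.name, "DEC-supplied account still enabled"))
        if a.access == {"NETWORK"}:                # DECnet / network-only account
            extra = sorted(a.authorized - {"NETMBX", "TMPMBX"})
            if extra:
                findings.append(("7.B.1", a.name, "network account holds " + " ".join(extra)))
        if "LOCAL" in a.access and not disabled and not (a.flags & {"CAPTIVE", "RESTRICTED"}):
            findings.append(("8.C.1", a.name, "interactive account is not CAPTIVE"))
        strong = sorted(a.authorized & POWERFUL_PRIVS)
        if strong and not disabled:
            findings.append(("8.H", a.name, "authorized for " + " ".join(strong)))
    return findings

if __name__ == "__main__":
    for check, user, detail in review_accounts(parse_uaf_listing(SAMPLE_UAF_LISTING)):
        print(f"{check:6} {user:12} {detail}")
```

SYSTEM is reported under 8.H on purpose: the check asks the auditor to review every holder of powerful privileges, and the listing is the evidence for that review rather than a verdict. Disabled accounts are skipped for 8.C.1 and 8.H because a DISUSER account cannot log in, but they still appear under 8.E if the flag is missing.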
9. Conduct interviews. Review and document controls for System Management Tools:
   A. Identify security logging and reporting mechanisms used
   B. Perform selected review of ANALYZE/AUDIT results
   C. Review VMS accounting rules (if used), and
   D. Evaluate use of automated tools (Security Toolkit, DECinspect, etc.)
10. Conduct interviews. Review and document controls for Backup and Recovery Tools:
   A. Evaluate and document backup/recovery procedures
   B. Identify if VMS features are appropriately used:
      1. Volume shadowing for key disk volumes
      2. Roll-forward and roll-back procedures for on-line transactions (DECdtm)
      3. RMS journalling of key files, and
      4. High-water marking, erase-on-delete, etc.