INTRODUCTION
This program is designed to enable the auditor to examine and test the effectiveness
of general controls, procedures, and security for DEC VAX/VMS operating
system/logical security.
The auditor's study of internal controls includes two phases:
- Obtaining knowledge and understanding of the procedures and methods
prescribed.
- Obtaining reasonable satisfaction that the prescribed procedures
are in use and operating as planned.
Where AZScan-VMS/AZScan can assist
in this work, the section is marked in red.
DEC VAX/VMS Operating System/Logical Security Controls
OBJECTIVES
- To ensure that adequate protection against intentional or unintentional
damage to data files, libraries, and other resources exists, using DEC
VAX/VMS security features.
- To ensure that controls are present to limit users, operators,
and programmers to only those operations necessary to perform their
duties.
Introduction
The DEC VAX Open VMS environment often consists of a large integrated system
with several VAX computers connected through a network link (i.e., DECnet).
Users share a variety of system resources including application programs,
data files, and network terminals to meet their data processing needs.
DEC VAX/VMS security contains many features and options which may be turned
on or off depending on the security and performance requirements of
the particular installation.
DEC VAX Open VMS OS System accounts
The DEC VAX Open VMS Operating System has several VMS Accounts (vms_account_name)
pertinent to audit review, of which the system accounts are the most
important:
SYSTEM - allows the system administrator to log in with full privileges to
the system, thus overriding UIC or ACL security. Default password is
MANAGER.
FIELD - allows DEC field services personnel to check out a system and
run diagnostics. Default password is SERVICE.
SYSTEST - sets up appropriate environment for running the User Environment
Test Package (UETP). Default password is UETP.
SYSTEST_CLIG - used by UETP in cluster testing for a network login test.
Account is delivered disabled.
DECNET - default DECnet account permits access to a system from remote
nodes without specifying the account and password information. Account
is used for file transfer and network management. Default password is
DECNET.
1. Determine if the "SYSTEM" account is being used. Verify that
the default password, "MANAGER", has been changed.
AZScan-VMS Section 4.1 AC-SYSTEM system account
2. Evaluate use of the SYSTEM account and associated SYSTEM account controls
regarding the use of:
- PWDMINIMUM.
- PWDLIFETIME.
- REMOTE.
- NETWORK.
- DIALUP.
- Default Privileges.
- Enabled Auditing.
AZScan-VMS Section 4.1 AC-SYSTEM system account
3. Determine if the "FIELD" account is being used. Verify that
the default password, "SERVICE", has been changed. Evaluate
use of the FIELD account. It should be provided only on an "as-needed
basis" through the DISUSER setting in the account. Network access
for this account is not normally required (NETWORK, DIALUP, and REMOTE)
and should be removed.
AZScan-VMS Section 4.2 AC-FIELD field account
4. Determine if the "SYSTEST" account is being used. Verify that
the default password, "UETP", has been changed. Evaluate use
of the SYSTEST account. It should be provided only on an "as-needed
basis" through the DISUSER setting in the account.
5. Determine if the "SYSTEST_CLIG" account is being used. Test
to ensure that the account has been set up as password protected. Evaluate
use of the SYSTEST_CLIG account. It should be provided only on an "as-needed
basis" through the DISUSER setting in the account.
6. The DECNET account should be controlled to minimize the possibility
of remote users gaining unauthorized access to local system privileges.
The DECNET account should be provided only on an "as-needed basis"
through the DISUSER setting in the account or flagged as "RESTRICTED".
Determine if the DECNET account is used. Test to ensure that the default password,
"DECNET", has been changed by attempting to log in to the system.
Evaluate its use, and whether it has been set up with the following
restrictions which are used to ensure an appropriate level of control
for this account:
- LOGIN disabled?
- NON-PRIVILEGED?
- Is FAL (File Access Listener) disabled?
- Are all special privileges (i.e., OPER, BYPASS, WORLD) removed from the
DECNET account? Only default privileges should be included (NETMBX,
TMPMBX).
DEC VAX Open VMS OS Management accounts
7.
Determine if the "DEFAULT" account is being used. Test to
ensure that the default password, (e.g. "DEFAULT") has been
changed by attempting to log-in to the system. Evaluate use of the DEFAULT
account. It should be provided only on an "as-needed basis"
through the DISUSER setting in the account.
8.
Determine if GUEST Accounts are used and evaluate their use. (GUEST
accounts do not require a password).
9. CAPTIVE accounts are used to restrict a user's access to the VMS
OS DCL prompt (aka the Command Line) via restrictions to a particular
command procedure upon login. Determine whether CAPTIVE accounts are
used, evaluate their use, and evaluate the use of the following restrictions
to control such accounts:
- Have the CAPTIVE and DISCTRLY flags been set in the CAPTIVE account?
- Have the LOCKPWD, DEFCLI, DISWELCOME, DISMAIL, and DISNEWMAIL flags been
set?
- Has the login command file, LGICMD, been defined in the captive account?
- Is PRCLM = 0 (limits the number of subprocesses that can be spawned)?
Compensating controls: Flags set = DISMAIL, DISNEWMAIL
- Is the group UIC for the captive account unique?
AZScan-VMS Section 5.9 CAPTIVE non-captive
AZScan-VMS Section 8.1 CAPTIVE captive
RESTRICTED accounts are similar to CAPTIVE accounts and are used to restrict a
user's access to the VMS OS DCL prompt (aka the Command Line)
via restrictions to a particular command procedure upon login. Restricted
accounts may be used instead of CAPTIVE accounts because some vendor
software packages/languages spawn sub-processes which the CAPTIVE accounts
cannot process appropriately. Determine whether RESTRICTED accounts
are used and evaluate their use.
AZScan-VMS Section 8.12 RESTRICTED flag - restricted
10. PROXY accounts are recommended in DEC VAX Open VMS as an alternative
to straight DECNET access, since user name and password information in the
DECNET command line travels across the network in clear ASCII form.
If an intruder gains access to a system with PROXY accounts, he/she
can gain access to multiple systems through the use of PROXY accounts
on each system. PROXY login permits a user logged in at a remote node
to be logged in automatically to a specific account at a local node,
without having to supply access control (e.g., user ID/password) information.
The remote user must have a PROXY account on the remote node that maps
to a local user account. The remote user assumes the same file access
rights and default privileges of the local account. To limit access,
the local account for the remote PROXY user should have only normal
privileges (i.e., NETMBX and TMPMBX). The existence
of NETUAF.DAT is necessary before PROXY accounts can be added. Determine
if PROXY accounts (non-privileged accounts) are used and evaluate their
use.
11.
FAL (File Access Listener) accounts are used to provide authorized access
to the file system of a DECNET node on behalf of processes executing
on any node in the network. Determine whether FAL accounts are used,
evaluate their use, and evaluate the use of the following restrictions
which are used to ensure an appropriate level of control for such accounts:
Is the FAL account password protected and doesn't use an easily guessed
password such as FAL?
Is the group code in the UIC for the FAL account different from every
other account in the system?
Is the FAL account set-up with only TMPMBX and NETMBX privileges?
Is the FAL account set-up to have only NETWORK access authorized?
Is the FAL directory set-up with the access set of (S:RWE,O:RWE,G:RWE,W),
thus restricting access by the DECNET account?
12. The default DECNET account and the TASK 0 object, together, enable an outsider
to become a non-privileged user on the system. Once in the system, a
knowledgeable user could use the COPY command procedure to copy to a
remote node and then use the TYPE command procedure to immediately cause
it to execute. This method has been used for virus attacks. Many system
administrators find TASK 0 to be very useful (e.g., for managing multiple
systems). If TASK 0 is used, controls should be implemented to limit
access by unauthorized users.
Determine whether TASK 0 is used, evaluate its use, and evaluate the use of the
following restrictions which are used to ensure an appropriate level
of control for such accounts:
- Are different accounts, directories, and UICs used for the FAL object
and default DECNET account?
- Is the name of the FAL directory greater than 12 characters?
- Has owner-delete permission been removed from the FAL directory?
13.
Determine whether SERVER accounts are used, evaluate their use, and
evaluate the use of the following restrictions which are used to ensure
an appropriate level of control for such accounts:
Is the SERVER account password protected and doesn't use an easily guessed
password such as SERVER?
Is the SERVER account set-up with only TMPMBX and NETMBX privileges?
Is the SERVER account set-up to have only NETWORK access authorized?
14.
Determine if the ALLIN1 account is used, evaluate its use, and verify
that the password is not set to MANAGER or ALLIN1 which are commonly
used passwords for this account.
15.
Determine if the MRGATE account is used, evaluate its use, and verify
that the password is not set to VMSMAIL which is a commonly used password
for this account.
16.
Determine if the MRMANAGER account is used, evaluate its use, and verify
that the password is not set to USPS which is a commonly used password
for this account.
DEC VAX Open VMS OS Micro VAX (Pathworks) accounts
17.
Determine if the USER account is used, evaluate its use, and determine
if it is password protected (USER account is delivered without a password).
If USER account is password protected, verify that the password is not
set to USER which is a commonly used password for this account.
18.
Determine if the USERP account is used, evaluate its use, and determine
if it is password protected (USERP account is a privileged account which
is delivered without a password). If USERP account is password protected,
verify that the password is not set to USERP which is a commonly used
password for this account.
DEC VAX Open VMS OS System Files
Determine if the following system files are used and evaluate controls (system
files typically should be accessible only to system-level accounts/users).
To ensure that access is restricted to system-level users only, the
following privileges should be set for the system files listed in steps
19 - 24: (S:RWED,O:RWED,G,W) which indicates that the system and owner
have READ, WRITE, EXECUTE, and DELETE privileges, while the group and
world do not have any privileges associated with the file.
19. SYS$SYSTEM:AUTHORIZE.EXE
20. SYS$SYSTEM:NETUAF.DAT (or NETPROXY.DAT for V5)
Examine the NETUAF.DAT (NETPROXY.DAT for V5) and determine if the access set
is equal to (S:RWED,O:RWED,G,W).
21. SYS$SYSTEM:SYSUAF.DAT
System User Authorization File (SYSUAF) identifies users and associated restrictions.
Each User has a corresponding record in the SYSUAF file. Record entries
control users' access types/privileges and restrictions. Examine the
SYSUAF.DAT file for group or shared accounts that may possess other
than basic DEC VAX Open VMS privileges.
22. SYS$SYSTEM:FTSVQUEUE.DAT
23. SYS$MANAGER:VAXNOTES$STARTUP.COM
24. SYS$SYSTEM:FTSVACC.DAT
Determine if the following system files are used and evaluate controls.
Generally these system files should be restricted from having WORLD
WRITE access.
25. SYS$SYSTEM:TDMSEDIT.COM
26. SYS$SYSTEM:TMDSTRTUP.COM
27. SYS$SYSTEM:MODPARAMS.DAT
28. SYS$MANAGER:SYSHUTDWN.COM
29. SYS$MANAGER:SYLOGIN.COM
30. SYS$MANAGER:SYSTARTUP.COM (SYSTARTUP_V5.COM)
31. SYS$MANAGER:LOGIN.COM
32. SYS$MANAGER:STARTNET.COM
33. SYS$MANAGER:LOADNET.COM
34. SYS$MANAGER:RTTLOAD.COM
DEC VAX Open VMS OS VAX/VMS User Privileges
The DEC VAX Open VMS OS controls User access/privileges through a variety
of mechanisms, which must be evaluated:
User Identification Codes (UICs) - the auditor needs to review the organization's
security scheme relative to the formation of UIC groups and assignments
of users within those groups/assignments. UIC protection is a system
of codes that define the type of access a user has to files or programs.
These codes can be numeric or alphanumeric. The UIC identifies which
group the user falls into.
AZScan-VMS Section 6.1 SHUICS shared uics
AZScan-VMS Section 6.2 LOWUICS low value uics
Access Control Lists (ACLs) - segregating users into UIC groups is sufficient
for most files or objects on the system. Sometimes, a user must have
access to a file within another user's group. Instead of giving someone
unlimited access to all files within the UIC, ACLs are used. ACLs are
a group of entries in the Rights Data Base (RIGHTS.DAT) specifying Access
Attributes. Each entry in the ACL is known as an access control entry.
ACLs can be defined for files, directories, or physical devices (e.g.,
disk drives). In addition, specific system-defined identifiers correspond
directly with the types of log-ins allowed (e.g., dial-up or network
log-in types).
Object Ownership - requires that a UIC be assigned to an object (i.e., a file
or directory), and then extends flexibility in specifying the type of
user access to that object. Object ownership allows the System Administrator
to specify user access according to four types of ownership, which are:
- System (S) - all users with system privilege;
- Owner (O) - the user who created the object;
- Group (G) - all users within the same UIC group;
- World (W) - all users.
Note: The following privileges refer only to file objects; however, access
to other objects (e.g., directories or volumes) is similar.
For each of these categories, an Access Type can be assigned:
- Read (R) - the user can read, print, or copy a file;
- Write (W) - the user can change or update the file;
- Execute (E) - the user can execute a file that is an executable program
or image;
- Delete (D) - the user can delete files;
- Control (C) - the user can change the access type, or protection setting,
on a file or object.
DEC VAX Open VMS OS Assigning User Identification Codes (UICs)
UIC protection is a system of codes that can define the type of access a
user has to files or programs. The UICs on a system must be controlled
to ensure that a unique UIC is assigned to each user. The UIC consists
of a group number and a member number in the format [group,member].
The SYSGEN parameter MAXSYSGROUP is used to define the set of UIC group
numbers that is used to grant the user system privileges. Any UIC group
number less than (<) or equal to (=) MAXSYSGROUP has SYSTEM privileges.
The value of MAXSYSGROUP should range from 1 - 10 for most systems. In
most VAX Open VMS shops, the default of MAXSYSGROUP is 8.
35. Determine the value of the MAXSYSGROUP system generation parameter
and evaluate control of UICs relative to its setting.
36.
Evaluate the account structure design established for UIC groups, as
a control mechanism.
37.
Determine if security procedures prohibit system administrators from
reusing UICs of removed users. If a UIC is reused, the new user could
inherit the access rights of the old user through existing ACL entries.
AZScan-VMS Section 6.1 SHUICS shared uics
AZScan-VMS Section 6.2 LOWUICS low value uics
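The UIC checks in steps 35 - 37 can be run offline against an exported account list. The following is an added example, not part of the original audit program or of AZScan; the listing layout and function names are hypothetical, and it assumes numeric UIC fields are written in octal while MAXSYSGROUP is quoted in decimal, so group [10,*] falls inside a MAXSYSGROUP of 8.

```python
import re
from collections import defaultdict

# Constructed sample (not real data): "username [group,member]" pairs.
SAMPLE_ACCOUNTS = """\
SYSTEM     [1,4]
FIELD      [1,10]
OPS_BATCH  [10,22]
JSMITH     [200,15]
ACLARK     [200,15]
PAYROLL    [310,1]
"""

UIC_RE = re.compile(r"\[([0-7]+),([0-7]+)\]")


def parse_uic(text):
    """Return (group, member) as integers. Assumption: both fields are octal."""
    m = UIC_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a numeric UIC: {text!r}")
    return int(m.group(1), 8), int(m.group(2), 8)


def parse_accounts(listing):
    """Parse 'username [g,m]' lines into a list of (username, (group, member))."""
    accounts = []
    for line in listing.splitlines():
        if line.strip():
            user, uic = line.split(None, 1)
            accounts.append((user, parse_uic(uic)))
    return accounts


def system_group_accounts(accounts, maxsysgroup):
    """Accounts whose UIC group is <= MAXSYSGROUP (decimal), i.e. system UICs."""
    return sorted(user for user, (group, _) in accounts if group <= maxsysgroup)


def shared_uics(accounts):
    """Map each UIC held by more than one account to the accounts sharing it."""
    holders = defaultdict(list)
    for user, uic in accounts:
        holders[uic].append(user)
    return {f"[{g:o},{m:o}]": sorted(users)
            for (g, m), users in holders.items() if len(users) > 1}


def reused_uics(accounts, retired_uics):
    """Accounts holding a UIC that once belonged to a removed user (step 37)."""
    retired = {parse_uic(u) for u in retired_uics}
    return sorted(user for user, uic in accounts if uic in retired)


if __name__ == "__main__":
    accts = parse_accounts(SAMPLE_ACCOUNTS)
    print("system-group accounts:", system_group_accounts(accts, maxsysgroup=8))
    print("shared UICs:", shared_uics(accts))
    print("reused UICs:", reused_uics(accts, ["[310,1]"]))
```
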
DEC VAX Open VMS OS Default User Authorization File (UAF)
38. The UAF contains a record for each user. The default UAF is used as
a template from which all other user accounts are made. When the ADD
command is used to create a new account, the default UAF is automatically
used. Therefore, it is important that the parameters within this account
be carefully set. Review the default UAF record for the following:
- no security problem qualifiers, e.g., /PRIVILEGES=SYSPRV;
- LOGIN FLAGS - suggested values are: GENPWD NODISREPORT PWD_EXPIRED
- PWDMINIMUM - suggested values are 6 to 8;
- PWDLIFETIME - less than or equal to 180 days;
- PWDCHANGE - should be Pre-expired;
- AUTHORIZED PRIVILEGES - should be: TMPMBX NETMBX
- DEFAULT PRIVILEGES - should be: TMPMBX NETMBX
AZScan-VMS Section 4.3 AC-DEFAULT default account
39.
Determine if security procedures address the adding of users, granting
of privileges beyond default level (Authorized vs. Default), and the
removal of users.
40. DEC VAX Open VMS OS allows privileges that generally should be limited
to only system administrators and security officers. Review user accounts
and evaluate use of the following privileges:
BYPASS - allows a user to read, write, execute, or delete any file on the system.
All UIC and ACL protections are ignored.
AZScan-VMS Section 10.5 BYPASS privilege - bypass
CMKRNL - allows a user's process to change its access mode to kernel, execute
a specified routine, and then return to the access mode that was originally
in effect.
AZScan-VMS Section 10.7 CMKRNL privilege - cmkrnl
GRPPRV - allows a user's process access to a file using the file's SYSTEM protection
when the group number of the process matches the group number of the
file owner. With this privilege a user can indirectly acquire privileges
granted to other group members.
AZScan-VMS Section 10.13 GRPPRV privilege - grpprv
LOG_IO and PHY_IO - allow a user to read and write directly to devices. Users
with these privileges could destroy information on the system device,
destroy user data, intercept user passwords, and expose information
to unauthorized persons.
AZScan-VMS Section 10.14 LOGIO privilege - logio
AZScan-VMS Section 10.19 PHYIO privilege - phyio
PFNMAP - allows a user's process to map to special physical pages of memory
no matter who is using those pages.
AZScan-VMS Section 10.18 PFNMAP privilege - pfnmap
READALL - permits a user to bypass existing restrictions placed on files, allowing
the file to be READ and the protections on the file to be changed. Allowing
the modification of file protections could lead to deletion or modification
of the file.
AZScan-VMS Section 10.24 READALL privilege - readall
SETPRV - allows the user to grant himself/herself any privilege using the SET
PROCESS/PRIVILEGES command.
AZScan-VMS Section 10.26 SETPRV privilege - setprv
SYSNAM - allows a user to insert names into and delete names from the system
logical name table. With this privilege, the user could redefine critical
system logical names, such as SYS$SYSTEM and SYSUAF, thus gaining control
of the system.
AZScan-VMS Section 10.31 SYSNAM privilege - sysnam
SYSPRV - gives a user the privileges of a system UIC when accessing files.
AZScan-VMS Section 10.32 SYSPRV privilege - sysprv
DEC VAX Open VMS OS User-Owned Files (ACL-Based) Protection
It is important that proper protection attributes be associated with directories,
files, and devices. A system administrator can define default-protection
Access Control List Entries (ACEs) that are associated with the directory
within which the files are created. Since there could be more than one
entry for a directory or file, an Access Control List (ACL) of all entries
is used. The ACL specifies UIC, identifier, and alarm protection attributes
associated with all files created within a given directory.
41.
Verify with the Systems Manager if ACLs are used to protect at the device
level. Also, identify if production data files and system directories
are secured by ACLs. (NOTE: ACL overrides UIC protection).
42.
Determine whether VMS procedures exist to identify which files are controlled
by ACLs and the intent of the control.
43.
Evaluate whether ACL Alarms are being utilized to monitor violations
against Access Control Entries.
44.
Evaluate how clusters are structured from a security stand-point
45.
Evaluate use of ACL's within high risk clusters and determine the appropriateness
of their use within the system.
46.
Are default protection ACEs used on user directories?
47.
Are identifier ACEs used to restrict access to a user or group of users?
48.
Are identifier ACEs used to restrict access to devices?
Determine if the following system files are used. Evaluate the level of WRITE
access allowed. WRITE access to system files should be limited. If WRITE
access is allowed, are ACLs used to audit WRITE access to these system
files?
49. SYS$SYSTEM:SYS.EXE?
50. SYS$SYSTEM:F11BXQP.EXE?
51. SYS$SYSTEM:LOGINOUT.EXE?
52. SYS$SYSTEM:DCL.EXE?
53. SYS$SYSTEM:JOBCTL.EXE?
54. SYS$SYSTEM:JBCSYSQUE.EXE?
55. SYS$SYSTEM:SYSUAF.EXE or SYS$SYSTEM:SYSUAF.DAT or SYS$SYSTEM:AUTHORIZE.EXE?
56. SYS$SYSTEM:NETUAF.DAT (or NETPROXY.DAT for V5)?
57. SYS$SYSTEM:RIGHTSLIST.DAT?
58. SYS$SYSTEM:STARTUP.COM?
59. SYS$LIBRARY:SECURESHR.EXE?
60. SYS$MANAGER:SYSTARTUP.COM?
61. SYS$MANAGER:VMSIMAGES?
62. SYS$SYSROOT:[000000]SYSEXE.DIR?
63. SYS$SYSROOT:[000000]SYSLIB.DIR?
64. SYS$SYSROOT:[000000]SYSMGR.DIR?
65. SYS$SYSROOT:[000000]SYS$LDR.DIR (for V5)?
DEC VAX Open VMS OS Protection for Files & Directories
66. Evaluate the UIC default protection that has been established for file
protection and its appropriateness.
67. Evaluate whether all key production data files have appropriate protection.
Explain any file with "W:RWED". (NOTE: It means read, write,
execute, and delete access to the world.) The following systems should
be reviewed, if applicable:
Customer Master;
Vendor Master;
Human Resources/Payroll;
Cost;
Price;
Part.
68. Evaluate protection set for key system directories and explain any directory
with "W:RWED", e.g.:
DECNET no more than W:RE;
SYSMGR no more than W:RE;
SYSEXE no more than W:RE.
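The protection tests in steps 19 - 34 (exactly (S:RWED,O:RWED,G,W), or no WORLD WRITE) and in steps 67 - 68 (no more than W:RE) are all the same comparison: does a file's mask grant anything beyond a ceiling? The following is an added example, not part of the original audit program or of AZScan; the listing layout and function names are hypothetical, and it reads only the labelled mask notation used on this page.

```python
CLASSES = ("S", "O", "G", "W")   # System, Owner, Group, World
RIGHTS = "RWED"                  # Read, Write, Execute, Delete

# Constructed sample (not real output): file name followed by its mask.
SAMPLE_LISTING = """\
SYSUAF.DAT      (S:RWED,O:RWED,G,W)
NETPROXY.DAT    (S:RWED,O:RWED,G:R,W)
SYLOGIN.COM     (S:RWED,O:RWED,G:RE,W:RWE)
"""


def parse_mask(mask, require_all=False):
    """Parse '(S:RWED,O:RWED,G,W)' into {'S': {...}, ...}; a bare class = no access."""
    text = mask.strip().upper()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError(f"mask must be parenthesised: {mask!r}")
    parsed = {}
    for field in text[1:-1].split(","):
        name, _, rights = field.strip().partition(":")
        if name not in CLASSES or name in parsed or not set(rights) <= set(RIGHTS):
            raise ValueError(f"bad field {field!r} in {mask!r}")
        parsed[name] = set(rights)
    if require_all and len(parsed) != len(CLASSES):
        # An audited file must state all four classes; a gap cannot be judged.
        raise ValueError(f"mask does not name all four classes: {mask!r}")
    return parsed


def excess_access(actual, ceiling):
    """Rights in `actual` beyond `ceiling`, for each class the ceiling names."""
    extra = {}
    for cls in CLASSES:
        if cls in ceiling:
            over = actual[cls] - ceiling[cls]
            if over:
                extra[cls] = "".join(r for r in RIGHTS if r in over)
    return extra


def findings(listing, ceiling_mask):
    """Return (file, class, excess rights) for every entry above the ceiling."""
    ceiling = parse_mask(ceiling_mask)
    results = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        name, mask = line.split(None, 1)
        actual = parse_mask(mask, require_all=True)
        for cls, over in excess_access(actual, ceiling).items():
            results.append((name, cls, over))
    return results


if __name__ == "__main__":
    for ceiling in ("(S:RWED,O:RWED,G,W)", "(W:RE)"):
        print(ceiling, findings(SAMPLE_LISTING, ceiling))
```
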
69. Determine if there are adequate audit trails for identifying, reviewing,
and reporting in regards to programs/files access.
Determine if additional controls have been established for a number of incorrect
password attempts. Examples of such controls include setting special
flags for a number of incorrect passwords. Examples are:
- 5 incorrect passwords; ID is flagged and reported in Operator
Log audit trail as a "suspect". Also logs server and port
in addition to ID.
- 6 incorrect passwords; ID is flagged and reported in Operator
Log audit trail as an "intruder". Also logs server and port
in addition to ID. ID is locked out of system. Need to contact DP Security
to reset.
DEC VAX Open VMS OS Individual Accountability
The DEC VAX Open VMS OS enforces individual accountability if the following
restrictions are applied:
- Unique UICs must be used for all users. The UIC is used as an internal identifier
for each user; therefore, unique UICs are important for accountability
of actions and UIC-based access control.
AZScan-VMS Section 6.1 SHUICS shared uics
- A password must be used on each account on the system.
- Each user must have a unique account (i.e., no sharing of accounts) for individual
accountability (except for captive accounts).
- The autologin feature cannot be used since it associates an account with
a particular terminal instead of a person.
70.
Are all users assigned unique UICs?
AZScan-VMS Section 6.1 SHUICS shared uics
AZScan-VMS Section 6.2 LOWUICS low value uics
71.
Are users controlled by login date per the UAF provisions?
72.
Are passwords assigned to validate user authorization? Are procedures
associated with the setting of initial passwords appropriate?
73.
Are passwords generated by the user?
74. Are passwords changed at frequent intervals?
AZScan-VMS Section 2.1 PWDLIFE password life
AZScan-VMS Section 2.3 PWDCHANGES distribution of password changes
75.
Are passwords masked at log-in?
76.
Several SYSGEN parameters are used to enable the detection and subsequent
action of a possible break-in attempt. Evaluate controls regarding the
recommended values as follows:
LGI_BRK_LIM less than or equal to 3;
LGI_BRK_TMO less than 300 seconds;
LGI_BRK_DISUSER = 1;
LGI_RETRY_LIM = 2;
LGI_RETRY_TMO less than 20 seconds.
77.
Evaluate the policy and procedures in use over:
Minimum Password Length (PWDMINIMUM);
Password Expiration Date (PWDCHANGE);
Last Change Date (PWDLIFETIME).
AZScan-VMS Section 2.2 PWDLENU users password length
AZScan-VMS Section 2.4 PWDLEN password length
78.
Evaluate the procedures in use to DisUser accounts that have not been
used for periods of time.
AZScan-VMS Section 8.9 DISUSER flag - disuser
79.
Evaluate controls over embedded passwords, if applicable.
80.
Evaluate controls over duplicate UIC's (same UIC with same user but
multiple user accounts.)
AZScan-VMS Section 6.1 SHUICS shared uics
81.
Evaluate controls over LOGIN access restrictions like times and days.
AZScan-VMS Section 5.1 LINOI non-interactive logins
AZScan-VMS Section 5.2 LIBOT both types of login
AZScan-VMS Section 5.3 LIINT interactive logins
AZScan-VMS Section 5.4 LLOGINS last logins
AZScan-VMS Section 5.5 LIFAIL login failures
82.
Determine if there is any limit to the number of incorrect password
attempts and what the results are.
83.
Is autologin restricted from use?
DEC VAX Open VMS OS Terminal Security
Terminals are the only means of establishing communication with the system,
which makes them the first stepping stone for control and security.
84.
Are operator consoles designated to monitor the system activity located
in a physically secure area?
85.
Is access to the terminals limited to business hours?
86. If any terminals are located in unsecured areas, are login protection
methods used, such as either:
- secure terminal servers;
- system passwords.
87.
Do terminals lock after a period of inactivity via the use of the "LOCK"
feature or otherwise?
88.
Identify the Master Terminal or System Console and ensure that it is
well controlled and secured from unauthorized access. The physical access
to the terminal would depend on a person's access to the building. His/her
terminal usage could be controlled through specifying time and days
in the User Authorization File.
89.
Are terminal services being used? If yes, has the default terminal password
"SYSTEM" been changed? Are "Dedicated Services"
used where appropriate?
DEC VAX Open VMS OS VAX/VMS Security Mechanisms
90.
Identify the "accounting events" that have been enabled and
evaluate for appropriateness.
91. Are audit alarms and/or accounting utility features used to determine
system security access:
- LOGIN failures;
- Break-in attempts;
- Modifications to the audit file?
Determine whether the procedures in place to monitor changes to accounting/alarm
events are adequate.
92. Ensure that appropriate file protection and retention is established
over the SYS$MANAGER:Operator.Log.
93. Evaluate whether procedures exist to regularly archive the current audit
log file:
"SYS$MANAGER:SECURITY_AUDIT.AUDIT$JOURNAL" on a scheduled
basis.
94. Identify whether appropriate security has been established over all
audit log files (default, archived, and binary).
95.
Review the SET AUDIT events associated with the FILE_ACCESS flag for
READALL, BYPASS, SYSPRV, and GRPPRV alarms (e.g. the CONTROL alarm for
READALL should be enabled since it provides the ability to change file
protection).
96.
Identify whether procedures are in place to generate and review on a
regular basis, ANALYZE/AUDIT security reports.
DEC VAX Open VMS OS Miscellaneous Exposures
97. Evaluate control over the UAFALTERNATE parameter, if used.
Description of liability - use of UAFALTERNATE:
Indicates whether the system should be bootstrapped using an alternate User Authorization
File.
Access to this parameter can violate all security enabled on the system.
Identifying an Alternate UAF when one does not exist will allow the
user to login with the first username and password entered following
the boot, but does not create a UAF file.
To audit the use of the UAFALTERNATE parameter, invoke the SYSGEN utility
and verify the value associated with UAFALTERNATE.
$ RUN SYS$SYSTEM:SYSGEN
SYSGEN> SHOW UAFALTERNATE
$ RUN SYS$SYSTEM:SYSMAN
SYSMAN> PARAMETER SHOW UAFALTERNATE