DEC VAX/VMS Operating System Security Review

The following was contributed by Rey LeClerc (rey@mass-usa.net).
Objectives:
(1) Perform a limited review of the DEC VAX/VMS operating system to assess the adequacy of control.

General VAX Information and Security

A. How VMS security determines access
ACLs are based on identifiers. The rights database (RIGHTS.DAT) is a file associating users with special names, called identifiers, which they are allowed to hold. An identifier may represent a user's username and UIC, or it may represent a more general name held by many users (for example, a project group). There are three types of identifiers: UIC-based, general, and system-defined. When you log in, the identifiers you hold in the rights database are copied into a rights list that is part of your login process. VMS uses the rights list to perform all protection checks. Additional identifiers may be added to your rights list either by the VMS login software or by software specific to your location.

The security manager decides what kinds of access to specific objects should be granted to holders of each identifier. Often many identifiers are attached to an object, and an access control list may contain many entries. There are three types of ACE. Note that an identifier ACE may be UIC-based, general, or system-defined (batch, network, interactive, local, dialup, and remote). Also note that the system stops searching the ACL at the first matching entry, so a match further down the list has no effect. It is crucial, therefore, that ACEs identifying specific users appear before ACEs identifying groups. ACLs can also be used to monitor the system: together with security auditing, an ACE can raise an alarm when an object is accessed and generate a security record in the security audit log.
Regardless of the format in which a UIC is written, the system translates it into a 32-bit value representing a group number and a member number. The 32-bit numeric UIC is stored in the system rights database, a file containing information about the access rights and attributes associated with identifiers and the holders of those identifiers.

When a user attempts to access any object, the system usually compares the user's UIC with that of the object. The only exception to this generalization is when the object is protected by an ACL that immediately grants the user access. Upon a request for access to a given object, VMS compares the user's UIC to that of the object and then determines which category the user belongs to. For example:

o SYSTEM
1. All users who hold the system privilege (SYSPRV).
2. All users whose UIC group number falls within the system range defined by the MAXSYSGROUP parameter.

o GROUP
All users, including the owner, who have the same group number in their UICs as the object's owner.

Each category of users can be further controlled (access allowed or denied) via the access protection code, which grants or denies RWED access. Specifically:

o R (READ) Provides the right to examine (read), print, or copy the file.
o W (WRITE) Provides the right to modify the file.
o E (EXECUTE) Provides the right to run an executable image or to look up files in a directory.
o D (DELETE) Provides the right to delete the file.

Note that CONTROL is omitted because it is never specified in the standard UIC-based protection code. However, it can be specified in an ACL, and it is automatically granted to certain user categories when UIC-based protection is evaluated. CONTROL access grants the user all the rights of the object's actual owner and allows the user to change the protection and file characteristics.

D. Digital Network Security

o Proxy Account. This option requires the target reference monitor to maintain a table of source subjects (remote node and user) and the corresponding local user names. The advantages of a proxy account are twofold: the remote user need not send account and password information across the network, and the access obtained is confined to that of the local user name to which the proxy maps.

o DECnet-VAX Account. This option permits certain types of access to the system from remote nodes without requiring account and password information. Instead, this information is specified in the DECnet-VAX executor and object database.

o DECnet-VAX Database. This facility provides access to and control over other computers that are connected to your computer. Security considerations apply when using this option.
F. DEC VAX Command Procedures
A. System Configuration and Defaults

Obtain a listing of the active system parameters, options, and defaults. Ascertain that the active settings provide an appropriate level of control, auditability, and integrity over the VMS environment. Perform and print the following:

I. SHOW commands

SHOW ACCOUNTING - Displays the items for which accounting is enabled. The items of concern are the logging of login failures and job terminations (batch, interactive, network, detached, etc.).
SHOW AUDIT - Displays which security auditing features and alarms have been enabled (e.g. system break-ins, file access violations, use of the BYPASS privilege, etc.).
SHOW INTRUSION - Displays the contents of the break-in database. The database, if active, contains information about login failures and the evasive action taken by VMS.
SHOW NETWORK - Displays information on the availability of the local node as a member of the network and the addresses and names of all nodes currently accessible to the local node.
SHOW CLUSTER - Displays information on cluster activity and performance and the VMS version running on each node. Clustered systems permit the sharing of disks, resources, and operating systems.
SHOW LOGICAL - Displays the logical names that have been defined and what they translate to (for example, physical devices).

II. Run and print the SYSGEN utility

Run the SYSGEN utility, print its output, and determine that the installation-selected values are appropriate. To run the SYSGEN utility, log on to a suitably privileged account and enter:

$ RUN SYS$SYSTEM:SYSGEN
SYSGEN> SHOW/ALL

Items of particular concern are:

MAXSYSGROUP=X - Defines the range of system accounts (UIC group numbers from 1 to X are system accounts; the value is octal).
LGI_BRK_LIM - Specifies the number of failures that may occur at login time before the system takes action.
LGI_BRK_DISUSER - When set, causes the DISUSER flag to be set in the user's UAF record when a break-in attempt is detected, so the account stays disabled until the system manager re-enables it.
LGI_BRK_TMO - Specifies the number of seconds for which a login failure by a user or node is remembered; once this period elapses after an unsuccessful login, the system forgets that a break-in attempt occurred. The time is cumulative (it is extended for each unsuccessful attempt).
LGI_BRK_TERM - Specifies that the terminal name is to be part of the association string for the terminal mode of break-in detection.
LGI_RETRY_LIM - Specifies the number of retry attempts allowed for users attempting to log in over dial-up lines.
LGI_RETRY_TMO - Specifies the number of seconds allowed between login retry attempts after a login failure.
LGI_PWD_TMO - Specifies the period of time, in seconds, a user has to correctly enter the system password on a terminal on which the system password is in effect.
LGI_HID_TIM - Determines the number of seconds that evasive action persists following the detection of a possible break-in attempt. The evasive action consists of refusing all logins during this period, regardless of whether a valid user name and password are specified. (This number is multiplied by a random value from 1 to 1.5 to set the actual duration.)
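How the LGI_BRK_LIM, LGI_BRK_TMO, LGI_HID_TIM and LGI_BRK_TERM parameters listed above interact, as a Python model of the break-in database that SHOW INTRUSION displays. This is an added illustration, not VMS code and not part of the original review; the parameter values, usernames, terminal names and attempt timings are constructed, and the choice that the failure which brings the count up to LGI_BRK_LIM is the one that triggers evasive action is a modelling assumption.

```python
"""Model of VMS break-in detection as tuned by LGI_BRK_LIM, LGI_BRK_TMO,
LGI_HID_TIM and LGI_BRK_TERM.  Added illustration; the parameter values and
login attempts below are constructed, not taken from a real system."""
import random
from dataclasses import dataclass


@dataclass
class Suspect:
    count: int       # failures seen while this record is alive
    expires: float   # when the record is forgotten (LGI_BRK_TMO, cumulative)


class BreakinDetector:
    def __init__(self, brk_lim=5, brk_tmo=300, hid_tim=300, brk_term=True,
                 rand=random.random):
        self.brk_lim = brk_lim      # LGI_BRK_LIM
        self.brk_tmo = brk_tmo      # LGI_BRK_TMO, seconds
        self.hid_tim = hid_tim      # LGI_HID_TIM, seconds, scaled by 1.0 to 1.5
        self.brk_term = brk_term    # LGI_BRK_TERM: terminal name is part of the key
        self.rand = rand            # injectable so the worked case is deterministic
        self.suspects = {}          # key -> Suspect
        self.intruders = {}         # key -> end of evasive action

    def _key(self, user, terminal):
        return (user, terminal if self.brk_term else None)

    def login(self, user, terminal, password_ok, now):
        """One login attempt at time `now` (seconds).  Returns OK, FAIL,
        BREAKIN (this failure triggered evasive action) or REFUSED."""
        key = self._key(user, terminal)
        if key in self.intruders:
            if now < self.intruders[key]:
                return "REFUSED"        # evasive action: a valid password is rejected too
            del self.intruders[key]     # LGI_HID_TIM period is over
        if password_ok:
            return "OK"
        rec = self.suspects.get(key)
        if rec is not None and now < rec.expires:
            rec.count += 1
            rec.expires += self.brk_tmo      # cumulative: each failure extends the record
        else:
            rec = Suspect(1, now + self.brk_tmo)
            self.suspects[key] = rec
        if rec.count >= self.brk_lim:        # assumption: reaching the limit triggers action
            del self.suspects[key]
            self.intruders[key] = now + self.hid_tim * (1 + 0.5 * self.rand())
            return "BREAKIN"
        return "FAIL"

    def show_intrusion(self, now):
        """Roughly what SHOW INTRUSION lists: live suspect and intruder records."""
        rows = [("SUSPECT", k, r.count, r.expires)
                for k, r in self.suspects.items() if now < r.expires]
        rows += [("INTRUDER", k, None, t)
                 for k, t in self.intruders.items() if now < t]
        return rows


def fast_attacker(rand=lambda: 0.0):
    """Three bad passwords within LGI_BRK_TMO, then valid logins.  rand=0 gives
    the minimum evasion time hid_tim*1.0 so the timeline is predictable."""
    det = BreakinDetector(brk_lim=3, brk_tmo=60, hid_tim=120, rand=rand)
    attempts = [("SYSTEM", "TTA3:", False, 0), ("SYSTEM", "TTA3:", False, 10),
                ("SYSTEM", "TTA3:", False, 20),  # third failure: count reaches LGI_BRK_LIM
                ("SYSTEM", "TTA3:", True, 30),   # correct password, still refused
                ("SYSTEM", "TTA4:", True, 30),   # other terminal: separate key (LGI_BRK_TERM)
                ("SYSTEM", "TTA3:", True, 151)]  # 20 + 120 s have passed, evasion lapsed
    return [det.login(*a) for a in attempts]


def slow_attacker():
    """Failures spaced further apart than LGI_BRK_TMO never accumulate."""
    det = BreakinDetector(brk_lim=3, brk_tmo=60, hid_tim=120, rand=lambda: 0.0)
    return [det.login("SYSTEM", "TTA3:", False, t) for t in (0, 100, 200)]


if __name__ == "__main__":
    print("fast:", fast_attacker())
    print("slow:", slow_attacker())
```

The slow case is the one an auditor should notice: with LGI_BRK_TMO at 60 seconds, an attacker who spaces guesses 100 seconds apart never becomes a suspect, so a short LGI_BRK_TMO weakens LGI_BRK_LIM. The fast case shows the other side, that during the LGI_HID_TIM window even the legitimate SYSTEM user on that terminal is refused, while the same user on another terminal is unaffected when LGI_BRK_TERM is in force.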
I. Obtain a full user authorization file (UAF) listing and ascertain that user access to the system and data has been provided on a need-to-know basis. To obtain the UAF listing, log on to a suitably privileged account and execute the following commands (the output is written to SYSUAF.LIS):

$ RUN SYS$SYSTEM:AUTHORIZE
UAF> LIST/FULL
UAF> LIST/BRIEF
II. Review the UAF user profiles and ascertain that special user attributes and/or privileges have been assigned only to personnel who have a legitimate need for them. Items of particular concern are:

Login Controls

Ascertain that appropriate login controls are in effect which restrict system access to authorized users by class and type of login, time, and function. Review the following login fields:
- LGICMD (login command procedure)
- LOGIN FLAGS
- PRIMARY AND SECONDARY DAYS
- TYPES OF LOGINS
- LOGIN RESTRICTIONS

Special consideration should be given to accounts with the NOPASSWORD login flag set. The NOPASSWORD flag allows login without a password, with just the user ID.

Ascertain that the location is not currently permitting automatic logins. To determine whether automatic login is active, perform the following:
a. Determine where the file SYSALF.DAT resides (the default location is SYS$SYSTEM:SYSALF.DAT).
b. Use DIRECTORY/SIZE on that file; the block count shows whether the file is in use or empty. Note that SYS$MANAGER:ALFMAINT.COM is used to maintain the automatic login facility (ALF). If the file is in use, identify the users allowed to log in automatically (i.e. without specifying a password). Evaluate whether that access is appropriate and adequately controlled, and that the associated devices are physically secured.

If the location has implemented menu security via the login command procedure, perform the following:
a. Ascertain that the CTRL/Y function has been disabled in the login command procedure. Disabling CTRL/Y prevents the user from interrupting the current image and invoking the command interpreter, thus forcing the complete login command procedure to execute whenever a user logs in.
b. Review the login command procedure and ascertain whether embedded user IDs and passwords are used; if they are, ensure that access (read and write) to the command procedure has been properly restricted. To find occurrences of passwords in command procedures:

$ SEARCH SYS$SYSTEM:*.COM;* "PASSWORD" /WINDOW=(2,2)

This lists each occurrence together with the two lines before and after it.

System Accounts

Identify the users whose UIC group number is within the range specified by the MAXSYSGROUP parameter by performing the following:
- In AUTHORIZE, SHOW [group,*] for each UIC group number up to the MAXSYSGROUP value, and
- Scan the UIC-group section of the SYSUAF/BRIEF listing (in UIC order) for duplicate UICs.

Password Controls

Determine if the site uses a DECserver to communicate with other VAXs. If so, ascertain that the DECserver's privileged password has been changed. To perform this test, type SET PRIVILEGE at the LOCAL> prompt and, when the password prompt appears, check whether the factory default password is still accepted.

Ascertain that the default passwords for the mail and terminal server facilities have been changed. Determine whether the DEC field service and other specialized accounts are disabled or restricted to appropriate access times. Ascertain that appropriate password control features have been implemented. Parameters of particular concern are:
PWDMIN - minimum password length
PWDLIFETIME - number of days before a password change is forced
PWDCHANGE - the date the password was last changed

User Privileges

BYPASS - allows full access regardless of an object's protection.
SETPRV - allows a user to set his or her privileges to whatever is desired (e.g. BYPASS, SYSPRV, READALL, DETACH), providing full access to the system and its resources.
READALL - allows read and control access to any object, even if such access is denied by the ACL or UIC-based protection. In addition, the user may receive any other access granted by the protection code.
SYSPRV - allows the same access granted to users in the SYSTEM category.
GRPPRV - allows a user whose UIC group matches the group of an object the same access as users in the SYSTEM category.
DETACH - allows the user's process to create a detached process. There is no restriction on the UIC that can be specified for a detached process; thus there are no restrictions on the files and directories to which a detached process may gain access.
DEVOUR - a category of privileges rather than a single privilege; users holding these privileges can consume unlimited system resources and seriously impact system integrity and performance.

Other Security Matters

Ask to see the Digital Site Manager's Guide. This binder is usually filled out by DEC's field service representative (FSR) following a visit and provides a service record for each processor. Frequently the FSR writes the password to the field service account in this binder.
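The UAF review steps above (system-group accounts by MAXSYSGROUP, duplicate UICs, the NOPASSWORD flag, the dangerous privileges, and the PWDMIN/PWDLIFETIME/PWDCHANGE fields) as one audit script in Python. This is an added illustration and not part of the original review: the records are constructed in the shape of an AUTHORIZE listing rather than parsed from a real SYSUAF, and the MAXSYSGROUP value, the review date and the minimum acceptable PWDMIN are assumed site values. The detail worth noticing is that UIC group numbers and MAXSYSGROUP are octal, so [10,7] is group 8 and falls inside a MAXSYSGROUP of %O10.

```python
"""Audit checks over user authorization file (UAF) records: accounts in the
MAXSYSGROUP range, duplicate UICs, the NOPASSWORD flag, dangerous privileges
and password-control fields.  Added illustration; the records and thresholds
below are constructed, not a real SYSUAF or site policy."""
from collections import defaultdict
from datetime import date

MAXSYSGROUP = 0o10           # assumed SYSGEN value; octal like every UIC group number
MIN_PWDMIN = 8               # assumed site minimum for the PWDMIN field
DANGEROUS = {"BYPASS", "SETPRV", "READALL", "SYSPRV", "GRPPRV", "DETACH"}


def parse_uic(text):
    """'[group,member]' -> (group, member).  Both numbers are octal."""
    group, member = text.strip("[]").split(",")
    return int(group, 8), int(member, 8)


def audit(records, today, maxsysgroup=MAXSYSGROUP):
    """Return (username, check, detail) findings for the given UAF records."""
    findings = []
    by_uic = defaultdict(list)
    for r in records:
        name = r["username"]
        group, member = parse_uic(r["uic"])
        by_uic[(group, member)].append(name)
        if group <= maxsysgroup:
            findings.append((name, "SYSTEM-GROUP",
                             f"UIC group %O{group:o} <= MAXSYSGROUP %O{maxsysgroup:o}"))
        if "NOPASSWORD" in r["flags"]:
            findings.append((name, "NOPASSWORD", "login needs only the username"))
        held = sorted(DANGEROUS & set(r["privs"]))
        if held:
            findings.append((name, "PRIVS", ",".join(held)))
        if r["pwdlifetime"] is None:
            findings.append((name, "PWDLIFETIME", "password never expires"))
        elif r["pwdchange"] is None:
            findings.append((name, "PWD-EXPIRED", "password never changed"))
        elif (today - r["pwdchange"]).days > r["pwdlifetime"]:
            age = (today - r["pwdchange"]).days
            findings.append((name, "PWD-EXPIRED", f"{age} days old, lifetime {r['pwdlifetime']}"))
        if r["pwdmin"] < MIN_PWDMIN:
            findings.append((name, "PWDMIN", f"{r['pwdmin']} < {MIN_PWDMIN}"))
    for (group, member), names in by_uic.items():
        if len(names) > 1:
            findings.append((",".join(names), "DUPLICATE-UIC", f"[{group:o},{member:o}]"))
    return findings


# Constructed records in the shape of an AUTHORIZE LIST/FULL extract.
SAMPLE_UAF = [
    {"username": "SYSTEM", "uic": "[1,4]", "flags": [], "privs": ["BYPASS", "SETPRV", "SYSPRV", "CMKRNL"],
     "pwdlifetime": 90, "pwdchange": date(1995, 1, 15), "pwdmin": 8},
    {"username": "FIELD", "uic": "[1,10]", "flags": ["DISUSER"], "privs": ["DETACH", "SYSPRV"],
     "pwdlifetime": None, "pwdchange": date(1995, 5, 1), "pwdmin": 8},
    {"username": "JSMITH", "uic": "[200,1]", "flags": [], "privs": ["TMPMBX", "NETMBX"],
     "pwdlifetime": 90, "pwdchange": date(1995, 5, 1), "pwdmin": 8},
    {"username": "GUEST", "uic": "[200,1]", "flags": ["NOPASSWORD"], "privs": ["TMPMBX"],
     "pwdlifetime": 90, "pwdchange": None, "pwdmin": 6},
    {"username": "OPER", "uic": "[10,7]", "flags": [], "privs": ["OPER"],
     "pwdlifetime": 90, "pwdchange": date(1995, 5, 1), "pwdmin": 8},
]
AS_OF = date(1995, 6, 1)   # constructed review date

if __name__ == "__main__":
    for who, check, detail in audit(SAMPLE_UAF, AS_OF):
        print(f"{who:14} {check:14} {detail}")
```

Against the constructed records the script reports SYSTEM, FIELD and OPER as system-group accounts (OPER only because %O10 is 8 decimal), JSMITH and GUEST sharing UIC [200,1], GUEST's NOPASSWORD flag and short PWDMIN, FIELD's non-expiring password, and the held BYPASS/SETPRV/SYSPRV/DETACH privileges; JSMITH produces no findings.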
ACL-based protection - To determine whether an ACL exists on a file, perform the following:

$ DIRECTORY/ACL file-spec

To obtain a listing of the identifiers on the system and the users holding them, perform the following:

$ RUN SYS$SYSTEM:AUTHORIZE
UAF> SHOW/IDENTIFIER/FULL *

UIC-based protection - To determine what UIC-based protection masks are used, perform the following:

For a file:
$ DIRECTORY/PROTECTION/OWNER file-spec

For a device:
$ SHOW DEVICE/FULL device-name

System and Security Files

Directory Files - Ensure that compilers do not exist in the production (non-system) executable program directory. These should not be available to any user in the production environment other than the user responsible for moving files into production.

Perform a DIRECTORY/SECURITY of the key system and security files to determine whether they carry security alarm ACEs. Note that they should reside on the system pack and that they should be restricted from the world.

If the privileges provided to the auditor are limited, verify that ACL protection is in place for the above-named files by performing the following commands. Files that are ACL-protected will be reported with a message to that effect.

Review the DEC/VAX violation reports and evaluate whether the report is being utilized and what steps are taken in its review. Evaluate how security violations are tracked and obtain a copy of the log (if maintained) for review.
Execute the following utility and examine the parameters specified. Note that LIST is for permanent parameters and SHOW is for volatile (temporary) parameters. The Network Control Program (NCP) can be run by entering the following:

$ RUN SYS$SYSTEM:NCP
NCP> SHOW (or LIST) EXECUTOR CHARACTERISTICS

Determine whether default proxy or DECnet default access is permitted for both incoming and outgoing access. Determine whether proxy login access is enabled or disabled in both the executor (subject) database and the object database. To perform this test, execute the following commands:

NCP> SHOW EXECUTOR CHARACTERISTICS
NCP> SHOW KNOWN OBJECTS CHARACTERISTICS

Ascertain that remote nodes (on synchronous and asynchronous circuits) are required to send a routing initialization password. Determine whether network logins are controlled via proxy accounts. If not, determine what controls are in effect that prevent passwords from being echoed at the terminal, recorded in system log files, or intercepted in unencrypted form.

Examine the UAF and the network proxy database for proxy accounts and ascertain whether they are adequately controlled. To perform this test, execute the following commands:

$ RUN SYS$SYSTEM:AUTHORIZE
UAF> SHOW/PROXY *

F. Dial-in Security

Ascertain that dial-up terminal lines are set with the HANGUP and MODEM characteristics; otherwise anyone accessing the system via dial-up lines may be able to connect to a previous (privileged) process. An example of the SYSTARTUP statement is:

$ SET TERMINAL/PERMANENT/HANGUP/MODEM

Ascertain that, for dial-up ports on the terminal server, the modem option in the port definition is set to ENABLED. If the modem option is disabled or not used, the server views the port/line as a non-dial-up port, potentially allowing established security procedures to be bypassed.
www.cxlsecure.com