6346pro.htm

Document revision date: 24 June 2002

OpenVMS Guide to System Security

AA--Q2HLF--TE

This manual supersedes the OpenVMS Guide to System Security, Version 7.3

OpenVMS Alpha Version 7.3–1

OpenVMS VAX Version 7.3

June 2002

Compaq Computer Corporation

Houston Texas

© 2002 Compaq Information Technologies Group, L.P.

This guide describes the security features available through the OpenVMS operating system. It explains the purpose and proper application of each feature in the context of specific security needs.

Compaq, the Compaq logo, Alpha, OpenVMS, Tru64, VAX, VMS, and the DIGITAL logo are trademarks of Compaq Information Technologies Group, L.P. in the U.S. and/or other countries.

Microsoft, MS-DOS, Visual C++, Windows, and Windows NT are trademarks of Microsoft Corporation in the U.S. and/or other countries.

Intel, Intel Inside, and Pentium are trademarks of Intel Corporation in the U.S. and/or other countries.

Motif, OSF/1, and UNIX are trademarks of The Open Group in the U.S. and/or other countries.

Java and all Java-based marks are trademarks or registered trademarks of Sun Microsystems, Inc., in the U.S. and other countries.

All other product names mentioned herein may be trademarks of their respective companies.

Confidential computer software. Valid license from Compaq required for possession, use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license.

Compaq shall not be liable for technical or editorial errors or omissions contained herein. The information in this document is provided "as is" without warranty of any kind and is subject to change without notice. The warranties for Compaq products are set forth in the express limited warranty statements accompanying such products. Nothing herein should be construed as constituting an additional warranty.

ZK6346

The Compaq OpenVMS documentation set is available on CD-ROM.

Contents

OpenVMS Guide to System Security

Intended Audience

Document Structure

Related Documents

Reader’s Comments

How to Order Additional Documentation

Part I Security Overview

Chapter 1 Understanding System Security

1.1 Types of Computer Security Problems

1.2 Levels of Security Requirements

1.3 Building a Secure System Environment

Chapter 2 OpenVMS Security Model

2.1 Structure of a Secure Operating System

2.1.1 Reference Monitor Concept

2.1.2 How the Reference Monitor Enforces Security Rules

2.2 Implementation of the Reference Monitor

2.2.3 Authorization Database

2.2.4 Audit Trail

2.2.5 Reference Monitor

2.2.6 Authorization Database Represented as an Access Matrix

2.3 Summary: System Security Design

Part II Security for the User

Chapter 3 Using the System Responsibly

3.1 Choosing a Password for Your Account

3.1.1 Obtaining Your Initial Password

3.1.2 Observing System Restrictions on Passwords

3.2 Knowing What Type of Password to Use

3.2.1 Entering a System Password

3.2.2 Entering a Secondary Password

3.3 Password Requirements for Different Types of Accounts

3.4 Types of Logins and Login Classes

3.4.1 Logging In Interactively: Local, Dialup, and Remote Logins

3.4.2 Logging In Using External Authentication

3.4.3 Reading Informational Messages

3.4.4 When the System Logs In for You: Network and Batch Logins

3.5 Login Failures: When You Are Unable to Log In

3.5.1 Using a Terminal That Requires a System Password

3.5.2 Observing Your Login Class Restrictions

3.5.3 Using an Account Restricted to Certain Days and Times

3.5.4 Failing to Enter the Correct Password During a Dialup Login

3.5.5 Knowing When Break-In Evasion Procedures Are in Effect

3.6 Changing Your Password

3.6.1 Selecting Your Own Password

3.6.2 Using Generated Passwords

3.6.3 Changing a Secondary Password

3.6.4 Changing Your Password As You Log In

3.7 Password and Account Expiration Times

3.7.1 Changing an Expired Password

3.7.2 Renewing an Expired Account

3.8 Guidelines for Protecting Your Password

3.9 Network Security Considerations

3.9.1 Protecting Information in Access Control Strings

3.9.2 Using Proxy Login Accounts to Protect Passwords

3.10 Auditing Access to Your Account and Files

3.10.1 Observing Your Last Login Time

3.10.2 Adding Access Control Entries to Sensitive Files

3.10.3 Asking Your Security Administrator to Enable Auditing

3.10.3.1 Auditing File Access

3.10.3.2 Additional Events to Audit

3.11 Logging Out Without Compromising System Security

3.11.1 Clearing Your Terminal Screen

3.11.2 Disposing of Hardcopy Output

3.11.3 Removing Disconnected Processes

3.11.4 Breaking the Connection to a Dialup Line

3.11.5 Turning Off a Terminal

3.12 Checklist for Contributing to System Security

Chapter 4 Protecting Data

4.1 Contents of a User’s Security Profile

4.1.1 Per-Thread Security

4.1.2 Persona Security Block Data Structure (PSB)

4.1.3 Previous Security Model

4.1.4 Per-Thread Security Model

4.1.5 User Identification Code (UIC)

4.1.5.1 Format of a UIC

4.1.5.2 Guidelines for Creating a UIC

4.1.5.3 How Your Process Acquires a UIC

4.1.6 Rights Identifiers

4.1.6.1 Types of Identifiers

4.1.6.2 Process and System Rights Lists

4.1.6.3 Displaying the Rights Identifiers of Your Process

4.1.6.4 How Rights Identifiers Appear in the Audit Trail

4.1.7 Privileges

4.2 Security Profile of Objects

4.2.1 Definition of a Protected Object

4.2.2 Contents of an Object’s Profile

4.2.2.2 Protection Code

4.2.2.3 Access Control List (ACL)

4.2.3 Displaying a Security Profile

4.2.4 Modifying a Security Profile

4.2.5 Specifying an Object’s Class

4.2.6 Access Required to Modify a Profile

4.3 How the System Determines If a User Can Access a Protected Object

4.4 Controlling Access with ACLs

4.4.1 Using Identifier Access Control Entries (ACEs)

4.4.2 Granting Access to Particular Users

4.4.3 Preventing Users from Accessing an Object

4.4.4 Limiting Access to a Device

4.4.5 Limiting Access to an Environment

4.4.6 Ordering ACEs Within a List

4.4.7 Establishing an Inheritance Scheme for Files

4.4.8 Displaying ACLs

4.4.9 Adding ACEs to an Existing ACL

4.4.10 Deleting an ACL

4.4.11 Deleting ACEs from an ACL

4.4.12 Replacing Part of an ACL

4.4.13 Restoring a File’s Default ACL

4.4.14 Copying an ACL

4.5 Controlling Access with Protection Codes

4.5.1 Format of a Protection Code

4.5.2 Types of Access in a Protection Code

4.5.3 Processing a Protection Code

4.5.4 Changing a Protection Code

4.5.5 Enhancing Protection for Sensitive Objects

4.5.6 Providing a Default Protection Code for a Directory Structure

4.5.7 Restoring a File’s Default Security Profile

4.6 Understanding Privileges and Control Access

4.6.1 How Privileges Affect Protection Mechanisms

4.6.2 Using Control Access to Modify an Object Profile

4.6.3 Object-Specific Access Considerations

4.7 Auditing Protected Objects

4.7.1 Kinds of Events the System Audits

4.7.2 Enabling Auditing for a Class of Objects

4.7.3 Adding Security-Auditing ACEs

Chapter 5 Descriptions of Object Classes

5.1 Capabilities

5.1.1 Naming Rules

5.1.2 Types of Access

5.1.3 Template Profile

5.1.4 Kinds of Auditing Performed

5.1.5 Permanence of the Object

5.2 Common Event Flag Clusters

5.2.1 Naming Rules

5.2.2 Types of Access

5.2.3 Template Profile

5.2.4 Privilege Requirements

5.2.5 Kinds of Auditing Performed

5.2.6 Permanence of the Object

5.3.1 Naming Rules

5.3.2 Types of Access

5.3.3 Access Requirements for I/O Operations

5.3.4 Template Profile

5.3.5 Setting Up Profiles for New Devices

5.3.6 Privilege Requirements

5.3.7 Kinds of Auditing Performed

5.3.8 Permanence of the Object

5.4.1 Naming Rules

5.4.2 Types of Access

5.4.3 Access Requirements

5.4.4 Creation Requirements

5.4.5 Profile Assignment

5.4.5.1 Rules for Assigning Ownership

5.4.5.2 Rules for Assigning a Protection Code and ACL

5.4.5.3 Using the COPY and RENAME Commands

5.4.6 Kinds of Auditing Performed

5.4.7 Protecting Information When Disk Space Is Reassigned

5.4.7.1 Overwriting Disk Blocks

5.4.7.2 Setting a High-water Mark

5.4.7.3 Accessibility of Data in a File

5.4.8 Suggestions for Optimizing File Security

5.5 Global Sections

5.5.1 Naming Rules

5.5.2 Types of Access

5.5.3 Template Profile

5.5.4 Privilege Requirements

5.5.5 Kinds of Auditing Performed

5.5.6 Permanence of the Object

5.6 Logical Name Tables

5.6.1 Naming Rules

5.6.2 Types of Access

5.6.3 Template Profile

5.6.4 Privilege Requirements

5.6.5 Kinds of Auditing Performed

5.6.6 Permanence of the Object

5.7.1 Naming Rules

5.7.2 Types of Access

5.7.3 Template Profile

5.7.4 Privilege Requirements

5.7.5 Kinds of Auditing Performed

5.7.6 Permanence of the Object

5.8 Resource Domains

5.8.1 Naming Rules

5.8.2 Types of Access

5.8.3 Template Profile

5.8.4 Privilege Requirements

5.8.5 Kinds of Auditing Performed

5.8.6 Permanence of the Object

5.9 Security Classes

5.9.1 Naming Rules

5.9.2 Types of Access

5.9.3 Template Profile

5.9.4 Kinds of Auditing Performed

5.9.5 Permanence of the Object

5.10.1 Naming Rules

5.10.2 Types of Access

5.10.3 Template Profile

5.10.4 Privilege Requirements

5.10.5 Kinds of Auditing Performed

5.10.6 Permanence of the Object

Part III Security for the System Administrator

Chapter 6 Managing the System and Its Data

6.1 Role of a Security Administrator

6.2 Site Security Policies

6.3 Tools for Setting Up a Secure System

6.4 Account Requirements for a Security Administrator

6.5 Training the New User

6.6 Logging a User’s Session

6.7 Ongoing Tasks to Maintain a Secure System

Chapter 7 Managing System Access

7.1 Defining Times and Conditions for System Access

7.1.1 Restricting Work Times

7.1.2 Restricting Modes of Operation

7.1.3 Restricting Account Duration

7.1.4 Disabling Accounts

7.1.5 Restricting Disk Volumes

7.1.6 Marking Accounts for External Authentication

7.2 Assigning Appropriate Accounts to Users

7.2.1 Types of System Accounts

7.2.1.1 Interactive Account Example

7.2.1.2 Limited-Account Example

7.2.2 Privileged Accounts

7.2.3 Interactive Accounts

7.2.4 Captive Accounts

7.2.4.1 Setting Up Captive Accounts

7.2.4.2 Guidelines for Captive Command Procedures

7.2.5 Restricted Accounts

7.2.6 Automatic Login Accounts

7.2.7 Guest Accounts

7.2.8 Proxy Accounts

7.2.9 Externally Authenticated Accounts

7.3 Using Passwords to Control System Access

7.3.1 Types of Passwords

7.3.1.1 Primary Passwords

7.3.1.2 System Passwords

7.3.1.3 Secondary Passwords

7.3.1.4 Console Passwords

7.3.1.5 Authentication Cards

7.3.2 Enforcing Minimum Password Standards

7.3.2.1 Expiring Passwords

7.3.2.2 Enforcing Change of Expired Password

7.3.2.3 Requiring a Minimum Password Length

7.3.2.4 Generated Passwords

7.3.2.5 Site Password Algorithms

7.3.3 Screening New Passwords

7.3.3.1 System Dictionary

7.3.3.2 History Lists

7.3.3.3 Site-Specific Filters

7.3.4 Password Protection Checklist

7.4 Enabling External Authentication

7.4.1 Overriding External Authentication

7.4.2 Setting a New Password

7.4.3 Case Sensitivity in Passwords and User Names

7.4.4 User Name Mapping and Password Verification

7.4.5 Password Synchronization

7.4.6 Specifying the SYS$SINGLE_SIGNON Logical Name Bits

7.4.7 Authentication and Credentials Management Extensions (ACME) Subsystem

7.4.7.1 ACME Subsystem Overview

7.4.7.1.1 ACME Agent Operational Environment

7.4.7.1.2 ACME Agent Ordering

7.4.7.2 Authentication Policies

7.4.7.2.1 OpenVMS Policy

7.4.7.2.2 Microsoft Policy

7.4.7.3 ACME Subsystem Controls

7.4.7.3.1 SET and SHOW SERVER ACME Commands

7.4.7.3.2 New SYSUAF Flags

7.4.7.3.3 New System Parameter SECURITY_POLICY Bit Mask Values

7.5 Controlling the Login Process

7.5.1 Informational Display During Login

7.5.1.1 Announcement Message

7.5.1.2 Welcome Message

7.5.1.3 Last Login Messages

7.5.1.4 New Mail Announcements

7.5.2 Limiting Disconnected Processes

7.5.3 Providing Automatic Login

7.5.4 Using the Secure Server

7.5.5 Detecting Intruders

7.5.6 Understanding the Intrusion Database

7.5.6.1 How Intrusion Detection Works

7.5.6.2 Setting the Exclusion Period

7.5.6.3 System Parameters Controlling Login Attempts