Updated: 11 December 1998 |
OpenVMS Guide to System Security
Previous | Contents | Index |
Although a site may enable the process event class, the operating system does not report every event in this class. It suppresses the following types of audits:
Applications and system programs can contribute security event information by calling the following system services:
Audit Event ($AUDIT_EVENT) System Service
The operating system calls the $AUDIT_EVENT system service every time a security-relevant event occurs on the system. By looking at the SET AUDIT settings, the system service determines whether you enabled auditing for the event. When the event is enabled for alarms or audits, $AUDIT_EVENT generates an audit record that identifies the process (subject) involved and lists event information supplied by its caller.
Check Privilege ($CHECK_PRIVILEGE) System Service
The operating system calls the $CHECK_PRIVILEGE system service any time a user attempts to perform a privileged function. (The current set of OpenVMS privileges is listed in Appendix A.) The system service performs the privilege check and looks at the SET AUDIT settings to determine whether you enabled privilege auditing. When privilege auditing is enabled, $CHECK_PRIVILEGE generates an audit record. The audit record identifies the process (subject) and privilege involved, provides the result of the privilege check, and lists supplemental event information supplied by its caller. Privilege audit records usually contain the DCL command line or system service name associated with the privilege check.
Check Protection ($CHKPRO) and Check Access ($CHECK_ACCESS) System Services
The operating system calls the $CHKPRO system service any time a process (subject) attempts to access a protected object. The system service performs the access arbitration according to the rules described in Section 4.3. By looking at the SET AUDIT settings for the associated object class, the service also determines whether you enabled auditing for the associated object access event. When an alarm or an audit is required, $CHKPRO generates an audit record that identifies the process (subject) and object involved and includes the final outcome and any supplemental event information supplied by its caller.
Privileged server processes use the $CHECK_ACCESS system service to
determine whether their clients should be allowed access to the
protected objects being served. The $CHECK_ACCESS system service
provides a calling interface appropriate for servers and is layered on
top of the $CHKPRO service. As a result, it performs object access
auditing in the same manner as $CHKPRO.
9.3 Developing an Auditing Plan
As system manager or site security administrator, you have to determine
the level of security required at your site before you can understand
which security events to audit.
9.3.1 Assessing Your Auditing Requirements
Assessing your auditing requirements is a two-step process:
After developing a general notion of your site requirements, you need to consider how much security reporting is realistic. Balance the suggestions in Table 9-4 with the following site factors:
Low | Medium | High | |
---|---|---|---|
Goal | Monitor local events with high impact | Track changes to system definition |
Monitor database changes; track use of process control system services
Monitor network connections through DECnet Phase IV (VAX only) |
Classes to Enable as Alarms | ACL, authorization, break-in (all types), logfailure (all types) | Same as low category plus use of SECURITY privilege | Same as medium category plus INSTALL, time, SYSGEN, unsuccessful privilege use |
Classes to Enable as Audits | ACL, authorization, breakin (all types), logfailure (all types) | All of low category plus INSTALL; time; SYSGEN; privilege; logins (all types); logouts (all types); access of files through BYPASS, SYSPRV, and READALL privileges; unsuccessful access to files, devices, and volumes | All of medium category plus identifier, process, unsuccessful access to protected objects, NCP, connection (VAX only) |
In Table 9-4, the event classes suggested for a low-security site are the default settings for the operating system. If these classes are not the current defaults on your system, you can enable them with the following command:
$ SET AUDIT/ALARM/AUDIT/ENABLE=(ACL,AUTHORIZATION,BREAKIN:ALL,LOGFAILURE:ALL) |
In a site with moderate security requirements, you want to audit events that can redefine your system. You watch for changes to system files, system time, or system parameters. You also monitor image installations and the use of privilege. Example 9-3 shows the auditing setting for a site with moderate security requirements.
Example 9-3 Auditing Events for a Site with Moderate Security Requirements |
---|
System security alarms currently enabled for: Authorization Breakin: dialup,local,remote,network,detached System security audits currently enabled for: ACL Authorization INSTALL Time SYSGEN Breakin: dialup,local,remote,network,detached Login: batch,dialup,local,remote,network,subprocess,detached Logfailure: batch,dialup,local,remote,network,subprocess,detached Logout: batch,dialup,local,remote,network,subprocess,detached Privilege use: ACNT ALLSPOOL ALTPRI AUDIT BUG BYPASS CMEXEC CMKRNL DIAGNOSE DOWNGRADE EXQUOTA GROUP GRPNAM GRPPRV IMPORT IMPERSONATE LOG_IO MOUNT NETMBX OPER PFNMAP PHY_IO PRMCEB PRMGBL PRMMBX PSWAPM READALL SECURITY SETPRV SHARE SHMEM SYSGBL SYSLCK SYSNAM SYSPRV TMPMBX UPGRADE VOLPRO WORLD Privilege failure: ACNT ALLSPOOL ALTPRI AUDIT BUGCHK BYPASS CMEXEC CMKRNL DIAGNOSE DOWNGRADE EXQUOTA GROUP GRPNAM GRPPRV IMPORT IMPERSONATE LOG_IO MOUNT NETMBX OPER PFNMAP PHY_IO PRMCEB PRMGBL PRMMBX PSWAPM READALL SECURITY SETPRV SHARE SHMEM SYSGBL SYSLCK SYSNAM SYSPRV TMPMBX UPGRADE VOLPRO WORLD FILE access: SYSPRV: read,write,execute,delete,control BYPASS: read,write,execute,delete,control READALL: read,write,execute,delete,control |
To enable the settings for a moderate level of auditing, assuming the default events are already in effect, enter the following set of commands:
$ SET AUDIT/ALARM/AUDIT/ENABLE=PRIVILEGE=(SUCCESS:SECURITY,FAILURE:SECURITY) $ SET AUDIT/AUDIT/ENABLE=(INSTALL,SYSGEN,TIME,PRIVILEGE=(SUCCESS,FAILURE)) $ SET AUDIT/AUDIT/ENABLE=ACCESS=(BYPASS,SYSPRV,READALL)/CLASS=FILE $ SET AUDIT/AUDIT/ENABLE=ACCESS=FAILURE/CLASS=(FILE,DEVICE,VOLUME) |
A site with high security requirements expands its auditing breadth to include network activity. It needs to monitor changes to the network database, network connections (VAX only), the use of identifiers as privileges, and privileged file access. Monitor all file access through SYSPRV, BYPASS, or READALL privilege, and watch both successful and unsuccessful file access through GRPPRV privilege. To enable the settings for a high level of auditing, assuming a medium level is in effect, enter the following set of commands:
$ SET AUDIT/ALARM/ENABLE=(INSTALL,SYSGEN,TIME,PRIVILEGE=(FAILURE:ALL)) $ SET AUDIT/AUDIT/ENABLE=(CONNECTION,IDENTIFIER,NCP,PROCESS:ALL) $ SET AUDIT/AUDIT/ENABLE=ACCESS=FAILURE/CLASS=* |
$ SET AUDIT/AUDIT/ENABLE=ALL/CLASS=* |
$ SET AUDIT/AUDIT/DISABLE=ALL/CLASS=* |
See Section 10.3.2 for more suggestions of event classes to enable.
9.3.2 Selecting a Destination for the Event Message
The operating system can report a security event as either an alarm or an audit (see Section 9.2.1.1). Which form you select depends on the nature of the event. Real-time events or events that should be treated immediately, such as break-in attempts or changes to the system user authorization file (SYSUAF.DAT), are classes to enable as both alarms and audits. Less critical events can be enabled just as audits. Unless you have a hardcopy operator terminal, the alarm record is quickly superseded by other system messages. Audit event records, which are written to the system security audit log, are saved so you can study them in volume.
There is an advantage to studying event messages. Many times an
isolated auditing message offers little insight, but numerous audit
records reveal a pattern of activity that might indicate security
violations. With auditing of object access, for example, a security
administrator can see a pattern of time, types of objects being
accessed, and other system information that, in total, paint a complete
picture of system activity. Section 9.5 describes how to produce
reports from audit log files.
9.3.3 Considering the Performance Impact
The default auditing performed by the operating system primarily tracks changes to the authorization databases. System events like changes to the system user authorization file (SYSUAF.DAT) or the installation of images do not occur too frequently and therefore are not a drain on system resources.
Auditing additional event classes, particularly access events and privilege events, can consume significant system resources if a site enables the event classes without understanding how their system is used and without evaluating the value of the audit information. In this respect, implementation of the audit reporting system is similar to system tuning: it takes a little while to reach the appropriate level of reporting that is free of spurious details. For this reason, Compaq recommends you turn auditing on in phases, not all at once, and gradually add or subtract event classes until you reach a satisfactory balance. Use the following guidelines:
Two commands in particular generate a large number of audit messages:
The operating system can send event messages to an audit log file or to
an operator terminal. If a site wants additional copies, it can send
duplicate messages to a remote log file or an application listener
mailbox.
9.4.1 Using an Audit Log File
The operating system writes all security event messages to the latest version of the security audit log file. This log file is created by default during system startup in the SYS$COMMON:[SYSMGR] directory and named SECURITY.AUDIT$JOURNAL. Table 9-5 describes some of its more notable characteristics.
Ordinarily, all cluster events are written to a single audit log file. The use of one security audit log file in a cluster results in a single record of all security-relevant events on the system. For this reason, one clusterwide log file is preferable to node-specific audit logs, which lose the interrelationship of events across the cluster, thus producing an incomplete analysis of security events. You can, if you wish, create node-specific audit logs (see Section 9.4.1.1), but this is not the recommended procedure.
Characteristic | Advantage |
---|---|
Binary | A binary file requires the least amount of disk space. |
Clusterwide | A clusterwide file, when processed by the Audit Analysis utility, results in one report of security-relevant events in the cluster. |
Sequential record format | A sequential record format is easily analyzed by user-written programs. See the OpenVMS System Management Utilities Reference Manual for a description of the message format of the security audit log file. |
The usefulness of the security audit log file depends upon the procedures you adopt:
The security audit log file continues to grow until action is taken, so you must devise a plan for maintaining it.
Typically, sites rename each day's log file and create a new one. To open a new, clusterwide version of the security audit log file, use the following command:
$ SET AUDIT/SERVER=NEW_LOG |
To create a new, node-specific log, precede the SET AUDIT/SERVER=NEW_LOG command with the command SET AUDIT/DESTINATION=filespec where the file specification includes a logical name that resolves to a node-specific file (for example, SYS$SPECIFIC:[SYSMGR]SECURITY).
Once you have opened the new log, rename the old version with a name that incorporates a beginning or ending date for the data.
To save space on the system disk, you may want to copy the file to another disk and delete the log from the system disk. Even sites with a dedicated auditing disk, which is common to environments with high security requirements, may want to relocate the old version to make space for future messages.
Once you archive the file, run the Audit Analysis utility on the old
log (see Section 9.5.2). By archiving this file, you maintain a
clusterwide history of auditing messages. If you ever discover a
security threat on the system, you can analyze the archived log files
for a trail of suspicious user activity during a specified period of
time.
9.4.1.2 Moving the File from the System Disk
To relocate the file from the SYS$COMMON:[SYSMGR] directory, edit the command procedure SYSECURITY.COM. This procedure executes each time the system is rebooted, before the audit server is started.
To relocate the file, perform the following steps:
$ IF .NOT. F$GETDVI("$1$DUA2","MNT") - _$ THEN MOUNT/SYSTEM $1$DUA2 AUDIT AUDIT$ /NOREBUILD |
$ DEFINE/SYSTEM/EXEC VMS$AUDIT_SERVER AUDIT$:[AUDIT]VMS$AUDIT_SERVER.DAT |
$ SET AUDIT/JOURNAL=SECURITY - _$ /DESTINATION=AUDIT$:[AUDIT]SECURITY |
The operating system sends alarm messages to terminals enabled for security class messages. In most cases, these security alarms appear on the system console by default. Because messages scroll quickly off the screen, it is good practice to enable a separate terminal for security class messages and disable message delivery to the system console. Choose either a terminal in a secure location that provides hardcopy output or have dedicated staff to monitor the security operator terminal. Any number of terminals can be enabled as security operators.
To set up a terminal to receive security class alarms, enter the following DCL command from the designated terminal:
$ REPLY/ENABLE=SECURITY |
For long-term use of a specific terminal, you can modify your site-specific startup command procedure to automatically enable the terminal. For example, the following command lines in a startup command procedure disable the delivery of security alarms to the system console and enable alarms on terminal TTA3:
$ DEFINE/USER SYS$COMMAND OPA0: $ REPLY/DISABLE=SECURITY $ DEFINE/USER SYS$COMMAND TTA3: $ REPLY/ENABLE=SECURITY |
The authorization and SYSGEN event classes occasionally produce such
lengthy alarm messages that the messages get truncated. For this
reason, it is best to enable these classes for both alarms and audits.
When an alarm message is truncated, the text indicates it is
incomplete. As long as you have enabled the classes for audit messages,
you can use ANALYZE/AUDIT to display the complete message.
9.4.3 Secondary Destinations for Event Messages
The operator terminal and the audit log file are the primary destinations for security event messages. A site can choose to send copies of audit messages to a remote log file (called an archive file) or a listener mailbox.
Previous | Next | Contents | Index |
Copyright © Compaq Computer Corporation 1998. All rights reserved. Legal |
6346PRO_022.HTML
|