[OpenVMS documentation]
[Site home] [Send comments] [Help with this site] [How to order documentation] [OpenVMS site] [Compaq site]
Updated: 11 December 1998

OpenVMS Guide to System Security


Previous Contents Index

C.4.1 Protecting Files

The files comprising the TCB are correctly protected when the operating system is installed; however, the protection can be altered by sufficiently privileged users. Appendix B of this guide describes the correct file protection of operating system files.

When installing an OpenVMS operating system, avoid modifying any system files except those specific to your site. You want to maintain the security of the base operating system.

C.4.2 Privileges for Trusted Users

Certain privileges allow the holder to bypass normal file and memory access controls directly or indirectly and, therefore, must not be granted to persons other than the system manager, security administrator, or other trusted users. Privileges in four categories are appropriate only for trusted users: Objects, All, System, and Group. Refer to Table 8-2 for the privileges belonging to each of these categories. The privileges themselves are described in detail in Appendix A.

Privileges in the Objects and All categories allow the holder to violate the isolation of the TCB from untrusted users. Privileges in the System category allow the holder to interfere with normal system operation and cause denial of service, but they do not allow the holder to actually violate object access controls. Some privileges in the System category also allow access controls to be ultimately bypassed.

Privileges in the Group category permit the holder to interfere with the operations of others in the same group. The GRPPRV privilege, in particular, permits the holder to violate normal access controls within that holder's group because it grants access (through the system field of the protection code) to objects owned by subjects sharing the same group UIC.

All trusted users should be familiar with all the effects of any operations they perform. In particular, they need to know all software products an operation might use because a trusted user's privileges can allow untrusted software to perform operations that OpenVMS security policy would otherwise preclude.

C.4.3 Privileges for Untrusted Users

Untrusted users can hold any privilege in the Normal and Devour category with the exception of GRPNAM. Exercise caution in granting privileges from the Devour category, however, for they permit the holder to consume resources without limit, thereby causing possible denial of service and interference with the operations of other users on the system. Table C-2 lists privileges allowed to untrusted users.

Table C-2 Privileges for Untrusted Users
Category Privilege Activity Permitted
Normal NETMBX
TMPMBX
Create network connections
Create temporary mailbox
Devour ACNT
ALLSPOOL
BUGCHK
EXQUOTA
PRMCEB
PRMGBL
PRMMBX
SHMEM
Disable accounting
Allocate spooled devices
Make bugcheck error log entries
Exceed disk quotas
Create/delete permanent common event flag clusters
Create permanent global sections
Create permanent mailboxes
Create/delete structures in shared memory

C.4.4 Physical Security

Physical and environmental security are critical to the secure operation of the system. All physical components of the TCB require adequate protection, or unauthorized people can jeopardize the system's security. Because the following practices and features jeopardize the security of the TCB, they must not be used in a C2 environment:

C.5 Configuring a C2 System

This section discusses C2 constraints on the use of OpenVMS features. It includes the following topics:

C.5.1 Keeping Individuals Accountable

The proper use of names, UICs, and passwords ensures that individual accountability is enforced by the OpenVMS operating system. As a general practice, Compaq recommends that you use generated passwords on privileged accounts. Because the following practices and features result in the loss of individual accountability, they must not be used in a C2 environment:

C.5.2 Managing the Auditing Trail

The security-auditing system lets you to track security-relevant activity on the system provided you manage it correctly. To follow a trail of activity in the audit logs, you must have complete and accurate records. Security event messages can be recorded in the security audit log file and on any terminal designated to receive security-class event messages. Because the following practices jeopardize a site's ability to track security-relevant events in the system, they must not be used in a C2 environment:

C.5.3 Reusing Objects

Before allocating memory or protected objects like volumes and devices to new users, sites must ensure that they are free of old data. The memory management subsystem protects against the reuse of system memory pages, and it cannot be defeated. Because the following practices jeopardize the clearing of old data from volumes and terminals before reallocation, they must not be followed in a C2 environment:

Compaq recommends that sites clear printers between jobs to ensure that print jobs do not interfere with one another. A security administrator can reset printers automatically at the start or end (or both) of each job by associating a device control library with the print queue. Consult the documentation supplied with your printer to determine the appropriate reset sequence, and then refer to the OpenVMS System Manager's Manual for directions on adding that sequence to a library and associating the library with the queue.

C.5.4 Configuring Clusters

All valid cluster configurations, when configured as common environment clusters, fully support the OpenVMS security features. Because the following practices and features result in the loss of a common environment cluster, they must not be used in a C2 environment.

Note

OpenVMS clusters can consist of VAX and Alpha nodes.

C.5.5 Starting Up and Operating the System

A C2 system is the shipped system that has been configured according to the guidelines in this appendix. When configuring your system, you must observe the following guidelines:

C.5.6 Forcing Immediate Reauthentication of a Specified Subject After a Change in Access Rights

A system or security administrator may force an untrusted subject to reauthenticate himself or herself at any time. This might be necessary when the subject's access rights have been modified. The procedure is as follows and can be performed only by a trusted subject.

  1. Make the changes to the subject's authorization record in the authorization file.
  2. Obtain the owner's UIC of the subject from the authorization file.
  3. Enter the SYSMAN utility.
  4. Use the SYSMAN utility to identify all processes owned by the subject.
    1. In an OpenVMS Cluster environment, set the SYSMAN environment clusterwide. If you are not in an OpenVMS Cluster environment, skip this step.
    2. Use SYSMAN DO SHOW SYSTEM/FULL to obtain a listing of all processes on the system or OpenVMS cluster. This command also lists the owner UIC and system PID of each process. Record this information.
  5. From SYSMAN, stop every process on every system that is owned by the subject.
    Note: Any process created by the subject after Step 4 is bound by the new access rights and does not need to be deleted. Therefore, this is not a recursive procedure.
    1. In the OpenVMS cluster environment, set the SYSMAN environment to point to only one node. If you are not in the OpenVMS cluster environment, skip this step.
    2. For each process on the system to be deleted, identify the PID from Step 2 and use the SYSMAN DO STOP/ID=pid command to stop the job.
    3. Repeat Steps a and b until all desired processes on all nodes of the cluster have been stopped.

C.6 Checklist for Generating a C2 System

The previous sections of this appendix describe the U.S. government requirements for running the OpenVMS operating system in a C2 environment. The following list reviews the government's security requirements:

Installing the System

Using Evaluated Components

Making Individuals Accountable

Managing the Audit Reporting System

Reusing Disks, Tapes, and Terminals

Building a Single Security Domain

Starting the System


Previous Next Contents Index

[Site home] [Send comments] [Help with this site] [How to order documentation] [OpenVMS site] [Compaq site]
[OpenVMS documentation]

Copyright © Compaq Computer Corporation 1998. All rights reserved.

Legal
6346PRO_038.HTML