OpenVMS Guide to System Security

Document revision date: 19 July 1999

OpenVMS Guide to System Security

Contents

Index

Chapter 11
Securing a Cluster

This chapter describes concerns for security administrators of clustered systems. Clustered systems refer to those systems using hardware and software that permits sharing of disks, resources, and a common operating system among various computers. Clusters of VAX processors are said to be joined in a VAXcluster environment, whereas clusters including both Alpha processors and VAX processors are said to be joined in a VMScluster environment. To properly secure your cluster, you should be familiar with the information in OpenVMS Cluster Systems.

OpenVMS Cluster Systems describes the tasks of the cluster manager. The cluster manager's job is the same as that of any system manager, but the cluster manager has to implement changes across many nodes. The security administrator for a cluster generally requires the same training and skills as a cluster manager, and at some cluster sites, the same person serves in the role of security administrator as well as cluster manager. At other sites, there may be one or more security administrators in addition to a cluster management team.

When a site separates the security administrator function from the cluster management function, coordination, cooperation, and communication between these functions becomes vital. As in previous chapters, this chapter uses the title of security administrator to refer to individuals who have the responsibility for system security, regardless of what other responsibilities they hold.

11.1 Overview of Clusters

Clustered systems provide a uniform computing environment that is highly scalable, highly available, and secure. It is critical that there be a single set of authorized users and that these users be able to have processes executing on any cluster member.

To achieve a uniform computing environment, a cluster relies on the following components operating across all cluster members:

Lock manager system services ($ENQ/$DEQ) (to provide a framework for building distributed applications)
File and record management subsystems (coordinated through the lock manager)
Batch and print services
Process control system services
Security auditing system

Within a cluster, authorization data for users and the security profiles of objects must be consistent across all nodes so that each cluster member makes the same access control decision when presented with a particular user's access request for a particular object. Section 11.2 and Section 11.3 describe how to achieve a single security domain.

11.2 Building a Common Environment

Within a cluster, access control is mediated by individual nodes using a common set of authorization information. In the single security domain model, a process, acting on behalf of an authorized individual, requests access to a cluster-visible object, and a coordinating node determines the outcome by comparing its copy of the common authorization database with the security profile for the object being accessed. This model enforces security only when the authorization information and the object security profiles are consistent across all nodes in the cluster.

To achieve data consistency within the cluster, a site needs to:

Maintain a common set of data, as described in Section 11.2.1, Section 11.2.2, and Section 11.2.3
Execute changes to system parameters consistently When changing any LGI system parameters, use the System Management utility (SYSMAN) (see Section 11.7).

11.2.1 Required Common System Files

The easiest way to ensure a single security domain is to maintain a single copy of each of the files listed in Table 11-1 on one or more cluster-mounted disks. As soon as any required file is created on one node, it must be created or commonly referenced on all remaining cluster members. When a cluster is configured with multiple system disks, system logical names can be used to ensure that only a single copy of each file exists.

The files in Table 11-1 contain data that must be synchronized. If your site chooses to maintain multiple versions of these files, you must synchronize the data, as Section 11.2.3 explains.

Table 11-1 System Files That Must Be Common in a Cluster
File Description

NETOBJECT.DAT Contains the DECnet object database. Among the information contained in this file is the list of known DECnet server accounts and passwords.

NETPROXY.DAT
NET$PROXY.DAT Contains the network proxy database. This file is maintained by the Authorize utility (AUTHORIZE).

QMAN$MASTER.DAT Contains the master queue manager database. This file contains the security information for all shared batch and print queues. A single copy of this file must be maintained on a shared disk if two or more nodes intend to participate in a shared queuing system.

RIGHTSLIST.DAT Contains the rights identifier database. This file is maintained by AUTHORIZE and by various rights identifier system services.

SYSALF.DAT Contains the system autologin file. This file is maintained by the System Management utility (SYSMAN).

SYSUAF.DAT Contains the system user authorization file. This file is maintained by AUTHORIZE and modifiable through the Set User Authorization Information ($SETUAI) system service.

SYSUAFALT.DAT Contains the system alternate user authorization file. This file serves as a backup to SYSUAF.DAT and is enabled through the SYSUAFALT system parameter.

VMS$OBJECTS.DAT Contains the cluster-visible object database. Among the information contained in this file are the security profiles for all cluster-visible objects.

**Table 11-1 System Files That Must Be Common in a Cluster**
File	Description
NETOBJECT.DAT	Contains the DECnet object database. Among the information contained in this file is the list of known DECnet server accounts and passwords.
NETPROXY.DAT NET$PROXY.DAT	Contains the network proxy database. This file is maintained by the Authorize utility (AUTHORIZE).
QMAN$MASTER.DAT	Contains the master queue manager database. This file contains the security information for all shared batch and print queues. A single copy of this file must be maintained on a shared disk if two or more nodes intend to participate in a shared queuing system.
RIGHTSLIST.DAT	Contains the rights identifier database. This file is maintained by AUTHORIZE and by various rights identifier system services.
SYSALF.DAT	Contains the system autologin file. This file is maintained by the System Management utility (SYSMAN).
SYSUAF.DAT	Contains the system user authorization file. This file is maintained by AUTHORIZE and modifiable through the Set User Authorization Information ($SETUAI) system service.
SYSUAFALT.DAT	Contains the system alternate user authorization file. This file serves as a backup to SYSUAF.DAT and is enabled through the SYSUAFALT system parameter.
VMS$OBJECTS.DAT	Contains the cluster-visible object database. Among the information contained in this file are the security profiles for all cluster-visible objects.

11.2.2 Recommended Common System Files

Although Compaq does not require that the files listed in Table 11-2 be common to all cluster members, it does recommend that the data in the files be fully synchronized. Table 11-3 explains how to coordinate these files and suggests possible consequences of poor synchronization.

Some of the recommended files are created only on request and may not exist in all configurations. Note that a file may be absent on one node only if it is absent on all other nodes. As soon as any required file is created on one node, it must be created or commonly referenced on all remaining cluster members.

Table 11-2 System Files Recommended to Be Common
File Description

VMS$AUDIT_SERVER.DAT Contains information related to security auditing, such as enabled security-auditing events and the destination of the system security audit log file.

VMS$PASSWORD_HISTORY.DATA Contains the system password history database. This file is maintained by the SET PASSWORD utility.

VMSMAIL_PROFILE.DATA Contains the system mail database. This file is maintained by the Mail utility (MAIL). It holds mail profiles for all system users as well as a list of all mail forwarding addresses in use on the system.

VMS$PASSWORD_DICTIONARY.DATA Contains the system password dictionary. The system password dictionary is a list of English words and phrases that cannot be used as account passwords.

VMS$PASSWORD_POLICY Contains any site-specific password filters. This file is created and installed by the security administrator or system manager. (See Section 7.3.3.3 for details on password filters.)

**Table 11-2 System Files Recommended to Be Common**
File	Description
VMS$AUDIT_SERVER.DAT	Contains information related to security auditing, such as enabled security-auditing events and the destination of the system security audit log file.
VMS$PASSWORD_HISTORY.DATA	Contains the system password history database. This file is maintained by the SET PASSWORD utility.
VMSMAIL_PROFILE.DATA	Contains the system mail database. This file is maintained by the Mail utility (MAIL). It holds mail profiles for all system users as well as a list of all mail forwarding addresses in use on the system.
VMS$PASSWORD_DICTIONARY.DATA	Contains the system password dictionary. The system password dictionary is a list of English words and phrases that cannot be used as account passwords.
VMS$PASSWORD_POLICY	Contains any site-specific password filters. This file is created and installed by the security administrator or system manager. (See Section 7.3.3.3 for details on password filters.)

11.2.3 Synchronizing Multiple Versions of Files

Using shared files is not the only way of achieving a single security domain. Some sites may have requirements for multiple copies of one or more of these system files on different nodes in a cluster. As long as the security information available to each node in the cluster is exactly the same, these sites operate in a single security domain.

Table 11-3 lists the files that require coordination, explains when to update these files, and suggests possible consequences of poor synchronization.

Table 11-3 Using Multiple Versions of Required Cluster Files
File Coordination Required Result of Poor Synchronization

VMS$AUDIT_SERVER.DAT Update after any SET AUDIT command. Possible partitioning of auditing domains

NETOBJECT.DAT Update all versions after any NCP SET OBJECT or DEFINE OBJECT command. Unexplained network login failures and unauthorized network access

NETPROXY.DAT
NET$PROXY.DAT Update all versions after any AUTHORIZE proxy command. Unexplained network login failures and unauthorized network access

RIGHTSLIST.DAT Update all versions after any change to any identifier or holder records. Possible unauthorized system access and unauthorized access to protected objects

SYSALF.DAT Update all versions after any SYSMAN ALF command. Unexplained login failures and unauthorized system access

SYSUAF.DAT Update all versions so the fields listed in Table 11-4 are synchronized for each user record. Possible unexplained login failures and unauthorized system access.

SYSUAFALT.DAT Update all versions after any change to any authorization records in this file. Possible unexplained login failures and unauthorized system access

VMS$OBJECTS.DAT Update all versions after any change to the security profile of a cluster-visible object or after new cluster-visible objects are created. (See Section 11.5 for details.) Possible unauthorized access to protected objects

VMSMAIL_PROFILE.DATA Update all versions after any changes to mail forwarding parameters. Possible authorized disclosure of information

VMS$PASSWORD_HISTORY.DATA Update all versions after any password change. Possible violation of the system password policy

VMS$PASSWORD_DICTIONARY.DATA Update all versions after any site-specific additions. Possible violation of the system password policy

VMS$PASSWORD_POLICY Install common version on all nodes. Possible violation of the system password policy

**Table 11-3 Using Multiple Versions of Required Cluster Files**
File	Coordination Required	Result of Poor Synchronization
VMS$AUDIT_SERVER.DAT	Update after any SET AUDIT command.	Possible partitioning of auditing domains
NETOBJECT.DAT	Update all versions after any NCP SET OBJECT or DEFINE OBJECT command.	Unexplained network login failures and unauthorized network access
NETPROXY.DAT NET$PROXY.DAT	Update all versions after any AUTHORIZE proxy command.	Unexplained network login failures and unauthorized network access
RIGHTSLIST.DAT	Update all versions after any change to any identifier or holder records.	Possible unauthorized system access and unauthorized access to protected objects
SYSALF.DAT	Update all versions after any SYSMAN ALF command.	Unexplained login failures and unauthorized system access
SYSUAF.DAT	Update all versions so the fields listed in Table 11-4 are synchronized for each user record.	Possible unexplained login failures and unauthorized system access.
SYSUAFALT.DAT	Update all versions after any change to any authorization records in this file.	Possible unexplained login failures and unauthorized system access
VMS$OBJECTS.DAT	Update all versions after any change to the security profile of a cluster-visible object or after new cluster-visible objects are created. (See Section 11.5 for details.)	Possible unauthorized access to protected objects
VMSMAIL_PROFILE.DATA	Update all versions after any changes to mail forwarding parameters.	Possible authorized disclosure of information
VMS$PASSWORD_HISTORY.DATA	Update all versions after any password change.	Possible violation of the system password policy
VMS$PASSWORD_DICTIONARY.DATA	Update all versions after any site-specific additions.	Possible violation of the system password policy
VMS$PASSWORD_POLICY	Install common version on all nodes.	Possible violation of the system password policy

11.3 Synchronizing Authorization Data

On a cluster, all elements of the user authorization data should exist in a common database. These authorization elements include the system user authorization files (SYSUAF.DAT and its backup SYSUAFALT.DAT), the rights database (RIGHTSLIST.DAT), the network authorization file (NETPROXY.DAT) and its object database file (NETOBJECTS.DAT), which are present on all OpenVMS systems, and optionally, the autologin file, SYSALF.DAT.

A secure cluster requires that the authorization data be synchronized across all nodes. If a site chooses to maintain multiple versions of these files, then you must synchronize the data. Each user should have the same UIC, group number, and set of identifiers defined on every node. Coordination of privileges and access rights is also critical. A shared disk is protected only as much as its least protected node. If you maintain separate authorization files on each node in the cluster, ensure that user privileges are common across all copies of the system user authorization file (SYSUAF.DAT). Table 11-4 lists the fields of SYSUAF.DAT that must be identical on each node.

Table 11-4 Fields in SYSUAF.DAT Requiring Synchronization
Internal Name $SETUAI Item Code

UAF$R_DEF_CLASS UAI$_DEF_CLASS

UAF$Q_DEF_PRIV UAI$_DEF_PRIV

UAF$B_DIALUP_ACCESS_P UAI$_DIALUP_ACCESS_P

UAF$B_DIALUP_ACCESS_S UAI$_DIALUP_ACCESS_S

UAF$B_ENCRYPT UAI$_ENCRYPT

UAF$B_ENCRYPT2 UAI$_ENCRYPT2

UAF$Q_EXPIRATION UAI$_EXPIRATION

UAF$L_FLAGS UAI$_FLAGS

UAF$B_LOCAL_ACCESS_P UAI$_LOCAL_ACCESS_P

UAF$B_LOCAL_ACCESS_S UAI$_LOCAL_ACCESS_S

UAF$B_NETWORK_ACCESS_P UAI$_NETWORK_ACCESS_P

UAF$B_NETWORK_ACCESS_S UAI$_NETWORK_ACCESS_S

UAF$B_PRIME_DAYS UAI$_PRIMEDAYS

UAF$Q_PRIV UAI$_PRIV

UAF$Q_PWD UAI$_PWD

UAF$Q_PWD2 UAI$_PWD2

UAF$Q_PWD_DATE UAI$_PWD_DATE

UAF$Q_PWD2_DATE UAI$_PWD2_DATE

UAF$B_PWD_LENGTH UAI$_PWD_LENGTH

UAF$Q_PWD_LIFETIME UAI$_PWD_LIFETIME

UAF$B_REMOTE_ACCESS_P UAI$_REMOTE_ACCESS_P

UAF$B_REMOTE_ACCESS_S UAI$_REMOTE_ACCESS_S

UAF$R_MAX_CLASS UAI$_MAX_CLASS

UAF$R_MIN_CLASS UAI$_MIN_CLASS

UAF$W_SALT UAI$_SALT

UAF$L_UIC Not applicable

**Table 11-4 Fields in SYSUAF.DAT Requiring Synchronization**
Internal Name	$SETUAI Item Code
UAF$R_DEF_CLASS	UAI$_DEF_CLASS
UAF$Q_DEF_PRIV	UAI$_DEF_PRIV
UAF$B_DIALUP_ACCESS_P	UAI$_DIALUP_ACCESS_P
UAF$B_DIALUP_ACCESS_S	UAI$_DIALUP_ACCESS_S
UAF$B_ENCRYPT	UAI$_ENCRYPT
UAF$B_ENCRYPT2	UAI$_ENCRYPT2
UAF$Q_EXPIRATION	UAI$_EXPIRATION
UAF$L_FLAGS	UAI$_FLAGS
UAF$B_LOCAL_ACCESS_P	UAI$_LOCAL_ACCESS_P
UAF$B_LOCAL_ACCESS_S	UAI$_LOCAL_ACCESS_S
UAF$B_NETWORK_ACCESS_P	UAI$_NETWORK_ACCESS_P
UAF$B_NETWORK_ACCESS_S	UAI$_NETWORK_ACCESS_S
UAF$B_PRIME_DAYS	UAI$_PRIMEDAYS
UAF$Q_PRIV	UAI$_PRIV
UAF$Q_PWD	UAI$_PWD
UAF$Q_PWD2	UAI$_PWD2
UAF$Q_PWD_DATE	UAI$_PWD_DATE
UAF$Q_PWD2_DATE	UAI$_PWD2_DATE
UAF$B_PWD_LENGTH	UAI$_PWD_LENGTH
UAF$Q_PWD_LIFETIME	UAI$_PWD_LIFETIME
UAF$B_REMOTE_ACCESS_P	UAI$_REMOTE_ACCESS_P
UAF$B_REMOTE_ACCESS_S	UAI$_REMOTE_ACCESS_S
UAF$R_MAX_CLASS	UAI$_MAX_CLASS
UAF$R_MIN_CLASS	UAI$_MIN_CLASS
UAF$W_SALT	UAI$_SALT
UAF$L_UIC	Not applicable

Use SYSMAN if you choose to create an autologin file and maintain the file in the common authorization database with your authorization files and rights database. On clustered systems, the autologin file must include the cluster node name as a prefix to the terminal name. For example, the terminal TTA0 on node WILLOW would be represented as WILLOW$TTA0. See Section 11.7 for an overview of SYSMAN.

11.4 Managing the Audit Log File

The audit server database VMS$AUDIT_SERVER.DAT contains information about events to be audited, the location of the audit log file, and information used to monitor its consumption of resources.

The audit log file resides in SYS$COMMON:[SYSMGR]. If you should decide to redirect the audit log off the system disk, it is important to redirect it uniformly across all nodes on the cluster. You use the command SET AUDIT/JOURNAL=SECURITY/DESTINATION=filename. Make sure that the file name you assign resolves to the same file throughout the cluster, not a file unique to each node. OpenVMS Cluster Systems describes the procedure in detail.

11.5 Protecting Objects

A single security domain is one in which each cluster member must make the same access control decision when presented with a particular user's access request for a particular object. The operating system provides this level of protection for files, queues, other cluster-visible objects: devices, disk and tape volumes, and resource domains. Table 11-5 summarizes the behavior of each object class and explains where each stores security profiles. See Chapter 5 for a description of each object class.

Table 11-5 Summary of Object Behavior in a Cluster
Class Visibility in Cluster Location of Profile

Capabilities Visible only to local node. Stored on local node.

Devices Some can be visible
clusterwide. Profiles stored in VMS$OBJECTS.

Files Visible clusterwide. Stored in file header.

Global sections Visible only to local node. Stored on local node.

Logical name tables Visible only to local node. Stored on local node.

Queues Visible clusterwide. Stored in job-controller queue database (see Table 11-1).

Resource domains Visible clusterwide. Stored in VMS$OBJECTS.

Security class Visible clusterwide. Stored in VMS$OBJECTS.

Volumes Can be visible clusterwide. Stored on the volume.

**Table 11-5 Summary of Object Behavior in a Cluster**
Class	Visibility in Cluster	Location of Profile
Capabilities	Visible only to local node.	Stored on local node.
Devices	Some can be visible clusterwide.	Profiles stored in VMS$OBJECTS.
Files	Visible clusterwide.	Stored in file header.
Global sections	Visible only to local node.	Stored on local node.
Logical name tables	Visible only to local node.	Stored on local node.
Queues	Visible clusterwide.	Stored in job-controller queue database (see Table 11-1).
Resource domains	Visible clusterwide.	Stored in VMS$OBJECTS.
Security class	Visible clusterwide.	Stored in VMS$OBJECTS.
Volumes	Can be visible clusterwide.	Stored on the volume.

11.6 Storing Profiles and Auditing Information

The audit server creates and maintains the security elements of clusterwide objects in a database called VMS$OBJECTS.DAT, located in SYS$COMMON:[SYSEXE]. You should ensure that the object database is present on each node in the cluster by specifying a file name that resolves to the same file through the cluster, not to a file that is unique to each node.

To reestablish the logical name after each system boot, define the logical in SYSECURITY.COM. The command procedure SYSECURITY.COM has to be defined before the audit server starts up.

The object database contains the following information:

Audit and alarm settings for all objects, established through the DCL command SET AUDIT
Template profiles for all security profiles, as described in Chapter 5
Security profiles for all resource domain objects, all security class objects, and all cluster-visible devices (see Section 11.5)

This database is updated whenever characteristics are modified, and the information is distributed so that all nodes participating in the cluster share a common view of the objects.

Ordinarily, it is not possible to change security profiles or create protected objects when the object server is absent and cannot update the cluster database VMS$OBJECTS.DAT. However, you can modify the system parameter SECURITY_POLICY to allow security profile changes to protected objects on a local node (bit 4) or the creation of protected objects on a local node (bit 5).

11.7 Using the System Management Utility

The System Management utility (SYSMAN) is a facility supporting the cluster work of the security administrator. Through its centralized management of nodes and clusters, SYSMAN lets you perform system management tasks from your local node that the utility executes on all nodes in the target environment.

To use SYSMAN requires OPER privilege on the local node and authorization for the OPER privilege on any remote node. The utility does not require a password when you are operating within a cluster in your own account. The operating system audits any logical link connections or any operation in which the utility requires a password.

System managers using SYSMAN should be careful that logical names are set to the same name on each node.

11.8 Managing Cluster Membership

Clustered systems use a group number and a cluster password to allow multiple independent clustered systems to coexist on the same extended local area network (LAN) and to prevent accidental access to a cluster by unauthorized computers. The group number uniquely identifies each cluster system on a LAN. The cluster password serves as an additional check to ensure the integrity of individual clusters on the same LAN that accidentally use identical group numbers. The password also prevents an intruder who discovers the group number from joining the cluster.

The cluster group number and password (in encrypted form) are maintained in the cluster authorization file, SYS$COMMON:[SYSEXE]CLUSTER_AUTHORIZE.DAT. This file is created during installation of the operating system if you indicate that you want to set up a local area or mixed interconnect cluster. The installation procedure then prompts you for the cluster group number and password.

Under normal conditions, you need not alter records in the CLUSTER_AUTHORIZE.DAT file interactively. However, if you suspect a security breach, you may want to change the cluster password. In that case, you use SYSMAN to make the change. The file is accessible only to users with the SYSPRV privilege. Note that if you change either the group number or the password, you must reboot the entire cluster.

If your configuration has multiple system disks, each disk must have a copy of CLUSTER_AUTHORIZE.DAT. You must run SYSMAN to update all copies.

The following command sequence illustrates the use of SYSMAN to change the cluster password:

SYSMAN> SET CLUSTER_AUTHORIZATION/GROUP_NUMBER=65353 SYSMAN> SET ENVIRONMENT/CLUSTER/NODE21 SYSMAN> SET PROFILE /PRIVILEGE=SYSPRV SYSMAN> CONFIGURATION SET CLUSTER_AUTHORIZATION/PASSWORD=HOOVER %SYSMAN-I-CAFOLDGROUP, existing group will not be changed %SYSMAN-I-GRPNOCHG, Group number not changed %SYSMAN-I-CAFREBOOT, cluster authorization file updated The entire cluster should be rebooted.

Contents

Index

privacy and legal statement

6346PRO_026.HTML

OpenVMS Guide to System Security

Chapter 11Securing a Cluster

11.2.1 Required Common System Files

Chapter 11
Securing a Cluster