OpenVMS Guide to System Security

Document revision date: 19 July 1999

OpenVMS Guide to System Security

Contents

Index

Chapter 5

5 Descriptions of Object Classes

     5.1     Capabilities

         5.1.1         Naming Rules

         5.1.2         Types of Access

         5.1.3         Template Profile

         5.1.4         Kinds of Auditing Performed

         5.1.5         Permanence of the Object

     5.2     Common Event Flag Clusters

         5.2.1         Naming Rules

         5.2.2         Types of Access

         5.2.3         Template Profile

         5.2.4         Privilege Requirements

         5.2.5         Kinds of Auditing Performed

         5.2.6         Permanence of the Object

     5.3     Devices

         5.3.1         Naming Rules

         5.3.2         Types of Access

         5.3.3         Access Requirements for I/O Operations

         5.3.4         Template Profile

         5.3.5         Setting Up Profiles for New Devices

         5.3.6         Privilege Requirements

         5.3.7         Kinds of Auditing Performed

         5.3.8         Permanence of the Object

     5.4     Files

         5.4.1         Naming Rules

         5.4.2         Types of Access

         5.4.3         Access Requirements

         5.4.4         Creation Requirements

         5.4.5         Profile Assignment

             5.4.5.1             Rules for Assigning Ownership

             5.4.5.2             Rules for Assigning a Protection Code and ACL

             5.4.5.3             Using the COPY and RENAME Commands

         5.4.6         Kinds of Auditing Performed

         5.4.7         Protecting Information When Disk Space Is Reassigned

             5.4.7.1             Overwriting Disk Blocks

             5.4.7.2             Setting a High-water Mark

             5.4.7.3             Accessibility of Data in a File

         5.4.8         Suggestions for Optimizing File Security

     5.5     Global Sections

         5.5.1         Naming Rules

         5.5.2         Types of Access

         5.5.3         Template Profile

         5.5.4         Privilege Requirements

         5.5.5         Kinds of Auditing Performed

         5.5.6         Permanence of the Object

     5.6     Logical Name Tables

         5.6.1         Naming Rules

         5.6.2         Types of Access

         5.6.3         Template Profile

         5.6.4         Privilege Requirements

         5.6.5         Kinds of Auditing Performed

         5.6.6         Permanence of the Object

     5.7     Queues

         5.7.1         Naming Rules

         5.7.2         Types of Access

         5.7.3         Template Profile

         5.7.4         Privilege Requirements

         5.7.5         Kinds of Auditing Performed

         5.7.6         Permanence of the Object

     5.8     Resource Domains

         5.8.1         Naming Rules

         5.8.2         Types of Access

         5.8.3         Template Profile

         5.8.4         Privilege Requirements

         5.8.5         Kinds of Auditing Performed

         5.8.6         Permanence of the Object

     5.9     Security Classes

         5.9.1         Naming Rules

         5.9.2         Types of Access

         5.9.3         Template Profile

         5.9.4         Kinds of Auditing Performed

         5.9.5         Permanence of the Object

     5.10     Volumes

         5.10.1         Naming Rules

         5.10.2         Types of Access

         5.10.3         Template Profile

         5.10.4         Privilege Requirements

         5.10.5         Kinds of Auditing Performed

         5.10.6         Permanence of the Object

Part III

Part III Security for the System Administrator

Chapter 6

6 Managing the System and Its Data

     6.1     Role of a Security Administrator

     6.2     Site Security Policies

     6.3     Tools for Setting Up a Secure System

     6.4     Account Requirements for a Security Administrator

     6.5     Training the New User

     6.6     Logging a User's Session

     6.7     Ongoing Tasks to Maintain a Secure System

Chapter 7

7 Managing System Access

     7.1     Defining Times and Conditions for System Access

         7.1.1         Restricting Work Times

         7.1.2         Restricting Modes of Operation

         7.1.3         Restricting Account Duration

         7.1.4         Disabling Accounts

         7.1.5         Restricting Disk Volumes

         7.1.6         Marking Accounts for External Authentication

     7.2     Assigning Appropriate Accounts to Users

         7.2.1         Types of System Accounts

             7.2.1.1             Interactive Account Example

             7.2.1.2             Limited-Account Example

         7.2.2         Privileged Accounts

         7.2.3         Interactive Accounts

         7.2.4         Captive Accounts

             7.2.4.1             Setting Up Captive Accounts

             7.2.4.2             Guidelines for Captive Command Procedures

         7.2.5         Restricted Accounts

         7.2.6         Automatic Login Accounts

         7.2.7         Guest Accounts

         7.2.8         Proxy Accounts

         7.2.9         Externally Authenticated Accounts

     7.3     Using Passwords to Control System Access

         7.3.1         Types of Passwords

             7.3.1.1             Primary Passwords

             7.3.1.2             System Passwords

             7.3.1.3             Secondary Passwords

             7.3.1.4             Console Passwords

             7.3.1.5             Authentication Cards

         7.3.2         Enforcing Minimum Password Standards

             7.3.2.1             Expiring Passwords

             7.3.2.2             Enforcing Change of Expired Password

             7.3.2.3             Requiring a Minimum Password Length

             7.3.2.4             Generated Passwords

             7.3.2.5             Site Password Algorithms

         7.3.3         Screening New Passwords

             7.3.3.1             System Dictionary

             7.3.3.2             History Lists

             7.3.3.3             Site-Specific Filters

         7.3.4         Password Protection Checklist

     7.4     Enabling External Authentication

         7.4.1         Overriding External Authentication

         7.4.2         Setting a New Password

         7.4.3         Case Sensitivity in Passwords and User Names

         7.4.4         User Name Mapping and Password Verification

         7.4.5         Password Synchronization

         7.4.6         Specifying the SYS$SINGLE_SIGNON Logical Name Bits

     7.5     Controlling the Login Process

         7.5.1         Informational Display During Login

             7.5.1.1             Announcement Message

             7.5.1.2             Welcome Message

             7.5.1.3             Last Login Messages

             7.5.1.4             New Mail Announcements

         7.5.2         Limiting Disconnected Processes

         7.5.3         Providing Automatic Login

         7.5.4         Using the Secure Server

         7.5.5         Detecting Intruders

         7.5.6         Understanding the Intrusion Database

             7.5.6.1             How Intrusion Detection Works

             7.5.6.2             Setting the Exclusion Period

             7.5.6.3             System Parameters Controlling Login Attempts

         7.5.7         Security Server Process

Chapter 5
5	Descriptions of Object Classes
5.1	Capabilities
5.1.1	Naming Rules
5.1.2	Types of Access
5.1.3	Template Profile
5.1.4	Kinds of Auditing Performed
5.1.5	Permanence of the Object
5.2	Common Event Flag Clusters
5.2.1	Naming Rules
5.2.2	Types of Access
5.2.3	Template Profile
5.2.4	Privilege Requirements
5.2.5	Kinds of Auditing Performed
5.2.6	Permanence of the Object
5.3	Devices
5.3.1	Naming Rules
5.3.2	Types of Access
5.3.3	Access Requirements for I/O Operations
5.3.4	Template Profile
5.3.5	Setting Up Profiles for New Devices
5.3.6	Privilege Requirements
5.3.7	Kinds of Auditing Performed
5.3.8	Permanence of the Object
5.4	Files
5.4.1	Naming Rules
5.4.2	Types of Access
5.4.3	Access Requirements
5.4.4	Creation Requirements
5.4.5	Profile Assignment
5.4.5.1	Rules for Assigning Ownership
5.4.5.2	Rules for Assigning a Protection Code and ACL
5.4.5.3	Using the COPY and RENAME Commands
5.4.6	Kinds of Auditing Performed
5.4.7	Protecting Information When Disk Space Is Reassigned
5.4.7.1	Overwriting Disk Blocks
5.4.7.2	Setting a High-water Mark
5.4.7.3	Accessibility of Data in a File
5.4.8	Suggestions for Optimizing File Security
5.5	Global Sections
5.5.1	Naming Rules
5.5.2	Types of Access
5.5.3	Template Profile
5.5.4	Privilege Requirements
5.5.5	Kinds of Auditing Performed
5.5.6	Permanence of the Object
5.6	Logical Name Tables
5.6.1	Naming Rules
5.6.2	Types of Access
5.6.3	Template Profile
5.6.4	Privilege Requirements
5.6.5	Kinds of Auditing Performed
5.6.6	Permanence of the Object
5.7	Queues
5.7.1	Naming Rules
5.7.2	Types of Access
5.7.3	Template Profile
5.7.4	Privilege Requirements
5.7.5	Kinds of Auditing Performed
5.7.6	Permanence of the Object
5.8	Resource Domains
5.8.1	Naming Rules
5.8.2	Types of Access
5.8.3	Template Profile
5.8.4	Privilege Requirements
5.8.5	Kinds of Auditing Performed
5.8.6	Permanence of the Object
5.9	Security Classes
5.9.1	Naming Rules
5.9.2	Types of Access
5.9.3	Template Profile
5.9.4	Kinds of Auditing Performed
5.9.5	Permanence of the Object
5.10	Volumes
5.10.1	Naming Rules
5.10.2	Types of Access
5.10.3	Template Profile
5.10.4	Privilege Requirements
5.10.5	Kinds of Auditing Performed
5.10.6	Permanence of the Object
Part III
Part III	Security for the System Administrator
Chapter 6
6	Managing the System and Its Data
6.1	Role of a Security Administrator
6.2	Site Security Policies
6.3	Tools for Setting Up a Secure System
6.4	Account Requirements for a Security Administrator
6.5	Training the New User
6.6	Logging a User's Session
6.7	Ongoing Tasks to Maintain a Secure System
Chapter 7
7	Managing System Access
7.1	Defining Times and Conditions for System Access
7.1.1	Restricting Work Times
7.1.2	Restricting Modes of Operation
7.1.3	Restricting Account Duration
7.1.4	Disabling Accounts
7.1.5	Restricting Disk Volumes
7.1.6	Marking Accounts for External Authentication
7.2	Assigning Appropriate Accounts to Users
7.2.1	Types of System Accounts
7.2.1.1	Interactive Account Example
7.2.1.2	Limited-Account Example
7.2.2	Privileged Accounts
7.2.3	Interactive Accounts
7.2.4	Captive Accounts
7.2.4.1	Setting Up Captive Accounts
7.2.4.2	Guidelines for Captive Command Procedures
7.2.5	Restricted Accounts
7.2.6	Automatic Login Accounts
7.2.7	Guest Accounts
7.2.8	Proxy Accounts
7.2.9	Externally Authenticated Accounts
7.3	Using Passwords to Control System Access
7.3.1	Types of Passwords
7.3.1.1	Primary Passwords
7.3.1.2	System Passwords
7.3.1.3	Secondary Passwords
7.3.1.4	Console Passwords
7.3.1.5	Authentication Cards
7.3.2	Enforcing Minimum Password Standards
7.3.2.1	Expiring Passwords
7.3.2.2	Enforcing Change of Expired Password
7.3.2.3	Requiring a Minimum Password Length
7.3.2.4	Generated Passwords
7.3.2.5	Site Password Algorithms
7.3.3	Screening New Passwords
7.3.3.1	System Dictionary
7.3.3.2	History Lists
7.3.3.3	Site-Specific Filters
7.3.4	Password Protection Checklist
7.4	Enabling External Authentication
7.4.1	Overriding External Authentication
7.4.2	Setting a New Password
7.4.3	Case Sensitivity in Passwords and User Names
7.4.4	User Name Mapping and Password Verification
7.4.5	Password Synchronization
7.4.6	Specifying the SYS$SINGLE_SIGNON Logical Name Bits
7.5	Controlling the Login Process
7.5.1	Informational Display During Login
7.5.1.1	Announcement Message
7.5.1.2	Welcome Message
7.5.1.3	Last Login Messages
7.5.1.4	New Mail Announcements
7.5.2	Limiting Disconnected Processes
7.5.3	Providing Automatic Login
7.5.4	Using the Secure Server
7.5.5	Detecting Intruders
7.5.6	Understanding the Intrusion Database
7.5.6.1	How Intrusion Detection Works
7.5.6.2	Setting the Exclusion Period
7.5.6.3	System Parameters Controlling Login Attempts
7.5.7	Security Server Process

Contents

Index

privacy and legal statement

6346PRO_CONTENTS_001.HTML