HP OpenVMS Guide to System Security

Security for the System Administrator

Controlling Access to System Data and Resources

Setting Default Protection and Ownership

Security Auditing

Added Protection for System Data and Resources  

Precautions to TakeWhen Installing New Software  

When you install new software, you must address several securityconcerns. You want to ensure that you are not admitting softwarethat will in any way corrupt or undermine your usual security precautions.You must also consider whether to install the software with anyprivileges. This section discusses the security aspects of installingnew software.

Potentially Harmful Programs  

New software can contain programs that are potentially harmfulto your system. These programs, called Trojan horse programs, aredesigned to do damage and frequently include features that do thefollowing:

• Pass privileges of the person runningthe program back to the author of the program



• Allow unauthorized access to the system



• Change protection of system files



• Patch the system (add special software to the operatingsystem)



• Create jobs that scan for easily guessed passwords

To protect your system from this type of intrusion, alwaysbuy software from reputable sources. When training new users, stressthe importance of avoiding use of software from an unknown source.

Another risk to programs and directories is known as the virus.While Trojan horse software must rely on the innocent user to unwittinglyaccept the damaging software by using it, the virus requires nouser cooperation. It is a program that takes advantage of faultyfile protection, working its way through your system and modifyingcommand procedures and executable programs. By modifying commandprocedures, it can propagate by making use of user access rightsand privileges.

Viruses are less of a problem in the OpenVMS environment thanin an environment of personal computers. The OpenVMS protectionfeatures and the environment's larger scale and diversity make virusattacks more difficult. However, no environment that permits thesharing of software and data is immune from virus attacks.

The user's login command procedure is a prime target for thistype of security breach. Login command procedures generally containeasily modified DCL commands and are executed regularly.

ACLs are also targets. File protection designed with userssharing access privileges allows this type of program to run throughmany users' programs, acquiring new privileges along the way.

Well-designed file protection is critical for protection fromthis type of security breach. Make sure that likely targets cannotbe modified by users. For example, set up file protection so thatyour login command procedure permits at most read access to allother users. Also make sure the directory containing the login command procedurepermits write access only to users in the system and owner categories.

Because most damage occurs when programs like these reacha target account with privileges, users with privileges should beespecially cautious with the protection of their root directory,executable files, and command procedures. To deter Trojan horseattacks, users should never execute a command procedure or run animage in a privileged account without inspecting the command procedureor the image's sources. Application images should be rebuilt fromsource to ensure that the binary image reflects the accompanying source.

Installing Programs with Privilege  

Some software requires privilege to run. You can extend theprivilege to all users you expect will need to run the software,or you can install the program with the required privileges. Whenyou install privileged software, you allow users to execute it whetheror not they personally possess the required privilege. In effect, youextend the privilege to the process while it runs the software.While this offers some advantages, it also introduces several security-relateddangers. Giving Users Privileges describesthese options in greater detail.

Protecting System Files  

Even on the most open system, you will want protection forthe system software. Normally, HP delivers system programs and databaseswith adequate UIC protection. However, if for any reason you aredissatisfied with the default protection, you can change it withthe techniques outlined in Protecting DataChapter 4, provided you have the necessarySYSPRV privilege. You might also add an ACL to any file that youdecide needs additional protection.

You can obtain a full listing of system files from the systemmanager's account during an OpenVMS installation with the followingDCL command:

$ DIRECTORY/SECURITY/OUTPUT=SYSTEM_FILES.LIS SYS$SYSROOT:[*...]

On Alpha systems, you can obtain a listing of system filesand their protections from the read-only compact disc distributionmedia. Your OpenVMS software should have this set of protectioncodes following a correct installation.

On VAX systems, refer to Protection for OpenVMS System Files for a listing of system files and their protections.Your OpenVMS software should have this set of protection codes followinga correct installation.

DCL Commands Used to Protect Files providesa summary of DCL commands you use to set up and display file protection;these commands are described in the HP OpenVMS DCL Dictionary.

Table 4   DCL Commands Used to Protect Files

Command	Function
DIRECTORY/ACL	Displays the ACL for thefile
DIRECTORY/OWNER	Displays the file owner'sUIC
DIRECTORY/PROTECTION	Displays the file's protectioncode
DIRECTORY/SECURITY	Combines and displays fileinformation produced by DIRECTORY/ACL, DIRECTORY/OWNER, and DIRECTORY/PROTECTION
EDIT/ACL	Invokes the access controllist editor (ACL editor)
SET PROTECTION/DEFAULT	Establishes the defaultprotection to be applied to all files subsequently created
SET SECURITY	Modifies the security profileof any object: the owner, protection code, and ACL
SHOW SECURITY	Displays the ownership, UIC protectioncode, and ACL of a protected object

The OpenVMS installation procedure does not initially installMAIL.EXE with any privileges (because MAIL.EXE does not requireprivileges to perform its functions). Prior versions of the OpenVMSoperating system did include mechanisms that allowed MAIL.EXE tocheck, ignore, grant, or override certain privileges that a systemmanager might assign when reinstalling MAIL.EXE. Because these regulatorymechanisms sometimes created unexpected or undesirable conditions,they have been removed.

If you reinstall MAIL.EXE with certain privileges,you must carefully consider possible ramifications, including thepotential for security breaches. For example, because MAIL.EXE confersits privileges on any user who invokes the Mail utility, that userwill inherit those privileges if the user creates a subprocess fromwithin Mail by specifying the SPAWN command.

You might also ask if there are cases where you do not wantsome or all of your users to be able to initialize media. If thereare, you can put an ACL to good use on the system program SYS$SYSTEM:INIT.EXE.Ensure that you grant no access to the world category in the UIC-basedprotection code. Then create an ACL for the file that grants accessto specific users.

Similarly, if a department in your company has paid for alicense to a software product, you may want to make that softwareavailable to them but not to others. Ensure that the world categoryreceives no access through the standard UIC-based protection code,and create an entry in the ACL for that file that allows accessthrough the department's identifier.

You may also find that ACL protection is relevant to protectyour applications databases, limiting the access to certain usersor to protected subsystems.

Restricting DCL Command Usage  

There are several ways that you can affect the use of DCLcommands by your users. Among them are the following:

• Impose ACLs on the system programfiles in the directories SYS$SYSROOT:[SYSEXE] and SYS$SYSROOT:[SYSLIB].



• Set the AUTHORIZE flag DISIMAGE to prevent use ofthe MCR or the RUN command. This prevents users from executing systemor user-written images or from executing images defined as foreign commands.
  
  Because the DISIMAGE flag is enforced by the DCL command languageinterpreter (CLI), you must ensure that the account for which theDISIMAGE flag is set has access to the DCL CLI only. Use the DISIMAGEflag in conjunction with the AUTHORIZE flag DEFCLI or within a restrictedaccount. (Setting the RESTRICTED flag for an account implicitlysets the DEFCLI flag.)



• Remove or modify DCL command definitions, and rebuildthe DCL tables. (The HP OpenVMS System Management UtilitiesReference Manual describes how to create command definitions.)Use the /CLITABLES qualifier in the user's UAF record to specifythe modified tables. Also specify /FLAGS=DEFCLI to ensure that theuser can log in only with the specified command language interpreter(CLI) and tables. Protect the original DCL tables from unauthorizedaccess by imposing ACLs on the system program files in the directoriesSYS$SYSROOT:[SYSEXE] and SYS$SYSROOT:[SYSLIB]. In particular, protectSYS$LIBRARY:DCLTABLES.EXE and SYS$SYSTEM:CDU.EXE.

Encrypting Files  

File encryption refers to the processof applying an algorithm to data to conceal its content. Decryption reversesthe operation and converts encoded information back to its originalcontent. If you need to copy proprietary software onto media forremoval to another site, you might use file encryption. The softwareon the media is useless without the correct decryption code.

Different file encryption systems, both software and hardware,are available. Consult your HP support channel for information onwhich products are available in your country.

Protecting Disks  

Disk scavenging is the process of reading magnetic imprintsof data after deletion of the file header following a purge or deleteoperation. (When users delete files from the system, only the fileheader is deleted.) Until the data is overwritten, it is a potentialtarget for disk scavenging. Sites with medium or high security needs shouldbe concerned about this procedure.

After establishing overall security features, restrict accessto disks containing valuable information by using UIC-based volumeprotection. Because disk scavenging is frequently performed by authorizedusers, consider implementing erasure patterns and high-water marking,as described in the following sections.

Erasing Techniques  

There are several ways to implement erasing of disks.

• The inclusion of the /ERASE qualifierwith the DELETE or the PURGE command causes the system to writean erasure pattern of zeros over the entire file location when youdelete or purge that file. You can encourage users to use this qualifiervoluntarily or make inclusion automatic by including the following commanddefinitions in the system login command procedure (usually SYS$MANAGER:SYLOGIN.COM):

  DEL*ETE :== "DELETE/ERASE"PUR*GE :== "PURGE/ERASE"

  However, any user can bypass these definitions by adding the/NOERASE qualifier to the DELETE or the PURGE command.



• To guarantee erase-on-delete,turn on the feature for the entire volume by using the DCL command SETVOLUME/ERASE_ON_DELETE. When files are deleted, this command overwritesall files on the volume with the erasure pattern of zeros.



• To completely erase the volume and enable erase-on-deletefor the volume at volume initialization, use the DCL command INITIALIZE/ERASE.
  
  By default, when erase-on-deleteis enabled, the operating system writes a default datasecurity erase (DSE) pattern of zeros, applied duringa single write operation over the area. If you feel that the default patternof zeros or the single rather than multiple number of erasures doesnot suit your requirements, you can use the $ERAPAT (Get SecurityErase Pattern) system service to write a customized erasure pattern.See the description of $ERAPAT in the HP OpenVMS SystemServices Reference Manual for more information.

For sites with high-level security requirements, a randompattern is preferable to a fixed pattern. The technology is alreadyavailable that can detect and use faint residual magnetic impressions.Thus, if you conclude there is sufficient danger that a disk mightbe removed and read using some of this specialized analysis equipment,you may need to rewrite the erasure pattern several times. You canlearn how to customize the data security erase pattern to fit yourneeds by studying the information provided in the file SYS$EXAMPLES:DOD_ERAPAT.MAR.

Employ erasing patterns only on disks where the security needsare the greatest. Erasures are time-consuming and affect systemperformance.

Prevention Through High-Water Marking  

High-watermarking refers to a technique that tracks the furthest extent towhich each file has been written and prohibits user attempts atreading data beyond that point.

The operating system implements true high-water marking forall sequential, exclusively accessed files, such as the set of filesoutput from various text editors, compilers, and linkers, that is,most files a process writes. The high-water mark is updated in thefile header whenever the logical end-of-file mark is updated (usually whenthe file is closed).

For shared files (both indexed and sequential), the operatingsystem uses the principle of erase-on-allocate toachieve a result similar to true high-water marking. When a fileis about to be created or extended, the system determines how muchdisk space (the extent of the file) is required and applies thesecurity erasure pattern of zeros to the areas (extents) it allocatesfor writing. The file is then written into the area just erased forit. Thus, if any user gains access to the file (including its fullextent) and attempts to read the area beyond where the file hasbeen written, only the data security erase pattern is readable.

By default, the operating system turns on high-water markingfor all volumes. High-water marking is a deterrentto disk scavenging attempts. However, it does require additionalI/O, which affects system performance.

You can turn off high-water marking and erase-on-allocateon a volume-by-volume basis by specifying the DCL command SET VOLUME/NOHIGHWATER_MARKING.

Summary of Prevention Techniques  

As security administrator, you can apply the following controlsto discourage disk scavengers:

• Provide tight physical security, particularlyon those disks with the most valuable information.



• Provide tight volume protection through UIC-basedprotection.



• Encourage the use of the /ERASE qualifier when keyfiles are purged or deleted through user participation or volumeenforcement.



• Permit default high-water marking on your most valuabledisks.

Protecting Backup Media  

You can guard against data loss or corruption by creatingcopies of your files, directories, and disks. In case of a problem,you can restore the backup copy and continue your work. Secure mediastorage and controlled access to media are essential parts of theprocess. It is best to store backup media off site.

Backing Up Disks  

Having an effective backup schedule is critical to protectyour data. By performing regularly scheduled backup operations,you prevent the loss of accidentally deleted or damaged files.

Refer to the HP OpenVMS System Management UtilitiesReference Manual for information about performing backupsand setting up backup schedules. Be aware that the Backup utility(BACKUP) does not implement security policy; you must direct itexplicitly. It runs with the security profile of the operator, whichcan often be privileged.

Protecting a Backup Save Set  

Limiting access to backup save sets is an important part ofsystem security. The file system treats a backup save set as a singlefile, whether it is stored on disk or on magnetic tape. Therefore,anyone with access to a save set can read any file in the save set.BACKUP does not check protection on individual files.

To maintain system security, it is crucial that you protectsave sets adequately. Assign restrictive protection to save setson disk and to magnetic tape volumes by using the output save-setqualifiers /BY_OWNER and /PROTECTION. Sufficient protection canprevent nonprivileged users from mounting a save-set volume or fromreading files from a save set. You should also take physical securityprecautions with save sets stored off line by keeping backup mediain locked cabinets.

When you write a save set to a Files--11 disk or a sequentialdisk and do not specify the /PROTECTION qualifier, BACKUP appliesthe process default protection to the save set. If you specify /PROTECTION,any protection categories that you do not specify default to yourdefault process protection.

Protection information is written to the volume header recordof a magnetic tape and applies to all save sets stored on the tape.Therefore, the output save-set qualifiers /BY_OWNER and /PROTECTIONare effective on magnetic tape save sets only if you specify theoutput save-set qualifier /REWIND. This qualifier allows the tapeto rewind to its beginning, to write the protection data to thevolume header record, and to initialize the tape. If you specify/PROTECTION, any protection categories that you do not specify defaultto your default process protection. If you do not specify /REWINDwith the /PROTECTION and /BY_OWNER qualifiers, the magnetic taperetains its existing protection. However, specifying /REWIND aloneresults in a magnetic tape without any protection.

The following example illustrates how a directory is backedup to tape:

$  BACKUP_FROM:  [PAYROLL]_TO: MFA2:KNOX.BCK/LABEL=BANK01 - _$ /REWIND/BY_OWNER_UIC=[030,003] - _$ /TAPE_EXPIRATION=15-JAN-2001 - _$ /PROTECTION=(S:RWE,O:RWED,G:RE,W) 

1. The contents of the directory [PAYROLL]is copied to file KNOX.BCK on the magnetic tape drive MFA2. Theoutput save-set qualifier /LABEL provides the label BANK01 for thetape.
2. The output save-set qualifier /BY_OWNER assignsan owner UIC of [030,003] to the save set.
3. The output save-set qualifier /TAPE_EXPIRATION assignsan expiration date of January 15, 2001 to the tape.
4. The output save-set qualifier /PROTECTION assignsthe owner of the volume read, write, execute, and delete access.System users are assigned read, write, and execute access; groupusers are assigned read and execute access; world users are assignedno access.

Retrieving Files from Backup Save Sets  

Anyone who has access to a save set can read any file in thesave set. Never give a copy of your backup media to a user; a malicioususer could restore the files from the tape or disk and compromisethe security of the system.

When a nonprivileged user wants to restore a particular file,do not lend the volume containing the save set. You could give awayaccess to all the files on the volume. The safest way to restorea particular file is to restore the file selectively, as shown inthe following example:

$ BACKUP MTA0:JULY.BCK/SELECT=[JONES.TEXTPROC]LASTMONTH.DAT -_$ [*...]/BY_OWNER=ORIGINAL

Protecting Terminals  

The next sections describe the controls available for restrictingthe use of terminals.

Restricting Terminal Use  

Through the device object class template TERMINAL, the operatingsystem sets up terminals to be accessible to the SYSTEM accountonly. When a user logs in, the operating system transfers ownershipfrom a system UIC to the UIC of the current process.

You can limit logins on specificterminals in the following ways:

• Assign a system password.



• Set the terminal to /NOTYPE_AHEAD, making it impossibleto log in.

The application of system passwords limits the use of thoseterminals to users who know the system password.

Restricting Application Terminals and MiscellaneousDevices  

To make terminals accessible to certain users as applicationterminals, you may want to change any or all of the device's securitycharacteristics. You can include the DCL command SET SECURITY/CLASS=DEVICE forspecific terminals (with appropriate protection codes) in the commandprocedure SYS$MANAGER:SYSTARTUP_VMS.COM. This DCL command can limitaccess to any device that is not file structured. You might alsoplace an ACL on the device to limit user access.

Configuring Terminal Lines for Modems  

When configuring terminal lines for modems, never set the/COMMSYNC qualifier to the DCL command SET TERMINAL (or the TT$M_COMMSYNCcharacteristic for the TTDRIVER interface) on a line with a modem hookupthat is intended for interactive use.

The qualifier disables the modem terminal characteristic thatdisconnects a user process from the terminal line in case of a modemphone line failure. With the /COMMSYNCH qualifier enabled, the nextcall on the terminal line could be attached to the previous user'sprocess. The /COMMSYNC qualifier is intended to allow connectionof asynchronous printers and other devices to terminal ports byusing modem signals as flow control.

Setting Default Protection and Ownership

Security Auditing