
Glossary  


This glossary provides definitions of security-related terms used in this guide.

access control  Restrictions on the ability of a subject (user or process) to use the system or an object in the computing system. Authentication of the user name and password controls access to the system, while protection codes, access control lists, and privileges regulate access to protected objects in that system.

access control entry (ACE)  An entry in an access control list (ACL). Access control entries may specify identifiers and the access rights to be granted or denied the holders of the identifiers, default protection for directories, or security details. ACLs for each object can hold many entries, limited only by overall space and performance considerations. See also access control list, identifier.

access control list (ACL)  A list that defines the kinds of access to be granted or denied to users of an object. Access control lists can be created for all protected objects such as files, devices, and logical name tables. Each ACL consists of one or more entries known as access control entries (ACEs). See also access control entry.

access control string  A character string used in remote logins. It consists of the user name for the remote account and the user's password enclosed within quotation marks.

access matrix  A table that lists subjects on one axis and objects on the other. Each crosspoint in the matrix thus represents the access that one subject has to one object.

access type  The capability required to perform an operation on a protected object. OpenVMS security policy can require multiple capabilities to complete an operation. The most commonly accessed object, a file, can require read, write, execute, delete, or control access.

ACE  See access control entry.

ACL  See access control list.

ACL editor  An OpenVMS utility that helps users create and maintain access control lists. See also access control list.

alarm  See security alarm.

ALF file  See automatic login.

alphanumeric UIC  A format of a user identification code (UIC). The group and member names can each contain up to 31 alphanumeric characters, at least one of which is alphabetic. The other format of a UIC is numeric: it contains a group number and a member number. See also user identification code, numeric UIC.

attribute  In the security context, a characteristic of an identifier or the holder of an identifier. Attributes can enhance or limit the rights granted with an identifier; for example, a user holding an identifier with the Resource attribute can charge disk space to the identifier.

audit  See security audit.

auditing  Recording the occurrence of security-relevant events as they occur on the system and, later, examining system activity for possible security violations or improper use of the system. Security-relevant events include activities such as logins, break-ins, changes to the authorization database, and access to protected objects. Event messages can be sent as alarms to an operator terminal or written as audit records to a log file. See also security audit, security alarm.

audit trail  A pattern of security-relevant activity sometimes found in the audit log file. The audit log file maintains a record of security-relevant events, such as access attempts, successful or not, as required by the authorization database. See also security audit.

authentication  The act of establishing the identity of users when they start to use the system. OpenVMS systems (and most other commercial operating systems) use passwords as the primary authentication mechanism. See also password.

authorization database  A database that contains the security attributes of subjects and objects. From these attributes, the reference monitor determines what kind of access (if any) is authorized.

authorization file  See system user authorization file.

automatic login  A feature that permits users to log in without specifying a user name. The operating system associates the user name with the terminal (or terminal server port) and maintains these assignments in the file SYS$SYSTEM:SYSALF.DAT, referred to as the automatic login file or the ALF file.

breach  A break in the system security that results in access to system resources or objects in violation of the system's security policy.

break-in attempt  An effort made by an unauthorized source to gain access to the system. Because the first system access is achieved through logging in, intrusion attempts primarily refer to attempts to log in illegally. These attempts focus on supplying passwords for users known to have accounts on the system through informed guesses or other trial-and-error methods. See also evasive action.

C2 system  A U.S. government rating of the security of an operating system; it identifies an operating system as one that meets the criteria of a Division C, class 2 system.

capability  A resource to which the system controls access; currently, the only defined capability is the vector processor.

OpenVMS security policy protects vector processors from improper access. An operation can require use or control access.

captive account  A type of account that confines the user to the captive login command procedure. The use of Ctrl/Y is disabled. If errors in the captive command procedure cause the procedure to terminate and attempt to return the user to the DCL command level, the process is deleted. (This type of account is synonymous with a turnkey or tied account.)

common event flag cluster  A set of 32 event flags that enable cooperating processes to post event notifications to each other.

OpenVMS security policy protects common event flag clusters from improper access. An operation can require associate, delete, or control access.

control access  The right to modify an object's security profile. Control access is granted explicitly in an ACL and implicitly in a protection code. (All users qualifying for system or owner categories have control access.)

decryption  The process that restores encoded information to its original unencoded form. The information was encoded by using encryption.

Default attribute  An option added to an ACE that indicates the ACE is to be included in the ACL of any files created within a directory. When the entry is propagated, the Default attribute is removed from the ACE of the created file. An Identifier ACE with the Default attribute has no effect on access. See also access control entry, Identifier ACE.

device  A class of peripherals connected to a processor that are capable of receiving, storing, or transmitting data.

OpenVMS security policy protects devices from improper access. An operation can require read, write, physical, logical, or control access.

discretionary access controls  Security controls that are applied at the user's option; that is, they are not required. Access control lists (ACLs) are typical of such optional security features. Discretionary controls are the opposite of mandatory controls.

disk scavenging  Any method of obtaining information from a disk that the owner intended to discard. The information, although no longer accessible to the original owner by normal means, retains a sufficient amount of its original magnetic encoding that it can be retrieved and used by one of the scavenging methods. See also erase-on-allocate, erase-on-delete, erasure pattern.

encryption  A process of encoding information so that its content is no longer immediately obvious to anyone who obtains a copy of it. The information is decoded using decryption.

environmental identifier  One of four classes of identifiers. Environmental identifiers are provided by the system to identify groups of users according to their usage of the system. Environmental identifiers correspond to login classes. For example, all users who access the system by dialing up receive the dialup identifier. See also identifier.

erase-on-allocate  A technique that applies an erasure pattern whenever a new area is allocated for a file's extent. The new area is erased with the erasure pattern so that subsequent attempts to read the area can yield only the erasure pattern and not some valuable remaining data. This technique is used to discourage disk scavenging. See also disk scavenging, erase-on-delete, erasure pattern, high-water marking.

erase-on-delete  A technique that applies an erasure pattern whenever a file is deleted or purged. This technique is used to discourage disk scavenging. See also disk scavenging, erase-on-allocate, erasure pattern.

erasure pattern  A character string that can be used to overwrite magnetic media for the purpose of erasing the information that was previously stored in that area.

evasive action  A responsive behavior performed by the operating system to discourage break-in attempts when they appear to be in progress. The operating system has a set of criteria it uses to detect that an intrusion attempt may be underway. Typically, once the operating system becomes suspicious that an unauthorized user is attempting to log in, the evasive action consists of locking out all login attempts by the offender for a limited period of time.

event classes  Categories of security-relevant events. The operating system audits several event classes by default, and the security administrator can enable additional ones, if desired.

event messages  In terms of security, any notification that has to do with a user's access to the system or to a protected object within the system. The operating system can record both successful and unsuccessful events so the security administrator can know when security-relevant activity occurs on the system.

facility identifier  An identifier whose binary value contains the facility code of the application defining the identifier. See also identifier.

file  A set of data elements arranged in a structure significant to the user. A file is any named, stored program or data, or both, to which the system has access. Access can be of two types: read-only, meaning the file is not to be altered, and read/write, meaning the contents of the file can be altered. See also volume.

OpenVMS security policy protects files from improper access. An operation can require read, write, execute, delete, or control access.

file encryption  See encryption.

general identifier  One of four possible types of identifiers that specify one or more groups of users. The general identifier is alphanumeric and typically is a convenient term that symbolizes the function of the group of users. For example, typical general identifiers might be PAYROLL for all users allowed to run payroll applications or RESERVATIONS for operators at the reservations desk. See also identifier.

global section  A shared memory area (for example, Fortran global common) potentially available to all processes in the system. A global section can provide access to a disk file (called a file-backed global section), provide access to dynamically created storage (called a page file-backed global section), or provide access to specific physical memory (called a page frame number [PFN] global section). See also group global section, system global section.

group  A set of users in a system. Any user whose group UIC is identical to the group UIC of the object qualifies for the access rights granted through a protection code. The group name appears as the first field of a user identification code (UIC): [group,member].

group global section  A shareable memory section potentially available to all processes in the same group.

OpenVMS security policy protects group global sections from improper access. Operations on file-backed sections require read, write, execute, delete, or control access. Operations on other types of sections require read, write, execute, or control access. See also global section, system global section.

group number  The number or its alphanumeric equivalent in the first field of a user identification code (UIC): [group,member].

Hidden attribute  An option added to an access control entry that indicates the ACE should be changed only by the application that adds it. Although the Hidden attribute is valid for any ACE type, its intended use is to hide Application ACEs. See also access control entry.

high-water mark  A mark identifying the highest file address written, beyond which the user cannot read.

high-water marking  A technique for discouraging disk scavenging. This technique tracks the furthest extent that the owner of a file has written into the file's allocated area (the high-water mark). It then prohibits any attempts at reading beyond the written area, on the premise that any information that exists beyond the currently written limit is information some user had intended to discard. The operating system accomplishes the goals of high-water marking with a combination of true high-water marking and an erase-on-allocate strategy. See also erase-on-allocate.

holder  A user who possesses a particular identifier. Users and the identifiers they hold are recorded in the rights database. Whenever an object requires an accessor to hold an identifier, the system checks the process rights list (which is built from the rights database) in processing the access request.

identifier  An alphanumeric string representing a user or group of users recorded in the rights database and used by the system in checking access requests. There are four types of identifiers: environmental, facility, general, and UIC. See also environmental identifier, facility identifier, general identifier, resource identifier, UIC identifier.

Identifier ACE  An access control entry that controls the type of access allowed to a particular user or group of users.

journal  Name of the auditing log file where the system records events with security implications, such as logins, break-ins, or changes to the authorization database.

locked password  A password that cannot be changed by the account's owner. Only system managers or users with the SYSPRV privilege can change locked passwords.

log  A record of performance or system-relevant events.

logical I/O access  Right to perform a set of I/O operations that allow restricted direct access to device-level I/O operations using logical block addresses.

logical name table  A shareable table of logical names and their equivalence names for the operating system or a particular group.

OpenVMS security policy protects logical name tables from improper access. An operation can require read, write, create, delete, or control access.

login  The series of actions involved in authenticating a user to the system and creating a process that runs on the user's behalf.

login class  A user's method of logging into the system. System managers can control system access based on the login class: local, dialup, remote, batch, or network.

mandatory access controls  Security controls that are imposed by the system upon all users. There are no examples of mandatory controls within the OpenVMS system. Access controls on this operating system are optional (discretionary). SEVMS, the security enhanced version of OpenVMS, provides mandatory access controls (MAC) and enhanced security auditing for secure standalone or clustered OpenVMS systems.

NETPROXY  See network proxy authorization file.

network proxy authorization file (NETPROXY.DAT or NET$PROXY.DAT [VAX only])  A file containing an entry for each user authorized to connect to the local system from a remote node in the network.

nondiscretionary controls  See mandatory access controls.

nonprivileged  Describes a type of account with no privilege other than TMPMBX and NETMBX and a user identification code (UIC) greater than the system parameter MAXSYSGROUP.

Nopropagate attribute  An option added to an access control entry that indicates the ACE cannot be copied by operations that usually propagate ACEs, such as SET SECURITY/LIKE. See also access control entry.

numeric UIC  A format of a user identification code (UIC) that specifies the user's group and member number in numeric form. The group number is an octal number in the range of 1 through 37776; the member number is an octal number in the range of 0 through 177776.

object  A passive repository of information to which the system controls access. Access to an object implies access to the information it contains. See also capability, common event flag cluster, device, file, group global section, logical name table, queue, resource domain, security class, system global section, volume.

object class  A set of protected objects with common characteristics. For example, all files belong to the file class, whereas all devices belong to the device class.

object security profile  A set of security elements that defines access requirements. The elements include an owner (UIC), a UIC-based protection code, and, possibly, an ACL. See also access control list, owner, protection code.

open accounts  Accounts that do not require passwords.

operator terminal  A terminal attended by a system operator. The system can send system event messages to the terminal, provided the event class is enabled.

owner  A user with the same user identification code (UIC) as the protected object. An owner always has control access to the object and can therefore modify the object's security profile. When the operating system processes an access request from an owner, it considers the access rights in the owner field of a protection code.

password  A character string that users provide at login time to validate their identity and as a form of proof of their authorization to access the account. There are system passwords and user passwords. User passwords include both primary and secondary passwords. See also primary password, secondary password, system password, user password.

physical I/O access  The right to perform a set of I/O functions that allows access to all device-level I/O operations except maintenance mode using physical block addresses.

primary password  A type of user password that is the first user password requested from the user. Systems may optionally require a secondary password. A primary or a secondary password must be associated with the user name in the user authorization file. See also secondary password.

privileges  A means of protecting the use of certain system functions that can affect system resources and integrity. System managers grant privileges according to users' needs and deny them to users as a means of restricting their access to the system.

process security profile  The set of security elements the system assigns to a process at creation. Elements include the process UIC plus all of its identifiers and privileges. See also identifier, privileges, user identification code.

Protected attribute  An option added to an access control entry that indicates the ACE is protected against casual deletion. It can be deleted by using the ACL editor or by specifying the ACE explicitly when deleting it.

protected object  An object containing shareable information to which the system controls access. See also object.

protected subsystem  An application with enhanced access control. While users run the application, their process rights list contains identifiers giving them access to objects owned by the subsystem. As soon as the users exit the application, these identifiers and, therefore, access rights to objects are taken away.

protection  The attributes of an object that limit the type of access available to users. See also access control list, protection code, user identification code.

protection code  A code defining the type of access that users are allowed to objects, based on the user's relationship to the object's owner. The code defines four sets of users: those with system rights, those with ownership rights, those belonging to the same group, and all users on the system, who are called world users. See also group, owner, system, world.

proxy login  A type of login that permits a user from a remote node to effectively log in to a local node as if the user owned an account on the local node. However, the user does not specify a password in the access control string. The remote user may own the account or share the account with other users.

pseudodevice  An entity like a mailbox that is treated as an I/O device by the user or system, although it is not any particular physical device.

queue  A set of jobs to be processed. There are four types of execution queues: batch, terminal, server, and print.

OpenVMS security policy protects queues from improper access. An operation can require read, submit, manage, delete, or control access.

reference monitor  The control center within the operating system that authenticates subjects and implements and enforces the security policy for every access to an object by a subject.

Resource attribute  An option specified when an identifier is added to the rights database, and later when the identifier is granted to a user. When a user holds the identifier with the Resource attribute, that user can charge disk space to the identifier.

resource domain  A namespace controlling access to OpenVMS distributed lock management resources.

OpenVMS security policy protects resource domains from improper access. An operation can require read, write, lock, or control access.

resource identifier  An identifier with the Resource attribute. Thus, holders of the identifier can charge disk space to the identifier.

restricted account  A type of account with a secure login procedure. The user is not allowed to use the Ctrl/Y key sequence during the system or process login command procedure. Control may be turned over to the user following execution of the login command procedures.

rights database  The collection of data the system maintains and uses to define identifiers and associate identifiers with the holders of the identifiers.

rights identifier  See identifier.

rights list  The list associated with each process that includes all the identifiers the process holds.

RWED  The abbreviation for read, write, execute, delete, which are types of access to data files and directory files.

secondary password  A user password that may be required at login time immediately after the primary password has been submitted correctly. Primary and secondary passwords can be known by separate users to ensure that more than one user is present at the login. A less common use is to require a secondary password as a means of increasing the password length so that the total number of combinations of characters makes password guessing more time-consuming. See also primary password.

secure terminal server  Operating system software designed to ensure that users can log in only to terminals that are already logged out. When the user presses the Break key on a terminal, the secure server (if enabled) responds by first disconnecting any logged-in process and then initiating a login. If no process is logged in at the terminal, the login can proceed immediately.

security administrator  The person or persons responsible for implementing and maintaining the organization's security policy. This role is sometimes performed by the same person who functions as a system manager. It requires the same skills as the system manager as well as knowledge of the security features provided with the operating system.

security alarm  A message sent to an operator terminal that is enabled to receive messages pertaining to security events. Security alarms are triggered by the occurrence of an event previously designated as worthy of the alarm because of its security implications.

security audit  An auditing message written to the security audit log file. These messages report the occurrence of events with security implications, such as logins, break-ins, and changes to the authorization database. A system administrator uses the log file to examine system activity for possible security violations or improper use of the system.

security auditing  See auditing.

security class  The object class whose members are all object classes. Each member defines the object templates and management routines for its object class.

OpenVMS security policy protects security classes from improper access. An operation can require read, write, or control access.

security officer  See security administrator.

security operator terminal  A class of terminal that has been enabled to receive messages sent by OPCOM to security operators. These messages are security alarm messages. Normally such a terminal is a hardcopy terminal in a protected room. The output provides a log of security-related events and details that identify the source of the event.

security profile  A set of elements that describe either an object's access requirements or a subject's access rights. See also object security profile, process security profile.

social engineering  The act of gaining unauthorized access to or information about computer systems and resources by enlisting the aid of unwitting users or operators. Often involves impersonation or other fraud.

subject  A principal, either a user process or an application, that accesses information or is prevented from accessing information. The operating system controls access to any object that contains shareable information. Therefore, subjects must be authorized to access objects. See also process security profile.

system  In the context of a protection code, identifies a set of users in a system. System users typically have a UIC in the range 1 through 10 (octal); however, the exact range of a system UIC is determined by the system parameter MAXSYSGROUP. Other ways to become a system user include having SYSPRV privilege or being in the same group as the owner and holding GRPPRV. System operators and system managers are usually system users.

system-defined identifier  See environmental identifier.

system global section  A shareable memory section potentially available to all processes in the system.

OpenVMS security policy protects system global sections from improper access. Operations on file-backed sections require read, write, execute, delete, or control access. Operations on other types of sections require read, write, execute, or control access.

system password  A password controlling access to particular terminals. System passwords are usually necessary to control access to terminals that might be targets for unauthorized use, such as dialup and public terminal lines. After an authorized person enters the system password, a user can enter his user password. See also user password.

system user authorization file (SYSUAF.DAT)  A file containing an entry for every user that the system manager authorizes to gain access to the system. Each entry identifies the user name, password, default account, user identification code (UIC), quotas, limits, and privileges assigned to individuals who use the system.

SYSUAF  See system user authorization file.

TCB  See trusted computing base.

template profile  The default set of security elements applied to new objects of a class. See also object security profile.

tied account  See captive account.

trap door  An illicit piece of software or software modification in an operating system that allows access in violation of the system's established security policy.

Trojan horse program  A program that gains access to otherwise secured areas through its pretext of serving one purpose when its real intent is far more devious and potentially damaging. When an authorized user performs a legitimate operation using a program, the unauthorized program within it (the Trojan horse) performs an unauthorized function.

trusted computing base (TCB)  A combination of computer hardware and operating system software that enforces a security policy.

In OpenVMS systems, the TCB includes the entire executive and file system, all other system components that do not execute in user mode (such as device drivers, RMS, and DCL), most system programs installed with privilege, and a variety of other utilities used by system managers to maintain data relevant to the TCB.

turnkey account  See captive account.

UAF  See system user authorization file.

UIC  See user identification code.

UIC identifier  An identifier in alphanumeric format that is based on a user's identification code (UIC). Such an identifier can appear with or without brackets. See also identifier.

UIC protection code  See protection code.

user category  One of four fields in a protection code. The code defines the access rights for four categories of users: (a) the owner, (b) the users who share the same group UIC as the owner (the group category), (c) all users on the system (the world category), and (d) those with system privileges or rights (the system category). A code lists access rights in a fixed order: System, Owner, Group, World.

user identification code (UIC)  A 32-bit value assigned to users that tells what group users belong to on the system and what their unique identification is within that group. Any UIC specification is enclosed in brackets, but it can be in either an alphanumeric or a numeric format. For example, the UIC [SALES,JONES] identifies Jones as a member of the Sales group. Protected objects like files also have UICs. In most cases, their UICs come from the users who created them.

user irresponsibility  Situations where the user purposely or accidentally causes some noticeable damage on a computer system.

user name  The name a user enters to log in to the system. Together with a password, the user name identifies and authenticates a person as a valid user of the system. See also password, user password.

user password  A character string recorded in a user's record in the system user authorization file. The password and the user's name must be correctly supplied when the user attempts to log in so that the user is authenticated for access to the system. The two types of user passwords are known as primary and secondary; the terms also represent the sequence in which they are entered. See also primary password, secondary password, system password.

user penetration  Situations where the user exploits defects in the system software or system administration to break through security controls to gain access to the computer system.

user probing  Situations where a user exploits insufficiently protected parts of a computer system.

virus  A command procedure or executable image written and placed on the system for the sole purpose of seeking unauthorized access to files and accounts on the system. The virus seeks access to a user file through a flaw in the file protection. If successful, the virus modifies the file so that it carries a copy of the virus. Each time an unsuspecting user executes the code that contains the virus, the virus attempts to propagate itself into other poorly protected procedures or images. The virus seeks to find its way into a procedure that will be run from a privileged account so that the virus can inflict damage to the system.

volume  A mass storage medium, such as a disk or tape, that is in ODS-2 or ODS-5 format. Volumes contain files and may be mounted on devices.

OpenVMS security policy protects volumes from improper access. An operation can require read, write, create, delete, or control access.

world  A category of users whose access rights to an object are identified in the last field of a protection code. The world category encompasses all users or applications on the system, including system operators, system managers, and users both in the owner's group and any other group.

worm  A procedure that replicates itself over many nodes in a network, typically using default network access or known security flaws. The usual effect of a worm is severe performance degradation as replicas of the worm saturate the computing capacity and bandwidth of the network. In contrast to a virus, which spreads by modifying existing programs and executing when some user runs the program, a worm stands by itself, operates in its own process context, and initiates its own offspring.
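As an added illustration (not part of this guide), the following Python models how the entries for protection code, user category, system, owner, group, world, control access, and numeric UIC fit together by deciding whether a UIC-based protection code grants a given access. It assumes the conventional S:RWED,O:RWED,G:RE,W: notation, a MAXSYSGROUP of 10 (octal) as the glossary's typical value, and the rule that access is granted when any category the process qualifies for grants it; ACLs and privileges other than SYSPRV and GRPPRV are out of scope.

```python
import re

# Assumed MAXSYSGROUP for this example: group 10 (octal), matching the
# glossary's "1 through 10 (octal)" description of system users.
MAXSYSGROUP = 0o10

# The four user categories in the fixed order a protection code lists them.
CATEGORIES = ("S", "O", "G", "W")
ACCESS_TYPES = frozenset("RWED")

# Numeric UIC ranges from the "numeric UIC" entry (octal).
GROUP_MAX = 0o37776
MEMBER_MAX = 0o177776


def parse_uic(text):
    """Parse a numeric UIC written as [group,member] with octal fields.
    Returns (group, member) as ints; rejects out-of-range values."""
    m = re.fullmatch(r"\[([0-7]+),([0-7]+)\]", text.strip())
    if not m:
        raise ValueError("expected numeric UIC of the form [group,member]: %r" % text)
    group, member = int(m.group(1), 8), int(m.group(2), 8)
    if not 1 <= group <= GROUP_MAX:
        raise ValueError("group number out of range: %o" % group)
    if not 0 <= member <= MEMBER_MAX:
        raise ValueError("member number out of range: %o" % member)
    return group, member


def parse_protection_code(text):
    """Parse a protection code such as (S:RWED,O:RWED,G:RE,W:).
    Returns a dict mapping each category letter to the set of access
    types it grants; an omitted or empty field grants nothing."""
    text = text.strip()
    if text.startswith("(") and text.endswith(")"):
        text = text[1:-1]
    code = {c: set() for c in CATEGORIES}
    for field in filter(None, (f.strip() for f in text.split(","))):
        cat, _, rights = field.upper().partition(":")
        if cat not in CATEGORIES:
            raise ValueError("unknown user category %r" % cat)
        bad = set(rights) - ACCESS_TYPES
        if bad:
            raise ValueError("unknown access type(s) %s" % "".join(sorted(bad)))
        code[cat] = set(rights)
    return code


def user_categories(user_uic, owner_uic, privileges=(), maxsysgroup=MAXSYSGROUP):
    """Return the set of categories a process qualifies for.
    Every process is World; same group number adds Group; identical UIC
    adds Owner; a group number up to MAXSYSGROUP, SYSPRV, or GRPPRV while
    in the owner's group adds System (per the "system" glossary entry)."""
    privs = {p.upper() for p in privileges}
    cats = {"W"}
    same_group = user_uic[0] == owner_uic[0]
    if same_group:
        cats.add("G")
    if user_uic == owner_uic:
        cats.add("O")
    if user_uic[0] <= maxsysgroup or "SYSPRV" in privs or (same_group and "GRPPRV" in privs):
        cats.add("S")
    return cats


def check_access(code, user_uic, owner_uic, access, privileges=(), maxsysgroup=MAXSYSGROUP):
    """Decide whether the protection code grants ACCESS (R, W, E, D, or C
    for control) to a process, ignoring any ACL. Assumed rule: access is
    granted if any qualifying category grants it; control access is
    implicit for the System and Owner categories ("control access" entry)."""
    access = access.upper()
    cats = user_categories(user_uic, owner_uic, privileges, maxsysgroup)
    if access == "C":
        return bool(cats & {"S", "O"})
    if access not in ACCESS_TYPES:
        raise ValueError("unknown access type %r" % access)
    return any(access in code[c] for c in cats)


if __name__ == "__main__":
    # Constructed sample: a file owned by [300,12] with a code that keeps
    # delete and write away from the group and everything from the world.
    owner = parse_uic("[300,12]")
    code = parse_protection_code("(S:RWED,O:RWED,G:RE,W:)")
    for uic_text, privs in (("[300,12]", ()), ("[300,15]", ()),
                            ("[300,15]", ("GRPPRV",)), ("[5,1]", ()),
                            ("[400,2]", ()), ("[400,2]", ("SYSPRV",))):
        uic = parse_uic(uic_text)
        granted = "".join(a for a in "RWEDC" if check_access(code, uic, owner, a, privs))
        print("%-10s %-8s categories=%s granted=%s" % (
            uic_text, ",".join(privs) or "-", "".join(sorted(user_categories(uic, owner, privs))), granted or "-"))
```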
