encryption: A process of encoding information so that
its content is no longer immediately obvious to anyone who obtains a
copy of it. The information is decoded using decryption.
environmental identifier: One of four classes of
identifiers. Environmental identifiers are provided by the system to
identify groups of users according to their usage of the system.
Environmental identifiers correspond to login classes. For example, all
users who access the system by dialing up receive the dialup
identifier. See also identifier.
erase-on-allocate: A technique that applies an erasure
pattern whenever a new area is allocated for a file's extent. The new
area is erased with the erasure pattern so that subsequent attempts to
read the area can yield only the erasure pattern and not some valuable
remaining data. This technique is used to discourage disk scavenging.
See also disk scavenging, erase-on-delete,
erasure pattern, high-water marking.
erase-on-delete: A technique that applies an erasure
pattern whenever a file is deleted or purged. This technique is used to
discourage disk scavenging. See also disk scavenging,
erase-on-allocate, erasure pattern.
erasure pattern: A character string that can be used
to overwrite magnetic media for the purpose of erasing the information
that was previously stored in that area.
evasive action: A responsive behavior performed by the
operating system to discourage break-in attempts when they appear to be
in progress. The operating system has a set of criteria it uses to
detect that an intrusion attempt may be underway. Typically, once the
operating system becomes suspicious that an unauthorized user is
attempting to log in, the evasive action consists of locking out all
login attempts by the offender for a limited period of time.
event classes: Categories of security-relevant events.
The operating system audits several event classes by default, and the
security administrator can enable additional ones, if desired.
event messages: In terms of security, any notification
that has to do with a user's access to the system or to a protected
object within the system. The operating system can record both
successful and unsuccessful events so the security administrator can
know when security-relevant activity occurs on the system.
facility identifier: An identifier whose binary value
contains the facility code of the application defining the identifier.
See also identifier.
file: A set of data elements arranged in a structure significant to the user. A file is any named, stored program or data, or both, to which the system has access. Access can be of two types: read-only, meaning the file is not to be altered, and read/write, meaning the contents of the file can be altered. See also volume.
OpenVMS security policy protects files from improper access. An
operation can require read, write, execute, delete, or control access.
file encryption: See encryption.
general identifier: One of four possible types of
identifiers that specify one or more groups of users. The general
identifier is alphanumeric and typically is a convenient term that
symbolizes the function of the group of users. For example, typical
general identifiers might be PAYROLL for all users allowed to run
payroll applications or RESERVATIONS for operators at the reservations
desk. See also identifier.
global section: A shared memory area (for example,
Fortran global common) potentially available to all processes in the
system. A global section can provide access to a disk file (called a
file-backed global section), provide access to dynamically created
storage (called a page file-backed global section), or provide access
to specific physical memory (called a page frame number [PFN] global
section). See also group global section, system global section.
group: A set of users in a system. Any user whose
group UIC is identical to the group UIC of the object qualifies for the
access rights granted through a protection code. The group name appears
as the first field of a user identification code (UIC): [group,member].
group global section: A shareable memory section potentially available to all processes in the same group.
OpenVMS security policy protects group global sections from improper
access. Operations on file-backed sections require read, write,
execute, delete, or control access. Operations on other types of
sections require read, write, execute, or control access. See also
global section, system global section.
group number: The number or its alphanumeric
equivalent in the first field of a user identification code (UIC):
[group,member].
Hidden attribute: An option added to an access control
entry that indicates the ACE should be changed only by the application
that adds it. Although the Hidden attribute is valid for any ACE type,
its intended use is to hide Application ACEs. See also access
control entry.
high-water mark: A mark identifying the highest file
address written, beyond which the user cannot read.
high-water marking: A technique for discouraging disk
scavenging. This technique tracks the furthest extent that the owner of
a file has written into the file's allocated area (the high-water
mark). It then prohibits any attempts at reading beyond the written
area, on the premise that any information that exists beyond the
currently written limit is information some user had intended to
discard. The operating system accomplishes the goals of high-water
marking with a combination of true high-water marking and an
erase-on-allocate strategy. See also erase-on-allocate.
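The three entries above (erase-on-allocate, erase-on-delete, and high-water marking) each close the same gap in a different place. The following toy simulation is an added illustration, not OpenVMS code: a disk whose freed blocks keep their old contents until something overwrites them, a file whose extent is allocated from that disk, and switches for each countermeasure. The block size, the erasure pattern, the free-list behaviour and the API are all constructed for the example.

```python
# Added illustration (not OpenVMS code): what disk scavenging would see on
# a toy disk, and how erase-on-allocate, erase-on-delete and high-water
# marking each prevent it. Block size, erasure pattern and API are made up.

BLOCK = 4                        # constructed block size in bytes
ERASURE_PATTERN = b"\x00" * BLOCK  # constructed erasure pattern, one block wide


class Disk:
    """Fixed number of blocks; a block keeps its bytes until overwritten."""

    def __init__(self, n_blocks, erase_on_allocate=False, erase_on_delete=False):
        self.blocks = [bytearray(ERASURE_PATTERN) for _ in range(n_blocks)]
        self.free = list(range(n_blocks))
        self.erase_on_allocate = erase_on_allocate
        self.erase_on_delete = erase_on_delete

    def allocate(self, n):
        """Hand out n free blocks as a new extent, erasing them first if enabled."""
        if len(self.free) < n:
            raise MemoryError("disk full")
        extent = [self.free.pop(0) for _ in range(n)]
        if self.erase_on_allocate:
            for b in extent:
                self.blocks[b][:] = ERASURE_PATTERN
        return extent

    def release(self, extent):
        """Return an extent to the free list (at the front, so it is reused next)."""
        if self.erase_on_delete:
            for b in extent:
                self.blocks[b][:] = ERASURE_PATTERN
        self.free[0:0] = extent


class ExtentFile:
    """A file written sequentially; the high-water mark is the byte count written."""

    def __init__(self, disk, n_blocks, high_water_marking=False):
        self.disk = disk
        self.extent = disk.allocate(n_blocks)
        self.high_water_marking = high_water_marking
        self.hwm = 0

    def _slot(self, pos):
        return self.disk.blocks[self.extent[pos // BLOCK]], pos % BLOCK

    def write(self, data):
        if self.hwm + len(data) > len(self.extent) * BLOCK:
            raise ValueError("write exceeds allocated extent")
        for i, byte in enumerate(data):
            block, off = self._slot(self.hwm + i)
            block[off] = byte
        self.hwm += len(data)

    def read(self, offset, length):
        end = offset + length
        if end > len(self.extent) * BLOCK:
            raise ValueError("read exceeds allocated extent")
        if self.high_water_marking and end > self.hwm:
            # High-water marking: nothing beyond the written area is readable.
            raise PermissionError(f"read to byte {end} exceeds high-water mark {self.hwm}")
        return bytes(self._slot(p)[0][self._slot(p)[1]] for p in range(offset, end))

    def delete(self):
        self.disk.release(self.extent)


def scavenge_demo(erase_on_allocate=False, erase_on_delete=False, high_water_marking=False):
    """A victim writes a secret and deletes the file; a second file of the same
    size is then allocated and read without being written. Returns the bytes
    the second file sees, or None if high-water marking refused the read."""
    disk = Disk(4, erase_on_allocate, erase_on_delete)
    victim = ExtentFile(disk, 2, high_water_marking)
    victim.write(b"SECRET!!")          # constructed sample data, exactly two blocks
    victim.delete()
    later = ExtentFile(disk, 2, high_water_marking)  # reuses the freed blocks
    try:
        return later.read(0, 8)
    except PermissionError:
        return None


if __name__ == "__main__":
    print("no countermeasure:   ", scavenge_demo())
    print("erase-on-delete:     ", scavenge_demo(erase_on_delete=True))
    print("erase-on-allocate:   ", scavenge_demo(erase_on_allocate=True))
    print("high-water marking:  ", scavenge_demo(high_water_marking=True))
```

Run stand-alone, the first line shows the stale secret, the next two show only the erasure pattern, and the last shows the read refused. The two erasure techniques differ in when the cost is paid (at delete versus at allocate), while high-water marking spends nothing on overwriting but only governs reads that go through the file; that is why the glossary describes the operating system using high-water marking together with an erase-on-allocate strategy rather than either alone.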
holder: A user who possesses a particular identifier.
Users and the identifiers they hold are recorded in the rights
database. Whenever an object requires an accessor to hold an
identifier, the system checks the process rights list (which is built
from the rights database) in processing the access request.
identifier: An alphanumeric string representing a user
or group of users recorded in the rights database and used by the
system in checking access requests. There are four types of
identifiers: environmental, facility, general, and UIC. See also
environmental identifier, facility identifier, general identifier,
resource identifier, UIC identifier.
Identifier ACE: An access control entry that controls
the type of access allowed to a particular user or group of users.
journal: Name of the auditing log file where the
system records events with security implications, such as logins,
break-ins, or changes to the authorization database.
locked password: A password that cannot be changed by
the account's owner. Only system managers or users with the SYSPRV
privilege can change locked passwords.
log: A record of performance or system-relevant events.
logical I/O access: Right to perform a set of I/O
operations that allow restricted direct access to device-level I/O
operations using logical block addresses.
logical name table: A shareable table of logical names and their equivalence names for the operating system or a particular group.
OpenVMS security policy protects logical name tables from improper
access. An operation can require read, write, create, delete, or
control access.
login: The series of actions involved in
authenticating a user to the system and creating a process that runs on
the user's behalf.
login class: A user's method of logging into the
system. System managers can control system access based on the login
class: local, dialup, remote, batch, or network.
mandatory controls: Security controls that are imposed
by the system upon all users. There are no examples of mandatory
controls within the OpenVMS system. Access controls on this operating
system are optional (discretionary).
NETPROXY: See network proxy authorization
file.
network proxy authorization file (NETPROXY.DAT or NET$PROXY.DAT
[VAX only]): A file containing an entry for each user
authorized to connect to the local system from a remote node in the
network.
nondiscretionary controls: See mandatory
controls.
nonprivileged: Describes a type of account with no
privilege other than TMPMBX and NETMBX and a user identification code
(UIC) greater than the system parameter MAXSYSGROUP.
Nopropagate attribute: An option added to an access
control entry that indicates the ACE cannot be copied by operations
that usually propagate ACEs, such as SET SECURITY/LIKE. See also
access control entry.
numeric UIC: A format of a user identification code
(UIC) that specifies the user's group and member number in numeric
form. The group number is an octal number in the range of 1 through
37776; the member number is an octal number in the range of 0 through
177776.
object: A passive repository of information to which
the system controls access. Access to an object implies access to the
information it contains. See also capability, common event flag
cluster, device, file, group global section, logical name table, queue,
resource domain, security class, system global section, volume.
object class: A set of protected objects with common
characteristics. For example, all files belong to the file class
whereas all devices belong to the device class.
object security profile: A set of security elements
that define access requirements. The elements include an owner (UIC), a
UIC-based protection code, and, possibly, an ACL. See also access
control list, owner, protection code.
open accounts: Accounts that do not require passwords.
operator terminal: A terminal attended by a system
operator. The system can send system event messages to the terminal,
provided the event class is enabled.
owner: A user with the same user identification code
(UIC) as the protected object. An owner always has control access to
the object and can therefore modify the object's security profile. When
the operating system processes an access request from an owner, it
considers the access rights in the owner field of a protection code.
password: A character string that users provide at
login time to validate their identity and as a form of proof of their
authorization to access the account. There are system passwords and
user passwords. User passwords include both primary and secondary
passwords. See also primary password, secondary password, system
password, user password.
physical I/O access: The right to perform a set of I/O
functions that allows access to all device-level I/O operations except
maintenance mode using physical block addresses.
primary password: A type of user password that is the
first user password requested from the user. Systems may optionally
require a secondary password. A primary or a secondary password must be
associated with the user name in the user authorization file. See also
secondary password.
privileges: A means of protecting the use of certain
system functions that can affect system resources and integrity. System
managers grant privileges according to users' needs and deny them to
users as a means of restricting their access to the system.
process security profile: The set of security elements
the system assigns to a process at creation. Elements include the
process UIC plus all of its identifiers and privileges. See also
identifier, privileges, user identification code.
Protected attribute: An option added to an access
control entry that indicates the ACE is protected against casual
deletion. It can be deleted by using the ACL editor or by specifying
the ACE explicitly when deleting it.
protected object: An object containing shareable
information to which the system controls access. See also
object.
protected subsystem: An application with enhanced
access control. While users run the application, their process rights
list contains identifiers giving them access to objects owned by the
subsystem. As soon as the users exit the application, these identifiers
and, therefore, access rights to objects are taken away.
protection: The attributes of an object that limit the
type of access available to users. See also access control
list, protection code, user identification code.
protection code: A code defining the type of access
that users are allowed to objects, based on the user's relationship to
the object's owner. The code defines four sets of users: those with
system rights, those with ownership rights, those belonging to the same
group, and all users on the system, who are called world users. See
also group, owner, system, world.
proxy login: A type of login that permits a user from
a remote node to effectively log in to a local node as if the user
owned an account on the local node. However, the user does not specify
a password in the access control string. The remote user may own the
account or share the account with other users.
pseudodevice: An entity like a mailbox that is treated
as an I/O device by the user or system, although it is not any
particular physical device.
queue: A set of jobs to be processed. There are four types of execution queues: batch, terminal, server, and print.
OpenVMS security policy protects queues from improper access. An
operation can require read, submit, manage, delete, or control access.
reference monitor: The control center within the
operating system that authenticates subjects and implements and
enforces the security policy for every access to an object by a subject.
Resource attribute: An option specified when an
identifier is added to the rights database, and later when the
identifier is granted to a user. When a user holds the identifier with
the Resource attribute, that user can charge disk space to the
identifier.
resource domain: A namespace controlling access to OpenVMS distributed lock management resources.
OpenVMS security policy protects resource domains from improper access.
An operation can require read, write, lock, or control access.
resource identifier: An identifier with the Resource
attribute. Thus, holders of the identifier can charge disk space to the
identifier.
restricted account: A type of account with a secure
login procedure. The user is not allowed to use the Ctrl/Y key sequence
during the system or process login command procedure. Control may be
turned over to the user following execution of the login command
procedures.
rights database: The collection of data the system
maintains and uses to define identifiers and associate identifiers with
the holders of the identifiers.
rights identifier: See identifier.
rights list: The list associated with each process
that includes all the identifiers the process holds.
RWED: The abbreviation for read, write, execute,
delete, which are types of access to data files and directory files.
secondary password: A user password that may be
required at login time immediately after the primary password has been
submitted correctly. Primary and secondary passwords can be known by
separate users to ensure that more than one user is present at the
login. A less common use is to require a secondary password as a means
of increasing the password length so that the total number of
combinations of characters makes password guessing more time-consuming.
See also primary password.
secure terminal server: Operating system software
designed to ensure that users can log in only to terminals that are
already logged out. When the user presses the Break key on a terminal,
the secure server (if enabled) responds by first disconnecting any
logged-in process and then initiating a login. If no process is logged
in at the terminal, the login can proceed immediately.
security administrator: The person or persons
responsible for implementing and maintaining the organization's
security policy. This role is sometimes performed by the same person
who functions as a system manager. It requires the same skills as the
system manager as well as knowledge of the security features provided
with the operating system.
security alarm: A message sent to an operator terminal
that is enabled to receive messages pertaining to security events.
Security alarms are triggered by the occurrence of an event previously
designated as worthy of the alarm because of its security implications.
security audit: An auditing message written to the
security audit log file. These messages report the occurrence of events
with security implications, such as logins, break-ins, and changes to
the authorization database. A system administrator uses the log file to
examine system activity for possible security violations or improper
use of the system.
security auditing: See auditing.
security class: The object class whose members are all object classes. Each member defines the object templates and management routines for its object class.
OpenVMS security policy protects security classes from improper access.
An operation can require read, write, or control access.
security officer: See security administrator.
security operator terminal: A class of terminal that
has been enabled to receive messages sent by OPCOM to security
operators. These messages are security alarm messages. Normally such a
terminal is a hardcopy terminal in a protected room. The output
provides a log of security-related events and details that identify the
source of the event.
security profile: A set of elements that describe
either an object's access requirements or a subject's access rights.
See also object security profile, process security
profile.
social engineering: The act of gaining unauthorized
access to or information about computer systems and resources by
enlisting the aid of unwitting users or operators. Often involves
impersonation or other fraud.
subject: A principal, either a user process or an
application, that accesses information or is prevented from accessing
information. The operating system controls access to any object that
contains shareable information. Therefore, subjects must be authorized
to access objects. See also process security profile.
system: In the context of a protection code,
identifies a set of users in a system. System users typically have a
UIC in the range 1 through 10 (octal); however, the exact range of a
system UIC is determined by the system parameter MAXSYSGROUP. Other
ways to become a system user include having SYSPRV privilege or being
in the same group as the owner and holding GRPPRV. System operators and
system managers are usually system users.
system-defined identifier: See environmental
identifier.
system global section: A shareable memory section potentially available to all processes in the system.
OpenVMS security policy protects system global sections from improper
access. Operations on file-backed sections require read, write,
execute, delete, or control access. Operations on other types of
sections require read, write, execute, or control access.
system password: A password controlling access to
particular terminals. System passwords are usually necessary to control
access to terminals that might be targets for unauthorized use, such as
dialup and public terminal lines. After an authorized person enters the
system password, a user can enter his user password. See also user
password.
system user authorization file (SYSUAF.DAT): A file
containing an entry for every user that the system manager authorizes
to gain access to the system. Each entry identifies the user name,
password, default account, user identification code (UIC), quotas,
limits, and privileges assigned to individuals who use the system.
SYSUAF: See system user authorization file.
TCB: See trusted computing base.
template profile: The default set of security elements
applied to new objects of a class. See also object security
profile.
tied account: See captive account.
trap door: An illicit piece of software or software
modification in an operating system that allows access in violation of
the system's established security policy.
Trojan horse program: A program that gains access to
otherwise secured areas through its pretext of serving one purpose when
its real intent is far more devious and potentially damaging. When an
authorized user performs a legitimate operation using a program, the
unauthorized program within it (the Trojan horse) performs an
unauthorized function.
trusted computing base (TCB): A combination of computer hardware and operating system software that enforces a security policy.
In OpenVMS systems, the TCB includes the entire executive and file
system, all other system components that do not execute in user mode
(such as device drivers, RMS, and DCL), most system programs installed
with privilege, and a variety of other utilities used by system
managers to maintain data relevant to the TCB.
turnkey account: See captive account.
UAF: See system user authorization file.
UIC: See user identification code.
UIC identifier: An identifier in alphanumeric format
that is based on a user's identification code (UIC). Such an identifier
can appear with or without brackets. See also identifier.
UIC protection code: See protection code.
user category: One of four fields in a protection
code. The code defines the access rights for four categories of users:
(a) the owner, (b) the users who share the same group UIC as the owner
(the group category), (c) all users on the system (the world category),
and (d) those with system privileges or rights (the system category). A
code lists access rights in a fixed order: System, Owner, Group, World.
user identification code (UIC): A 32-bit value
assigned to users that tells what group users belong to on the system
and what their unique identification is within that group. Any UIC
specification is enclosed in brackets, but it can be in either an
alphanumeric or a numeric format. For example, the UIC [SALES,JONES]
identifies Jones as a member of the Sales group. Protected objects like
files also have UICs. In most cases, their UICs come from the users who
created them.
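The entries for protection code, system, user category, numeric UIC and user identification code describe one evaluation: decide which of the four categories a requester falls into, then check the matching fields of the code. The following Python is an added example, not OpenVMS code, that carries that evaluation out. It assumes that a requester in several categories gets the union of their rights (the world entry says every user is in the world category, so the owner is also a group and world user), that the MAXSYSGROUP default is the octal 10 the system entry gives as typical, and that the field letters are the file access types from the RWED entry; the function names and the parsing are constructed for the illustration.

```python
import re

# Added example, not OpenVMS code: evaluates a UIC-based protection code
# using the four user categories the glossary describes. The union-of-
# categories rule, the MAXSYSGROUP default and the parsers are assumptions.

GROUP_MAX = 0o37776    # octal group range 1..37776 (numeric UIC entry)
MEMBER_MAX = 0o177776  # octal member range 0..177776
RWED = "RWED"          # file access types: read, write, execute, delete
CATEGORIES = "SOGW"    # fixed field order: System, Owner, Group, World


def parse_uic(text):
    """'[200,10]' -> (0o200, 0o10); both fields are octal and range-checked."""
    m = re.fullmatch(r"\[\s*([0-7]+)\s*,\s*([0-7]+)\s*\]", text.strip())
    if not m:
        raise ValueError(f"not a numeric UIC: {text!r}")
    group, member = int(m.group(1), 8), int(m.group(2), 8)
    if not 1 <= group <= GROUP_MAX or not 0 <= member <= MEMBER_MAX:
        raise ValueError(f"UIC field out of range: {text!r}")
    return group, member


def parse_protection_code(code):
    """'(S:RWED,O:RWED,G:RE,W)' -> {'S': {'R','W','E','D'}, ..., 'W': set()}.
    A category listed without letters, or not listed at all, gets no access."""
    inner = code.strip()
    if inner.startswith("(") and inner.endswith(")"):
        inner = inner[1:-1]
    rights = {c: set() for c in CATEGORIES}
    for field in inner.split(","):
        field = field.strip()
        if not field:
            continue
        cat, _, letters = field.partition(":")
        cat = cat.strip().upper()
        if cat not in rights:
            raise ValueError(f"unknown category {cat!r} in {code!r}")
        for ch in letters.strip().upper():
            if ch not in RWED:
                raise ValueError(f"unknown access type {ch!r} in {code!r}")
            rights[cat].add(ch)
    return rights


def user_categories(user_uic, owner_uic, privileges=(), maxsysgroup=0o10):
    """Categories the requester belongs to. Everyone is World; the owner's
    group is Group; an identical UIC is Owner; System is a group number up to
    MAXSYSGROUP, SYSPRV, or GRPPRV held by a member of the owner's group."""
    privs = {p.upper() for p in privileges}
    same_group = user_uic[0] == owner_uic[0]
    cats = {"W"}
    if same_group:
        cats.add("G")
    if user_uic == owner_uic:
        cats.add("O")
    if user_uic[0] <= maxsysgroup or "SYSPRV" in privs or (same_group and "GRPPRV" in privs):
        cats.add("S")
    return cats


def access_allowed(code, requested, user_uic, owner_uic, privileges=(), maxsysgroup=0o10):
    """True when every requested access type is granted by at least one of
    the requester's categories (assumed: union of the applicable fields)."""
    wanted = set(requested.upper())
    if not wanted <= set(RWED):
        raise ValueError(f"unknown access type in {requested!r}")
    rights = parse_protection_code(code)
    granted = set()
    for cat in user_categories(user_uic, owner_uic, privileges, maxsysgroup):
        granted |= rights[cat]
    return wanted <= granted


if __name__ == "__main__":
    code = "(S:RWED,O:RWED,G:RE,W)"       # constructed sample protection code
    owner = parse_uic("[200,10]")          # constructed sample owner UIC
    for who, privs in (("[200,10]", ()), ("[200,15]", ()), ("[200,15]", ("GRPPRV",)),
                       ("[300,1]", ()), ("[300,1]", ("SYSPRV",)), ("[7,1]", ())):
        uic = parse_uic(who)
        cats = "".join(c for c in CATEGORIES if c in user_categories(uic, owner, privs))
        print(f"{who:>9} {','.join(privs) or '-':>6} categories={cats:<4}"
              f" R={access_allowed(code, 'R', uic, owner, privs)}"
              f" W={access_allowed(code, 'W', uic, owner, privs)}")
```

The table the script prints makes two points of the glossary concrete: a group member gets read and execute but not write until GRPPRV lifts it into the system category, and a user in another group is refused even read access because the world field is empty. Because the categories are unioned, tightening the owner field alone never takes away what the group or world field still grants.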
user irresponsibility: Situations where the user
purposely or accidentally causes some noticeable damage on a computer
system.
user name: The name a user enters to log in to the
system. Together with a password, the user name identifies and
authenticates a person as a valid user of the system. See also
password, user password.
user password: A character string recorded in a user's
record in the system user authorization file. The password and the
user's name must be correctly supplied when the user attempts to log in
so that the user is authenticated for access to the system. The two
types of user passwords are known as primary and secondary; the terms
also represent the sequence in which they are entered. See also
primary password, secondary password, system password.
user penetration: Situations where the user exploits
defects in the system software or system administration to break
through security controls to gain access to the computer system.
user probing: Situations where a user exploits
insufficiently protected parts of a computer system.
virus: A command procedure or executable image written
and placed on the system for the sole purpose of seeking unauthorized
access to files and accounts on the system. The virus seeks access to a
user file through a flaw in the file protection. If successful, the
virus modifies the file so that it carries a copy of the virus. Each
time an unsuspecting user executes the code that contains the virus,
the virus attempts to propagate itself into other poorly protected
procedures or images. The virus seeks to find its way into a procedure
that will be run from a privileged account so that the virus can
inflict damage to the system.
volume: A mass storage medium, such as a disk or tape, that is in ODS-2 format. Volumes contain files and may be mounted on devices.
OpenVMS security policy protects volumes from improper access. An
operation can require read, write, create, delete, or control access.
world: A category of users whose access rights to an
object are identified in the last field of a protection code. The world
category encompasses all users or applications on the system, including
system operators, system managers, and users both in the owner's group
and any other group.
worm: A procedure that replicates itself over many nodes in a network, typically using default network access or known security flaws. The usual effect of a worm is severe performance degradation as replicas of the worm saturate the computing capacity and bandwidth of the network. In contrast to a virus, which spreads by modifying existing programs and executing when some user runs the program, a worm stands by itself, operates in its own process context, and initiates its own offspring.
6346P029.HTM OSSG Documentation 22-NOV-1996 13:05:37.41
Copyright © Digital Equipment Corporation 1996. All Rights Reserved.