💾 Archived View for gemini.spam.works › mirrors › textfiles › hacking › VMS › practica.txt captured on 2022-06-12 at 08:53:13.
-=-=-=-=-=-=-
A Practical Exercise in Securing an OpenVMS System Rob McMillan Prentice Centre The University Of Queensland Now at Griffith University E-Mail: R.McMillan@itc.gu.edu.au Phone: 07 875 6557 Postal: Information Technology Services Griffith University Nathan Qld 4111 A Practical Exercise In Securing An OpenVMS System Abstract _________________________________________________________ OpenVMS machines have many features that can be used to defend them from attack. To properly defend your machine, you need to make use of these features from the moment of delivery. In this paper, I present the series of steps taken by a typical systems programmer (namely the author) in tuning the defense mechanisms of an OpenVMS machine, and outline some non-standard mechanisms employed in the defence of this machine. All too often, emphasis is placed on particular accents, such as access prevention, or reactive examination and monitoring after attack. This paper attempts a more holistic approach to the host-based mechanisms that could be employed to defend a machine. Access control mechanisms (such as passwords, user authorisation parameters, and access control wrappers) and activity logging mechanisms (such as audit trails, terminal monitors and FAL logging) are considered. _________________________________________________________ The information contained in this paper is given freely as an account of my own experience, and may be used by the reader as the reader sees fit. No responsibility or liability will be accepted by the author for any damages caused by direct or indirect use of the information or functionality described in this paper. Introduction 1.1 Assumptions This paper will discuss some of the features that can be used to defend an OpenVMS machine from outside attack. The ideas presented in this paper are the result of an exercise in configuring a machine in a university department used for a sensitive research project. All of the mechanisms I consider in this paper can be classed as host based mechanisms. However, the defence of an computer system is not limited to these measures only. Measures that should be used, but that I don't discuss in this paper are: * network based security, * backups, and * physical security. This paper is not intended to present an "expert's view" of securing an OpenVMS machine. The reason for this is simple - whilst my knowledge of OpenVMS security is quite solid, I would not put myself in the "expert" category. Therefore this paper should not be seen as the canonical guide to OpenVMS security - rather, it should be seen as the series of measures that programmers should typically consider in defending their machine. There is absolutely no substitute for reading the Guide to VAX/VMS System Security manual. Finally, this paper is concerned with the defence of a machine. I do not personally make any attempt to crack machines. I will not present any information on how to crack an OpenVMS machine. 1.2 What This Paper Contains The following topics are those considered during the configuration of the machine referred to above. This list is not exhaustive. * System Mechanisms For Configuring The Machine To Control Access : * SYS$MANAGER Command Files * Welcome Messages * Accounts To Disable, Passwords To Change, And Objects To Modify * System Logicals And Logical Definitions * System Passwords * The UAF File * File Protections * ACLs * Tailoring UCX * Proxies * System Mechanisms For Configuring The Machine To Log Activity : * Accounting * Auditing * FAL and Poor Man's Routing * Using Homegrown Or Publicly Available Software : * Wrappers * Single Use PINs * Terminal Monitors * Monitoring The Use of The Machine : * The SHOW INTRUSION Command * Daily Activities * Having a Live Console System Mechanisms For Configuring The Machine To Control Access 2.1 SYS$MANAGER Command Files There are three files in SYS$MANAGER: that are of importance in terms of this paper. They are SYSTARTUP_V5.COM, SYLOGIN.COM and SYLOGICALS.COM. I have left comments about SYLOGICALS.COM for Section 2.4, System Logicals And Logical Definitions. 2.1.1 SYSTARTUP_V5.COM There are several different things to be done here. As discussed in Section 2.5, System Passwords, a system password should be installed. A system password means that the user must enter a password before the login prompt appears. The procedure for doing this is discussed in Section 2.5. However, this is the change you could make in SYSTARTUP_V5.COM to ensure that a console user does not need to enter the password. (The console should be located in a physically secure area.) $! No system password required for console. $ write sys$output "[Modifying console settings]" $ SET TERMINAL OPA0: /PERMANENT /NOSYSPASSWORD This ensures that should the user log in from the console, a system password will not be required. This prevents situations where you are locked out from the machine should the password be changed or forgotten. $! The following commands turn off account logging and $! delete the account log. $! To keep an account log on your system, delete the $! following 5 command lines. $! $! IF (.NOT. MICROVAX) THEN GOTO SKIP_ACCOUNTING $! SET ACCOUNTING/DISABLE $! IF F$SEARCH("SYS$MANAGER:ACCOUNTNG.DAT") .NES. "" THEN - $! DELETE SYS$MANAGER:ACCOUNTNG.DAT;* $!SKIP_ACCOUNTING: When the operating system is installed, this code is not commented out. That is, account logging is not enabled by default. It is good practice to use all logging facilities available to you, and system accounting is one of those facilities that is strongly recommended. You need accounting to provide an extra audit trail on the system. To enable accounting, comment out these lines, as shown on the following page. $! The following commands purge the operator and network $! logs to two versions. $! $! IF (.NOT. MICROVAX) THEN GOTO SKIP_PURGING $! IF F$SEARCH("SYS$MANAGER:OPERATOR.LOG;-1") .NES. "" THEN - $! PURGE SYS$MANAGER:OPERATOR.LOG $! IF F$SEARCH("SYS$MANAGER:EVL.LOG;-1") .NES. "" THEN - $! PURGE SYS$MANAGER:EVL.LOG $!SKIP_PURGING: Here the machine is trying to make a guess about how much information should be saved as current information (the tradeoff being information currency and usefulness against disk space). A more reasonable figure is 10 versions (working on the basis of a new file per day). To implement this, do the following: * Comment out the lines above. * Create artificial OPERATOR.LOG and EVL.LOG files, each 1 version higher than the logs currently open and in use by the system. * Issue SET FILE OPERATOR.LOG /VERSION_LIMIT=10 and SET FILE EVL.LOG /VERSION_LIMIT=10. This is done against the files just created, as the SET FILE command will fail against the logs open and in use by the system. When new files are opened for use by the system, they will be created with a version number of one higher than the logs created artificially, but will inherit the version limit. $! This command defines a message to be displayed before $! each user logs in. $! $! DEFINE /SYSTEM SYS$ANNOUNCE " Welcome to VAX/VMS ''F$GETSYI("VERSION")'" $ DEFINE /SYSTEM SYS$ANNOUNCE "@SYS$MANAGER:ANNOUNCE.TXT" $! $! This command defines a message or file to be $! displayed after each user logs in. $! $ DEFINE /SYSTEM SYS$WELCOME "@SYS$MANAGER:WELCOME.TXT" $! For legal reasons, as set out in SERT Advisory SA-93.03 (See Appendix 1, SERT Advisory SA-93.03, Suggested Login Banner) give people fair warning of the consequences of misuse. The contents of the files ANNOUNCE.TXT and WELCOME.TXT are discussed in Section 2.2, Welcome Messages. To make these files appear, the definitions above are used. 2.1.2 SYLOGIN.COM SYLOGIN.COM is a command file executed when any user logs in. This is the ideal place to install mechanisms to universally check a user's credentials (such as username, source of login, time, terminal or knowledge- based authenticators). The first three lines of SYLOGIN.COM should be as follows (but aren't in the supplied file). $ SET NOON $ SET NOCONTROL_Y $ SET NOVERIFY This prevents a user (and hence crackers in the first instance) from seeing what mechanisms you have installed, and also interrupting the execution of this file to avoid these mechanisms. $! Place your site-specific LOGIN commands below $! $! If they get this far, then there may have been a breakin, $! but at least we can stop them at this point. $! Call the wrapper. $! $ @LOCAL$WRAP:INTERACTIVE.COM $ IF ($Status .NE. %x10000001) $ THEN $ STOP/ID=0 $ ENDIF As the comments outline, we use a command procedure at this point to check credentials. This may or may not involve interactive exchanges. If the person logging in fails to pass the tests, then they are logged out. (You will need to define LOCAL$WRAP, for example, in SYLOGICALS.COM.) 2.2 Welcome Messages For legal reasons, as set out in SERT Advisory SA-93.03 (See Appendix 1, SERT Advisory SA-93.03, Suggested Login Banner) give people fair warning of the consequences of misuse. By default, there is no SYS$WELCOME issued, and SYS$ANNOUNCE welcomes the person logging in. SYS$WELCOME needs to be enabled, and point to a file, and SYS$ANNOUNCE should also point to a file (as shown in Section 2.1.1, SYSTARTUP_V5.COM). These files should outline to people conditions of use, and legal consequences of misuse. SYS$ANNOUNCE is the message or banner that appears immediately before the login prompt (but after the system password has been entered). SYS$WELCOME is the message or banner that appears immediately after the person has logged in. In this way, users should normally see this warning before and after logging in. This message should appear in SYS$MANAGER:ANNOUNCE.TXT: ----- Warning Message ----- ***** This service is for authorised staff only ***** ************************************************************************* * * * WARNING: It is a criminal offence to: * * i. Obtain access to data without authority * * (Penalty 2 years imprisonment) * * ii Damage, delete, alter or insert data without authority * * (Penalty 10 years imprisonment) * * * ************************************************************************* The following message should appear in SYS$MANAGER:WELCOME.TXT. This is {nodename} (VAX/VMS V5.5-2) - Unauthorised access prohibited! ***** This service is for authorised staff only ***** ************************************************************************* * * * WARNING: It is a criminal offence to: * * i. Obtain access to data without authority * * (Penalty 2 years imprisonment) * * ii Damage, delete, alter or insert data without authority * * (Penalty 10 years imprisonment) * * * ************************************************************************* 2.3 Accounts To Disable, Passwords To Change, And Objects To Modify 2.3.1 Accounts VMS is supplied with a number of default accounts. It should be assumed that crackers will attempt to compromise a machine using default account names and passwords. This principle applies to any operating system. The following default accounts should have their passwords changed, and the accounts disabled: DEFAULT, FIELD, MIRRO$SERVER, SYSTEST, SYSTEST_CLIG. The accounts can be disabled thus: $ MCR AUTHORIZE UAF> MODIFY DEFAULT /FLAGS=DISUSER UAF> MODIFY FIELD /FLAGS=DISUSER UAF> MODIFY MIRRO$SERVER /FLAGS=DISUSER UAF> MODIFY SYSTEST /FLAGS=DISUSER UAF> MODIFY SYSTEST_CLIG /FLAGS=DISUSER UAF> EXIT $ Depending upon how you wish to execute batch jobs and carry out general system administration, you may also wish to either similarly treat the SYSTEM account, or alternative apply strict access controls on this account on the UAF file (See Section 2.6, The UAF File). 2.3.2 Objects There are several objects that needed tailoring. Some of the tailoring is to prevent simple security breaches, whereas others (like the modifications to PHONE, TASK and FAL) are to prevent breaches that could occur in whole or in part to Poor Man's Routing (See Section 3.3, FAL and Poor Man's Routing). In the first stage, the PHONE and TASK objects are disabled. In the PHONE application, the directory command can be used to obtain a directory listing of users on remote DECNet nodes. It is essentially a default "finger". Whilst security through obscurity is no security at all, any access to system details should be suppressed where possible. The TASK object is used to execute jobs on your node from remote nodes. Since this is not a desired feature on the machine used in the preparation of this paper, this object was disabled. Alternatively, the object could have been loaded with false information into the permanent database. These objects are created at boot time using default information if there is no information about them in the NCP permanent database. Therefore, a job can be run immediately after booting to remove these objects. The objects can be removed thus: $ MCR NCP CLEAR OBJECT PHONE ALL $ MCR NCP PURGE OBJECT PHONE ALL $ MCR NCP CLEAR OBJECT TASK ALL $ MCR NCP PURGE OBJECT TASK ALL They could alternatively be modified thus: $ MCR NCP SET OBJECT TASK USER ILLEGAL PASSWORD DISABLED $ MCR NCP SET OBJECT TASK PROXY NONE $ MCR NCP SET OBJECT TASK ALIAS INCOMING DISABLED $ MCR NCP SET OBJECT TASK ALIAS OUTGOING DISABLED $ MCR NCP DEFINE OBJECT TASK USER ILLEGAL PASSWORD DISABLED $ MCR NCP DEFINE OBJECT TASK PROXY NONE $ MCR NCP DEFINE OBJECT TASK ALIAS INCOMING DISABLED $ MCR NCP DEFINE OBJECT TASK ALIAS OUTGOING DISABLED $ MCR NCP SET OBJECT PHONE USER ILLEGAL PASSWORD DISABLED $ MCR NCP SET OBJECT PHONE PROXY NONE $ MCR NCP SET OBJECT PHONE ALIAS INCOMING DISABLED $ MCR NCP SET OBJECT PHONE ALIAS OUTGOING DISABLED $ MCR NCP DEFINE OBJECT PHONE USER ILLEGAL PASSWORD DISABLED $ MCR NCP DEFINE OBJECT PHONE PROXY NONE $ MCR NCP DEFINE OBJECT PHONE ALIAS INCOMING DISABLED $ MCR NCP DEFINE OBJECT PHONE ALIAS OUTGOING DISABLED In the second stage below, objects are modified so that they are still usable, but subject to tighter controls than the default. The simplest change is made to the MIRROR object by disabling the MIRRO$SERVER account in the User Authorisation File. The MIRROR object should be kept to allow loopback testing should it become necessary. The account is disabled since it serves no useful purpose (other than for loopback testing), and should be disabled unless in use. The MAIL object should be modified thus according to the VMS v5.5-2 release notes, Section 2.8.7, to restrict outgoing access on the mail server. In v5.5-2, MAIL enables system privileges when it opens a DECnet connection to a remote mail server. By restricting outgoing access on the mail server object (as below), unauthorised users are prevented from placing connections on the mail server object. $ MCR NCP SET OBJECT MAIL OUTGOING CONNECT PRIVILEGE SYSPRV $ MCR NCP DEFINE OBJECT MAIL OUTGOING CONNECT PRIVILEGE SYSPRV This can be undone by executing the same commands with "NOSYSPRV". MAIL_SERVER.EXE (the executable associated with the MAIL object) is installed as a privileged image. Wrappers should also be installed for the FAL and NML objects. The executable images for these are, by default, normally FAL.EXE and NML.EXE respectively. Modify the object database as shown below. $ MCR NCP SET OBJECT FAL FILE LOCAL$WRAP:FAL.COM $ MCR NCP DEFINE OBJECT FAL FILE LOCAL$WRAP:FAL.COM $ MCR NCP SET OBJECT NML FILE LOCAL$WRAP:NML.COM $ MCR NCP DEFINE OBJECT NML FILE LOCAL$WRAP:NML.COM The contents of the wrappers are discussed in Section 4.1, Wrappers. 2.4 System Logicals And Logical Definitions SYS$MANAGER:SYLOGICALS.COM is used to establish important site-specific logical names across the entire system. You can put meaningful local definitions in here as well as the definitions already supplied with the delivered system. $! Undocumented feature to disable poor man's routing $ DEFINE /SYSTEM /EXEC FAL$LOG "03/DISABLE=8" Poor Man's Routing is explained in Section 3.3, FAL and Poor Man's Routing. That section also explains the significance of this definition. It's relevance to this section is merely that it is centrally defined in SYLOGICALS.COM. $! Make network server processes die after 10 seconds $! (to give separate NETSERVER.LOG files for $! each distinct operation) $ DEFINE /SYSTEM /EXEC NETSERVER$TIMEOUT "0000 00:00:10" This forces network server processes to die after 10 seconds of lying idle, thus creating separate NETSERVER.LOG files for each essentially distinct operation. The tradeoff for these distinct files is the price that must be paid in terms of process creation on each network connection. $! System databases $ DEFINE /SYSTEM /EXEC LMF$LICENSE SYS$SYSTEM:LMF$LICENSE.LDB $ DEFINE /SYSTEM /EXEC NETNODE_REMOTE SYS$SYSTEM:NETNODE_REMOTE.DAT $ DEFINE /SYSTEM /EXEC NETPROXY SYS$SYSTEM:NETPROXY.DAT $ DEFINE /SYSTEM /EXEC NETUAF SYS$SYSTEM:NETUAF.DAT $ DEFINE /SYSTEM /EXEC RIGHTSLIST SYS$SYSTEM:RIGHTSLIST.DAT $ DEFINE /SYSTEM /EXEC SYSUAF SYS$SYSTEM:SYSUAF.DAT $ DEFINE /SYSTEM /EXEC VMSMAIL SYS$SYSTEM:VMSMAIL_PROFILE.DAT If these aren't defined, and a user attempts operations on them, new ones can be created by that user. These definitions prevent this. Note file protections for these files in Section 2.7, File Protections. Other system-wide logical symbols (such as LOCAL$WRAP) would also be defined in this file. 2.5 System Passwords VMS systems can have what is called a "system password". This is a password that must be typed BEFORE the host prompts you for login information. So when you initially connect to a system with a "system password", you don't get any prompting on the screen. Once you have typed in the password, the normal prompt message appears. The system password will appear or not depending on the value of the sysgen parameter TTY_DEFCHAR2. A value of %X80000 (i.e. Hex) enables system password. This parameter is not dynamic. The SYSGEN parameter TTY_DEFCHAR2 (bit represented by %X80000) enables system password by default for all terminals (including LAT, X.25 and telnet terminals). The default value for TTY_DEFCHAR2 is 4098 (decimal): $ RUN SYS$SYSTEM:SYSGEN SYSGEN> USE DEFAULT SYSGEN> SHO TTY_DEFCHAR2 Parameter Name Current Default Min. Max. Unit Dynamic -------------- ------- ------- ------ ------ ---- ------- TTY_DEFCHAR2 4098 4098 0 -1 Bit-Encode The correct value can be set by modifying SYS$SYSTEM:MODPARAMS.DAT, and AUTOGENing the system. The required value in MODPARAMS.DAT is set by adding the following lines (amongst other values): TTY_DEFCHAR2 = %X80000 + %X1000 + %X2 ! = 528386 ! %X80000 (bit 19) TT2$M_SYSPWD System password ! %X1000 (bit 12) TT2$M_EDITING Cmd line editing ! %X2 (bit 1) TT2$M_AUTOBAUD Autobaud The actual system password can be set either by DCL or by AUTHORIZE. $ SET PASSWORD /SYSTEM or else by $ RUN SYS$SYSTEM:AUTHORIZE UAF> MODIFY /SYSTEM_PASSWORD={password} Terminals can be set /NOSYSPWD /PERM or /SYSPWD. See Section 2.1.1 SYSTARTUP_V5.COM for an example. 2.6 The UAF File This is an extremely useful file for tuning security on an OpenVMS machine. The UAF file (and associated files) allow you to control access to the system and allocate resources to users. For the purposes of this paper, there are several fields worth considering. Specifically, the ones that can be used include (but are not restricted to) access control fields, password control fields and the rights list. On the particular machine used in the preparation of this paper, there are several accounts that are used for specific purposes, and should be used only within specific time frames. For instance, consider an account (the "USER1" account for the purposes of this example) which should only be used interactively during the hours of 8am to 7pm on primary days (Monday to Friday), but can run batch jobs at any time on any day. All other access is to be denied. This is achieved by the following commands: $ RUN SYS$SYSTEM:AUTHORIZE UAF> MODIFY USER1 /NONETWORK /NODIALUP - /LOCAL=(PRIMARY:8-18) /REMOTE=(PRIMARY:8-18) This results in an access control matrix like the one below. Primary days: Mon Tue Wed Thu Fri Secondary days: Sat Sun Primary 000000000011111111112222 Secondary 00000000001111111111222 Day Hours 012345678901234567890123 Day Hours 012345678901234567890123 Network: ----- No access ------ ----- No access ------ Batch: ##### Full access ###### ##### Full access###### Local: --------###########----- ----- No access ------ Dialup: ----- No access ------ ----- No access ------ Remote: --------###########----- ----- No access ------ Full access can be restored using: $ RUN SYS$SYSTEM:AUTHORIZE UAF> MODIFY USER1 /ACCESS=(PRIMARY:0-24,SECONDARY:0-24) Passwords are historically a weak point in computer systems. A weak password on a single account leaves the entire system vulnerable to attack. (See Appendix 2, SERT Advisory SA-93.04, Guidelines For Developing A Sensible Password Policy.) You must therefore ensure that all accounts have a minimum password length of 8 characters, and that they expire at regular intervals. In addition, privileged accounts should have password lengths greater than that, and passwords should be set using the MODIFY {accountname} /GENERATE_PASSWORD command. The other important use of the AUTHORIZE utility is creating rights list identifiers and using these in conjunction with ACLs to control access to files and devices at individual levels. For instance, on the machine used while preparing this paper, there is a particular device and a directory that should only ever be accessed by a small group of people. This device is used for a research project, and the results are kept in the directory. The entire group of people involved with the experiment needed to read the results (kept in the DISKE:[EXPERIMENT1] directory), whereas only a few people needed write access to this directory. Furthermore, because they were all in the same project team, they were all allocated the same group number. Finally, there was a restricted number of people in this group who were authorised to access the device used in the experiment in question. The first step in controlling this is to create various rights list identifiers, and granting them to people who should access them. The rights list identifiers are created as follows: $ RUN SYS$SYSTEM:AUTHORIZE UAF> ADD /IDENTIFIER EXP1_READ UAF> ADD /IDENTIFIER EXP1_WRITE UAF> ADD /IDENTIFIER EXP1_CONTROL UAF> EXIT Users 1..10 are allowed read access to the results; users 5, 6 and 7 are allowed write access and users 6 and 7 are allowed to control the transducer. $ RUN SYS$SYSTEM:AUTHORIZE UAF> GRANT /IDENTIFIER EXP1_READ USER1 UAF> GRANT /IDENTIFIER EXP1_READ USER2 UAF> GRANT /IDENTIFIER EXP1_READ USER3 UAF> GRANT /IDENTIFIER EXP1_READ USER4 UAF> GRANT /IDENTIFIER EXP1_READ USER8 UAF> GRANT /IDENTIFIER EXP1_READ USER9 UAF> GRANT /IDENTIFIER EXP1_READ USER10 UAF> GRANT /IDENTIFIER EXP1_WRITE USER5 UAF> GRANT /IDENTIFIER EXP1_WRITE USER6 UAF> GRANT /IDENTIFIER EXP1_WRITE USER7 UAF> GRANT /IDENTIFIER EXP1_CONTROL USER6 UAF> GRANT /IDENTIFIER EXP1_CONTROL USER7 UAF> EXIT $ ACLs and protection are then set on the device and directory as set out in Section 2.8, ACLs. Finally, great care has been taken in the allocation of privileges to individual user accounts. In particular, the default privileges must be kept to the minimum required. 2.7 File Protections File protection is an important aspect in preventative security. Checks should be periodically carried out for world-writeable files and directories, and appropriate action taken. In addition, various sensitive files should be confirmed as having the following protection. <disk>:[000000]000000.DIR (S:RWE,O:RWE,G:RE,W:E) <disk>:[000000]INDEXF.SYS (S:RWE,O:RWE,G:RE,W) * This prevents unauthorised users from finding directory and file names. SYS$SYSTEM:AUTHORIZE.EXE (S:RWE,O:RWE,G:RWE,W) SYS$SYSTEM:NCP.EXE (S:RWE,O:RWE,G:RWE,W) * This ensures that unauthorised users cannot change the NCP and authorisation databases through the use of these programs. Note that merely protecting these programs does not prevent modification of the data files - it is imperative that the data files themselves are protected. SYS$SYSTEM:NETCIRC.DAT (S:RWE,O:RWE,G:RWE,W) SYS$SYSTEM:NETCONF.DAT (S:RWE,O:RWE,G:RWE,W) SYS$SYSTEM:NETLINE.DAT (S:RWE,O:RWE,G:RWE,W) SYS$SYSTEM:NETLOGING.DAT (S:RWE,O:RWE,G:RWE,W) SYS$SYSTEM:NETNODE_LOCAL.DAT (S:RWE,O:RWE,G:RWE,W) SYS$SYSTEM:NETNODE_REMOTE.DAT (S:RWE,O:RWE,G:RWE,W) SYS$SYSTEM:NETOBJECT.DAT (S:RWE,O:RWE,G:RWE,W) SYS$SYSTEM:NETPROXY.DAT (S:RWE,O:RWE,G:RWE,W) SYS$SYSTEM:NETUAF.DAT (S:RWE,O:RWE,G:RWE,W) SYS$SYSTEM:NETX25.DAT (S:RWE,O:RWE,G:RWE,W) SYS$SYSTEM:NETX29.DAT (S:RWE,O:RWE,G:RWE,W) * This ensures that unauthorised users cannot change information in these databases, nor gain information about other users or system configuration from these files. SYS$SYSTEM:RIGHTSLIST.DAT (S:RWE,O:RWE,G:RE,W:RE) SYS$SYSTEM:SYSUAF.DAT (S:RWE,O:RWE,G:RWE,W) ACL=(NETWORK,ACCESS=EXECUTE) SYS$SYSTEM:VMSMAIL.DAT (S:RWE,O:RWE,G:RWE,W) SYS$SYSTEM:VMSMAIL_PROFILE.DATA (S:RWE,O:RWE,G:RWE,W) * This ensures that unauthorised users cannot change information in these databases, nor gain information about other users from these files. For more details on File Protections, see Managing Security in a Multi-Vendor Network by Ron Tencati, and also the Guide to VAX/VMS System Security manual. 2.8 ACLs This section, is a continuation of the example supplied in Section 2.6, The UAF File, about access control using rights list identifiers. In a particular experiment, experimental results are being kept in the DISKE:[EXPERIMENT1] directory. The results are obtained using a transducer controlled on device RCD0:. Various rights list identifiers to read results (EXP1_READ), write a file to the results directory (EXP1_WRITE) and control the transducer (EXP1_CONTROL) have been created. These rights identifiers are used in the the creation of access control lists to enforce these access control principles. The transducer is the first object so modified: $ SET ACL /OBJECT=DEVICE /ACL=( - (IDENTIFIER=SYSTEM,ACCESS=READ+WRITE+EXECUTE+DELETE+CONTROL), - (IDENTIFIER=EXP1_CONTROL,ACCESS=READ+WRITE+DELETE+CONTROL), - (IDENTIFIER=[*,*],ACCESS=NONE)) RCD0: $ SHOW DEVICE RCD0: /FULL : {Device details on NODE1$RCD0: deleted} : device, error logging is enabled. Error count 0 Operations completed 26 Owner process "" Owner UIC [0,0] Owner process ID 00000000 Dev Prot S:RWED,O:RWED,G:RWED,W:RWED Reference count 0 Default buffer size 2048 Density unknown Format {deleted} Volume status: {deleted} Device access control list: (IDENTIFIER=[SYSTEM],ACCESS=READ+WRITE+EXECUTE+DELETE+CONTROL) (IDENTIFIER=EXP1_CONTROL,ACCESS=READ+WRITE+EXECUTE+DELETE+CONTROL) (IDENTIFIER=[*,*],ACCESS=NONE) On the machine used for preparing this paper, the nature of the device prevented us from changing the protection using the SET PROTECTION/DEVICE command. However, the ACL is sufficient to control access to this device. The next step is to protect the directory (and files under it). An ACL is applied to the directory file usinfg the commands on the next page. $ SET ACL /OBJECT=FILE /ACL=( - (IDENTIFIER=EXP1_WRITE,ACCESS=READ+WRITE+EXECUTE+DELETE+CONTROL), - (IDENTIFIER=EXP1_READ, ACCESS=READ+EXECUTE), - (IDENTIFIER=SYSTEM, ACCESS=READ+EXECUTE), - (IDENTIFIER=[*,*], ACCESS=NONE)) DISKE:[000000]EXPERIMENT1.DIR $ $ SET PROTECTION DISKE:[000000]EXPERIMENT1.DIR /PROTECTION=(S,O,G,W) $ $ DIR DISKE:[000000]EXPERIMENT1.DIR /SECURITY Directory DISKE:[000000] EXPERIMENT1.DIR;1 4 17-JUN-1992 11:19:27.01 [SYSTEM] (,,,) (IDENTIFIER=EXP1_WRITE,ACCESS=READ+WRITE+EXECUTE+DELETE+CONTROL) (IDENTIFIER=EXP1_READ,ACCESS=READ+EXECUTE) (IDENTIFIER=[SYSTEM],ACCESS=READ+EXECUTE) (IDENTIFIER=[*,*],ACCESS=NONE) Total of 1 file, 4 blocks. This means that only people who specifically possess the EXP1_WRITE rights list identifier can write to this directory. Users who possess the EXP1_READ identifier can read the contents of the directory as can the SYSTEM account (but not system privileged accounts or system UIC group members). All other access is denied. Note that action is taken on the first match of the ACL. So, for example, if the SYSTEM account is being used to access data in DISKE:[EXPERIMENT1], and the system account has the EXP1_READ right, then SYSTEM can read the data by virtue of this right as opposed to being the system account. The reason for this is that the EXP1_READ identifier occurs before [SYSTEM] in the ACL. Any directories created in this directory after the creation of this ACL will inherit this ACL. 2.9 SYSGEN Parameters There are various SYSGEN parameters that must be considered and/or changed during configuration. Many of these are related to system performance and are not within the scope of this paper. Parameters that must be considered from a security point of view are listed below, with extracts from the SYSGEN HELP facility on their use. (See SYSGEN> HELP PARAMETERS for more details.) TTY_DEFCHAR2: Bit 19 (TT2$M_SYSPWD) is set to allow the use of system passwords. The password was set using the AUTHORIZE utility (see Section 2.5, System Passwords), and the console is modified such that the password is not required when logging on from that source (using SET TERMINAL OPA0: /PERMANENT /NOSYSPASSWORD). (See Section 2.1.1, SYSTARTUP_V5.COM.) All other terminals must enter the system password before the login prompt is issued. This parameter (TTY_DEFCHAR2). amongst others, can be set in SYS$SYSTEM:MODPARAMS.DAT with a single line: TTY_DEFCHAR2 = %X80000 + %X1000 + %X2 ! = 528386 ! %X80000 (bit 19) TT2$M_SYSPWD System password ! %X1000 (bit 12) TT2$M_EDITING Cmd line editing ! %X2 (bit 1) TT2$M_AUTOBAUD Autobaud LGI_PWD_TMO: Period of time, in seconds, a user has to correctly enter the system password on a terminal on which the system password is in effect. LGI_BRK_TMO: Specifies the number of seconds that a user, terminal, or node is permitted to attempt a login before the system assumes that a breakin attempt is occurring and evasive action is required. LGI_BRK_LIM: Specifies the number of failures that may occur at login time before the system will take action against a possible breakin. LGI_RETRY_TMO: Specifies the number of seconds allowed between login retry attempts after a login failure. LGI_RETRY_LIM: Specifies the number of retry attempts allowed for users attempting to login over dialup lines. LGI_HID_TIM: Specifies the number of seconds that evasive action will persist following the detection of a possible breakin attempt. The evasive action consists of refusing to allow any logins during this period, regardless of whether a valid user name and password are specified. LGI_BRK_DISUSER: When set, turns on the DISUSER flag in the UAF record when an attempted breakin is detected, thus permanently locking out that account. LGI_BRK_TERM: Causes the terminal name to be part of the association string for the terminal mode of breakin detection. Note that if parameters are changed using SYSGEN, modify both the CURRENT image and the ACTIVE, running system. Leave DEFAULT as it is. 2.10 Tailoring UCX The machine being configured required only incoming telnet access, and outgoing telnet and ftp. SMTP is handled by a dedicated mail package (MX). Other services like SNMP, NFS and Berkeley "r" commands are not required (or, in fact, desirable). Services not required are shutdown thus: $! -- Shutdown what we don't need $! $ @SYS$MANAGER:RPC$UCX_SHUTDOWN.COM $ @SYS$MANAGER:UCX$LPD_SHUTDOWN.COM $ @SYS$MANAGER:UCX$NFS_SHUTDOWN.COM $ @SYS$MANAGER:UCX$SMTP_SHUTDOWN.COM $ @SYS$MANAGER:UCX$SNMP_SHUTDOWN.COM $! $! -- Disable incoming connections on other services $! $ UCX DISABLE SERVICE FTP $ UCX DISABLE SERVICE REXEC $ UCX DISABLE SERVICE RLOGIN $ UCX DISABLE SERVICE RSH In addition, the relevant UCX accounts are disabled in the User Authorization File (using UAF> MODIFY <account> /flag=DisUser): UCX$FTP, UCX$NFS, UCX$REXEC, UCX$RSH, UCX$SNMP, UCX_LPD, UCX_SMTP. Telnet (interactive) access should be monitored using a wrapper (as discussed in Section 4.1, Wrappers). 2.11 Proxies Proxies should not be allowed if they are not required! If a net proxy is required for file transfer, the proxy must be created on the remote machine, and the required command issued on the local machine. The theory here is that the local machine is less likely to be compromised than an outside machine, and the use of proxies will reduce the instances of access information being transmitted over a network connection. Only allow proxy access to a non-privileged account on the target system. System Mechanisms For Configuring The Machine To Log Activity There are several facilities available to the system administrator to achieve effective logging. Specifically these are accounting and auditing. There is also scope for development of local tools. In this section, I will outline the use of the standard facilities, while homegrown mechanisms will be considered in the next section. Firstly, it will be useful to have a brief look at accounting and auditing. System accounting is a facility for recording information about the use of the machine from a normal system accounting perspective, whereas the system audit logger records similar information, but from a system security perspective. Both of these can be used to construct audit trails of activity. Information from the system audit logger can be gleaned not only from the audit journal, but also from the operator log, as the auditor also sends it's messages to OPCOM. Consider, for example, a situation in which a user (USER1) has made a modification to USER2's entry in the User Authorization File. The audit logger returns the following information: Security alarm (SECURITY) and security audit (SECURITY) on NODE1, system id: 1072 / System UAF record modification Event time: 27-JUL-1993 12:15:17.47 PID: 0000005F Username: USER1 Image name: NODE1$DKA0:[SYS0.SYSCOMMON.][SYSEXE]AUTHORIZE.EXE Object name: SYS$COMMON:[SYSEXE]SYSUAF.DAT;1 Object type: file User record modified: USER2 Fields modified: FLAGS,PRIVILEGES The accounting facility contains this: AUTHORIZE Image Termination --------------------------- Username: USER1 UIC: [STAFF,USER1] Account: STAFF Finish time: 27-JUL-1993 12:15:27.79 Process ID: 0000005F Start time: 27-JUL-1993 12:14:51.23 Owner ID: Elapsed time: 0 00:00:36.56 Terminal name: RTA1: Processor time: 0 00:00:00.22 Remote node addr: 1038 Priority: 4 Remote node name: NODE2 Privilege <31-00>: 10148001 Remote ID: USER2 Privilege <63-32>: 00000040 Queue entry: Final status code: 00000001 Queue name: Job name: Final status text: %SYSTEM-S-NORMAL, normal successful completion Page faults: 238 Direct IO: 32 Page fault reads: 9 Buffered IO: 58 Peak working set: 631 Volumes mounted: 0 Peak page file: 1166 Images executed: 244 Image name: NODE1$DKA0:[SYS0.SYSCOMMON.][SYSEXE]AUTHORIZE.EXE Both facilities tell us that USER1 ran the AUTHORIZE utility successfully under PID 5F at 12:15 pm on 27-Jul- 1993. From the accounting, we can see at a glance where USER1 logged in from. The audit logger tells us exactly what USER1 did whilst running this utility. Consider another example, in which a computer cracker has logged in from an X.25 network address in an attempt to maintain anonymity. The audit server has recorded the following information in the operator log: %%%%%%%%%%% OPCOM 27-Jul-1993 19:38:23.60 %%%%%%%%%%% Message from user AUDIT$SERVER on NODE1 Security alarm (SECURITY) and security audit (SECURITY) on NODE1, system id: 1038 Auditable event: Dialup interactive login Event time: 27-Jul-1993 19:38:23.59 PID: 20205316 Username: USER1 Terminal name: _VTA1514 ({X.25 address deleted}) The system accounting record from the same user logging out returns the following information: LOGINOUT Image Termination -------------------------- Username: USER1 UIC: [STAFF,USER1] Account: STAFF Finish time: 27-Jul-1993 03:36:17.69 Process ID: 20205316 Start time: 27-Jul-1993 19:38:07.19 Owner ID: Elapsed time: 0 07:58:10.50 Terminal name: VTA1514 Processor time: 0 00:00:46.14 Remote node addr: Priority: 4 Remote node name: Privilege <31-00>: 00108000 Remote ID: Privilege <63-32>: 00000000 Queue entry: Final status code: 00000001 Queue name: Job name: Final status text: %SYSTEM-S-NORMAL, normal successful completion Page faults: 4716 Direct IO: 20927 Page fault reads: 208 Buffered IO: 85056 Peak working set: 970 Volumes mounted: 0 Peak page file: 4813 Images executed: 28 Image name: NODE1$DKA0:[SYS0.SYSCOMMON.][SYSEXE]LOGINOUT.EXE The two records act as a useful cross check for each other. The audit logger shows the X.25 address from which the user logged in from (which is not available in this accounting record). The accounting facility shows the length of time that the user was on the system. When this information is collated with the network accounting information, then the cost of the connection can be calculated. Furthermore the accounting records and audit records can be examined to aid in determining the extent of the damage caused by the attacker. 3.1 Accounting Confirm that required system accounting is enabled thus: $ SET ACCOUNTING /ENABLE[=(Keyword...)] The command above enables logging of all activities on the system in the accounting file. Accounting can be enabled to log the following activities. PROCESS any process termination IMAGE image execution INTERACTIVE interactive job termination LOGIN_FAILURE login failures SUBPROCESS subprocess termination DETACHED detached job termination BATCH batch job termination NETWORK network job termination PRINT all print jobs MESSAGE user messages Each day, a new accounting file should be created in order to keep the accounting files of a manageable size, using the command - $ SET ACCOUNTING /NEW_FILE 3.2 Auditing The auditor can be configured to log the following events: ACL Event requested by an Access Control List Item AUTHORIZATION Modification of the system user authorization file BREAKIN Occurrence of a breakin attempt (from various sources) FILE_ACCESS File or global section access (by various methods) INSTALL Occurrence of any INSTALL operation LOGFAILURE Occurrence of a login failure (from various sources) LOGIN A login attempt (from various sources) LOGOUT Occurrence of a logout MOUNT Issuance of a mount or dismount request This is done using SET AUDIT /ENABLE=(keyword[,...]). The /ALARM qualifier is also used to raise an alarm to all terminals enabled as security operators. You can examine the configuration of your system audit server using SHOW AUDIT /ALL. The categories that should be carefully considered are the auditing server characteristics, the alarm failure mode, and the enabled security alarms. Note that within the auditing server characteristics, the default final resource action is to crash the system if the system runs out of virtual memory. This means that if the disk containing the audit journal log is full, the system will crash, thus exposing the system to denial of service attacks. When configuring the audit server, you should carefully consider the final resource action parameter. It can be set using the SET AUDIT command. $ SET AUDIT /SERVER=FINAL_ACTION=action (where action can be one of CRASH, IGNORE_NEW or PURGE_OLD) As with system accounting, a new audit journal should be created each day: $ SET AUDIT /SERVER=NEW_LOG 3.3 FAL and Poor Man's Routing In order to properly explain the step taken in this phase, it is necessary to understand what Poor Man's Routing is, and how it is linked with the File Access Listener (FAL) object and the logical FAL$LOG. The FAL object (File Access Listener) is the DECnet object that allows a remote user to access files on your node. It can be used to browse your node, or perform file transfers. For legitimate users, this is extremely useful - unfortunately, people with malintent also find it useful if your system is not protected. In the context of DECnet networking operations (and specifically FAL), "Poor Man's Routing (PMR) refers to the technique of supplying an explicit path to the required target, rather than letting assigned DECnet routers pick the most optimal path" [Tencati]. When PMR is used, a process is created on each node in the path to forward the connection to the next node in the path. Each of these nodes (including the destination node) only sees the connection from it's path predecessor. It is therefore very difficult to ascertain from the destination node where the connection originated from. The legitimate use of this is in cases where the source node may not know anything about the remote note. Unfortunately, people with malintent can use the properties described above to create a convoluted path to the node they wish to attack (possibly via several timezones and countries) to hide themselves effectively. PMR can also be used to defeat the hiding of DECnet subnets. There is a parameter in the NCP database called the maximum area (see NCP> HELP SET EXECUTOR MAXIMUM AREA). This parameter specifies the largest area number known to an executor's routing layer. If used carefully, this parameter can be used to hide subnets. PMR can be used to circumvent this technique if the attacker has appropriate information about your network design. (The lesson here is to never trust security through obscurity - always rely on robust, proactive methods rather than ignorance.) Ron Tencati's Managing Security in a Multi- Vendor Network gives a good explanation of PMR, and the use of Area Routing. You can configure FAL by use of the logical symbol FAL$LOG. In the machine used in the preparation of this paper, this logical was configured to do two things: * refuse connections made by PMR * supply audit trail information in NETSERVER.LOG files in the case of successful FAL connections. The logical name FAL$LOG translates to a string of the form xx_yy where: * xx is a hexadecimal number representing a longword string value * yy is a hexadecimal number specifying how many bytes of each DAP message are to be displayed in the log file (SYS$OUTPUT:). The hexadecimal flags are: 0001 - log filename/function requests 0002 - log throughput statistics 0004 - log individual DAP messages 0008 - log DAP message packet AST requests (logged at AST level) 0010 - log DAP message packet QIO requests 0020 - reserved 0040 - disable DAP message blocking 0080 - disable DAP CRC error checking In SYS$MANAGER:SYLOGICALS.COM, FAL$LOG should be defined to be the character string "03/DISABLE=8" (See Section 2.4, System Logicals And Logical Definitions). By setting this logical to this value, the following is achieved: * PMR is disabled ("/DISABLE=8") * filename/function requests and throughput statistics are logged (the setting "03" being the addition of "01" and "02" Consider an example where NODE1::USER1 is executing a directory on NODE2::USER2's home directory. In the file NETSERVER.LOG in USER2's directory, we would see the following results. With no definition for FAL$LOG: -------------------------------------------------------- Connect request received at 28-JUL-1993 15:36:45.78 from remote process NODE1::"0=USER1" for object "SYS$COMMON:[SYSEXE]FAL.EXE" -------------------------------------------------------- With FAL$LOG defined to be "03/DISABLE=8", extra information is appended: -------------------------------------------------------- Connect request received at 28-JUL-1993 15:55:40.28 from remote process NODE1::"0=USER1" for object "SYS$COMMON:[SYSEXE]FAL.EXE" -------------------------------------------------------- ======================================================== FAL V5.1-D3 started execution on 28-JUL-1993 15:55:41.12 with SYS$NET = NODE1::"0=USER1" and with FAL$LOG = 03 Logical link was established on 28-JUL-1993 15:55:41.13 Requested file access operation: Directory List Specified file: DISKE:[USER2]L*.*;* Resultant file: DISKE:[USER2]LOGIN.COM;3 Resultant file: DISKE:[USER2]LWK_PERSONAL.LINKBASE;1 Logical link was terminated on 28-JUL-1993 15:55:41.18 Total connect time for logical link was 0 00:00:00.05 Total CPU time used for connection was 0 00:00:00.02 File Access Statistics for RECV-Side XMIT-Side Composite -------------------------- --------- --------- -------- # DAP Message QIO Calls 2 2 4 # DAP Messages Exchanged 2 14 16 # User Records/Blocks 0 0 0 NETSERVER.LOG (continued) # Bytes of User Data 0 0 0 # Bytes in DAP Layer 49 310 359 User Data Throughput (bps) 0 0 0 DAP Layer Throughput (bps) 7840 49600 57440 Average Record/Block Size 0 0 0 % User Data in DAP Layer 0.0% 0.0% 0.0% -------------------------- --------- --------- --------- Negotiated DAP buffer size = 1060 bytes Buffered I/O count during connection = 13 Direct I/O count during connection = 0 Peak working set size for process = 470 pages Successful Start Transaction Branch = 0 Start Transaction Branch loops = 0 FAL terminated execution on 28-JUL-1993 15:55:41.21 ======================================================== Using Homegrown Or Publicly Available Software 4.1 Wrappers A "wrapper" is a piece of software that monitors an attempt to use a service, and based on the details about the source of the attempt (such as remote host and user, time, and connection type), determine whether to allow the use of the service or not. This is the feature that a wrapper has available to it over and above standard system logging software: the use of the wrapper gives the system manager freedom to make decisions whether to allow the use of the machine from a remote site in addition to simply logging that use. Wrappers should be constructed for the NML and FAL objects, and also for interactive logins. Section 2.1.2, SYLOGIN.COM and Section 2.3.2, Objects gives the details on how to install these wrappers. Because the NML and FAL wrappers need to handle DECnet connections only, they are more simple than the interactive login wrapper. The DECnet object wrappers evaluate the connection by comparing the remote node and user combination against a set of rules. The set of rules is described in two files: AllowFile which describes which combinations may make the connection, and DenyFile which describes which combinations may not make the connection. Wildcards are allowed. The general algorithm is: Main () { RemoteUser = f$trnlnm("SYS$REM_ID") RemoteNode = f$trnlnm("SYS$REM_NODE") ConnectionOkay = CheckRules(RemoteNode, RemoteUser) if (ConnectionOkay = Allow) /* ConnectionOkay = Allow|Deny */ then write successful connection record to wrapper log request/to=(network,security) "<Succesful connection details>" run SYS$SYSTEM:FAL.EXE else write failed connection record to wrapper log request/to=(network,security) "<Failed connection details>" logout endif } end Main CheckRules (RemoteNode, RemoteUser) { if ((result = CheckCombination(RemoteNode, RemoteUser)) != Unknown) then return result if ((result = CheckCombination(RemoteNode, "*")) != Unknown) then return result if ((result = CheckCombination("*", "*")) != Unknown) then return result return Deny } end CheckRules CheckCombination (RemoteNode, RemoteUser) { Search AllowFile for RemoteNode::RemoteUser if found then return Allow Search DenyFile for RemoteNode::RemoteUser if found then return Deny return Unknown } end CheckCombination The search commands used above should be such that a wildcard search matches the literal "*" in a file, not any string (in a similar manner to the VMS "SEARCH" command). Hence the wildcard value of "*" is placed in the file by the system manager. The general philosophy that should be adopted is to use a blanket denial (a single line of "*::*" in the deny file) with specific allowed node::user combinations in the allow file. The interactive connection wrapper is similar, with only a slightly more complicated top level algorithm: Main () { | Establish RemoteUser | Establish RemoteNode ConnectionOkay = CheckRules(RemoteNode, RemoteUser) if (ConnectionOkay = Allow) /* ConnectionOkay = Allow|Deny */ then write successful connection record to wrapper log request/to=(network,security) "<Succesful connection details>" | exit(Success) else write failed connection record to wrapper log request/to=(network,security) "<Failed connection details>" | exit(Failure) endif } end Main The main problem here is to establish remote user and node identities. Interactive access may take place using DECnet, LAT, TCP/IP and so on. System values used to find this information are: * F$TRNLNM("SYS$REM_ID") * F$TRNLNM("SYS$REM_NODE") * F$GETDVI("SYS$COMMAND","TT_ACCPORNAM") * the DECnet database * the local terminal type of the connection * information from F$TRNLNM("DECW$DISPLAY") Connections are then evaluated not only on remote node and user (if provided by the protocol), but also by the protocol used for the connection and local characteristics (such as the time). It is important to note that any reading from AllowFile or DenyFile, and writing to the wrapper log should be carried out by installed, protected images, and that the command file(s) and executable(s) used are writeable only by system privileged accounts. This prevents modification of behaviour and recorded results by potential attackers. Example code and configuration files appear in Appendix 3, Wrapper Example. 4.2 Single Use PINs A Personal Identification Number (PIN) is simply the numerical equivalent of a text-based password. Unlike a normal password system, though, a single use PIN relies on algorithmic knowledge rather than static value knowledge. The system works thus: when a user logs in, system and user passwords must be supplied as described in previous sections. A numerical challenge is then issued. The user must supply the correct reply to this challenge, or the login will be denied. The correct reply is some permutation of the original challenge. The challenge must be randomly generated, so that every time the user logs in, a different numerical challenge is supplied, requiring a unique reply - only the algorithm used to deduce the reply from the challenge is static. Furthermore, this algorithm is different for each user. The software which issues the challenge and receives the reply must be robust, so that an attacker cannot simply "crash" the software and hence bypass this mechanism. Such systems are available commercially. A smart-card is usually supplied with such systems. The user keys the challenge supplied by the host into the smartcard using the keypad. The smartcard then displays the response, and the user enters this as the reply to the host. A cheaper alternative is to write such a system locally, fulfilling all of these criteria. A usage policy must be in place to effectively manage this system. 4.3 Terminal Monitors Terminal monitors are useful utilities for providing help to users who may be working remotely, or may not be reachable by telephone and require some type of help in real-time (i.e. electronic mail would not suffice). Where such utilities are available on the system, they must be adequately protected to ensure that unauthorised users can neither use them nor copy them. Care must be taken to ensure that explicit permission is sought by the legitimate users concerned or a relevant authority when such a utility is used. Similar principles apply when using system software for capturing a process's recall buffer in order to examine the commands issued by that process. Monitoring The Use Of The Machine It is essential to carry out monitoring on any machine in order to evaluate the health of the system. In addition to checks that should be carried out on a regular basis, steps should be taken to be allow for investigation of unusual security related events as soon as possible. 5.1 The SHOW INTRUSION Command Use the command SHOW INTRUSION regularly. This command displays the contents of the break-in database, providing a quick technique for checking if there have been attempts to break into your system in the immediate past. When using the SHOW INTRUSION command, you must first get some idea if the host has detected any potential breakins: $ SET PROC/PRIV=(CMKRNL,SYSPRV) $ SHOW INTRUSION Intrusion Type Count Expiration Source NETWORK SUSPECT 6 16:32:23.03 NODE2::USER2 TERM_USER SUSPECT 3 16:18:14.16 USER1 In this case, there are two suspect incidents. The records below show that the first was an attempt by USER2 on node NODE2 to login as USER1 on the local host (NODE1) via DECnet. The second is an attempt to login as USER1 on the local host using telnet from NODE3 (which in this case was actually the localhost - 127.0.0.1). The accounting records show the following: LOGIN FAILURE ------------- Username: USER1 UIC: [SYSTEM] Account: <login> Finish time: 3-AUG-1993 16:02:28.80 Process ID: 2080D073 Start time: 3-AUG-1993 16:02:19.59 Owner ID: Elapsed time: 0 00:00:09.21 Terminal name: RTA3: Processor time: 0 00:00:00.23 Remote node addr: 1038 Priority: 4 Remote node name: NODE2 Privilege <31-00>: 0010C000 Remote ID: USER2 Privilege <63-32>: 00000000 Queue entry: Final status code: 10D380FC Queue name: Job name: Final status text: %LOGIN-F-INVPWD, invalid password Page faults: 234 Direct IO: 24 Page fault reads: 5 Buffered IO: 40 Peak working set: 287 Volumes mounted: 0 Peak page file: 1474 Images executed: 1 LOGIN FAILURE ------------- Username: USER1 UIC: [SYSTEM] Account: <login> Finish time: 3-AUG-1993 16:03:20.85 Process ID: 2080D878 Start time: 3-AUG-1993 16:03:11.77 Owner ID: Elapsed time: 0 00:00:09.08 Terminal name: VTA3959 Processor time: 0 00:00:00.21 Remote node addr: Priority 4 Remote node name: Privilege <31-00>: FFFFFFFF Remote ID: Privilege <63-32>: FFFFFFFF Queue entry: Final status code: 10D380FC Queue name: Job name: Final status text: %LOGIN-F-INVPWD, invalid password Page faults: 235 Direct IO: 18 Page fault reads: 5 Buffered IO: 41 Peak working set: 284 Volumes mounted: 0 Peak page file: 1474 Images executed: 1 The audit records show the following: Security alarm (SECURITY) and security audit (SECURITY) on NODE1, system id: 1072 / Remote interactive login failure Event time: 3-AUG-1993 16:02:19.59 PID: 00000D33 Username: USER1 Terminal name: _RTA1: Remote nodename: NODE2 Remote node id: 1184 Remote username: USER2 Status: %LOGIN-F-INVPWD, invalid password Security alarm (SECURITY) and security audit (SECURITY) on NODE1, system id: 1072 / Remote interactive login failure Event time: 3-AUG-1993 16:03:11.77 PID: 00000CB4 Username: USER1 Terminal name: _TNA7: Remote nodename: 127.0. Remote node id: 2130706433 Remote username: TELNET_7F000001 Status: %LOGIN-F-INVPWD, invalid password Note that the remote nodename is always truncated to six characters. The remote node id is a numerical representation of the remote address. Notice from the failed telnet login above that the remote username is given as TELNET_7F000001. This equates to the IP address 127.0.0.1 thus: 7 * 16 + F = 127 0 * 16 + 0 = 0 0 * 16 + 0 = 0 0 * 16 + 1 = 1 Hence if this attempt had come from the Network Information Centre (nic.ddn.mil, Internet address 192.112.36.5), the remote username would have appeared TELNET_C0702405. 5.2 Daily Activities A batch file must be written in order to carry out regular activities on a daily basis. Amongst these activities should be various checks on log files. These are listed below. $ SEARCH/OUTPUT=BREAKIN_CHECK.TMP SYS$MANAGER:OPERATOR.LOG;-1 - "Security alarm"/WINDOW=(3,8) $ ANALYZE/AUDIT/BRIEF/SUMMARY/NOINTERACTIVE/OUTPUT=BREAKIN_CHECK.TMP - SYS$MANAGER:SECURITY_AUDIT.AUDIT$JOURNAL;-1 $ ACCOUNT/LOG/SORT=(TYPE,STARTED)/OUTPUT=BREAKIN_CHECK.TMP ACCOUNTNG;-1 Any one of these can be used for obtaining information about the life of the system. The amount and type of information required should be used to determine which. When any record from the output of these files reveals an incident that appears unusual, then further checking is required. The daily summary returned by any one of the commands above should only be used to indicate that this action is required - you should not rely on just the summary information returned by these commands. $ SHOW AUDIT/ALL/OUTPUT=AUDIT_CHECK.TMP Check daily that the security auditing characteristics you require are in place, and have not been changed. $ ANALYZE/ERROR/SINCE="-1 0:0:0.0"/OUTPUT=ERROR_CHECK.TMP Examine the error log daily as well. This will not necessarily alert you to a security incident, but it will draw your attention to any system problems that could potentially hinder your efforts to recover from disaster. (You could also put the "SHOW ERROR" command in your LOGIN.COM file.) $ MAIL/NOSELF/NOEDIT LOCAL$WRAP:INTERACTIVE.LOG - "@SYS$SYSROOT:[SYSMGR.MAIL]DAILY_BATCH.DIS" - /SUBJECT:"Logged interactive logins" Wrappers were discussed in Section 4.1, Wrappers. As part of your daily checking, you should mail to yourself, and other relevant users, the output from these wrappers on a daily basis. The example above mentions only output from the interactive wrapper log - the implication is that all logs should be checked. 5.3 Having a Live Console Don't rely simply on on-line sinks (such as OPERATOR.LOG) for your security oriented output. In the event of a system compromise, it is quite likely that an attacker will attempt to delete or modify information in system files. A good idea is to enable a security operator's terminal. In addition to (or even instead of) the normal system console (usually OPA0:), you should consider using a security operator's terminal one that provides hardcopy output and is located in a secure location. (A word of caution: even an unsuccessful attack could seriously disrupt your system if the hardcopy printer runs out of paper.) Using the example from the Guide to VMS System Security manual, consider an example where such a terminal (TTA3:) has been designated, and security messages are to be disabled on the console. This can be achieved thus: $ DEFINE/USER SYS$COMMAND OPA0: $ REPLY/DISABLE=SECURITY $ DEFINE/USER SYS$COMMAND TTA3: $ REPLY/ENABLE=SECURITY You can, of course, enable other message classes to this terminal as well. Acknowledgements Most of the undocumented material in this paper is a mixture of my own work and other material that has been passed on to me by various colleagues at The University Of Queensland. The original idea for the wrapper was inspired by Ron Tencati, and Wietse Venema's public domain tcp_wrapper for UNIX systems. References VAX/VMS Documentation manuals: DEC TCP/IP Services for VMS System Management Guide to VAX/VMS System Security Access Control List Editor Utility Accounting Utility Audit Analysis Utility Authorize Utility Guide to Maintaining a VMS System Network Control Program Manual Networking Manual Ron Tencati, Ken Coar and E Eugene Schultz Managing Security in a Multi-Vendor Network, 1992 Appendix 1 SERT Advisory SA-93.03, Suggested Login Banner ============================================================================= SA-93:03A SERT Advisory 31-May-1993 Suggested Login Banner ----------------------------------------------------------------------------- On 7-May-1993, the Security Emergency Response Team released Advisory SA-93:03. Since then, it has been brought to our attention that the word "permission" could be considered ambiguous as Unix file systems use "permission" bits to specify if access is granted to a file or not. Further advice from the Commonwealth Director of Public Prosecutions indicates: "'Permit' does seem to include a meaning of 'allow or let happen even by accident or carelessness'." "'Authority' or 'authorisation' suggest that someone has deliberately turned their mind to an action and formally approved that action." "In light of the fact that there does appear to be a difference in meaning between words 'permit or permission' and 'authority or authorisation' and the fact that computer scientists refer to 'permission' bits on Unix files, it does appear desirable that the words 'authority' or 'authorisation' be used instead of the word 'permission'." Therefore, the Security Emergency Response Team has reissued SA-93:03 as SA-93:03A taking into account the new recommendations. The new Advisory is included below. ---------------------------------------------------------------------------- The SERT team wishes to thank Kate Lance at the University of Newcastle for bringing this problem to our attention. ---------------------------------------------------------------------------- ---------------------------------------------------------------------------- Body of SERT Advisory SA-93:03A ---------------------------------------------------------------------------- The Security Emergency Response Team has received information that a successful prosecution of a computer cracker has taken place in New South Wales. The prosecution was aided by the use of an appropriate login banner. The following is an extract from a letter by the Australian Federal Police: "A major factor, commented upon by the magistrate, was the repeated warning message displayed at logon to your system. Your agreement to implement this feature has certainly started to pay dividends and demonstrates a certain willingness to accept [that] tertiary institutions are not fair game." A recommended login banner is: ----- Warning Message ----- ***** This service is for authorised clients only *****