HP OpenVMS Systems Documentation
OpenVMS Guide to System Security
|NETOBJECT.DAT||Contains the DECnet object database. Among the information contained in this file is the list of known DECnet server accounts and passwords.|
|Contains the network proxy database. This file is maintained by the Authorize utility (AUTHORIZE).|
|QMAN$MASTER.DAT||Contains the master queue manager database. This file contains the security information for all shared batch and print queues. If two or more nodes intend to participate in a shared queuing system, a single copy of this file must be maintained on a shared disk.|
|RIGHTSLIST.DAT||Contains the rights identifier database. This file is maintained by AUTHORIZE and by various rights identifier system services.|
|SYSALF.DAT||Contains the system autologin file. This file is maintained by the System Management utility (SYSMAN).|
|SYSUAF.DAT||Contains the system user authorization file. This file is maintained by AUTHORIZE and modifiable through the Set User Authorization Information ($SETUAI) system service.|
|SYSUAFALT.DAT||Contains the system alternate user authorization file. This file serves as a backup to SYSUAF.DAT and is enabled through the SYSUAFALT system parameter.|
|VMS$OBJECTS.DAT||Contains the cluster-visible object database. Among the information contained in this file are the security profiles for all cluster-visible objects.|
Although Compaq does not require that the files listed in Table 11-2 be common to all cluster members, it does recommend that the data in the files be fully synchronized. Table 11-3 explains how to coordinate these files and suggests possible consequences of poor synchronization.
Some of the recommended files are created only on request and may not exist in all configurations. Note that a file may be absent on one node only if it is absent on all other nodes. As soon as any required file is created on one node, it must be created or commonly referenced on all remaining cluster members.
|VMS$AUDIT_SERVER.DAT||Contains information related to security auditing, such as enabled security-auditing events and the destination of the system security audit log file.|
|VMS$PASSWORD_HISTORY.DATA||Contains the system password history database. This file is maintained by the SET PASSWORD utility.|
|VMSMAIL_PROFILE.DATA||Contains the system mail database. This file is maintained by the Mail utility (MAIL). It holds mail profiles for all system users as well as a list of all mail forwarding addresses in use on the system.|
|VMS$PASSWORD_DICTIONARY.DATA||Contains the system password dictionary. The system password dictionary is a list of English words and phrases that cannot be used as account passwords.|
|VMS$PASSWORD_POLICY||Contains any site-specific password filters. This file is created and installed by the security administrator or system manager. (See Section 220.127.116.11 for details on password filters.)|
Using shared files is not the only way of achieving a single security domain. Some sites may have requirements for multiple copies of one or more of these system files on different nodes in a cluster. As long as the security information available to each node in the cluster is exactly the same, these sites operate in a single security domain.
Table 11-3 lists the files that require coordination, explains when to update these files, and suggests possible consequences of poor synchronization.
|File||Coordination Required||Result of Poor Synchronization|
|VMS$AUDIT_SERVER.DAT||Update after any SET AUDIT command.||Possible partitioning of auditing domains|
|NETOBJECT.DAT||Update all versions after any NCP SET OBJECT or DEFINE OBJECT command.||Unexplained network login failures and unauthorized network access|
|Update all versions after any AUTHORIZE proxy command.||Unexplained network login failures and unauthorized network access|
|RIGHTSLIST.DAT||Update all versions after any change to any identifier or holder records.||Possible unauthorized system access and unauthorized access to protected objects|
|SYSALF.DAT||Update all versions after any SYSMAN ALF command.||Unexplained login failures and unauthorized system access|
|SYSUAF.DAT||Update all versions so the fields listed in Table 11-4 are synchronized for each user record.||Possible unexplained login failures and unauthorized system access.|
|SYSUAFALT.DAT||Update all versions after any change to any authorization records in this file.||Possible unexplained login failures and unauthorized system access|
|VMS$OBJECTS.DAT||Update all versions after any change to the security profile of a cluster-visible object or after new cluster-visible objects are created. (See Section 11.5 for details.)||Possible unauthorized access to protected objects|
|VMSMAIL_PROFILE.DATA||Update all versions after any changes to mail forwarding parameters.||Possible authorized disclosure of information|
|VMS$PASSWORD_HISTORY.DATA||Update all versions after any password change.||Possible violation of the system password policy|
|VMS$PASSWORD_DICTIONARY.DATA||Update all versions after any site-specific additions.||Possible violation of the system password policy|
|VMS$PASSWORD_POLICY||Install common version on all nodes.||Possible violation of the system password policy|
On a cluster, all elements of the user authorization data should exist in a common database. These authorization elements include the system user authorization files (SYSUAF.DAT and its backup SYSUAFALT.DAT), the rights database (RIGHTSLIST.DAT), the network authorization file (NETPROXY.DAT) and its object database file (NETOBJECTS.DAT), which are present on all OpenVMS systems, and optionally, the autologin file, SYSALF.DAT.
A secure cluster requires that the authorization data be synchronized across all nodes. If a site chooses to maintain multiple versions of these files, then you must synchronize the data. Each user should have the same UIC, group number, and set of identifiers defined on every node. Coordination of privileges and access rights is also critical. A shared disk is protected only as much as its least protected node. If you maintain separate authorization files on each node in the cluster, ensure that user privileges are common across all copies of the system user authorization file (SYSUAF.DAT). Table 11-4 lists the fields of SYSUAF.DAT that must be identical on each node.
|Internal Name||$SETUAI Item Code|
Use SYSMAN if you choose to create an autologin file and maintain the
file in the common authorization database with your authorization files
and rights database. On clustered systems, the autologin file must
include the cluster node name as a prefix to the terminal name. For
example, the terminal TTA0 on node WILLOW would be represented as
WILLOW$TTA0. See Section 11.8 for an overview of SYSMAN.
11.4 Managing the Audit Log File
The audit server database VMS$AUDIT_SERVER.DAT contains information about events to be audited, the location of the audit log file, and information used to monitor its consumption of resources.
The audit log file resides in SYS$COMMON:[SYSMGR]. If you should decide
to redirect the audit log off the system disk, it is important to
redirect it uniformly across all nodes on the cluster. You use the
command SET AUDIT/JOURNAL=SECURITY/DESTINATION=filename. Make
sure that the file name you assign resolves to the same file throughout
the cluster, not a file unique to each node. The OpenVMS Cluster
Systems Manual describes the procedure in detail.
11.5 Protecting Objects
A single security domain is one in which each cluster member must make the same access control decision when presented with a particular user's access request for a particular object. The operating system provides this level of protection for files, queues, and other cluster-visible objects such as devices, disk and tape volumes, and resource domains. Table 11-5 summarizes the behavior of each object class and explains where each stores security profiles. See Chapter 5 for a description of each object class.
|Class||Visibility in Cluster||Location of Profile|
|Capabilities||Visible only to local node.||Stored on local node.|
Some can be visible
|Profiles stored in VMS$OBJECTS.|
|Files||Visible clusterwide.||Stored in file header.|
|Global sections||Visible only to local node.||Stored on local node.|
|Logical name tables||Visible only to local node.||Stored on local node.|
|Queues||Visible clusterwide.||Stored in job-controller queue database (see Table 11-1).|
|Resource domains||Visible clusterwide.||Stored in VMS$OBJECTS.|
|Security class||Visible clusterwide.||Stored in VMS$OBJECTS.|
|Volumes||Can be visible clusterwide.||Stored on the volume.|
The audit server creates and maintains the security elements of clusterwide objects in a database called VMS$OBJECTS.DAT, located in SYS$COMMON:[SYSEXE]. You should ensure that the object database is present on each node in the cluster by specifying a file name that resolves to the same file through the cluster, not to a file that is unique to each node.
To reestablish the logical name after each system boot, define the logical in SYSECURITY.COM. The command procedure SYSECURITY.COM has to be defined before the audit server starts up.
The object database contains the following information:
This database is updated whenever characteristics are modified, and the information is distributed so that all nodes participating in the cluster share a common view of the objects.
You cannot change security profiles or create protected objects when
the object server is absent and cannot update the cluster database
VMS$OBJECTS.DAT. However, you can modify the system parameter
SECURITY_POLICY to allow security profile changes to protected objects
on a local node (bit 4) or the creation of protected objects on a local
node (bit 5).
11.7 Cluster-Wide Intrusion Detection
Cluster-wide intrusion detection extends protection against attacks of all types throughout the cluster. Intrusion data and information from each system is integrated to protect the cluster as a whole.
You can set the SECURITY_POLICY system parameter on the member systems in your cluster to maintain either a local or a cluster-wide intrusion database of unauthorized attempts and the state of any intrusion events.
If bit 7 in SECURITY_POLICY is cleared, all cluster members are made aware if a system is under attack or has any intrusion events recorded. Events recorded on one system can cause another system in the cluster to take restrictive action. (For example, users attempting to log in are monitored more closely and are limited to a certain number of login retries within a limited period of time. Once users exceed either the retry or time limitation, they cannot log in.)
For information on the system services $DELETE_INTRUSION, $SCAN_INTRUSION, and $SHOW_INTRUSION, see the OpenVMS System Services Reference Manual.