HP OpenVMS Systems Documentation
OpenVMS Guide to System Security
This glossary provides definitions of security-related terms used in
access control: Restrictions on the ability of a
subject (user or process) to use the system or an object in the
computing system. Authentication of the user name and password controls
access to the system, while protection codes, access control lists, and
privileges regulate access to protected objects in that system.
access control entry (ACE): An entry in an access
control list (ACL). Access control entries may specify identifiers and
the access rights to be granted or denied the holders of the
identifiers, default protection for directories, or security details.
ACLs for each object can hold many entries, limited only by overall
space and performance considerations. See also access control list,
access control list (ACL): A list that defines the
kinds of access to be granted or denied to users of an object. Access
control lists can be created for all protected objects such as files,
devices, and logical name tables. Each ACL consists of one or more
entries known as access control entries (ACEs). See also access
access control string: A character string used in
remote logins. It consists of the user name for the remote account and
the user's password enclosed within quotation marks.
access matrix: A table that lists subjects on one axis
and objects on the other. Each crosspoint in the matrix thus represents
the access that one subject has to one object.
access type: The capability required to perform an
operation on a protected object. OpenVMS security policy can require
multiple capabilities to complete an operation. The most commonly
accessed object, a file, can require read, write, execute, delete, or
ACE: See access control entry.
ACL: See access control list.
ACL editor: An OpenVMS utility that helps users create
and maintain access control lists. See also access control
alarm: See security alarm.
ALF file: See automatic login.
alphanumeric UIC: A format of a user identification
code (UIC). The group and member names can each contain up to 31
alphanumeric characters, at least one of which is alphabetic. The other
format of a UIC is numeric: it contains a group number and a member
number. See also user identification code, numeric UIC.
attribute: In the security context, a characteristic
of an identifier or the holder of an identifier. Attributes can enhance
or limit the rights granted with an identifier; for example, a user
holding an identifier with the Resource attribute can charge disk space
to the identifier.
audit: See security audit.
auditing: Recording the occurrence of
security-relevant events as they occur on the system and, later,
examining system activity for possible security violations or improper
use of the system. Security-relevant events include activities such as
logins, break-ins, changes to the authorization database, and access to
protected objects. Event messages can be sent as alarms to an operator
terminal or written as audit records to a log file. See also
security audit, security alarm.
audit trail: A pattern of security-relevant activity
sometimes found in the audit log file. The audit log file maintains a
record of security-relevant events, such as access attempts, successful
or not, as required by the authorization database. See also
authentication: The act of establishing the identity
of users when they start to use the system. OpenVMS systems (and most
other commercial operating systems) use passwords as the primary
authentication mechanism. See also password.
authorization database: A database that contains the
security attributes of subjects and objects. From these attributes, the
reference monitor determines what kind of access (if any) is authorized.
authorization file: See system user authorization
automatic login: A feature that permits users to log
in without specifying a user name. The operating system associates the
user name with the terminal (or terminal server port) and maintains
these assignments in the file SYS$SYSTEM:SYSALF.DAT, referred to as the
automatic login file or the ALF file.
breach: A break in the system security that results in
access to system resources or objects in violation of the system's
break-in attempt: An effort made by an unauthorized
source to gain access to the system. Because the first system access is
achieved through logging in, intrusion attempts primarily refer to
attempts to log in illegally. These attempts focus on supplying
passwords for users known to have accounts on the system through
informed guesses or other trial-and-error methods. See also evasive
C2 system: A U.S. government rating of the security of
an operating system; it identifies an operating system as one that
meets the criteria of a Division C, class 2 system.
capability: A resource to which the system controls access; currently, the only defined capability is the vector processor.
OpenVMS security policy protects vector processors from improper
access. An operation can require use or control access.
captive account: A type of account that confines the
user to the captive login command procedure. The use of Ctrl/Y is
disabled. If errors in the captive command procedure cause the
procedure to terminate and attempt to return the user to the DCL
command level, the process is deleted. (This type of account is
synonymous with a turnkey or tied account.)
common event flag cluster: A set of 32 event flags that enable cooperating processes to post event notifications to each other.
OpenVMS security policy protects common event flag clusters from
improper access. An operation can require associate, delete, or control
control access: The right to modify an object's
security profile. Control access is granted explicitly in an ACL and
implicitly in a protection code. (All users qualifying for system or
owner categories have control access.)
decryption: The process that restores encoded
information to its original unencoded form. The information was encoded
by using encryption.
Default attribute: An option added to an ACE that
indicates the ACE is to be included in the ACL of any files created
within a directory. When the entry is propagated, the Default attribute
is removed from the ACE of the created file. An Identifier ACE with the
Default attribute has no effect on access. See also access control
entry, Identifier ACE.
device: A class of peripherals connected to a processor that are capable of receiving, storing, or transmitting data.
OpenVMS security policy protects devices from improper access. An
operation can require read, write, physical, logical, or control access.
discretionary controls: Security controls that are
applied at the user's option; that is, they are not required. Access
control lists (ACLs) are typical of such optional security features.
Discretionary controls are the opposite of mandatory controls.
disk scavenging: Any method of obtaining information
from a disk that the owner intended to discard. The information,
although no longer accessible to the original owner by normal means,
retains a sufficient amount of its original magnetic encoding that it
can be retrieved and used by one of the scavenging methods. See also
erase-on-allocate, erase-on-delete, erasure
encryption: A process of encoding information so that
its content is no longer immediately obvious to anyone who obtains a
copy of it. The information is decoded using decryption.
environmental identifier: One of four classes of
identifiers. Environmental identifiers are provided by the system to
identify groups of users according to their usage of the system.
Environmental identifiers correspond to login classes. For example, all
users who access the system by dialing up receive the dialup
identifier. See also identifier.
erase-on-allocate: A technique that applies an erasure
pattern whenever a new area is allocated for a file's extent. The new
area is erased with the erasure pattern so that subsequent attempts to
read the area can yield only the erasure pattern and not some valuable
remaining data. This technique is used to discourage disk scavenging.
See also disk scavenging, erase-on-delete,
erasure pattern, high-water marking.
erase-on-delete: A technique that applies an erasure
pattern whenever a file is deleted or purged. This technique is used to
discourage disk scavenging. See also disk scavenging,
erase-on-allocate, erasure pattern.
erasure pattern: A character string that can be used
to overwrite magnetic media for the purpose of erasing the information
that was previously stored in that area.
evasive action: A responsive behavior performed by the
operating system to discourage break-in attempts when they appear to be
in progress. The operating system has a set of criteria it uses to
detect that an intrusion attempt may be underway. Typically, once the
operating system becomes suspicious that an unauthorized user is
attempting to log in, the evasive action consists of locking out all
login attempts by the offender for a limited period of time.
event classes: Categories of security-relevant events.
The operating system audits several event classes by default, and the
security administrator can enable additional ones, if desired.
event messages: In terms of security, any notification
that has to do with a user's access to the system or to a protected
object within the system. The operating system can record both
successful and unsuccessful events so the security administrator can
know when security-relevant activity occurs on the system.
facility identifier: An identifier whose binary value
contains the facility code of the application defining the identifier.
See also identifier.
file: A set of data elements arranged in a structure significant to the user. A file is any named, stored program or data, or both, to which the system has access. Access can be of two types: read-only, meaning the file is not to be altered, and read/write, meaning the contents of the file can be altered. See also volume.
OpenVMS security policy protects files from improper access. An
operation can require read, write, execute, delete, or control access.
file encryption: See encryption.
general identifier: One of four possible types of
identifiers that specify one or more groups of users. The general
identifier is alphanumeric and typically is a convenient term that
symbolizes the function of the group of users. For example, typical
general identifiers might be PAYROLL for all users allowed to run
payroll applications or RESERVATIONS for operators at the reservations
desk. See also identifier.
global section: A shared memory area (for example,
Fortran global common) potentially available to all processes in the
system. A global section can provide access to a disk file (called a
file-backed global section), provide access to dynamically created
storage (called a page file-backed global section), or provide access
to specific physical memory (called a page frame number [PFN] global
section). See also group global section, system global section.
group: A set of users in a system. Any user whose
group UIC is identical to the group UIC of the object qualifies for the
access rights granted through a protection code. The group name appears
as the first field of a user identification code (UIC): [group,member].
group global section: A shareable memory section potentially available to all processes in the same group.
OpenVMS security policy protects group global sections from improper
access. Operations on file-backed sections require read, write,
execute, delete, or control access. Operations on other types of
sections require read, write, execute, or control access. See also
global section, system global section.
group number: The number or its alphanumeric
equivalent in the first field of a user identification code (UIC):
Hidden attribute: An option added to an access control
entry that indicates the ACE should be changed only by the application
that adds it. Although the Hidden attribute is valid for any ACE type,
its intended use is to hide Application ACEs. See also access
high-water mark: A mark identifying the highest file
address written, beyond which the user cannot read.
high-water marking: A technique for discouraging disk
scavenging. This technique tracks the furthest extent that the owner of
a file has written into the file's allocated area (the high-water
mark). It then prohibits any attempts at reading beyond the written
area, on the premise that any information that exists beyond the
currently written limit is information some user had intended to
discard. The operating system accomplishes the goals of high-water
marking with a combination of true high-water marking and an
erase-on-allocate strategy. See also erase-on-allocate.
holder: A user who possesses a particular identifier.
Users and the identifiers they hold are recorded in the rights
database. Whenever an object requires an accessor to hold an
identifier, the system checks the process rights list (which is built
from the rights database) in processing the access request.
identifier: An alphanumeric string representing a user
or group of users recorded in the rights database and used by the
system in checking access requests. There are four types of
identifiers: environmental, facility, general, and UIC. See also
environmental identifier, facility identifier, general identifier,
resource identifier, UIC identifier.
Identifier ACE: An access control entry that controls
the type of access allowed to a particular user or group of users.
journal: Name of the auditing log file where the
system records events with security implications, such as logins,
break-ins, or changes to the authorization database.
locked password: A password that cannot be changed by
the account's owner. Only system managers or users with the SYSPRV
privilege can change locked passwords.
log: A record of performance or system-relevant events.
logical I/O access : Right to perform a set of I/O
operations that allow restricted direct access to device-level I/O
operations using logical block addresses.
logical name table: A shareable table of logical names and their equivalence names for the operating system or a particular group.
OpenVMS security policy protects logical name tables from improper
access. An operation can require read, write, create, delete, or
login: The series of actions involved in
authenticating a user to the system and creating a process that runs on
the user's behalf.
login class: A user's method of logging into the
system. System managers can control system access based on the login
class: local, dialup, remote, batch, or network.
mandatory controls: Security controls that are imposed
by the system upon all users. There are no examples of mandatory
controls within the OpenVMS system. Access controls on this operating
system are optional (discretionary).
NETPROXY: See network proxy authorization
network proxy authorization file (NETPROXY.DAT or NET$PROXY.DAT
[VAX only]): A file containing an entry for each user
authorized to connect to the local system from a remote node in the
nondiscretionary controls: See mandatory
nonprivileged: Describes a type of account with no
privilege other than TMPMBX and NETMBX and a user identification code
(UIC) greater than the system parameter MAXSYSGROUP.
Nopropagate attribute: An option added to an access
control entry that indicates the ACE cannot be copied by operations
that usually propagate ACEs, such as SET SECURITY/LIKE. See also
access control entry.
numeric UIC: A format of a user identification code
(UIC) that specifies the user's group and member number in numeric
form. The group number is an octal number in the range of 1 through
37776; the member number is an octal number in the range of 0 through
object: A passive repository of information to which
the system controls access. Access to an object implies access to the
information it contains. See also capability, common event flag
cluster, device, file, group global section, logical name table, queue,
resource domain, security class, system global section, volume.
object class: A set of protected objects with common
characteristics. For example, all files belong to the file class;
whereas all devices belong to the device class.
object security profile: A set of security elements
that defines access requirements. The elements include an owner (UIC),
a UIC-based protection code, and, possibly, an ACL. See also access
control list, owner, protection code.
open accounts: Accounts that do not require passwords.
operator terminal: A terminal attended by a system
operator. The system can send system event messages to the terminal,
provided the event class is enabled.
owner: A user with the same user identification code
(UIC) as the protected object. An owner always has control access to
the object and can therefore modify the object's security profile. When
the operating system processes an access request from an owner, it
considers the access rights in the owner field of a protection code.
password: A character string that users provide at
login time to validate their identity and as a form of proof of their
authorization to access the account. There are system passwords and
user passwords. User passwords include both primary and secondary
passwords. See also primary password, secondary password, system
password, user password.
physical I/O access: The right to perform a set of I/O
functions that allows access to all device-level I/O operations except
maintenance mode using physical block addresses.
primary password: A type of user password that is the
first user password requested from the user. Systems may optionally
require a secondary password. A primary or a secondary password must be
associated with the user name in the user authorization file. See also
privileges: A means of protecting the use of certain
system functions that can affect system resources and integrity. System
managers grant privileges according to users' needs and deny them to
users as a means of restricting their access to the system.
process security profile: The set of security elements
the system assigns to a process at creation. Elements include the
process UIC plus all of its identifiers and privileges. See also
identifier, privileges, user identification code.
Protected attribute: An option added to an access
control entry that indicates the ACE is protected against casual
deletion. It can be deleted by using the ACL editor or by specifying
the ACE explicitly when deleting it.
protected object: An object containing shareable
information to which the system controls access. See also
protected subsystem: An application with enhanced
access control. While users run the application, their process rights
list contains identifiers giving them access to objects owned by the
subsystem. As soon as the users exit the application, these identifiers
and, therefore, access rights to objects are taken away.
protection: The attributes of an object that limit the
type of access available to users. See also access control
list, protection code, user identification code.
protection code: A code defining the type of access
that users are allowed to objects, based on the user's relationship to
the object's owner. The code defines four sets of users: those with
system rights, those with ownership rights, those belonging to the same
group, and all users on the system, who are called world users. See
also group, owner, system, world.
proxy login: A type of login that permits a user from
a remote node to effectively log in to a local node as if the user
owned an account on the local node. However, the user does not specify
a password in the access control string. The remote user may own the
account or share the account with other users.
pseudodevice: An entity like a mailbox that is treated
as an I/O device by the user or system, although it is not any
particular physical device.
queue: A set of jobs to be processed. There are four types of execution queues: batch, terminal, server, and print.
OpenVMS security policy protects queues from improper access. An
operation can require read, submit, manage, delete, or control access.
reference monitor: The control center within the
operating system that authenticates subjects and implements and
enforces the security policy for every access to an object by a subject.
Resource attribute: An option specified when an
identifier is added to the rights database, and later when the
identifier is granted to a user. When a user holds the identifier with
the Resource attribute, that user can charge disk space to the
resource domain: A namespace controlling access to OpenVMS distributed lock management resources.
OpenVMS security policy protects resource domains from improper access.
An operation can require read, write, lock, or control access.
resource identifier: An identifier with the Resource
attribute. Thus, holders of the identifier can charge disk space to the
restricted account: A type of account with a secure
login procedure. The user is not allowed to use the Ctrl/Y key sequence
during the system or process login command procedure. Control may be
turned over to the user following execution of the login command
rights database: The collection of data the system
maintains and uses to define identifiers and associate identifiers with
the holders of the identifiers.
rights identifier: See identifier.
rights list: The list associated with each process
that includes all the identifiers the process holds.
RWED: The abbreviation for read, write, execute,
delete, which are types of access to data files and directory files.
secondary password: A user password that may be
required at login time immediately after the primary password has been
submitted correctly. Primary and secondary passwords can be known by
separate users to ensure that more than one user is present at the
login. A less common use is to require a secondary password as a means
of increasing the password length so that the total number of
combinations of characters makes password guessing more time-consuming.
See also primary password.
secure terminal server: Operating system software
designed to ensure that users can log in only to terminals that are
already logged out. When the user presses the Break key on a terminal,
the secure server (if enabled) responds by first disconnecting any
logged-in process and then initiating a login. If no process is logged
in at the terminal, the login can proceed immediately.
security administrator: The person or persons
responsible for implementing and maintaining the organization's
security policy. This role is sometimes performed by the same person
who functions as a system manager. It requires the same skills as the
system manager as well as knowledge of the security features provided
with the operating system.
security alarm: A message sent to an operator terminal
that is enabled to receive messages pertaining to security events.
Security alarms are triggered by the occurrence of an event previously
designated as worthy of the alarm because of its security implications.
security audit: An auditing message written to the
security audit log file. These messages report the occurrence of events
with security implications, such as logins, break-ins, and changes to
the authorization database. A system administrator uses the log file to
examine system activity for possible security violations or improper
use of the system.
security auditing: See auditing.
security class: The object class whose members are all object classes. Each member defines the object templates and management routines for its object class.
OpenVMS security policy protects security classes from improper access.
An operation can require read, write, or control access.
security officer: See security administrator.
security operator terminal: A class of terminal that
has been enabled to receive messages sent by OPCOM to security
operators. These messages are security alarm messages. Normally such a
terminal is a hardcopy terminal in a protected room. The output
provides a log of security-related events and details that identify the
source of the event.
security profile: A set of elements that describe
either an object's access requirements or a subject's access rights.
See also object security profile, process security
social engineering: The act of gaining unauthorized
access to or information about computer systems and resources by
enlisting the aid of unwitting users or operators. Often involves
impersonation or other fraud.
subject: A prinicpal, either a user process or an
application, that accesses information or is prevented from accessing
information. The operating system controls access to any object that
contains shareable information. Therefore, subjects must be authorized
to access objects. See also process security profile.
system: In the context of a protection code,
identifies a set of users in a system. System users typically have a
UIC is in the range 1 through 10 (octal); however, the exact range of a
system UIC is determined by the system parameter MAXSYSGROUP. Other
ways to become a system user include having SYSPRV privilege or being
in the same group as the owner and holding GRPPRV. System operators and
system managers are usually system users.
system-defined identifier: See environmental
system global section: A shareable memory section potentially available to all processes in the system.
OpenVMS security policy protects system global sections from improper
access. Operations on file-backed sections require read, write,
execute, delete, or control access. Operations on other types of
sections require read, write, execute, or control access.