tihor@acfcluster.nyu.edu (03/27/91)
Please respond to:
Stephen Tihor
251 Mercer Street
NY, NY 10012
(212) 998 3052
(212) 995 4121 (fax)
TIHOR@ACFcluster.NYU.EDU (Internet)
TIHOR@NYUACF (BITNET)
TIHOR (DCS)
TIHOR (DECUSERVE)
with your prioritizations and comments.
Security BOF Wish List Notes
Based on discussions at the Security SIG BOF Wish List Meeting,
and includes useful comments by Larry Kilgallen of LJK Inc.,
Robert Clyde of Clyde Associates, ______ of Demax Associates,
Glen Everhart and others. They have not checked this draft, and
are, of course, not responsible for any transcription errors
and/or mis-statements.
Transcribed by, and some comments by, Saul Rosenberg, Riverside
Research Institute.
Items are not listed in any priority order.
1. Permit UAF files to be searched / reported on by
standard relational data base products.
Problem:
The DEC SYSUAF and associated files for Proxies, Rights,
etc. have a variable field format that is not amenable to many
data base programs. Searching and sorting through these files
is a part of a system manager's job, and should be made as easy
as possible.
Workarounds:
DEC has responded to this problem by incrementally
adding utilities and lexical functions to access selected info
in the manner they think people want. There are also ad-hoc
programs for this function on the SIG tapes. However, this is
not as flexible as letting the system manager extract info using
his/her favorite database query tool.
Requested solution:
Provide a conversion utility that maps SYSUAF, NETUAF,
NETPROXY and RIGHTSLIST into a relational database with fixed
size fields. Note: a static conversion program is sufficient.
Dynamic on-line searches are not required. Access via CDD /
Datatrieve would be sufficient for many sites. This would permit
the system manager to roll his/her own procedures, even
automatic ones, without depending on a critical system file
format that may change over time.
2. Provide a High-level ACL List Management Table
Problem:
With multiple projects on one disk volume, ACL's must be
stored on a per file basis. This creates many problems in
trying to update all ACL's in a simple, reliable manner. Also,
files restored from BACKUP may have incorrect ACL's that were
never updated.
Workarounds:
Virtual Disks with Volume ACL's on the DECUS tape, by
G. Everhart and P. Sorenson. The drawback is that it prevents
projects from dynamically sharing available disk space.
Requested Solution:
Provide a high-level table of ACL's, on a per-volume
basis. Permit an ACE to indirectly reference a high-level table
which may contain multiple ACE's that apply to that file. This
would permit labeling each file with a generic High-level ACL
table, which would be the single point of update for all files
of that type. A drawback of this solution would be the potential
for another disk access to bring in the ACL table. Presumably,
these would be cached.
Side benefits: any files that are restored would
automatically have the correct ACL applied. Also, a trivial ACL
file update would not leave half the files on a volume with
their file modification dates changed.
3. Image Accounting Should Store Original Name of File
Problem:
Users can run images under other filenames, which can
mislead a security / system auditor concerning their actual
activities. This subverts one of the purposes of Image Accounting.
Requested Solution:
Store the name of the file under which a program was
originally linked in addition to the name under which it was
run. A simple scan through the accounting file would detect
this problem. (Note that this may not be a bulletproof solution
as a sophisticated user might still be able to directly modify
the file header.)
4. Add a System Call to Enable/Disable Audit on a Per Process
Basis for the Rest of the Life of that Process
Problem:
If an application decides that a user's actions justify
auditing, such as by requesting an action that requires
privilege to initiate, there is no convenient way to audit that
particular process. Turning on the audit flag within SYSUAF
would be too late.
Workarounds:
Turn on auditing for any process that might potentially
need to be audited, regardless of their primary activity. This
generates large audit files.
Requested Solution:
Provide a standard supported manner to modify the
in-memory copy of the SYSUAF flag within the job header. Note
that calling the system service to disable the memory based flag
should be an audited event.
5. Selectively Enable Audit of Network File Access
Problem:
Network file accesses, for many sites, are considered
less trustworthy than local site access. Some sites want to
monitor just file access via networks, without incurring the
overhead of auditing all file accesses.
Workarounds:
1) Place an ACE referencing NETWORK with an ALARM entry on
selected files. Problem: maintaining this ACE on many different
files.
2) Audit all accesses to selected files. Problem: this can
flood the audit file.
3) Setup a FAL Log procedure. This can also generate a huge
disk audit file. (e.g.: Define/Exec FAL$LOG=1/DISABLE=8 and
FAL$OUTPUT=logfilename).
Requested Solution:
Separate Audit Event to be Network File Access.
6. Notify Both the Local AND Remote System of File Access
Alarms that Occur over a Network
Problem:
If a remote user probes someone else's system over a
network, any file access alarms that are detected are sent only
to the local host. If the probing is done during off-hours, the
host system manager will not know to contact the remote system
manager until at least the next day, by which time the prober
may be long gone or have covered his/her tracks.
Workarounds:
None
Requested Solution:
DECNet should notify both the local and remote systems
of file access alarms. This greatly increases the chance that
an alert system manager can catch someone in the act. Also,
considering that each system manager is in some degree
responsible for the actions of people using his/her system, it
gives him/her a chance to respond in a timely fashion.
7. Condense File Access Alarms to the Lowest Level File Only
Problem:
Access to a file six levels down in a directory path may
set off up to six audit alarm records. This increases the size
of the audit file, and requires people to wade through records
with essentially duplicate information.
Workarounds:
Run a program to selectively winnow the audit file.
Requested Solution:
The RMS file system and the Audit server should
cooperate in storing only one audit alarm record.
(Selected) Items Mentioned During VMS Security Update Session
8. Permit VMS INSTALL to Run Without Requiring Any Privileges
Problem:
It is convenient for Third Party software to be
distributed using VMS INSTALL. However, this involves running
on the SYSTEM account with privileges available to software that
may not be entirely trusted or that does not need all
privileges.
Workarounds:
Carefully inspect all procedures, where feasible.
Requested Solution:
VMS INSTALL should be able to operate from a
non-privileged user account.
9. Accounting Records Should Show Terminal Server Port Name
Problem:
There is a serious problem with lack of exact
accountability to a specific physical port, since the port name
is not recorded in the Accounting file.
Workarounds:
None
Requested Solution:
Accounting should include the Terminal Server Port Name.
10. Audit Should Handle Low-Disk Space Message in a Sane Manner
Problem:
When the System Disk free space drops below 1,000
blocks, the audit server starts generating messages that disk
space is low. After a short period, these can blow away any remaining
disk space. If the system manager is able to free some disk
space, queued up messages from other CPUs on the cluster will
quickly consume it. There does not seem to be any way to get
out of this vicious cycle short of crashing the cluster.
Workarounds:
No effective ones. Don't let disk space become critical.
Make sure batch jobs don't run away.
Requested Solution:
The central audit server recording audit events should
discard audit events (after the first one) concerning low disk
space that occurred prior to the situation being corrected.
Minimal information would have to be retained. This would not
affect the current desired behavior for those sites that want a
crash when the audit file can no longer be written.
11. Provide Method to Test if a WorkStation is Paused
Problem:
Many sites have idle interactive process killers.
However, a workstation that is paused should be treated
differently than an idle terminal. There is no remote method to
test if the WS is paused or idle and vulnerable.
Workarounds:
Call the person on the phone.
Requested Solution:
Provide a remote method of determining WorkStation
status.
The following additional items were raised in other forums than the Wish List
and have been transcribed and expanded by Stephen Tihor of New York University.
12 Improve VMS patch distribution
(a) VMS patch distribution should take advantage of all electronic channels.
Customers with direct email connections to DEC received the
ANALYZE/PROCESS_DUMP security item a week late by email standards. Even
customers with DSNlink (DEC's dial in support service) got the item as late as
five days after it was dated, four after it appeared on the network and three
after the emergency response team messages were sent out.
(b) VMS fixes in this category (workaround known and implementable by any user
from the description) should be MAXIMUM DISTRIBUTION rather than
"(copyright) Digital; you may not redistribute except as
provided by your contract" (which states no redistribution).
WORKAROUND:
Wait for some kind soul to violate his contract or take advantage of
non-standard channels to get the information out.
REQUESTED SOLUTION:
Mark all such items as MAXIMUM DISTRIBUTION you may freely redistribute this
item in its current form with all attached notices.
Include a public key signature to validate the item.
Include a reference to advise customers receiving this by non-standard
channels how the standard and confirmed information is being distributed
until all customers have access to public key verification technology.
13 Provide for file access rights that differentiate between
ALL USERS ON NODE and ALL USERS IN NETWORK without the overhead
of adding ACLs to all files being restricted.
Currently the world access right encompasses all processes on the current node,
including those coming in over the network. In many cases, however, only a
subset of all files should be visible to processes acting on the behalf of
remote users.
COMMENTS:
Expanding the SOGW protection mask to include a LOCAL NODE set: SOGLW would
address the requirements being discussed. For many sites W could map to
either node or universe and the other could be specified by a default
protection mask overridden by an explicit ACE.
14 Provide techniques to validate the origin of FIS, Distribution
kits, and patches.
15 Network access controls allowing restrictions of NODE crossed by
OBJECT crossed by direction
16 audio tape
17 audio tape
18 see audio tape .. higher level quotas
19 A timeout to automatically lock "Pause" workstations if left idle for
too long
20 provide a user hook in LOGINOUT to allow code supporting
additional authentication tools (for example) challenge
response systems
21 Scrolling and Zooming interface to read audit logs on VMS
22 Add security to DSNlink
The DSNlink product has great potential for improving system
security and adding new service options. In its current
incarnation it is more of a security hole than solution.
Security through obscurity has been proven inadequate.
It is only (barely) preferable to no security at all.
A strong authentication scheme is needed to prevent
spoofing. An encryption scheme is needed to prevent
eavesdropping.
Requirement:
Encryption based authentication or proof that the DSNlink
scheme is more secure.
Encryption to preserve privacy against passive tappers and
injection of misleading requests.
Observation:
DF242 modems support call back. Given documentation similar
to the Clyde Digital manuals for their callback product, this
capability does enhance security.
Requirement:
It should be used when it will bypass a potential compromise
channel.
Observation: DSNlink version 1.0 uses BYPASS privilege to
write outgoing mail.
Requirement:
The DSN software should only need standard user privileges
plus enough of the capabilities referred to as protected
subsystems to support its private communications channel and
to set ownership of files in its work areas
appropriately.
23 Better identification of the real user in PCSA work
Identifying information from the source PC might be
sufficient, but PCSA is currently BREAKIN DETECTION hostile.
24 Provide ACLs and Identifiers in ULTRIX
25 increase the granularity of VMS privileges (eg OPER)
26 provide exactly the privilege needed to write a backup without any
additional rights: READ all files plus WRITE BACKUP DATE
in file header.
27 Security READ (REPLY/ENABLE=SECURITY) <> Security CONTROL (SET
AUDIT...)
tihor@acfcluster.nyu.edu (03/28/91)
Note: (a) These are not my personal suggestions, as one person (GAVRON) seemed to think; they are the result of the people who expressed concerns at the last symposium. (b) I will accept all forms of input on these. Additional material expanding the later suggestions is a good start; other items are possibilities too. The goal is to converge reasonable people on some reasonable items, both as input to the DEC developers, which is often lacking, and to spot the key items that we should collectively bang on hard.