tihor@acfcluster.nyu.edu (03/27/91)
Please respond to: Stephen Tihor, 251 Mercer Street, NY, NY 10012, (212) 998 3052, (212) 995 4121 (fax), TIHOR@ACFcluster.NYU.EDU (Internet), TIHOR@NYUACF (BITNET), TIHOR (DCS), TIHOR (DECUSERVE) with your prioritizations and comments.

Security BOF Wish List Notes

Based on discussions at the Security SIG BOF Wish List Meeting, and includes useful comments by Larry Kilgallen of LJK Inc., Robert Clyde of Clyde Associates, ______ of Demax Associates, Glen Everhart and others. They have not checked this draft, and are, of course, not responsible for any transcription errors and/or mis-statements. Transcribed by, and some comments by, Saul Rosenberg, Riverside Research Institute. Items are not listed in any priority order.

1. Permit UAF files to be searched / reported on by standard relational database products.

Problem: The DEC SYSUAF and associated files for Proxies, Rights, etc. have a variable field format that is not amenable to many database programs. Searching and sorting through these files is a part of a system manager's job, and should be made as easy as possible.

Workarounds: DEC has responded to this problem by incrementally adding utilities and lexical functions to access selected info in the manner they think people want. There are also ad-hoc programs for this function on the SIG tapes. However, this is not as flexible as letting the system manager extract info using his/her favorite database query tool.

Requested Solution: Provide a conversion utility that maps SYSUAF, NETUAF, NETPROXY and RIGHTSLIST into a relational database with fixed size fields. Note: a static conversion program is sufficient. Dynamic on-line searches are not required. Access via CDD / Datatrieve would be sufficient for many sites. This would permit the system manager to roll his/her own procedures, even automatic ones, without depending on a critical system file format that may change over time.

2. Provide a High-level ACL List Management Table

Problem: With multiple projects on one disk volume, ACLs must be stored on a per file basis. This creates many problems in trying to update all ACLs in a simple, reliable manner. Also, files restored from BACKUP may have incorrect ACLs that were never updated.

Workarounds: Virtual Disks with Volume ACLs on the DECUS tape, by G. Everhart and P. Sorenson. The drawback is that it prevents projects from dynamically sharing available disk space.

Requested Solution: Provide a high-level table of ACLs, on a per-volume basis. Permit an ACE to indirectly reference a high-level table which may contain multiple ACEs that apply to that file. This would permit labeling each file with a generic High-level ACL table, which would be the single point of update for all files of that type. A drawback of this solution would be the potential for another disk access to bring in the ACL table. Presumably, these would be cached. Side benefits: any files that are restored would automatically have the correct ACL applied. Also, a trivial ACL file update would not leave half the files on a volume with their file modification dates changed.

3. Image Accounting Should Store Original Name of File

Problem: Users can run images under other filenames, which can mislead a security / system auditor concerning their actual activities. This subverts one of the purposes of Image Accounting.

Requested Solution: Store the name of the file under which a program was originally linked in addition to the name under which it was run. A simple scan through the accounting file would detect this problem. (Note that this may not be a bulletproof solution as a sophisticated user might still be able to directly modify the file header.)

4. Add a System Call to Enable/Disable Audit on a Per Process Basis for the Rest of the Life of that Process

Problem: If an application decides that a user's actions justify auditing, such as by requesting an action that requires privilege to initiate, there is no convenient way to audit that particular process. Turning on the audit flag within SYSUAF would be too late.

Workarounds: Turn on auditing for any process that might potentially need to be audited, regardless of their primary activity. This generates large audit files.

Requested Solution: Provide a standard supported manner to modify the in-memory copy of the SYSUAF flag within the job header. Note that calling the system service to disable the memory based flag should be an audited event.

5. Selectively Enable Audit of Network File Access

Problem: Network file accesses, for many sites, are considered less trustworthy than local site access. Some sites want to monitor just file access via networks, without incurring the overhead of auditing all file accesses.

Workarounds:
1) Place an ACE referencing NETWORK with an ALARM entry on selected files. Problem: maintaining this ACE on many different files.
2) Audit all accesses to selected files. Problem: this can flood the audit file.
3) Set up a FAL log procedure. This can also generate a huge disk audit file. (e.g.: Define/Exec FAL$LOG=1/DISABLE=8 and FAL$OUTPUT=logfilename).

Requested Solution: Separate Audit Event to be Network File Access.

6. Notify Both the Local AND Remote System of File Access Alarms that Occur over a Network

Problem: If a remote user probes someone else's system over a network, any file access alarms that are detected are sent only to the local host. If the probing is done during off-hours, the host system manager will not know to contact the remote system manager until at least the next day, by which time the prober may be long gone or have covered his/her tracks.

Workarounds: None

Requested Solution: DECnet should notify both the local and remote systems of file access alarms. This greatly increases the chance that an alert system manager can catch someone in the act. Also, considering that each system manager is in some degree responsible for the actions of people using his/her system, it gives him/her a chance to respond in a timely fashion.

7. Condense File Access Alarms to the Lowest Level File Only

Problem: Access to a file six levels down in a directory path may set off up to six audit alarm records. This increases the size of the audit file, and requires people to wade through records with essentially duplicate information.

Workarounds: Run a program to selectively winnow the audit file.

Requested Solution: The RMS file system and the Audit server should cooperate in storing only one audit alarm record.

(Selected) Items Mentioned During VMS Security Update Session

8. Permit VMS INSTALL to Run Without Requiring Any Privileges

Problem: It is convenient for Third Party software to be distributed using VMS INSTALL. However, this involves running on the SYSTEM account with privileges available to software that may not be entirely trusted or that does not need all privileges.

Workarounds: Carefully inspect all procedures, where feasible.

Requested Solution: VMS INSTALL should be able to operate from a non-privileged user account.

9. Accounting Records Should Show Terminal Server Port Name

Problem: There is a serious problem with lack of exact accountability to a specific physical port, since the port name is not recorded in the Accounting file.

Workarounds: None

Requested Solution: Accounting should include the Terminal Server Port Name.

10. Audit Should Handle Low-Disk Space Message in a Sane Manner

Problem: When the System Disk free space drops below 1,000 blocks, the audit server starts generating messages that disk space is low. After a short period, these can blow away any remaining disk space. If the system manager is able to free some disk space, queued up messages from other CPUs on the cluster will quickly consume it. There does not seem to be any way to get out of this vicious cycle short of crashing the cluster.

Workarounds: No effective ones. Don't let disk space become critical. Make sure batch jobs don't run away.

Requested Solution: The central audit server recording audit events should discard audit events (after the first one) concerning low disk space that occurred prior to the situation being corrected. Minimal information would have to be retained. This would not affect the current desired behavior for those sites that want a crash when the audit file can no longer be written.

11. Provide Method to Test if a WorkStation is Paused

Problem: Many sites have idle interactive process killers. However, a workstation that is paused should be treated differently than an idle terminal. There is no remote method to test if the WS is paused or idle and vulnerable.

Workarounds: Call the person on the phone.

Requested Solution: Provide a remote method of determining WorkStation status.

The following additional items were raised in other forums than the Wish List and have been transcribed and expanded by Stephen Tihor of New York University.

12. Improve VMS patch distribution

(a) VMS patch distribution should take advantage of all electronic channels. Customers with direct email connections to DEC received the ANALYZE/PROCESS_DUMP security item a week late by email standards. Even customers with DSNlink (DEC's dial in support service) got the item as late as five days after it was dated, four after it appeared on the network and three after the emergency response team messages were sent out.

(b) VMS fixes in this category (workaround known and implementable by any user from description) should be MAXIMUM DISTRIBUTION rather than "(copyright) Digital, and you may not redistribute except as provided by your contract", which states no redistribution.

WORKAROUND: Wait for some kind soul to violate his contract or take advantage of non-standard channels to get the information out.

REQUESTED SOLUTION: Mark all such items as MAXIMUM DISTRIBUTION: you may freely redistribute this item in its current form with all attached notices. Include a public key signature to validate the item. Include a reference to advise customers receiving this by non-standard channels how the standard and confirmed information is being distributed until all customers have access to public key verification technology.

13. Provide for file access rights that differentiate between ALL USERS ON NODE and ALL USERS IN NETWORK without the overhead of adding ACLs to all files being restricted. Currently the world access right encompasses all processes on the current node, including those coming in over the network. In many cases however only a subset of all files should be visible to processes acting on the behalf of remote users.

COMMENTS: Expanding the SOGW protection mask to include a LOCAL NODE set (SOGLW) would address the requirements being discussed. For many sites W could map to either node or universe, and the other could be specified by a default protection mask overridden by an explicit ACE.

14. Provide techniques to validate the origin of FIS, Distribution kits, and patches.

15. Network access controls allowing restrictions of NODE crossed by OBJECT crossed by direction.

16. audio tape

17. audio tape

18. see audio tape .. higher level quotas

19. A timeout to automatically lock "Pause" workstations if left idle for too long.

20. Provide a user hook in LOGINOUT to allow code supporting additional authentication tools (for example, challenge response systems).

21. Scrolling and Zooming interface to read audit logs on VMS.

22. Add security to DSNlink

The DSNlink product has great potential for improving system security and adding new service options. In its current incarnation it is more of a security hole than solution. Security through obscurity has been proven inadequate. It is only (barely) preferable to no security at all. A strong authentication scheme is needed to prevent spoofing. An encryption scheme is needed to prevent eavesdropping.

Requirement: Encryption based authentication or proof that the DSNlink scheme is more secure. Encryption to preserve privacy against passive tappers and injection of misleading requests.

Observation: DF242 modems support call back. Given documentation similar to the Clyde Digital manuals for their callback product, this capability does enhance security.

Requirement: It should be used when it will bypass a potential compromise channel.

Observation: DSNlink version 1.0 uses BYPASS privilege to write outgoing mail.

Requirement: The DSN software should only need standard user privileges plus enough of the capabilities referred to as protected subsystems to support its private communications channel and to set ownership of files in its work areas appropriately.

23. Better identification of the real user in PCSA work. Identifying information from the source PC might be sufficient, but PCSA is currently BREAKIN DETECTION hostile.

24. Provide ACLs and Identifiers in ULTRIX.

25. Increase the granularity of VMS privileges (e.g. OPER).

26. Provide exactly the privilege needed to write a backup without any additional rights: READ all files plus WRITE BACKUP DATE in file header.

27. Security READ (REPLY/ENABLE=SECURITY) <> Security CONTROL (SET AUDIT...)
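Items 7 and 10 both ask the audit server to drop records that carry no new information: the per-directory-level alarms raised by one file access, and the flood of low-disk-space messages queued up by every node in the cluster. The following Python is an added example that is not part of the post or of any DEC software; it runs the two winnowing rules over a constructed stream of audit records (the record layout, the event names FILE_ACCESS, LOW_DISK and LOW_DISK_CLEARED, and the simplified DEV:[DIR.SUB]NAME.TYP;VER file-spec syntax are all assumptions made for the example). The low-disk rule keeps the count of discarded messages, which is the "minimal information" item 10 says must be retained.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class AuditEvent:
    seq: int      # position in the audit stream
    kind: str     # FILE_ACCESS, LOW_DISK or LOW_DISK_CLEARED (constructed vocabulary)
    node: str     # cluster node that raised the event
    user: str     # username, or SYSTEM for server-generated events
    target: str   # file spec for FILE_ACCESS, disk name otherwise

# Constructed sample stream, not real VMS audit output: one file open by JONES that
# produced an alarm per directory level, a shorter one by SMITH, then a burst of
# low-disk messages from three nodes, a clearing event, and a fresh burst.
SAMPLE: List[AuditEvent] = [
    AuditEvent(1, "FILE_ACCESS", "NODEA", "JONES", "DUA0:[PROJ]"),
    AuditEvent(2, "FILE_ACCESS", "NODEA", "JONES", "DUA0:[PROJ.SUB]"),
    AuditEvent(3, "FILE_ACCESS", "NODEA", "JONES", "DUA0:[PROJ.SUB.DEEP]"),
    AuditEvent(4, "FILE_ACCESS", "NODEA", "JONES", "DUA0:[PROJ.SUB.DEEP]SECRET.DAT;1"),
    AuditEvent(5, "FILE_ACCESS", "NODEB", "SMITH", "DUA0:[PROJ]"),
    AuditEvent(6, "FILE_ACCESS", "NODEB", "SMITH", "DUA0:[PROJ]NOTES.TXT;3"),
    AuditEvent(7, "LOW_DISK", "NODEA", "SYSTEM", "SYS$SYSDEVICE"),
    AuditEvent(8, "LOW_DISK", "NODEB", "SYSTEM", "SYS$SYSDEVICE"),
    AuditEvent(9, "LOW_DISK", "NODEC", "SYSTEM", "SYS$SYSDEVICE"),
    AuditEvent(10, "LOW_DISK", "NODEA", "SYSTEM", "SYS$SYSDEVICE"),
    AuditEvent(11, "LOW_DISK_CLEARED", "NODEA", "SYSTEM", "SYS$SYSDEVICE"),
    AuditEvent(12, "LOW_DISK", "NODEB", "SYSTEM", "SYS$SYSDEVICE"),
]

# Simplified VMS file-spec syntax (assumption): DEV:[A.B.C]NAME.TYP;VER, no logicals or wildcards.
_SPEC = re.compile(r"^(?P<dev>[A-Z0-9$_]+):\[(?P<dirs>[A-Z0-9$_.]+)\](?P<file>.*)$")

def parse_spec(spec: str) -> Tuple[str, Tuple[str, ...], str]:
    """Split a spec into (device, directory components, file part); file part is '' for a directory."""
    m = _SPEC.match(spec)
    if not m:
        raise ValueError(f"unrecognised file spec: {spec}")
    return m["dev"], tuple(m["dirs"].split(".")), m["file"]

def is_ancestor(parent: str, child: str) -> bool:
    """True if `parent` is a directory spec lying on the path to `child` on the same device."""
    pdev, pdirs, pfile = parse_spec(parent)
    cdev, cdirs, cfile = parse_spec(child)
    if pfile or pdev != cdev or parent == child:
        return False
    return cdirs[:len(pdirs)] == pdirs and (len(cdirs) > len(pdirs) or bool(cfile))

def condense_nested_alarms(events: List[AuditEvent]) -> List[AuditEvent]:
    """Item 7: within a run of consecutive FILE_ACCESS records from one node and user,
    drop every record whose target is a directory on the path to a later record in the run."""
    out: List[AuditEvent] = []
    i = 0
    while i < len(events):
        ev = events[i]
        if ev.kind != "FILE_ACCESS":
            out.append(ev)
            i += 1
            continue
        j = i
        while (j < len(events) and events[j].kind == "FILE_ACCESS"
               and (events[j].node, events[j].user) == (ev.node, ev.user)):
            j += 1
        run = events[i:j]
        for k, rec in enumerate(run):
            if not any(is_ancestor(rec.target, later.target) for later in run[k + 1:]):
                out.append(rec)
        i = j
    return out

def suppress_repeated_low_disk(events: List[AuditEvent]) -> Tuple[List[AuditEvent], Dict[str, int]]:
    """Item 10: after the first LOW_DISK record for a disk, discard further ones from any node
    until a LOW_DISK_CLEARED record for that disk arrives; keep only a count of what was dropped."""
    out: List[AuditEvent] = []
    dropped: Dict[str, int] = {}
    active: Set[str] = set()
    for ev in events:
        if ev.kind == "LOW_DISK":
            if ev.target in active:
                dropped[ev.target] = dropped.get(ev.target, 0) + 1
                continue
            active.add(ev.target)
        elif ev.kind == "LOW_DISK_CLEARED":
            active.discard(ev.target)
        out.append(ev)
    return out, dropped

def filter_audit(events: List[AuditEvent]) -> Tuple[List[AuditEvent], Dict[str, int]]:
    """Apply both winnowing rules in order and return (kept records, dropped low-disk counts)."""
    return suppress_repeated_low_disk(condense_nested_alarms(events))

if __name__ == "__main__":
    kept, dropped = filter_audit(SAMPLE)
    for ev in kept:
        print(f"{ev.seq:>3} {ev.kind:<17} {ev.node:<6} {ev.user:<7} {ev.target}")
    print("suppressed low-disk records:", dropped)
```

On the sample stream the six file-access records collapse to the two deepest ones (SECRET.DAT and NOTES.TXT), the four-message low-disk burst is reduced to its first record plus a count of three, and the burst that starts again after the clearing event is reported afresh, which is the behaviour item 10 asks for without affecting sites that want the server to stop when the audit file cannot be written.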
tihor@acfcluster.nyu.edu (03/28/91)
Note: (a) These are not my personal suggestions, as one person (GAVRON) seemed to think; they are the result of the people who expressed concerns at the last symposium. (b) I will accept all forms of input on these; additional material expanding the later suggestions is a good start, and other items are possibilities too. The goal is to converge reasonable people on some reasonable items, both as input to the DEC developers, which is often lacking, and to spot the key items that we should collectively bang on hard.