CXL - Securing your mid-range systems.



The _EDP AUDITOR JOURNAL_ (Volume 1, 1993) addresses issues pertinent to auditing VAX/VMS systems, and offers guidelines on how to conduct such audits.

A sample audit program for VAX/VMS is included in this posting (see below). Anyone is welcome to improve this audit program for the benefit of all auditors concerned.

Hope this will help those gearing up to perform VAX/VMS audits....

-- slemo warigon east texas state university

VAX/VMS AUDIT PROGRAM -- Prepared by Joseph L. Oringel

This is a suggested outline for a review of VAX/VMS security. It should be customized based on audit scope, objectives, and the auditor's experience. Concepts outlined in this program can be expanded upon in considerable detail to provide assistance for the less experienced auditor. Individuals with more experience in performing system software reviews, particularly of the VAX/VMS architecture, should find this outline sufficient to conduct interviews and construct security recommendations.

1. Determine Scope:
A. Change Management
B. Problem Management
C. Media Management
D. Job Scheduling
E. Application Systems
F. Overall Systems Security:
  1. Strategy and system configuration
  2. Telecommunications
  3. Access Control Services
  4. System Management Tools, and
  5. Backup and Recovery Tools

2. Establish Expectations:
A. Auditing against Company policy or strategy
B. Contractual requirements
C. Government regulations, and
D. Accepted good practices for the environment

3. Data Gathering:
A. Identify key personnel:
  1. Management (CIO, CFO, security officer, IS manager, lead analyst)
  2. Staff (programmer, analyst, security administrator, operator), and
  3. Users (application users, data entry and supervisory)

B. Identify and gather required business reports:
  1. Organization charts for the information systems department
  2. Organization for security administration group
  3. Job descriptions for IS and security personnel
  4. IS policies, standards, and procedure documentation, and
  5. Security administration policies, standards, and procedures

C. Identify and gather VAX/VMS System Reports:
  1. User profile information from the User Authorization File (SYSUAF.DAT)
  2. Network proxy information from the Network Proxy Authorization File (NETPROXY.DAT)
  3. Access Control Lists from the rights database file (RIGHTSLIST.DAT)
  4. Network Control Reports, showing network nodes, lines, circuits, and links
  5. Selected audit options, from the VMS_AUDIT_SERVER
  6. Selected startup and login files, and
  7. Global options from VMSPARAMS.DAT, PARAMS.DAT, and other SYSGEN options

4. Review Security Policy/Strategy. Determine if:
A. Data is classified for security purposes
B. Responsibility for security administration is assigned
C. Procedures for security administration are clearly defined
D. Security reporting requirements are established, and
E. Programmer access restrictions are identified

5. Plan interviews:
A. Identify interview topics based on evaluation of policy and reports
B. Schedule interviews with key personnel, and
C. Prepare initial interview questions

6. Conduct interviews. Review and document controls for Strategy and System Configuration:
A. Obtain hardware descriptions and:
  1. Identify communication links between VAX and non-VAX processors. Document the communication system, protocol, etc.
  2. Identify VAX cluster configuration. Ensure clusters use a shared UAF, so users have assigned privileges only on authorized processors
  3. Identify PC to VAX connections to determine if upload/ download criteria are appropriate
  4. Identify smart terminals and ensure programmable function keys are not used to store account names, passwords or other login data.

B. Obtain software descriptions and:
  1. Ensure the same version of VMS is used for all processors
  2. Ensure the VMS version used is current and still supported by DEC
  3. Review VMS system software modifications for propriety
  4. Review RWED access authority to system software libraries (recommended values are READ for selected tech support personnel and WRITE authority for a single account with dual password control)
  5. Evaluate system software upgrade procedures, and
  6. Evaluate bootstrapping procedures

C. Identify key application subsystems and:
  1. Ensure application security uses VMS account security, or
     o Provides other means for encrypted user passwords
     o Provides other means for individual user accountability, and
     o Adequately protects key application resources
  2. Evaluate application security matrices

7. Conduct Interviews. Review and document controls for telecommunications:
A. Review access to telephone lines:
  1. Determine if phone number is known only to authorized users
  2. Determine if appropriate security measures are enabled (dial-back, port passwords, modem passwords, channel selectors, etc.)
  3. Identify how and how often modem access logs are reviewed

B. Review user accounts of DECnet users:
  1. Ensure all privileges except NETMBX and TMPMBX are removed
  2. Review account names and ensure password options are appropriately set
  3. Ensure WORLD access to the network database is set to NONE
  4. Inquire regarding stored or embedded user account and password names
  5. Review proxy accounts

C. Determine if proxy accounts are encouraged:
  1. Determine if accountability for proxy usage is maintained
  2. Ensure proxy accounts have no excessive privileges

8. Conduct interviews. Review and document controls for Access Control Services:
A. Determine if a system password is used
B. Determine if a terminal timeout is used

C. Review access to DCL. Determine if:
  1. Most users are CAPTIVE
  2. System startup files contain no exits to DCL, and
  3. Powerful DCL commands are appropriately restricted (by renaming, RWED, or ACL use)
D. Review account naming conventions and password option settings
E. Ensure DEC supplied user accounts are disabled or removed
F. Review intruder detection (LGI_BRK and LGI_RETRY)
G. Review default file protection for new objects, and
H. Review assignment of powerful privileges
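As an added example (not part of the original posting or of Joseph L. Oringel's program), the following script applies steps 7B.1, 8C.1, 8E and 8H above to a constructed, simplified export of SYSUAF user records. The record layout, the set of "powerful" privileges and the list of vendor-supplied account names are assumptions for illustration, not a real AUTHORIZE listing format.

```python
# Added example, not part of the original audit program: applies steps
# 7B.1, 8C.1, 8E and 8H to a constructed, simplified export of SYSUAF
# records. Record layout, POWERFUL and DEC_SUPPLIED are assumptions.
from typing import Any, Dict, List, Tuple

NETWORK_ONLY = {"NETMBX", "TMPMBX"}                                    # 7B.1: all a DECnet account needs
POWERFUL = {"SETPRV", "SYSPRV", "CMKRNL", "BYPASS", "READALL", "OPER"}  # 8H: assumed review set
DEC_SUPPLIED = {"FIELD", "SYSTEST", "DECNET", "DEFAULT"}               # 8E: assumed vendor accounts

# Constructed sample records: username, privilege set, flag set, DECnet-only account?
SAMPLE_UAF: List[Dict[str, Any]] = [
    {"user": "SYSTEM",  "privs": {"SETPRV", "CMKRNL", "TMPMBX", "NETMBX"}, "flags": set(), "network": False},
    {"user": "DECNET",  "privs": {"NETMBX", "TMPMBX", "SYSPRV"}, "flags": set(), "network": True},
    {"user": "FIELD",   "privs": {"TMPMBX"}, "flags": {"DISUSER"}, "network": False},
    {"user": "CLERK01", "privs": {"TMPMBX", "NETMBX"}, "flags": {"CAPTIVE"}, "network": False},
    {"user": "DEV02",   "privs": {"TMPMBX", "NETMBX", "BYPASS"}, "flags": set(), "network": False},
]


def audit_uaf(records: List[Dict[str, Any]]) -> List[Tuple[str, str, str]]:
    """Return (user, audit step, detail) findings for the privilege and account checks."""
    findings = []
    for r in records:
        user, privs, flags = r["user"], r["privs"], r["flags"]
        excess = privs - NETWORK_ONLY
        if r["network"] and excess:                          # 7B.1: DECnet account over-privileged
            findings.append((user, "7B.1", "DECnet account holds " + ", ".join(sorted(excess))))
        if user in DEC_SUPPLIED and "DISUSER" not in flags:  # 8E: vendor account still enabled
            findings.append((user, "8E", "vendor-supplied account is enabled"))
        strong = privs & POWERFUL
        if strong:                                           # 8H: each grant needs a justification
            findings.append((user, "8H", "holds " + ", ".join(sorted(strong))))
    return findings


def captive_share(records: List[Dict[str, Any]]) -> float:
    """8C.1: fraction of enabled interactive accounts flagged CAPTIVE (0.0 if there are none)."""
    interactive = [r for r in records if not r["network"] and "DISUSER" not in r["flags"]]
    if not interactive:
        return 0.0
    return sum("CAPTIVE" in r["flags"] for r in interactive) / len(interactive)


if __name__ == "__main__":
    for user, step, detail in audit_uaf(SAMPLE_UAF):
        print(f"{step:5} {user:10} {detail}")
    print(f"CAPTIVE share of enabled interactive accounts: {captive_share(SAMPLE_UAF):.2f}")
```

The output is a worklist for the interviews in steps 7 and 8, not a verdict: SYSTEM holding SETPRV is expected, whereas SYSPRV on the DECNET account or an enabled FIELD account is what the checklist is looking for.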

9. Conduct interviews. Review and document controls for System Management Tools:
A. Identify security logging and reporting mechanisms used
B. Perform selected review of ANALYZE/AUDIT results
C. Review VMS accounting rules (if used), and
D. Evaluate use of automated tools (Security Toolkit, DECinspect, etc.)

10. Conduct interviews. Review and document controls for Backup and Recovery Tools:
A. Evaluate and document backup/recovery procedures
B. Identify if VMS features are appropriately used:
  1. Volume shadowing for key disk volumes
  2. Roll-forward, roll-back procedures for on-line transactions (DECdtm)
  3. RMS journalling of key files, and
  4. High-water marking, erase-on-delete, etc.