DIGITAL Software Product Description ___________________________________________________________________ PRODUCT NAME: POLYCENTER Security Compliance Manager SPD 26.N1.05 for OpenVMS VAX and OpenVMS Alpha, Ver- sion 3.0 DESCRIPTION POLYCENTER[TM] Security Compliance Manager for OpenVMS[TM] (POLYCEN- TER Security CM) is a software tool that a security or system manager uses to establish a custom security analysis and reporting system to manage the security of a network of distributed systems. With this tool, the security manager can implement and maintain a security standard consistent with corporate security policy for the OpenVMS nodes in the distributed computing environment. FEATURES Centralised Security Management POLYCENTER Security CM Version 3.0 represents a major redesign of the product. Note: To use POLYCENTER Security CM Version 3.0, you must be running OpenVMS Version 6.1 or 6.2. If you are running OpenVMS VAX Version 5.0- Version 6.0 or OpenVMS Alpha Version 1.5, then you must use POLYCEN- TER Security CM Version 2.3. POLYCENTER Security CM now includes client-server capabilities for the central management of security on multiple OpenVMS nodes and clusters. To avail of this central management, you must also purchase and in- stall the POLYCENTER Security Console product on a PC in your network. Digital recommends that you use POLYCENTER Security Console to man- age POLYCENTER Security CM. November 1995 AE-PGBZF-TE Customers can purchase security consulting services for assistance in designing and implementing a security analysis and reporting system that balances business needs with security requirements. Local Dig- ital[TM] offices can assist customers in determining the appropriate services for their requirements. Many Test Categories POLYCENTER Security CM provides tests to examine the following cat- egories of system settings: o Accounts o Auditing o Files o Network o Passwords o SYSGEN In addition, users can create their own tests and integrate them with POLYCENTER Security CM tests. Version 3.0 includes the following improved test capability: o Tests to check for the presence or absence of a specified string in the prelogin message banner and in the postlogin message ban- ner displayed by the operating system. o Additional SYSGEN parameters are supported. o All auditing parameters are supported. o There is no longer a limit on the number of user-defined test col- lections that a system manager can include in an inspector. 2 Account Templates POLYCENTER Security CM now allows the user to create account templates which can be used to group accounts according to a user's required test criteria. Users can group accounts that share similar characteristics or they can choose to list accounts by name. Users can then apply tests to groups of accounts. For example, it is possible to use a template to specify to the system which accounts are to be considered privi- leged accounts and then to test all privileged accounts for account activity. The POLYCENTER Security Console graphical user interface (GUI) is used to create account templates. Exclusion Lists In Version 3.0 it is possible to use the POLYCENTER Security Console GUI to specify files, accounts, and account templates to exclude from some of the tests. Inspectors POLYCENTER Security CM stores tests in entities called inspectors. In- spectors arrange tests hierarchically into subsystems and test col- lections. The system settings that POLYCENTER Security CM tests are defined as test values for the test collections within the inspector. System managers can use POLYCENTER Security Console to easily create and distribute inspectors to nodes and clusters running POLYCENTER Se- curity CM. Reports POLYCENTER Security CM mails reports, summarizing the results of an inspection, to a distribution list specified for each inspector. Re- ports coded in HTML for ease of navigation, can be viewed from the POLY- CENTER Security Console GUI. You can also view reports from the Open- VMS node. Correcting Security Violations POLYCENTER Security CM generates lockdown command procedures that can be used to automatically reset parameters that do not comply with the requirements of the inspector. Users can view and run the command pro- cedures using the POLYCENTER Security Console GUI or the POLYCENTER 3 Security CM command line interface (CLI). Version 3.0 also allows users to specify that POLYCENTER Security CM is to automatically run the lock- down procedure. POLYCENTER Security CM also generates unlockdown command procedures that can be used to reverse the operation of the corresponding lock- down file. POLYCENTER Security CM generates a corresponding unlock- down command procedure every time it generates a lockdown command pro- cedure. Tokens POLYCENTER Security CM can now generate a token after executing any inspector. Tokens contain summaries of the inspection results. POLY- CENTER Security CM transmits these tokens to a POLYCENTER Security Re- porting Facility for OpenVMS node using either DECnet[TM] or TCP/IP. Data being transferred is scrambled and is never sent as clear text across the network. POLYCENTER SRF extracts the data from the tokens and stores it in a relational database. POLYCENTER SRF supports cen- tralized management for distributed POLYCENTER Security CM client nodes. Designated users can access this information to monitor the security compliance of all the nodes in a network. For more information about managing network security, see the POLY- CENTER Security Reporting Facility for OpenVMS Software Product De- scription (SPD 26.N2.xx). Additional POLYCENTER Products o POLYCENTER Security Console for MS-Windows[R] (SPD 64.04.xx) o POLYCENTER Security Compliance Manager for AIX [R] (SPD 46.11.xx) o POLYCENTER Security Compliance Manager for HP[R]-UX (SPD 46.12.xx) o POLYCENTER Security Compliance Manager for SunOS[R] (SPD 41.25.xx) o POLYCENTER Security Compliance Manager for Solaris[R] 2 (SPD 55.87.xx) o POLYCENTER Security Compliance Manager for Digital UNIX[R] (SPD 55.86.xx) o POLYCENTER Security Compliance Manager for ULTRIX[TM] (SPD 41.26.xx) 4 o POLYCENTER Security Reporting Facility for OpenVMS (SPD 26.N2.xx) o POLYCENTER Security Intrusion Detector for OpenVMS (SPD 41.27.xx) o POLYCENTER Security Intrusion Detector for SunOS (SPD 43.09.xx) o POLYCENTER Security Intrusion Detector for ULTRIX (SPD 43.07.xx) o POLYCENTER Security Intrusion Detector for Digital UNIX (SPD ) HARDWARE REQUIREMENTS Processors Supported for OpenVMS[TM] VAX[TM]: Any VAX system that is capable of running OpenVMS VAX Version 6.1 or Version 6.2 except those listed as Processors Not Supported. Processors Not Supported: MicroVAX I, VAXstation I, VAX-11/725, VAX-11/782, VAXstation 8000 Processor Restrictions A TK50 Tape Drive is required for standalone MicroVAX 2000 and VAXs- tation 2000 systems. Processors Supported for OpenVMS Alpha: Any Alpha system that is capable of running OpenVMS Alpha Version 6.1 or Version 6.2. Disk Space Requirements Block Cluster Size=1: The approximate number of blocks required on the system disk can be determined using the following table: 5 Disk Space OpenVMS OpenVMS OpenVMS VAX & Alpha VAX Alpha Disk space 23 500 20 000 43 500 blocks required for blocks blocks installation: (11.5 (9.8 (21.3 Mbytes) Mbytes) Mbytes) Disk space re- 12 000 10 000 22 000 blocks quired for use blocks blocks (permanent): (5.9 (4.9 (10.8 Mbytes) Mbytes) Mbytes) These counts refer to the disk space required on the system disk. The sizes are approximate; actual sizes may vary depending on the user's system environment, configuration, and software options. Extra disk space is also required to store inspection results. CLUSTER ENVIRONMENT This layered product is fully supported when installed on any valid and licensed OpenVMS Cluster* configuration without restrictions. * OpenVMS Cluster configurations are fully described in the OpenVMS Cluster Software Product Description (29.78.xx) and include CI, Eth- ernet, and Mixed Interconnect configurations. SOFTWARE REQUIREMENTS OpenVMS VAX or OpenVMS Alpha Operating System Version 6.1 or Version 6.2 To communicate with POLYCENTER Security Console and with POLYCENTER SRF, you also need one of the following: o DECnet[TM]/OSI o DECnet for OpenVMS VAX and Alpha 6 o DEC TCP/IP Services for OpenVMS VAX o DEC TCP/IP Services for OpenVMS Alpha o MultiNet[R] Software Restrictions To use POLYCENTER Security CM Version 3.0, you must be running Open- VMS Version 6.1 or 6.2. If you are running OpenVMS VAX Version 5.0- Version 6.0 or OpenVMS Alpha Version 1.5, then you must use POLYCEN- TER Security CM Version 2.3. GROWTH CONSIDERATIONS The minimum hardware and software requirements for any future version of this product may be different from the requirements for the cur- rent version. DISTRIBUTION MEDIA TK50 Streaming Tape (VAX only), CD-ROM (Alpha) This product is also available as part of the OpenVMS Consolidated Soft- ware Distribution on CD-ROM. The software documentation for this product is also available as part of the OpenVMS Online Documentation Library on CD-ROM. ORDERING INFORMATION Ordering requirements depend on whether you are installing POLYCEN- TER Security Compliance Manager for OpenVMS VAX or POLYCENTER Secu- rity Compliance Manager for OpenVMS Alpha. Order one of the follow- ing: o QL-GKLA9-AA: (OpenVMS VAX) o QL-2UTA9-AA: (OpenVMS Alpha) 7 These are single, generic (tier-neutral) capacity-based POLYCENTER Se- curity Compliance Manager for OpenVMS licenses orderable for any VAX or Alpha processor. Software Media: QA-GKLAA-H5 (OpenVMS VAX) QA-2UTAA-H8 (OpenVMS Alpha) Software Documen- QA-GKLAA-GZ tation: (OpenVMS VAX) QA-2UTAA-GZ (OpenVMS Alpha) Software Product QT-GKLA*-** Services: (OpenVMS VAX) QT-2UTA*-** (OpenVMS Alpha) * Denotes variant fields. For additional information on available li- censes, services, and media, refer to the appropriate price book. SOFTWARE LICENSING This software is furnished under the licensing provisions of Digital Equipment Corporation's Standard Terms and Conditions. For more in- formation about Digital's licensing terms and policies, contact your local Digital office. 8 License Management Facility Support This layered product supports the OpenVMS License Management Facil- ity. License units for this product are allocated on an Unlimited System Use Basis. For more information on the License Management Facility, refer to the OpenVMS Operating System Software Product Description (SPD 25.01.xx) or the OpenVMS Operating System documentation set. SOFTWARE PRODUCT SERVICES A variety of service options are available from Digital. For more in- formation, contact your local Digital office. In addition to standard SPS remedial services, consulting services for assistance in planning, designing, and implementing a custom security analysis and reporting system with security tools are also available. For more information, contact your local Digital office. SOFTWARE WARRANTY Warranty for this software product is provided by Digital with the pur- chase of a license for the product. This product is intended to assist customers in maintaining an appro- priately secure systems environment when used in conjunction with cus- tomers' vigilant operational security practices. Digital does not guar- antee or warrant that the use of these tools will provide complete se- curity protection for customers' systems. [R] AIX is a registered trademark of International Business Ma- chines Corporation. [R] HP-UX is a registered trademark of Hewlett-Packard Company. [R] MultiNet is a registered trademark of TGV, Inc. [R] OSF and OSF/1 are registered trademarks of the Open Software Foundation Inc. 9 [R] Solaris and SunOS are registered trademarks of Sun Microsys- tems, Inc. [R] Microsoft and Windows are registered trademarks of Microsoft Corporation. [TM] The DIGITAL logo, DEC, DECnet, DECwindows, Digital, MicroVAX, OpenVMS, POLYCENTER, ULTRIX, and VMS are trademarks of Digi- tal Equipment Corporation. [R] UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company Ltd. All other trademarks and registered trademarks are the property of their respective holders. ©1992, 1995 Digital Equipment Corporation. All rights reserved. 10