DIGITAL

Software Product Description
___________________________________________________________________

Product Name: POLYCENTER Security Compliance Manager for Digital UNIX, Version 2.5
SPD 55.86.01

May 1996
AE-Q44UB-TE

DESCRIPTION

POLYCENTER Security Compliance Manager (POLYCENTER Security CM) for Digital UNIX[R] (formerly DEC OSF/1) is a software tool that a security or system manager uses to establish a custom security analysis and reporting system to manage the security of a network of distributed systems. With this tool, the security manager can implement and maintain a security standard for the Digital UNIX nodes in a distributed computing environment that is consistent with corporate security policy.

Customers can purchase security consulting services that help them to design and implement a security analysis and reporting system, which balances business needs with security requirements. Local Digital[TM] offices can help customers to determine the appropriate services for their requirements.

Security managers define tests to examine the settings of operating system parameters that are relevant to the security of the system. These tests ensure that the operating system parameters comply with the organization's security policy. Using POLYCENTER Security CM's menu interface, these tests are grouped into inspectors, which are run regularly to test for compliance with the security policy.

POLYCENTER Security CM provides tests to examine the following categories of system settings:

o File and directory protections
o Accounts
o Passwords
o Network access
  - TCP/IP
  - UUCP
  - Remote login
  - NFS[R]

Inspectors arrange tests hierarchically into subsystems, test collections, and tests. The system settings that POLYCENTER Security CM tests are defined as parameters for the tests within the inspector.

When POLYCENTER Security CM executes inspectors, it generates the following:

o Reports - POLYCENTER Security CM mails reports, summarizing the results of the inspection, to a distribution list specified for each inspector.

o Lockdown scripts - POLYCENTER Security CM generates lockdown scripts that can be used to automatically reset parameters that do not comply with the requirements of the inspector.

o Unlockdown scripts - POLYCENTER Security CM generates unlockdown scripts that can be used to reverse the operation of the corresponding lockdown file. POLYCENTER Security CM generates a corresponding unlockdown script every time it generates a lockdown script. POLYCENTER Security CM also creates a corresponding unlockdown log file.

o Tokens - POLYCENTER Security CM generates tokens after executing a special type of inspector. This inspector is called the Required Inspector and is described in the following paragraph. Tokens contain summaries of the results of the Required Inspector. POLYCENTER Security CM transmits these tokens to a POLYCENTER Security Reporting Facility (POLYCENTER SRF) node. POLYCENTER SRF extracts the data from the tokens and stores it in a relational database. Designated users can access this information to monitor the security compliance of all the nodes in a network.

There are two types of inspectors: the Required Inspector and customized inspectors. The Required Inspector is the inspector that POLYCENTER Security CM uses to test the compliance of the system with the security baseline in force. It defines the basic security settings that are required for compliance with an organization's baseline security standard.

The POLYCENTER Security CM database contains at most one Required Inspector on each system. The database also contains several sample inspectors.

Customized inspectors do not generate tokens, but the local system manager uses them for specialized testing.

The following list describes some situations in which customized inspectors may be useful:

o Before executing the Required Inspector - If the Required Inspector is copied to a customized inspector, the system's security compliance can be tested without sending tokens to the POLYCENTER SRF node. Users can correct security weaknesses before POLYCENTER Security CM performs an inspection using the Required Inspector.

o After installing or upgrading the operating system.

o To inspect the system after changes in system software, resources, or utilities.

o When it is discovered that a user is accessing the system during unusual hours.

o When inexplicable modifications to file protections are discovered.

o When security compromises are suspected - Inspect the system using a customized inspector if daily audit reports reveal suspicious security events.

o To check project file and directory permissions - Project managers who are responsible for security in their particular area can use a customized inspector to check file and directory permissions for their area.

While POLYCENTER Security CM is effective when used alone in small distributed systems, managing the security of a large number of nodes is difficult. POLYCENTER Security CM software, used with POLYCENTER SRF software, can solve this problem. POLYCENTER SRF software is designed to run on one or more nodes to support the centralized collection and management of compliance information from POLYCENTER Security CM installations, which can include AIX[R], HP[R]-UX, NetWare[R], SunOS[R], ULTRIX[TM], Solaris[R] 2, Digital UNIX and OpenVMS[TM] systems. It provides centralized management for distributed POLYCENTER Security CM client nodes.

POLYCENTER SRF extracts data from tokens sent by nodes running POLYCENTER Security CM and maintains this data in a relational database for management reporting. POLYCENTER SRF can provide management reports for networks of AIX, HP-UX, NetWare, SunOS, ULTRIX, Solaris 2, Digital UNIX, and OpenVMS nodes. For more information about managing network security, see the POLYCENTER SRF Software Product Description (SPD 26.N2.xx).

Additional Security Products

The following is a list of related security products:

o POLYCENTER Security Console for Microsoft[R] Windows[R] (SPD 64.04.xx)
o POLYCENTER Security Compliance Manager for OpenVMS (SPD 26.N1.xx)
o POLYCENTER Security Compliance Manager for AIX (SPD 46.11.xx)
o POLYCENTER Security Compliance Manager for HP-UX (SPD 46.12.xx)
o POLYCENTER Security Compliance Manager for SunOS (SPD 41.25.xx)
o POLYCENTER Security Compliance Manager for Solaris 2 (SPD 55.87.xx)
o POLYCENTER Security Compliance Manager for ULTRIX (SPD 41.26.xx)
o POLYCENTER Security Compliance Manager for NetWare (SPD 62.80.xx)
o POLYCENTER Security Reporting Facility for OpenVMS (SPD 26.N2.xx)
o POLYCENTER Security Intrusion Detector for OpenVMS (SPD 41.27.xx)
o POLYCENTER Security Intrusion Detector for SunOS (SPD 43.09.xx)
o POLYCENTER Security Intrusion Detector for ULTRIX (SPD 43.07.xx)
o POLYCENTER Security Intrusion Detector for Digital UNIX (SPD 43.08.xx)

HARDWARE REQUIREMENTS

Processors Supported

POLYCENTER Security Compliance Manager for Digital UNIX runs on any Alpha processor that is capable of running the correct version of the Digital UNIX operating system.

Other Hardware Required

To install POLYCENTER Security Compliance Manager for Digital UNIX software, the system must support a CD-ROM reader.

Disk Space Requirements

Disk Space Required for Installation

  /usr/opt/SOA250:      4,500K bytes
  /var/opt/SOA250:      1210K bytes
  /usr/opt/SOA250/man:  12K bytes
  /usr/.smdb.:          150K bytes
  Any directory:        2,800K bytes

Disk Space Required for Use (Permanent)

  /usr/opt/SOA250:      2,800K bytes
  /var/opt/SOA250:      1210K bytes
  /usr/opt/SOA250/man:  12K bytes
  /usr/.smdb.:          150K bytes

All of these directories can be links to other local or NFS[R]-mounted file systems. The sizes are approximate; actual sizes may vary depending on the user's system environment, configuration, and software options.

SOFTWARE REQUIREMENTS

To use POLYCENTER Security Compliance Manager for Digital UNIX, you must be running a version of the Digital UNIX (formerly DEC OSF/1) Operating System between version 2.0 and version 4.0.

GROWTH CONSIDERATIONS

The minimum hardware/software requirements for any future version of this product may be different from the requirements for the current version.

DISTRIBUTION MEDIA

This product is available on CD-ROM. The media for this product is also available on the Digital UNIX Software Products Library CD-ROM. The documentation is available on the Digital UNIX Online Documentation Library CD-ROM. Documentation in hardcopy format may be ordered separately.

ORDERING INFORMATION

  Software Licenses:          QL-2K8A*-**
  Software Media:             QA-2K8A*-**
  Software Documentation:     QA-2K8AA-GZ
  Software Product Services:  QT-2K8A*-**

  * Denotes variant fields. For additional information on available licenses, services, and media, see the appropriate price book.

SOFTWARE LICENSING

This software is furnished under the licensing provisions of Digital Equipment Corporation's Standard Terms and Conditions. For more information about Digital's licensing terms and policies, contact your local Digital office.

Possession, use, or copying of the software described in this publication is authorized only pursuant to a valid written license from Digital or an authorized sublicensor.

License Management Facility Support

This layered product supports the Digital UNIX License Management Facility.

License units for this product are allocated on an Unlimited System Use basis.

For more information on the License Management Facility, see the Digital UNIX Operating System Software Product Description (SPD 41.61.xx) or the Guide to Software Licensing in the Digital UNIX Operating System documentation set.

SOFTWARE PRODUCT SERVICES

A variety of service options are available from Digital. In addition to standard SPS remedial services, consulting services to help plan, design, and implement a custom security analysis and reporting system with the POLYCENTER Security CM and POLYCENTER SRF tools are also available. For more information, contact your local Digital office.

SOFTWARE WARRANTY

Warranty for this software product is provided by Digital with the purchase of a license for the product.

This product is intended to assist customers in maintaining an appropriately secure systems environment when used in conjunction with customers' vigilant operational security practices. Digital does not guarantee or warrant that the use of these tools will provide complete security protection for customers' systems.

[R] AIX is a registered trademark of International Business Machines Corporation.
[R] HP is a registered trademark of Hewlett-Packard Company.
[R] Microsoft and Windows are registered trademarks of Microsoft Corporation.
[R] NetWare is a registered trademark of Novell, Inc.
[R] NFS, Solaris and SunOS are registered trademarks of Sun Microsystems, Inc.
[R] OSF and OSF/1 are registered trademarks of the Open Software Foundation Inc.
[R] UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company Ltd.
[TM] The DIGITAL logo, DEC, AXP, Digital, OpenVMS, POLYCENTER, ULTRIX, and VMS are trademarks of Digital Equipment Corporation.

All other trademarks and registered trademarks are the property of their respective owners.

©1994, 1996 Digital Equipment Corporation. All rights reserved.