Software Product Description
___________________________________________________________________

PRODUCT NAME: POLYCENTER Security Intrusion Detector for DEC OSF/1 AXP, Version 1.2
SPD 43.08.00

DESCRIPTION

POLYCENTER[TM] Security Intrusion Detector for DEC OSF/1[R] AXP (POLYCENTER Security ID) is a real-time security monitoring application for the DEC OSF/1 AXP operating system. It performs knowledge-based analysis of the output of the audit subsystem to recognize and respond to security-relevant activity. Violations such as attempted logins, unauthorized access to files, illegal setuid programs, and unauthorized audit modifications are automatically detected and acted upon. This frees the system or security manager to tackle more important end-user problems.

Most security breaches involve a series of actions. Instead of looking at each action individually, POLYCENTER Security ID looks at the whole picture. Using a case method modeled after criminal investigations, POLYCENTER Security ID assigns an agent to monitor the suspect and file evidence to the case. By analyzing each security event within the context of a case, POLYCENTER Security ID can distinguish between real threats and innocent behavior and, therefore, POLYCENTER Security ID will not kick legitimate users off the system or trigger false alarms.

POLYCENTER Security ID can be configured to take countermeasures against intruders without human intervention. Security managers can work from the Manager's Graphical User Interface or from the DEC OSF/1 AXP command line.

DIGITAL August 1994 AE-Q8YPA-TE

POLYCENTER Security ID

o Runs on every DEC OSF/1 AXP system in a network to detect and take real-time action on intruders, whether malicious hackers or inexperienced users.

o Uses a built-in knowledge-base to automatically interpret the DEC OSF/1 AXP audit subsystem data.
o Notifies security managers about critical security events occurring on a system, as detected from the DEC OSF/1 AXP audit subsystem. The following is a list of these events:

  - access-control-event - A failed attempt to modify the protection of any file and the successful modification of the protection of a critical file
  - account-auth-event - A modification of a user account password
  - audit-subsystem-event - A change to the audit subsystem including queries to the audit state, starting or stopping of auditing, changes to system and process audit levels
  - breakin-event - Five successive login failures
  - file-transfer-event - An rcp-based network file copy
  - logfail-event - A failed login
  - login-event - A successful login
  - obj-access-event - A failed attempt to access any file or device and the successful modification of a critical file
  - privileged-process-creation-event - Gaining privilege by running a SUID-to-root program that is not registered as a critical file, or using the su utility
  - process-termination-event - Exiting of a monitored process
  - program-execution-event - Execution of a critical program that has been recently modified

o Has tailored automatic countermeasures that include:

  - sending mail to designated security officers
  - resetting event auditing if it was modified
  - re-enabling of audit data generation
  - shutting down an offending process

o Filters a large volume of audit data, reducing it to a manageable set of relevant information for the system manager to review. This permits more frequent archiving of old data and ultimately means less disk space usage.

o Produces daily or weekly summaries of security-relevant activity.

o Allows the security manager to easily monitor security-relevant settings on many DEC OSF/1 AXP systems using a security management system.
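An added sketch, not DEC's code and not part of this SPD, of how per-suspect case correlation could raise the breakin-event and privileged-process-creation-event defined in the event list above. The audit record format, the critical-file registry, and the rule that a successful login ends a failure streak are assumptions made for the example.

```python
from collections import defaultdict

BREAKIN_THRESHOLD = 5                 # SPD: breakin-event = five successive login failures
CRITICAL_FILES = {"/usr/bin/passwd"}  # assumed registry of critical files

def classify(rec):
    """Map one raw audit record (constructed format) to an event name from the SPD list."""
    if rec["op"] == "login":
        return "login-event" if rec["ok"] else "logfail-event"
    if rec["op"] == "exec" and rec.get("suid_root") and rec["path"] not in CRITICAL_FILES:
        return "privileged-process-creation-event"
    return None  # not security-relevant for this sketch

def analyze(records):
    """File each event as evidence in a per-suspect case; return (alerts, cases)."""
    cases = defaultdict(lambda: {"evidence": [], "fail_streak": 0})
    alerts = []
    for rec in records:
        event = classify(rec)
        if event is None:
            continue
        case = cases[rec["user"]]
        case["evidence"].append(event)
        if event == "logfail-event":
            case["fail_streak"] += 1
            if case["fail_streak"] == BREAKIN_THRESHOLD:
                alerts.append((rec["user"], "breakin-event"))
        elif event == "login-event":
            case["fail_streak"] = 0  # assumption: a success ends the streak
        else:
            alerts.append((rec["user"], event))
    return alerts, dict(cases)

# Constructed sample audit records (not real OSF/1 audit output).
SAMPLE = (
    [{"op": "login", "user": "alice", "ok": False}] * 2
    + [{"op": "login", "user": "alice", "ok": True}]
    + [{"op": "login", "user": "mallory", "ok": False}] * 5
    + [{"op": "exec", "user": "bob", "path": "/usr/bin/passwd", "suid_root": True},
       {"op": "exec", "user": "bob", "path": "/tmp/sh", "suid_root": True}]
)

if __name__ == "__main__":
    for user, event in analyze(SAMPLE)[0]:
        print(user, event)
```

Two mistyped passwords followed by a successful login stay as evidence in the case without raising an alert, which is the false-alarm behavior the case method is meant to avoid.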
ADDITIONAL POLYCENTER SECURITY SOFTWARE

The following is a list of related security products:

o POLYCENTER Security Intrusion Detector for OpenVMS[TM] (SPD 41.27.xx)
o POLYCENTER Security Intrusion Detector for ULTRIX[TM] (SPD 43.10.xx)
o POLYCENTER Security Intrusion Detector for SunOS[TM] (SPD 43.09.xx)
o POLYCENTER Security Compliance Manager for OpenVMS (SPD 26.N1.xx)
o POLYCENTER Security Compliance Manager for ULTRIX (SPD 41.26.xx)
o POLYCENTER Security Compliance Manager for SunOS (SPD 41.25.xx)
o POLYCENTER Security Compliance Manager for HP[R]-UX (SPD 46.12.xx)
o POLYCENTER Security Compliance Manager for AIX[R] (SPD 46.11.xx)
o POLYCENTER Security Compliance Manager for Solaris[R] (SPD 55.87.xx)
o POLYCENTER Security Compliance Manager for NetWare[R] (SPD 62.80.xx)
o POLYCENTER Security Compliance Manager for DEC OSF/1 AXP (SPD 62.53.xx)
o POLYCENTER Security Reporting Facility for OpenVMS (SPD 26.N2.xx)

HARDWARE REQUIREMENTS

Processors Supported:

POLYCENTER Security ID supports the following processors:

Alpha AXP[TM]:
    DEC 2000 Model 300 AXP
    DEC 2000 Model 500 AXP
    DEC 3000 Model 300 AXP
    DEC 3000 Model 300L AXP
    DEC 3000 Model 300X AXP
    DEC 3000 Model 300LX AXP
    DEC 3000 Model 400 AXP
    DEC 3000 Model 400S AXP
    DEC 3000 Model 500 AXP
    DEC 3000 Model 500S AXP
    DEC 3000 Model 500X AXP
    DEC 3000 Model 600 AXP
    DEC 3000 Model 600S AXP
    DEC 3000 Model 800 AXP
    DEC 3000 Model 800S AXP
    DEC 4000 Model 610 AXP
    DEC 4000 Model 710 AXP
    DEC 7000 Model 610 AXP
    DEC 10000 Model 610 AXP
    DEC 2100 Server A500MP
    DEC 2100 Server A600MP

Other Hardware Required:

To install POLYCENTER Security ID software, the system must support a CD-ROM reader.

Disk Space Requirements:

Disk space required for installation: 4,500 Kbytes
Disk space required for use (permanent): 4,500 Kbytes

These counts refer to the disk space required on the system disk. The sizes are approximate; actual sizes may vary depending on the user's system environment, configuration, and software options.
SOFTWARE REQUIREMENTS

To run POLYCENTER Security ID, you must be running the DEC OSF/1 AXP Operating System Version 2.0 or Version 3.0.

DEC OSF/1 AXP Tailoring:

To use POLYCENTER Security ID, the optional DEC OSF/1 AXP Enhanced Security Features subset must be installed. However, the system does not have to be running ENHANCED security.

For more information on DEC OSF/1 AXP customization, refer to the DEC OSF/1 AXP Operating System Software Product Description (SPD 41.61.xx).

SOFTWARE LICENSING

This software is furnished under the licensing provisions of Digital Equipment Corporation's Standard Terms and Conditions. For more information about Digital's licensing terms and policies, contact your local Digital office.

Possession, use, or copying of the software described in this publication is authorized only pursuant to a valid written license from Digital or an authorized sublicensor.

License Management Facility Support

This layered product supports the DEC OSF/1 AXP License Management Facility.

License units for this product are allocated on an Unlimited System Use basis.

For more information on the License Management Facility, refer to the DEC OSF/1 AXP Operating System Software Product Description (SPD 41.61.xx) or the Guide to Software Licensing in the DEC OSF/1 AXP Operating System documentation set.

GROWTH CONSIDERATIONS

The minimum hardware/software requirements for any future version of this product may be different from the minimum requirements for the current version.

DISTRIBUTION MEDIA

This product is available as part of the DEC OSF/1 AXP Consolidated Software Distribution on CD-ROM.

The software documentation for this product is available as part of the DEC OSF/1 AXP Online Documentation Library on CD-ROM.

ORDERING INFORMATION

Software Licenses: QL-33XA9-AA
Software Media: QA-33XAA-H*
Software Documentation: QA-33XAA-GZ
Software Product Services: QT-33XA*-**

* Denotes variant fields.
For additional information on available licenses, services, and media, refer to the appropriate price book.

The above information is valid at time of release. Please contact your local Digital office for the most up-to-date information.

SOFTWARE PRODUCT SERVICES

A variety of service options are available from Digital. For more information, contact your local Digital office.

In addition to standard SPS remedial services, consulting services for planning, designing, and implementing a custom security system are also available. For more information, contact your local Digital office.

SOFTWARE WARRANTY

As with any security product, POLYCENTER Security ID software should be considered part of an overall security plan. Customers are encouraged to follow industry-recognized security practices and not rely on any single security product or service to provide complete protection.

Warranty for this software product is provided by Digital with the purchase of a license for the product as defined in the Software Warranty Addendum of this SPD.

[R] AIX is a registered trademark of IBM.
[R] HP is a registered trademark of Hewlett-Packard Company, Inc.
[R] NetWare is a registered trademark of Novell Inc.
[TM] Solaris and SunOS are registered trademarks of Sun Microsystems, Inc.
[R] OSF and OSF/1 are registered trademarks of the Open Software Foundation Inc.
[TM] The DIGITAL Logo, AXP, DEC, DECstation, DECsystem, Digital, OpenVMS, POLYCENTER, TK, and ULTRIX are trademarks of Digital Equipment Corporation.