Software Product Description ___________________________________________________________________ PRODUCT NAME: POLYCENTER Security Intrusion Detector SPD 41.27.03 for OpenVMS VAX and OpenVMS Alpha, Ver- sion 1.2a Software Product Description ___________________________________________________________________ PRODUCT NAME: POLYCENTER Security Intrusion Detector SPD 41.27.03 for OpenVMS VAX and OpenVMS Alpha, Ver- sion 1.2a DESCRIPTION POLYCENTER [TM] Security Intrusion Detector (ID) for OpenVMS [TM] (for- merly DECinspect[TM] Intrusion Detector) is a security tool that con- stantly monitors suspicious or hostile activity and reports any such activity to the security manager. POLYCENTER Security ID operates in real time, processing audit events from the OpenVMS Audit Server as they occur and notifying the secu- rity manager via electronic mail. Furthermore, POLYCENTER Security ID can be configured to take countermeasures against intruders without human intervention. Security managers can use this version of POLYCENTER Security ID from the DCL command line. If they are running OpenVMS VAX[TM] Version 5.3 or higher but less than Version 6.0, security managers can also use this version of POLYCENTER Security ID from within the POLYCENTER Se- curity Compliance Manager for OpenVMS menu system. POLYCENTER Security ID does the following: o Notifies security managers about critical security events occur- ring on a system, as detected by the OpenVMS Audit Server. DIGITAL November 1995 AE-PQ5ED-TE The following is a list of these events: - UAF modifications - Proxy modifications - Rights list modifications - Privileged image installations - File access failures - Login successes by hostile users - Break-in events - Login failures o Mails summary or detailed reports about the security events. One or more security managers specified on the POLYCENTER Security ID security manager list receive the reports. Only some reports are sent at specified intervals. Most are sent in real time. The following is a list of reports sent in real time: - Notification of a change in the system time. - Full security reports of UAF, proxy, and rights operations. - Full security reports when audit events are modified. - Notification of password modification by users (this is enabled by the RID SET REPORT/PASSWORD_SET DCL command). - A report is sent when hostile local or remote users log in and when a user from a monitored node logs in. - A report is sent when a security manager uses the RID MONITOR DCL command (or the menu interface on OpenVMS VAX Version 5.3 or higher but less than Version 6.0) to monitor a local or re- mote user or a node. The following reports are not sent in real time: - Daily login failure summary. 2 - Full intrusion notification of break-in, install, and mount alarm messages. Repeated triggering of the same alarm by the same user causes only one mail message over the period of hours given by the MAIL_INTERVAL value. - Excessive account failure activity per day (this is the message sent when a user exceeds the total login failure threshold). o Initiates countermeasures against hostile users. - If countermeasures are enabled, POLYCENTER Security ID takes ac- tion to counteract the security event. For example, a suspected intruder process is deleted or a suspected account is disabled after an account exceeds a certain number of events. - If countermeasures are not enabled, the security manager still receives notification of the events; however, no counteraction takes place. For example, the suspected account is not disabled. - Some limited countermeasures are always performed to preserve the integrity of POLYCENTER Security ID itself. For example, if an unauthorized user disables audit events, POLYCENTER Security ID re-enables audit events automatically. Also, POLYCENTER Se- curity ID protects its own run-time parameter file and recreates it automatically if it is deleted. o Allows security managers to issue commands to POLYCENTER Security ID to monitor any suspected user and remote login sources for a spec- ified length of time. For example, this feature is used if a known local account is being used to penetrate a system and it is desired to identify the remote login sources. o Sends security event messages, known as alarm tokens, to a DECnet[TM] node running POLYCENTER Security Reporting Facility (SRF) for Open- VMS software. Upon receipt of the alarm token, POLYCENTER SRF no- tifies the POLYCENTER SRF administrator via electronic mail about the security event. 3 Alarm tokens contain information about the node's security manager, target entity, source entity, failure type, and failure limit. Stor- ing the alarm tokens, gives the administrator access to current and historical information about security events occurring on one or more nodes across a network. ADDITIONAL POLYCENTER SECURITY PRODUCTS o POLYCENTER Security Intrusion Detector for ULTRIX (SPD 43.07.xx) o POLYCENTER Security Intrusion Detector for DEC OSF/1 (SPD 43.08.xx) o POLYCENTER Security Intrusion Detector for SunOS (SPD 43.09.xx) o POLYCENTER Security Compliance Manager for OpenVMS (SPD 26.N1.xx) o POLYCENTER Security Compliance Manager for ULTRIX (SPD 41.26.xx) o POLYCENTER Security Compliance Manager for SunOS (SPD 41.25.xx) o POLYCENTER Security Compliance Manager for Solaris (SPD 55.87.xx) o POLYCENTER Security Compliance Manager for HP-UX (SPD 46.12.xx) o POLYCENTER Security Compliance Manager for AIX (SPD 46.11.xx) o POLYCENTER Security Compliance Manager for DEC OSF/1 (SPD 55.86.xx) o POLYCENTER Security Compliance Manager for NetWare (SPD 62.80.xx) o POLYCENTER Security Reporting Facility for OpenVMS (SPD 26.N2.xx) HARDWARE REQUIREMENTS Processors Supported for OpenVMS Alpha: Any Alpha system that is capable of running OpenVMS Alpha Version 6.1 or higher. Processors Supported for OpenVMS VAX: 4 Any VAX system that is capable of running OpenVMS VAX Version 5.3 or higher but less than Version 6.0. VAX systems that are capable of run- ning OpenVMS VAX V6.1 or higher are also supported. Processors Not Supported: MicroVAX I VAXstation I VAX-11/725 VAX-11/782 VAXstation 8000 In addition, POLYCENTER Security ID does not run on OpenVMS VAX Ver- sion 6.0. SOFTWARE REQUIREMENTS POLYCENTER Security ID for OpenVMS Alpha To use POLYCENTER Security ID for OpenVMS Alpha, Version 1.2a, you must be running the OpenVMS Alpha Operating System Version 6.1 or higher. POLYCENTER Security ID for OpenVMS VAX POLYCENTER Security ID for OpenVMS, Version 1.2a can exploit operat- ing system functionality which is only available in OpenVMS Version 6.1 or higher. Because of this, you receive two sets of POLYCENTER Security ID soft- ware on your distribution media. One set of software is installed on systems running OpenVMS VAX Version 5.3 or higher but less than Ver- sion 6.0. The other set of software is installed on systems running OpenVMS VAX Version 6.1 or higher. When you run the installation pro- cedure, a check is automatically carried out to determine the version of OpenVMS VAX that you are running and which version of POLYCENTER Security ID to install. To use POLYCENTER Security ID for OpenVMS VAX, Version 1.2a, you must be running one of the following: o OpenVMS VAX Operating System Version 6.1 or higher 5 o OpenVMS VAX Operating System Version 5.3 or higher but less than Version 6.0 POLYCENTER Security ID does not run on OpenVMS VAX Version 6.0. If you are running OpenVMS VAX Version 6.1 or higher, you must also be running DECnet-VAX End Node (If POLYCENTER SRF support is required). If you are running OpenVMS VAX Version 5.3 or higher but less than Ver- sion 6.0, then you must also be running the following: For Systems Using Terminals (No DECwindows[TM] Interface): o POLYCENTER Security Compliance Manager for OpenVMS o DECforms[TM] Run-Time System o DECnet-VAX End Node (if POLYCENTER SRF support is required) For Workstations Running VWS: o OpenVMS Workstation Software o POLYCENTER Security Compliance Manager for OpenVMS o DECforms Run-Time System o DECnet-VAX End Node (if POLYCENTER SRF support is required) For Workstations Running DECwindows (No DECwindows interface, use DECterm[TM]): OpenVMS Operating System (and necessary components of OpenVMS DECwin- dows) o POLYCENTER Security Compliance Manager for OpenVMS o DECforms Runtime System o DECnet-VAX End Node (if POLYCENTER SRF support is required) 6 OpenVMS Tailoring Classes For OpenVMS VAX 5.x Systems, the following OpenVMS classes are required for full functionality of POLYCENTER Security ID: o OpenVMS Required Saveset o Network Support o Secure User's Environment o Utilities For more information on OpenVMS classes and tailoring, refer to the OpenVMS Operating System Software Product Description (SPD 25.01.xx). PROCESSOR RESTRICTIONS Disk Space Requirements (Block Cluster Size = 1) Disk space required for installation is 4,000 blocks: (2.0 Megabytes (MB)) Disk space required for permanent use is 2,500 blocks: (1.3 MB) These counts refer to the disk space required on the system disk. The sizes are approximate; actual sizes may vary depending on the user's system environment, configuration, and software options. CLUSTER ENVIRONMENT This layered product is fully supported when installed on any valid and licensed OpenVMS cluster configuration without restrictions. The HARDWARE REQUIREMENTS sections of this product's Software Product De- scription detail any special hardware required by this product. Open- VMS Version 6.1 and above cluster configurations are fully described in the VMScluster[TM] Software Product Description (42.18.xx) and in- clude CI, Ethernet, and Mixed Interconnect configurations. 7 GROWTH CONSIDERATIONS The minimum hardware/software requirements for any future version of this product may be different from the minimum requirements for the current version. DISTRIBUTION MEDIA For OpenVMS VAX POLYCENTER Security ID for OpenVMS VAX is distributed on TK50 Stream- ing Tape. The tape includes two sets of binary files. See the SOFT- WARE REQUIREMENTS section of this SPD for more information. For OpenVMS Alpha POLYCENTER Security ID for OpenVMS Alpha is distributed on CD-ROM. Both POLYCENTER Security ID for OpenVMS VAX and POLYCENTER Security ID for OpenVMS Alpha are also available as part of the OpenVMS Con- solidated Software Distribution on CD-ROM. The software documentation is also available as part of the OpenVMS Online Documentation Library on CD-ROM. ORDERING INFORMATION For OpenVMS VAX: Software Licenses: QL-MRNA*-** Software Media: QA-MRNA*-** Software Documentation: QA-MRNA*-GZ Software Product Services: QT-MRNA*-** For OpenVMS Alpha: Software Licenses: QL-3SZA*-** Software Media: QA-3SZA*-** Software Documentation: QA-3SZA*-GZ Software Product Services: QT-3SZA*-** 8 * Denotes variant fields. For additional information on available li- censes, services, and media, refer to the appropriate price book. SOFTWARE LICENSING This software is furnished under the licensing provisions of Digital Equipment Corporation's Standard Terms and Conditions. For more in- formation about Digital's licensing terms and policies, contact your local Digital office. License Management Facility (LMF) Support: This layered product supports the OpenVMS License Management Facil- ity. License units for this product are allocated on an Unlimited System Use basis. For more information on the License Management Facility, refer to the OpenVMS Operating System Software Product Description (SPD 25.01.xx) or the License Management Facility manual of the OpenVMS Operating Sys- tem documentation set. SOFTWARE PRODUCT SERVICES In addition to standard Software Product Services remedial services, consulting services for planning, designing, and implementing a cus- tom security system are also available. A variety of service options are available from Digital. For more information, contact your local Digital office. SOFTWARE WARRANTY As with any security product, POLYCENTER Security ID software should be considered part of an overall security plan. Customers are encour- aged to follow industry-recognized security practices and not rely on any single security product or service to provide complete protection. 9 This product is intended to assist customers in maintaining an appro- priately secure systems environment when used in conjunction with cus- tomer's vigilant operational security practices. Digital does not guar- antee or warrant that the use of these tools will provide complete se- curity protection for customer's systems. Warranty for this software product is provided by Digital with the pur- chase of a license for the product. © Digital Equipment Corporation. 1995. All rights reserved. Digital Equipment Corporation makes no representation that the use of its products in the manner described in this publication will not in- fringe on existing or future rights, nor do the descriptions contained in this publication imply the granting of licenses to make, use, or sell equipment or software in accordance with this description. [R] HP and HP-UX are registered trademarks of Hewlett-Packard Com- pany, Inc. [R] IBM and AIX are registered trademarks of International Business Machines Corporation. [TM]SunOS and Solaris are trademarks of Sun Microsystems, Inc. [R] OSF/1 is a registered trademark of the Open Software Founda- tion, Inc. [TM]The DIGITAL logo, DEC, DECforms, DECinspect, DECnet, DECterm, DECwindows, Digital, OpenVMS, POLYCENTER, ULTRIX, VAX, VMSclus- ter are trademarks of Digital Equipment Corporation. All other trademarks and registered trademarks are the property of their respective holders. 10