HP OpenVMS Systems Documentation

The directory SYSMSG contains the following files:

Directory SYS$SYSDEVICE:[VMS$COMMON.SYSMSG]

ADAMSG.EXE;1                                       CLIUTLMSG.EXE;1
CXXL$MSG_SHR.EXE;1                                 DBGTBKMSG.EXE;1
DBLRTLMSG.EXE;1                                    DECW$TRANSPORTMSG.EXE;1
DNS$MSG.EXE;1                                      EPC$MSG.EXE;1
FILMNTMSG.EXE;1                                    LMCP$MSG.EXE;1
LMF_MESSAGE.EXE;1                                  NETWRKMSG.EXE;1
PASMSG.EXE;1                                       PLIMSG.EXE;1
PPLMSG.EXE;1                                       PRGDEVMSG.EXE;1
RPGMSG.EXE;1                                       SCNMSG.EXE;1
SHRIMGMSG.EXE;1                                    SORTMSG.EXE;1
SYSMGTMSG.EXE;1                                    SYSMSG.EXE;1
TECOMSG.EXE;1                                      TPUMSG.EXE;1
VAXCMSG.EXE;1                                      VMSINSTAL_LANGUAGE.COM;1
VMSLICENSE_LANGUAGE.COM;1                          VVIEFMSG.EXE;1

Total of 28 files.

The directory SYSTEST contains the following files:

Directory SYS$SYSDEVICE:[VMS$COMMON.SYSTEST]

DECDTM_IVP.EXE;1                                   TCNTRL.CLD;1
UETCDRO00.EXE;1                                    UETCLIG00.COM;1
UETCLIG00.DAT;1                                    UETCLIG00.EXE;1
UETCOMS00.EXE;1                                    UETDISK00.EXE;1
UETDMPF00.EXE;1                                    UETDNET00.COM;1
UETDNET00.DAT;1                                    UETDR1W00.EXE;1
UETDR7800.EXE;1                                    UETFORT01.DAT;1
UETFORT01.EXE;1                                    UETFORT02.EXE;1
UETFORT03.EXE;1                                    UETINIT00.EXE;1
UETINIT01.EXE;1                                    UETLOAD00.DAT;1
UETLOAD02.COM;1                                    UETLOAD03.COM;1
UETLOAD04.COM;1                                    UETLOAD05.COM;1
UETLOAD06.COM;1                                    UETLOAD07.COM;1
UETLOAD08.COM;1                                    UETLOAD09.COM;1
UETLOAD10.COM;1                                    UETLOAD11.COM;1
UETLPAK00.EXE;1                                    UETMA7800.EXE;1
UETMEMY01.EXE;1                                    UETNETS00.EXE;1
UETP.COM;1                                         UETPHAS00.EXE;1
UETRSXFOR.EXE;1                                    UETSUPDEV.DAT;1
UETTAPE00.COM;1                                    UETTAPE00.EXE;1
UETTTYS00.EXE;1                                    UETUNAS00.EXE;1
UETVECTOR.COM;1                                    UETVECTOR.EXE;1

Total of 44 files.

The directory SYSUPD contains the following files:

Directory SYS$SYSDEVICE:[VMS$COMMON.SYSUPD]

AUTOGEN.COM;1                                      BOOTUPD.COM;1
CONSCOPY.COM;1                                     CREATE_IDX.EXE;1
DECW$KITBLD.DAT;1                                  DECW$KITBLD.IDX;1
DECW$MKFONTDIR.COM;1                               DECW$OBSOLETE.DAT;1
DECW$OBSOLETE.IDX;1                                DECW$TAILOR.EXE;1
DECW$TAILOR_ON.TEMPLATE;1                          DXCOPY.COM;1
INSTALLED_PRDS.COM;1                               LIBDECOMP.COM;1
NETCONFIG_UPDATE.COM;1                             PCSI$CREATE_ACCOUNT.COM;1
PCSI$CREATE_NETWORK_OBJECT.COM;1                   PCSI$CREATE_RIGHTS_IDENTIFIER.COM;1
PCSI$DELETE_ACCOUNT.COM;1                          PCSI$DELETE_NETWORK_OBJECT.COM;1
PCSI$DELETE_RIGHTS_IDENTIFIER.COM;1                PCSI$REGISTER_PRODUCT.COM;1
REGISTER_PRIVILEGED_IMAGE.COM;1                    SETDEFBOO.COM;1
SPKITBLD.COM;1                                     STABACKIT-TABLE.DAT;1
STABACKIT.COM;1                                    SWAPFILES.COM;1
TAILOR_ON.TEMPLATE;1                               UPDATE_CONSOLE.COM;1
VMS$ROLLING_UPGRADE.COM;1                          VMS$SYSTEM_IMAGES.COM;1
VMSINSTAL.COM;1                                    VMSINSTAL_LMFGROUPS.COM;1
VMSKITBLD.COM;1                                    VMSKITBLD.DAT;1
VMSKITBLD.IDX;1                                    VMSLICENSE.COM;1
VMSTAILOR.EXE;1                                    VMSUPDATE.COM;1
VMS_VERSION_OVERRIDE.DAT;1                         VVIEF$DEINSTAL.COM;1
VVIEF$INSTAL.COM;1

Total of 43 files.

The directory VUE$LIBRARY contains the following files:

Directory SYS$SYSDEVICE:[VMS$COMMON.VUE$LIBRARY]

SYSTEM.DIR;1                                   [SYSTEM]    (RWE,RWE,RE,RE)
USER.DIR;1                                     [SYSTEM]    (RWE,RWE,RE,RE)

Total of 2 files.

Directory SYS$SYSDEVICE:[VMS$COMMON.VUE$LIBRARY.SYSTEM]

MACRO$DWCI.EXE;1                               [SYSTEM]    (RWED,RWED,RWED,RE)
MACRO$DWCI.UID;1                               [SYSTEM]    (RWED,RWED,RWED,RE)

Total of 2 files.

Grand total of 35 directories, 2055 files.

This appendix describes how to operate an OpenVMS operating system in a C2 environment. C2 is a United States government rating of the security of an operating system; it identifies OpenVMS VAX and OpenVMS Alpha as an operating system that meets the criteria of a Division C, class 2 system, as described in Section C.1.1. Terminology used in this appendix is drawn from the United States government's evaluation criteria.

Those versions of OpenVMS that have been evaluated by the National Computer Security Center (NCSC) are listed in the Evaluated Products List, which is available from the following source:

National Computer Security Center
9800 Savage Road
Fort George G. Meade
Maryland 20755-6000

This information is also available on the World Wide Web site at:

http://www.radium.NCSC.mil/tpep/epl/index.html

The security protection provided by OpenVMS VAX Version 6.1 and OpenVMS AXP Version 6.1 has been evaluated by the National Computer Security Center (NCSC) against the requirements specified by the "Department of Defense Trusted Computer System Evaluation Criteria" dated December 1985. OpenVMS VAX Version 6.1 and OpenVMS AXP Version 6.1 have been given a C2 rating.

C.1 Introduction to C2 Systems

This section describes the requirements for a C2 system and explains the documentation that the OpenVMS product provides to support such a system.

C.1.1 Definition of the C2 Environment

A C2 environment is one that meets the United States Defense Department's criteria for trusted computer systems and that contains only those hardware and software components of the trusted computing base (TCB) that were included in the government's evaluation of the OpenVMS operating system.

The criteria for C2 systems are defined in the Department of Defense Trusted Computer System Evaluation Criteria, published by the Department of Defense Computer Security Center (DOD 5200.28-STD). They include the following:

• Access controls, which if used, can identify individual users as well as groups of users
• User accountability through login procedures that clearly identify a user
• Auditing of security-relevant events
• Resource isolation so objects are erased before being reallocated

The trusted facility manual is intended for the system administrator. The C2 trusted facility manual includes the following:

• Chapters 5--13 and the appendixes of this manual
• OpenVMS System Management Utilities Reference Manual, Audit Analysis utility section
• OpenVMS AXP Version 6.1 Upgrade and Installation Manual
• OpenVMS VAX Version 6.1 Upgrade and Installation Manual
• OpenVMS AXP Version 6.1 Release Notes
• OpenVMS AXP Version 6.1 Release Notes Addendum
• OpenVMS VAX Version 6.1 Release Notes
• OpenVMS VAX Version 6.1 Release Notes Addendum

Part 1 and Part 2 of this guide constitute the security features user's guide and should be made available to all users.

C.2 Trusted Computing Base (TCB) for C2 Systems

The federal government's evaluation of a computer system measures the trusted computing base (TCB) against the criteria summarized in Section C.1.1. The TCB is a combination of computer hardware and an operating system that enforces a security policy.

C.2.1 Hardware in the TCB

The architectural design of VAX processors prevent competing programs from interfering with the data of another program. VAX hardware prevents one program from interfering with the memory of another program.

The security features described in this guide apply to any VAX processor in the evaluated hardware configurations and to all supported mass storage and communications devices. The Final Evaluation Report, Compaq Equipment Corporation, OpenVMS VAX and SEVMS Version 6.1 provides a full listing of the evaluated hardware.

C.2.2 Software in the TCB

In OpenVMS operating systems, the TCB encompasses much of the operating system. It includes the entire executive and file system, all other system components that do not execute in user mode (such as device drivers, RMS, and DCL), most system programs installed with privilege, and a variety of other utilities used by system managers to maintain data relevant to the TCB.

As a convenience to customers, the OpenVMS operating system ships with more than the base operating system. The software package includes save sets and supportive images for layered products typically run on OpenVMS operating systems. Yet only the base operating system was evaluated as a C2 system. Layered products, such as DECwindows software and Display PostScript support, were not part of the evaluation. For this reason, the C2 rating does not extend to OpenVMS VAX systems running the software listed in Table C-1. The exclusion of these software components in no way implies they are insecure; it only means that they were not part of the evaluated system. After the introduction of any such software, the base system must be accredited for its particular usage.

Site-specific additions to the evaulated TCB hardware and software discussed in Section C.2.1 and Section C.2.2 include any of the following:

• Hardware, including modems, not on the evaluated product list (see Section C.2.1).
• Software installed with a security-relevant privilege. Images can be installed with a privilege in the Normal or Devour category (see Table C-2).
• Software installed as shared/protected, such as user-written system services.
• Software executing in supervisor, executive, or kernel mode.
• Software linked into a TCB executable with the SYSMAN command SYS_LOADABLE.
• Software used for system administration by a privileged user.

Typical site additions may include DECwindows software, LOGINOUT callouts, and other privileged Compaq or third-party products.

Before you add layered products, become familiar with the behavior of these products and understand their impact on your existing system. Also study the the SYSMAN database, from which layered products can be started, in the context of a C2 environment.

All site-specific additions to the trusted computing base (TCB) must be controlled. The C2 rating applies only to the software and hardware components described in the Final Evaluation Report, Compaq Equipment Corporation, OpenVMS VAX and SEVMS Version 6.1. If additional software or hardware is added to the TCB, the new TCB must go through a system certification to demonstrate its compliance with the C2 criteria.

C.3 Protecting Objects

The OpenVMS operating system controls access to objects that contain information. Protected objects include ODS-2 disk files, common event flag clusters, devices, all group and system global sections, logical name tables, queues, resource domains, and ODS-2 disk volumes. The capability object and the security class object enjoy full discretionary access protection but they are not objects according to the C2 evaluation criteria.

Chapter 4 and Chapter 5 describe object protection and explain how the operating system provides template profiles so all new objects have UICs, protection codes and, possibly, ACLs. Section 4.4.7, Section 4.5.6, and Section 8.8, in particular, explain how to set default protection for newly created objects.

The default protections assigned to global section and mailbox objects are less restrictive than those assigned to other objects. This is due to the fact that certain software products assume that mailbox and global section objects are created, by default, with the less restrictive protections. You can modify the template profiles for these objects so they have more stringent protection, but do keep in mind that some software products may be adversely affected.

To change the default protection, you need to modify both the template profile for the object and any existing object. For example, the following command modifies the MAILBOX template for the device class:

$ SET SECURITY/CLASS=SECURITY_CLASS/PROFILE=TEMPLATE=MAILBOX -
_$ /PROTECTION=(S:RWPL,O:RWPL,G,W) DEVICE

The operating system applies this value to all new mailboxes. The protection on each existing mailbox still has to be made more restrictive using the SET SECURITY command. For example:

$ SET SECURITY/CLASS=DEVICE -
_$ /PROTECTION=(S:RWPL,O:RWPL,G,W) mailbox_name

The default object protections specified in security templates survive system shutdown and reboot, so rebooting the system automatically ensures that all objects created after the reboot are created with the new default protections unless an object's creator specifies an alternate protection.

C.4 Protecting the TCB

The code and data that make up the OpenVMS TCB reside in files and, in part, in the address space of the running operating system. They are protected by the use of file access controls and memory page protection. Memory page protection is set up by the operating system as it executes and is normally not of concern to the system manager.

C.4.1 Protecting Files

The files that make up the TCB are correctly protected when the operating system is installed; however, sufficiently privileged users can alter the protection. Appendix B of this guide describes the correct file protection of operating system files.

When installing an OpenVMS operating system, avoid modifying any system files except those specific to your site. You want to maintain the security of the base operating system.

C.4.2 Privileges for Trusted Users

Certain privileges allow the holder to bypass normal file and memory access controls directly or indirectly and, therefore, must not be granted to persons other than the system manager, security administrator, or other trusted users. Privileges in four categories are appropriate only for trusted users: Objects, All, System, and Group. Refer to Table 8-2 for the privileges belonging to each of these categories. The privileges themselves are described in detail in Appendix A.

Privileges in the Objects and All categories allow the holder to violate the isolation of the TCB from untrusted users. Privileges in the System category allow the holder to interfere with normal system operation and cause denial of service, but they do not allow the holder to actually violate object access controls. Some privileges in the System category also allow access controls to be ultimately bypassed.

Privileges in the Group category permit the holder to interfere with the operations of others in the same group. The GRPPRV privilege, in particular, permits the holder to violate normal access controls within that holder's group because it grants access (through the system field of the protection code) to objects owned by subjects sharing the same group UIC.

All trusted users should be familiar with all the effects of any operations they perform. In particular, they need to know all software products an operation might use because a trusted user's privileges can allow untrusted software to perform operations that OpenVMS security policy would otherwise preclude.

C.4.3 Privileges for Untrusted Users

Untrusted users can hold any privilege in the Normal and Devour category with the exception of GRPNAM. Exercise caution in granting privileges from the Devour category; however, for they permit the holder to consume resources without limit, thereby causing possible denial of service and interference with the operations of other users on the system. Table C-2 lists privileges allowed to untrusted users.