HP OpenVMS Systems Documentation

This glossary provides definitions of security-related terms used in this guide.

access control: Restrictions on the ability of a subject (user or process) to use the system or an object in the computing system. Authentication of the user name and password controls access to the system, while protection codes, access control lists, and privileges regulate access to protected objects in that system.

access control entry (ACE): An entry in an access control list (ACL). Access control entries may specify identifiers and the access rights to be granted or denied the holders of the identifiers, default protection for directories, or security details. ACLs for each object can hold many entries, limited only by overall space and performance considerations. See also access control list, identifier.

access control list (ACL): A list that defines the kinds of access to be granted or denied to users of an object. Access control lists can be created for all protected objects such as files, devices, and logical name tables. Each ACL consists of one or more entries known as access control entries (ACEs). See also access control entry.

access control string: A character string used in remote logins. It consists of the user name for the remote account and the user's password enclosed within quotation marks.

access matrix: A table that lists subjects on one axis and objects on the other. Each crosspoint in the matrix thus represents the access that one subject has to one object.

access type: The capability required to perform an operation on a protected object. OpenVMS security policy can require multiple capabilities to complete an operation. The most commonly accessed object, a file, can require read, write, execute, delete, or control access.

ACE: See access control entry.

ACL: See access control list.

ACL editor: An OpenVMS utility that helps users create and maintain access control lists. See also access control list.

alarm: See security alarm.

ALF file: See automatic login.

alphanumeric UIC: A format of a user identification code (UIC). The group and member names can each contain up to 31 alphanumeric characters, at least one of which is alphabetic. The other format of a UIC is numeric: it contains a group number and a member number. See also user identification code, numeric UIC.

attribute: In the security context, a characteristic of an identifier or the holder of an identifier. Attributes can enhance or limit the rights granted with an identifier; for example, a user holding an identifier with the Resource attribute can charge disk space to the identifier.

audit: See security audit.

auditing: Recording the occurrence of security-relevant events as they occur on the system and, later, examining system activity for possible security violations or improper use of the system. Security-relevant events include activities such as logins, break-ins, changes to the authorization database, and access to protected objects. Event messages can be sent as alarms to an operator terminal or written as audit records to a log file. See also security audit, security alarm.

audit trail: A pattern of security-relevant activity sometimes found in the audit log file. The audit log file maintains a record of security-relevant events, such as access attempts, successful or not, as required by the authorization database. See also security audit.

authentication: The act of establishing the identity of users when they start to use the system. OpenVMS systems (and most other commercial operating systems) use passwords as the primary authentication mechanism. See also password.

authorization database: A database that contains the security attributes of subjects and objects. From these attributes, the reference monitor determines what kind of access (if any) is authorized.

authorization file: See system user authorization file.

automatic login: A feature that permits users to log in without specifying a user name. The operating system associates the user name with the terminal (or terminal server port) and maintains these assignments in the file SYS$SYSTEM:SYSALF.DAT, referred to as the automatic login file or the ALF file.

breach: A break in the system security that results in access to system resources or objects in violation of the system's security policy.

break-in attempt: An effort made by an unauthorized source to gain access to the system. Because the first system access is achieved through logging in, intrusion attempts primarily refer to attempts to log in illegally. These attempts focus on supplying passwords for users known to have accounts on the system through informed guesses or other trial-and-error methods. See also evasive action.

C2 system: A U.S. government rating of the security of an operating system; it identifies an operating system as one that meets the criteria of a Division C, class 2 system.

capability: A resource to which the system controls access; currently, the only defined capability is the vector processor.

OpenVMS security policy protects vector processors from improper access. An operation can require use or control access.

captive account: A type of account that confines the user to the captive login command procedure. The use of Ctrl/Y is disabled. If errors in the captive command procedure cause the procedure to terminate and attempt to return the user to the DCL command level, the process is deleted. (This type of account is synonymous with a turnkey or tied account.)

common event flag cluster: A set of 32 event flags that enable cooperating processes to post event notifications to each other.

OpenVMS security policy protects common event flag clusters from improper access. An operation can require associate, delete, or control access.

control access: The right to modify an object's security profile. Control access is granted explicitly in an ACL and implicitly in a protection code. (All users qualifying for system or owner categories have control access.)

decryption: The process that restores encoded information to its original unencoded form. The information was encoded by using encryption.

Default attribute: An option added to an ACE that indicates the ACE is to be included in the ACL of any files created within a directory. When the entry is propagated, the Default attribute is removed from the ACE of the created file. An Identifier ACE with the Default attribute has no effect on access. See also access control entry, Identifier ACE.

device: A class of peripherals connected to a processor that are capable of receiving, storing, or transmitting data.

OpenVMS security policy protects devices from improper access. An operation can require read, write, physical, logical, or control access.

discretionary controls: Security controls that are applied at the user's option; that is, they are not required. Access control lists (ACLs) are typical of such optional security features. Discretionary controls are the opposite of mandatory controls.

disk scavenging: Any method of obtaining information from a disk that the owner intended to discard. The information, although no longer accessible to the original owner by normal means, retains a sufficient amount of its original magnetic encoding that it can be retrieved and used by one of the scavenging methods. See also erase-on-allocate, erase-on-delete, erasure pattern.

encryption: A process of encoding information so that its content is no longer immediately obvious to anyone who obtains a copy of it. The information is decoded using decryption.

environmental identifier: One of four classes of identifiers. Environmental identifiers are provided by the system to identify groups of users according to their usage of the system. Environmental identifiers correspond to login classes. For example, all users who access the system by dialing up receive the dialup identifier. See also identifier.

erase-on-allocate: A technique that applies an erasure pattern whenever a new area is allocated for a file's extent. The new area is erased with the erasure pattern so that subsequent attempts to read the area can yield only the erasure pattern and not some valuable remaining data. This technique is used to discourage disk scavenging. See also disk scavenging, erase-on-delete, erasure pattern, high-water marking.

erase-on-delete: A technique that applies an erasure pattern whenever a file is deleted or purged. This technique is used to discourage disk scavenging. See also disk scavenging, erase-on-allocate, erasure pattern.

erasure pattern: A character string that can be used to overwrite magnetic media for the purpose of erasing the information that was previously stored in that area.

evasive action: A responsive behavior performed by the operating system to discourage break-in attempts when they appear to be in progress. The operating system has a set of criteria it uses to detect that an intrusion attempt may be underway. Typically, once the operating system becomes suspicious that an unauthorized user is attempting to log in, the evasive action consists of locking out all login attempts by the offender for a limited period of time.

event classes: Categories of security-relevant events. The operating system audits several event classes by default, and the security administrator can enable additional ones, if desired.

event messages: In terms of security, any notification that has to do with a user's access to the system or to a protected object within the system. The operating system can record both successful and unsuccessful events so the security administrator can know when security-relevant activity occurs on the system.

facility identifier: An identifier whose binary value contains the facility code of the application defining the identifier. See also identifier.

file: A set of data elements arranged in a structure significant to the user. A file is any named, stored program or data, or both, to which the system has access. Access can be of two types: read-only, meaning the file is not to be altered, and read/write, meaning the contents of the file can be altered. See also volume.

OpenVMS security policy protects files from improper access. An operation can require read, write, execute, delete, or control access.

file encryption: See encryption.

general identifier: One of four possible types of identifiers that specify one or more groups of users. The general identifier is alphanumeric and typically is a convenient term that symbolizes the function of the group of users. For example, typical general identifiers might be PAYROLL for all users allowed to run payroll applications or RESERVATIONS for operators at the reservations desk. See also identifier.

global section: A shared memory area (for example, Fortran global common) potentially available to all processes in the system. A global section can provide access to a disk file (called a file-backed global section), provide access to dynamically created storage (called a page file-backed global section), or provide access to specific physical memory (called a page frame number [PFN] global section). See also group global section, system global section.

group: A set of users in a system. Any user whose group UIC is identical to the group UIC of the object qualifies for the access rights granted through a protection code. The group name appears as the first field of a user identification code (UIC): [group,member].

group global section: A shareable memory section potentially available to all processes in the same group.

OpenVMS security policy protects group global sections from improper access. Operations on file-backed sections require read, write, execute, delete, or control access. Operations on other types of sections require read, write, execute, or control access. See also global section, system global section.

group number: The number or its alphanumeric equivalent in the first field of a user identification code (UIC): [group,member].

Hidden attribute: An option added to an access control entry that indicates the ACE should be changed only by the application that adds it. Although the Hidden attribute is valid for any ACE type, its intended use is to hide Application ACEs. See also access control entry.

high-water mark: A mark identifying the highest file address written, beyond which the user cannot read.

high-water marking: A technique for discouraging disk scavenging. This technique tracks the furthest extent that the owner of a file has written into the file's allocated area (the high-water mark). It then prohibits any attempts at reading beyond the written area, on the premise that any information that exists beyond the currently written limit is information some user had intended to discard. The operating system accomplishes the goals of high-water marking with a combination of true high-water marking and an erase-on-allocate strategy. See also erase-on-allocate.

holder: A user who possesses a particular identifier. Users and the identifiers they hold are recorded in the rights database. Whenever an object requires an accessor to hold an identifier, the system checks the process rights list (which is built from the rights database) in processing the access request.

identifier: An alphanumeric string representing a user or group of users recorded in the rights database and used by the system in checking access requests. There are four types of identifiers: environmental, facility, general, and UIC. See also environmental identifier, facility identifier, general identifier, resource identifier, UIC identifier.

Identifier ACE: An access control entry that controls the type of access allowed to a particular user or group of users.

journal: Name of the auditing log file where the system records events with security implications, such as logins, break-ins, or changes to the authorization database.

locked password: A password that cannot be changed by the account's owner. Only system managers or users with the SYSPRV privilege can change locked passwords.

log: A record of performance or system-relevant events.

logical I/O access : Right to perform a set of I/O operations that allow restricted direct access to device-level I/O operations using logical block addresses.

logical name table: A shareable table of logical names and their equivalence names for the operating system or a particular group.

OpenVMS security policy protects logical name tables from improper access. An operation can require read, write, create, delete, or control access.

login: The series of actions involved in authenticating a user to the system and creating a process that runs on the user's behalf.

login class: A user's method of logging into the system. System managers can control system access based on the login class: local, dialup, remote, batch, or network.

mandatory controls: Security controls that are imposed by the system upon all users. There are no examples of mandatory controls within the OpenVMS system. Access controls on this operating system are optional (discretionary).

NETPROXY: See network proxy authorization file.

network proxy authorization file (NETPROXY.DAT or NET$PROXY.DAT [VAX only]): A file containing an entry for each user authorized to connect to the local system from a remote node in the network.

nondiscretionary controls: See mandatory controls.

nonprivileged: Describes a type of account with no privilege other than TMPMBX and NETMBX and a user identification code (UIC) greater than the system parameter MAXSYSGROUP.

Nopropagate attribute: An option added to an access control entry that indicates the ACE cannot be copied by operations that usually propagate ACEs, such as SET SECURITY/LIKE. See also access control entry.

numeric UIC: A format of a user identification code (UIC) that specifies the user's group and member number in numeric form. The group number is an octal number in the range of 1 through 37776; the member number is an octal number in the range of 0 through 177776.

object: A passive repository of information to which the system controls access. Access to an object implies access to the information it contains. See also capability, common event flag cluster, device, file, group global section, logical name table, queue, resource domain, security class, system global section, volume.

object class: A set of protected objects with common characteristics. For example, all files belong to the file class; whereas all devices belong to the device class.

object security profile: A set of security elements that defines access requirements. The elements include an owner (UIC), a UIC-based protection code, and, possibly, an ACL. See also access control list, owner, protection code.

open accounts: Accounts that do not require passwords.

operator terminal: A terminal attended by a system operator. The system can send system event messages to the terminal, provided the event class is enabled.

owner: A user with the same user identification code (UIC) as the protected object. An owner always has control access to the object and can therefore modify the object's security profile. When the operating system processes an access request from an owner, it considers the access rights in the owner field of a protection code.

password: A character string that users provide at login time to validate their identity and as a form of proof of their authorization to access the account. There are system passwords and user passwords. User passwords include both primary and secondary passwords. See also primary password, secondary password, system password, user password.

physical I/O access: The right to perform a set of I/O functions that allows access to all device-level I/O operations except maintenance mode using physical block addresses.

primary password: A type of user password that is the first user password requested from the user. Systems may optionally require a secondary password. A primary or a secondary password must be associated with the user name in the user authorization file. See also secondary password.

privileges: A means of protecting the use of certain system functions that can affect system resources and integrity. System managers grant privileges according to users' needs and deny them to users as a means of restricting their access to the system.

process security profile: The set of security elements the system assigns to a process at creation. Elements include the process UIC plus all of its identifiers and privileges. See also identifier, privileges, user identification code.

Protected attribute: An option added to an access control entry that indicates the ACE is protected against casual deletion. It can be deleted by using the ACL editor or by specifying the ACE explicitly when deleting it.

protected object: An object containing shareable information to which the system controls access. See also object.

protected subsystem: An application with enhanced access control. While users run the application, their process rights list contains identifiers giving them access to objects owned by the subsystem. As soon as the users exit the application, these identifiers and, therefore, access rights to objects are taken away.

protection: The attributes of an object that limit the type of access available to users. See also access control list, protection code, user identification code.

protection code: A code defining the type of access that users are allowed to objects, based on the user's relationship to the object's owner. The code defines four sets of users: those with system rights, those with ownership rights, those belonging to the same group, and all users on the system, who are called world users. See also group, owner, system, world.

proxy login: A type of login that permits a user from a remote node to effectively log in to a local node as if the user owned an account on the local node. However, the user does not specify a password in the access control string. The remote user may own the account or share the account with other users.

pseudodevice: An entity like a mailbox that is treated as an I/O device by the user or system, although it is not any particular physical device.

queue: A set of jobs to be processed. There are four types of execution queues: batch, terminal, server, and print.

OpenVMS security policy protects queues from improper access. An operation can require read, submit, manage, delete, or control access.

reference monitor: The control center within the operating system that authenticates subjects and implements and enforces the security policy for every access to an object by a subject.

Resource attribute: An option specified when an identifier is added to the rights database, and later when the identifier is granted to a user. When a user holds the identifier with the Resource attribute, that user can charge disk space to the identifier.

resource domain: A namespace controlling access to OpenVMS distributed lock management resources.

OpenVMS security policy protects resource domains from improper access. An operation can require read, write, lock, or control access.

resource identifier: An identifier with the Resource attribute. Thus, holders of the identifier can charge disk space to the identifier.

restricted account: A type of account with a secure login procedure. The user is not allowed to use the Ctrl/Y key sequence during the system or process login command procedure. Control may be turned over to the user following execution of the login command procedures.

rights database: The collection of data the system maintains and uses to define identifiers and associate identifiers with the holders of the identifiers.

rights identifier: See identifier.

rights list: The list associated with each process that includes all the identifiers the process holds.

RWED: The abbreviation for read, write, execute, delete, which are types of access to data files and directory files.

secondary password: A user password that may be required at login time immediately after the primary password has been submitted correctly. Primary and secondary passwords can be known by separate users to ensure that more than one user is present at the login. A less common use is to require a secondary password as a means of increasing the password length so that the total number of combinations of characters makes password guessing more time-consuming. See also primary password.

secure terminal server: Operating system software designed to ensure that users can log in only to terminals that are already logged out. When the user presses the Break key on a terminal, the secure server (if enabled) responds by first disconnecting any logged-in process and then initiating a login. If no process is logged in at the terminal, the login can proceed immediately.

security administrator: The person or persons responsible for implementing and maintaining the organization's security policy. This role is sometimes performed by the same person who functions as a system manager. It requires the same skills as the system manager as well as knowledge of the security features provided with the operating system.

security alarm: A message sent to an operator terminal that is enabled to receive messages pertaining to security events. Security alarms are triggered by the occurrence of an event previously designated as worthy of the alarm because of its security implications.

security audit: An auditing message written to the security audit log file. These messages report the occurrence of events with security implications, such as logins, break-ins, and changes to the authorization database. A system administrator uses the log file to examine system activity for possible security violations or improper use of the system.

security auditing: See auditing.

security class: The object class whose members are all object classes. Each member defines the object templates and management routines for its object class.

OpenVMS security policy protects security classes from improper access. An operation can require read, write, or control access.

security officer: See security administrator.

security operator terminal: A class of terminal that has been enabled to receive messages sent by OPCOM to security operators. These messages are security alarm messages. Normally such a terminal is a hardcopy terminal in a protected room. The output provides a log of security-related events and details that identify the source of the event.

security profile: A set of elements that describe either an object's access requirements or a subject's access rights. See also object security profile, process security profile.

social engineering: The act of gaining unauthorized access to or information about computer systems and resources by enlisting the aid of unwitting users or operators. Often involves impersonation or other fraud.

subject: A prinicpal, either a user process or an application, that accesses information or is prevented from accessing information. The operating system controls access to any object that contains shareable information. Therefore, subjects must be authorized to access objects. See also process security profile.

system: In the context of a protection code, identifies a set of users in a system. System users typically have a UIC is in the range 1 through 10 (octal); however, the exact range of a system UIC is determined by the system parameter MAXSYSGROUP. Other ways to become a system user include having SYSPRV privilege or being in the same group as the owner and holding GRPPRV. System operators and system managers are usually system users.

system-defined identifier: See environmental identifier.

system global section: A shareable memory section potentially available to all processes in the system.

OpenVMS security policy protects system global sections from improper access. Operations on file-backed sections require read, write, execute, delete, or control access. Operations on other types of sections require read, write, execute, or control access.