From: CRDGW2::CRDGW2::MRGATE::"SMTP::CRVAX.SRI.COM::RELAY-INFO-VAX" 24-MAR-1992 01:06:27.48
To: ARISIA::EVERHART
CC:
Subj: Security software evaluation - Summary

From: RELAY-INFO-VAX@CRVAX.SRI.COM@SMTP@CRDGW2
To: Everhart@Arisia@MRGATE
Received: by crdgw1.ge.com (5.57/GE 1.123) id AA27755; Tue, 24 Mar 92 00:22:20 EST
Received: From ucbvax.Berkeley.EDU ([128.32.133.1]) by CRVAX.SRI.COM with TCP; Mon, 23 MAR 92 21:15:04 PST
Received: by ucbvax.Berkeley.EDU (5.63/1.43) id AA17751; Mon, 23 Mar 92 21:09:46 -0800
Received: from USENET by ucbvax.Berkeley.EDU with netnews for info-vax@kl.sri.com (info-vax@kl.sri.com) (contact usenet@ucbvax.Berkeley.EDU if you have questions)
Date: 23 Mar 92 14:46:00 GMT
From: eagle!mars.lerc.nasa.gov!uugblum@ucbvax.Berkeley.EDU (Scientific VAXcluster Administrator)
Organization: NASA Lewis Research Center
Subject: Security software evaluation - Summary
Message-Id: <23MAR199210465719@mars.lerc.nasa.gov>
Sender: info-vax-request@kl.sri.com
To: info-vax@kl.sri.com

VAX/VMS Security Software

Computer system security awareness is an important issue at NASA. Over 2 years ago, all employees received computer security training, which proved to be a benefit when the Michelangelo virus was announced. The devastating effects of a virus were understood by the user community. Virus detection software was distributed and run on over 4000 PCs prior to the attack date.

Security training did increase my awareness of system security. In addition to the NASA training, I also attended a class on Unix security and completed the class with a severe case of security paranoia. Be glad you're working with VMS :-). Besides operating system software integrity, "Computer Security" also includes limiting physical access to the computer system, maintaining disk backups for file recovery, and preventing theft or disclosure of confidential information, none of which I'm going to discuss (Cheers from one of the reviewers!).
People who don't have a good understanding of security tend to ignore it. I remember getting a call from a user a few years ago who complained about changing his password. He said he really liked a computer system he used to work on because he could use "M" as the password and never had to change it. I laughed at that one for a while. After we upgraded to VMS 5.4, several users complained about not being able to reuse passwords. Well, maybe the security class should be held again...

Security guidelines are applicable to any operating system. For example, passwords should not be easy to guess and should be changed on a regular basis. Also, users should not share accounts. All of these items are covered in the Department of Defense Password Management Guideline "Green Book". Starting with VMS 5.4, new passwords are compared to a list of common or previously used words and are rejected if found.

The VMS operating system has a number of other features which can be configured to enforce system security. These include file and device protection, identifiers and ACLs, Sysgen parameters, the AUDIT_SERVER process, Accounting, etc. The VAX/VMS "Guide to VMS System Security", DEC Part # AA-LA40B-TE, shows how to configure these features. However, it doesn't discuss how to audit the system.

The ANALYZE/AUDIT utility, added in VMS 5.2, offers reports on selected information contained in the security audit file. This is the only utility specifically designed to produce security reports. However, login failure reporting is only a small part of system security. For example, it would be beneficial to produce a report showing all of the user accounts which have not been used in over a year. Additionally, a report containing all files on a disk which have world write access would be very useful. You can write DCL command procedures that parse and sort output from various VMS utilities to produce specialized reports. However, these take time to develop.
Third-party VMS security software packages provide an alternative to DCL command procedures. I was aware of several, but I didn't know which one was the best. What did they test? How did they work? Twice this year, I posted questions on USENET concerning VMS system security software and obtained very little response. Since no one confessed to comparing security software packages and I haven't run into anyone at the local VAXSIG who is using security software, I set out to do my own research. Demo software was obtained from Braintree, Demax, and Raxco in two days or less after I requested it. However, I had to visit the local DEC office in order to have a peek at DECinspect.

To aid in my product evaluation, I decided to create a product comparison report organized by the specific operating system items the software checked. This turned out to be quite difficult since each vendor has its own idea of what security items are important. Also, one product might provide a menu pick to produce a specific report, whereas another product may require selecting several options to generate a similar report.

Another major difference was the type of "baseline" report supported by the product. Braintree's Auditor Plus, Demax's SecureMAX, and Raxco's Security Toolkit allow you to produce ad-hoc reports. These products also include a Prior Period Comparison Baseline test. To obtain initial data, a snapshot of the current system is taken. This could include the contents of SYSUAF.DAT and RIGHTSLIST.DAT, and protection on devices, disk files, etc. Later, another snapshot is taken and compared against the first. Only the differences between the two are reported. A disadvantage to this process is that you have to interpret the report to determine if a security problem exists. In contrast to the three products mentioned above, DECinspect and Raxco's Baseline generate reports which only contain items that fail the security policy you have set.
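The two reporting models just described, as an added Python example that is not code from any of the products reviewed: a Prior Period Comparison that lists every change between two SYSUAF-style snapshots, beside a rule-based baseline that lists only the accounts failing a site policy. The account records, field names, dates and rules are constructed for illustration.

```python
from datetime import date

# Constructed SYSUAF-style records (sample data, not a real SYSUAF.DAT).
# Each carries the fields the checks below key on: UIC group, privileges,
# /PWDMINIMUM, /PWDLIFETIME in days (None = /NOPWDLIFETIME), last login
# date and account flags.
def acct(group, privs=(), pwdmin=8, life=90, last=None, flags=()):
    return {"uic_group": group, "privs": tuple(sorted(privs)),
            "pwdminimum": pwdmin, "pwdlifetime": life,
            "last_login": last, "flags": frozenset(flags)}

SNAPSHOT_JAN = {
    "SYSTEM": acct(1, privs=["SETPRV"], last=date(1992, 1, 2)),
    "FIELD":  acct(1, privs=["SETPRV"], last=date(1990, 3, 1), flags=["DISUSER"]),
    "SMITH":  acct(200, pwdmin=6, last=date(1991, 12, 20)),
    "JONES":  acct(200, life=None, last=date(1990, 11, 5)),
}
# Two months later: SMITH was granted SETPRV, a TEMP account appeared in a
# system UIC group, and JONES's missing password lifetime was corrected.
SNAPSHOT_MAR = dict(SNAPSHOT_JAN)
SNAPSHOT_MAR["SMITH"] = acct(200, privs=["SETPRV"], pwdmin=6, last=date(1992, 3, 10))
SNAPSHOT_MAR["TEMP"] = acct(5, last=date(1992, 3, 1))
SNAPSHOT_MAR["JONES"] = acct(200, life=90, last=date(1990, 11, 5))
TODAY = date(1992, 3, 23)  # constructed "run date" for the inactivity rule


def compare_snapshots(old, new):
    """Prior Period Comparison: list every difference between two snapshots.
    The reader must decide which changes are problems; JONES's fix and
    SMITH's new privilege look alike here."""
    diffs = []
    for name in sorted(old.keys() | new.keys()):
        if name not in old:
            diffs.append(f"ADDED   {name}")
        elif name not in new:
            diffs.append(f"REMOVED {name}")
        else:
            for field, before in old[name].items():
                after = new[name][field]
                if before != after:
                    diffs.append(f"CHANGED {name} {field}: {before} -> {after}")
    return diffs


def policy_baseline(snapshot, today, maxsysgroup=8, inactive_days=365):
    """Rule-based baseline: list only the accounts that fail a site rule.
    Rules are plain predicates, so a site can add or drop them freely."""
    rules = [
        ("PWDMINIMUM below 8",
         lambda a: a["pwdminimum"] < 8),
        ("no password lifetime (/NOPWDLIFETIME)",
         lambda a: a["pwdlifetime"] is None),
        (f"not used in {inactive_days} days and not DISUSERed",
         lambda a: "DISUSER" not in a["flags"] and a["last_login"] is not None
                   and (today - a["last_login"]).days > inactive_days),
        ("non-privileged account in a system UIC group (<= MAXSYSGROUP)",
         lambda a: not a["privs"] and a["uic_group"] <= maxsysgroup),
    ]
    failures = []
    for name, a in sorted(snapshot.items()):
        for text, violated in rules:
            if violated(a):
                failures.append(f"FAIL {name}: {text}")
    return failures


if __name__ == "__main__":
    print("--- prior period comparison (Jan vs Mar) ---")
    print("\n".join(compare_snapshots(SNAPSHOT_JAN, SNAPSHOT_MAR)))
    print("--- policy baseline (Mar) ---")
    print("\n".join(policy_baseline(SNAPSHOT_MAR, TODAY)))
```

The comparison report shows four changes and leaves the judgement to the reader; the policy report names three failing accounts and nothing else.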
DECinspect uses parameter-based comparison baseline testing, which allows the user to specify the comparison value of the parameter or disable the test. Raxco's Baseline uses rule-based comparison baseline testing, which provides more flexibility than parameter-based testing. Rules can be defined for almost any item which needs to be checked in order to satisfy the site's security standard. DECinspect is very easy to use and is intended for very large networks, but it is limited to checking items for which DEC provides tests.

At this time, I would like to make several disclaimers and notes. First, the purpose of this report is to point out security items which could be checked. I consider some security software reports less useful than others, but I left my personal preferences out of this report. I felt that each site has its own security requirements and that you should decide what is useful for your site. Also, since the security products are very similar, the user interface may turn out to be the deciding factor. In some cases, it was difficult to determine if a product supported a particular test. Thus, I relied on the vendor's support staff to provide this information. Also, I haven't double-checked this report, so there could be mistakes. Please keep in mind that new features could have been added since I wrote this report. If you need a particular feature, it is best to contact the vendor and find out if it will be available in the near future.

There were two features I was interested in which none of the products currently supported. All security products had an SMG or DECforms menu interface, but a DECwindows interface would make the menus easier to use. Also, none of the vendors has a similar package for Unix workstations that could be managed by the VAX/VMS security product.

After reviewing the security packages, one of the determinations I made was that I need two security products.
First, an ad-hoc reporting product is needed to generate any type of security report on demand. This is useful for initially setting up system protection and performing security maintenance. Second, I also require a set-and-forget baseline type product which will run periodically and report only those items which fail my security policy.

For additional information on security products, you might check Ray Kaplan's individual security product reviews in "Digital News". In a USENET posting he made on March 16, he mentioned a lengthy article in the next issue of "Info Security Products News", a free publication: ISPNews, 498 Concord Street, Framingham, MA 01701-2357, FAX (508) 872-1153.

Last but not least, I would like to thank the product support people at Braintree, DEC, Demax, and Raxco for the hours they spent on the phone answering questions about their packages.

Greg Blumers
Sverdrup Technology, Inc.
March 23, 1992


VAX/VMS Security Software Features

Key to codes
------------------------------------------------
Y = Implemented
y = Implemented by setting/selecting options
P = Partially implemented
B = Implemented in the Baseline report
b = Implemented in the Baseline report by setting/selecting options
N = Not implemented
O = Capability is available in optional software

v--------------- Raxco Security Toolkit V3.1
v v------------ Braintree Auditor Plus V1.2
v v v--------- Demax SecureMax 4.0e
v v v v------ DECinspect V2.1
v v v v v--- Raxco Baseline V2.0

GENERAL INFORMATION
Y Y Y Y Y - Menu driven.
Y Y Y Y Y - Menu context sensitive help.
Y N Y P Y - Command interface.
Y N Y Y Y - Online help library.
y N Y N N - Report generated by menu displays the DCL command.
Y Y N N N - Batch command procedures can be created from menu.
N Y Y N b - Print results of the last report run.
N Y N N N - Display last report runtime statistics.
Y Y Y O B - Supports query of remote nodes.
N y N N N - Single status report for entire VAXcluster.
N Y O O N - Single status report for several network nodes.
N N N O N - Multi-level consolidated reporting. Token passed to next level node.
N N N B B - Report from remote node contains pass/fail information.
Y Y Y B b - Report on remote node contains detailed information.
N N N O N - Security manager information is available to the central reporting node.
N N N B B - Several baseline reports can be defined.
N B N B B - Baseline tests can be enabled or disabled.
N p N p B - User designed baseline tests are supported.
N B N B B - Baseline parameters can be changed.
N N N B N - Scheduled baseline inspections are not started immediately when a system is booted.
N N N N Y - Baseline test is guaranteed to be run at regular intervals.
N y O N N - Automatic actions based on baseline/comparison reports.
N N N B B - Create corrective action procedure based on security audit. Action items must be reviewed/approved before being executed.
N Y O N N - User defined action routines are supported.
N Y N N N - Security software uses encrypted password.
N Y N N N - Passive/Active/Group Security access.
O Y N N O - Terminal is locked after a set period of inactivity.
N Y N N N - Batch procedure files are protected against change.
N P Y P N - Baseline files are protected against change.
O Y N N O - Terminal lock program.
N Y N N N - Provides restricted SYSUAF access to user group managers.
Y y Y N B - SYSUAF data cached
Y N Y N B - RIGHTSLIST data cached
Y N Y N B - NETPROXY data cached
Y Y Y N B - Output file name can be specified.
y Y y B B - Report can be mailed.

SYSUAF.DAT - Security Audits
Y Y P B B - All reports have base values which can be changed.
Y Y N B B - Complex reporting (keying on two SYSUAF parameters).
YB Y YB N N - SYSUAF changes
N Y Y B b - Compare default account settings (access, priv, proxy) to other account(s).
Y Y N N B - SYSUAF flags (Selective)
N N YB N N - SYSUAF flags (Non-Selective)
Y N N N N - SYSUAF flag summary by privilege class
Y B Y B N - Check for duplicate UICs.
Y N N N N - Duplicate UIC summary report by privilege class.
y N y B b - Check that non-privileged accounts have UICs > MAXSYSGROUP
Y N N B N - Check that privileged users don't share UIC groups with non-privileged users.
Y Y PB N b - System access (Interactive, batch, etc. & times)
Y YB YB N b - Login failures
Y Y YB N b - Captive/Restrictive accounts (Captive/Restrictive flags)
Y Y YB N b - Disabled accounts (Disuser flag)
Y Y YB N b - Account expiration
N B N N N - Report shared user directories.
y B Y B N - Check existence and ownership of privileged user directories.
Y B Y N N - Check existence and ownership of user directories.

SYSUAF.DAT - Password Checking
N N Y N N - Password Summary Report
Y Y YB B b - Minimum password length (/PWDMINIMUM)
Y Y YB B b - Password lifetime (/PWDLIFETIME)
Y Y YB N b - Accounts which must use generated passwords (GENPWD flag)
Y Y YB N b - Accounts which cannot change their password (LOCKPWD flag)
Y Y Y N b - Accounts not forced to change password (DISFORCE_PWD_CHANGE)
Y Y YB N b - Accounts which must use secondary passwords (/PASSWORD)
Y N Y N N - Accounts with pre-expired passwords (/PWDEXPIRE)
Y N Y N b - Accounts with old passwords (Based on password change date)
Y Y Y N b - Accounts with expired passwords (PWD_EXPIRED flag)
Y Y Y B b - Accounts with history-based password filter disabled (DISPWDHIS).
Y Y Y B b - Accounts with dictionary password filter disabled (DISPWDDIC).
Y N Y N N - Accounts which have an alternate Hash algorithm (/ALGORITHM)
YB Y YB N N - Accounts with no password (SYSALF file).
Y B Y N B - Check passwords against guessable passwords
Y Y Y N N - Compare passwords against user defined password list
N Y N N N - Compare passwords against DEC password dictionary
y B y N b - Check passwords for standard VMS accounts (SYSTEM, FIELD, etc.)
Y y Y N N - Accounts with pre-expired secondary passwords (/PWDEXPIRE)
Y b Y N b - Check secondary passwords against guessable passwords
Y y Y N N - Compare secondary passwords against user defined password list
N y N N N - Compare secondary passwords against DEC password dictionary

SYSUAF.DAT - Privileges
Y B YB N N - Privilege summary report
Y Y N N b - Privileges granted to users (And)
Y Y Y N b - Privileges granted to users (Or)
Y N y N b - Privileges not granted to users

SYSUAF.DAT - Other
Y N Y N N - User account overview (totals)
Y Y Y N N - User account summary (similar AUTH SHOW/BRIEF)
Y N N N N - System access summary by privilege class
N Y NB N b - Base priority.
N N N N b - Queue priority (QUEPRIO is not currently used).
N Y NB N b - Process quotas.
Y Y Y B b - Accounts never used.
Y Y Y B b - Inactive accounts (last login date).
y y y B b - Inactive system support accounts (last login date).
N B NB N b - Accounts which have CLITABLES set to a value other than DCL
N B N N b - Accounts with unlimited CPU time
N B NB N b - Check LGICMD value

SYSUAF.DAT - Special reports
Y Y N N N - Login failure report based on accounting data

RIGHTSLIST.DAT AUDITS
YB Y yB N N - RIGHTSLIST changes
Y N Y N N - Identifier summary report (Holders not displayed).
Y Y Y N N - Holder of an identifier.
Y Y Y N b - Identifiers held by a user.
Y B N N N - Ungranted identifiers.
N B N N b - Users which do not have a valid identifier.
Y N N N B - System identifier integrity check (INTERACTIVE, BATCH, etc.)

VMSMAIL_PROFILE.DATA AUDITS
N B N N N - Check VMSMAIL entries if mail forwarding is defined.

DISK AUDITS
Y B YB N b - Check ownership and protection of selected disks.
N Y N N N - Disk quota audit
N Y N N N - Disk scavenge for access control strings
Y Y O N N - Volume directory tree
Y N O N N - Volume file statistics (# have ACLs, # not-owned by parent dir)

FILE AUDITS
Y Y Y N b - Files which match specified UIC mask. Selection and negation, full or partial mask match supported.
N Y Y N b - Files which can be accessed by a specific user(s).
N Y N N N - Files owned by privileged user.
Y Y YB N N - Files owned by a different identifier than the directory owner.
N N Y N N - Files owned by a different identifier than the directory owner, files with an ACL, or files with different protection.
Y Y Y N N - Files owned by an undefined identifier (orphaned file).
N N Y N N - Files with a specific protection and/or identifier ACL(s).
N N Y N b - Files with/without an ACL which is on a specified file.
YB B Y N b - Check ownership and protection of selected files.
y y YB N b - Protection of all directory files on a disk.
Y Y Y N N - Find all users that have access to a specified file(s). UIC mask is compared.
N Y y N N - Find all users that have access to a specified file(s). UIC mask and ACE identifiers are compared.
N Y Y N N - File access summary. # users which can/can't access file(s).
Y y y N N - Files which have poor protection against privileged users.
Y y y N N - Files which have poor protection against users in the same UIC group.
Y y y N N - Files which have poor protection against any user.
y y Y N b - Check for wormholes, directories & files with world write access
Y y Y B N - Check privileged account's LOGIN.COM for access by non-priv user.
y y Y B b - Examine user directory files, *.COM, and *.EXE files for files with world write.
Y yB Y B b - Report all VMS system files [SYS*...] which have poor protection and wrong ownership.
y y y B B - Check specific system files in SYS$MANAGER and SYS$SYSTEM for world access.
N N Y N N - Experiment with device/file protection. Report users which can access a file.

FILE AUDITS (Continued)
YB Y YB N N - Files with an ACL.
Y Y Y N N - Files with a specific ACE identifier.
Y B Y N N - Files with ACLs with an invalid ACE.
N N Y N N - Files with ACL but no wildcard (catchall) ACE.
Y N N N N - Files with/without a wildcard (catchall) ACE.
Y N N N N - Files starting/not starting with a specific ACL.
Y N N N N - Files containing/not containing a specific ACL.
Y N N N N - Files ending/not ending with a specific ACL.
y Y Y N N - Files with a wildcard (catchall) ACE which is not the last ACL.
Y Y Y N N - Files with Alarm ACL.
Y N Y N N - Files with an Application ACE.
y Y y N N - Files granted/revoked access via system identifiers ACEs (Interactive, batch, etc.)
Y N Y N N - Directory files with default ACEs.
N Y N N N - Set ACLs on all files on volume/directory to be the same.
N YB N N N - Create a command procedure to restore ACLs to previous value.
Y Y N N N - Files marked nobackup.
N Y N N N - Files marked erase on delete.
N Y N N N - Expired files.
N Y N N N - Old files (over x days old)
N Y N N N - New files (less than x days old)
Y Y Y N N - Aliased files (multiple entries)
N Y N N N - Hidden executables (images which don't have .EXE)
YB y B N N - Recently deleted directory files
YB Y N N N - Recently deleted files
N YB B N N - Checksum of images
B N B N N - CRC of files
Y B N N N - Hidden directory files.
N B N N N - Check for hidden SYSUAF.DAT file.
N B N N N - Check for SYSUAF and RIGHTSLIST listing files.
N N N B b - Check for alarm ACE on the system accounting file.
N N N B b - Check for alarm ACE on all system mail directories.
N N N B b - Check for alarm ACE on the operator log file.
N N N B b - Check for alarm ACE on the RIGHTSLIST.DAT file.
N N N B b - Check for alarm ACE on the SYSUAF.DAT file.
N N N B b - Check for alarm ACE on the SYSUAF.LIS file.
N N N B b - Check for alarm ACE on the NETPROXY.DAT file.

SYSTEM PARAMETERS
YB YB YB B B - Check LGI_ security Sysgen parameters.
YB N YB P b - Check other security related Sysgen parameters.
Y YB YB B B - Security auditing features which are enabled.
N B Y B b - Check that the AUDIT SERVER process is running.
y y N B N - Check for breakin attempts.
y y N B N - Check for login failures.
y y N B N - Check for unsuccessful attempts to access files.
N y Y B N - Check length of password history file.
N y Y B N - Check password history file lifetime parameter.
Y y N N N - Run ANALYZE/AUDIT
Y YB Y B B - VMS accounting parameters enabled
N YB N N N - Images installed with image accounting.
N YB YB N N - Images installed with privilege.
Y N N N N - Run ACCOUNTING
Y Y Y N N - Queue and device summary report (SHOW QUEUE/FULL owner/prot)
N Y N N N - Users which have access to queues or devices
Y B YB N B - Check batch queue protection
Y B YB N B - Check print queue protection
Y b YB N b - Check terminal protection
Y b YB N b - Check other device protection
N b N B B - Check that the OPCOM process is running.
N b YB N N - System logicals
Y B N N N - Check system file logicals (SYSUAF, RIGHTSLIST, etc.)
N YB N N N - Global sections

NETWORK PARAMETERS
Y Y YB B B - Executor characteristics.
Y YB YB B N - Known DECnet nodes.
Y Y YB B B - Known DECnet objects.
Y YB N N N - Known circuits.
Y YB N N N - Known lines.
YB YB YB N N - Proxy entries.
y YB N B N - Check that privileged accounts do not have proxy access.
N Y N B b - DECnet account parameters.
y YB N b b - Inhibit DECnet from being used as non-privileged userid.
N PB N B b - Network object account parameters.
N YB N N N - LAT ports and services.
Y YB N N N - Packetnet System Interface (PSI).

SECURITY AUDIT MONITOR
N Y N N N - Report security events on a regular basis. (Uses mailbox to AUDIT$SERVER process)
N Y N N N - Take action on security alarms as they occur. Limited to predefined actions.


Evaluation Notes
--------------------------------------------------------------------------------
BrainTree Auditor Plus V1.2

- Auditor Plus includes three notable programs which the other vendors don't include.
  1) A keyboard lock program. This can be invoked by command and is also used by Auditor Plus to lock the keyboard after 5 minutes of inactivity.
  2) A program which provides decentralized SYSUAF administration.
  3) A detached process which summarizes selected security events on a regular basis and mails a report if any events are found.
- The arrow keys can't be used to move the cursor in all menus. I used the arrow keys in the main menu, which caused the program to lock up and the terminal to continuously beep with no way to abort the program.
  The support person said the problem would be corrected.
--------------------------------------------------------------------------------
RAXCO/CLYDE Security Toolkit V3.1

- The optional BASELINE software product provides additional baseline auditing capability.
- The optional KBLOCK software product allows users to lock keyboards.
- "HELP and how to get it" from the Main Menu does not display a list of valid subtopics.
--------------------------------------------------------------------------------
DEMAX SecureMAX V4.0e

- The optional SYSTEM DETECTIVE AO software product provides additional security features.
- The optional PAKMANAGER software product provides additional file management features.
- Context sensitive help available from the menu interface scrolled off the screen. Other products presented a page of information at a time.
- It was hard to find information in the manual for menu selections.
--------------------------------------------------------------------------------
DECinspect V2.1

- DECinspect requires a DECforms Runtime license.
- The optional DECsrf software product offers additional reporting capability, including the ability to collect and analyze remote nodes. DECsrf requires a RALLY runtime license ($$$$).
- The optional DECdetect software product offers checksum file checking.
--------------------------------------------------------------------------------

The opinions expressed are my own, and not those of my employer.

Greg Blumers
Sverdrup Technology, Inc.
VAXcluster Administrator
c/o NASA Lewis Research Center
(216)433-6777 or FTS 297-6777
Mail Stop 142-2
21000 Brookpark Road
Cleveland, OH 44135
uugblum@scivax.lerc.nasa.gov
--------------------------------------------------------------------------------