VAX/VMS SYSTEM AUDIT PROGRAM


The _EDP AUDITOR JOURNAL_ (Volume 1, 1993) addresses issues pertinent
to auditing VAX/VMS systems, and offers guidelines on how to conduct
such audits. The Journal is essentially dedicated to DEC and their
operating system, VMS.

Six feature articles in this issue of the Journal are as follows:
    (1) "Open VMS VAX Security Architecture" by Donald Holden
    (2) "Technical Implementation of VAX/VMS Security" by Ray Kaplan
        and Joe Kovara
    (3) "Good Security Practices in a VAX/VMS Environment" by Todd
        J. Whiting and Robert A. Clyde
    (4) "Auditing VAX/VMS Systems" by Joseph L. Oringel
    (5) "Security Considerations for Interconnected VAX/VMS Systems"
        by Ray Kaplan and Joe Kovara
    (6) "New Security Features in VAX/VMS V6.0" by Lawrence J. Kilgallen

The Journal also includes some war stories related to DECnet. A sample
audit program for VAX/VMS is included in this posting (see below) for
the benefit of those who might not have the Journal. Anyone is welcome
to improve this audit program for the benefit of all auditors concerned.

Hope this will help those gearing to perform VAX/VMS audits....

-- slemo warigon
   east texas state university

---------------------------------------------------------
VAX/VMS AUDIT PROGRAM   --  Prepared by Joseph L. Oringel
---------------------------------------------------------
This is a suggested outline for a review of VAX/VMS security. It
should be customized based on audit scope, objectives, and the
auditor's experience. Concepts outlined in this program can be expanded
upon using considerable detail to provide assistance for the less
experienced auditor. Individual with more experience in performing
system software reviews, particularly VAX/VMS architecture, should
find this outline sufficient to conduct interviews and construct
security recommendations.

I.   Determine Scope:
     A.  Change Management
     B.  Problem Management
     C.  Media Management
     D.  Job Scheduling
     E.  Application Systems
     F.  Overall Systems Security:
         1.  Strategy and system configuration
         2.  Telecommunications
         3.  Access Control Services
         4.  System Management Tools, and
         5.  Backup and Recovery Tools

II.  Establish Expectations:
     A.  Auditing against Company policy or strategy
     B.  Contractual requirements
     C.  Government regulations, and
     D.  Accepted good practices for the environment

III. Data Gathering:
     A.  Identify key personnel:
         1.  Management (CIO. CFO, security officer, IS manager,
             lead analyst)
         2.  Staff (programmer, analyst, security administrator,
             operator), and
         3.  Users (application users, data entry and supervisory)
     B.  Identify and gather required business reports:
         1.  Organization charts for the information systems department
         2.  Organization for security administration group
         3.  Job descriptions for IS and security personnel
         4.  IS policies, standards, and procedure documentation, and
         5.  Security administration policies, standards, and procedures
     C.  Identify and gather VAX/VMS System Reports:
         1.  User profile information from the User Authorization File
             (SYSUAF.DAT)
         2.  Network proxy information from the Network Proxy
             Authorization File (NETPROXY.DAT)
         3.  Access Control Lists from the rights database file
             (RIGHTSLIST.DAT)
         4.  Network Control Reports, showing network nodes, lines,
             circuits, and links
         5.  Selected audit options, from the VMS_AUDIT_SERVER
         6.  Selected startup and login files, and
         7.  Global options from VMSPARAMS.DAT, PARAMS.DAT, and other
             SYSGEN options

IV.  Review Security Policy/Strategy. Determine if:
     A.  Data is classified for security purposes
     B.  Responsibility for security administration is assigned
     C.  Procedures for security administration are clearly defined
     D.  Security reporting requirements are established, and
     E.  Programmer access restrictions are identified

V.   Plan interviews:
     A.  Identify required interview topics based on evaluation of
         policy and reports
     B.  Schedule interviews with key personnel, and
     C.  Prepare initial interview questions

VI.  Conduct interviews. Review and document controls for Strategy
     and System Configuration:
     A.  Obtain hardware descriptions and:
         1.  Identify communication links between VAX and non-VAX
             processors Document communication system, protocol, etc.
         2.  Identify VAX cluster configuration. Ensure clusters use
             a shared UAF, so users have assigned privileges only on
             authorized processors
         3.  Identify PC to VAX connections to determine if upload/
             download criteria are appropriate
         4.  Identify smart terminals and ensure programmable function
             keys are not used to store account names, passwords or
             other login data.
     B.  Obtain software descriptions and:
         1.  Ensure the same version of VMS is used for all processors
         2.  Ensure the VMS version used is current and still
             supported by DEC
         3.  Review VMS system software modifications for propriety
         4.  Review RWED access authority to system software libraries
             (recommended values are READ for selected tech support
             personnel and WRITE authority for a single account with
             dual password control)
         5.  Evaluate system software upgrade procedures, and
         6.  Evaluate bootstrapping procedures
     C.  Identify key application subsystems and:
         1.  Ensure application security uses VMS account security, or
             o  Provides other means for encrypted user passwords
             o  Provides other means for individual user accountability,
                and
             o  Adequately protects key application resources
         2.  Evaluate application security matrices

VII. Conduct Interviews. Review and document controls for
     telecommunications:
     A.  Review access to telephone lines:
         1.  Determine if phone number is known only to authorized users
         2.  Determine if appropriate security measures are enabled
             (dial-back, port passwords, modem passwords, channel
             selectors, etc.), and
         3.  Identify how and how often modem access logs are reviewed
     B.  Review users accounts of DECnet users:
         1.  Ensure all privileges except NETMBX and TMPMBX are removed
         2.  Review account names and ensure passwords options are
             appropriately set
         3.  Ensure WORLD access to the network database is set to NONE
         4.  Inquire regarding stored or embedded user account and
             password names, and
         5.  Review proxy accounts
     C.  Determine if proxy accounts are encouraged:
         1.  Determine if accuntability for proxy usage is maintained,
             and
         2.  Ensure proxy accounts have no excessive privileges

VIII.Conduct interviews. Review and document controls for Access Control
     Services:
     A.  Determine if a system password is used
     B.  Determine if a terminal timeout is used
     C.  Review access to DCL. Determine if:
         1.  Most users are CAPTIVE
         2.  System startup files contain no exits to DCL, and
         3.  Powerful DCL commands are appropriately restricted (by
             renaming, RWED, or ACL use)
     D.  Review account naming conventions and password option settings:
     E.  Ensure DEC supplied user accounts are disabled or removed
     F.  Review intruder detection (LGI_BRK and LGI_RETRY)
     G.  Review default file protection for new objects, and
     H.  Review assignment of powerful privileges

IX.  Conduct interviews. Review and document controls for System
     Management Tools:
     A.  Identify security logging and reporting mechanisms used
     B.  Perform selected review of ANALYZE/AUDIT results
     C.  Review VMS accounting rules (if used), and
     D.  Evaluate use of automated tools (Security Toolkit,
         DECinspect, etc)

X.   Conduct interviews. Review and document controls for Backup and
     Recovery Tools:
     A.  Evaluate and document backup/recovery procedures
     B.  Identify if VMS features are appropriately used:
         1.  Volume shadowing for key disk volumes
         2.  Roll-forward, roll-back procedures for on-line
             transactions (DECdtm)
         3.  RMS journalling of key files, and
         4.  High-water marking, erase-on-delete, etc.

XI.  Conclude and Report:
     A.  Develop draft report based on interview results
     B.  Confirm draft findings with field management, and
     C.  Deliver final report.