[Search for users] [Overall Top Noters] [List of all Conferences] [Download this site]

Conference iamok::inspect_srf

Title:DECinspect CM, SRF, and Corporate Implementation
Notice:For FAQ see note 4.*; For CM kits see note 3.*
Moderator:KIMBLE::TMULLIGAN
Created:Thu Sep 27 1990
Last Modified:Mon May 26 1997
Last Successful Update:Fri Jun 06 1997
Number of topics:1699
Total number of notes:8580

1698.0. "PSCM for Unix - Internal Information" by POWDML::WHEELER (Chickens have no bums) Tue May 13 1997 12:45

                         Digital Internal Use Only
                            96_RI_release_notes

---------------------------------------------------------------------------
This file 96_RI_release_notes and associated files can be obtained via
anonymous ftp and DECnet copy from one of the repositories listed below.

POLYCENTER Security Compliance Manager V2.4 (PSCM V2.4) is not supported 
on Digital Unix V4.  If you're running this version, you must install 
PSCM V2.5 and import either 96_RI_osf.tar.Z (non critical systems) or 
critical_96_RI_osf.tar (critical systems).

PSCM V2.5 can be used on Unix V3.x as well as on Unix V4. If you're running
PSCM V2.4 (Unix V3.x) you must import either 95_RI_osf.tar.Z (non critical
systems) or critical_95_RI_osf.tar.Z (critical systems)

There is no difference in functionality between all these inspectors:

The following have a 28 days schedule interval

   * 95_RI_osf.tar.Z supports only PSCM V2.4
   * 96_RI_osf.tar.Z supports only PSCM V2.5

The following have a 14 days schedule interval

   * critical_95_RI_osf.tar.Z supports only PSCM V2.4
   * critical_96_RI_osf.tar.Z supports only PSCM V2.5

PFILE-IDs:

   * critical_95_RI_mips.tar.Z 009922b196b91c80ea
   * critical_95_RI_osf.tar.Z 00992e89856339004d (PSCM V2.4)
   * critical_96_RI_osf.tar.Z 009a4e364ec25480e0 (PSCM V2.5)
   * 95_RI_mips.tar.Z 0099233015549f004f
   * 95_RI_osf.tar.Z 00992e8740d69e0094 (PSCM V2.4)
   * 96_RI_osf.tar.Z 009a4e346698d90029 (PSCM V2.5)

---------------------------------------------------------------------------
Repositories:
 AMERICAS:
 =========
   Anonymous FTP from esrsrf.das.dec.com in directory /unix/v2_5_alpha

	PSCM/Unix (2.5)		inspect250-alpha.tar.Z (mandatory for Unix V4)
        RI release notes        96_RI_release_notes
        RI critical OSF         critical_96_RI_osf.tar.Z
        RI OSF                  96_RI_osf.tar.Z
        PSCM release notes      release_notes.txt
        Pak PSCM Ultrix         cm_pak_dec_internal.sh

   Anonymous FTP from esrsrf.das.dec.com in directory /unix/v2_4_alpha

	PSCM/Unix OSF (2.4)	inspect_alpha.tar.Z
        RI critical OSF         critical_95_RI_osf.tar.Z
        RI OSF                  95_RI_osf.tar.Z
        Pak PSCM Ultrix         cm_pak_dec_internal.sh

   Anonymous FTP from esrsrf.das.dec.com in directory /unix/v2_4_risc

	PSCM/Unix Risc (2.4)	inspect-risc.tar.Z 
        RI critical Risc        critical_95_RI_mips.tar.Z
        RI Risc                 95_RI_mips.tar.Z
        Pak PSCM Ultrix         cm_pak_dec_internal.sh

   Anonymous FTP from esrsrf.das.dec.com in directory /unix/v2_4_vax

	PSCM/Unix Vax (2.4)	inspect-vax.tar.Z 
        RI critical OSF         critical_96_RI_vax.tar.Z
        RI OSF                  96_RI_vax.tar.Z
        Pak PSCM Ultrix         cm_pak_dec_internal.sh

   Anonymous FTP from esrsrf.das.dec.com in directory /unix

        Patch Dnet Ph V VAX     dnet_spawner_ultrix_vax
        Patch Dnet Ph V Risc    dnet_spawner_ultrix
        Patch Dnet Ph V OSF     dnet_spawner_osf1 (applies to PSCM 2.4)
        Patch Dnet Ph V source  dnet_spawner_ultrix_vax.c
        Patch PSCM OSF V3.* doc cm_osf_v3_patch.README (applies to PSCM 2.4)
        Patch PSCM OSF V3.*     cm_osf_v3_patch (applies to PSCM 2.4)
        RI release notes        96_RI_release_notes
        Example ftpusers        95_ftpusers
        PSCM User's guide       unix-user-guide.ps
        PSCM release notes (ps) release_notes.ps
        PSCM release notes      release_notes.txt
        PSCM Install guide (ps) osf_ultrix_inst_guide.ps
        PSCM Install guide      osf_ultrix_inst_guide.txt


 EUROPE:
 =======
   Anonymous FTP from tokens.reo.dec.com in directory /inspect/kit/unix

        RI Risc V2.4                95_ri_mips.tar_z
        RI OSF V2.4                 95_ri_osf.tar_z
        RI Vax V2.4                 ri_vax_v24.tar_z
        RI OSF V2.5                 96_ri_osf.tar_z
        RI (v2.4) release notes     95_ri_release_notes.
        RI (v2.5) release notes     96_ri_release_notes.
        Patch PSCM OSF V3.*         cm_osf_v3_patch.
        Patch PSCM OSF V3.* doc     cm_osf_v3_patch.readme
        Pak PSCM Ultrix             cm_pak_dec_internal.sh
        Pak PSCM OSF                pak_osf_cm_dec_internal.sh
        RI critical Risc V2.4       critical_95_ri_mips.tar_z
        RI critical OSF  V2.4       critical_95_ri_osf.tar_z
        RI critical V2.5            critical_96_ri_osf.tar_z
        Patch Dnet Ph V VAX         dnet_spawner_ultrix_vax
        Patch Dnet Ph V Risc        dnet_spawner_ultrix
        Patch Dnet Ph V OSF         dnet_spawner_osf1 (applies to PSCM 2.4)
        Patch Dnet Ph V source      dnet_spawner_ultrix_vax.c
	PSCM/Unix OSF (2.4)	    inspect240-alpha.tar_z
	PSCM/Unix Risc (2.4)	    inspect240-mips.tar_z
	PSCM/Unix Vax (2.4)	    inspect240-vax.tar_z
	PSCM/Unix (2.5)		    inspect250-alpha.tar_z
        PSCM Install guide (ps)     osf_ultrix_inst_guide.ps
        PSCM Install guide          osf_ultrix_inst_guide.txt
        PSCM release notes (ps)     release_notes.ps
        PSCM release notes          release_notes.txt
	PSCM User's Guide           unix-user-guide.ps
                                            
 ASIA/PACIFIC:
 =============
   DECnet: SNOFS1::IT$SECURITY:[KIT.INSPECT024]

        PSCM/Ultrix Vax         INSPECT240-VAX.TAR_Z
        PSCM/Ultrix Risc        INSPECT240-RISC.TAR_Z
        PSCM/OSF (V2.4)         INSPECT240-ALPHA.TAR_Z
        RI critical Risc        CRITICAL_95_RI_MIPS.TAR_Z
        RI critical OSF         CRITICAL_96_RI_OSF.TAR_Z
        RI Risc                 95_RI_MIPS.TAR_Z
        RI OSF                  96_RI_OSF.TAR_Z
        Pak PSCM Ultrix         PAK_ULTRIX_CM_DEC_INTERNAL.
        Pak PSCM OSF            PAK_OSF_CM_DEC_INTERNAL.
        PSCM User's guide       UNIX-USER-GUIDE.PS
        PSCM release notes      RELEASE_NOTES.TXT
        PSCM Install guide      OSF_ULTRIX_INST_GUIDE.TXT

   DECnet: SNOFS1::IT$SECURITY:[KIT.UNIX_V25]  (For Unix V4.)

        PSCM/OSF                INSPECT250-ALPHA.TAR_Z
        PSCM release notes      RELEASE_NOTES.TXT
        RI release notes        96_RI_RELEASE_NOTES.
        RI OSF                  96_RI_OSF.TAR_Z
        RI critical OSF         CRITICAL_96_RI_OSF.TAR_Z

---------------------------------------------------------------------------
Picking the right "Required Inspector" to load

For critical Ultrix/RISC nodes (PSCM 2.4) load this Required Inspector
	ftp> get (in binary) critical_95_RI_mips.tar.Z 

For other Ultrix/RISC nodes (PSCM 2.4) load this Required Inspector
	ftp> get (in binary) 95_RI_mips.tar.Z 

For critical OSF nodes (PSCM 2.4) load this Required Inspector
	ftp> get (in binary) critical_95_RI_osf.tar.Z 

For other OSF nodes (PSCM 2.4) load this Required Inspector
	ftp> get (in binary) 95_RI_osf.tar.Z 

For critical OSF nodes (PSCM 2.5) load this Required Inspector
	ftp> get (in binary) critical_96_RI_osf.tar.Z 

For other OSF nodes (PSCM 2.5) load this Required Inspector
	ftp> get (in binary) 96_RI_osf.tar.Z 

You may also use Decnet to copy the file appropriate for your system:
	dcp -iv NODE::"DEVICE:[DIRECTORY]95_RI_xxx.TAR_Z" 
or 	dcp -iv NODE::"DEVICE:[DIRECTORY]CRITICAL_95_RI_xxx.TAR_Z" 

DO NOT uncompress these files

---------------------------------------------------------------------------
Instructions for loading the new "Required Inspector"

This inspector will address only Ultrix and Digital Unix (no support for
HP, SunOS Solaris...)

It has 85 tests collections, some of which are disabled intentionally as not
being implemented on the platform you're working on.

It will implement Corporate Security Standard 211.02 revision 3.0 dated 
Apr 21st 1995.

Install the required inspector on a machine already running PSCM V2.4. (2.5 if
Unix)

To install, logged in as superuser, enter inspectsetup and choose option i
give the full pathname for the RI

DO NOT RECALCULATE THE CRCs

This should create for you an inspector named "Required Inspector"
scheduled to start the day following your installation at 2AM. The
rescheduling period is 14 days for critical nodes and 28 days for other
nodes

There is currently no RI for Ultrix/VAX

It is expected that you will be able to get full compliance and the
lockdown should be able to help you in getting this compliance.

---------------------------------------------------------------------------
Known Compliance Issues: (20 Jun 95)

   * Rescheduling the RI in the future, will change the PFILE-ID making
     your token invalid.
   * Changing anything to the RI (but the distribution list) will change
     the PFILE-ID making your token invalid.
   * PCSA uses SUID and SGID bits to emulate DOS attributes. Test related
     to SUID might issue warnings.
   * /etc/hosts format must be in the form (as specified in the manpages)
     Internet_address fully_qualified_hostname [aliases]
   * guest home directory must not be writeable
   * ftp home directory must not be writeable
   * As a courtesy to system managers, this directory contains a file named
     95_ftpusers, which may be copied to /etc/ftpusers in order to pass
     this test (test 64).
   * On OSF no test on Decnet proxies: Decnet proxies have to be checked
     manually
   * On OSF no test on audit settings: audit settings have to be checked
     manually.
   * User's Umask test has been made recommended to avoid a constant
     failure on most nodes (lockdown must be done manually).
   * The standard recommends the suppression of the x permission on
     .profile, .cshrc, .login. This looks strange but it will work without
     the x permission.
   * /.rhosts is checked twice once to request permission 600, once to
     recommend to delete this file. These recommendation seem conflicting
     and should be interpreted as follow: it is recommended not to have
     /.rhost however if absolutely necessary then its permission should be
     600.
   * Buffered/unbuffered disks permission required being 640, the floppy
     (if any) will not be writeable by others.

UNRESOLVED ISSUES

   * When testing for unusable shell, only one possibility (/bin/false)
     there is unfortunately no way to accept also /bin/date, /bin/true ...
   * When looking for entries in /etc/ttys (Ultrix) or
     /etc/securettys(OSF), PSCM looks for an exact match. If there is a
     comment on the line, the test will fail
   * rexecd is recommended to be absent from /etc/inetd.conf while there is
     no recommendation on rshd - /etc/gettytab check is case sensitive when
     searching for "Unauthori[sz]ed..."
   * If home directories for some accounts are missing inspect will issue a
     warning
   * Group mem: On some OSF installations, group mem doesn't exist. the
     inspector will check for mem or kmem
   * Subsystem "Workstations", test collection "secure flag", if the test
     fails, the lockdown doesn't generate any entry even the echo "must
     lockdown manually" RI vs

STANDARD main discrepancies:

Some inconsistencies have been detected in the current version of the
standard about file ownership and group. These are not mentioned here.

Where Standard requirements cannot be completely achieved, the severity has
been set to "Recommended" in order to deliver a clean token, while keeping
the warning in the report.

The following are files for which the permission is different in the RI and
in the standard.

   * RI more stringent than the standard

/dev/MAKEDEV , Standard requires 744, RI requires 740 Buffered/unbuffered
disks , standard requires 666, RI requires 640

/etc/license , Standard requires 754, RI requires 750

   * RI less stringent than the standard

/etc/crontab , Standard requires 600, RI requires 640

/etc/rc.local , Standard requires 700, RI requires 740

/sbin/rc*.d , Standard requires 740, RI requires 750

   * RI tests not included in the standard

Permission and ownership of files in table 12-4

Accounts adm auth cron lp tcb

presence of /.forward file (root mails are recommended to be forwarded)

BUGS corrected

This new Required Inspector implements a new version of the standard. It is
expected that the system manager will have none of the problems encountered
with the previous versions.

---------------------------------------------------------------------------
Pointers for more information:

See IAMOK::INSPECT_SRF, especially the note 4 (Frequently Asked Questions)

See the IT Security web page at WWW-IS-SECURITY.MSO.DEC.COM


---------------------------------------------------------------------------
Token bit_Nr / test_Nr correspondance:

Subsystem "File and Directories"

t01 "device Special Files"
t02 "Memory Files"
t03 "Supported Shells File"
t04 "Log and Accounting File"
t05 "Group File"
t06 "Network Related Files"
t06 "Crash Dump Files"
t08 "Downline and Upline Load Files"
t09 "Configuration File"
t10 "Software Subsets"
t11 "File System Table"
t12 "Terminal Files"
t13 "Scheduled Administrative Cmds"
t14 "System Startup Cmd Scripts"
t15 "User Account Files"
t16 "Miscellaneous etc Files"
t17 "Miscellaneous System Files"
t18 "Commands"
t19 "System Directories"
t20 "World-Writable Directories"
t21 "SUID and SGID Programs"
t22 "User Environment Files"
t23 "root Environment Files"
t24 "Home Directories"
t25 "Mail ULTRIX 4.1"
t26 "Mail Aliases"

Subsystem "Shell Variables"

t27 "Current directory in root PATH"

Subsystem "Accounts"

t28 "Inactive Accounts"
t29 "Editing the passwd file"
t30 "User"
t31 "adm"
t32 "auth"
t33 "bin"
t34 "cron"
t35 "daemon"
t36 "field"
t37 "ftp"
t38 "guest"
t39 "ingres"
t40 "lp"
t41 "nfs"
t42 "news"
t43 "nobody"
t44 "nobodyV"
t45 "pcguest"
t46 "ris"
t47 "root"
t48 "sccs"
t49 "sys"
t50 "tcb"
t51 "uucp"
t52 "uucpa"

Subsystem "Passwords"

t53 "Password Selection"
t54 "Password Controls"

Subsystem "Dialup and LAT Access"

t55 "Dialup Access"

Subsystem "DECnet"

t56 "Protecting DECnet Objects"
t57 "guest dirs NOT symbolic link"
t58 "Protection for chroot fal Files"
t59 "DECnet Proxies"

Subsystem "TCP_IP"

t60 "etc hosts.equiv File"
t61 ".rhosts Files"
t62 "hosts file format"
t63 "Anonymous ftp"
t64 "Unauthorized ftp users"
t65 "Disable tftp"
t66 "Disable rexecd"

Subsystem "Network File System"

t67 "Exporting NFS Filesystems"
t68 "Importing NFS Filesystems"

Subsystem "UUCP"

t69 "UUCP Accounts"
t70 "File Access Control"
t71 "Remote Command Execution Access"
t72 "Callback"
t73 "Default USERFILE Entries"
t74 "Protection for UUCP files"

Subsystem "Auditing"

t75 "File Access Failures"
t76 "Login Failures"
t77 "Changes to User Authorizations"
t78 "Changes to Auditing"
t79 "Start Auditing"
t80 "Protection for Auditing files"

Subsystem "Workstations"

t81 "Remote Access to Workstations"
t82 "Password Expiration"
t83 "Secure Flag"

Subsystem "Miscellaneous Security Topics"

t84 "Unauthorised Access Notice" 
t85 "Batch"

                         Digital Internal Use Only
T.RTitleUserPersonal
Name
DateLines