INSPECT Implementation

by Condor Woodstein

We received an internal document recently concerning security implementations on Digital's EASYnet.  The employee who supplied this information wishes to be known as Condor Woodstein.  We will quote some of the more interesting sections.

"Someone has written that 'failing to plan is planning to fail.'  No where [sic] could this be more true than in the area of security.  In an effort to improve upon our planning, a new security tool is being released for all VMS systems.  This tool will run with SECURPAK, and will provide the system manager with a new level of system security testing that was never before available.  Additionally, it will complete the process by providing a greater level of reporting than exists today.

"... INSPECT will be required on all VMS nodes of the EASYnet.  INSPECT - Interactive Network Security Policy Examination/Compliance Toolset, has been developed to meet the rigors of Corporate Security Standard 11.1.  When run, INSPECT will check a system to ensure that it is in compliance with this security standard.

"All system managers in DECnet Areas 16, 34, and 36 are being asked to install the INSPECT tool on their system by December 30, 1990.  Additionally, any system manager of a system in a hidden area, i.e.: 62, 63, who is serviced by an area 16, 34, or 36 pass-thru server must also install INSPECT.  INSPECT is now a required security tool, just as SECURPAK is.  The XSAFE security testing tool now tests for the existence of INSPECT on your node.

"... Presently, Digital Equipment Corporation owns the 'largest proprietary computer network in the world.'  This network, EASYnet, is a target for hackers, and others.  The EASYnet represents a wealth of resource that is available to the Digital employee, and it is a resource that must be protected.  INSPECT is a tool that will assist the system manager in safe guarding [sic] our resources.

"INSPECT is divided into two portions, inspectors and agents.  Basically, inspectors are assigned a specific task.  Agents are generated by the inspectors, and carry out the actual investigation.  INSPECT's purpose is to check the security of your node, in an ongoing manner, and review 5 major subsystems on your system.  They are:

"File Subsystem: system file ownership and protections, overall file protection, public and private, world writeable [sic] files.

"Account Subsystem: checks for privileged accounts, account ownership, proxies, system support accounts, and inactive accounts.

"Network Subsystem: checks network objects, DECnet access, dial-up and LAT protection.

"SYSGEN Subsystem: compares SYSGEN parameters for changes.

"Audit Subsystem: checks for security auditing and OPCOM.

"At a minimum, INSPECT runs automatically every 28 days, and reports the findings of these subsystems to the Security Office, as well as generates a report to be used by the system manager.  This report can be used to correct potential security 'holes.'

"Furthermore, INSPECT can be run on demand by the system manager, and it is encouraged that INSPECT be run whenever there is a change made to a system, whenever unaccountable changes are found, or whenever increased activity is noticed on your system.

"... INSPECT provides reporting capabilities to both the system manager and the Security Office.  As INSPECT finds potential security issues, it attempts to resolve them by creating a DCL command procedure that will 'patch the hole.'  INSPECT does not apply the patch that is developed.  It is up to the discretion of the individual system manager to ensure that this is performed.  It becomes part of the system manager's responsibility to check for VAXmail messages from INSPECT, and take corrective action if necessary.

"Information regarding LOCKDOWN is being provided to the system manager to ensure that they understand what LOCKDOWN is and what it does.  Until otherwise notified.  ** LOCKDOWN SHOULD NOT BE UTILIZED ON ANY SYSTEMS **

"Perhaps one of the most misunderstood features of INSPECT is LOCKDOWN.  LOCKDOWN is a default feature of INSPECT.  Whenever INSPECT is run, it creates a file in the SYS$MANAGER directory.  This file is named: SYS$MANAGER:INSPECT$node-name_LOCKDOWN.COM

"This file contains DCL code for each violation that INSPECT finds, and is readable by the system manager.  INSPECT does not process this file, or apply any patch to your system.  At the end of an INSPECTion, a VAXmail is sent to the system manager for review.  The VAXmail contains all the security issues that INSPECT found.  INSPECT also notifies the Security Office of the node violations by sending a token of information.  This information is automatically placed in the Regional node database.

"... LOCKDOWN is run interactively, and 'suggests' values or options for the system manager to use.  The system manager is always prompted to determine if a change should be made, and the LOCKDOWN procedure does not make any changes without first consulting the system manager.  This is key to the understanding of LOCKDOWN.  INSPECT will not change anything that you do not approve.  When used in this manner, the system manager will find LOCKDOWN to be very helpful as all the necessary commands to correct a security issue have already been set up.  All the system manager has to do is approve the processing of them.  By regularly running INSPECT, and reviewing the LOCKDOWN file, the system manager will become familiar with what needs to be done, and should find the LOCKDOWN feature helpful.

"On a test MicroVAX, with only 8 accounts, INSPECT generated a 75 block command file of DCL code.  Larger systems and clusters will generate a much larger file.  System managers are encouraged to carefully read and utilize this code.  Some of the items that the LOCKDOWN code can do for you by default are:

"Ensure that all non-privilege accounts have a password minimum of 8 characters.

"Ensure that privilege accounts have a password minimum of 15 characters.

"Delete SYSUAF entries for SYSTEST, SYSTEST_CLIG, and FIELD.

"Modify SYSGEN LGI (login parameters).

"Ensure that all accounts expire.

"Enables VMS Accounting and AUDIT.

"Set protections and ACL's on files in accordance with standard 11.1.

"Rename the DECnet SYSUAF entry to: DECnet$SERV

"... As indicated in the INSPECT v2 installation, the system manager is cautioned against blindly running the LOCKDOWN procedure.  Careful evaluation of the procedure's contents is encouraged.  It is possible that the LOCKDOWN procedure may affect other layered products on your system.  For example, LOCKDOWN inserts commands to start VMS accounting.  If you are running on a smaller VAX, i.e., MicroVAX or a 3100, you probably have 'lean' disk space, and probably don't want ACCOUNTING running.  In this case, when you are prompted by LOCKDOWN regarding the running of VMS ACCOUNTING, you would use the default, 'N'.  In this case, LOCKDOWN would not start accounting.

"... Every 28 days, at minimum, INSPECT will check your system and send a token to the 'Security Office.'  The Security Office is a special node that is set up to receive these tokens of information and process them.  Within Central States Region, a node is being set up that will be the focal point for INSPECT tokens.  The Security Office will be able to track nodes throughout the Region, and ultimately Corporate Security will be able to track the entire EASYnet.  Nodes suspected of being open to intrusion will be contacted and required to take corrective measure.

"Perhaps one of the more important features of the Security Office is its ability to generate mail messages.  Security managers will be able to review the results of the INSPECT tests quicker, and can utilize the automated features of the Office to mail discrepancies to both the System Manager and the cost center manager.  The office can generate 3 types of canned reports:

"1.)  A report of all nodes that have issues.

"2.)  Generate VAXmails directly to system managers, with a copy to the cost center manager, for every node that has an issue.

"3.)  Generate mail memos sent directly to System Managers, with a copy to the cost center manager for 'Missing Tokens.'  This memo indicates that INSPECT either is not running on your node, or has not been installed.

"... INSPECT will be used in conjunction with XSAFE.  In fact, XSAFE now checks for the installation of INSPECT on your node.  Any node that does not have INSPECT installed will be flagged by XSAFE as a violation.

"For those who may not be aware, XSAFE is an external tool used by Corporate Security to test every node on the EASYnet each quarter.  XSAFE actually attempts to break into a node by logging into known accounts that should be turned off.  It checks file privileges on system and network files, and performs other security tests.  At the end of the test, the results are VAXmailed to the SYSTEM account where the system manager can read it and correct the issues.  Additionally, the results are sent to the master XSAFE database.  Quarterly, a report is generated showing the results of all XSAFE testing in the geography.  Nodes which contain failures are contacted and requested to address the violation.

"... Hidden areas are actually 'small or local' DECnet areas within larger DECnet areas, and are used to place additional nodes on the network when network space becomes scarce.  A single large DECnet area may have many, smaller hidden areas.  The hidden area is separate from the EASYnet, but connected via a pass-through server.  This server allows the hidden area users to access systems and data much as any other system, except they must pass-through the server to get to it.

"When installing INSPECT, systems in a hidden area should consider their Security Office to be their pass-through server.  That is, the system that connects their hidden area to the EASYnet serves as the Security Office for that hidden area.  When INSPECT is installed, merely point it to the pass-through server.  System managers responsible for pass-through servers will need to install INSPECT indicating that this node is a pass-through server.  This indicates that the server will need to take the INSPECT token it receives and pass it to the Central States Security Office node.

"All EASYnet nodes must continue to run SECURPAK.  Nothing changes with regard to this utility.  All system managers should have SECURPAK installed and running on their respective nodes, and should be reviewing the reports generated by this tool.  In comparison, SECURPAK runs each daily and delivers reports to the system manager.  SECURPAK looks a [sic] login failures, and other items as selected by the system manager.  INSPECT, on the other hand, does not run daily, it runs as scheduled by the system manager.  INSPECT digs deeper into the system, and communicates its findings to the Security Office, SECURPAK doesn't.  These two tools, when combined, will make it easier for the system manager to ensure that their system is secure.

"... Any time that you suspect that your system, or the EASYnet has been compromised, do the following:

"A.)  Use the VMS AUDIT command to dump the audit log: $ANAL/AUDIT/SINCE=DATE/OUTPUT=filename SYS$MANAGER:

"B.)  Mail this log electronically to ANCHOR::NETWORK.  Include you [sic] name, address, and DTN.

"C.)  Call Network Operations and inform them of your situation.

"D.)  Call Central States Regional Security.

"E.)  Keep communication with regard to the incident within a close circle of individuals.  Do not spread information regarding the incident that may or may not be true.  You might not have a problem.

"... System managers now have both SECURPAK and INSPECT to use in securing their systems, as well as VMS Security features such as AUDIT.  When combined with the external testing of XSAFE, the EASYnet will become a much more difficult target for hackers to penetrate."
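
The Security Office tracking described in the quoted document (nodes with issues, mail to the system manager with a copy to the cost center manager, and "Missing Tokens" memos) can be sketched as follows. This is an added example, not part of the original article or of INSPECT itself; the token layout, node names, and manager names are constructed, since the document does not describe the real token format.

```python
from datetime import date, timedelta

# The document states INSPECT reports at least every 28 days.
REPORT_INTERVAL = timedelta(days=28)

# Constructed registry: node -> (system manager, cost center manager).
NODES = {
    "ALPHA": ("smith", "jones"),
    "BRAVO": ("lee", "jones"),
    "CHARLY": ("patel", "garcia"),
    "DELTA": ("kim", "garcia"),
}

# Constructed tokens: (node, date received, findings). Format is assumed.
TOKENS = [
    ("ALPHA", date(1990, 12, 1), []),
    ("ALPHA", date(1990, 12, 20), ["world-writable system file"]),
    ("BRAVO", date(1990, 12, 18), []),
    ("CHARLY", date(1990, 11, 10), ["inactive account"]),
]


def latest_tokens(tokens):
    """Keep only the most recent token per node."""
    latest = {}
    for node, received, findings in tokens:
        if node not in latest or received > latest[node][0]:
            latest[node] = (received, findings)
    return latest


def office_reports(nodes, tokens, today):
    """Return (nodes with issues, mails to send) for the registered nodes.

    A node whose latest token is older than REPORT_INTERVAL, or that never
    sent one, gets a missing-token memo; its stale findings are not trusted.
    Tokens from nodes that are not in the registry are ignored.
    """
    latest = latest_tokens(tokens)
    with_issues, mails = [], []
    for node in sorted(nodes):
        manager, cost_center = nodes[node]
        token = latest.get(node)
        if token is None or today - token[0] > REPORT_INTERVAL:
            last = token[0].isoformat() if token else "never"
            mails.append({"node": node, "to": manager, "cc": cost_center,
                          "type": "missing-token", "detail": last})
        elif token[1]:
            with_issues.append(node)
            mails.append({"node": node, "to": manager, "cc": cost_center,
                          "type": "issues", "detail": "; ".join(token[1])})
    return with_issues, mails
```
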
