HP OpenVMS 8.3, OpenVMS 8.3-1H1 manual 8

Users can change their password voluntarily, or the system manager can specify how frequently passwords change, along with minimum password length, and the use of randomly generated passwords.

Operations

OpenVMS allows for varying levels of privilege to be assigned to different operators. Operators can use the OpenVMS Help Message utility to receive online descriptions of error messages. In addition, system- generated messages can be routed to different terminals based on their interest to the console operators, tape li- brarians, security administrators, and system managers.

Security auditing is provided for the selective recording of security-related events. This auditing information can be directed to security operator terminals (alarms) or to the system security audit log file (audits). Each audit record contains the date and time of the event, the identity of the associated user process, and additional information specific to each event.

OpenVMS provides security auditing for the following events:

•Login and logout

•Login failures and break-in attempts

•Object creation, access, deaccess, and deletion; se- lectable by use of privilege, type of access, and on individual objects

•Authorization database changes

•Network logical link connections for DECnet for OpenVMS, DECnet-Plus, DECwindows, IPC, and

SYSMAN

•Use of identifiers or privileges

•Installed image additions, deletions, and replace- ments

•Volume mounts and dismounts

•Use of the Network Control Program (NCP) utility

•Use or failed use of individual privileges

•Use of individual process control system services

•System parameter changes

•System time changes and recalibrations

Every security-relevant system object is labeled with the UIC of its owner along with a simple protection mask. The owner UIC consists of two fields: the user field and a group field. System objects also have a protection mask that allows read, write, execute, and delete access to the object’s owner, group, privileged system users, and to all other users. The system manager can protect system objects with access control lists (ACLs)

that allow access to be granted or denied to a list of individual users, groups, or identifiers. ACLs can also be used to audit access attempts to critical system objects.

OpenVMS applies full protection to the following system objects:

•Common event flag clusters

•Devices

•Files

•Group global sections

•Logical name tables

•Batch/print queues

•Resource domains

•Security classes

•System global sections

•ODS-2 volumes

•ODS-5 volumes

OpenVMS provides optional security solutions to protect your information and communications:

•OpenVMS Version 8.3-1H1 includes encryption for data confidentiality that ships as part of the op- erating system, thereby removing the requirement to license and install Encrypt separately. The EN- CRYPT and DECRYPT commands, now part of OpenVMS, support AES file encryption with 128, 192, or 256 bit keys. AES encryption is also sup- ported by BACKUP/ENCRYPT, allowing for the cre- ation of encrypted tapes and save-sets. The built-in encryption functionality is backward-compatible with file and backup tapes created by the former lay- ered product Encryption for OpenVMS. This layered product featured 56-bit Data Encryption Standard (DES), which continues to function today, allowing for the decryption of archived DES encrypted data. The AES encryption functionality supports Electronic Code Book (ECB) and Cipher Block Chaining (CBC) block modes of encryption. The Cipher Feedback (CFB) and Output Feedback (OFB) 8-bit character stream modes are also supported from the command line as well as by the programmatic APIs.

•Secure Sockets Layer (SSL) for OpenVMS Alpha and Integrity server systems provides secure transfer of sensitive information over the Internet

•Common Data Security Architecture (CDSA) is con- figured and initialized automatically during installa- tion and upgrades and is required for Secure Deliv- ery purposes and other security features. If you in- stall a newer version of CDSA without upgrading the base operating system, you must initalize the CDSA software, using the following command. Enter the command from an account that has both SYSPRV