Contributed 8/29/00 by Carolann Lazurus (Clazarus@business.buffalo.edu)

Digital VAX/VMS Audit Program

I. GENERAL OPERATING SYSTEM INFORMATION
Objective: To obtain the appropriate general information regarding the operating system to aid in the review.

A. Identify DEC hardware configurations, making note of all clustered CPUs, shared disk storage areas, and the locations of each.
B. Determine and document all DEC/VAX systems, versions, releases and maintenance levels of the operating system. Include in this list any other pertinent systems software. Determine if any multiple operating systems exist and, if so, why.
C. Identify any non-DEC code which has been introduced into the operating system. Obtain documentation supporting such changes and review for appropriateness.
D. Determine if problem logs are maintained for the VAX computer. If so, obtain opened and closed problems for the last six months and review for processing problems of audit concern.

II. SYSTEM MODIFICATIONS
Objective: To ensure that all changes to the operating system are authorized and properly tested.

A. Determine whether FNSC change control procedures exist for the modifications to the operating system and are adequately adhered to.
B. Document the frequency of VAX operating system changes from the vendor. How are these changes sent and installed at FNSC?
C. Determine if there is a modification tracking log maintained by technical support. Ensure that this log indicates:
   1. Who made the change;
   2. What was changed;
   3. How the change was installed (i.e., Debug Utility, command procedure, etc.)
D. Determine and document in the work papers which individuals are responsible for applying changes to the operating system. Determine if this responsibility is rotated, and if the work performed is reviewed by a supervisor on a periodic basis.
E. Document the procedures for testing the modifications to the operating system (e.g., scheduling, individual participation, formal sign-offs, etc.)
F. If applicable, examine documentation to determine the justification for and approval of each non-DEC modification to the operating system noted in Step I.C. Do procedures include management approval prior to implementation, independent certification of modified code, and a review of supporting documentation?
G. Is the previous version of the system configuration retained when a new one is created? Is it backed up and sent offsite?
H. Are system users and application support notified of changes to the operating system? (i.e., When is the impact on the users and applications assessed?)

III. CRITICAL FILE REVIEW
Objective: To ensure that all critical/sensitive files are adequately protected against unauthorized access.

A. With tech support personnel, obtain a listing of file characteristics for all system files.
B. For each critical file noted in Perm, determine whether access is adequate (i.e., only authorized individuals can access these files). Document any special access control features that may be in place, such as access alarms, secondary password requirements, etc. If passwords are used, are the password files encrypted?
C. Are mirrored disks used? If so, determine which disks are mirrored. Identify and review the controls over inactivating and activating this function.

IV. REVIEW OF SENSITIVE UTILITIES/PROGRAMS
Objective: To ensure that all critical/sensitive programs/utilities can only be executed by authorized individuals.

A. Review security over sensitive utilities/programs to ensure that only authorized users can execute them.
   1. System Users Authorization Utility (AUTHORIZE), used to control access to the system and allocate resources to users
      a. Determine who has access to this utility and ensure that it is adequate.
   2. VMS Accounting Utility (ACCOUNTING), used to track and report system activity
      a. Determine who has access to this utility and ensure that it is adequate.
   3. Access Control List Editor (EDIT/ACL), used to control access to files and directories that is different from UIC-based security
      a. Test to see that system ACL tables can only be changed by authorized accounts.
   4. Digital Control Language (DCL) Commands
      a. Is access to DCL Command Level restricted by UAF flags, login command file, or other preprogrammed routine? Document methods used and any exceptions.
      b. If a user has access to the electronic MAIL Utility, can he/she SPAWN out to DCL command level?
      c. Does DCL restrict access to privileged commands such as INSTALL, INITIALIZE/QUE, DELETE/QUE, STOP, SET AUDIT, SET UIC, etc.? Test the access to these and other sensitive commands to ensure that proper privilege is required.
   5. Backup and Restore - utilities that copy disk files to magnetic tape and restore files from tape to disk
      a. Determine who has access to these utilities/commands and ensure that it is adequate.
   6. VMS Monitor Utility (MONITOR), monitors jobs and system resource use
      a. Determine who has access to this utility and ensure that it is adequate.
   7. VMS Debugger Utility (DEBUG), allows runtime analysis and modification of executable jobs
      a. Determine who has access to this utility and ensure that it is adequate.
B. Review management trails produced from these utilities and determine if they are adequate.
C. Review critical system parameters using the SYSGEN Utility.

V. INITIAL LOAD AND SHUT DOWN PROCEDURES
Objective: To ensure that procedures and supporting documentation are in place for the VAX load and shutdown process.

A. Review the existing VAX operating system load procedures and determine if they are well documented.
B. Identify the individuals that can perform the system load. Is it initiated and logged at the system console? Also identify the startup used by the system. This is achieved by executing the SYSGEN utility SHOW STARTUP.COM within the SYS$SYSTEM directory. Review ownership of and access allowed to this critical command procedure, and ensure that this command procedure is the one authorized by management.
C. Determine the frequency of system gens and review the documentation of the last gen to ensure that all system directories and subdirectories are utilized. In addition, review any critical parameters during the initial load. Who has access to the system gen program?
D. Review existing system shutdown procedures and determine if they are documented. Identify all critical system shutdown command procedures (i.e. *$SHUTDOWN.COM). Review ownership of and access allowed to these critical command procedures.
E. Identify the controls in place to prevent system shutdown during active batch or interactive user sessions.
F. Determine if users are notified of system shutdown by means of the time parameter at shutdown invocation.

VI. VMS SECURITY
Objective: To ensure that the VMS operating system security is adequate to control access to critical/sensitive programs/files.

A. Document and review the VMS operating system security and determine whether it adequately addresses security issues.
B. Review password controls in conjunction with the user UAFs and ensure the following:
   1. passwords are changed periodically;
   2. the password file is properly controlled;
   3. passwords are properly issued;
   4. password requests are authorized;
   5. passwords are masked during signon and on output listings;
   6. passwords are not written in user manuals, taped to operator terminals, etc.;
   7. passwords require a minimum length;
   8. logonids and passwords are not shared; and
   9. terminals automatically log off after a period of inactivity.
C. Obtain and review the current UAF listings of all non-application users of all production nodes. Determine if the lists are current. Review UAFs for the following:
   1. Default or authorized privileges exceeding those required for job function;
   2. Review the login parameter to ensure that logins defined are in conjunction with the job function performed (i.e. local, dial-up, etc.);
   3. password controls noted above.
D. Document and determine if adequate procedures are in place for creating user accounts, assigning privileges and permitting the use of the computer resources.
E. Ensure that the procedures for recording and following up on unauthorized access attempts are adequate.
F. Is maintenance to security (UAF) files/tables logged and reviewed?
G. Identify all system directories and system files. Identify the location of all critical files. Review UIC protection over these files and ensure that world access is set to execute only, to prevent unauthorized copying into anyone's directory.
H. Review system directory and file access control lists. Ensure that the ACLs are proper and prevent unauthorized access to the system files.
I. Review system file ownership by invoking the DIRECTORY/OWNER command. Ensure that all system directories and files are owned by the system.
J. Review the additional VAX/VMS "Security Auditing Plan" located in section of the Perm Binder, and perform steps as the need requires.
K. Obtain a copy of the operator login.com procedure as identified on the LGICMD line of the operator's UAF file. Review this login command procedure for conditions that give the operator access to DCL.
L. Review and document emergency logon procedures. Identify and note the emergency logonid UAF. Identify and test the controls over accessing this logonid and the associated audit trail reporting of logon activity.

VII. COMMUNICATION CONTROLS
Objective: To ensure that there are adequate controls over VAX communications to restrict access to authorized individuals.

A. Identify and document the communication configuration of all VAX local area networks. Also note CPUs connected to Ethernet.
B. Describe any confidential information which is being transmitted via telephone lines, and determine what controls are in place, if any, to protect this data (i.e. encryption).
C. If encryption/decryption is being utilized, determine if the algorithm and keys are properly controlled and protected.
D. Review the controls over VAX dial-in capabilities (i.e. Defender, modems, Security Dynamics) and determine whether they are adequate.
F. Review procedures used during the NDM process. Review VAX NDM logonid and password controls over all transmission. Also identify NDM audit trail logging.

VIII. CHANGE CONTROL

Objective: To ensure that controls over changes to the object and source production programs are adequate.

A. Review and document the current procedures for software turnover into the VAX production environment.
B. Review a sample of VAX object/source change control forms to ensure that they are completed properly and procedures are being adequately adhered to.
C. Identify the directory and file names of all software utilized in the production turnover process (LIB_MAINT). Ensure that ownership is restricted to the system and the UIC security is appropriate.
D. Determine what audit trails exist on the system for program changes and trace a sample to the program change requests.

IX. VAX LOG REVIEW
Objective: To ensure that all critical and sensitive activity utilizing DCL commands is logged, creating a valid audit trail.

A. Identify the various logs produced by the VAX system.
B. Review these logs for any items of audit significance and research any unusual occurrences.
C. Determine maintenance of console logs. Note the retention period of these logs, who reviews them, and if they are stored on- or off-site.

X. BACKUP AND RECOVERY
Objective: To ensure that the system is being properly backed up to provide the recovery capability in the event of a disaster. Also to ensure that a disaster plan has been developed and properly tested to ensure a planned transition in the event of a site disaster.

A. Document all system backup and recovery procedures. Identify daily, weekly, monthly, and annual frequencies.
B. Identify the offsite rotation of system backups. Also note the generations of each and the rotation frequencies.
C. Test the offsite rotation of backup tapes by performing an inventory of in-house tapes and comparing them to the procedures noted in X.A.
D. Obtain the backup command procedures and verify them against the operator's login.com procedures to ensure that you have the correct procedures. Identify the packs that are being backed up. Also, identify and review the method used for the incremental backups (dailies).
E. Determine if a disaster recovery plan has been developed to provide offsite processing of VAX applications in the event of a disaster.
F. Determine and document any tests performed relating to disaster recovery of the VAX system.

XI. DISK MANAGEMENT
Objective: To ensure that direct access storage devices (DASD) are managed efficiently and adequately controlled.

A. Obtain an inventory of all DASD volumes along with a general description of controls, usage, ownership, and critical nature.
B. Obtain applicable organizational and departmental (i.e. technical service) policies and procedures relating to DASD management.
C. Review the procedures and responsibilities for DASD acquisitions. Determine the basis for present and future DASD needs. Evaluate the process and ensure that decisions are based on verifiable documentation, accurate and timely reporting, and complete data.
D. Verify that DASD acquisition is approved by management only after review/analysis of DASD needs.
E. Determine how DASD resources are managed. Review how space is justified and allocated. Ensure procedures are adequate to monitor usage and efficient storage.
F. Review any DASD management tools (software products or service utilities, forms, reports) that are available to aid in the management function.
   1. Determine if tools are reasonable and satisfy specified objectives.
   2. Determine whether adequate audit trails are provided.
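
The UAF review in steps VI.B and VI.C can be run mechanically over a saved listing. The following is an added example, not part of the original audit program: it parses a constructed listing whose layout is modelled on AUTHORIZE full-listing output, and the privilege baseline and minimum password length are assumed values to be replaced with site policy.

```python
import re

BASELINE = {"TMPMBX", "NETMBX"}  # assumption: privileges an ordinary user needs
MIN_LENGTH = 8                   # assumption: site minimum password length
# Constructed sample modelled on an AUTHORIZE full listing (not real data).
SAMPLE = """\
Username: OPER1                            Owner:  NIGHT OPERATOR
No access restrictions
Expiration:            (none)    Pwdminimum:  6   Login Fails:     0
Pwdlifetime:           (none)    Pwdchange:      (pre-expired)
Authorized Privileges:
  NETMBX    OPER      SYSPRV    TMPMBX
Default Privileges:
  NETMBX    TMPMBX

Username: CLERK7                           Owner:  AP CLERK
Dialup:       -----  No access  ------
Expiration:            (none)    Pwdminimum:  8   Login Fails:     0
Pwdlifetime:         90 00:00    Pwdchange:      (pre-expired)
Authorized Privileges:
  NETMBX    TMPMBX
Default Privileges:
  NETMBX    TMPMBX
"""

def parse_accounts(listing):
    accounts = []
    for rec in re.split(r"\n(?=Username:)", listing.strip()):  # one record per user
        privs = re.search(r"Authorized Privileges:[ \t]*\n(.*?)\nDefault Privileges:", rec, re.S)
        accounts.append({
            "user": re.search(r"^Username:\s*(\S+)", rec).group(1),
            "pwdmin": int(re.search(r"Pwdminimum:\s*(\d+)", rec).group(1)),
            "lifetime": re.search(r"Pwdlifetime:\s*(\(none\)|\d+ \d\d:\d\d)", rec).group(1),
            "privs": set(privs.group(1).split()),
            "unrestricted": "No access restrictions" in rec,
        })
    return accounts

def findings(a):
    extra = sorted(a["privs"] - BASELINE)
    checks = [
        (extra, "privileges beyond baseline: " + " ".join(extra)),                   # VI.C.1
        (a["unrestricted"], "no login access restrictions"),                         # VI.C.2
        (a["pwdmin"] < MIN_LENGTH, f"Pwdminimum {a['pwdmin']} below {MIN_LENGTH}"),  # VI.B.7
        (a["lifetime"] == "(none)", "password never expires"),                       # VI.B.1
    ]
    return [msg for failed, msg in checks if failed]

def audit(listing):
    return {a["user"]: findings(a) for a in parse_accounts(listing)}
```

Each finding is an exception to trace back to the account's documented job function, not a conclusion in itself.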