HP OpenVMS Version 8.3 for Alpha and Integrity Servers SPD 82.35.11
SECURITY
OpenVMS provides a rich set of tools to control user access to system-controlled data structures and devices that store information. OpenVMS employs a reference monitor concept that mediates all access attempts between subjects (such as user processes) and security-relevant system objects (such as files). OpenVMS also provides a system security audit log file that records the results of all object access attempts. The audit log can also be used to capture information regarding a wide variety of other security-relevant events.
User account information, privileges, and quotas associated with each user account are maintained in the system user authorization file (SYSUAF). Each user account is assigned a user name, password, and unique user identification code (UIC). To log in and gain access to the system, the user must supply a valid user name and password. The password is encoded and does not appear on terminal displays.
Users can change their password voluntarily, or the system manager can specify how frequently passwords change, along with minimum password length, and the use of randomly generated passwords.
Operations
OpenVMS allows for varying levels of privilege to be assigned to different operators. Operators can use the OpenVMS Help Message utility to receive online descriptions of error messages. In addition, system-generated messages can be routed to different terminals based on their interest to the console operators, tape librarians, security administrators, and system managers.
Security auditing is provided for the selective recording of security-related events. This auditing information can be directed to security operator terminals (alarms) or to the system security audit log file (audits). Each audit record contains the date and time of the event, the identity of the associated user process, and additional information specific to each event.
OpenVMS provides security auditing for the following events:
• Login and logout
• Login failures and break-in attempts
• Object creation, access, deaccess, and deletion; selectable by use of privilege, type of access, and on individual objects
• Authorization database changes
• Network logical link connections for DECnet for OpenVMS, DECnet-Plus, DECwindows, IPC, and SYSMAN
• Use of identifiers or privileges
• Installed image additions, deletions, and replacements
• Volume mounts and dismounts
• Use of the Network Control Program (NCP) utility
• Use or failed use of individual privileges
• Use of individual process control system services
• System parameter changes
• System time changes and recalibrations
Every security-relevant system object is labeled with the UIC of its owner along with a simple protection mask. The owner UIC consists of two fields: the user field and a group field. System objects also have a protection mask that allows read, write, execute, and delete access to the object’s owner, group, privileged system users, and to all other users. The system manager can protect system objects with access control lists (ACLs) that allow access to be granted or denied to a list of individual users, groups, or identifiers. ACLs can also be used to audit access attempts to critical system objects.
OpenVMS applies full protection to the following system objects:
• Common event flag clusters
• Devices
• Files
• Group global sections
• Logical name tables
• Batch/print queues
• Resource domains
• Security classes
• System global sections
• ODS-2 volumes
• ODS-5 volumes
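A simplified model of the access decision described above (owner UIC with group and member fields, a protection mask with system, owner, group and world categories, ACL entries keyed on identifiers, and one audit record per attempt), added here as an illustration. It is not OpenVMS code: the ACL-then-mask ordering, the treatment of the MAXSYSGROUP boundary, and all object, identifier and UIC values are assumptions made for the example.

```python
from dataclasses import dataclass, field

UIC = tuple[int, int]     # (group, member), the two fields of an owner UIC
MAXSYSGROUP = 0o10        # assumption: UIC groups at or below this count as "system" users

@dataclass
class ACE:
    identifier: str       # identifier the entry applies to, e.g. "AUDITORS" (constructed)
    access: set           # subset of {"R", "W", "E", "D"} granted to holders of the identifier

@dataclass
class SecObject:
    name: str
    owner: UIC
    mask: dict            # category ("S", "O", "G", "W") -> allowed access set
    acl: list = field(default_factory=list)

@dataclass
class Subject:
    uic: UIC
    identifiers: set = field(default_factory=set)

audit_log: list = []      # stands in for the system security audit log file (no timestamp here)

def parse_mask(text: str) -> dict:
    """Parse a mask written as 'S:RWED,O:RWED,G:RE,W:' into category -> access set."""
    result = {}
    for item in text.split(","):
        category, _, rights = item.partition(":")
        result[category.strip()] = set(rights.strip())
    return result

def check_access(subject: Subject, obj: SecObject, access: str) -> bool:
    """Mediate one access attempt and record the result, reference-monitor style."""
    categories = {"W"}    # every subject belongs to "world"
    if subject.uic == obj.owner:
        categories.add("O")
    if subject.uic[0] == obj.owner[0]:
        categories.add("G")
    if subject.uic[0] <= MAXSYSGROUP:
        categories.add("S")
    # Assumed ordering: the first ACE whose identifier the subject holds decides; if it
    # does not grant the access, only the system and owner mask fields still apply.
    granted = False
    for ace in obj.acl:
        if ace.identifier in subject.identifiers:
            categories &= {"S", "O"}
            granted = access in ace.access
            break
    granted = granted or any(access in obj.mask.get(c, set()) for c in categories)
    audit_log.append({"object": obj.name, "uic": subject.uic, "access": access, "granted": granted})
    return granted
```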
OpenVMS provides optional security solutions to protect your information and communications:
• OpenVMS Version 8.3 introduces encryption for data confidentiality that ships as part of the operating system, thereby removing the requirement to license and install Encrypt separately. The ENCRYPT and DECRYPT commands, now part of OpenVMS, support AES file encryption with 128, 192, or 256 bit keys. AES encryption is also supported by BACKUP/ENCRYPT, allowing for the creation of encrypted tapes and save-sets. The built-in encryption functionality is backward-compatible with file and backup tapes created by the former layered product Encryption for OpenVMS. This layered product featured 56-bit Data Encryption Standard