VMS SES Security Manager's Guide Version 5.2

Order Number: XX-1F23E-87

This document serves as a guide for the VMS Security Enhancement Service (VMS SES), a software security consulting package from Digital Equipment Corporation. It primarily focuses on SEVMS, the licensed software component, which provides mandatory (non-discretionary) access controls and security auditing for the VMS operating system. These controls augment, rather than replace, standard VMS discretionary access mechanisms.

SEVMS implements a lattice security model using "secrecy" and "integrity" classifications for both active subjects (processes) and passive objects (files, devices, etc.). Secrecy ensures confidentiality by preventing "read up" and "write down" access, while integrity aims to assure data trustworthiness by preventing "read down" and "write up" access. Classifications are defined by hierarchical levels (0-255) and non-hierarchical categories (up to 128 for secrecy, 64 for integrity) and are represented internally as "classification blocks" and externally as human-readable "classification strings" that can specify ranges.

The guide details SEVMS's protection features, outlining how access is determined by comparing subject clearance (Access Rights Block) with object classification (Object's Rights Block). It describes specific checks for read and write access, the role of privileges (e.g., BYPASS, DOWNGRADE, UPGRADE) in overriding these checks, and the propagation of classifications to newly created objects. File protection covers various I/O operations, and a secure print symbiont ensures printed output classifications fall within the target printer's range.
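
The read and write checks summarized above can be sketched as follows. This is an added example, not SEVMS code and not taken from the guide; the dominance rule (level at least as high, category set a superset), the 0-based category numbering, and all names are assumptions. Privilege overrides and classification ranges are not modeled.

```python
from collections import namedtuple
MAX_LEVEL = 255            # hierarchical levels 0-255, per the summary above
SECRECY_CATEGORIES = 128   # up to 128 secrecy categories
INTEGRITY_CATEGORIES = 64  # up to 64 integrity categories

Label = namedtuple("Label", "level categories")
Classification = namedtuple("Classification", "secrecy integrity")

def dominates(a, b):
    # Assumed rule: higher-or-equal level AND a superset of the categories.
    return a.level >= b.level and a.categories >= b.categories

def make_label(level, categories, max_categories):
    # Category numbers 0..max-1 are an assumption made for this example.
    cats = frozenset(categories)
    if not 0 <= level <= MAX_LEVEL:
        raise ValueError(f"level {level} outside 0-{MAX_LEVEL}")
    if any(not 0 <= c < max_categories for c in cats):
        raise ValueError("category number out of range")
    return Label(level, cats)

def classify(s_level, s_cats, i_level, i_cats):
    return Classification(make_label(s_level, s_cats, SECRECY_CATEGORIES),
                          make_label(i_level, i_cats, INTEGRITY_CATEGORIES))

def may_read(subject, obj):
    # Secrecy: no read up. Integrity: no read down.
    return (dominates(subject.secrecy, obj.secrecy)
            and dominates(obj.integrity, subject.integrity))

def may_write(subject, obj):
    # Secrecy: no write down. Integrity: no write up.
    return (dominates(obj.secrecy, subject.secrecy)
            and dominates(subject.integrity, obj.integrity))

# Constructed sample labels (not taken from the guide).
SUBJECT = classify(2, {1}, 1, set())
OBJECTS = {
    "lower_secrecy": classify(1, set(), 1, set()),
    "higher_secrecy": classify(3, {1}, 1, set()),
    "other_category": classify(2, {5}, 1, set()),   # incomparable categories
    "higher_integrity": classify(2, {1}, 3, set()),
}

def decisions(subject=SUBJECT, objects=OBJECTS):
    return {n: (may_read(subject, o), may_write(subject, o)) for n, o in objects.items()}

if __name__ == "__main__":
    print(decisions())  # name -> (read allowed, write allowed)
```

The `other_category` object shows why the model is a lattice rather than a simple ordering: at the same level but with disjoint categories, neither label dominates the other, so both read and write are refused.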

For users, the document explains how session classifications are established during login, how to display object classifications, and strategies for organizing classified directories. For security managers, it covers the critical tasks of defining secrecy levels and categories, establishing classification ranges for system resources (disks, terminals, printers, user accounts), and configuring the secure print facility. It also addresses network security in a classified environment, detailing how DECnet handles classification information and how remote access can be restricted. Special notes are provided for the backup utility, mail, and DECwindows, the latter being restricted to unclassified sessions in this version.

Finally, SEVMS enhances VMS's auditing capabilities with specific commands and qualifiers to monitor mandatory access control events, generate alarms for security breaches, and record detailed audit information, including classification changes and print symbiont activity. The secure print facility utilizes customizable templates to ensure proper labeling of all printed output.

December 1989
96 pages