VMS SES Security Manager's Guide Version 5.3-1

This document serves as a guide for security managers, detailing the concepts and configurable features of the Version 5.3-1 VMS Security Enhancement Service (SEVMS). SEVMS augments the standard VMS discretionary access controls by implementing a system-wide mandatory access control (MAC) policy.

The core of SEVMS is a lattice security model, which assigns "secrecy" and "integrity" classifications to both subjects (processes) and objects (files, devices, etc.). This model dictates that a subject cannot read data classified higher than its own secrecy level, nor write data classified lower than its own secrecy level (to prevent unauthorized disclosure). While an integrity model is also present, its full utility and support are currently limited.

Key areas covered include:

• Access Determination: How SEVMS checks a subject's classification against an object's classification to grant or deny access, complemented by traditional VMS discretionary controls.
• User Interaction: How users log into the system with a specific session classification, how process classifications are displayed, and how users interact with classified objects.
• Security Management: Comprehensive guidance for security managers on defining secrecy levels and categories, setting classification ranges for critical objects (disks, terminals, printers, logical name tables, mailboxes), and managing user accounts within the mandatory control environment.
• Privileges: A detailed explanation of specific VMS privileges (e.g., BYPASS, DOWNGRADE, UPGRADE, READALL) that can bypass or modify mandatory access checks, highlighting the need for careful privilege assignment.
• Networking and Utilities: How SEVMS handles DECnet connections, file transfers, mail, and the BACKUP utility in a classified environment, ensuring data protection across various operations.
• Auditing: SEVMS-specific auditing features that expand upon VMS's capabilities to track security-relevant events related to mandatory access controls, including file access and classification changes, with corresponding commands and alarm messages.
• Secure Print Facility: Description of the secure print symbiont, which ensures printed output is appropriately labeled based on classification and that files are only printed on authorized devices, using customizable templates.

The document stresses that SEVMS controls are additive to VMS security and require thorough familiarity with VMS security practices for effective implementation.