Terminal Security System User's Guide Prepared for Cargill Grain Lab Minneapolis, Minnesota by Cargill Grain Lab Computer Systems Group Jim Bostwick June 20, 1985 Sy42:[1,100]SCLISUG.DOC ~module~ - ~description~ Page 2 1. Introduction This document presents user's information for the terminal security system. Included in this document are descriptions of the normal operation of the secure system, including in- structions for obtaining reports of SCLI activity. Also in- cluded are descriptions of the various log entries and error messages produced by SCLI. 2. Overview The security system is designed to prevent unauthorized ac- cess to the system. It is especially intended for use with remote access (dial-up) lines. The security system places a barrier between the terminal and the RSX logon procedure (the Hello program). A potential user must first satisfy the security system before being given access to the Hello program. Because the system was specifically designed for access protection, it is essentially impossible to gain ac- cess to the system without first knowing a valid password. The security system consists of a program (SCLI), which is an "alternate command line interpreter". SCLI is config- ured at installation time to protect certain terminals (by number) in the system. SCLI will protect both dial-in (re- mote) and local lines. SCLI only affects these 'protected terminals'. SCLI receives all input to a protected terminal. If it recognizes an access command, SCLI passes control of the terminal to MCR, the normal RSX system interface. When a user logs off from a protected terminal, the RSX executive gives control of the terminal back to SCLI. SCLI records it's activity on both the console terminal and the system error log file. 3. Gaining Access It is easy to gain access to the system through SCLI - but only if the password is known. Passwords will be phrases (not single words), and will contain mixed upper and lower case. Passwords must be entered exactly. For example, if "Space Shuttle" is a password, then "space shuttle", "SPACE SHUTTLE", and so on will NOT be accepted by SCLI. When a protected port is contacted, the SCLI prompt is displayed, rather than the MCR prompt. The prompt may be ~module~ - ~description~ Page 3 changed for each site, but might be "--->". The user then enters the password, followed by a carriage return. If the password is correct, the system will greet the user, and pass control of the terminal to MCR. If the password is in- correct, the system will print a message. The following is an example logon sequence, with comments in brackets ("[]"). User input is underlined, and represents pressing the return key. [ User dials in, and contacts the modem. ] [ If the terminal has ABAUD set, press return [ several times to set baud rate and obtain [ the SCLI prompt ] _<_r_e_t_u_r_n_> _<_r_e_t_u_r_n_> [ user sees SCLI prompt, enters password, but [ makes a spelling error ] --->_S_p_a_c_e _S_h_u_t_l_e_<_r_e_t_u_r_n_> Not good enough! [ User sees message and retypes password ] _S_p_a_c_e _S_h_u_t_t_l_e_<_r_e_t_u_r_n_> Hello, there Fred. [ SCLI accepts password, and greets user ] [ user types to verify MCR prompt ] _<_r_e_t_u_r_n_> >_H_E_L_L_O _[_8_,_9_]_/_g_o_o_f_y [ MCR prompt appears, and "fred" logs in ] Note from the example that the SCLI prompt does not ap- pear following a message from SCLI. It is acceptable to simply enter the password, or, may be entered to re-display the password. If you are unsure which program (SCLI or MCR) you are talking to, press to obtain the prompt. The current CLI may also be determined by pressing CTRL-C. MCR returns a prompt of "MCR>", while SCLI returns a different prompt. Both the default and CTRL-C prompt for SCLI may be set at installation time. NOTE It is important that the user log on to RSX (using HELLO) once access is granted by SCLI. SCLI is given control of the terminal by the BYE program. Thus, if a user accesses MCR, but does not log on, the terminal is left in MCR, and the added security protection of SCLI is lost. It is obviously equally important that the user log off of the terminal when finished. ~module~ - ~description~ Page 4 A user only has a certain number of tries at entering the password correctly. The exact number is determined at installation time. If more than this number of incorrect passwords are entered, SCLI assumes that someone is trying to break in, and places the terminal in 'mumble mode'. In this state, NO passwords are accepted - even the correct ones. This prevents someone from randomly trying different passwords until one works. Once a terminal is in mumble mode, a timer is started. If no input is received within the time interval (which is several minutes), SCLI assumes that the user has given up, and resets the terminal to nor- mal mode. So, if a legitimate user accidentally triggers mumble mode (by mistyping the password too many times), his only choice is to wait the time interval, and try again. Pressing the key (or CTRL-C) to display the prompt does not count as an 'attempt', and may be done any number of times. 4. Terminal Restrictions Because SCLI is case-sensitive, it is necessary that any terminal be set to lowercase mode while connected to SCLI. If a terminal being protected by SCLI is in uppercase mode, users will be unable to enter the password correctly, and will not gain admittance to the system. A terminal may be set lowercase using MCR as follows: SET /LOWER=TTxx: where "xx" is the terminal number. This should be done in VMR for all protected terminals, to ensure that they boot up properly configured. If for any reason a user wants to set the terminal to uppercase mode (e.g., SET /NOLOWER=TTxx:), it will be necessary to reset the terminal on logout. A way to do this is to put code in SYSLOGOUT.CMD to identify a protected terminal and issue the SET /LOWER command. 5. Operating Procedures The operation of the terminal security system is completely automatic. SCLI is started up by the STARTUP.CMD file at system boot time. Thereafter, it is continuously active (although usually stopped). The only operator functions re- late to obtaining log reports, and switching between 'ver- bose' and normal logging. ~module~ - ~description~ Page 5 SCLI will always appear on the ATL command, RMDEMO, etc. as an active task. However, except when actually pro- cessing input commands, SCLI is in a stopped state, not com- peting for memory or CPU time. On a buisy system, SCLI will be checkpointed most of the time. If one or more of the terminals protected by SCLI is in mumble mode, SCLI will wake up periodically (once every few minutes) to check these terminal's status. SCLI is a small program (about 3K words), and has been designed to put a minimum load on the system. SCLI could impact system operation only in extreme conditions of high system load coupled with heavy activity on the protected ports. SCLI is built with a relatively high priority. This is done to provide timely response to input commands, even on a buisy system. It also helps SCLI to complete input process- ing and return to the stopped state as quickly as possible. It is not possible to shut down SCLI, nor should it ever be necessary to do so. The status of a protected port may be determined by is- suing the MCR DEV TTxx: command. The "CLI = SCLI" field will indicate that the terminal is under SCLI control. If a user is logged on to that terminal, his current CLI will be shown. 6. Reports SCLI records its activity in two places: the system error log file, and the console output device. In most systems, the console messages will appear on the system console, TT0:. However, it is possible to re-route all console out- put to either another terminal, a log file, or both. This is done using the MCR COLOG commands, described in the MCR Operations Manual. NOTE Do not attempt to totally suppress console logging by specifying the null device (NL:) for the log file. Doing so will will crash the system. SCLI also records most log entries on the system error log file. These entries will appear as part of the normal ~module~ - ~description~ Page 6 error log reports which should be generated by each system. SCLI error log entries are in the form of 'system messages'. If a report of just SCLI activity is desired use the /T:SYS switch to the RPT program. This will print only system mes- sages, including SCLI entries. System time changes, and some other entries could appear in this report as well. Error logging may be enabled or disabled on a system wide basis using the MCR ELI commands. It is highly recommended that error logging be started at system boot time, and left running. 6.1 Verbose Logging In situations where it is known that someone is trying to break in to a protected system, it may be desirable to re- cord each command entered to a protected terminal. Under normal circumstances, however, this would simply fill up the log file with unnecessary entries. SCLI has thus been given the ability to selectively log illegal input commands, under operator control. SCLI will normally record the command text for a com- mand which causes SCLI to establish mumble mode for a given terminal. If it is desired to log all illegal input to SCLI, verbose logging should be enabled. Disabling verbose logging will restore the default behavior. Verbose logging is enabled by the following MCR com- mand, which must be entered from a priveleged terminal. CLI /MES=SCLI:"Verbose" Since SCLI is sensitive to upper and lower case, the word "Verbose" must be entered exactly as given above. To disable verbose logging, restoring the default beha- vior, use the following MCR command. CLI /MES=SCLI:"Quiet" Again, the word "Quiet" must be entered exactly as shown above. ~module~ - ~description~ Page 7 NOTE The terminal from which these commands is entered must be set to lowercase. This can be done with the SET /LOWER=TTxx: command to MCR. 7. SCLI Errors SCLI responds to internal errors in two ways. Errors which SCLI can recover from itself are logged, and SCLI continues execution. However, SCLI cannot recover from some errors. If an unrecoverable error occurs, SCLI attempts to log the error, and then aborts itself. A register dump, along with the "Task SCLI aborted -- IOT execution" message will appear on the console. If an SCLI abort message appears, the Grain Lab should be contacted as soon as possible. The conditions under which SCLI will abort should never appear. When SCLI aborts, access protection is not lost. The executive will restart SCLI automatically when the next com- mand arrives. If SCLI cannot be restarted, or aborts again, it will be impossible to access the system through the pro- tected terminals. In short, if SCLI fails, it 'locks' the protected terminals against any access. 8. SCLI Log Messages This section briefly describes each message logged by SCLI. Each log entry is preceeded by the word "SECURE:". If COT is active, this is preceeded by the current time, as in the following example. If COT is not active, no timestamp is present. 15:04:18 SECURE: Daffy Duck Logged On TT5: If the console output task (COT) is active, an entry is also inserted in the log when the date changes. Entries in the error log file always contain date and time information. Message format is otherwise the same for console and error log entries. ~module~ - ~description~ Page 8 8.1 Logged ON This entry is used when a terminal has been identified and passed on to MCR by SCLI. Note that this is not the same as logging on to the RSX system using the HELLO task. This entry only indicates that the user was admitted to the sys- tem by SCLI. User sss Logged On terminal TTooo: sss - user id ooo - terminal number being logged on 8.2 Logged OFF When a user logs off of the RSX system (using BYE), SCLI is notified if the terminal is a protected terminal. SCLI then resumes protection for that terminal and makes this log entry. User sss Logged Off terminal TTooo: sss - user id ooo - terminal number 8.3 Mumble Mode Initiated This entry is used when SCLI triggers mumble mode for a tt. It is also logged when mumble-mode is perpetuated by the mumble timer service routine. Note that the count logged is the total number of invalid attempts since the last valid login. If these log entries appear every two or three minutes, it indicates that an unauthorized user may be attempting to break through SCLI. If the count climbs rapidly, it may in- dicate that someone is using another computer to try and discover a password. Mumble Initiated for terminal TTooo:, count = ddd ooo - terminal number ddd - accumulated foo count ~module~ - ~description~ Page 9 8.4 SCLI Initialized This entry appears when a "CLI /INIT=SCLI" command is is- sued, either by MCR, or by SCLI itself (auto-restart). This entry will appear following each system boot. It should not appear at other times. If it does, it indicates that SCLI has aborted and been restarted by the executive. Further examination should indicate the cause of the shutdown. Security System Initialized 8.5 Terminal Connected This entry is logged when a terminal is connected to SCLI. Normally, this entry appears just after a 'user logged off' entry. This indicates that SCLI successfully connected to the terminal following the user logoff. This entry may appear in the log without the companion 'logged off' message. Generally, this means that the secure system is starting up. If this entry appears just following a 'disconnected' entry (see below), it indicates that someone has attempted to bypass SCLI by issuing a MCR SET/CLI command to a pro- tected terminal. SCLI reacts to this by setting the termi- nal back to itself (SCLI). Connected to terminal TTooo: ooo - terminal number of protected terminal 8.6 Terminal Disconnected This entry indicates that SCLI has relinquished control of the terminal. It nomrmally appears just after a 'logged on' entry. Other sources of this entry are user attempting to bypass SCLI, maintenance shutdown, system shutdown (by exec). Disconnected from terminal TTooo: ooo - terminal number of protected terminal ~module~ - ~description~ Page 10 8.7 Maintenance Mode This entry logs the initiation of maintenance shutdown mode. Maintenance mode may be initiated by Grain Lab personnel in the process of re-configuring SCLI on a running system. Maintenance Mode Initiated by TTooo: ooo - terminal issuing maintenance mode command 8.8 Elimination This entry is logged when SCLI has been eliminated, either by a CLI /ELIM=SCLI, or a CLI /ELIM=* command. SCLI reacts to attempts to eliminate it by re-establishing itself. CLI Eliminated 8.9 Internal Error This entry is used to log internal SCLI errors. If it appe- ars, the Grain Lab should be contacted to diagnose the prob- lem. Internal Error ddd, params: ooo[,ooo.... ddd - error id number ooo - variable number of params 8.10 Illegal Login Attempt This entry is used to log the text of illegal login attempts. This entry will generally appear immediately fol- lowing a 'Mumble-ON' message. It will also appear for each command when verbose logging is enabled. Note that the input text is surrounded by asterisks (*). TTooo: *sss* ooo - terminal number sss - command text ~module~ - ~description~ Page 11 8.11 Unknown Terminal This entry is used when SCLI receives a command from an unk- nown terminal. This should not appear, and indicates an im- properly configured SCLI task. If this message appears, contact the Grain Lab. Message from Unknown terminal TTooo: ooo - terminal number 8.12 SCLI Exit This entry is logged just prior to SCLI exit. Issued during maintenance shutdown. Security Service Terminated APPENDIX A Annotated Console Log This appendix contains an example of console log out- put, with added notes. The notes are enclosed in brackets ("[]"). Note that not all entries in the log are from SCLI. In particular, when a user logs on or off, RSX records an entry showing the user's name, UIC, and terminal. SAMPLE SCLI CONSOLE LOG [ we turn on SCLI, simulating a system boot ] 12:52:24 SECURE: Security System Initialized 12:52:25 SECURE: Connect to TT23: 12:52:25 SECURE: Connect to TT36: [ SCLI has come on line, and taken control of the [ protected terminals, these are TT23: and TT36: ] 12:53:13 SECURE: Jim Bostwick Logged On TT23: 12:53:13 SECURE: Disconnect from TT23: 12:53:18 Login user BOSTWICK [1,5] TT23: [ The above is the normal log sequence for a user [ logon. The first entry indicates that SCLI [ identified a user, the second that SCLI has [ given control to MCR. [ The third entry is made by RSX (by HELLO), showing [ that the user logged on to RSX under UIC [1,5] ] 12:53:25 SECURE: Jim Bostwick Logged Off TT23: 12:53:26 SECURE: Connect to TT23: 12:53:25 Logout user BOSTWICK [1,5] TT23: [ The above is the normal logout sequence. Because [ BYE gives SCLI control of the terminal, SCLI's [ messages appear before the BYE log entry. ] [ next, we illustrate mumble mode, with [ verbose logging off (the default). ] 12:54:07 SECURE: Mumble-ON TT23:, count=3. 12:54:07 SECURE: TT23: *hello* [ SCLI has initiated mumble mode for tt23: after [ three invalid passwords have been entered. [ The last invalid password entered was "hello" ] 12:54:23 SECURE: Mumble-ON TT23:, count=5. [ The user kept trying. Because there was [ input during the time interval, [ SCLI restarted mumble mode. ] 12:54:50 SECURE: CSG Remote User Logged On TT23: 12:54:51 SECURE: Disconnect from TT23: Annotated Console Log Page A-2 12:55:05 Login user BOSTWICK [1,5] TT23: 12:55:15 SECURE: CSG Remote User Logged Off TT23: 12:55:15 SECURE: Connect to TT23: 12:55:15 Logout user BOSTWICK [1,5] TT23: [ By waiting quietly for the mumble timer to [ expire, we are again able to log on ] [ next, we will repeat the above example [ of mumble mode, but with verbose logging [ enabled. ] 12:55:36 SECURE: TT23: *hel* 12:55:37 SECURE: TT23: *help* 12:55:39 SECURE: Mumble-ON TT23:, count=3. 12:55:39 SECURE: TT23: *login* [ SCLI has logged the three invalid passwords. [ The third also triggers mumble mode ] 12:55:45 SECURE: TT23: *let me in* 12:55:49 SECURE: TT23: *let me in!* 12:55:55 SECURE: Mumble-ON TT23:, count=5. [ The user kept trying, even typing a valid [ password. SCLI restarts mumble mode. ] [ If anyone attempts to set a protected terminal's [ CLI to MCR, SCLI simply sets it back again ] 12:56:27 SECURE: Disconnect from TT23: 12:56:27 SECURE: Connect to TT23: [ The above sequence results from a [ SET /CLI=TT23:MCR [ command. Security is maintained, and [ the terminal remains under SCLI control. ] 12:56:48 SECURE: Jim Bostwick Logged On TT23: 12:56:48 SECURE: Disconnect from TT23: 12:56:50 Login user BOSTWICK [1,5] TT23: [ We log in again. ] [ If Grain Lab personel are reconfiguring SCLI [ while the system is running, the following [ sequence may appear. ] 12:58:44 SECURE: Maintenance ON by TT3: 12:58:49 SECURE: Disconnect from TT36: 12:58:56 SECURE: CLI Eliminated [ Maintenance mode has been turned on, allowing [ us to disconnect SCLI from a terminal, and [ eliminate it. Following whatever changes [ were made, SCLI would be restarted. ] APPENDIX B Example Error Log Report This appendix contains a sample error log report, il- lustrating SCLI entries. This report was extracted from the logs made during the same test run as the previous console log. Note that the command text entries are not made to the error logger. This is done to keep the error log as small as is practical, since the log file is normally a permanent record of system activity, while the console log file is purged regularly. The report was generated in narrow format for inclusion in this document. Normally, the wide format should be used, as it produces a more compact and readable report. There is no device information in the report, because the command line specified only system type entries. RSX-11M/M-Plus Error Logging 20-JUN-1985 13:15:15 Entry Time Stamp Entry Type Device ------- -------------------- ------------------ ------ 139.1 20-JUN-1985 12:52:24 System Message SECURE: SECURITY SYSTEM INITIALIZED 139.2 20-JUN-1985 12:52:25 System Message SECURE: CONNECT TO TT23: 139.3 20-JUN-1985 12:52:25 System Message SECURE: CONNECT TO TT36: 139.4 20-JUN-1985 12:53:13 System Message SECURE: JIM BOSTWICK LOGGED ON TT23: 140.1 20-JUN-1985 12:53:13 System Message SECURE: DISCONNECT FROM TT23: 140.2 20-JUN-1985 12:53:25 System Message SECURE: JIM BOSTWICK LOGGED OFF TT23: 140.3 20-JUN-1985 12:53:26 System Message SECURE: CONNECT TO TT23: 140.4 20-JUN-1985 12:54:07 System Message SECURE: MUMBLE-ON TT23:, COUNT=3. RSX-11M/M-Plus Error Logging System Page 2 Entry Time Stamp Entry Type Device ------- -------------------- ------------------ ------ Example Error Log Report Page B-2 141.1 20-JUN-1985 12:54:23 System Message SECURE: MUMBLE-ON TT23:, COUNT=5. 141.2 20-JUN-1985 12:54:51 System Message SECURE: CSG REMOTE USER LOGGED ON TT23: 141.3 20-JUN-1985 12:54:51 System Message SECURE: DISCONNECT FROM TT23: 141.4 20-JUN-1985 12:55:15 System Message SECURE: CSG REMOTE USER LOGGED OFF TT23 142.1 20-JUN-1985 12:55:16 System Message SECURE: CONNECT TO TT23: 142.2 20-JUN-1985 12:55:39 System Message SECURE: MUMBLE-ON TT23:, COUNT=3. 142.3 20-JUN-1985 12:55:55 System Message SECURE: MUMBLE-ON TT23:, COUNT=5. 142.4 20-JUN-1985 12:56:27 System Message SECURE: DISCONNECT FROM TT23: 143.1 20-JUN-1985 12:56:27 System Message SECURE: CONNECT TO TT23: 143.2 20-JUN-1985 12:56:48 System Message SECURE: JIM BOSTWICK LOGGED ON TT23: 143.3 20-JUN-1985 12:56:48 System Message SECURE: DISCONNECT FROM TT23: 143.4 20-JUN-1985 12:57:42 System Message SECURE: MAINTENANCE ON BY TT3: 144.1 20-JUN-1985 12:57:56 System Message SECURE: DISCONNECT FROM TT36: 144.2 20-JUN-1985 12:57:56 System Message SECURE: CONNECT TO TT36: 144.3 20-JUN-1985 12:58:17 System Message SECURE: DISCONNECT FROM TT36: 144.4 20-JUN-1985 12:58:18 System Message SECURE: CONNECT TO TT36: 145.1 20-JUN-1985 12:58:29 System Message SECURE: DISCONNECT FROM TT36: 145.2 20-JUN-1985 12:58:29 System Message SECURE: CONNECT TO TT36: 145.3 20-JUN-1985 12:58:44 System Message SECURE: MAINTENANCE ON BY TT3: 145.4 20-JUN-1985 12:58:49 System Message SECURE: DISCONNECT FROM TT36: 146.1 20-JUN-1985 12:58:56 System Message SECURE: CLI ELIMINATED 146.2 20-JUN-1985 12:59:57 System Message Example Error Log Report Page B-3 SECURE: SECURITY SYSTEM INITIALIZED 146.3 20-JUN-1985 12:59:58 System Message SECURE: CONNECT TO TT23: 146.4 20-JUN-1985 12:59:58 System Message SECURE: CONNECT TO TT36: RSX-11M/M-Plus Error Logging System Page 3 Entry Time Stamp Entry Type Device ------- -------------------- ------------------ ------ 147.1 20-JUN-1985 13:00:05 System Message SECURE: JIM BOSTWICK LOGGED ON TT23: 147.2 20-JUN-1985 13:00:06 System Message SECURE: DISCONNECT FROM TT23: 147.3 20-JUN-1985 13:00:17 System Message SECURE: JIM BOSTWICK LOGGED OFF TT23: 147.4 20-JUN-1985 13:00:18 System Message SECURE: CONNECT TO TT23: 148.1 20-JUN-1985 13:00:33 System Message SECURE: DISCONNECT FROM TT23: 148.2 20-JUN-1985 13:00:34 System Message SECURE: CONNECT TO TT23: 148.3 20-JUN-1985 13:00:49 System Message SECURE: JIM BOSTWICK LOGGED ON TT23: 148.4 20-JUN-1985 13:00:50 System Message SECURE: DISCONNECT FROM TT23: RSX-11M/M-Plus Error Logging System Page 4 Selection information: --------- ------------ Command line: SAMPLE.RPT=/DA:TODAY/W:N/T:SYS CONTENTS 1. Introduction . . . . . . . . . . . . . . . . . . 2 2. Overview . . . . . . . . . . . . . . . . . . . . 2 3. Gaining Access . . . . . . . . . . . . . . . . . 2 4. Terminal Restrictions . . . . . . . . . . . . . 4 5. Operating Procedures . . . . . . . . . . . . . . 4 6. Reports . . . . . . . . . . . . . . . . . . . . 5 6.1 Verbose Logging . . . . . . . . . . . . . 6 7. SCLI Errors . . . . . . . . . . . . . . . . . . 7 8. SCLI Log Messages . . . . . . . . . . . . . . . 7 8.1 Logged ON . . . . . . . . . . . . . . . . 8 8.2 Logged OFF . . . . . . . . . . . . . . . . 8 8.3 Mumble Mode Initiated . . . . . . . . . . 8 8.4 SCLI Initialized . . . . . . . . . . . . . 9 8.5 Terminal Connected . . . . . . . . . . . . 9 8.6 Terminal Disconnected . . . . . . . . . . 9 8.7 Maintenance Mode . . . . . . . . . . . . . 10 8.8 Elimination . . . . . . . . . . . . . . . 10 8.9 Internal Error . . . . . . . . . . . . . . 10 8.10 Illegal Login Attempt . . . . . . . . . . 10 8.11 Unknown Terminal . . . . . . . . . . . . . 11 8.12 SCLI Exit . . . . . . . . . . . . . . . . 11 A. Annotated Console Log . . . . . . . . . . . . . . . A-1 B. Example Error Log Report . . . . . . . . . . . . . . B-1