<!DOCTYPE html>
<!-- WASDOC AXP-2.0.0 (CGILIB AXP-1.9.9) -->
<!-- wasDOC Copyright (C) 2019,2020 Mark G.Daniel - Apache-2.0 licenced -->
<!--  3-NOV-2021 02:50 -->
<noscript>NOTE: SOME FUNCTIONALITY EMPLOYS JAVASCRIPT</noscript>
<div id="erreport1" style="display:none;"></div>
<script>
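/*
 * Append an error report fragment to the page's report panel(s) and make
 * them visible.
 *
 * string - HTML fragment to append.  NOTE: it is written via innerHTML, which
 *          is a DOM XSS sink, so the fragment must be generator-trusted or
 *          already HTML-escaped; never route request-derived or otherwise
 *          untrusted text through here.
 *
 * Only 'erreport1' is declared on this page; 'erreport2' may be absent, so a
 * missing element is skipped rather than throwing a TypeError that would
 * abort the loop before the remaining panel is updated.
 */
function errorReport(string) {
   for (var cnt = 1; cnt <= 2; cnt++) {
      var err = document.getElementById('erreport'+cnt);
      if (!err) continue;   /* panel not present on this page */
      err.style.display = 'block';
      err.innerHTML += string;
   }
}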
</script>
<style type="text/css">
html { font-family: arial, verdana, sans-serif; font-size:12pt; margin:1em; }
h1 { font-size:124%; font-style:bold;
     margin-top:1em; margin-bottom:0.5em; }
h2 { font-size:120%; font-style:bold;
     margin-top:1.1em; margin-bottom:0.4em; }
h3 { font-size:116%; font-style:bold;
     margin-top:1.0em; margin-bottom:0.3em; }
h4 { font-size:112%; font-style:bold;
     margin-top:1.1em; margin-bottom:0.3em; }
h5 { font-size:112%; font-style:bold; 
     margin-top:1.1em; margin-bottom:0.3em; }
h6 { font-size:112%; font-style:bold; padding:0; margin:0; }

h1 .text { text-decoration:underline; }
h1 .numb { padding-right:0.8em; }
h1 .numb:empty { display:none; padding-right:0; }
h2 .numb { padding-right:0.8em; }
h2 .numb:empty { display:none; padding-right:0; }
h3 .numb { padding-right:0.8em; }
h3 .numb:empty { display:none; padding-right:0; }
h4 .numb { padding-right:0.8em; }
h4 .numb:empty { display:none; padding-right:0; }
h5 .numb { display:none; padding-right:0; }
h6 .numb { display:none; padding-right:0; }

kbd { font-family:monospace; }

noscript { font-size:1.2em; }

p { line-height:1.1em; margin-top:1em; margin-bottom:1em; }

.chunk { font-size:130%; text-decoration:underline; }
.head {}
.high {}
.bold { font-weight:bold; }
.center { text-align:center; }
.italic { font-style:italic; }
.left { text-align:left; }
.nowrap { white-space:nowrap; }
.prewrap { white-space:pre; }
.right { text-align:right; }
.strike { text-decoration:line-through; }
.under { text-decoration:underline; }

.backlight { background-color:#f2f2f2; }
.display0 { display:none; }

img { max-width:100%; }
.imglink { }

.link { }
.blank { }

.list { margin-bottom:1em; }
.list li { margin-top:0.5em; }
.list0 li { margin-top:0; }
.item {}

.tabl { border-collapse:collapse; text-align:left; margin:0.4em 2em 0.5em 2em; }
.tabu { border-collapse:collapse; text-align:right; margin:0.4em 2em 0.5em 2em; }

.tabr { vertical-align:top; }
.tabh { padding:0.2em 0 0 2em; margin:0; }
.tabd { padding:0.1em 0 0 2em; margin:0; }
.tabh:first-of-type, td:first-of-type { padding-left:0; }

.tabu .tabh,
.tabu .tabd { border:1px solid gray; padding:0.2em 0.3em 0.2em 0.3em; }
.tab0 { border:none; visibility:hidden; max-width:1em; 
        white-space:nowrap; overflow:hidden; }

.tabauto { margin-left:auto; margin-right:auto; }

.tabr:empty { height:0.2em; }
.tabu .tabh:empty, .tabu .tabd:empty { border:none; visibility:hidden; }

.error { font-size:110%; color:black; background-color:yellow;
         font-family:sans-serif; font-weight:bold; font-style:normal;
         width:95%; border:solid 1px gray; padding:0.5em 1em 0.5em 1em; }
.error::before { content:'\026a0\00a0'; }
.image { }
.page { width:98%; border:1px dashed gray; margin:1.5em 0 1.8em 0; }
.epage { width:98%; border:1px dashed black; margin:1.5em 0 1.8em 0; }
.monosp { font-family:monospace; }
.ppage { display:none; }
.simple { list-style-type:none; }
.valtop { vertical-align:top; }
.valmid { vertical-align:middle; }
.valbot { vertical-align:bottom; }

.code { border-style:solid; border-width:0 0 0 1px; padding-left:1em;
        font-family:monospace; white-space:pre; }
.block { }
.blockof { margin:0.4em 2em 0.5em 2em; }
.example { border-style:dashed; border-width:0 0 0 1px; padding-left:1em;
           margin-top:0.5em; margin-bottom:0.5em; white-space:pre; }
.indent { margin-left:2em; margin-right:2em; }
.noindent { margin-left:0; margin-right:0; }
.inblock { display:inline-block; }
.mono { white-space:pre; font-family:monospace; }
.note { margin:0.4em 2em 0.5em 2em; page-break-inside:avoid; }
.note h5 { margin-top:0 }
.note_hr { width:80%; border:1px solid gray; }
.prop { padding-left:1em; margin-top:0.5em; margin-bottom:0.5em; }
.quote { border-style:dashed; border-width:0 0 0 1px; padding-left:1em;
         margin-top:0.5em; margin-bottom:0.5em; }
.this { display:none; }

a:link,a:visited { color:black; text-decoration:none; }
a:hover,a:active { text-decoration:underline; }
a:focus { outline:0; } 

:target:before { content:''; display:block; height:0.1em; margin:-0.1em; }
a.link:link, a.link:visited,a.link:active 
{ color:midnightBlue; text-decoration:underline; text-decoration-style:solid; }

.TOC1cols1 { width:80%; max-width:80%; }
.TOC1cols2 { column-count:2; width:80%; max-width:80%; }
.TOC1cols3 { column-count:3; max-width:90%; max-width:90%; }
.TOC1cols4 { column-count:4; max-width:100%; max-width:100%; }
.TOC1table { margin-left:2em; white-space:nowrap; break-inside:auto; }
.TOC1table tr { vertical-align:top; text-align:left; break-inside:avoid; break-after:auto; }
.TOC1table td+td { padding:0 0 0 0.5em; }
.TOC1table .numb { width:3em; max-width:3em; }
.TOC1table .sepr { width:5em; max-width:6em; overflow:hidden; }
.TOC1table .majr { font-weight:bold; }
.TOC1table .text { white-space:normal; }

/* These are due to Firefox (at least <= 76) recalcitrant multi-column handling.
   Web search "Split table into css columns, issue in Firefox" (stackoverflow).
   "Good grief, Charlie Brown!" */
 
.TOC1cols2 table,
.TOC1cols2 tbody,
.TOC1cols2 tr,
.TOC1cols3 table,
.TOC1cols3 tbody,
.TOC1cols3 tr,
.TOC1cols4 table,
.TOC1cols4 tbody,
.TOC1cols4 tr { display:block; padding:0; }

.TOC2cols1 { width:60%; max-width:60%; }
.TOC2cols2 { column-count:2; width:70%; max-width:70%; }
.TOC2cols3 { column-count:3; width:80%; max-width:80%; }
.TOC2cols4 { column-count:4; width:90%; max-width:90%; }
.TOC2table { margin-left:2em; white-space:nowrap; break-inside:auto; }
.TOC2table tr { vertical-align:top; text-align:left; break-inside:avoid; break-after:auto; }
.TOC2table .numb { font-weight:bold; padding-right:0.5em; }
.TOC2table .text { width:100%; white-space:normal; }

/* see "recalcitrant" above */
.TOC2cols2 table,
.TOC2cols2 tbody,
.TOC2cols2 tr,
.TOC2cols3 table,
.TOC2cols3 tbody,
.TOC2cols3 tr,
.TOC2cols4 table,
.TOC2cols4 tbody,
.TOC2cols4 tr { display:block; padding:0; }

.NAVtable { margin:0.1em 0 0 2em; }
.NAVtable td { font-size:110%; font-weight:bold; padding:0; margin:0; }
.NAVtable a { padding:0 0.5em 0 0.5em; text-decoration:none; }

.IDXcols1 { width:80%; max-width:80%; }
.IDXcols2 { column-count:2; width:90%; max-width:90%; }
.IDXcols3 { column-count:3; width:95%; max-width:95%;  }
.IDXcols4 { column-count:4; width:100%; max-width:100%;  }
.IDXtable { margin:1em 0 1em 2em; white-space:nowrap; break-inside:auto; }
.IDXtable tr { vertical-align:top; text-align:left; break-inside:avoid; break-after:auto; }
.IDXtable .alpha { font-weight:bold; min-width:2em; }
.IDXtable .text  { width:100%; white-space:normal; }
.IDXtable .para:before { content:'\00b6\00a0'; }

/* see "recalcitrant" above */
.IDXcols2 table,
.IDXcols2 tbody,
.IDXcols2 tr,
.IDXcols3 table,
.IDXcols3 tbody,
.IDXcols3 tr,
.IDXcols4 table,
.IDXcols4 tbody,
.IDXcols4 tr { display:block; padding:0; }

.insight { background-color:cyan; font-family:monospace;
           padding:0 0.2em 0 0.2em; margin:0 0.2em 0 0.2em;
           font-size:100%; font-style:normal; font-weight:normal;
           text-decoration:none; }

.wasdoc { font-family: "Lucida Console", Monaco, monospace; 
          letter-spacing:-0.07em; }

@media screen { .blank::after { content:"\2924"; } 
                .print { display:none; }
}

@media print {
   table { page-break-inside:avoid; }
   .noprint { display:none; }
   .page { border:none; page-break-after: always; }
   .epage { display:none; }
   .ppage { page-break-after:always; }
   .NAVtable { display:none; }
   .NAVprint { display:block!important; }
}

@page { margin:2cm 1cm 2cm 1cm;  }
</style>
<!-- source:0000_config.wasdoc -->

<style type="text/css">._smiley::after { font-size:150%; vertical-align:middle; content:'\263a' }</style>
<style type="text/css">._frowny::after { font-size:150%; vertical-align:middle; content:'\2639' }</style>

<a id="0." href="#"></a>
<title>WASD Configuration &ndash; Security Considerations</title>
<a id="3." href="#"></a>
<a id="3.securityconsiderations" href="#"></a>
<a id="securityconsiderations" href="#"></a>
<h1 class="head chunk">WASD Configuration</h1>
<h1 class="head"><span class="numb">3.</span><span class="text">Security Considerations</span></h1>

<div class="TOC2cols2">
<table class="TOC2table">
<tr><td><a href="config003.html#3.1.serverandsitetesting"><span class="numb">3.1</span><span class="text">Server and Site Testing</span></a>
<tr><td><a href="config003.html#3.2.recommendedpackagesecurity"><span class="numb">3.2</span><span class="text">Recommended Package Security</span></a>
<tr><td><a href="config003.html#3.3.maintainingpackagesecurity"><span class="numb">3.3</span><span class="text">Maintaining Package Security</span></a>
<tr><td><a href="config003.html#3.4.independentpackageandlocalresources"><span class="numb">3.4</span><span class="text">Independent Package and Local Resources</span></a>
<tr><td><a href="config003.html#3.5.configuration"><span class="numb">3.5</span><span class="text">Configuration</span></a>
<tr><td><a href="config003.html#3.5.1.directorylistings"><span class="numb">3.5.1</span><span class="text">Directory Listings</span></a>
<tr><td><a href="config003.html#3.5.2.serverreports"><span class="numb">3.5.2</span><span class="text">Server Reports</span></a>
<tr><td><a href="config003.html#3.5.3.scripting"><span class="numb">3.5.3</span><span class="text">Scripting</span></a>
<tr><td><a href="config003.html#3.5.4.serversideincludes"><span class="numb">3.5.4</span><span class="text">Server Side Includes</span></a>
<tr><td><a href="config003.html#3.6.scripting"><span class="numb">3.6</span><span class="text">Scripting</span></a>
<tr><td><a href="config003.html#3.7.authorization"><span class="numb">3.7</span><span class="text">Authorization</span></a>
<tr><td><a href="config003.html#3.8.miscellaneousissues"><span class="numb">3.8</span><span class="text">Miscellaneous Issues</span></a>
<tr><td><a href="config003.html#3.9.siteattacks"><span class="numb">3.9</span><span class="text">Site Attacks</span></a>
<tr><td><a href="config003.html#3.10.contentsecuritypolicycsp"><span class="numb">3.10</span><span class="text">Content Security Policy (CSP)</span></a>
</table>
</div>


<p> This section does not pretend to be a complete guide to keeping the
&quot;bad guys&quot; out.  It does provide a short guide to controlling how
liberal the server is in the information it supplies about the site and
itself.  The reader is also strongly recommended to consult the many print
and Web-based resources on this topic.

<p> The WASD package had its genesis in making the VMS operating system and
associated resources, in a development environment, available via Web
technology.  For this reason configurations can be made fairly liberal,
providing information of use in a technical environment, but that may be
superfluous or less-than-desirable in other, possibly commercial environments. 
For instance, directory listings can contain VMS file system metadata, and
error reports can be generated with similar references along with source code
module and line information.  Every such detail is reconnaissance for an
attacker: it reveals file system layout and internal code structure and so
narrows the search for something to exploit.

<p> The example configuration files contain a fairly restrictive set of
directives.  When relaxing these recommendations keep in mind that the more
information available about the underlying structure of the site the more
potential for subversion.  Do not enable functionality that contributes nothing
to the fundamental usefulness of the site, or that has the real potential to
compromise any given site.  This section refers to configuration directives
discussed in more detail in later chapters.

<p> It is established wisdom that the only secure computing system is one
with no users and no access, that system security is inversely proportional to
system usability, and that making something idiot-proof results in only idiots
using it.  So there are some trade-offs but &hellip; 

<div class="note">
<a id="3.0.0.0.1" href="#"></a>
<a id="3.dontthinkitcanthappentoyou" href="#"></a>
<a id="dontthinkitcanthappentoyou" href="#"></a>
<h5 class="head center"><span class="text">don't think it can't happen to you!</span></h5>
<hr class="note_hr">

A systematic investigation of installed WASD packages by well-known IT
professional Jean-loup Gailly during September 2002 revealed a couple of
significant implementation flaws which, compounded by notable instances of
sloppy management practices on two public sites, resulted in site compromise
(one was mine).

<p class="indent"> <a class="link blank" target="_blank" href="/wasd_root/doc/misc/wasd_advisory_020925.txt">WASD_ROOT:[WASDOC.MISC]WASD_ADVISORY_020925.TXT</a>
<br> <a class="link blank" target="_blank" href="https://www.cvedetails.com/cve/CVE-2002-1825">https://www.cvedetails.com/cve/CVE-2002-1825</a> 

<p> This research has resulted in these server flaws being closed and package
security considerations being extensively reviewed.  As a result WASD v8.1 was
much more resistant to such penetration than previous releases (and slightly
less easy to use, but that's one of those trade-offs).  My assessment would be
that if Gailly did not find it then it wasn't there to find &ndash; at least at
the time.  A clean assessment is a snapshot, not a guarantee; new code, new
configurations and new attack techniques all warrant re-testing (see 3.1).

<p> Of course any given site's security is a function of the underlying
package's security profile, with the site's implementation of that, AND other
considerations such as local authorization and script implementations.  Pay
particular and ongoing attention to site security and integrity.

<hr class="note_hr">
</div>

<a id="3.1" href="#"></a>
<a id="3.1.serverandsitetesting" href="#"></a>
<a id="serverandsitetesting" href="#"></a>
<h2 class="head"><span class="numb">3.1</span><span class="text">Server and Site Testing</span></h2>

<p> This is the merest of mentions for a topic that literally encompasses
volumes!

<p> Each site is very much an individual combination of configurations and
applications.  Each site therefore has specific potential vulnerabilities that
should be known about and addressed where possible.  Especially if you have an
Internet-facing site then <span class="high bold">this means you!</span>

<p> Many tools exist at the time of writing that did not exist fifteen years
earlier, when WASD was investigated as described above.  Some are on-line,
&quot;free&quot; site health checks and penetration tests; bear in mind that
submitting a site to such a service discloses details of it (and of any
findings) to a third party, and that only sites you are authorised to test
should ever be scanned.  Others are tools that can (often) be run from your
platform of choice, many of which are free and open-source (FOSS).  We are
spoiled for choice.

<p> In WASD's earlier years tools such as <span class="high italic">Apache Bench</span>,
<span class="high italic">WASD Bench</span>, along with batched <span class="high italic">cURL</span> and
<span class="high italic">wget</span> requests were used to exercise and, in some limited fashion,
<span class="high italic">fuzz</span> the server (providing invalid, unexpected, or random request
data) in an effort to discover flaws in server code and execution.

<p> Currently the WASD development bench uses the OWASP ZAP tool to provide a
much more comprehensive exercise and test environment.

<div class="note">
<a id="3.1.0.0.1" href="#"></a>
<a id="3.1.owaspzap" href="#"></a>
<a id="owaspzap" href="#"></a>
<h5 class="head center"><span class="text">OWASP ZAP</span></h5>
<hr class="note_hr">

&quot;Zed Attack Proxy (ZAP) is a free, open-source penetration
testing tool being  maintained under the umbrella of the Open Web Application
Security Project (OWASP). ZAP is designed specifically for testing web
applications and is both flexible and extensible.
<br>&hellip;<br>
ZAP provides functionality for a range of skill levels from developers, to
testers new to security testing, to security testing specialists. ZAP has
versions for each major OS and Docker, so you are not tied to a single OS.
Additional functionality is freely available from a variety of add-ons in the
ZAP Marketplace, accessible from within the ZAP client.&quot;

<p class="indent"> <a class="link blank" target="_blank" href="https://www.zaproxy.org">https://www.zaproxy.org</a>

<hr class="note_hr">
</div>

<p> ZAP is cross-platform (Linux, macOS, Windows, other), GUI-based,
Java-implemented, and may be used effectively, though certainly not to its full
capabilities, after fifteen minutes with the introductory documentation. 
<span class="high bold">ZAP is a highly recommended tool for site vulnerability
assessment.</span>

<p> ZAP is used to exercise the in-development WASD, in particular the
following aspects (not in any particular order).

<ul class="list">

<li class="item"> <span class="high bold">Traffic Loading &ndash; </span>
server behaviour under load; continuing to process correctly while not
exhibiting bottlenecks in performance, or worse, failing with soft (internal
assertion checking) or hard (e.g. ACCVIO) bugchecks.  Latency in AST-based
processing often reveals subtle dependencies, race conditions, or other
timing-related issues.  ZAP allows a configurable number of concurrent requests
when both spidering and vulnerability scanning.

<li class="item"> <span class="high bold">Graded Alerts &ndash; </span>
reports and counts of known attack vectors or general recommendations after
spidering or penetration scans.  These are flagged as high, medium or low risk,
provide descriptions with references, and a quick overview of mitigation
strategies.  Each instance encountered during the scan has the request-response  
data available for analysis allowing specific cases to be identified and
mitigated.

<li class="item"> <span class="high bold">Directory Traversal &ndash; </span>
(also known as path traversal) aims to access files and directories that are
stored outside the server root, web root or web application folders.  By
manipulating data that reference files with <span class="high italic">dot-dot-slash</span> (../)
sequences and their variations (URL-encoded, double-encoded or otherwise
obscured forms of the same thing), or by using absolute file paths, it may be
possible to access arbitrary files and directories stored on the server or in
the general file system.  Decoding and normalising a path <span class="high italic">before</span>
checking it against the permitted tree is the essential defence.

<li class="item"> <span class="high bold">Data Injection &ndash; </span>
covers a variety of attacks where request parameters are used to execute (CLI)
commands, SQL queries, interpreted script code (e.g. JavaScript, PHP), or
platform-executable binary code.  Injecting encoded or obscured data into an
HTTP request via the query-string or header field values is a common vector. 
Lack of appropriate data validation underlies injection vulnerability.

<li class="item"> <span class="high bold">Buffer Overflow &ndash; </span>
the overwriting of memory fragments of the process, which should never be
modified intentionally or unintentionally.  HTTP requests with unusually large
or otherwise unintended header field values, or web application input fields
designed for small, fixed-length, or specific type data are obvious targets. 
Fuzzing requests can often induce this.

<li class="item"> <span class="high bold">Request Fuzzing &ndash; </span>
where malformed or spurious data is automatically generated and injected
into the  processing in an effort to induce unexpected behaviour or failure. 
In web environments this can include the HTTP protocol itself, the specific
implementation of some capability of the server, and any scripting environment
or web application hosted on a server.

<li class="item"> <span class="high bold">Cross Site Scripting &ndash; </span>
where a malicious web element such as JavaScript, HTML, or other browser-side
code is injected into otherwise benign and trusted web content.  The usual
vector is request data (query string, form fields, header values) that the
server or application echoes into a response without adequate validation or
output encoding, so that the attacker's code then executes in the victim's
browser with the trusted site's origin and privileges.

</ul>

<p> It should be noted that these are provided &quot;out-of-the-box&quot;, are a
subset of that <span class="high italic">out-of-the-box</span> functionality of particular interest
in WASD development, and utilise only a tiny percentage of ZAP's total
capabilities.

<a id="3.1.0.0.2" href="#"></a>
<a id="3.1.zapandhttp2" href="#"></a>
<a id="zapandhttp2" href="#"></a>
<h5 class="head"><span class="text">ZAP and HTTP/2</span></h5>

<p> At the time of writing, OWASP ZAP does not support the HTTP/2 protocol.  The
solution for exercising WASD is to use the <span class="high italic">nghttpx</span> proxy utility.

<ul class="list simple list0">
<li class="item"> <a class="link blank" target="_blank" href="https://nghttp2.org/documentation/nghttpx.1.html">https://nghttp2.org/documentation/nghttpx.1.html</a>
<li class="item"> <a class="link blank" target="_blank" href="https://nghttp2.org/documentation/nghttpx-howto.html">https://nghttp2.org/documentation/nghttpx-howto.html</a>
</ul>

<p> It can be configured to accept HTTP and HTTPS connections at the front end
(ZAP) and convert HTTP/1.1 requests to HTTP/2 requests at the back end (WASD). 
This introduces a proxy like this:

<div class="drawing dfont draw indent">
<style>
.dhflip { display:inline-block;transform:rotate(180deg); }
.dvflip { display:inline-block;transform:rotate(-180deg); }
.dnoflip { display:inline-block;transform:rotate(360deg); }
.dfont { font-family:monospace;font-size:1em;line-height:0.9em;line-spacing:0em; }
</style>
&#x250c;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2510;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x250c;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2510;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x250c;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2510;<br>
&#x2502;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x2502;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x2502;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x2502;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x2502;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x2502;<br>
&#x2502;&nbsp;OWASP&nbsp;ZAP&nbsp;&#x2502;<span class="dnoflip">&#x25c4;</span>&#x2500;&#x2500;HTTP/1.1&#x2500;&#x2500;<span class="dhflip">&#x25c4;</span>&#x2502;&nbsp;&nbsp;nghttpx&nbsp;&nbsp;&nbsp;&#x2502;<span class="dnoflip">&#x25c4;</span>&#x2500;&#x2500;&#x2500;HTTP/2&#x2500;&#x2500;&#x2500;<span class="dhflip">&#x25c4;</span>&#x2502;&nbsp;&nbsp;&nbsp;&nbsp;WASD&nbsp;&nbsp;&nbsp;&nbsp;&#x2502;<br>
&#x2502;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x2502;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x2502;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x2502;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x2502;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x2502;<br>
&#x2514;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2518;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x2514;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2518;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x2514;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2518;<br>
</div>


<p> The ZAP and <span class="high italic">nghttpx</span> can be run on the same or independent systems.

<p> On a suitable platform (Linux, macOS, MS Windows &ndash; not ported to VMS) use
this at the command-line.

<div class="blockof code">nghttpx --frontend '0.0.0.0,<span class="high italic">port</span>;no-tls' \
--backend '<span class="high italic">WASD-server</span>,443;;tls;proto=h2' --insecure \
--workers=<span class="high italic">integer</span> --backend-http2-max-concurrent-streams=<span class="high italic">integer</span>
</div>

<p> Where 0.0.0.0 is any address on the <span class="high italic">nghttpx</span> platform and <span class="high italic">port</span> the IP
port on that platform ZAP will connect to.  If ZAP runs on the same system,
prefer 127.0.0.1 to 0.0.0.0; as shown the front end is a plaintext,
unauthenticated proxy into the WASD system and should not be reachable from
anything other than the test client.  The <span class="high italic">WASD-server</span> is the host name
or address of the WASD system with port the usual 443.  The <span class="high monosp">--insecure</span>
option disables verification of the WASD server's TLS certificate; this is
acceptable on a closed test bench using a self-signed certificate but should
never be used where the path carries anything other than test traffic, since
it leaves the back-end connection open to interception.  The <span class="high monosp">--workers</span>
integer is the number of threads used on the platform, and
<span class="high monosp">--backend-http2-max-concurrent-streams</span> limits the number of concurrent
HTTP/2 streams on each back-end connection maintained to the WASD system.  The
number of concurrent requests is determined by ZAP concurrency.

<p> For example:

<div class="blockof code">nghttpx --frontend '0.0.0.0,1280;no-tls' \
--backend 'klaatu.private,443;;tls;proto=h2' --insecure \
--workers=5 --backend-http2-max-concurrent-streams=5
</div>

<a id="3.2" href="#"></a>
<a id="3.2.recommendedpackagesecurity" href="#"></a>
<a id="recommendedpackagesecurity" href="#"></a>
<h2 class="head"><span class="numb">3.2</span><span class="text">Recommended Package Security</span></h2>

<p> The following table provides recommended file protection settings for
package top-level directories.  Subdirectories share their parents' settings. 
The package tree is owned by the SYSTEM account.  Directories with world READ
access have no ACLs.  Other directories, not accessible to the world, but
sometimes having other degrees of access to one or more accounts always have
rights identifiers (see below) and associated ACLs to control directory access,
and to propagate required access to files created beneath them. The server
selectively enables SYSPRV to provide access to some of these areas (e.g. for
log creation).

<p> Some pre-v8.1 directories are not included in this table.  These are
not significant in versions from 8.1 onwards and may be deleted.  They can
continue to exist however and the security procedures described below ensure
that they comply to the general post-8.1 security model.  The file access
permissions indicated below are for directory contents.  The directory files
themselves have settings appropriate for content access.

<a id="3.2.0.0.1" href="#"></a>
<a id="3.2.packageaccess" href="#"></a>
<a id="packageaccess" href="#"></a>
<h5 class="head"><span class="text">Package Access</span></h5>

<table class="tabl">
<tr class="tabr under">
<th class="tabh">Directory
<th class="tabh">Access<br>World
<th class="tabh">Access<br>Other
<th class="tabh">Description
<tr class="tabr">
<tr class="tabr backlight">
<td class="tabd"><span class="high monosp">[AXP-BIN]</span>
<td class="tabd">none
<td class="tabd">script:RE
<td class="tabd">Alpha executable script files
<tr class="tabr">
<td class="tabd"><span class="high monosp">[AXP]</span>
<td class="tabd">none
<td class="tabd">none
<td class="tabd">Alpha build and utility area
<tr class="tabr backlight">
<td class="tabd"><span class="high monosp">[CGI-BIN]</span>
<td class="tabd">none
<td class="tabd">script:RE
<td class="tabd">architecture-neutral script files
<tr class="tabr">
<td class="tabd"><span class="high monosp">[EXAMPLE]</span>
<td class="tabd">read
<td class="tabd">(world)
<td class="tabd">package examples
<tr class="tabr backlight">
<td class="tabd"><span class="high monosp">[EXERCISE]</span>
<td class="tabd">read
<td class="tabd">(world)
<td class="tabd">package test files
<tr class="tabr">
<td class="tabd"><span class="high monosp">[HTTP&dollar;NOBODY]</span>
<td class="tabd">none
<td class="tabd">script:RWED
<td class="tabd">scripting account default home area
<tr class="tabr backlight">
<td class="tabd"><span class="high monosp">[HTTP&dollar;SERVER]</span>
<td class="tabd">none
<td class="tabd">server:RWED
<td class="tabd">server account default home area
<tr class="tabr">
<td class="tabd"><span class="high monosp">[IA64-BIN]</span>
<td class="tabd">none
<td class="tabd">script:RE
<td class="tabd">Itanium executable script files
<tr class="tabr backlight">
<td class="tabd"><span class="high monosp">[IA64]</span>
<td class="tabd">none
<td class="tabd">none
<td class="tabd">Itanium build and utility area
<tr class="tabr">
<td class="tabd"><span class="high monosp">[INSTALL]</span>
<td class="tabd">read
<td class="tabd">(world)
<td class="tabd">installation, update and security procedures
<tr class="tabr backlight">
<td class="tabd"><span class="high monosp">[LOCAL]</span>
<td class="tabd">none
<td class="tabd">none
<td class="tabd">site configuration files
<tr class="tabr">
<td class="tabd"><span class="high monosp">[LOG]</span>
<td class="tabd">none
<td class="tabd">none
<td class="tabd">site access logs
<tr class="tabr backlight">
<td class="tabd"><span class="high monosp">[LOG_SERVER]</span>
<td class="tabd">none
<td class="tabd">server:RWED
<td class="tabd">server process (SYS&dollar;OUTPUT) logs
<tr class="tabr">
<td class="tabd"><span class="high monosp">[RUNTIME]</span>
<td class="tabd">read
<td class="tabd">(world)
<td class="tabd">graphics, help files, etc.
<tr class="tabr backlight">
<td class="tabd"><span class="high monosp">[SCRATCH]</span>
<td class="tabd">none
<td class="tabd">script:RWED
<td class="tabd">working file space for scripts
<tr class="tabr">
<td class="tabd"><span class="high monosp">[SCRIPT]</span>
<td class="tabd">none
<td class="tabd">none
<td class="tabd">example architecture-neutral scripts
<tr class="tabr backlight">
<td class="tabd"><span class="high monosp">[SRC]</span>
<td class="tabd">none
<td class="tabd">(world)
<td class="tabd">package source files
<tr class="tabr">
<td class="tabd"><span class="high monosp">[STARTUP]</span>
<td class="tabd">none
<td class="tabd">server:RE
<td class="tabd">package startup procedures
<tr class="tabr backlight">
<td class="tabd"><span class="high monosp">[X86_64-BIN]</span>
<td class="tabd">none
<td class="tabd">script:RE
<td class="tabd">x86-64 executable script files
<tr class="tabr">
<td class="tabd"><span class="high monosp">[X86_64]</span>
<td class="tabd">none
<td class="tabd">none
<td class="tabd">x86-64 build and utility area
<tr class="tabr backlight">
<td class="tabd"><span class="high monosp">[WASDOC]</span>
<td class="tabd">read
<td class="tabd">(world)
<td class="tabd">package documentation
</table>

<p> It is recommended site-specific directories have settings applied
appropriate to their function in comparison to similar package directories. 
See below for tools to assist in this.

<p> Three rights identifiers provide selective access control to
the directory tree.  Identifiers were used to allow maximum flexibility for a
site in allowing required accounts access to either execute the server or
execute scripts.  Non-default account names only need to be granted one of
these identifiers to be provided with that role's access.  Installation, update
and/or security utilities create and maintain these identifiers appropriately.

<a id="3.2.0.0.2" href="#"></a>
<a id="3.2.rightsidentifiers" href="#"></a>
<a id="rightsidentifiers" href="#"></a>
<h5 class="head"><span class="text">Rights Identifiers</span></h5>

<table class="tabl">
<tr class="tabr under">
<th class="tabh">Identifier
<th class="tabh">Description
<tr class="tabr">
<tr class="tabr">
<td class="tabd">WASD_HTTP_SERVER
<td class="tabd">Indicates the default server account.
<tr class="tabr">
<td class="tabd">WASD_HTTP_NOBODY
<td class="tabd">Indicates the default scripting account.
<tr class="tabr">
<td class="tabd">WASD_IGNORE_THIS
<td class="tabd">Looked for by the SECHAN utility to avoid it
changing security on site-specific files.
</table>

<p> These rights identifiers are applied to directories and files to provide
the required level of access.  The following example shows the security setting
of the top-level CGI-BIN.DIR and one of its content files.

<div class="blockof code">&dollar; DIRECTORY /SECURITY CGI-BIN.DIR

Directory WASD_ROOT:[000000]

CGI-BIN.DIR;1        [SYSTEM]                         (RWED,RWED,,)
          (IDENTIFIER=WASD_HTTP_SERVER,ACCESS=EXECUTE)
          (IDENTIFIER=WASD_HTTP_NOBODY,ACCESS=EXECUTE)
          (IDENTIFIER=*,ACCESS=NONE)
          (IDENTIFIER=WASD_HTTP_NOBODY,OPTIONS=DEFAULT,ACCESS=READ+EXECUTE)
          (IDENTIFIER=*,OPTIONS=DEFAULT,ACCESS=NONE)
          (DEFAULT_PROTECTION,SYSTEM:RWED,OWNER:RWED,GROUP:,WORLD:)

Total of 1 file.
&dollar; DIRECTORY /SECURITY [CGI-BIN]CGI_SYMBOLS.COM

Directory WASD_ROOT:[CGI-BIN]

CGI_SYMBOLS.COM;1    [SYSTEM]                         (RWED,RWED,,)
          (IDENTIFIER=WASD_HTTP_NOBODY,ACCESS=READ+EXECUTE)
          (IDENTIFIER=*,ACCESS=NONE)

Total of 1 file.
</div>

<a id="3.3" href="#"></a>
<a id="3.3.maintainingpackagesecurity" href="#"></a>
<a id="maintainingpackagesecurity" href="#"></a>
<h2 class="head"><span class="numb">3.3</span><span class="text">Maintaining Package Security</span></h2>

<p> As noted above, WASD version 8.1 and later is much more conservative in
what it makes generally available from the package tree, and a site
administrator now has to take extraordinary measures to open up certain
sections, making it a much more difficult and deliberate action.  The package
installation, update and security procedures and their associated utilities
should always be used to ensure that the installed package continues to conform
to the security baseline.

<p> Package security may be &quot;refreshed&quot; or reapplied at any time, and
this should be done periodically to ensure that an installed package has not
inadvertently been opened to access where it shouldn't have.  Of course this
is not a guarantee that any given site is secure.  Site security is a function
of many factors; package vulnerabilities, site configuration, deployed scripts,
cracker determination and expertise, etc., etc.  What refreshing the security
baseline does is provide a known secure (and WASD-community scrutinized)
starting point.  It should be used as part of a well considered site security
maintenance program.

<a id="3.3.0.0.1" href="#"></a>
<a id="3.3.securecom" href="#"></a>
<a id="securecom" href="#"></a>
<h5 class="head"><span class="text">SECURE.COM</span></h5>

<p> The following DCL procedure resets the package security baseline.

<div class="blockof code">&dollar; @WASD_ROOT:[INSTALL]SECURE.COM
</div>

<p> It guides the administrator through a number of stages

<ul class="list list0">
<li class="item"> introductory notes
<li class="item"> server account
<li class="item"> scripting account
<li class="item"> package tree security settings
</ul>

<p> of which each one may be declined.  After all of these steps it searches
for and executes if found the DCL procedure WASD_ROOT:[INSTALL]SECURE.COM. 
The intent of this file is to allow a site to automatically update any
site-specific security settings (and of course modify any set by the main
procedure).

<a id="3.3.0.0.2" href="#"></a>
<a id="3.3.sechanutility" href="#"></a>
<a id="sechanutility" href="#"></a>
<h5 class="head"><span class="text">SECHAN Utility</span></h5>

<p> The SECHAN utility (pronounced &quot;session&quot;) is used by
SECURE.COM and the associated procedures to make file system security settings. 
It is also available for direct use by the site administrator.

<p> One of the more useful functions of SECHAN is applied using the /IGNORE
qualifier.

<ul class="list">

<li class="item"> <span class="high bold">IGNORE &ndash; </span>
adds an ACE containing the rights identifier WASD_IGNORE_THIS to the target
file(s) which results in security settings not being applied in the future. 
When applying settings the SECHAN utility first checks whether a file has this
ACE and if so ignores the file.  This is an effective method for isolating
site-specific settings from changes by this utility.

<div class="blockof code">&dollar; SECHAN /IGNORE WASD_ROOT:[CGI-BIN]MY_SCRIPT.COM
&dollar; SECHAN /IGNORE WASD_ROOT:[LOCAL]*.DAT
&dollar; SECHAN /IGNORE WEB:[DATA...]*.*
&dollar; SECHAN /IGNORE WEB:[000000]DATA.DIR
</div>

<p> This ACE can be removed from a file (leaving other entries of any ACL
intact) using the /NOIGNORE qualifier.  This returns the file(s) subject again
to the SECHAN utility.

<div class="blockof code">&dollar; SECHAN /NOIGNORE WASD_ROOT:[CGI-BIN]MY_SCRIPT.COM
&dollar; SECHAN /NOIGNORE WASD_ROOT:[LOCAL]*.DAT
</div>

<li class="item"> <span class="high bold">ALL &ndash; </span>
overrides the default behaviour of ignoring files that have been tagged using
the /IGNORE qualifier.  It causes the setting to be applied to ALL files.

</ul>

<p> Other functionality may prove useful when applied to local parts of the
package or web structure.

<ul class="list">

<li class="item"> <span class="high bold">PACKAGE &ndash; </span>
used alone this qualifier results in the entire WASD_ROOT:[000000...] tree
being traversed and the default package security settings applied to all
package files.  Top-level directories that the utility does not recognise as
belonging to the package are ignored.

<div class="blockof code">&dollar; SECHAN /PACKAGE
&dollar; SECHAN /PACKAGE /ALL
</div>

<li class="item"> <span class="high bold">ASIF=&lt;name&gt; &ndash; </span>
treat the supplied file specification as if it were the specified, top-level WASD
directory.  This allows a site-specific directory to have the same security
settings applied as the specified WASD package directory.

<div class="blockof code">&dollar; SECHAN /ASIF=LOCAL WEB:[DATA...]*.*
&dollar; SECHAN /ASIF=LOCAL WEB:[000000]DATA.DIR
&dollar; SECHAN /ASIF=CGI-BIN WEB:[SCRIPTS]*.*
&dollar; SECHAN /ASIF=CGI-BIN WEB:[000000]SCRIPTS.DIR
&dollar; SECHAN /ASIF=DOC WEB:[HTML...]*.*
&dollar; SECHAN /ASIF=DOC WEB:[000000]HTML.DIR
</div>

<li class="item"> <span class="high bold">NOSCRIPT &ndash; </span>
modifies the default behaviour of the /PACKAGE qualifier.  This changes the
default rights identifiers applied to ACEs on files in the [CGI-BIN] and
[AXP-BIN]/[IA64-BIN]/[X86_64-BIN] directories to disallow scripting until
manually changed by site administration.

<div class="blockof code">&dollar; SECHAN /PACKAGE /NOSCRIPT
</div>

</ul>

<p> This section provides only a basic description.  More detail may be found
in the prologue to the source code.

<a id="3.4" href="#"></a>
<a id="3.4.independentpackageandlocalresources" href="#"></a>
<a id="independentpackageandlocalresources" href="#"></a>
<h2 class="head"><span class="numb">3.4</span><span class="text">Independent Package and Local Resources</span></h2>

<p> Not only does it make it easier to manage site content but is also good
security practice to keep server package and site content completely separate
(<a class="link" href="config002.html#2.2.siteorganisation">2.2 Site Organisation</a>).

<p> This can also be applied to scripts, both source and build areas.  Keep
your business logic out of the package source tree and potentially prying eyes. 
The script executables themselves <span class="high italic">can</span> be placed into the package
scripting directories but should be built independently from these and copied
using locally maintained DCL procedures from build into scripting areas (the
WASD_ROOT:[INSTALL]SECURE.COM procedures described above may be useful here).

<a id="3.5" href="#"></a>
<a id="3.5.configuration" href="#"></a>
<a id="configuration" href="#"></a>
<h2 class="head"><span class="numb">3.5</span><span class="text">Configuration</span></h2>

<p> Various configuration and mapping directives can be used to make the site
environment more or less liberal in the information it implicitly can provide.

<a id="3.5.1" href="#"></a>
<a id="3.5.1.directorylistings" href="#"></a>
<a id="directorylistings" href="#"></a>
<h3 class="head"><span class="numb">3.5.1</span><span class="text">Directory Listings</span></h3>

<p> Published guidelines for securing a Web site generally advise against
automatic directory listing generation.  Where a home page is not available
this may leak information on other directory contents, provide parent and child
directory access, etc.  Compounding this is the WASD facility to
<span class="high italic">force</span> a listing by providing a directory URL with file wildcards
(not to decry the usefulness in some environments).

<ul class="list">

<li class="item"> <span class="high bold">[DirAccess] &ndash; </span>
make &quot;disabled&quot; to completely remove the ability to generate directory
listings under any circumstances.  Setting to &quot;selective&quot; means a
directory listing is <span class="high bold">only</span> available if the directory contains
a file named .WWW_BROWSABLE.  When made &quot;enabled&quot; a directory listing
may be produced anytime it contains no home (welcome) page.

<li class="item"> <span class="high bold">[DirWildcard] &ndash; </span>
make &quot;disabled&quot; so that requests cannot <span class="high bold">force</span> a
directory listing by supplying a URL containing a wildcard file part (when
enabled this is provided regardless of whether a home page exists or not). 

<li class="item"> <span class="high bold">[DirMetaInfo] &ndash; </span>
make &quot;disabled&quot; to prevent directory listing pages from containing, as
HTML &lt;META&gt; tags, information about the directory, most significantly the
VMS file specification for the URL path!

</ul>

<p> The mapping rule &quot;SET DIR=<span class="high italic">keyword</span>&quot; can be used to
change this on a per-path basis (<a class="link" href="config010.html#10.5.5.setrule">10.5.5 SET Rule</a>). 

<p> <span class="high bold">Conservative recommendation: </span> Set &quot;[DirAccess]
selective&quot; allowing listing for directories containing a file named
&quot;.WWW_BROWSABLE&quot;, disable [DirMetaInfo] and [DirWildcard].

<a id="3.5.2" href="#"></a>
<a id="3.5.2.serverreports" href="#"></a>
<a id="serverreports" href="#"></a>
<h3 class="head"><span class="numb">3.5.2</span><span class="text">Server Reports</span></h3>

<p> Reports are pages generated by the server, usually to indicate an error or
other non-success condition, but sometimes to indicate success (e.g. after a 
successful file upload).  Reports provide either basic or detailed information
about the situation.  Sometimes the detailed information includes VMS file
system details, system status codes etc.  To limit this information to a
minimum indication adjust the following directives.

<ul class="list">

<li class="item"> <span class="high bold">[ReportBasicOnly] &ndash; </span>
make &quot;enabled&quot; to limit the quantity of information to the minimum required to
advise of the situation.  Such reports give only the HTTP status code and brief
explanation of the code's meaning.  Note that this can also be done on a
per-path basis using mapping rules.

<li class="item"> <span class="high bold">[ReportMetaInfo] &ndash; </span>
make &quot;disabled&quot; to exclude information on the server software, source code
module and line number initiating the report.  META information may also
contain VMS file or system specific information.

<li class="item"> <span class="high bold">[ServerSignature] &ndash; </span>
make &quot;disabled&quot; to prevent the inclusion of server software, host and port
information as a footer to a report.

</ul>

<p> The mapping rule &quot;SET REPORT=<span class="high italic">keyword</span>&quot; can be used to
change some of these on a per-path basis (<a class="link" href="config010.html#10.5.5.setrule">10.5.5 SET Rule</a>). 

<p> <span class="high bold">Conservative recommendation: </span> Provide minimal error information by
enabling [ReportBasicOnly] and disabling [ReportMetaInfo].  Enable
[ServerSignature] to provide a slightly more friendly report (server software
can easily be obtained from the response header anyway).

<a id="3.5.3" href="#"></a>
<a id="3.5.3.scripting" href="#"></a>
<a id="scripting" href="#"></a>
<h3 class="head"><span class="numb">3.5.3</span><span class="text">Scripting</span></h3>

<p> If a static site is all that's required this source of compromise can simply
be avoided.

<ul class="list">

<li class="item"> <span class="high bold">[Scripting] &ndash; </span>
setting this to &quot;disabled&quot; prevents all scripting entirely.  This includes DCL
CGI and CGIplus, DECnet-based OSU and CGI, and SSI DCL (&lt;--#dcl --&gt;, &lt;--#exec
--&gt;, etc.).

</ul>

<p> <span class="high bold">Conservative recommendation: </span> Only deploy scripts your site will actually
be using.  Remove all the files associated with any other scripts.  Do not
allow obsolete script environments to remain active.  Be proactive.

<p> Also see <a class="link" href="config003.html#3.5.4.securingscripting">&lsquo;Securing Scripting&rsquo; in 3.5.4 Server Side Includes</a>.

<a id="3.5.4" href="#"></a>
<a id="3.5.4.serversideincludes" href="#"></a>
<a id="serversideincludes" href="#"></a>
<h3 class="head"><span class="numb">3.5.4</span><span class="text">Server Side Includes</span></h3>

<p> SSI documents are pages containing special markup directives interpreted by
the server and replaced with dynamic content.  This can include detail about
the server, the file or files making up the document, and can even include DCL
commands and procedure activation for supplying content into the page.  All of
this is available to anyone able to author content on the site.

<ul class="list">

<li class="item"> <span class="high bold">[SSI] &ndash; </span>
setting this to &quot;disabled&quot; prevents all Server Side Include processing
completely.

<li class="item"> <span class="high bold">[SSIexec] &ndash; </span>
setting this to &quot;disabled&quot; disallows pages from invoking DCL to supply content
for the page.  WASD provides a number of levels of this and the reader is
referred elsewhere in this and other documents for further information on what
can and cannot be done, and by whom, in these processes.

</ul>

<p> The mapping rule &quot;SET SSI=<span class="high italic">keyword</span>&quot; can be used to
change some of this on a per-path basis (<a class="link" href="config010.html#10.5.5.setrule">10.5.5 SET Rule</a>). 

<p> <span class="high bold">Conservative recommendation: </span> Disable [SSIexec].

<a id="3.5.4.0.0.1" href="#"></a>
<a id="3.5.4.securingscripting" href="#"></a>
<a id="securingscripting" href="#"></a>
<h6 class="head display0"><span class="text">Securing Scripting</span></h6>
<a id="3.6" href="#"></a>
<a id="3.6.scripting" href="#"></a>
<a id="scripting" href="#"></a>
<h2 class="head"><span class="numb">3.6</span><span class="text">Scripting</span></h2>

<p> Scripting has been a notorious source of server compromise,
particularly within Unix environments where script process shell command-line
issues require special attention.  The WASD CGI scripting interface does not
pass any arguments on the command line, and is careful not to allow
substitution when constructing the CGI environment.  Nevertheless, script
behaviours cannot be guaranteed and care should be exercised in their
deployment (ask me!)

<p> It is strongly recommended to execute scripts in an account distinct from
that executing the server. This should also mean that the accounts are not
members of the same group, nor should either account be a member of any other group. This
minimises the risk of both unintentional and malicious interference with server
operation through either Inter-Process Communication (IPC) or scripts
manipulating files used by the server. The PERSONA facility can be used to
further differentiate script activities.  See &quot;Scripting Overview&quot; for
further detail.                           

<p> The default WASD installation creates two such accounts, with distinct
UICs, usernames and home directory space.  Nothing should be assumed or read
into the scripting account username - it's just a username.

<a id="3.6.0.0.1" href="#"></a>
<a id="3.6.defaultaccounts" href="#"></a>
<a id="defaultaccounts" href="#"></a>
<h5 class="head"><span class="text">Default Accounts</span></h5>

<table class="tabl">
<tr class="tabr under">
<th class="tabh">Username
<th class="tabh">Description
<tr class="tabr">
<tr class="tabr">
<td class="tabd">HTTP&dollar;SERVER
<td class="tabd">Server Account
<tr class="tabr">
<td class="tabd">HTTP&dollar;NOBODY
<td class="tabd">Scripting Account
</table>

<p> During startup the server checks for the existence of the default scripting
account and automatically configures itself to use this for scripting.  If it
is not present it falls-back to using the server account.  Other account names
can be used if the startup procedures are modified accordingly.  The default
scripting username may be overridden using the /SCRIPT=AS=&lt;username&gt;
qualifier (also see the &quot;Scripting Overview&quot;).

<a id="3.6.0.0.1.1" href="#"></a>
<a id="3.6.securingauthorisation" href="#"></a>
<a id="securingauthorisation" href="#"></a>
<h6 class="head display0"><span class="text">Securing Authorisation</span></h6>
<a id="3.7" href="#"></a>
<a id="3.7.authorization" href="#"></a>
<a id="authorization" href="#"></a>
<h2 class="head"><span class="numb">3.7</span><span class="text">Authorization</span></h2>

<p> Authorization issues imply controlling access to various resources and
actions and therefore require careful planning and implementation if compromise
is to be avoided.  WASD has a quite capable and versatile authorization and
authentication environment, with a significant number of considerations.

<p> WASD authorization cannot be enabled without the administrator configuring
at least three resources, and therefore cannot easily be
&quot;accidentally&quot; activated.  One of these is the addition of a startup
qualifier controlling where authentication information may be sourced.  Another
is the server configuration file.  The third is the mapping of paths against
authorization configuration.

<p> For sites that may be particularly sensitive about inadvertent access to
some resources it is possible to use the authorization configuration file as a
type of <span class="high italic">cross-check</span> on the mapping configuration file.  The server
/AUTHORIZATION=ALL startup qualifier forces all access to be authorized (even
if some are marked &quot;none&quot;).  This means that if something
&quot;escapes&quot; via the mapping file it will very likely be &quot;caught&quot; by
an absence in the authorization file.

<a id="3.8" href="#"></a>
<a id="3.8.miscellaneousissues" href="#"></a>
<a id="miscellaneousissues" href="#"></a>
<h2 class="head"><span class="numb">3.8</span><span class="text">Miscellaneous Issues</span></h2>

<p> Although it is of limited usefulness, because server identity may be deduced
from behaviour and other indicators, the exact server and version may be
obscured by using the otherwise undocumented /SOFTWARE= qualifier to change the
server identification string to (basically) whatever the administrator desires. 
This identification is included as part of all HTTP response headers.

<p> Historically and by default server configuration and authorization sources
are contained within the server package tree.  There is no reason why they
cannot be located anywhere the site prefers.  Generally all that is required is
a change to logical name definition and server startup.

<a id="3.8.0.0.1" href="#"></a>
<a id="3.8.packagetree" href="#"></a>
<a id="packagetree" href="#"></a>
<h5 class="head"><span class="text">Package Tree</span></h5>

<p> Version 8.1 and later is much more conservative in what it makes available
of the package tree via the server.  The package installation, update and
security procedures and their associated utilities should always be used to
ensure that the installed package continues to conform to the security
baseline.  See <a class="link" href="config003.html#3.3.maintainingpackagesecurity">3.3 Maintaining Package Security</a>.

<p> Furthermore, with many sites there may be little need to access the full,
or any of the  WASD package tree.  A combination of mapping and/or
authorization rules can relatively simply block or control access to it.  These
examples can be easily tailored to suit a site's specific requirements.

<p> This example shows blocking all access to the /wasd_root/ tree, except for
documentation, source code, examples and exercise (performance results) areas.

<div class="blockof code"># WASD_CONFIG_MAP
pass /wasd_root/doc/*
pass /wasd_root/src/*
pass /wasd_root/example/*
pass /wasd_root/exercise/*
fail /wasd_root/*
</div>

<p> The next example forbids all access to the package tree unless authorized 
(the authorization detail would vary according to the site).  It also allows
modify access for the Server Administration page and to the /wasd_root/local/
area. 

<div class="blockof code"># WASD_CONFIG_MAP
pass /wasd_root/*

# WASD_CONFIG_AUTH
[WASD_WEB_ADMIN=id]
/httpd/-/admin/* r+w
/wasd_root/local/* r+w
/wasd_root/* r
</div>

<div class="note">
<a id="3.8.0.0.2" href="#"></a>
<a id="3.8.becareful" href="#"></a>
<a id="becareful" href="#"></a>
<h5 class="head center"><span class="text">Be careful!</span></h5>
<hr class="note_hr">
There are often multiple paths to a single resource.  For instance, it is of
little significance blocking access to say /wasd_root/doc/ if it's also possible
to access it via /doc/.
<hr class="note_hr">
</div>

<p> The following example shows how this might occur.

<div class="blockof code"># WASD_CONFIG_MAP
fail /wasd_root/doc/*
pass /* /wasd_root/*
</div>

<p> Authorization rules can be used to effectively block access to any VMS file
specification (this cannot be done during mapping because the translation from
path to file system is not performed until mapping is complete).

<div class="blockof code"># WASD_CONFIG_AUTH
if (path-translated:WASD_ROOT:[DOC]*) * none
</div>

<p> or to selectively allow access

<div class="blockof code"># WASD_CONFIG_AUTH
[[WASD_VMS_RW=id]]
if (path-translated:WASD_ROOT:[DOC]*) * read
</div>

<a id="3.9" href="#"></a>
<a id="3.9.siteattacks" href="#"></a>
<a id="siteattacks" href="#"></a>
<h2 class="head"><span class="numb">3.9</span><span class="text">Site Attacks</span></h2>

<p> This is not a treatise on Web security and the author is not a security
specialist.  This is some general advice based on observation.  There is little
one can do at the server itself to reduce a concerted attack against a site. 
Common objectives of such attacks include the following (not an exhaustive
list).

<a id="3.9.0.0.1" href="#"></a>
<a id="3.9.platformvulnerabilities" href="#"></a>
<a id="platformvulnerabilities" href="#"></a>
<h5 class="head"><span class="text">Platform Vulnerabilities</span></h5>

<p> Where a general attack is launched against a specific platform
(a combination of operating system and Web server software).  Often these are
due to wide-spread infection of systems, meaning many attacks are being
launched from a large number of systems (often without the system owners'
knowledge or cooperation).

<p> WASD, and OpenVMS in particular, are generally immune to such attacks
because  they are not Microsoft or Unix based.  The impact of the attack
becomes one of the nuisance-value traffic as the site is probed by the
(sometimes very large number of) source systems.

<a id="3.9.0.0.2" href="#"></a>
<a id="3.9.sitevulnerabilities" href="#"></a>
<a id="sitevulnerabilities" href="#"></a>
<h5 class="head"><span class="text">Site Vulnerabilities</span></h5>

<p> Where a specific attack is made against a site in an attempt to exploit a
known vulnerability associated with that platform or environment.

<p> These are perhaps the most worrying, although the
<span class="high italic">security-by-obscurity</span> element works in favour of WASD and OpenVMS
in this case.  Neither are as common as other platforms and therefore do not
receive as much attention.

<a id="3.9.0.0.3" href="#"></a>
<a id="3.9.denialofservice" href="#"></a>
<a id="denialofservice" href="#"></a>
<h5 class="head"><span class="text">Denial of Service</span></h5>

<p> Denial of service (DoS) attacks usually comprise flooding a site with
requests in an effort to consume all available network or server resources,
making it unavailable for legitimate use.

<p> These can be insidious, flooding network equipment as well as systems. 
Attempts at control are best undertaken at the periphery of the network
(routers) although concerted attacks can succeed against the best prepared
network.

<a id="3.9.0.0.4" href="#"></a>
<a id="3.9.passwordcracking" href="#"></a>
<a id="passwordcracking" href="#"></a>
<h5 class="head"><span class="text">Password Cracking</span></h5>

<p> Where a systematic attempt to break into one or more accounts is
undertaken.  These are often repeated, dictionary-based password-guessing
attacks.

<p> WASD's authentication functionality notes successive password validation
failures and after a reasonable number disables all access via the username for
a period that is extended with each further failure.  Passwords stop being
checked and so a dictionary-based attack cannot succeed.  Because the lockout
is keyed on the username, repeated failures against a known username also deny
that legitimate user for the same period, so the failure records should be
monitored.  Password validation failures can be recorded via OPCOM.

<a id="3.9.0.0.5" href="#"></a>
<a id="3.9.authorizationholes" href="#"></a>
<a id="authorizationholes" href="#"></a>
<h5 class="head"><span class="text">Authorization Holes</span></h5>

<p> Knowing of or searching for resources that should be controlled by
authorization but are not.

<p> WASD's /AUTHORIZATION=ALL functionality may assist here
(<a class="link" href="config003.html#3.6.securingauthorisation">&lsquo;Securing Authorisation&rsquo; in 3.6 Scripting</a>).

<a id="3.9.0.0.6" href="#"></a>
<a id="3.9.strategies" href="#"></a>
<a id="strategies" href="#"></a>
<h5 class="head"><span class="text">Strategies</span></h5>

<p> There are a few strategies for reducing the load on a server experiencing a
generalized attack or probing.  These can also be used to &quot;discourage&quot; the
source from considering the site an easy target.  Unfortunately most require
request acceptance and at least some processing before taking action.  The
general idea is to identify either the source site or some characteristic of
the request that indicates it could not possibly be legitimate.  Most
platform-specific attacks have such a signature.  For instance attacks against
Microsoft platforms often involve probes for backdoors into non-server
executables.  These can be identified by the path containing strings such as
&quot;/winnt/&quot;, &quot;/system32/&quot;, &quot;/cmd.exe&quot; or variations on them.  This style will be
used in examples below.

<ul class="list">

<li class="item"> If the source IP address is known then the [Reject] (and/or [Accept])
configuration directives can be used to reject the request connection very
early in the processing.  The source agent receives a message about access
being rejected.

<div class="blockof code">[Reject]
131.185.250.*
the.host.name
</div>

<li class="item"> Mapping rules in combination with conditionals may be used to redirect
the request.  This redirection could be to another, non-existent site, in the
hope that the source agent will use the supplied URL and thus divert some
activity away from the local site.

<div class="blockof code">if (remote-host:the.host.name)
   redirect * http://the.host.name/*
endif

redirect **/winnt/** http://does.not.exist/
</div>

<li class="item"> Mapping rule redirection can also be used to just &quot;drop&quot; the connection
without any further interaction or processing.  The source agent receives no
response, just a broken connection.

<div class="blockof code">if (remote-addr:131.185.250.*)
   pass * &quot;000 just drop it!&quot;
endif

pass **/system32/** &quot;000 just drop it!&quot;
</div>

<li class="item"> The <span class="high italic">hiss</span> facility returns a stream of random alpha-numeric
characters (a sort of <span class="high italic">white-noise</span>).  No response header is provided.  Such
a response might cause the source agent at best some distress (perhaps
disabling it) or at least dissuade it from continuing with more probes (as the
target is obviously not a Web server ;-)

<div class="blockof code">if (remote-addr:131.185.250.*) map * /hiss/*
script /hiss/* /hiss/*

map **/cmd.exe** /hiss/*/cmd.exe*
script /hiss/* /hiss/*
</div>

</ul>

<a id="3.10" href="#"></a>
<a id="3.10.contentsecuritypolicycsp" href="#"></a>
<a id="contentsecuritypolicycsp" href="#"></a>
<h2 class="head"><span class="numb">3.10</span><span class="text">Content Security Policy (CSP)</span></h2>

<p> Content Security Policy (CSP) is an added layer of security that helps to
detect and mitigate certain types of attacks, including Cross Site Scripting
(XSS) and data injection attacks.

<p class="indent"> <a class="link blank" target="_blank" href="https://en.wikipedia.org/wiki/Content_Security_Policy">https://en.wikipedia.org/wiki/Content_Security_Policy</a>
<br> <a class="link blank" target="_blank" href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP</a>

<div class="note center">
<a id="3.10.0.0.1" href="#"></a>
<a id="3.10.thissectionisnotanexplanationofcsp" href="#"></a>
<a id="thissectionisnotanexplanationofcsp" href="#"></a>
<h5 class="head center"><span class="text">This section is not an explanation of CSP</span></h5>
<hr class="note_hr">
The content of the above links and others like them must be understood to apply
CSP to a WASD site.
<hr class="note_hr">
</div>

<p> WASD provides CSP support using mapping rules.  See <a class="link" href="config010.html#10.5.5.setrule">10.5.5 SET Rule</a>.
WASD allows configuration of policy using the <span class="high monosp">set response=csp=<span class="high italic">policy</span></span>
rule and reporting only of policy violations using
<span class="high monosp">set response=cspro=<span class="high italic">policy</span></span>.  WASD includes a (basic) violation reporting
utility.  See
<a class="link blank" target="_blank" href="../features/#cspreporter">CSPreport[er]</a> in
<a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>.


<!-- source:0600_STRINGS.WASDOC -->
