Order Number: LJKS-REF-V029 This software is intended to assist in security assessment of VMS systems. It is not a substitute for a trained professional conducting periodic security assessments, but rather is intended to aid and assist that individual in performing the assessments on a more frequent and thorough basis than would otherwise be possible.

Information generated by this software should be treated on a confidential basis, since it constitutes a list of security vulnerabilities of your computer systems.

Revision/Update Information: Supercedes LJKS-REF-V027

Operating System and Version: VAX/VMS Version 4.2 or higher
MicroVMS Version 4.2 or higher
OpenVMS AXP Version 1.0 or higher

Software Version: LJK/Security V2.9

Copyright ©1988-2005 by LJK Software, 1 Broadway, Suite 600, Cambridge, MA 02142-1100

The following are trademarks of LJK Software:

• LJK/Security
• the LJK/Security logo

The following are trademarks of Hewlett Packard:

• AXP
• DEC
• DECnet
• DECwindows
• DEC/Shell
• DEC/Test Manager
• MicroVAX
• P.S.I.
• SEVMS
• VAX
• VAXstation
• VAXcluster
• VMS
• VMScluster

The following is a trademarks of Process Software:

• Multinet

Contents

Index

If you are a first-time reader interested in making productive use of the software as soon as possible, you should concentrate on the Overview Part.

Document Structure

This manual describes LJK/Security software and how it can be used in assessing security of VMS systems.

Overview Part

• Chapter 1, Introduction, describes the overall operational concepts of LJK/Security and gives a tutorial-order explanation of various terms (denoted in boldface throughout this manual) that have specialized meanings within the context of LJK/Security.
• Chapter 2, Installing LJK/Security, describes those steps which must be taken by the VMS system manager to get LJK/Security up and running in your environment..

User Interfaces Part

• Chapter 3, Window Interface describes how to control LJK/Security using the DECwindows graphic user interface.
• Chapter 4, Menu Interface, describes how to control LJK/Security using a character cell display terminal.
• Chapter 5, Command Interface, lists the commands available for traditional DCL-style control of LJK/Security.

Tests Part

• Chapter 6,LJK/Security Tests, lists each of the tests that can be performed by LJK/Security.

Site-Specific Customization Part

• Chapter 7, Policy Modification, discusses the uses of policy modification.
• Chapter 8, Assessment Modification, discusses the uses of assessment modification.
• Chapter 9, Using Program Call Interfaces, describes how to access LJK/Security from programs you have written in VMS programming languages.
• Chapter 10, Using LJK/Security With Removable Media, describes the differences involved in using magnetic tape or removable disks rather than DECnet for communication between the master node and tributary nodes.
• Chapter 11, Tips for Special Situations, contains hints on how to use LJK/Security in certain specific settings.

Appendices

• Appendix A, Master Node Installation, shows a sample installation of LJK/Security on a master node.
• Appendix B, Tributary Node Installation, shows a sample installation of LJK/Security on a tributary node.
• Appendix C, Moving the Software, tells how to move the software to a different node.
• Appendix D, Demonstration, describes an LJK/Security demonstration license offered at certain Trade Shows.
• Appendix E, Other VMS Security Considerations, lists VMS security considerations not amenable to generalized automated processing by products such as lreference PRODUCTLJK/Security.
• Appendix F, Files Created by LJK/Security, lists the files created by LJK/Security installation and operation.
• Appendix G, Bug Reports, tells how to report problems to LJK Software.
• Appendix H, Hints and Kinks, gives information not of general interest, such as discussion of internal operation of LJK/Security .
• Appendix I, Use of Privilege by LJK/Security, lists the use of privilege by LJK/Security.
• Appendix J, Security of LJK/Security, describes steps taken to ensure the security of LJK/Sec urity itself.
• Appendix K, Creating Policies Based on Examples, explains the example policies provided by LJK/Security for published requirement lists such as NIST Special Publication 800-53.
• Glossary gives an alphabetical-order explanation of various terms (denoted in boldface throughout this manual) that have specialized meanings within the context of LJK/Security.

Intended Audience

This manual is for use by those responsible for conducting security assessments of VMS systems using the LJK/Security software.

It is possible to use the manual and run the software without an in-depth knowledge of VMS, but when potential problems are detected, resolution will often require considerable VMS expertise on the part of the LJK/Security user, or consultation with someone else (perhaps in a system management position) who has that expertise.

LJK Software provides telephone support regarding operation of the LJK/Security software and in many cases can offer alternative methods of addressing security problems you detect. But there is often a point where security goals conflict with other goals at your site in such a fashion that considerable system management or system programming effort is required to alleviate the security weakness without unduly burdening ongoing operations. In that situation, you will need local experts with those skills.

Associated Documents

Depending upon the VMS version(s) being run, the user should be familiar with the appropriate VMS security manuals:

• Guide to VAX/VMS System Security, DEC AA-Y510A-TE (VMS V4.0)
• Guide to VAX/VMS System Security, DEC AA-Y510A-T1 (update for VMS V4.2)
• Guide to VMS System Security, DEC AA-LA40A-TE (VMS V5.0)
• Guide to VMS System Security, DEC AA-LA40B-TE (VMS V5.2)
• OpenVMS AXP Guide to System Security, DEC AA-PV5SA-TE (V1.5)
• OpenVMS VAX Guide to System Security, DEC AA-PV5RA-TE (V6.0)
• OpenVMS Guide to System Security, DEC AA-Q2HLA-TE (V6.1)
• OpenVMS Guide to System Security, DEC AA-Q2HLB-TE (V6.2)
• OpenVMS Guide to System Security, DEC AA-Q2HLC-TE (V7.1)
• OpenVMS Guide to System Security, Compaq AA-Q2HLD-TE (V7.2)
• OpenVMS Guide to System Security, Compaq AA-Q2HLE-TE (V7.3)
• OpenVMS Guide to System Security, Compaq AA-Q2HLF-TE (V7.3-1)
• OpenVMS Guide to System Security, HP AA-Q2HLG-TE (V7.3-2)

Conventions

Within LJK/Security Reference Manual, boldfaced words within normal text paragraphs have specific meanings outlined in the Glossary.

Throughout this document use of the second person ("you") or the term "user" refers to the intended reader of this manual, an individual who has been given appropriate facility-specific identifiers or is otherwise authorized to use LJK/Security as discussed in Section 5.4.

1. Include the Limit comments with results
   Comments from policy limits will be included in results from assessment of tributaries. Sites can use this to indicate the authority under which a particular policy was set, such as citing a particular organization memo or some external source such as the NIST Special Publication 800-53 policy as described in Appendix K, Creating Policies Based on Examples.
   Comments on Limits are shown, but not comments on Exemptions since the effect of an Exemption is to _prevent_ results from being shown.
   
2. Display Policy as a command procedure
   Adding the qualifier /COMMAND_PROCEDURE to the SHOW POLICY command causes the output to be formatted as a command procedure. When that output is sent to a file with the /OUTPUT= qualifier, you can edit the resulting command procedure to change all instances of the string <policy-name> to be the name of some other policy to which you want the same values applied. The usefulness of this is somewhat greater when you also delete or modify some lines within the command procedure.
   The command procedure is created with each command on a single line, allowing use of VMS utilities such as SORT and SEARCH.
   
3. Password History tests
   New tests are provided:
   • VMS, PWDHISTORY, MINLENGTH
   • VMS, PWDHISTORY, MAXLENGTH
   • VMS, PWDHISTORY, MINLIMIT
   • VMS, PWDHISTORY, MAXLIMIT
   
   Testing either the VMS defaults of 365 and 60 (respectively) or the numeric values of system logical names:
   • SYS$PASSWORD_HISTORY_LENGTH
   • SYS$PASSWORD_HISTORY_LIMIT
   
   against the limits in the policy.
   
4. UAF, PWDNULL tests added
   Two additional constraints allow testing a policy that requires primary or secondary passwords based on privilege category.
   • UAF, PWDNULL, PRIMAXPRIV
   • UAF, PWDNULL, SECMAXPRIV
   
   
5. Add the following elements for new VMS UAF flag bits:
   • UAF, DEFCLSVAL, PROHIBITED
   • UAF, DEFCLSVAL, REQUIRED
6. • UAF, EXTAUTH, PROHIBITED
   • UAF, EXTAUTH, REQUIRED
7. • UAF, MIGRATEPWD, PROHIBITED
   • UAF, MIGRATEPWD, REQUIRED
8. • UAF, VMSAUTH, PROHIBITED
   • UAF, VMSAUTH, REQUIRED
9. • UAF, DISPWDSYNCH, PROHIBITED
   • UAF, DISPWDSYNCH, REQUIRED
   
   
10. TERM, TYPEAHEAD tests added
    • TERM, TYPEAHEAD, PROHIBITED
    • TERM, TYPEAHEAD, REQUIRED
    
    
11. Tests for SYS$ANNOUNCE and SYS$WELCOME
    Tests indicating text which must be present in a message.
    • VMS, ANNOUNCE, CONTAINED
    • VMS, ANNOUNCE, CONTAINS
    • VMS, ANNOUNCE, MATCH
    • VMS, WELCOME, CONTAINED
    • VMS, WELCOME, CONTAINS
    • VMS, WELCOME, MATCH
    
    
12. DEVICE, CHECKPROT tests added
    In a manner similar to CHECKSUM, this element tests only based on specified exemptions. Thus it can be used to test special protection requirements for precisely named files, including requirements for Alarm ACEs and Audit ACEs in the ACL for a file.
    • DISK, CHECKPROT, ABSOLUTLO
    • DISK, CHECKPROT, ABSOLUTHI
    • DISK, CHECKPROT, PERCENTLO (read,write,execute,delete,control)
    • DISK, CHECKPROT, PERCENTHI (read,write,execute,delete,control)
    • DISK, CHECKPROT, ALFPROHIB (read,write,execute,delete,control)
    • DISK, CHECKPROT, ALFREQUIRE (read,write,execute,delete,control)
    • DISK, CHECKPROT, ALSPROHIB (read,write,execute,delete,control)
    • DISK, CHECKPROT, ALSREQUIRE (read,write,execute,delete,control)
    • DISK, CHECKPROT, AUFPROHIB (read,write,execute,delete,control)
    • DISK, CHECKPROT, AUFREQUIRE (read,write,execute,delete,control)
    • DISK, CHECKPROT, AUSPROHIB (read,write,execute,delete,control)
    • DISK, CHECKPROT, AUSREQUIRE (read,write,execute,delete,control)
    • DISK, CHECKPROT, ACLNOGEN
    • DISK, CHECKPROT, ACLNOSYS
    • DISK, CHECKPROT, ACLNOUIC
    
    
13. Add non-alarm audit constraints to existing elements
    Those AUREQUIRE tests allow the TRY value, since the tests are not meaningful prior to VMS V5.4 where the only audit outputs were alarms.
    • AUDIT, ACL, AUPROHIBIT
    • AUDIT, ACL, AUREQUIRE
    • AUDIT, AUDIT, AUPROHIBIT
    • AUDIT, AUDIT, AUREQUIRE
    • AUDIT, AUTHORIZE, AUPROHIBIT
    • AUDIT, AUTHORIZE, AUREQUIRE
    • AUDIT, INSTALL, AUPROHIBIT
    • AUDIT, INSTALL, AUREQUIRE
    • AUDIT, MOUNT, AUPROHIBIT
    • AUDIT, MOUNT, AUREQUIRE
    
    These AUREQUIRE tests have process type Selectors, so they do not allow the TRY value, in order to provide symmetry and preserve compatibility with the corresponding ALREQUIRE tests.
    • AUDIT, BREAKIN, AUPROHIBIT
    • AUDIT, BREAKIN, AUREQUIRE
    • AUDIT, LOGFAIL, AUPROHIBIT
    • AUDIT, LOGFAIL, AUREQUIRE
    • AUDIT, LOGIN, AUPROHIBIT
    • AUDIT, LOGIN, AUREQUIRE
    • AUDIT, LOGOUT, AUPROHIBIT
    • AUDIT, LOGOUT, AUREQUIRE
    
    These AUREQUIRE tests have access type Selectors, so they do not allow the TRY value, in order to provide symmetry and preserve compatibility with the corresponding ALREQUIRE tests.
    
    • AUDIT, BYPASS, AUPROHIBIT
    • AUDIT, BYPASS, AUREQUIRE
    • AUDIT, DOWNGRADE, AUPROHIBIT
    • AUDIT, DOWNGRADE, AUREQUIRE
    • AUDIT, FAILURE, AUPROHIBIT
    • AUDIT, FAILURE, AUREQUIRE
    • AUDIT, GRPPRV, AUPROHIBIT
    • AUDIT, GRPPRV, AUREQUIRE
    • AUDIT, READALL, AUPROHIBIT
    • AUDIT, READALL, AUREQUIRE
    • AUDIT, SUCCESS, AUPROHIBIT
    • AUDIT, SUCCESS, AUREQUIRE
    • AUDIT, SYSPRV, AUPROHIBIT
    • AUDIT, SYSPRV, AUREQUIRE
    • AUDIT, UPGRADE, AUPROHIBIT
    • AUDIT, UPGRADE, AUREQUIRE
    
    
14. Failure Action Elements renamed
    The following elements have been renamed:
    • AUDIT, FAILCRASH, ALPROHIBIT becomes PROHIBITED
    • AUDIT, FAILCRASH, ALREQUIRE becomes REQUIRED
    • AUDIT, FAILIGNORE, ALPROHIBIT becomes PROHIBITED
    • AUDIT, FAILIGNORE, ALREQUIRE becomes REQUIRED
    • AUDIT, FAILWAIT, ALPROHIBIT becomes PROHIBITED
    • AUDIT, FAILWAIT, ALREQUIRE becomes REQUIRED
    
    to reflect the fact that they are not particularly more associated with Alarms than with Audits. Existing policies are preserved.
    
15. Final Resource Action Constraints added
    New tests are provided:
    • AUDIT, FINALCRASH, PROHIBITED
    • AUDIT, FINALCRASH, REQUIRED
    • AUDIT, FINALIGNORE, PROHIBITED
    • AUDIT, FINALIGNORE, REQUIRED
    • AUDIT, FINALPURGE, PROHIBITED
    • AUDIT, FINALPURGE, REQUIRED
    • AUDIT, FINALRESTART, PROHIBITED
    • AUDIT, FINALRESTART, REQUIRED
    
    
16. Additional Audit Tests
    • AUDIT, CUSTOMER, ALPROHIBIT
    • AUDIT, CUSTOMER, ALREQUIRE
    • AUDIT, CUSTOMER, AUPROHIBIT
    • AUDIT, CUSTOMER, AUREQUIRE
17. • AUDIT, CSS, ALPROHIBIT
    • AUDIT, CSS, ALREQUIRE
    • AUDIT, CSS, AUPROHIBIT
    • AUDIT, CSS, AUREQUIRE
18. • AUDIT, LP, ALPROHIBIT
    • AUDIT, LP, ALREQUIRE
    • AUDIT, LP, AUPROHIBIT
    • AUDIT, LP, AUREQUIRE
19. • AUDIT, SYSTIME, ALPROHIBIT
    • AUDIT, SYSTIME, ALREQUIRE
    • AUDIT, SYSTIME, AUPROHIBIT
    • AUDIT, SYSTIME, AUREQUIRE
20. • AUDIT, SYSGEN, ALPROHIBIT
    • AUDIT, SYSGEN, ALREQUIRE
    • AUDIT, SYSGEN, AUPROHIBIT
    • AUDIT, SYSGEN, AUREQUIRE
21. • AUDIT, IDENT, ALPROHIBIT
    • AUDIT, IDENT, ALREQUIRE
    • AUDIT, IDENT, AUPROHIBIT
    • AUDIT, IDENT, AUREQUIRE
22. • AUDIT, CONNECT, ALPROHIBIT
    • AUDIT, CONNECT, ALREQUIRE
    • AUDIT, CONNECT, AUPROHIBIT
    • AUDIT, CONNECT, AUREQUIRE
23. • AUDIT, NCP, ALPROHIBIT
    • AUDIT, NCP, ALREQUIRE
    • AUDIT, NCP, AUPROHIBIT
    • AUDIT, NCP, AUREQUIRE
24. • AUDIT, AUTHENT, ALPROHIBIT
    • AUDIT, AUTHENT, ALREQUIRE
    • AUDIT, AUTHENT, AUPROHIBIT
    • AUDIT, AUTHENT, AUREQUIRE
25. • AUDIT, PRVFAIL, ALPROHIBIT (privilege selector)
    • AUDIT, PRVFAIL, ALREQUIRE (privilege selector)
    • AUDIT, PRVFAIL, AUPROHIBIT (privilege selector)
    • AUDIT, PRVFAIL, AUREQUIRE (privilege selector)
26. • AUDIT, PRVSUCC, ALPROHIBIT (privilege selector)
    • AUDIT, PRVSUCC, ALREQUIRE (privilege selector)
    • AUDIT, PRVSUCC, AUPROHIBIT (privilege selector)
    • AUDIT, PRVSUCC, AUREQUIRE (privilege selector)
27. • AUDIT, OBJCREATE, ALPROHIBIT
    • AUDIT, OBJCREATE, ALREQUIRE
    • AUDIT, OBJCREATE, AUPROHIBIT
    • AUDIT, OBJCREATE, AUREQUIRE
28. • AUDIT, OBJDEACC, ALPROHIBIT
    • AUDIT, OBJDEACC, ALREQUIRE
    • AUDIT, OBJDEACC, AUPROHIBIT
    • AUDIT, OBJDEACC, AUREQUIRE
29. • AUDIT, OBJDELETE, ALPROHIBIT
    • AUDIT, OBJDELETE, ALREQUIRE
    • AUDIT, OBJDELETE, AUPROHIBIT
    • AUDIT, OBJDELETE, AUREQUIRE
30. • AUDIT, PRCCREPRC, ALPROHIBIT
    • AUDIT, PRCCREPRC, ALREQUIRE
    • AUDIT, PRCCREPRC, AUPROHIBIT
    • AUDIT, PRCCREPRC, AUREQUIRE
31. • AUDIT, PRCDELPRC, ALPROHIBIT
    • AUDIT, PRCDELPRC, ALREQUIRE
    • AUDIT, PRCDELPRC, AUPROHIBIT
    • AUDIT, PRCDELPRC, AUREQUIRE
32. • AUDIT, PRCSCHDWK, ALPROHIBIT
    • AUDIT, PRCSCHDWK, ALREQUIRE
    • AUDIT, PRCSCHDWK, AUPROHIBIT
    • AUDIT, PRCSCHDWK, AUREQUIRE
33. • AUDIT, PRCCANWAK, ALPROHIBIT
    • AUDIT, PRCCANWAK, ALREQUIRE
    • AUDIT, PRCCANWAK, AUPROHIBIT
    • AUDIT, PRCCANWAK, AUREQUIRE
34. • AUDIT, PRCWAKE, ALPROHIBIT
    • AUDIT, PRCWAKE, ALREQUIRE
    • AUDIT, PRCWAKE, AUPROHIBIT
    • AUDIT, PRCWAKE, AUREQUIRE
35. • AUDIT, PRCSUSPND, ALPROHIBIT
    • AUDIT, PRCSUSPND, ALREQUIRE
    • AUDIT, PRCSUSPND, AUPROHIBIT
    • AUDIT, PRCSUSPND, AUREQUIRE
36. • AUDIT, PRCRESUME, ALPROHIBIT
    • AUDIT, PRCRESUME, ALREQUIRE
    • AUDIT, PRCRESUME, AUPROHIBIT
    • AUDIT, PRCRESUME, AUREQUIRE
37. • AUDIT, PRCGRANT, ALPROHIBIT
    • AUDIT, PRCGRANT, ALREQUIRE
    • AUDIT, PRCGRANT, AUPROHIBIT
    • AUDIT, PRCGRANT, AUREQUIRE
38. • AUDIT, PRCREVOKE, ALPROHIBIT
    • AUDIT, PRCREVOKE, ALREQUIRE
    • AUDIT, PRCREVOKE, AUPROHIBIT
    • AUDIT, PRCREVOKE, AUREQUIRE
39. • AUDIT, PRCGETJPI, ALPROHIBIT
    • AUDIT, PRCGETJPI, ALREQUIRE
    • AUDIT, PRCGETJPI, AUPROHIBIT
    • AUDIT, PRCGETJPI, AUREQUIRE
40. • AUDIT, PRCFORCEX, ALPROHIBIT
    • AUDIT, PRCFORCEX, ALREQUIRE
    • AUDIT, PRCFORCEX, AUPROHIBIT
    • AUDIT, PRCFORCEX, AUREQUIRE
41. • AUDIT, PRCSIGPRC, ALPROHIBIT
    • AUDIT, PRCSIGPRC, ALREQUIRE
    • AUDIT, PRCSIGPRC, AUPROHIBIT
    • AUDIT, PRCSIGPRC, AUREQUIRE
42. • AUDIT, PRCSETPRI, ALPROHIBIT
    • AUDIT, PRCSETPRI, ALREQUIRE
    • AUDIT, PRCSETPRI, AUPROHIBIT
    • AUDIT, PRCSETPRI, AUREQUIRE
43. • AUDIT, PRCPRCTRM, ALPROHIBIT
    • AUDIT, PRCPRCTRM, ALREQUIRE
    • AUDIT, PRCPRCTRM, AUPROHIBIT
    • AUDIT, PRCPRCTRM, AUREQUIRE
44. • AUDIT, PRCCPUCAP, ALPROHIBIT
    • AUDIT, PRCCPUCAP, ALREQUIRE
    • AUDIT, PRCCPUCAP, AUPROHIBIT
    • AUDIT, PRCCPUCAP, AUREQUIRE
45. • AUDIT, PRCPRCCAP, ALPROHIBIT
    • AUDIT, PRCPRCCAP, ALREQUIRE
    • AUDIT, PRCPRCCAP, AUPROHIBIT
    • AUDIT, PRCPRCCAP, AUREQUIRE
46. • AUDIT, PRCPRCAFF, ALPROHIBIT
    • AUDIT, PRCPRCAFF, ALREQUIRE
    • AUDIT, PRCPRCAFF, AUPROHIBIT
    • AUDIT, PRCPRCAFF, AUREQUIRE
47. • AUDIT, PRCSTIMAF, ALPROHIBIT
    • AUDIT, PRCSTIMAF, ALREQUIRE
    • AUDIT, PRCSTIMAF, AUPROHIBIT
    • AUDIT, PRCSTIMAF, AUREQUIRE
48. • AUDIT, AUDILLFOR, ALPROHIBIT
    • AUDIT, AUDILLFOR, ALREQUIRE
    • AUDIT, AUDILLFOR, AUPROHIBIT
    • AUDIT, AUDILLFOR, AUREQUIRE
49. • AUDIT, PSBCREATE, ALPROHIBIT
    • AUDIT, PSBCREATE, ALREQUIRE
    • AUDIT, PSBCREATE, AUPROHIBIT
    • AUDIT, PSBCREATE, AUREQUIRE
50. • AUDIT, PSBDELETE, ALPROHIBIT
    • AUDIT, PSBDELETE, ALREQUIRE
    • AUDIT, PSBDELETE, AUPROHIBIT
    • AUDIT, PSBDELETE, AUREQUIRE
51. • AUDIT, PSBMODIFY, ALPROHIBIT
    • AUDIT, PSBMODIFY, ALREQUIRE
    • AUDIT, PSBMODIFY, AUPROHIBIT
    • AUDIT, PSBMODIFY, AUREQUIRE
    
    
52. Example Policies
    As described in Appendix K, Creating Policies Based on Examples, LJK/Security now provides command procedures in LJK$SECURITY_EXAMPLES: that can be used to create policies conforming to certain published standards such as NIST Special Publication 800-53.