LJK/Security Reference Manual

Order Number: LJKS-REF-V031 This software is intended to assist in security assessment of VMS systems. It is not a substitute for a trained professional conducting periodic security assessments, but rather is intended to aid and assist that individual in performing the assessments on a more frequent and thorough basis than would otherwise be possible.

Information generated by this software should be treated on a confidential basis, since it constitutes a list of security vulnerabilities of your computer systems.

Revision/Update Information: Supercedes LJKS-REF-V030

Operating System and Version: VAX/VMS Version 4.2 or higher
MicroVMS Version 4.2 or higher
OpenVMS AXP Version 1.0 or higher

Software Version: LJK/Security V3.1

2010

Copyright ©1988-2010 by LJK Software, 233 Needham Street, Suite 300, Newton, MA 02464-1502

The following are trademarks of LJK Software:

LJK/Security
the LJK/Security logo

The following are trademarks of Hewlett Packard:

AXP
DEC
DECnet
DECwindows
DEC/Shell
DEC/Test Manager
MicroVAX
P.S.I.
SEVMS
VAX
VAXstation
VAXcluster
VMS
VMS Encryption
VMScluster

The following is a trademarks of Process Software:

Multinet

Contents Index

Preface

If you are a first-time reader interested in making productive use of the software as soon as possible, you should concentrate on the Overview Part.

Document Structure

This manual describes LJK/Security software and how it can be used in assessing security of VMS systems.

Overview Part

Chapter 1, Introduction, describes the overall operational concepts of LJK/Security and gives a tutorial-order explanation of various terms (denoted in boldface throughout this manual) that have specialized meanings within the context of LJK/Security.
Chapter 2, Installing LJK/Security, describes those steps which must be taken by the VMS system manager to get LJK/Security up and running in your environment..

User Interfaces Part

Chapter 3, Window Interface describes how to control LJK/Security using the DECwindows graphic user interface.
Chapter 4, Menu Interface, describes how to control LJK/Security using a character cell display terminal.
Chapter 5, Command Interface, lists the commands available for traditional DCL-style control of LJK/Security.

Tests Part

Chapter 6,LJK/Security Automatic Tests, lists each of the tests that can be performed by LJK/Security for the Automatic method.

Site-Specific Customization Part

Chapter 7, Policy Modification, discusses the uses of policy modification.
Chapter 8, Assessment Modification, discusses the uses of assessment modification.
Chapter 9, Using Program Call Interfaces, describes how to access LJK/Security from programs you have written in VMS programming languages.
Chapter 10, Using LJK/Security With Removable Media, describes the differences involved in using magnetic tape or removable disks rather than DECnet for communication between the master node and tributary nodes.
Chapter 11, Tips for Special Situations, contains hints on how to use LJK/Security in certain specific settings.
Chapter 12, Answering Questions for Non-Automated Assessment Methods, tells someone who has no other exposure to LJK/Security how to answer questions required by non-automatic assessment methods.

Appendices

Appendix A, Master Node Installation, shows a sample installation of LJK/Security on a master node.
Appendix B, Tributary Node Installation, shows a sample installation of LJK/Security on a tributary node.
Appendix C, Moving the Software, tells how to move the software to a different node.
Appendix D, Demonstration, describes an LJK/Security demonstration license offered at certain Trade Shows.
Appendix E, Other VMS Security Considerations, lists VMS security considerations not amenable to generalized automatic processing by products such as lreference PRODUCTLJK/Security.
Appendix F, Files Created by LJK/Security, lists the files created by LJK/Security installation and operation.
Appendix G, Bug Reports, tells how to report problems to LJK Software.
Appendix H, Hints and Kinks, gives information not of general interest, such as discussion of internal operation of LJK/Security .
Appendix I, Use of Privilege by LJK/Security, lists the use of privilege by LJK/Security.
Appendix J, Security of LJK/Security, describes steps taken to ensure the security of LJK/Sec urity itself.
Appendix K, Creating Policies Based on Examples, explains the example policies provided by LJK/Security for published requirement lists such as NIST Special Publication 800-53.
Appendix M, Quick Start Guide to NIST SP 800-53/800-53a Security Assessments, offers guidance for use of LJK/Security in complying with the US National Institute of Standards and Technology (NIST) Special Publication 800-53a.
Appendix N, Quick Start Guide to PCI DSS Security Assessments, offers guidance for use of LJK/Security in complying with the P ayment Card Industry Data Security Standard (PCI DSS).
Appendix O, Quick Start Guide to DoD Instruction 8500.2 Vulnerability Assessments, tells how to use LJK/Security in complying with U S Department of Defense Instruction 8500.2 published February 6, 2003.
Appendix L, Sending LJK/Security Data Directly over TCP/IP, tells how to send LJK/Security requests and results directly over TC P/IP in environments which do not have DECnet installed.
Appendix P, Quick Start Guide to CNSS Security Assessments, offers guidance for use of LJK/Security in complying with the US Commi ttee on National Security Systems (CNSS) Instruction 1253.
Glossary gives an alphabetical-order explanation of various terms (denoted in boldface throughout this manual) that have specialized meanings within the context of LJK/Security.

Intended Audience

This manual is for use by those responsible for conducting security assessments of VMS systems using the LJK/Security software.

It is possible to use the manual and run the software without an in-depth knowledge of VMS, but when potential problems are detected, resolution will often require considerable VMS expertise on the part of the LJK/Security user, or consultation with someone else (perhaps in a system management position) who has that expertise.

LJK Software provides telephone support regarding operation of the LJK/Security software and in many cases can offer alternative methods of addressing security problems you detect. But there is often a point where security goals conflict with other goals at your site in such a fashion that considerable system management or application programming changes are required to alleviate the security weakness without unduly burdening ongoing operations. In that situation, you will need local experts with those skills.

Associated Documents

Depending upon the VMS version(s) being run, the user should be familiar with the appropriate VMS security manuals:

Guide to VAX/VMS System Security, DEC AA-Y510A-TE (VMS V4.0)
Guide to VAX/VMS System Security, DEC AA-Y510A-T1 (update for VMS V4.2)
Guide to VMS System Security, DEC AA-LA40A-TE (VMS V5.0)
Guide to VMS System Security, DEC AA-LA40B-TE (VMS V5.2)
OpenVMS AXP Guide to System Security, DEC AA-PV5SA-TE (V1.5)
OpenVMS VAX Guide to System Security, DEC AA-PV5RA-TE (V6.0)
OpenVMS Guide to System Security, DEC AA-Q2HLA-TE (V6.1)
OpenVMS Guide to System Security, DEC AA-Q2HLB-TE (V6.2)
OpenVMS Guide to System Security, DEC AA-Q2HLC-TE (V7.1)
OpenVMS Guide to System Security, Compaq AA-Q2HLD-TE (V7.2)
OpenVMS Guide to System Security, Compaq AA-Q2HLE-TE (V7.3)
OpenVMS Guide to System Security, Compaq AA-Q2HLF-TE (V7.3-1)
OpenVMS Guide to System Security, HP AA-Q2HLG-TE (V7.3-2)

For versions of VMS since V6.1 and all non-VAX versions, those documents are also available on CDROMs that came with your VMS software.

Conventions

Within LJK/Security Reference Manual, boldfaced words within normal text paragraphs have specific meanings outlined in the Glossary.

Throughout this document use of the second person ("you") or the term "user" refers to the intended reader of this manual, an individual who has been given appropriate facility-specific identifiers or is otherwise authorized to use LJK/Security as discussed in Section 5.4.

CNSS Instruction 1253 Policy Templates
New template policy command procedures are provided to support CNSS Instruction 1253.
Alignment with Newer NIST versions
Template policy command procedures for assessment according to NIST are now aligned with Revision 1 of NIST Special Publication 800-53a and thus with Revision 3 of NIST Special Publication 800-53.
Smaller Distribution Kits
CNSS and NIST template policy command procedures are now generated on site from small stub command procedures, avoiding the storage of large command procedures that will not be used.
Additional VMS Version Policy Templates
VMS Version Policy Templates for SHA1 and SIMPLE checksum algorithms are provided for VMS V8.4.
Audit Tests
New tests are provided:
- AUDIT, IMPORT, ALPROHIBIT
- AUDIT, IMPORT, ALREQUIRE
- AUDIT, IMPORT, AUPROHIBIT
- AUDIT, IMPORT, AUREQUIRE
SET TEMPLATE
A new "Template" status for policy records indicates that the value in a record comes from a template command procedure rather than being individually set at a site.
This will allow future application of template command procedures to avoid changing values set by a site while still changing comments, to indicate new relations to external regulations.
In general customers do not need to explicitly use the SET TEMPLATE command.
From Vendor
In the Window Interface, the wording "From Factory" has been changed to "From Vendor", bringing it into agreement with the corresponding wording in the Menu and Command Interfaces.
Preserving Comment Fields
A unspecified Comment field when modifying:
- Limits
- Exemptions for (DISK, CHECKPROT, *) tests
is inherited from the Comment field of the previous record.
In the case of the Window interface, the visible interface is pre-populated.
Stream HTML file output
To assist those who are creating HTML reports to be provided to reviewers using non-VMS systems, the HTML files created are now in Stream format. This means all the *.HTML and *.GIF files created in the output subdirectory can be transferred to the non-VMS system in Binary mode.
The user must take other measures to ensure VMS version numbers are removed if that is required on the non-VMS operating system. Using the version of FTP provided by the "Multinet" product, that is done with the command RETAIN OFF. In other cases, running a script on the non-VMS operating system might be required.

Overview

This gives basic information on LJK/Security.

Chapter 1
Introduction

This chapter describes the overall operational concepts of LJK/Security and gives a tutorial-order explanation of various terms (denoted in boldface throughout this manual) that have specialized meanings within the context of LJK/Security.

1.1 What LJK/Security Does

LJK/Security runs a series of tests of security-relevant conditions on VMS systems, comparing them to user-specified standards. The results are forwarded to a master node for reporting.

LJK/Security can also be used to guide security assessment staff in performing assessment steps that are not susceptible to automation, also forwarding those result to a master node for reporting.

LJK/Security control and reporting software is installed on one master node with only data-gathering software installed on other tributary nodes.

1.2 What LJK/Security Does Not Do

LJK/Security does no modification¹ to the systems being assessed. It is intended as an unbiased tool for observation of system security, without getting involved in issues of control. Although in some organizations, the same individuals may be involved both in establishing security and evaluating it, LJK/Security makes no assumption that this is the case. It is organized, rather, to support the principle of separation of duties between those who implement security and those who evaluate it.

LJK/Security makes individual assessments on a user-specified schedule, rather than on a continuous basis. Thus, its results are based on sampling rather than logging, so effective monitoring depends on selection of a schedule appropriate for the environment.

Note

¹ Aside from data files LJK/Security creates for use in its own operation

1.3 How LJK/Security is licensed

Each LJK/Security license covers one machine referred to as a master node, and some number (possibly zero) of other machines referred to as tributary nodes.

Note

The use of the term "node" does not mean that use of DECnet is required. A set of machines without DECnet can be accessed by moving removable magnetic media (e.g., tapes) back and forth, but in this document those machines are still referred to as "nodes".

If your master node is in a VAXcluster or a VMScluster, you have the option when installing LJK/Security of specifying that any machine in the cluster can serve as the master node (providing your license is large enough to cover all machines in the cluster).

1.4 Elements of the LJK/Security Control Structure

Throughout this manual there are terms (denoted by boldface type) which have a specific technical meaning within the context of LJK/Security.

1.4.1 Node

The term node refers to a single VMS system, regardless of whether or not it is connected via DECnet. Thus, a multi-processor system is one node, while a VAXcluster or VMScluster is multiple nodes. The DECnet node address used at some sites for a cluster-wide alias node name does not count as an additional node for purposes of LJK/Security.

1.4.1.1 Master Node

The master node is the one on which LJK/Security software is originally installed. All commands are issued from the master node.

1.4.1.2 Tributary Node

A tributary node is one on which LJK/Security data-gathering is conducted. In most cases a master node will also be a tributary node (and it is counted as such in license size limits).

1.4.2 Automated Tests

An automated test is an individual comparison to be made between a security-relevant condition on a node and a limit in the relevant policy. The various tests available within LJK/Security are each denoted by a set of three names: facility, element, and constraint.

1.4.2.1 Facility

Particular section of VMS or layered product being tested.

1.4.2.2 Element

Particular parameter or security-relevant item being test.

1.4.2.3 Constraint

Exact condition being tested (value too low, value too high, etc.).

1.4.3 Non-Automated Methods

In contrast to the automated test method, non-automated methods are not constrained to a particular set of measurements. The non-automated methods provide a series of questions to be assigned to various individuals for response. Besides the Automatic method (and the Quick subset of that method), there are four non-automated methods - Manual Examination, Interview, Invasive Testing, and Compensating Control.

1.4.3.1 Manual Examination

The assessor to whom a group of questions has been assigned engages in manual inspection of documents, facilities, equipment and processes, entering findings into LJK/Security for centralized reporting.

1.4.3.2 Interview

The assessor to whom a group of questions has been assigned interviews a sampling of designated staff members regarding security issues entering findings into LJK/Security for centralized reporting.

1.4.3.3 Invasive Testing

The assessor to whom a group of questions has been assigned engages in exhaustive testing of software, hardware or procedures, entering findings into LJK/Security for centralized reporting. Invasive Testing typically requires use of a test machine so as not to disrupt production computer operations.

1.4.3.4 Compensating Control

No assessor answers questions - these are statements about steps the organization (or a vendor) has taken to compensate for some rule which cannot be met exactly in the environment.

1.4.4 Policy

The term policy refers to a collection of security rules against which a single node can be evaluated.

LJK/Security allows for multiple policies within a given set of licensed nodes. This allows for a distinction to be made between nodes with varying security requirements or to account for special needs (e.g., machines used primarily to develop VMS device drivers will have an abnormally high proportion of privileged users).

Support for multiple simultaneous policy definitions also allows for variations in the security measurement process, such as running very thorough (and resource-intensive) security checks on weekends with quicker security checks each evening.

Figure 1-1 Automatic Testing Contents of a Policy

As shown in Figure 1-1, within a policy there can be three types of automated testing rules:

1.4.4.1 Disable

A rule which is used to bypass all tests for a particular facility.

This is the only type of rule which applies to more than a single test.

1.4.4.2 Limit

A rule which specifies a value which must be met by a particular test.

1.4.4.3 Exemption

A rule which permits certain failures of a particular test not to be counted as violations.

1.4.5 Assessment

The term assessment refers to a coordinated testing of a set of nodes based on (possibly diverse) specified policies. The relationships established by an assessment are shown in Figure 1-2. An assessment specifies, for each tributary node:

policy against which the tributary node is to be measured
request transmission medium
result transmission medium

For the simplest (default) case, the same policy will be applied to all nodes, and DECnet will be used for transmission of both requests and results.

Figure 1-2 Contents of an Assessment

Contents

Index