LJK/Security Reference Manual

ASSIGN

Answer questions for non-automatic methods from a node.

Format

$ LJK/SECURITY ASSIGN -

assessment-name -

authority-name

or
LJKS„ ASSIGN -

assessment-name -

authority-name

Command Qualifiers	Defaults
/GROUP=group-name	None.
/METHOD=(...)

restrictions

You must have the facility-specific identifier LJK$SECURITY_ROLE_POLICY, LJK$SECURITY_MODIFY_POLICY or LJK$SECURITY_ALL.
On systems prior to VAX VMS V6.0 or systems which do not have a Rights Database (RIGHTSLIST.DAT), you must have the SECURITY privilege.

Parameters

assessment-name
Name of the assessment being assigned.
authority-name
Name of the authority to which assignment is being made, either <node>::<user> or <assessment-name>.

Description

Assign responsibility for providing certain answers to a particular authority. An authority can be either:

<node>::<user>, e.g. DCNODE::SMITH
The specified user on that node must issue the command MCR LJK$SECURITY ANSWER and answer the questions.
<assessment-name>, e.g. FACILITY_ASSESSMENT
Answers are copied from those provided to an existing assessment. This requires that the other assessment have status COMPLETED on all nodes when this assessment is run.

Qualifiers

/GROUP=group-name
Indicates the name of the group from which you want to answer questions.
Wildcard characters ("*" and "%") can be used in the group-name for the /GROUP= qualifier. The /GROUP= qualifier is required.
/METHOD=INTERVIEW

/METHOD=INVASIVE_TESTING

/METHOD=MANUAL_EXAMINATION
Specifies that METHOD for the groups being assigned.
/INTERVIEW
Indicates that the value you specify for /GROUP= is a group within the Interview groups.
The ASSIGN command requires specifying one (and only one) of the qualifiers /MANUAL_EXAMINATION, /INTERVIEW or /INVASIVE_TESTING.
/INVASIVE_TESTING
Indicates that the value you specify for /GROUP= is a group within the Invasive Testing groups.
The ASSIGN command requires specifying one (and only one) of the qualifiers /MANUAL_EXAMINATION, /INTERVIEW or /INVASIVE_TESTING.
/MANUAL_EXAMINATION
Indicates that the value you specify for /GROUP= is a group within the Manual Examination groups.
The ASSIGN command requires specifying one (and only one) of the qualifiers /MANUAL_EXAMINATION, /INTERVIEW or /INVASIVE_TESTING.

Example


$ LJK/SECURITY ASSIGN MY_ASSESSMENT BOSTON::FIEDLER /GROUP=WIND /METHOD=INTERVIEW

Assign the Interview questions in the WIND group to user FIEDLER on node BOSTON.


$ LJK/SECURITY ASSIGN MY_ASSESSMENT MARCH_ASSESSMENT /GROUP=M%Q* /METHOD=MANUAL_EXAMINATION

Copy (when MY_ASSESSMENT is run) the answers from MARCH_ASSESSMENT for all Manual Examination questions whose Group names start with "M" and have "Q" as the third character.

CANCEL

Cancel future collection of security data from remote nodes.

Format

$ LJK/SECURITY CANCEL -

assessment-name

or
LJKS„ CANCEL -

assessment-name

Command Qualifiers	Defaults
None.	None.

restrictions

You must have the facility-specific identifier LJK$SECURITY_ROLE_OPERATE, LJK$SECURITY_CANCEL or LJK$SECURITY_ALL.
On systems prior to VAX VMS V6.0 or systems which do not have a Rights Database (RIGHTSLIST.DAT), you must have the SECURITY privilege.

Parameters

assessment-name
Name of the assessment.

Description

Cancel the future scheduled collection of security data from tributary nodes for a particular assessment.
This does not affect any current collection of the specified assessment. That is accomplished with the STOP command.

Qualifiers

None.

Example


$ LJK/SECURITY CANCEL MY_SPECIAL

Cancel future collection of assessment MY_SPECIAL from remote nodes.

CREATE ASSESSMENT

Create a new assessment.

Format

$ LJK/SECURITY CREATE ASSESSMENT -

assessment-name

or
LJKS„ CREATE ASSESSMENT -

assessment-name

Command Qualifiers	Defaults
/[NO]AUDIT	/NOAUDIT
/[NO]DEFAULT	/DEFAULT
/[NO]LOG	/NOLOG

restrictions

You must have the facility-specific identifier LJK$SECURITY_ROLE_POLICY, LJK$SECURITY_CREATE_ASSESSMENT or LJK$SECURITY_ALL.
On systems prior to VAX VMS V6.0 or systems which do not have a Rights Database (RIGHTSLIST.DAT), you must have the SECURITY privilege.

Parameters

assessment-name
Name of the assessment to be created.
As described in Section H.8, DCL Symbol Processing, DCL symbol substitution may be used for this parameter, even when using the Subsystem Command Format.

Description

Creates a new assessment with initial entries optionally taken from the assessment named DEFAULT (if there is any).

Qualifiers

/AUDIT (D)

/NOAUDIT
Specifies that the contents of assessment records automatically created should be displayed, including audit information.
/DEFAULT (D)

/NODEFAULT
Specifies that the contents of the assessment named DEFAULT are to be used for the initial contents of the assessment being created.
/LOG

/NOLOG (D)
Specifies that the contents of assessment records automatically created should be displayed.

Example


$ LJK/SECURITY CREATE ASSESSMENT MY_ASSESSMENT

Create an assessment.


$ LJK/SECURITY CREATE ASSESSMENT MY_ASSESSMENT/NODEFAULT

Create an assessment with no copying of the contents of the assessment named DEFAULT.

CREATE POLICY

Create a new policy with default limits and possibly default disables and exemptions.

Format

$ LJK/SECURITY CREATE POLICY -

policy-name

or
LJKS„ CREATE POLICY -

policy-name

Command Qualifiers	Defaults
/[NO]AUDIT	/NOAUDIT
/[NO]DEFAULT	/DEFAULT
/[NO]DISABLE	/NODISABLE
/[NO]EXEMPTIONS	/NOEXEMPTIONS
/[NO]LOG	/NOLOG

restrictions

You must have the facility-specific identifier LJK$SECURITY_ROLE_POLICY, LJK$SECURITY_CREATE_POLICY or LJK$SECURITY_ALL.
On systems prior to VAX VMS V6.0 or systems which do not have a Rights Database (RIGHTSLIST.DAT), you must have the SECURITY privilege.

Parameters

policy-name
Name of the policy to be created.
As described in Section H.8, DCL Symbol Processing, DCL symbol substitution may be used for this parameter, even when using the Subsystem Command Format.

Description

Creates a new policy with limits and exemptions taken:

Optionally from the policy named DEFAULT (if there is one) or else:
from program defaults for LJK/Security listed in Chapter 6,LJK/Security Automatic Tests .

Qualifiers

/AUDIT (D)

/NOAUDIT
Specifies that the contents of policy records automatically created should be displayed, including audit information.
/DEFAULT (D)

/NODEFAULT
Specifies that the contents of the policy named DEFAULT are to be used for the initial contents of the policy being created.
/DISABLES

/NODISABLES (D)
Specifies that any disables in the policy named DEFAULT be copied to the policy being created. By default, disables are not copied.
/EXEMPTIONS

/NOEXEMPTIONS (D)
Specifies that any exemptions in the policy named DEFAULT be copied to the policy being created. By default, exemptions are not copied.
/LOG

/NOLOG (D)
Specifies that the contents of policy records automatically created should be displayed.

Example


$ LJK/SECURITY CREATE POLICY MY_POLICY

Create a policy with no exemptions.


$ LJK/SECURITY CREATE POLICY MY_POLICY/EXEMPTIONS

Create a policy with exemptions.

EXIT

Displays information to assist in using the command interface.

Format

LJKS„ EXIT

restrictions

None.

Parameters

None.

Description

Return to DCL from LJK/Security subsystem mode.

Qualifiers

None.

Example


LJKS„ EXIT


$

HELP

Displays information to assist in using the command interface.

Format

$ HELP LJK/SECURITY [keyword...]

or
$ LJK/SECURITY HELP [keyword...]

or
LJKS„ HELP [keyword...]

restrictions

None.

Parameters

keyword...
Specifies one or more keywords that refer to topics (typically commands) in the system help library for LJK/Security.
If you use an asterisk in place of any keyword, the HELP command displays all information available at the level the asterisk replaces. For example, LJK/SECURITY HELP RUN * displays all the subtopics under the topic RUN.
If you use an ellipsis immediately after any keyword, HELP displays all the information on the specified topic and all subtopics of that topic. For example, LJK/SECURITY HELP RUN... displays information on the RUN topic as well as any information on all the subtopics under RUN.
You can use percent signs and asterisks in the keyword as wildcard characters.
As with other uses of the VMS HELP facility, you can give additional keywords to get further detail after the Topic? prompt.

prompts

Topic?

keyword...

Description

Display information to assist in using the command interface to LJK/Security.

Qualifiers

None.

Example


$ LJK/SECURITY HELP MODIFY POLICY /TEST

Display information about the /TEST qualifier to the command MODIFY POLICY.


$ LJK/SECURITY HELP CREATE POLICY *

Display information about all subtopics for the CREATE POLICY command.

KIT_BUILD

Create one or more LJK/Security software kits for installation on tributary nodes.

Format

$ LJK/SECURITY KIT_BUILD

or
LJKS„ KIT_BUILD

Command Qualifiers	Defaults
/[NO]COPIES=number	/NOCOPIES (copies=1)
/[NO]DEVICE=device	/FILE=<see description>
/[NO]DEVICE=device-type	/FILE=<see description>
/[NO]FILE=directory-spec	/FILE=<see description>
/[NO]REWIND	/REWIND

restrictions

You must have the facility-specific identifier LJK$SECURITY_ROLE_OPERATE, LJK$SECURITY_KIT_BUILD or LJK$SECURITY_ALL.
On systems prior to VAX VMS V6.0 or systems which do not have a Rights Database (RIGHTSLIST.DAT), you must have the SECURITY privilege.

Parameters

None.

Description

Writes a VMSINSTAL-compatible installation kit onto disk or tape. This kit is then used to install the LJK/Security software onto tributary nodes.
In the case of installation kits written to tape, the tape is carried to the tributary node. For installation kits written to disk, the tributary node accesses the installation kit over DECnet before the VMSINSTAL command procedure is run on the tributary node.
The files created have names of the form LJK_SECURITY000.%.

Qualifiers

/COPIES=number

/NOCOPIES (D)
Write the kit onto multiple tapes or disks.
/DEVICE=device

/DEVICE=device-type

MT16

TK50

TK70

/NODEVICE (D)
Write the kit(s) onto the specified magnetic disk drive or disk drive type. If a generic device name is specified (such as DU), any drive of the specified type may be used.
This is for cases where the medium will be removed and carried to the tributary node. To leave a kit for transfer over DECnet, see the /FILE qualifier.
In addition to the device types listed above, the following removable media device types may be specified:
RA60 RC25 RK06 RK07 RL01 RL02 RM03 RM05 RP04 RP05 RP06 RX01 RX02 RX33 RX50
/FILE=directory-spec

/NOFILE (D)
Writes the kit onto disk as the specified filespec. This is the qualifier one would use to leave a kit for loading over DECnet, whereas /DEVICE=disk-device-name would be used with removable disks to be carried to the tributary node.
/REWIND (D)

/NOREWIND
Replace previous contents of the tape or disk. This qualifier is not compatible with /FILE.

Example


$ LJK/SECURITY KIT_BUILD/TAPE=TK50/COPIES=7

Write a copy of the tributary node software on each of 7 TK50 cartridges.


$ LJK/SECURITY KIT_BUILD/FILE=DISK$PUBLIC:[KITS]

Write a single copy of the tributary node software onto disk.

MODIFY ASSESSMENT

Add or modify action an assessment specifies for a particular tributary node.

Format

$ LJK/SECURITY MODIFY ASSESSMENT -

assessment-name

or
LJKS„ MODIFY ASSESSMENT -

assessment-name

Positional Qualifiers	Defaults
/[NO]AUDIT	/NOAUDIT
/[NO]COMMENT=comment-text	/NOCOMMENT
/[NO]LOG	/NOLOG
/METHOD=(...)
/[NO]NODE=node-name	None.
/[NO]POLICY=policy-name	None.
/[NO]PROTOTYPE	/NOPROTOTYPE
/[NO]REQUEST=transport-medium	/REQUEST=DECNET
/[NO]RESULT=transport-medium	/RESULT=DECNET
/TITLE=title-string	None.

restrictions

You must have the facility-specific identifier LJK$SECURITY_ROLE_POLICY, LJK$SECURITY_MODIFY_ASSESSMENT or LJK$SECURITY_ALL.
On systems prior to VAX VMS V6.0 or systems which do not have a Rights Database (RIGHTSLIST.DAT), you must have the SECURITY privilege.

Parameters

assessment-name
Name of the assessment to be modified.
As described in Section H.8, DCL Symbol Processing, DCL symbol substitution may be used for this parameter, even when using the Subsystem Command Format.

Description

Add or modify action an assessment specifies for a particular tributary node. If the assessment contains a previous disabled entry (one without a policy) for the specified node, fields from that entry will be used as defaults for any qualifiers not specified in this command.

Qualifiers

/AUDIT (D)

/NOAUDIT
Specifies that the contents of assessment records created should be displayed, including audit information.
/COMMENT=comment-text

/NOCOMMENT (D)
Comment of up to 80 characters to be associated with modification(s) made to the assessment.
/LOG

/NOLOG (D)
Specifies that the contents of assessment records created should be displayed.
/METHOD=(ALL)

/METHOD=(AUTOMATIC_TESTING) (D)

/METHOD=(COMPENSATING_CONTROLS)

/METHOD=(INTERVIEW)

/METHOD=(INVASIVE_TESTING)

/METHOD=(MANUAL_EXAMINATION)

/METHOD=(QUICK)
Specifies the assessment methods to be used by default for one or more nodes in an assessment:

ALL
Include all the assessment methods below.
AUTOMATIC_TESTING
Include all automatic testing (the method used before LJK/Security V3.0).
COMPENSATING_CONTROLS
Include compensating control information in assessment results.
MANUAL_EXAMINATION
Include the manual examination method, requiring designated individuals to review documents, physical security, etc.
INTERVIE
Include the interview examination method, requiring designated individuals to ask questions of particular sets of people.
INVASIVE_TESTING
Include the invasive testing examination method, requiring extensive effort at testing mechanisms (particularly for non-evaluated versions of VMS) and activities.
QUICK
Include only that automatic testing which can be done quickly, omitting the DISK and USAGE facilities.
This qualifier can accept a list of methods inside the parentheses, such as:
/METHOD=(QUICK,INVASIVE_TESTING)
If only one method is being specified, the parentheses are not required.
/NODE=node-name

/NONODE
Indicates the name of the node whose assessment state is to be modified.
Use of wildcard characters (* and %) within values specified with the /NODE= qualifier is supported, in two distinct fashions:

If the assessment currently has some nodes specified, the wildcard specification is used to select certain of those nodes for the modification.
If the assessment has no nodes specified and the master node is running DECnet Phase IV, the wildcard specification is used to select nodes for addition from all known nodes in the volatile DECnet database. This is of use in setting up new assessments. If the number of nodes selected would be greater than the number of nodes covered by the LJK/Security license, none are added.

Note
On master nodes without DECnet, the master node should be specified as "0" when adding it to an assessment.

/POLICY=policy-name

/NOPOLICY
Indicates the name of the policy to be used for assessing security of the specified node. If the qualifier /NOPOLICY is specified, then an existing entry for the specified node is disabled.
/PROTOTYPE (D)

/NOPROTOTYPE
Specifies that the PROTOTYPE assessment record should be modified.
/REQUEST=DECnet (D)

device-name-or-type

MT16

TK50

TK70
Indicates the mechanism to be used for transporting assessment requests to the tributary node from the master node. If DECnet connections are available, this method is easiest, although the possibility of tampering with messages on an intermediate node may cause some to prefer physical transport of magnetic media.
In addition to the device types listed above, the following removable media device types may be specified:

Previous Next Contents Index