RA60 RC25 RK06 RK07 RL01 RL02 RM03 RM05 RP04 RP05 RP06 RX01 RX02 RX33 RX50

/RESULT=DECnet (D)

device-name-or-type

MT16

TK50

TK70

In addition to the device types listed above, the following device types may be specified:

RA60 RC25 RK06 RK07 RL01 RL02 RM03 RM05 RP04 RP05 RP06 RX01 RX02 RX33 RX50

/TITLE=title-string

Example

$ LJK/SECURITY MODIFY ASSESSMENT WEEKLY/NODE=OLDVAX/POLICY=MY_POLICY
      

Specify that for assessment WEEKLY policy MY_POLICY is to be used for assessing the security of node OLDVAX.

$ LJK/SECURITY MODIFY ASSESSMENT WEEKLY/NODE=OLDVAX - 
/POLICY=MY_POLICY,WEEKLY/NODE=NEWAXP/POLICY=MY_POLICY/RESULT=MT16
      

Specify that for assessment WEEKLY policy MY_POLICY is to be used for assessing the security of node OLDVAX, and also for node NEWAXP but that in the latter case assessment results are to be returned to the master node via magtape.

$ LJK/SECURITY MODIFY ASSESSMENT WEEKLY/NODE=OLDVAX - 
/METHOD=(BRIEF,COMPENSATING_CONTROLS)
      

Specify that for assessment WEEKLY when assessing the security of node OLDVAX the only methods to be used are BRIEF and COMPENSATING_CONTROLS.

• Modify a policy to change disables, limits or exemptions.
• Modify a policy by adding an item for a non-automatic method (Compensating Control, Interview, Invasive Testing, or Manual Examination).

Format

$ LJK/SECURITY MODIFY POLICY -

policy-name

or

LJKS„ MODIFY POLICY -

policy-name

restrictions

• You must have the facility-specific identifier LJK$SECURITY_ROLE_POLICY, LJK$SECURITY_MODIFY_POLICY or LJK$SECURITY_ALL.
• On systems prior to VAX VMS V6.0 or systems which do not have a Rights Database (RIGHTSLIST.DAT), you must have the SECURITY privilege.

Parameters

policy-name

Name of the policy to be modified.

As described in Section H.8, DCL Symbol Processing, DCL symbol substitution may be used for this parameter, even when using the Subsystem Command Format.

Description

1. Modifies a policy to change a limit or an exemption associated with a particular automatic test.
   Disable or enable testing for a particular automatic facility.
   Establish or remove suspension of testing for a particular facility.
   Qualifiers associated with this command in general cannot be used in combination. The exceptions are:
   • /TEST can (and must) be used with /EXEMPTION, /LIMIT or /REMOVE_EXEMPTION.
   • /VALUE can (and must) be used with /EXEMPTION or /LIMIT.
2. Establish all or part of a non-automatic Interview, Invasive Testing, or Manual Examination question or a Compensating control. For this usage, the first command for a given method and group must contain all except /TEXT= and /REMEDIATION=. Subsequent lines can contain only /TEXT=, /REMEDIATION, along with the qualifiers specifying the method andgroup.

Qualifiers

/AUDIT (D)

/NOAUDIT

Specifies that the contents of policy records created should be displayed, including audit information.

/COMMENT=comment-text

/NOCOMMENT (D)

Comment of up to 80 characters to be associated with modification(s) made to the policy. For limits (not exemptions¹ or disables), the comment you enter will be included in violation reports when you run an assessment. This makes the comment facility useful for citing an authority for a policy settings such as an internal memo or an external set of requirements like Payment Card Industry Data Security Standard (PCI DSS), NIST Special Publication 800-53, CNSS Instruction 1253 or DoD Instruction 8500.2.

If you divide a comment into segments with commas, reports will successively combine the first segment with each of the other segment, covering cases where a single test covers multiple rules from your external set of requirements.

If no /COMMENT= qualifier is provided, any existing value will be preserved for MODIFY POLICY commands with the qualifier:

• /LIMIT
  in all cases.
• /EXEMPTION
  when the /TEST= qualifier specifies (DISK,DISK_CHECKPROT,<any-valid-value>).

/COMPENSATING_CONTROL=item-name

Indicates that a Compensating Control statement is being added to the policy specified by the parameter.

A Compensating Control should be used where a system does not follow the rules of a particular discipline exactly and other measures must be taken to make up for that.

For situations where VMS systems automatically meet the requirements and you want to document that without asking a question, use one of the preordained formats:

• /FORMAT=YES=YES
• /FORMAT=NO=NO

/DISABLE=facility

/NODISABLE (D)

Indicates for the Automatic method that the specified facility is not to be tested under the subject policy.

/ENABLE=facility

/NOENABLE (D)

Indicates for the Automatic method that the specified facility is to be tested under the subject policy.

/EXEMPTION=(argument,...)

/NOEXEMPTION (D)

Specifies for the Automatic method that an exemption is to be set in the policy. Successive arguments in the list give the test-specific information regarding which violations are to be exempt.

/FORMAT=format-description

Specifies the answer required for a particular question being added to the policy specified by the parameter.

• Date related:
  • /FORMAT=DATE=MAXPRIOR=LIMIT=(facility,element,constraint)
  • /FORMAT=DATE=MAXPRIOR=VALUE=number
• Image checksum
  • /FORMAT=IMAGE_TESTED
• Numeric
  • /FORMAT=NUMBER=MINIMUM=LIMIT=(facility,element,constraint)
  • /FORMAT=NUMBER=MINIMUM=VALUE=number
  • /FORMAT=NUMBER=MAXIMUM=LIMIT=(facility,element,constraint)
  • /FORMAT=NUMBER=MAXIMUM=VALUE=number
  • /FORMAT=NUMBER=MATCH=LIMIT=(facility,element,constraint)
  • /FORMAT=NUMBER=MATCH=VALUE=number
• Operating system evaluation
  • /FORMAT=VMS_VERSION_EVALUATED
  • /FORMAT=SEVMS_VERSION_EVALUATED
• Preordained
  • /FORMAT=YES=YES
  • /FORMAT=NO=NO
  Questions get a presumed answer rather than being asked. This is useful where the answer to a question is inherent in the nature of VMS.
  Using a question with a preordained format in a predicate pair is not particularly useful.
• Boolean
  • /FORMAT=YES_NO=YES
  • /FORMAT=YES_NO=YES_OR_UNASKED
  • /FORMAT=YES_NO=NO
  • /FORMAT=YES_NO=NO_OR_UNASKED
  • /FORMAT=YES_NO=IMMATERIAL
  • /FORMAT=YES_NO=LIMIT=(facility,element,constraint)

In larger organizations questions for the non-automatic methods are asked on a single node under one assessment and those answers are used in other assessments since they apply to multiple nodes. Examples of collections of nodes that share answers for non-automatic methods would be all those in a given computer room, all those subject to a particular personnel regime, etc.

There are a few deviations from that general design, where particular /FORMAT= values result in a question being sent to all nodes and silently answered to be sure the set of answers used in common can be properly applied to the nodes that use it as a common control:

1. /FORMAT=IMAGE_TESTED
2. /FORMAT=VMS_VERSION_EVALUATED
3. /FORMAT=SEVMS_VERSION_EVALUATED

Thus failures for non-automatic items using those /FORMAT= values are based on not matching the results from other nodes rather than being based on not matching a human-specified value.

/GROUP=group-name

Indicates the name of the group to be used for the subject item within its method (Compensating Control, Interview, Invasive Testing, or Manual Examination).

If no group by that name exists for the method, such a group will be created.

The group is the handle by which questions are assigned to particular individuals for answering and by which those individuals select the set of questions they will ask at a particular time. It is also the boundary within which /IFANSWER= predicate item names are valid. A given group is unique to a particular method and using the same name for a different method refers to a different group.

The total number of questions included in a single group is limited by the VMS virtual address space of the process in which the LJK/SECURITY ANSWER command is given. If there is insufficient virtual address space, the user who issued the LJK/SECURITY ANSWER command will get the error:

%SYSTEM-F-STKOVF, stack overflow, PC=00000000, PS=00000000

Groups of 30 questions are reasonable - groups of 100 questions are not. That aligns well with what a human assessor is likely to find acceptable.

/IFANSWER=(predicate-condition-pair-list)

A series of up to 5 predicate pairs consisting of:

1. Item Name from the same method and group.
2. Condition proper value for that prior Item.

indicating the answer to that previous item that will cause the new question to be asked.

Valid values for the Condition half of the predicate pair are:

• YES The antecedent item must have gotten a YES answer.
• YES_OR_UNASKED The antecedent item must have gotten a YES answer or not been asked.
• NO The antecedent item must have gotten a NO answer.
• NO_OR_UNASKED The antecedent item must have gotten a NO answer or not been asked.

Note that in addition to the obvious handling of Boolean /FORMAT questions, the following /FORMAT questions also provide an antecedent value:

• /FORMAT=VMS_VERSION_EVALUATED Running an evaluated version of the operating system version means YES.
• /FORMAT=SEVMS_VERSION_EVALUATED Running an evaluated version of the operating system version means YES. is evaluated.
• /FORMAT=IMAGE_TESTED Image checksum matching that for the system on which questions were answered means YES.
• Date related:
  • /FORMAT=DATE=MAXPRIOR=LIMIT=(facility,element,constraint)
  • /FORMAT=DATE=MAXPRIOR=VALUE=number
  YES means the date entered met the criterion.
• Numeric
  • /FORMAT=NUMBER=MINIMUM=LIMIT=(facility,element,constraint)
  • /FORMAT=NUMBER=MINIMUM=VALUE=number
  • /FORMAT=NUMBER=MAXIMUM=LIMIT=(facility,element,constraint)
  • /FORMAT=NUMBER=MAXIMUM=VALUE=number
  • /FORMAT=NUMBER=MATCH=LIMIT=(facility,element,constraint)
  • /FORMAT=NUMBER=MATCH=VALUE=number
  YES means the number entered met the criterion.

Independent of the antecedent values described above, there is also a success value inherited by questions which do not get asked due to specification of an antecedent in one of the predicate pairs.

/INTERVIEW=item-name

Indicates that a Interview question is being added to the policy specified by the parameter.

/INVASIVE_TESTING=item-name

Indicates that an Invasive Testing question is being added to the policy specified by the parameter.

/LIMIT

/NOLIMIT (D)

Specifies for the Automatic method that a limit is to be set in the policy.

/LOG

/NOLOG (D)

Specifies that the contents of policy records created should be displayed.

/MANUAL_EXAMINATION=item-name

Indicates that a Manual Examination question is being added to the policy specified by the parameter.

/NEW

Indicates the start of a new non-automatic item (as distinguished from the continuation of an existing non-automatic item).

Every MODIFY POLICY command line containing the /NEW qualifier must also contain the /GROUP= /FORMAT= and /RESPONSIBILITY= qualifiers.

The /IFANSWER= /GROUP= /FORMAT= and /RESPONSIBILITY= qualifiers cannot be used in a command line that lacks the /NEW qualifier.

/REMOVE_EXEMPTION=(argument,...)

/NOREMOVE_EXEMPTION (D)

Specifies for the Automatic method that an exemption is to be set in the policy. Specifies that an exemption is to be removed from the policy. Successive arguments in the list give the test-specific information regarding which violations are to be exempt.

/RESPONSIBILITY=(TEAM=unit,TIMES=(activity,...))

Specifies two parameters of remediation:

1. TEAM=unit specifies the individual or group responsible for Remediation of violations of the question:
   • ACCSTAFF individuals managing accounts (usernames)
   • APPSTAFF individuals managing applications
   • ASSSTAFF individuals conducting security assessments
   • AUDSTAFF individuals managing auditing
   • CFGSTAFF individuals responsible for configuration control
   • CTGSTAFF individuals responsible for contingency planning
   • FACSTAFF individuals responsible for the physical facility
   • HDWSTAFF individuals responsible for hardware
   • INCSTAFF individuals involved in incident response
   • MEDSTAFF individuals involved in media handling and storage
   • NETSTAFF individuals managing network security
   • OPRSTAFF computer operators
   • PERSTAFF individuals handling personnel matters
   • POLSTAFF individuals responsible for policy
   • PT3STAFF individuals employed by third parties
   • PURSTAFF individuals performing purchasing
   • SECSTAFF individuals on the security staff
   • SYSSTAFF system managers
   • TRNSTAFF individuals devising and performing training
   • USRSTAFF users of the system
   • X01STAFF site-specific purpose
   • X02STAFF site-specific purpose
   • X03STAFF site-specific purpose
   • X04STAFF site-specific purpose
   • X05STAFF site-specific purpose
   • X06STAFF site-specific purpose
   • X07STAFF site-specific purpose
   • X08STAFF site-specific purpose
   • X09STAFF site-specific purpose
   • X10STAFF site-specific purpose
   • X11STAFF site-specific purpose
   • X12STAFF site-specific purpose Reports generated from an assessment will specify the Responsibility for each of those values by using the (VMS, REPORT, xxxxxxxxx) text value from your policy.
   • TIMES=(activity,...) specifies the classes of activities which must be completed to remediate the problem:
     • CHANGES - days to change an application
     • CONFIGURE - days to modify system parameters
     • INITIALIZE - days to distribute and acknowledge defects
     • MAXIMUM - days until all applications on the system get used
     • MEDIAN - days until half the applications on the system get used
     • VERIFY - days to rerun automatic tests to verify remediation
     • Y01DAYS - days for a site-specific purpose
     • Y02DAYS - days for a site-specific purpose
     • Y03DAYS - days for a site-specific purpose
     • Y04DAYS - days for a site-specific purpose
     • Y05DAYS - days for a site-specific purpose
     • Y06DAYS - days for a site-specific purpose
     The times the organization takes (on average) to complete each of those classes of activities is added together to calculate the expected completion date of the remediation. The times are added because the effort must be sequential, except for MEDIAN and MAXIMUM. For remediation that requires a complex access control change, it can take up to MAXIMUM before the effect of the change on all applications can be measured. The remediation CHANGES can potentially start after MEDIAN when at least a good portion of the affected applications can be identified. Variations in this process are more than swamped by typical abilities to estimate the time required for CHANGES.
     Reports generated from an assessment will calculate the duration for each remediation by using the (VMS, REMEDIATE, xxxxxxxxx) numeric values from your policy.

/REMEDIATION=remediation-text

Text of the remediation steps to follow for Interview, Invasive Testing, or Manual Examination) being added to the policy specified by the parameter.

The /REMEDIATION= qualifier can be used on successive lines, specifying the same Compensating Control, Interview, Invasive Testing, or Manual Examination and starting the /REMEDIATION= string with a plus sign to indicate a continuation of the string previously entered. This allows longer strings than are permitted by the limits of DCL.

/SELECTOR=argument

/NOSELECTOR (D)

Specifies for the Automatic method that only limits or exemptions for a particular selector be modified.

/TEST=(facility,element,constraint)

Specifies for the Automatic method the name of the test which is to be modified.

/TEXT=question-text

Text of the statement for method Compensating Control or the question to ask for Methods Interview, Invasive Testing, or Manual Examination.

The /TEXT= qualifier can be used on successive lines, specifying the same Compensating Control, Interview, Invasive Testing, or Manual Examination and starting the /TEXT= string with a plus sign to indicate a continuation of the string previously entered. This allows longer strings than are permitted by the limits of DCL.

/VALUE=value

/NOVALUE (D)

Specifies for the Automatic method the value to be associated with the limit or exemption being added to a test.

EXAMPLES FOR AUTOMATIC METHOD

The data types for the /EXEMPTION, /REMOVE_EXEMPTION and /VALUE qualifiers, as well as the number of values for the /EXEMPTION and /REMOVE_EXEMPTION qualifiers depend upon which test is being modified.

$  LJK/SECURITY MODIFY POLICY MY_POLICY - 
/LIMIT/TEST=(UAF,PWDMINLEN,ABSOLUTLO)- 
/SELECTOR=(SYSPRV)/VALUE=9
      

Specify that the UAF test PWDMINLEN lower limit (ABSOLUTLO) shall be 9 for usernames with the explicit or implicit privilege SYSPRV.

$  LJK/SECURITY MODIFY POLICY MY_POLICY - 
/EXEMPTION=(BIGVAX,JONES)- 
/TEST=(UAF,PWDMINLEN,ABSOLUTLO)/VALUE=12
      

Allow user JONES on node BIGVAX to have a minimum password length as low as 12 rather than the limit specified by the general policy.

The exemptions can only be to loosen standards, not to tighten them. Within the DISK facility, the CHECKPROT element has tests that can be used to measure against a tighter standard.

EXAMPLES FOR NON-AUTOMATIC METHODS

Unlike Automatic Tests, Non-Automatic items cannot be modified once they have been inserted into a policy - a new policy must be created. For that reason, they can only be entered via DCL, typically as part of a pre-written command procedure that can be rerun after changes. Many users of LJK/Security will never create their own sets of Non-Automatic items, instead relying on those LJK Software provides for NIST, CNSS, 8500.2, PCI DSS, etc. But for those with a need to write their own, the examples below should help, particularly while also looking at the command procedures supplied by LJK Software as described in Section K.1, Example Command Procedures .

Note 1 Except for exemptions in the special exemption-driven tests of facility DISK element CHECKPROT.

---

Previous

Next

Contents

Index