The following examples are for the Invasive Testing method. The approach for Interview and Manual Examination methods is the same, while for the Compensating Control method the only difference is no support for the /REMEDIATION= qualifier.

#1
$ LJK/SECURITY MODIFY POLICY MY_POLICY /INVASIVE_TESTING=SAMP_401 /NEW - /GROUP=SAMPLE_QUESTIONS - /FORMAT=VMS_VERSION_EVALUATED - /RESPONSIBILITY=(TEAM=ASSSTAFF,TIMES=(INITIALIZE,CONFIGURE,VERIFY)) - /TEXT="Is this version of VMS evaluated ?" - /REMEDIATION="Report an error in LJK/Security."

That question gets answered automatically, and is present to set a predicate condition controlling the asking of subsequent questions. Thus the /TEXT= and /REMEDIATION= sentences are never displayed and are entered there just to allow those reading the command procedure to understand what is going on.

Likewise the /RESPONSIBILITY=TEAM= field is not directly useful, but in case something went awry it is directed to those who perform security assessments by running LJK/Security.

Finally, the /RESPONSIBILITY= times are just a hint to the reader of what would be required to change VMS versions. Items whose /FORMAT is VMS_VERSION_EVALUATED do not actually generate a violation notice.

$  LJK/SECURITY MODIFY POLICY MY_POLICY /INVASIVE_TESTING=SAMP_402 /NEW - 
/GROUP=SAMPLE_QUESTIONS /IFANSWER=(SAMP_401,NO) - 
/FORMAT=DATE=MAXPRIOR=VALUE=365 - 
/RESPONSIBILITY=(TEAM=ASSSTAFF,TIMES=(CHANGES,VERIFY)) - 
/TEXT="On what date was the testing of the VMS file protection mechanism completed ?" - 
/REMEDIATION="Rerun the testing of the VMS file protection mechanism completed ?" 
      

This question is not asked if the answer to question SAMP_401 of the INVASIVE_TESTING SAMPLE_QUESTIONS group indicates this is an evaluated version of VMS. In that case, the integrity of the VMS file protection mechanism can be relied upon, and a "no violation" status is inherited from question SAMP_401 of the INVASIVE_TESTING SAMPLE_QUESTIONS group.

The answer provided by the person doing the assessment is compared to the number 365, indicating that retesting should occur on an annual basis.

The /RESPONSIBILITY=TIMES= includes CHANGES because the time required to perform a complete testing of the file protection system for a particular version of VMS (typically on a non-production system) will be like that required for a major application change likely swamping the VERIFY timing of rerunning automatic tests.

$  LJK/SECURITY MODIFY POLICY MY_POLICY /INVASIVE_TESTING=SAMP_403 /NEW - 
/GROUP=SAMPLE_QUESTIONS /IFANSWER=(SAMP_401,NO) - 
/FORMAT=DATE=MAXPRIOR=LIMIT=(USAGE,ASSESSMENT,PERIODIC) - 
/RESPONSIBILITY=(TEAM=ASSSTAFF,TIMES=(CHANGES,VERIFY)) - 
/TEXT="On what date was the testing of the VMS file protection mechanism completed ?" - 
/REMEDIATION="Rerun the testing of the VMS file protection mechanism completed ?" 
      

This question is not asked if the answer to question SAMP_401 of the INVASIVE_TESTING SAMPLE_QUESTIONS group indicates this is an evaluated version of VMS. In that case, the integrity of the VMS file protection mechanism can be relied upon.

The answer provided by the person doing the assessment is compared to the Limit (USAGE,ASSESSMENT,PERIODIC), indicating that retesting should occur at least as often as that automatic testing.

The /RESPONSIBILITY=TIMES= includes CHANGES because the time required to perform a complete testing of the file protection system for a particular version of VMS (typically on a non-production system) will be more like that required for a major application change likely swamping the VERIFY timing of rerunning automatic tests.

Asking both question SAMP_402 and question SAMP_403 is a bit of overkill - most organizations are satisfied to measure their testing frequency against just one of those criteria. But including both questions in this list of examples shows the reader both approaches.

$  LJK/SECURITY MODIFY POLICY MY_POLICY /INVASIVE_TESTING=SAMP_404 /NEW - 
/GROUP=SAMPLE_QUESTIONS /IFANSWER=(SAMP_401,NO,SAMP_402,YES,SAMP_403,YES) - 
/FORMAT=YES=YES - 
/RESPONSIBILITY=(TEAM=ASSSTAFF,TIMES=(INITIALIZE)) - 
/TEXT="Was the original implementation of the VMS file system produced prior to 1980 ?" - 
/REMEDIATION="No remediation - automatically answered as YES." 
      

This question is not considered if the answer to question SAMP_401 of the INVASIVE_TESTING SAMPLE_QUESTIONS group indicates this is an evaluated version of VMS. In that case, the integrity of the VMS file protection mechanism can be relied upon.

This question is not considered if the answer to question SAMP_402 or question SAMP_403 indicates the most recent evaluation was not within the criteria, and a "violation" status is inherited from the failed question.

This question is not actually asked - if considered it gets an automatic answer of "NO".

INITIALIZE is the shortest time period available for this non-action.

$  LJK/SECURITY MODIFY POLICY MY_POLICY /INVASIVE_TESTING=SAMP_405 /NEW - 
/GROUP=SAMPLE_QUESTIONS /IFANSWER=(SAMP_401,NO,SAMP_402,YES,SAMP_403,YES) - 
/FORMAT=NO=NO - 
/RESPONSIBILITY=(TEAM=ASSSTAFF,TIMES=(CHANGES)) 
$  LJK/SECURITY MODIFY POLICY MY_POLICY /INVASIVE_TESTING=SAMP_405 - 
/TEXT="Is all application access to the file system mediated through a relational database ?" 
$  LJK/SECURITY MODIFY POLICY MY_POLICY /INVASIVE_TESTING=SAMP_405 - 
/REMEDIATION="The nature of VMS is to have a file system as part of the system primitives." 
$  LJK/SECURITY MODIFY POLICY MY_POLICY /INVASIVE_TESTING=SAMP_405 - 
/REMEDIATION="+Speak to higher authorities about the folly of putting such " 
$  LJK/SECURITY MODIFY POLICY MY_POLICY /INVASIVE_TESTING=SAMP_405 - 
/REMEDIATION="+an OS/400-centric question into the organizational criteria." 
      

This question is not considered if the answer to question SAMP_401 of the INVASIVE_TESTING SAMPLE_QUESTIONS group indicates this is an evaluated version of VMS. In that case, the integrity of the VMS file protection mechanism can be relied upon.

This question is not actually asked - if considered it gets an automatic answer of "NO".

This question is not considered if the answer to question SAMP_402 or question SAMP_403 indicates the most recent evaluation was not within the criteria, and a "violation" status is inherited from the failed question.

This question is split into multiple lines to avoid DCL line length limits. Subsequent lines carry only the /INVASIVE_TESTING=SAMP_405 and the /TEXT= or /REMEDIATION= qualifiers. The rest is set on the initial line.

Note that subsequent contributions to /TEXT= or /REMEDIATION= start with a plus sign.

The /RESPONSIBILITY=TIMES= is CHANGES because the time required to convince higher authorities about the folly of a policy.

$  LJK/SECURITY MODIFY POLICY MY_POLICY /INVASIVE_TESTING=SAMP_406 /NEW - 
/GROUP=SAMPLE_QUESTIONS /IFANSWER=(SAMP_401,NO,SAMP_402,YES,SAMP_403,YES) - 
/FORMAT=YES_OR_UNASKED - 
/RESPONSIBILITY=(TEAM=ASSSTAFF,TIMES=(INITIALIZE,CONFIGURE,MEDIAN,MAXIMUM,CHANGES,VERIFY)) - 
/TEXT="Does the file system source code show that file names can use 8 bit characters ?" - 
/REMEDIATION="Report the 8 bit character shortcoming to the VMS vendor and get them to fix it." 
      

This question is not asked if the answer to question SAMP_401 of the INVASIVE_TESTING SAMPLE_QUESTIONS group indicates this is an evaluated version of VMS. In that case, the integrity of the VMS file protection mechanism can be relied upon.

This question is not asked if the answer to question SAMP_402 or question SAMP_403 indicates the most recent evaluation was not within the criteria, and a "violation" status is inherited from the failed question.

The qualifier /FORMAT=YES_OR_UNASKED indicates that if predicate analysis causes this question to be skipped, it will be considered a "success" by subsequent questions naming it in a predicate pair.

The /RESPONSIBILITY=TIMES= is CHANGES because the time required to convince the VMS vendor to make a change. Some sites might prefer to use one of the Y0xDAYS activity classes to have an even longer category than CHANGES.

Used by LJK Software for use in starting LJK/Security software over DECnet connections.

Available to customers for use in LJK/Security software over TCP/IP or other connections.

Format

$ LJK/SECURITY REMOTE device-name

or

MCR LJK$SECURITY REMOTE device-name

restrictions

• You must have the facility-specific identifier LJK$SECURITY_ROLE_STARTUP, LJK$SECURITY_REMOTE or LJK$SECURITY_ALL.
• On systems prior to VAX VMS V6.0 or systems which do not have a Rights Database (RIGHTSLIST.DAT), you must have the SECURITY privilege.

Parameters

device-name

Name of the device from which the incoming transfer of a Request or Results is to be received.

The name can have a maximum of 15 characters, so attempting to receive from a disk file requires use of a logical name no longer that 15 characters whose equivalence name is the actual file specification.

Description

Used by LJK Software for use in starting LJK/Security software over DECnet connections.

Available to customers for use in LJK/Security software over TCP/IP or other connections.

On tributary nodes the MCR form of the command must be used, so most who use this in command procedures find it simpler to always use the MCR form.

Qualifiers

None.

Remove LJK/Security software from a node.

Format

$ MCR LJK$SECURITY REMOVE

restrictions

• You must have full system management privileges as well as the identifier LJK$SECURITY_ROLE_STARTUP, LJK$SECURITY_REMOVE or LJK$SECURITY_ALL.
• On systems prior to VAX VMS V6.0 or systems which do not have a Rights Database (RIGHTSLIST.DAT), you must have the SECURITY privilege and also full system management privileges.

Parameters

None.

Description

Remove LJK/Security software from a node.

Before attempting to remove the LJK/Security software, all use of it should be completed on the node and any nodes with which it shares a system disk.

The REMOVE command will automatically perform an orderly shutdown of the LJK/Security master process on the local node, but it does not do so for other nodes which might share the system disk.

The MCR LJK$SECURITY REMOVE takes a different form from most commands because it is also supported on tributary nodes, where the command form LJK/SECURITY is not available.

Note Do not use the SYSMAN utility to issue this command between nodes, since that command does not fully replicate the normal process context and only a partial removal will be achieved.

Shared System Disks For shared system disks, use the SHUTDOWN command first on all nodes to avoid problems. Some residue will be cleaned up by the next disk rebuild, typically the next time the nodes are rebooted.

Qualifiers

None.

Give the results of a completed assessment.

Format

$ LJK/SECURITY REPORT -

assessment-name

or

LJKS„ REPORT -

assessment-name

restrictions

• You must have the facility-specific identifier LJK$SECURITY_ROLE_REVIEW, LJK$SECURITY_REPORT or LJK$SECURITY_ALL.
• On systems prior to VAX VMS V6.0 or systems which do not have a Rights Database (RIGHTSLIST.DAT), you must have the SECURITY privilege.

Parameters

assessment-name

Name of the assessment.

Description

Give the results of a completed assessment. Along with each report of a test failure is included any /COMMENT value specified in setting the value of the LIMIT (not exemptions¹) for that test.

The command

$ LJK/SECURITY REPORT <assessment-name>

may return to DCL the special non-failure status

%LJK-I-NOTCOMPLETE, This assessment has not completed on all nodes

indicating a later check might be appropriate. That situation can be checked with the DCL test

$ IF $SEVERITY .EQ. 3

The exact effect of the qualifiers /DETAIL, /SUMMARY= and /REMEDIATION qualifiers depends on the Report Formatting Module, so if you provide an alternate Report Formatting Module results may differ from those documented here.

Qualifiers

/DETAIL=(COMMENT,TEST)

/DETAIL=COMMENT

/DETAIL=RESPONSIBILITY

/DETAIL=TEST (D)

/NODETAIL

Specifies that details of assessment results should be given, arranging the results by:

• /DETAIL=COMMENT
  Arrange according to the comment instances from /COMMENT values.
  
• /DETAIL=(COMMENT,TEST)
  Arrange first according to the comment instances from /COMMENT values and second according to test names.
  
• /DETAIL=RESPONSIBILITY
  Arrange according to who is responsible for Remediation.
• /DETAIL=TEST
  Arrange according to test names.

The /DETAIL and /STATUS_ONLY qualifiers cannot be used together.

/FORMAT=(report-format,...)

Specifies the format in which report output is to be generated. Multiple non-conflicting values can be included in a parenthesized list.

• /FORMAT=TYPE=TEXT (default)
  Sequential file output to the screen or /OUTPUT=filespec. This value is incompatible with /FORMAT=TYPE=HTML.
• /FORMAT=TYPE=HTML
  Requires that /OUTPUT= specify an empty directory. This value is incompatible with /FORMAT=TYPE=TEXT.
  /FORMAT=TYPE=HTML requires that /OUTPUT= specify an empty directory.
  Remaining /FORMAT= values in this list apply only in combination with /FORMAT=TYPE=HTML.
• /FORMAT=LOGO=<filespec>
  Specifies the filespec of a logo to be included on the report.
• /FORMAT=ALT=<quoted-string>
  Specifies HTML alternate text for the LOGO.
• /FORMAT=DOCUMENTATION
  Indicates that tests for which no violations are found should be linked to a copy of the product documentation included in the output directory.

Sending HTML Results to non-VMS Operating Systems To assist those who are creating HTML reports to be provided to reviewers using non-VMS systems, the HTML files created are in Stream format. This means all the *.HTML and *.GIF files created in the output subdirectory can be transferred to the non-VMS system in Binary mode. The user must take other measures to ensure VMS version numbers are removed if that is required on the target operating system. Using the version of FTP provided by the "Multinet" product, that is done with the command RETAIN OFF. In other cases, running a script on the target system might be required.

Note that interpretation of the /FORMAT qualifier depends on which Report Formatting Module is in use. For other than the default /PROCESSOR value (or when the logical name LJK$SECURITY_REPORT has been defined) consult documentation for the Report Formatting Module in use.

/OUTPUT (D)

/OUTPUT=file-spec

/NOOUTPUT

Specifies the destination of the output listing. If /OUTPUT is specified without a value (the default) the listing is sent to SYS$OUTPUT. If /OUTPUT is specified with a value for a disk file, the file will be created with protection preventing access by group and world in order to protect sensitive contents of the report.

/PROCESSOR=file-spec

/NOPROCESSOR

Specifies the Report Formatting Module that will produce the output. In lieu of using the /PROCESSOR qualifier, a user can define the logical name LJK$SECURITY_REPORT.

/REMEDIATION=DATE

/REMEDIATION=RESPONSIBILITY

/NOREMEDIATION (D)

The report is to contain steps necessary to remedy violations found in assessing the system, arranging the results by:

• /REMEDIATION=DATE
  Arrange according to the date when Remediation is due.
  
• /REMEDIATION=RESPONSIBILITY
  Arrange according to who is responsible for Remediation.

The /REMEDIATION and /STATUS_ONLY qualifiers cannot be used together.

/SHOW=(ALL)

/SHOW=(AUTOMATIC_TESTING) (D)

/SHOW=(COMPENSATING_CONTROLS)

/SHOW=(INTERVIEW)

/SHOW=(INVASIVE_TESTING)

/SHOW=(MANUAL_EXAMINATION)

/SHOW=(QUICK)

Specifies the assessment methods to be included in the report:

• ALL
  Include all the assessment methods below.
• AUTOMATIC_TESTING
  Include all automatic testing (the method used before LJK/Security V3.0).
• COMPENSATING_CONTROLS
  Include compensating control information in assessment results.
• MANUAL_EXAMINATION
  Include the manual examination method, requiring designated individuals to review documents, physical security, etc.
• INTERVIEW
  Include the interview examination method, requiring designated individuals to ask questions of particular sets of people.
• INVASIVE_TESTING
  Include the invasive testing examination method, requiring extensive effort at testing mechanisms (particularly for non-evaluated versions of VMS) and activities.
• QUICK
  Include only that automatic testing which was done quickly, omitting the DISK and USAGE facilities.

This qualifier can accept a list of methods inside the parentheses, such as:

/SHOW=(QUICK,INVASIVE_TESTING)

/STATUS_ONLY

/NOSTATUS_ONLY (D)

The report is to contain only indications as to the completion of the assessment. The /SUMMARY and /STATUS_ONLY qualifiers cannot be used together.

/SUMMARY=(COMMENT,TEST)

/SUMMARY=COMMENT

/SUMMARY=RESPONSIBILITY

/SUMMARY=TEST (D)

Specifies that a summary of assessment results should be given, showing the total number of violations found:

• /SUMMARY=COMMENT
  Summarize according to the full text of /COMMENT values.
  
• /SUMMARY=(COMMENT,TEST)
  Summarize first according to the full text of /COMMENT values and second according to test names.
  
• /SUMMARY=RESPONSIBILITY
  Summarize according to who is responsible for Remediation.
• /SUMMARY=TEST
  Summarize according to test names.

The /SUMMARY and /STATUS_ONLY qualifiers cannot be used together.

/TESTNAMES (D)

/NOTESTNAMES

The report is to contain names of LJK/Security tests in addition to the result text.

/TITLE=title-string

Specifies the title-string that should be used with this report. If this title-string is not specified, the report uses the value specified with any /TITLE qualifier used on the MODIFY ASSESSMENT command. This title-string can be overridden with the /TITLE qualifier on the RUN command.

Example

$ LJK/SECURITY REPORT <assessment-name>
      

Display a report on the user terminal.

$ LJK/SECURITY REPORT/OUTPUT=SYS$LOGIN:RESULTS.LIS <assessment-name>
      

Store a report in the specified file on disk.

$ LJK/SECURITY REPORT /REMEDIATION=DATE <assessment-name>
      

Include remediation information in the report arranged by due date.

$ LJK/SECURITY REPORT /REMEDIATION=RESPONSIBILITY <assessment-name>
      

Include remediation information in the report arranged by responsible department.

$ LJK/SECURITY REPORT /SUMMARY=COMMENT <assessment-name>
      

Produce a summary report based on comment.

$ LJK/SECURITY REPORT /SUMMARY=(TEST,COMMENT) <assessment-name>
      

Produce a summary report based on comment and then test.

$ LJK/SECURITY REPORT /SUMMARY=TEST <assessment-name>
      

Produce a summary report based on test.

$ LJK/SECURITY REPORT /DETAIL=COMMENT <assessment-name>
      

Produce a detailed report arranged by comment.

$ LJK/SECURITY REPORT /DETAIL=(TEST,COMMENT) <assessment-name>
      

Produce a detailed report arranged by comment and then test.

$ LJK/SECURITY REPORT /DETAIL=TEST <assessment-name>
      

Produce a detailed report arranged by test.