LJK/Security Reference Manual

RUN

Start the collection of security data from tributary nodes.

Format

$ LJK/SECURITY RUN -

assessment-name

or
LJKS„ RUN -

assessment-name

Command Qualifiers	Defaults
/[NO]AFTER=absolute-time	/NOAFTER
/[NO]INTERVAL=delta-time	/NOINTERVAL
/METHOD=(...)
/TITLE=title-string	None.

restrictions

You must have the facility-specific identifier LJK$SECURITY_ROLE_OPERATE, LJK$SECURITY_RUN or LJK$SECURITY_ALL.
On systems prior to VAX VMS V6.0 or systems which do not have a Rights Database (RIGHTSLIST.DAT), you must have the SECURITY privilege.

Parameters

assessment-name
Name of the assessment.

Description

Start the collection of security data from tributary nodes.

Qualifiers

/AFTER=absolute-time

/NOAFTER (D)
Requests that the specified assessment not be made until the specified time. If the specified time has already passed, the assessment is started immediately.
You can specify either an absolute time or a combination of absolute and delta times. See the VMS documentation for complete information on specifying time values.
/INTERVAL=delta-time

/NOINTERVAL (D)
Requests that the specified assessment be re-run at regular intervals. See the VMS documentation for complete information on specifying delta time values.
If you specify both /AFTER=absolute-time and /INTERVAL=delta-time, the first assessment will be made at <absolute-time> and after that subsequent assessments will be made every <delta-time>.
When specifying /INTERVAL=delta-time you should ensure that <delta-time> is long enough to allow one run of an assessment to complete before the next run of that assessment is to start.
/METHOD=(ALL)

/METHOD=(AUTOMATIC_TESTING)

/METHOD=(COMPENSATING_CONTROLS)

/METHOD=(INTERVIEW)

/METHOD=(INVASIVE_TESTING)

/METHOD=(MANUAL_EXAMINATION)

/METHOD=(QUICK)
Specifies the assessment methods to be used for one or more nodes in an assessment, overriding that assigned by the MODIFY ASSESSMENT command:

ALL
Include all the assessment methods below.
AUTOMATIC_TESTING
Include all automatic testing (the method used before LJK/Security V3.0).
COMPENSATING_CONTROLS
Include compensating control information in assessment results.
MANUAL_EXAMINATION
Include the manual examination method, requiring designated individuals to review documents, physical security, etc.
INTERVIEW
Include the interview examination method, requiring designated individuals to ask questions of particular sets of people.
INVASIVE_TESTING
Include the invasive testing examination method, requiring extensive effort at testing mechanisms (particularly for non-evaluated versions of VMS) and activities.
QUICK
Include only that automatic testing which can be done quickly, omitting the DISK and USAGE facilities.
This qualifier can accept a list of methods inside the parentheses, such as:
/METHODS=(QUICK,INVASIVE_TESTING)
If only one method is being specified, the parentheses are not required.
/TITLE=title-string
Specifies the title-string that should be used on reports from this assessment.

Example


$ LJK/SECURITY RUN MY_SPECIAL/AFTER="21:00"

Run assessment MY_SPECIAL today at 9 pm.


$ LJK/SECURITY RUN WEEKLY_FULL/AFTER="TOMORROW+0-03"/INTERVAL="7-"

Run assessment WEEKLY_FULL at 3 am tomorrow and every week thereafter.


$ LJK/SECURITY RUN WEEKLY_FULL/METHOD=ALL

Run assessment WEEKLY_FULL now for all methods.

SET PROGRESS

Store information to be displayed when the key combination [Ctrl/T] is pressed.

Format

$ LJK/SECURITY SET PROGRESS -

assessment-name

or
LJKS„ SET PROGRESS -

assessment-name

Command Qualifiers	Defaults
/PERCENTAGE=number
/TEXT=string

restrictions

None.

Parameters

None.

Description

Store information to be displayed when the key combination [Ctrl/T] is pressed.
This command allows you to provide progress information throughout a long command procedure and make it available to the user on demand.

Qualifiers

/PERCENTAGE=number
Specifies a numeric percentage.
/TEXT=string
Specifies a text string.

Example


$ LJK/SECURITY SET PROGRESS /PERCENT=23 /TEXT="percent of command procedure is completed."

Set that text to be displayed when the key combination [Ctrl/T] is pressed.

SET TEMPLATE

Indicate that subsequent commands during this image activation are from a policy template command procedure.

Format

LJKS„ SET TEMPLATE

Command Qualifiers	Defaults
None.	None.

restrictions

None.

Parameters

None.

Description

In general, users never need to manually issue this command, but its effects are:

If a MODIFY POLICY command is applied to a test with the "from template" flag set, that flag is preserved.
If a MODIFY POLICY command is applied to a test with the "from vendor" flag set, that flag is replaced with the "from template" flag.
If a MODIFY POLICY command is applied to a test without the "from vendor" or "from template" set the value of the test is not changed, but the /COMMENT= field is updated (if provided).
Those effects apply only to MODIFY POLICY commands with the /LIMIT qualifier or with the /EXEMPTION= qualifier and a /TEST=(DISK,DISK_CHECKPROT,<any-valid-value>) qualifier.

Qualifiers

None.

Example


LJKS„ SET TEMPLATE

Indicate all subsequent policy modifications in this image activation are from a policy template command procedure.

SHOW ASSESSMENT

Display node, policy, transport-medium associations and default mechanisms from an existing assessment.

Format

$ LJK/SECURITY SHOW ASSESSMENT -

assessment-name

or
LJKS„ SHOW ASSESSMENT -

assessment-name

Command Qualifiers	Defaults
/ASSIGNMENTS=(...)
/AUDIT	None.
/HISTORY	None.
/OUTPUT[=file-spec]	/OUTPUT=SYS$OUTPUT

restrictions

You must have the facility-specific identifier LJK$SECURITY_ROLE_REVIEW, LJK$SECURITY_ROLE_POLICY, LJK$SECURITY_SHOW_ASSESSMENT or LJK$SECURITY_ALL.
On systems prior to VAX VMS V6.0 or systems which do not have a Rights Database (RIGHTSLIST.DAT), you must have the SECURITY privilege.

Parameters

assessment-name
Name of the assessment to be modified.
As described in Section H.8, DCL Symbol Processing, DCL symbol substitution may be used for this parameter, even when using the Subsystem Command Format.

Description

If the assessment name includes wildcard characters:
Displays a list of matching assessment names.
If the assessment name gives an exact name:
Reads a assessment from disk and displays its node, policy, transport-medium associations and default mechanisms.

Qualifiers

/ASSIGNMENTS=(INTERVIEW)

/ASSIGNMENTS=(INVASIVE_TESTING)

/ASSIGNMENTS=(MANUAL_EXAMINATION)
Specifies that assignments of various groups for the specified methods are to be shown. If the qualifier /ASSIGNMENTS is specified without a value, assignments for the groups of all methods will be shown.
/AUDIT

None.
Specifies whether information about assessment changes is displayed.
/HISTORY

/NOHISTORY (D)
Specifies that historical assessment contents be displayed in addition to current ones. By default only current assessment contents are displayed.
/OUTPUT[=SYS$OUTPUT] (D)

/OUTPUT=file-spec

/NOOUTPUT
Specifies the destination of the output listing. If /OUTPUT is specified without a value (the default) the listing is sent to SYS$OUTPUT.

Example


$ LJK/SECURITY SHOW ASSESSMENT MY_ASSESSMENT

Display the node, policy, transport-medium associations and default mechanisms for the subject assessment.


$ LJK/SECURITY SHOW ASSESSMENT *_TEMP/OUTPUT=ASSESSMENT.LIS

Create a list of the names of all assessments that end in "_TEMP".

SHOW NODES

Display information about tributary nodes currently authorized for this copy of LJK/Security.

Format

$ LJK/SECURITY SHOW NODES

or
LJKS„ SHOW NODES

Command Qualifiers	Defaults
/[NO]OUTPUT[=file-spec]	/OUTPUT=SYS$OUTPUT

restrictions

You must have the facility-specific identifier LJK$SECURITY_ROLE_REVIEW, LJK$SECURITY_ROLE_POLICY, LJK$SECURITY_SHOW_NODES or LJK$SECURITY_ALL.
On systems prior to VAX VMS V6.0 or systems which do not have a Rights Database (RIGHTSLIST.DAT), you must have the SECURITY privilege.

Parameters

None.

Description

The LJK/Security license terms say a license can be moved to another node as often as each 30 days. If you want to move LJK/Security from one tributary to another, use the command SHOW NODES to see which tributary nodes have had LJK/Security installed for more than 30 days.

Qualifiers

/OUTPUT[=SYS$OUTPUT] (D)

/OUTPUT=file-spec

/NOOUTPUT
Specifies the destination of the output listing. If /OUTPUT is specified without a value (the default) the listing is sent to SYS$OUTPUT.

Example


$ LJK/SECURITY SHOW NODES/OUTPUT=NODES.LIS

Create a list of the nodes currently occupying LJK/Security license slots.


$ LJK/SECURITY SHOW NODES %LJK-I-NODENOW, node ATHENS license slot can be freed now by: a. removing LJK/Security from the node and b. modifying assessments /NOPOLICY for the node %LJK-I-NODENOW, node PLUTO license slot can be freed now by: a. removing LJK/Security from the node and b. modifying assessments /NOPOLICY for the node %LJK-I-NODENOW, node RQ54J license slot can be freed now by: a. removing LJK/Security from the node and b. modifying assessments /NOPOLICY for the node %LJK-I-NODELATER, node TESTME license slot can be freed after after 22-FEB-2005 19:23:55.50 %LJK-I-NODELATER, node NEWVAX license slot can be freed after after 22-FEB-2005 19:40:59.03

$ LJK/SECURITY SHOW NODES
%LJK-I-NODENOW, node ATHENS license slot can be freed now by:
        a. removing LJK/Security from the node
                and
        b. modifying assessments /NOPOLICY for the node
%LJK-I-NODENOW, node PLUTO license slot can be freed now by:
        a. removing LJK/Security from the node
                and
        b. modifying assessments /NOPOLICY for the node
%LJK-I-NODENOW, node RQ54J license slot can be freed now by:
        a. removing LJK/Security from the node
                and
        b. modifying assessments /NOPOLICY for the node
%LJK-I-NODELATER, node TESTME license slot can be freed after after 22-FEB-2005 19:23:55.50
%LJK-I-NODELATER, node NEWVAX license slot can be freed after after 22-FEB-2005 19:40:59.03

Display a list of the nodes currently occupying LJK/Security license slots. The listing of each node indicates whether or not it has been occupying its license slot for the required 30 days.

SHOW POLICY

Display the limits and/or exemptions of an existing policy along with the non-automatic items of that policy.

Format

$ LJK/SECURITY SHOW POLICY -

policy-name

or
LJKS„ SHOW POLICY -

policy-name

Command Qualifiers	Defaults
/AUDIT	None.
/COMMAND_PROCEDURE	None.
/COMPENSATING_CONTROLS	None.
/EXEMPTIONS	/EXEMPTIONS
/HISTORY	None.
/INTERVIEW	None.
/INVASIVE_TESTING	None.
/LIMITS	/LIMITS
/MANUAL_EXAMINATION	None.
/OUTPUT[=file-spec]	/OUTPUT=SYS$OUTPUT
/SELECTOR=value	None.
/TEST=(facility,element.constraint)	None.

restrictions

You must have the facility-specific identifier LJK$SECURITY_ROLE_REVIEW, LJK$SECURITY_ROLE_POLICY, LJK$SECURITY_SHOW_POLICY or LJK$SECURITY_ALL.
On systems prior to VAX VMS V6.0 or systems which do not have a Rights Database (RIGHTSLIST.DAT), you must have the SECURITY privilege.

Parameters

policy-name
Name of the policy to be modified.
As described in Section H.8, DCL Symbol Processing, DCL symbol substitution may be used for this parameter, even when using the Subsystem Command Format.

Description

If the policy name includes wildcard characters:
Displays a list of all policy names.
If the policy name gives an exact name:
Reads a policy from disk and displays its limits and/or exemptions.

Qualifiers

/AUDIT

None.
Specifies whether information about policy changes is displayed.
/COMMAND_PROCEDURE

None.
Specifies whether the policy information is displayed in the format of a command procedure that could be edited to apply the same policy elements to another policy , as discussed in Section 7.9, SHOW POLICY/COMMAND_PROCEDURE . This qualifier is most useful in conjunction with the /OUTPUT= qualifier or with a particular /TEST= specification.
/COMPENSATING_CONTROLS
Specifies that compensating controls be displayed.
/EXEMPTIONS (D)
Specifies that exemptions be displayed (the default).
/HISTORY
Specifies that historical limits and/or exemptions be displayed in addition to current ones. By default only current limits and/or exemptions are displayed.
/INTERVIEW
Specifies that interviews be displayed.
/INVASIVE_TESTING
Specifies that invasive testing be displayed.
/LIMITS (D)
Specifies that limits be displayed (the default).
/MANUAL_EXAMINATION
Specifies that manual examination be displayed.
/OUTPUT[=SYS$OUTPUT] (D)

/OUTPUT=file-spec
Specifies the destination of the output listing. If /OUTPUT is specified without a value (the default) the listing is sent to SYS$OUTPUT.
/SELECTOR=value
Specifies that only limits and exemptions for a particular selector be displayed.
/TEST=(facility,element,constraint)
Specifies the name of a single test whose limits and/or exemptions are to be shown.

Example


$ LJK/SECURITY SHOW POLICY MY_POLICY

Show all limits and exemptions of the specified policy.


$ LJK/SECURITY SHOW POLICY MY_POLICY/TEST=(UAF,PWDMINLEN,ABSOLUTLO)/EXEMPTIONS

Show only limits and exemptions of the specified test within the specified policy.

SHUTDOWN

Perform an orderly shutdown of the LJK/Security master process.

Format

$ LJK/SECURITY SHUTDOWN

or
LJKS„ SHUTDOWN

Command Qualifiers	Defaults
None.	None.

restrictions

You must have the facility-specific identifier LJK$SECURITY_ROLE_STARTUP, LJK$SECURITY_SHUTDOWN or LJK$SECURITY_ALL.
On systems prior to VAX VMS V6.0 or systems which do not have a Rights Database (RIGHTSLIST.DAT), you must have the SECURITY privilege.

Parameters

None.

Description

LJK/Security starts a permanent detached master process on each master node, typically with a process name of "LJK/Security".
When a new version of LJK/Security is installed, this command is automatically invoked by the installation command procedure to shut down the master process which is running the previous version.
Although this command is available for explicit use, there are no particular circumstances in which SHUTDOWN is recommended by LJK Software.

Qualifiers

None.

Contents

Index