This chapter discusses the uses of assessment modification.

Modification of assessments gives you the ability to apply differing policies and transmission media to various nodes in your organization. It is rare that an organization which has totally uniform uses for all VMS systems, and thus it is rare than an organization has totally uniform security needs for all those systems.

Specifying the name of a node when modifying a assessment serves to add the node to that assessment.

To remove a node from an assessment modify the assessment to give the node a policy name which is blank. Technically a record of the node will remain in the file (for audit-trail purposes, if nothing else) but the node will not be included when the assessment is run.

Modifying an assessment to change the policy associated with a node will cause subsequent RUN commands for that assessment to use the new policy. Any previous RUN commands (even those specifying an AFTER or INTERVAL time) will use the policy in effect at the time the RUN command was issued.

8.3 Changing Request Media

Modifying an assessment to change the request medium associated with a node will cause subsequent RUN commands for that assessment to use the new request medium. Any previous RUN commands (even those specifying an AFTER or INTERVAL time) will use the request medium in effect at the time the RUN command was issued.

8.4 Changing Result Media

Modifying an assessment to change the result medium associated with a node will cause subsequent RUN commands for that assessment to use the new result medium. Any previous RUN commands (even those specifying an AFTER or INTERVAL time) will use the result medium in effect at the time the RUN command was issued.

8.5 Changing Default Methods

Modifying an assessment to change the default methods associated with a node will cause subsequent RUN commands for that assessment to use the new default methods. Any previous RUN commands (even those specifying an AFTER or INTERVAL time) will use the methods (default or otherwise) in effect at the time the RUN command was issued.

8.6 Audit history

The audit history mechanism can be used to show when changes were made to your assessments.

This chapter describes how to access LJK/Security from programs you have written in VMS programming languages.

As used below, names of the form LJK$SECURITY_*_xxx.EXE stand for both LJK$SECURITY_*_AXP.EXE and LJK$SECURITY_*_VAX.EXE.

9.1 Master Node Invocation Entrypoints

These entrypoints to the shareable image LJK$SECURITY_SHARE_xxx.EXE are used to invoke LJK/Security from a user program on the master node. Their use on a tributary node is not supported.

By calling these entrypoints, a user program effectively replaces the small program LJK$SECURITY_xxx.EXE which is normally used to process the command LJK/SECURITY.

In order to call these entrypoints, a user program must be linked against the shareable image SYS$LIBRARY:LJK$SECURITY_SHARE or it must invoke the entrypoints within that image by using the VMS function LIB$FIND_IMAGE_SYMBOL.

For successful invocation of anything other than a parsing function, certain privileges are required:

• Appropriate facility-specific identifiers as discussed in Section 5.4.
  Those identifiers are required by LJK/Security to ensure that the person running the program is authorized to perform security functions.
  The process running the program must have the identifier. That means the identifier must have been granted to the user before process login.
• Other privileges
  Various privileges which are outlined in Appendix I, Use of Privilege by LJK/Security, are actually used by LJK/Security in performing its functions.
  These privileges may be obtained in three ways:
  1. The user may hold the privilege
  2. The user may have the ability to set the privilege
  3. The program may be installed with the privilege
  LJK Software does not recommend approach number 3, even though it is used for the installation of LJK/Security itself. Programs which are installed with file-related privileges, however, are susceptible to being subverted by unprivileged users unless one of the following is true:
  1. They are very carefully written to avoid subversion
  2. They are so trivial as to defy subversion
  LJK$SECURITY_SHARE_xxx.EXE, the shareable image which performs the bulk of the work for LJK/Security, takes the first approach.
  LJK$SECURITY_xxx.EXE (the program being replaced by a user program which calls these entrypoints) takes the second approach. It is an extremely simple program, merely calling the entrypoints listed below. Presumably any user program replacing it will be considerably more complicated, or there would be no reason to make the replacement.

These entrypoints are used to parse LJK/Security commands in preparation for subsequent execution. If one of them is called without a subsequent call to the execution entrypoint, it serves to "test" the command for legality.

9.1.1.1 LJK$SECURITY_PARSE_DCL entry

This entrypoint takes a single parameter which is a string descriptor of the command to be parsed. It returns status in R0.

9.1.1.2 LJK$SECURITY_PARSE_CLI entry

This entrypoint takes no parameters, but parses the command which was used to invoke the program. It returns status in R0.

9.1.1.3 LJK$SECURITY_PARSE_FOREIGN entry

This entrypoint takes no parameters, but parses a foreign command which was used to invoke the program. It returns status in R0.

9.1.2 Execution Entrypoint

9.1.2.1 LJK$SECURITY_EXECUTE entry

Note that the call to a parsing routine above may produce results which cause multiple subsequent commands to be parsed within the call to the execution entrypoint. Cases where this happen include:

1. Empty command invoking "subsystem" operation
2. Empty command invoking Menu Interface

The following pages contain full descriptions of each Invocation entrypoint.

Parse the LJK/SECURITY command that is passed as a parameter, storing the results for a subsequent call.

Format

status =LJK$SECURITY_PARSE_DCL (command)

RETURNS

VMS usage:	cond_value
type:	longword (unsigned)
access:	write only
mechanism:	by value

Arguments

command

VMS usage:	char_string
type:	character string
access:	read only
mechanism:	by descriptor

The command which is to be parsed. It must start with the string "LJK/SECURITY " (ending in a space).

Description

This entrypoint takes a single parameter which is a string descriptor of the command to be parsed. It returns status in R0.

Parse the LJK/SECURITY command that was used to invoke the program, storing the results for a subsequent call.

Format

status=LJK$SECURITY_PARSE_CLI

RETURNS

VMS usage:	cond_value
type:	longword (unsigned)
access:	write only
mechanism:	by value

Arguments

None.

Description

This entrypoint takes no parameters, but parses the command which was used to invoke the program. It returns status in R0.

Parse the LJK/SECURITY command that was used to invoke the program as a foreign command, storing the results for a subsequent call.

Format

status=LJK$SECURITY_PARSE_FOREIGN

RETURNS

VMS usage:	cond_value
type:	longword (unsigned)
access:	write only
mechanism:	by value

Arguments

None.

Description

This entrypoint takes no parameters, but parses a foreign command which was used to invoke the program. It returns status in R0.

Execute the command whose parse results were stored by a previous call.

Format

status=LJK$SECURITY_EXECUTE

RETURNS

VMS usage:	cond_value
type:	longword (unsigned)
access:	write only
mechanism:	by value

Arguments

None.

Description

This entrypoint takes no parameters, but relies on values previously determined from a call to a parsing entrypoint. It returns status in R0.

Note that the call to a parsing routine above may produce results which cause multiple subsequent commands to be parsed within the call to the execution entrypoint. Cases where this happen include:

1. Empty command invoking "subsystem" operation
2. Empty command invoking in MENU interface

9.2 Master Node Report Formatting Callout Entrypoints

When provided by the customer, these callouts are used by LJK/Security to invoke customer-provided software to produce reports.

Unlike other callable interfaces to LJK/Security, the Report Formatting module provided by the user is not treated as trusted software and does not become part of the Trusted Computing Base (TCB). The user-provided Report Formatting module is run with the original privileges of the user, which must include TMPMBX.

Four of the Report Formatting entrypoints are mandatory and must be provided by every user-provided Report Formatting module. Other Report Formatting entrypoints are optional, depending on what you want to include in your report.

One important concept running through most of the entrypoint definitions is that of Policy Number, which can be used as an index into a list of multiple policies used in the assessment being reported. The Policy Number is generated at run-time, so it is specific to a single invocation of the command LJK/SECURITY REPORT and has no use after that. Even if you do not currently intend to create assessments that use multiple policies, it is important to write your Report Formatting module to handle multiple policies correctly because:

1. that is when your knowledge of writing Report Formatting modules is most clear
2. if you never get around to it, you (or your successor) may be ill-equipped to implement such a change in the face of an urgent management directive

9.2.1 Required Report Formatting Entrypoints

• INITIALIZE A single call to this entrypoint at the start of processing conveys to your Report Formatting module general characteristics of the user command to produce a report, such as what should be included.
  But another major purpose of this entrypoint is for your Report Formatting module to indicate which of the possible later calls LJK/Security should make to your entrypoints. This is done with a series of Boolean input-output parameters (passed by reference). If your Report Formatting module does not require certain input (typically based on the general characteristics of the user command to produce a report), your INITIALIZE entrypoint should clear the corresponding Boolean input-output parameter (name starting with "PROVIDE_"). Doing so minimizes the work that LJK/Security must do in preparing data for your Report Formatting module before making subsequent calls to your entrypoints, thus speeding up the LJK/SECURITY REPORT command.
  In some cases the PROVIDE_* Boolean input-output parameters will already be set to FALSE. When that is the case, attempting to set those values to True (1) will not be effective, because the limit on the set of possible calls to your Report Formatting module is based on the user command or the nature of the assessment.
  The INITIALIZE entrypoint differs from all other Report Formatting entrypoints in two regards:
  • It makes use of input-output parameters to send information back to LJK/Security.
  • It does not provide a status return. All other entrypoints require a Boolean value be returned to indicate whether processing should continue.
• POLICY_TERMS The major purpose of this entrypoint is to provide your entrypoint with a series of terms to be used in reports, according to the policies used in an assessment. As an example, what NIST 800-53 calls a "Control" PCI DSS calls a "Requirement". The strings provided to your POLICY_TERMS entrypoint allows your Report Formatting module to use the terminology chosen in the policy in the reports it produces.
  Those terms needed by your Report Formatting module should be stored away by your POLICY_TERMS entrypoint for use during calls to your other entrypoints.
  Examples include:

  Table 9-1 Example Terms

  	Terms
  Discipline	Term for Fail	Term for Remediate
  NIST 800-53	Other than Satisfied - failed	Plan of Action and Milestones
  PCI DSS	Non-Compliant	Remediation

  
  Keep in mind that LJK/Security will call your POLICY_TERMS entrypoint once for each policy used in a given assessment, which might mean multiple calls. Storage of the strings provided to your POLICY_TERMS entrypoint should be indexed according to the POLICY_NUMBER parameter provided to the call.

• POLICY_RULE_TEXT This entrypoint provides your Report Formatting module with a series of terms for the rules embodied in the test discipline for the policies used in an assessment. Examples include:

  Table 9-2 Example Rules

  	Rules
  Discipline	Rule Code	Rule Name
  NIST 800-53	SI-7	Software and Information Integrity
  PCI DSS	8	Assign a unique ID to each person with computer access

  
  Those terms needed by your Report Formatting module should be stored away by your POLICY_RULE_TEXT entrypoint for use during calls to your other entrypoints.
  Keep in mind that LJK/Security will call your POLICY_RULE_TEXT entrypoint once for each rule in each policy used in a given assessment, which will mean multiple calls. Storage of the strings provided to your POLICY_RULE_TEXT entrypoint should be indexed according to the POLICY_NUMBER parameter provided to the call.

• FINALIZE This entrypoint provides the final opportunity for processing by your Report Formatting module, perhaps to summarize data from all prior calls.
  Your Report Formatting module can also use this entrypoint to clean up temporary files, close other files, etc.
  As a "False" result returned from earlier entrypoints causes processing to stop midstream, a "False" returned from your FINALIZE entrypoint indicates a failure (for instance returning a failure status to DCL).

9.2.2.1 Total Entrypoints (optional)

• AUTOMATIC_TOTAL This entrypoint provides total numbers of the following for the Automatic Tests method:
  • Instances Number of nodes to which this call pertains.
  • Completed Number of nodes on which this test was completed.
  • Violations Number of violations found by this testing. with each call to the entrypoint summarizing the results for a single grouping (by Test, Comment Instance, Comment Instance then Test, Remediation Responsibility or Remediation Completion Date).
  • COMPENSATING_CONTROL_TOTAL This entrypoint provides total numbers of the following for the Compensating Controls method:
    • Instances Number of nodes to which this call pertains.
    • Completed Number of nodes on which this test was completed.
    • Violations Number of violations (always zero) found by this testing. with each call to the entrypoint summarizing the results for a single grouping (by Test, Comment Instance, Comment Instance then Test, Remediation Responsibility or Remediation Completion Date).
    • INTERVIEW_TOTAL This entrypoint provides total numbers of the following for the Interview method:
      • Instances Number of nodes to which this call pertains.
      • Completed Number of nodes on which this test was completed.
      • Violations Number of violations found by this testing. with each call to the entrypoint summarizing the results for a single grouping (by Test, Comment Instance, Comment Instance then Test, Remediation Responsibility or Remediation Completion Date).
      • INVASIVE_TESTING_TOTAL This entrypoint provides total numbers of the following for the Invasive Testing method:
        • Instances Number of nodes to which this call pertains.
        • Completed Number of nodes on which this test was completed.
        • Violations Number of violations found by this testing. with each call to the entrypoint summarizing the results for a single grouping (by Test, Comment Instance, Comment Instance then Test, Remediation Responsibility or Remediation Completion Date).
        • MANUAL_EXAMINATION_TOTAL This entrypoint provides total numbers of the following for the Manual Examination method:
          • Instances Number of nodes to which this call pertains.
          • Completed Number of nodes on which this test was completed.
          • Violations Number of violations found by this testing. with each call to the entrypoint summarizing the results for a single grouping (by Test, Comment Instance, Comment Instance then Test, Remediation Responsibility or Remediation Completion Date).
          • NODE_TOTAL This entrypoint provides information regarding total numbers of nodes for which processing of this assessment is in various states (e.g., Completed, Submitted, Cancelled, etc.).

          ---

          Previous

          Next

          Contents

          Index