LJK/Security Reference Manual




Chapter 11
Tips for Special Situations

This chapter contains hints on how to use LJK/Security in certain specific settings.

11.1 Generating "Work Papers" for Auditors

The design philosophy of LJK/Security is to report only violations of policy, to effect "management by exception". There are instances where auditors wish to create "work papers" listing compliant as well as non-compliant test results.

The general approach to creating such a report is to make a policy which sets mutually exclusive goals. If a policy, for instance, requires that every username have the CMKRNL privilege and also prohibits every username from having the CMKRNL privilege, one violation or the other will be reported for every username. A similar approach can be taken for numeric tests by setting low end limits for a given element higher than high end limits for the same element.

See Section 7.6 and Section 7.7 for another explanation.

11.2 Tracking Usernames

In some environments it may be desirable to maintain central tracking of usernames added to tributary nodes. This can be accomplished by modifying a limit in a policy to set mutually exclusive goals and then setting up exemptions for each authorized username. LJK Software calls the recommended method of setting such mutually exclusive goals "tracking username presence", and calls a more refined method "tracking username enabling".

11.2.1 Tracking Username Presence

For the simplest approach, you can set limits for test (UAF, DISUSER, PROHIBITED) and test (UAF, DISUSER, REQUIRED) both to be true. This will generate a violation report for all usernames which do not have exemptions for those tests. By adding exemptions for the authorized usernames, you ensure that the only violation reports are for unauthorized usernames.

Thus if the mutually exclusive goal of having (UAF, DISUSER) both prohibited and required were established for a node, a violation would be reported for all usernames. If SMITH and JONES were the only two approved usernames for the node, then establishing exemptions for SMITH and JONES in the policy on the master node would prevent the reporting of violations for those usernames. Any unapproved usernames added to the node, however, would trigger violation reports.

11.2.2 Tracking Username Enabling

When usernames are no longer needed, careful system managers will leave the usernames on the system but disabled for a period of time. In this manner, attempts to log in to the username in question will result in the username being included in the VMS accounting and audit logs (whereas for usernames which do not exist, the username is not recorded with the login failure).

If this approach is being used, the limit for test (UAF, DISUSER, PROHIBITED) should be set to FALSE, and the exemptions should be removed when usernames are disabled.
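
The reporting logic of Sections 11.2.1 and 11.2.2, modelled as an added example (this is not LJK/Security code or policy syntax). The record layout, function names and sample usernames other than SMITH and JONES are assumptions made for illustration, as is the modelling of exemptions as (username, test) pairs.

```python
# Added illustration: models the violation/exemption logic only.
from dataclasses import dataclass


@dataclass(frozen=True)
class UafRecord:
    username: str
    disuser: bool  # True when the DISUSER flag is set (username disabled)


def evaluate(records, prohibited, required, exemptions):
    """Return sorted (username, test) violations for one node.

    prohibited / required model the limits for the tests
    (UAF, DISUSER, PROHIBITED) and (UAF, DISUSER, REQUIRED).
    exemptions is a set of (username, test) pairs held in the policy.
    """
    violations = []
    for rec in records:
        failed = []
        if prohibited and rec.disuser:
            failed.append("PROHIBITED")   # disabled, but DISUSER is prohibited
        if required and not rec.disuser:
            failed.append("REQUIRED")     # enabled, but DISUSER is required
        violations += [(rec.username, t) for t in failed
                       if (rec.username, t) not in exemptions]
    return sorted(violations)


def exempt(usernames):
    """Exempt each username from both DISUSER tests."""
    return {(u, t) for u in usernames for t in ("PROHIBITED", "REQUIRED")}


def presence_report(records, approved):
    """11.2.1: both limits TRUE, so every non-exempt username is reported."""
    return evaluate(records, True, True, exempt(approved))


def enabling_report(records, approved_enabled):
    """11.2.2: PROHIBITED limit FALSE, so only enabled, non-exempt
    usernames are reported; disabled usernames stay silent."""
    return evaluate(records, False, True, exempt(approved_enabled))


# Constructed sample UAF contents for one tributary node.
NODE_UAF = [
    UafRecord("SMITH", False),
    UafRecord("JONES", True),     # retired: disabled, exemption removed
    UafRecord("GUEST2", False),   # unapproved and enabled
    UafRecord("OLDOPER", True),   # unapproved and disabled
]

if __name__ == "__main__":
    print("presence:", presence_report(NODE_UAF, ["SMITH", "JONES"]))
    print("enabling:", enabling_report(NODE_UAF, ["SMITH"]))
    # If JONES is later re-enabled, enabling tracking reports it.
    reenabled = [UafRecord("JONES", False) if r.username == "JONES" else r
                 for r in NODE_UAF]
    print("after re-enable:", enabling_report(reenabled, ["SMITH"]))
```

Under presence tracking the disabled, unapproved username is still reported; under enabling tracking it is not, but a retired username that becomes enabled again is.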

11.3 Operating in a Classified Environment

Note

Unlike the rest of the manual, this section assumes some knowledge of US government rules for handling classified information on computers.

In situations where there are a number of nodes each operating at a different security level, it should still be possible to use LJK/Security, but with an additional degree of complexity.

11.3.1 No DECnet

Just as DECnet is presumably unavailable between machines operating at different security levels for normal purposes, it is presumably unavailable between the master node and tributary nodes. (Such a connection would only be allowed if the master node were at the same level as all of the tributary nodes, which would mean that all tributary nodes would be at the same level as each other, which is contrary to the stated premise.)

11.3.2 Requests Must be Generated at the Lowest Security Level

In order to have a single master node generate requests for a common assessment for all nodes, that master node must be operating at or below the lowest security level at which any of the tributary nodes operate.

Note

Tributary nodes which do period processing at different security classifications for different times of the day count as separate nodes at each classification for LJK/Security licensing purposes.

11.3.3 Results Must be Reported at the Highest Security Level

In order to have a single master node report results from a common assessment for all nodes, that master node must be operating at or above the highest security level at which any of the tributary nodes operate.

11.3.3.1 Recommended Technique: Period Processing on the Master Node

The solution LJK Software suggests is to maintain two copies of the master node (either on separate disks or on separate machines), one at low classification for generating requests and one at high classification for receiving reports. This is most easily done with removable disk packs, which are typically used in classified processing anyway.

Initially the HIGH copy of the master node can be created by copying the system disk from the LOW copy. Thereafter no data ever leaves the HIGH copy. The data added to the HIGH copy will be:

Each time an assessment is run, magnetic media will be written on the LOW copy of the master node for each tributary node. When that is completed, the file:


LJK$SECURITY_RESULT_AREA:assessment-name.LJK$SECURITY_RESULT 
should be copied from the LOW copy of the master node to the HIGH copy of the master node.

When results are received, they are read into the HIGH copy of the master node for reporting purposes. Because of the special file copied over from the LOW copy of the master node, the HIGH copy of the master node is set up as though it had generated the assessment run request.

Note

It is not necessary to copy policy and assessment files from the low copy of the master node to the high copy of the master node because the result file is created with the necessary data for processing exemptions and viewing the results.

In cases where multiple interactive invocations of the result file are anticipated, however, having a copy of the policy file will improve performance of LJK/Security (provided no changes have been made to the policy since the assessment request was issued).

The policy file is:


LJK$SECURITY_POLICY_AREA:policy-name.LJK$SECURITY_POLICY 

Although the procedure described properly handles information from different classifications, considerable work might be involved to get it approved by your Designated Accrediting Authority.


Chapter 12
Answering Questions for Non-Automated Assessment Methods

This chapter tells someone who has no other exposure to LJK/Security how to answer questions required by non-automatic assessment methods.

As someone performing non-automated aspects of security assessments, you will be assigned certain sets of questions to answer in reporting your findings. You will answer those questions using your VMS (OpenVMS) username on a particular VMS node (see footnote 1) or set of nodes, where the answers you provide apply at least to that node and possibly to many others. For instance, if you are physically examining door lock mechanisms on a computer room, your answers will apply to all the systems in that computer room, not just the particular VMS node in that room on which you enter the answers. Similarly, if your assessment task involves examining an organization policy document, your answers will apply to all systems covered by that policy.

The basic command you will use to answer questions on a VMS node is


$ MCR LJK$SECURITY ANSWER 
with various qualifiers (discussed below).

Note

1 By node we mean a single machine running VMS. You might informally refer to it as a "system", but this document does not use that term because for certain security assessment disciplines like NIST Special Publication 800-53 a "system" may be a larger entity such as a VMScluster or a network containing multiple nodes.

12.1 Finding Questions Assigned to You

If you want to know what groups of questions have been assigned to you for answers, use the command


$ MCR LJK$SECURITY ANSWER 
with nothing else on the line. It will list the commands you can use to answer specific groups of questions that have been assigned to you.

There are three types of groups of questions that might be assigned to you, each requiring different types of assessment activity.

Some people will have only a single type of groups of questions assigned to them, while others might be assigned multiple types of groups of questions.

12.1.1 Automatic Notification of Questions Assigned to You

If you regularly log into a VMS node anyway and want to be informed of any new assignments, you can include a command in your VMS LOGIN.COM command procedure to notify you. Rather than the raw command above, if you include the command


$ MCR LJK$SECURITY ANSWER /SILENCE_IS_GOLDEN 
there will be no output telling you about the absence of such assignments, only notifying you in the case where there is an assignment.

As with many other VMS commands, "/SILENCE_IS_GOLDEN" can be abbreviated, such as "/SILENCE". But "/SILENCE_IS_GOLDEN" will typically be used only within a command procedure, so spelling it out may give a better hint later on regarding the purpose.

12.2 Specifying Particular Assessment Methods

If you want to deal first with questions for a particular assessment method, use one of the commands


$ MCR LJK$SECURITY ANSWER /MANUAL_EXAMINATION 
$ MCR LJK$SECURITY ANSWER /INTERVIEW 
$ MCR LJK$SECURITY ANSWER /INVASIVE_TESTING 
As with many other VMS commands, /MANUAL_EXAMINATION, /INTERVIEW and /INVASIVE_TESTING can be abbreviated, such as /MANUAL, /INTER or /INVASIVE. But it is considered bad form to have the abbreviated version in documentation.

12.3 Specifying a Particular Question Group

When you have specified a particular assessment method as above, you can further specify a particular question group with the /GROUP= qualifier, such as


$ MCR LJK$SECURITY ANSWER /INTERVIEW /GROUP=PHYSICAL_SECURITY 
You will be asked just the questions for that group within that assessment method. The group names are defined by those who wrote the policy (typically LJK Software) and should indicate the nature of the group such as "POLICY", "BACKUPS" or "PERSONNEL". You will see the group names that have been assigned to you when you use the command


$ MCR LJK$SECURITY ANSWER 

12.4 Answering All Questions Regardless of Assessment Method

To answer all assessment questions regardless of assessment method or group, use the command


$ MCR LJK$SECURITY ANSWER /ALL 
You will be asked all outstanding questions that have been assigned to you, divided by question groups. You can exit at any point by using the key combination [Ctrl/Z], and answers for groups you had already completed will be preserved.

12.5 Confirmation After Answering a Group of Questions

After you have answered all the questions from a particular group, you will be asked if you are satisfied with your answers. If you answer with your Username, those answers will be filed away. Otherwise those answers will be discarded and you will be able to run the program again to answer the questions for that group (typically when you have more information).

12.6 Seeing the Questions in Advance

If you are not planning on answering questions but just want to see what the questions will be, specify /PREVIEW as part of the initial command


$ MCR LJK$SECURITY ANSWER /INTERVIEW /GROUP=PHYSICAL_SECURITY /PREVIEW 

or to put the results in a file


$ SPAWN/OUT=<filename> MCR LJK$SECURITY ANSWER /INTERVIEW /GROUP=PHYSICAL_SECURITY /PREVIEW 

This can be useful if you want to determine in advance whether you have all the information that will be needed to answer the questions.

12.7 Adding Free-Form Remarks to Your Answers

All answers to the questions you are asked must follow strict syntax rules, according to the nature of the question. If you want to include a brief free-form remark elaborating on your answer to a question, finish your answer with the string "/REMARK". After pressing carriage-return you will then be prompted for the remark you want to enter. The length of your remark is limited to about 150 characters - if that is insufficient you can use the 150 characters to refer to an external document.

If you know you will want to enter remarks for a substantial percentage of the questions you will answer, you can specify /REMARK as part of the initial MCR LJK$SECURITY ANSWER command, causing a prompt for a remark to be issued after each answer you enter.


Appendices

Each appendix gives ancillary information about a miscellaneous aspect of LJK/Security operation.


Appendix A
Master Node Installation

This appendix shows a sample installation of LJK/Security on a master node.


$ @SYS$UPDATE:VMSINSTAL * DISK$LJK_SEC_030:[LJK_SECURITY030.KIT] 
 
        OpenVMS AXP Software Product Installation Procedure V7.3-1 
 
 
It is 11-JUN-2010 at 15:50. 
 
Enter a question mark (?) at any time for help. 
%VMSINSTAL-W-NOTSYSTEM, You are not logged in to the SYSTEM account. 
%VMSINSTAL-W-ACTIVE, The following processes are still active: 
       DECW$SERVER_0 
       DECW$TE_00AF 
       _FTA1: 
       _FTA2: 
       _FTA3: 
       _FTA4: 
       _FTA6: 
       _FTA7: 
       _FTA8: 
* Do you want to continue anyway [NO]? YES 
* Are you satisfied with the backup of your system disk [YES]? YES 
 
The following products will be processed: 
  LJK_SECURITY V3.0 
 
        Beginning installation of LJK_SECURITY V3.0 at 15:50 
 
%VMSINSTAL-I-RESTORE, Restoring product save set A ... 
%VMSINSTAL-I-RELMOVED, Product's release notes have been moved to SYS$HELP. 
 
        Username LJK$SECURITY must be assigned to a unique UIC group on 
        this node (or VAXcluster).  The UIC value [n,1] will be assigned, 
        where n is the octal number between 11 and 37776 which you specify. 
 
* What UIC group should be used for username LJK$SECURITY: 25 
 
        A simplified LJK/Security installation dialog will use the following 
        defaults or values from a previous installation: 
 
        DECnet object 200 for Request transmissions 
        DECnet object 201 for Result transmissions 
        Only this node can act as Master Node 
        LJK/Security data is stored at SYS$SYSDEVICE:[LJK$SECURITY_POLICY] 
        LJK/Security DECwindows interface is available 
        Bookreader documentation is moved to the data storage area 
 
 
        An answer of YES will use the default values or values from 
        previous installations as listed above. 
 
        An answer of NO will cause individual questions to be asked 
        for each installation decision. 
 
* Would you like the simplified installation dialog [YES]? YES 
 
        The following files will be added or replaced: 
 
    SYS$COMMON:[SYSEXE]LJK$SECURITY.COM; 
    SYS$COMMON:[SYSEXE]LJK$SECURITY_AXP.EXE; 
    SYS$COMMON:[SYSEXE]LJK$SECURITY_VAX.EXE; 
    SYS$COMMON:[SYSMSG]LJK$MESSAGES_AXP.EXE; 
    SYS$COMMON:[SYSMSG]LJK$MESSAGES_VAX.EXE; 
    SYS$COMMON:[SYSHLP]LJK$SECURITY_030.RELEASE_NOTES; 
    SYS$COMMON:[SYSHLP]LJK$SECURITY_BUGFIX_030.RELEASE_NOTES; 
    SYS$COMMON:[SYSHLP]LJK$SECURITY_DECWHELP.HLB; 
    SYS$COMMON:[SYSLIB]LJK$SECURITY_SHARE_AXP.EXE; 
    SYS$COMMON:[SYSLIB]LJK$SECURITY_SHARE_VAX.EXE; 
    SYS$COMMON:[SYSLIB]LJK$SECURITY_TEXT_SHARE_AXP.EXE; 
    SYS$COMMON:[SYSLIB]LJK$SECURITY_TEXT_SHARE_VAX.EXE; 
    SYS$COMMON:[SYSLIB]LJK$SECURITY_VMS_SHARE_AXP.EXE; 
    SYS$COMMON:[SYSLIB]LJK$SECURITY_VMSV010_SHARE_AXP.EXE; 
    SYS$COMMON:[SYSLIB]LJK$SECURITY_VMSV015_SHARE_AXP.EXE; 
    SYS$COMMON:[SYSLIB]LJK$SECURITY_VMSV061_SHARE_AXP.EXE; 
    SYS$COMMON:[SYSLIB]LJK$SECURITY_VMSV070_SHARE_AXP.EXE; 
    SYS$COMMON:[SYSLIB]LJK$SECURITY_VMSV071_SHARE_AXP.EXE; 
    SYS$COMMON:[SYSLIB]LJK$SECURITY_VMSV072_SHARE_AXP.EXE; 
    SYS$COMMON:[SYSLIB]LJK$SECURITY_VMSV073_SHARE_AXP.EXE; 
    SYS$COMMON:[SYSLIB]LJK$SECURITY_VMS_SHARE_VAX.EXE; 
    SYS$COMMON:[SYSLIB]LJK$SECURITY_VMSV040_SHARE_VAX.EXE; 
    SYS$COMMON:[SYSLIB]LJK$SECURITY_VMSV050_SHARE_VAX.EXE; 
    SYS$COMMON:[SYSLIB]LJK$SECURITY_VMSV054_SHARE_VAX.EXE; 
    SYS$COMMON:[SYSLIB.LJK$SECURITY_AXP_ADA_EXE]ADAMSG.EXE; 
    SYS$COMMON:[SYSLIB.LJK$SECURITY_AXP_ADA_EXE]ADARTL.EXE; 
    SYS$COMMON:[SYSLIB.LJK$SECURITY_AXP_ADA_EXE]CMA$RTL.EXE; 
    SYS$COMMON:[SYSLIB.LJK$SECURITY_AXP_ADA_EXE]CMA$TIS_SHR.EXE; 
    SYS$COMMON:[SYSLIB.LJK$SECURITY_AXP_ADA_EXE]DEFINE_ADA_LOGICALS.COM; 
    SYS$COMMON:[SYSLIB.LJK$SECURITY_AXP_ADA_EXE]DEASSIGN_ADA_LOGICALS.COM; 
    SYS$COMMON:[SYSLIB]LJK$SECURITY_DECW_SHARE_AXP.EXE; 
    SYS$COMMON:[SYSLIB]LJK$SECURITY_DECW_SHARE_VAX.EXE; 
    SYS$COMMON:[SYSLIB]LJK$SECURITY_DECW.UID; 
    SYS$COMMON:[SYSHLP.EXAMPLES.LJK$SECURITY]POLICY_NULL.COM; 
    SYS$COMMON:[SYSHLP.EXAMPLES.LJK$SECURITY]POLICY_NIST_SP_800_53.COM; 
    SYS$COMMON:[SYSHLP.EXAMPLES.LJK$SECURITY]POLICY_VMS_SHA1_AXP_*.COM; 
    SYS$COMMON:[SYSHLP.EXAMPLES.LJK$SECURITY]POLICY_VMS_SHA1_VAX_*.COM; 
    SYS$COMMON:[SYSHLP.EXAMPLES.LJK$SECURITY]POLICY_VMS_SIMPLE_AXP_*.COM; 
    SYS$COMMON:[SYSHLP.EXAMPLES.LJK$SECURITY]POLICY_VMS_SIMPLE_VAX_*.COM; 
    SYS$COMMON:[SYSTEST]LJK$SECURITY_IVP.COM; 
    SYS$COMMON:[SYS$STARTUP]LJK$SECURITY_STARTUP.COM; 
    SYS$COMMON:[VUE$LIBRARY.USER]LJK$SECURITY_VUE.COM; (if possible) 
    SYS$SYSDEVICE:[LJK$SECURITY_POLICY]LIBRARY.DECW$BOOKSHELF; 
    SYS$SYSDEVICE:[LJK$SECURITY_POLICY]LJK$SECURITY_BASE.DAT; 
    SYS$SYSDEVICE:[LJK$SECURITY_POLICY]LJK$SECURITY_WORDS.DAT; 
    SYS$SYSDEVICE:[LJK$SECURITY_POLICY]LJK$SECURITY_LJKS-REF-V030.DECW$BOOK; 
 
        The following files will be modified: 
 
    SYS$COMMON:[SYSHLP]HELPLIB.HLB; 
    SYS$COMMON:[SYSLIB]DCLTABLES.EXE; (new version created) 
    SYS$COMMON:[SYS$STARTUP]VMS$LAYERED.DAT; 
 
 
        All questions have been asked. 
 
%VMSINSTAL-I-RESTORE, Restoring product save set B ... 
%VMSINSTAL-I-RESTORE, Restoring product save set C ... 
%VMSINSTAL-I-RESTORE, Restoring product save set D ... 
 
        The remainder of the installation will take 5 minutes 
        on a stand-alone MicroVAX-II. 
 
%VMSINSTAL-I-SYSDIR, This product creates system directory [SYSLIB.LJK$SECURITY_AXP_ADA_EXE]. 
%LJK_SECURITY-I-DCLTABLES, Adding command LJK/Security to DCL tables 
%LJK_SECURITY-I-STARTUP, Adding LJK$SECURITY_STARTUP.COM to VMS Startup database 
%VMSINSTAL-I-ACCOUNT, This installation updates an ACCOUNT named LJK$SECURITY. 
%UAF-I-MDFYMSG, user record(s) updated 
%VMSINSTAL-I-ACCOUNT, This installation updates an ACCOUNT named LJK$SECURITY. 
%UAF-I-MDFYMSG, user record(s) updated 
%VMSINSTAL-I-MOVEFILES, Files will now be moved to their target directories... 
%LJK_SECURITY-S-FILEVIEW, creating FileView command 
%DCL-S-SPAWNED, process USER_159 spawned 
%DCL-S-ATTACHED, terminal now attached to process USER_159 
%LJK-I-CREATEACT, Created detached action process 57E022BF at 11-JUN-2006 15:53:01.00 
%DCL-S-RETURNED, control returned to process USER 
%RUN-S-PROC_ID, identification of created process is 57E022C0 
        Installation of LJK_SECURITY V3.0 completed at 15:53 
 
    Adding history entry in VMI$ROOT:[SYSUPD]VMSINSTAL.HISTORY 
 
    Creating installation data file: VMI$ROOT:[SYSUPD]LJK_SECURITY030.VMI_DATA 
 
        VMSINSTAL procedure done at 15:53 
 
$ 

Installing on Shared System Disks

If you install LJK/Security on one system to run it also on other systems that share that system disk, you should issue the following command on each additional system sharing that system disk:


$ MCR SYSMAN STARTUP ADD FILE LJK$SECURITY_STARTUP.COM/MODE=DIRECT/PHASE=END 

