This appendix lists the use of privilege by LJK/Security.
The LJK/Security software is installed with privileges, but turns those privileges off except when needed. At those times, it enables appropriate privileges, but only if the user has the appropriate facility-specific identifiers for a particular function, as discussed in Section 5.4, Privileges Required to Invoke Commands.
LJK/Security installs the following images into the TCB:
LJK/Security uses SYSPRV privilege to read and write Policy,
Assessment Result and working files stored in
LJK$SECURITY_POLICY_AREA:, LJK$SECURITY_RESULT_AREA: and
LJK$SECURITY_ACTION_AREA:.
I.2 Reading the User Authorization File
LJK/Security uses READALL privilege to read the User Authorization
File (SYSUAF) retrieving information about usernames established on the
system along with their privileges and other security-relevant
information.
I.3 Getting a List of All Devices
LJK/Security uses CMKRNL privilege to determine the names of all
devices on the system. As of VMS V4.2 (the earliest version under which
LJK/Security can be run), DEC provided no supported interface to
accomplish this.
I.4 Checking Metadata for All Disk Files
LJK/Security uses READALL and SHARE privileges to check metadata for
all disk files.
I.5 Checking Disk Quota Values
LJK/Security uses READALL to check disk quota values.
I.6 Synchronizing between LJK/Security Processes
LJK/Security uses SYSLCK to synchronize between LJK/Security
processes.
I.7 Setting up LJK/Security DECnet Object Database Entries
For DECnet Phase IV, LJK/Security uses OPER and BYPASS to set up LJK/Security DECnet object database entries.
For DECnet Phase V, LJK/Security uses OPER and SYSPRV to set up
LJK/Security DECnet object database entries.
I.8 Reading DECnet Database Entries
For DECnet Phase IV, LJK/Security uses SYSPRV to read DECnet database entries.
For DECnet Phase V, LJK/Security uses SYSPRV and OPER to read DECnet
database entries.
I.9 Creating Detached LJK/Security Processes
LJK/Security uses the IMPERSONATE (DETACH) privilege to create
detached LJK/Security processes.
I.10 Reading Files for Kit Building
LJK/Security uses READALL for kit building, in case a site has
modified protection of images which must be included in the kits.
I.11 Parsing the User Authorization File Specification
LJK/Security uses READALL privilege to parse the User Authorization
File (SYSUAF) specification for test VMS_SYSUAF_LOCATION.
I.12 Reading Accounting State
LJK/Security uses CMEXEC privilege to read the current status of VMS
Accounting for facility ACC.
I.13 Reading Audit State
LJK/Security uses CMEXEC, CMKRNL, WORLD and READALL privileges to
read the current status of VMS Auditing for facility AUDIT.
I.14 Reading Device Access Control Lists
LJK/Security uses READALL and SHARE privileges to read Access Control
Lists for devices.
I.15 Reading Terminal Access Control Lists
LJK/Security uses READALL and SHARE privileges to read Access Control
Lists for terminals.
I.16 Reading the System Rights List
LJK/Security uses CMEXEC privilege to read the System Rights List.
I.17 Reading the list of Installed Images
LJK/Security uses CMEXEC privilege to read the VMS list of Installed
Images.
I.18 Highwater Marking and Erase-on-Delete
LJK/Security uses CMKRNL privilege to read the status of disk volumes
regarding Highwater Marking and volume-wide Erase-on-Delete status.
I.19 Checking Privilege
LJK/Security uses AUDIT privilege on versions of VMS which support
the $CHECK_PRIVILEGE system service (e.g., VMS V6.0 and beyond) to call
the $CHECK_PRIVILEGE system service and create the corresponding VMS
system audit entries as specified in the local audit server
configuration.
I.20 System Owned Locks
LJK/Security uses CMEXEC privilege to designate certain locks as
system-owned because they hold data that persists beyond image rundown.
I.21 Creating detached processes running LOGINOUT
LJK/Security uses SETPRV privilege to create detached processes
running LOGINOUT so they can set appropriate privileges for the process.
I.22 Calling SYS$IDTOASC
LJK/Security uses CMKRNL privilege to call the SYS$IDTOASC system
service due to inappropriate caching (as of VMS V7.3) within VMS
Executive module SYSRDBRES preventing proper access to NAME_HIDDEN
identifiers.
I.23 Suppression of Detailed Auditing
On VMS Version 6.0 and later, LJK/Security uses IMPERSONATE privilege
to suppress detailed auditing (for instance on each use of privilege)
while conducting an assessment on tributary nodes.
I.24 Waking Detached Processes
On VMS Version 5.3 and later, LJK/Security uses WORLD privilege to
identify and wake detached LJK/Security processes from user processes
on tributary nodes when the command "MCR LJK$SECURITY ANSWER" has
completed work on a group of questions.
I.25 Calling Report Formatting Images
LJK/Security needs the TMPMBX privilege to spawn a subprocess for
running (possibly user-supplied) Report Formatting shareable images. To
support the VMS Security Model properly, LJK/Security requires that the
user hold the TMPMBX privilege. The subprocess is also given the other
Authorized Privileges of the current process, just as the user had them at
the DCL prompt before running LJK/Security.
I.26 Checking File Presence
LJK/Security uses READALL privilege to check for the presence of the files:
LJK/Security uses SYSPRV privilege to close Assessment files.
I.28 Open or Create Assessment Files
LJK/Security uses SYSPRV privilege to open or create Assessment files.
I.29 Close Assessment Files After Defaulting
LJK/Security uses SYSPRV privilege to close Assessment files after defaulting.
I.30 File Creation Date and Time
LJK/Security uses SYSPRV privilege to determine the creation date and
time of files.
I.31 File Modification Date and Time
LJK/Security uses SYSPRV privilege to determine the modification date
and time of files.
I.32 Open and Close Assessment File for Node List
LJK/Security uses SYSPRV privilege to open and close assessment files
to determine the nodes they cover.
I.33 Parse the Name of an Assessment File
LJK/Security uses SYSPRV privilege to parse the name of an assessment
file.
I.34 List Assessments
LJK/Security uses SYSPRV privilege to list the names of assessment
files.
I.35 Audit Log Sizes
LJK/Security uses SYSPRV privilege to determine the sizes of existing
audit logs.
I.36 Audit Server Configuration
LJK/Security uses READALL privilege to read the Audit Server
Configuration.
I.37 Device Lock Name
LJK/Security uses READALL privilege to determine the device lock name
of arbitrary disks.
I.38 File ID
LJK/Security uses READALL privilege to determine the File ID number
of arbitrary files.
I.39 Remote Result Files
LJK/Security uses SYSPRV privilege to scan for remote result files to
process.
I.40 Final Result Files
LJK/Security uses SYSPRV privilege to scan for final result files to
process.
I.41 Define Facility-Specific Identifiers
LJK/Security uses SYSPRV privilege to define LJK/Security
facility-specific identifiers.
I.42 Delete On Close
LJK/Security uses SYSPRV privilege to enable Delete-on-Close file
action to succeed on image exit.
I.43 Window Files
LJK/Security uses SYSPRV privilege to allow the window interface to
get a list of files.
I.44 Node File
LJK/Security uses SYSPRV privilege to create a file of DECnet Phase
IV node names.
I.45 Node File Close
LJK/Security uses SYSPRV privilege to close the file of DECnet Phase
IV node names.
I.46 Phase IV Permanent
LJK/Security uses OPER privilege to obtain write access to the
permanent Phase IV DECnet database.
I.47 Calling NMLSHR
LJK/Security uses SYSPRV privilege to call NMLSHR entry points.
I.48 NMLSHR Password Access
LJK/Security uses SYSPRV and OPER privileges to retrieve
LJK/Security passwords from NMLSHR entry points.
I.49 Mapping Volume Index File
LJK/Security uses BYPASS and SHARE privileges to map volume index
files.
I.50 Phase V Subprocess
LJK/Security uses SETPRV privilege to create a process to issue DCL
commands for Phase V DECnet.
I.51 Reading Device Characteristics
LJK/Security uses READALL, VOLPRO and SHARE privileges to read device
characteristics.
I.52 Reading Disk File Metadata
LJK/Security uses READALL privilege to read disk file metadata.
I.53 Disk Mounted /GROUP
LJK/Security uses CMKRNL privilege to determine whether a disk is
mounted /GROUP (a characteristic with no program interface on earlier
versions of VMS).
I.54 Normalized File Name From File ID
LJK/Security uses READALL privilege to determine a normalized file
name from a file ID.
I.55 System-Owned Lock
LJK/Security uses CMEXEC privilege to convert persistent locks to be
system-owned.
I.56 Monitor Locks
LJK/Security uses WORLD privilege to monitor LJK/Security lock
usage.
I.57 Read Queues
LJK/Security uses OPER privilege to read metadata from batch and
print queues.
I.58 Read Queues
LJK/Security uses SYSPRV privilege to read metadata from batch and
print queues.
I.59 Read Usage
LJK/Security uses READALL privilege to read usage information from
the audit logs.
I.60 Read SYS$ANNOUNCE
LJK/Security uses READALL privilege to read SYS$ANNOUNCE file
contents.
I.61 Read SYS$LOGIN directory creation dates
LJK/Security uses READALL privilege to read the creation date of
SYS$LOGIN directories for those running LJK/Security.
I.62 Create a Template Policy File
LJK/Security uses SYSPRV privilege to create a Template Policy File in area LJK$SECURITY_EXAMPLES: to replace the stub command procedure that is delivered with the kit.
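The sections above are an inventory of every privilege LJK/Security enables and the function that needs it. A reviewer of any TCB component wants that inventory inverted: for each privilege, which functions enable it, and which of those privileges sit in the "All" group (BYPASS, CMKRNL, SETPRV and their peers, any one of which lets a process defeat every other protection on the system). The following script is an added example, not part of LJK/Security or its kit: it parses text in the format of this appendix and produces that cross-reference. The privilege grouping is reproduced from the OpenVMS Guide to System Security from memory and should be checked against the manual for your VMS version; the sample input is a constructed excerpt of the sections above.

```python
"""Privilege-footprint inventory for an appendix in the form above.

Added example, not LJK/Security code: inverts "I.n <title>" /
"LJK/Security uses X and Y privileges to ..." text into
privilege -> sections and flags the privileges in the "All" group.
"""
import re
from collections import defaultdict

# Privilege groups as tabulated in the OpenVMS Guide to System Security.
# Assumption: reproduced from memory; verify against your VMS manual.
PRIV_GROUP = {
    "ALL": {"BYPASS", "CMEXEC", "CMKRNL", "DOWNGRADE", "IMPERSONATE",
            "LOG_IO", "PFNMAP", "PHY_IO", "READALL", "SETPRV", "SHARE",
            "SYSNAM", "SYSPRV", "UPGRADE"},
    "SYSTEM": {"ALTPRI", "AUDIT", "OPER", "PSWAPM", "SECURITY", "SYSLCK", "WORLD"},
    "OBJECTS": {"DIAGNOSE", "IMPORT", "MOUNT", "SYSGBL", "VOLPRO"},
    "DEVOUR": {"ACNT", "ALLSPOOL", "BUGCHK", "EXQUOTA", "GRPNAM", "PRMCEB",
               "PRMGBL", "PRMMBX", "SHMEM"},
    "GROUP": {"GROUP", "GRPPRV"},
    "NORMAL": {"NETMBX", "TMPMBX"},
}
# DETACH is the older name of the same privilege bit as IMPERSONATE.
ALIASES = {"DETACH": "IMPERSONATE"}
KNOWN = {p for members in PRIV_GROUP.values() for p in members} | set(ALIASES)

SECTION_RE = re.compile(r"^I\.(\d+)\s+(.+)$")
# Span between "uses"/"needs" and the word "privilege(s)" or "to", e.g.
# "uses READALL and SHARE privileges to", "uses SYSLCK to", "needs the TMPMBX privilege to".
CLAUSE_RE = re.compile(r"\b(?:uses|needs)\s+(.*?)\s+(?:privileges?\b|to\b)")
TOKEN_RE = re.compile(r"\b[A-Z][A-Z_]+\b")


def parse_sections(text):
    """Return a list of (number, title, body) tuples in document order."""
    sections = []
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            sections.append([m.group(1), m.group(2), ""])
        elif sections and line:
            sections[-1][2] += " " + line
    return [tuple(s) for s in sections]


def privileges_in(body):
    """Canonical privilege names named in one section body."""
    found = set()
    for clause in CLAUSE_RE.findall(body):
        for tok in TOKEN_RE.findall(clause):
            if tok in KNOWN:           # drops DECnet, VMS, etc.
                found.add(ALIASES.get(tok, tok))
    return found


def privilege_inventory(text):
    """Map each privilege to the sorted section numbers that enable it."""
    inv = defaultdict(list)
    for num, _title, body in parse_sections(text):
        for priv in privileges_in(body):
            inv[priv].append(num)
    return {p: sorted(nums, key=int) for p, nums in inv.items()}


def group_of(priv):
    return next((g for g, members in PRIV_GROUP.items() if priv in members), "UNKNOWN")


def all_group_footprint(inv):
    """The 'All'-group subset: what a reviewer reads first."""
    return {p: secs for p, secs in inv.items() if group_of(p) == "ALL"}


# Constructed excerpt of the appendix above (sample input, not the full text).
SAMPLE = """\
I.3 Getting a List of All Devices
LJK/Security uses CMKRNL privilege to determine the names of all devices.
I.6 Synchronizing between LJK/Security Processes
LJK/Security uses SYSLCK to synchronize between LJK/Security processes.
I.7 Setting up LJK/Security DECnet Object Database Entries
For DECnet Phase IV, LJK/Security uses OPER and BYPASS to set up entries.
For DECnet Phase V, LJK/Security uses OPER and SYSPRV to set up entries.
I.9 Creating Detached LJK/Security Processes
LJK/Security uses the IMPERSONATE (DETACH) privilege to create
detached LJK/Security processes.
I.13 Reading Audit State
LJK/Security uses CMEXEC, CMKRNL, WORLD and READALL privileges to
read the current status of VMS Auditing.
I.25 Calling Report Formatting Images
LJK/Security needs the TMPMBX privilege to spawn a subprocess.
I.49 Mapping Volume Index File
LJK/Security uses BYPASS and SHARE privileges to map volume index files.
"""

if __name__ == "__main__":
    inventory = privilege_inventory(SAMPLE)
    for priv, secs in sorted(inventory.items(), key=lambda kv: (group_of(kv[0]), kv[0])):
        print(f"{group_of(priv):7} {priv:12} I.{', I.'.join(secs)}")
    print("All-group privileges:", sorted(all_group_footprint(inventory)))
```

Run against the complete appendix text, the report shows the total set of privileges the installed images can enable and, for each All-group privilege, exactly which functions (and therefore which facility-specific identifiers from Section 5.4) gate its use; that is the list to compare against the INSTALL privileges actually granted to the images on your system.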
This appendix describes steps taken to ensure the security of LJK/Security itself.
The following design decisions were made to enhance the security of LJK/Security:
It should be noted that providing site-specific code in images named LJK$SECURITY_SITE_SHARE_AXP.EXE or LJK$SECURITY_SITE_SHARE_VAX.EXE declares a high degree of trust in that site-specific code, equal to that placed in LJK/Security itself: it runs inside the same installed, privileged images.
That is not true for customer-written Report Formatting Modules. Those run with the normal privileges of the user, which must include TMPMBX.
This appendix explains the example policies provided by LJK/Security for published requirement lists such as NIST Special Publication 800-53.
LJK/Security creates new policies with reasonable
general-purpose limits and allows full tailoring by
customers. But some of that tailoring can be laborious even before one
gets to locality-specific considerations.
K.1 Example Command Procedures
To ease some of that burden, the following DCL command procedures are
provided on the master node in directory
LJK$SECURITY_EXAMPLES: after installation. Each such command procedure
takes a single parameter which is the name of the policy to which it
will be applied.
K.1.1 POLICY_NULL.COM
This command procedure neutralizes any existing policy settings (such
as those LJK/Security creates by default) to allow subsequent
commands to work on a "clean slate". Use this command
procedure before other command procedures if you want to avoid the
LJK/Security default best practices recommendations.
K.1.2 NIST
These command procedures establish policy settings that follow the US Federal Information Security Management Act of 2002 as elaborated by US Federal Information Processing Standard 200 (FIPS 200) and the United States National Institute of Standards and Technology Special Publication 800-53 (initially published February 28, 2005) entitled Recommended Security Controls for Federal Information Systems. Although that publication is only directly required for US government systems, it is worth studying by anyone involved in computer security in the US private sector or in other countries.
But these command procedures are just a starter toward security assessments that comply with 800-53. That document specifies some areas in which local assignments of values must be made, and the choices made by LJK Software in these command procedures may not be the ones that are best for your organization. Furthermore, in the case of the (AUDIT,FIN*,REQUIRED) tests, these command procedures set four conflicting goals as all required. That should make it quite clear that you must make a site-specific choice of strategy in that case. Crashing VMS in the event of an audit problem could be a very bad choice, for instance in a hospital system.
These command procedures provide limits in accordance with 800-53 control SI-7, but exemptions for the VMS TCB are required to complement those limits. Use the command procedures described in Section K.1.6, according to platform (VAX or Alpha), choice of checksum algorithm (simple or SHA-1) and the particular version of VMS that is being run. Execute the NIST 800-53 command procedure from this section against a policy and then the proper command procedure from Section K.1.6 to match your local situation.
Command procedures listed in Section K.1.6 are also appropriate for those who are not using command procedures to set up NIST SP 800-53 policies but want exemptions specific to a VMS version for images delivered as part of VMS and particularly those included in the VMS TCB.
For detailed discussion regarding use of LJK/Security for NIST
compliance, see Appendix M, Quick Start Guide to NIST SP 800-53/800-53a Security Assessments.
K.1.2.1 POLICY_NIST_SP_800_53A_LOW.COM
Command procedure POLICY_NIST_SP_800_53A_LOW.COM establishes a policy to test only those controls that 800-53 (as elaborated by NIST SP 800-53A) requires for systems categorized as FIPS 199 Impact Level Low and ignore other risks for which LJK/Security can test.
For a policy similar to this but taking into account the variances
introduced in NIST SP 800-53 Revision 2 for SCADA/ICS systems, use
POLICY_NIST_SP_800_53A_LOW_ICS.COM.
K.1.2.2 POLICY_NIST_SP_800_53A_MODERATE.COM
Command procedure POLICY_NIST_SP_800_53A_MODERATE.COM establishes a policy to test only those controls that 800-53 (as elaborated by NIST SP 800-53A) requires for systems categorized as FIPS 199 Impact Level Moderate and ignore other risks for which LJK/Security can test.
For a policy similar to this but taking into account the variances introduced in NIST SP 800-53 Revision 2 for SCADA/ICS systems, use POLICY_NIST_SP_800_53A_MODERATE_ICS.COM.