The following command procedure presumes:

• the names of the tributary nodes are "BOSTON" and "DENVER"
• the logical names for the directory used to store requests to be sent to the tributary nodes are "IA_BOSTON" and "IA_DENVER"
• the logical name for the directory where results are received from tributary nodes is "IA_RESULT"

$ ! $ ! LJK$SECURITY_EXAMPLES:LJK$SECURITY_TCPIP_MASTER.COM $ ! $ ! To use this command procedure, copy it to another directory $ ! before changing the sections surrounded by rows of asterisks. $ ! That way local modifications will not be wiped out when you $ ! upgrade to the next version of LJK/Security. $ ! $ ! This command procedure will copy any LJK/Security request files $ ! it finds on the master node out to the appropriate tributary node. $ ! $ ! Then it will invoke LJK/Security to process any result files $ ! it finds on the master node to create the final result file. $ ! $ ! The process under which this command procedure executes must $ ! have whatever rights are required to transfer files between $ ! nodes and must have one of the identifiers: $ ! $ ! LJK$SECURITY_REMOTE $ ! LJK$SECURITY_ROLE_STARTUP $ ! LJK$SECURITY_ALL $ ! $ ON WARNING THEN GOTO RESUBMIT $ ! $ ! When run interactively, this command procedure just submits itself. $ ! The sole parameter is the optional name of a batch queue to use. $ ! $ IF F$MODE() .NES. "BATCH" THEN GOTO RESUBMIT $ ! $ ! A list of the logical names pointing to the directories $ ! in which requests are stored $ ! $ ! ********************************************************* $ ! ********************************************************* $ ! $ REQUEST_LIST ="IA_BOSTON,IA_DENVER" $ ! $ ! ********************************************************* $ ! ********************************************************* $ ! $ ! --------------------------------------------------------- $ ! $ ! Ship any any REQUEST file pending for tributary nodes. $ ! This example relies upon a textual relationship between $ ! the logical name and the DECnet node name. Your command $ ! procedure might use a different technique. $ ! $ TRIBUTARY_INDEX = -1 $ TRIBUTARY_LOOP: $ TRIBUTARY_INDEX = TRIBUTARY_INDEX + 1 $ NEXT_TRIBUTARY = F$ELEMENT(TRIBUTARY_INDEX,",",REQUEST_LIST) $ IF NEXT_TRIBUTARY .EQS. "," THEN GOTO TRIBUTARY_DONE $ ! $ ! Look for request files in this area $ ! $ NEXT_REQUEST = F$SEARCH("",321) $ REQUEST_LOOP: $ NEXT_REQUEST = F$SEARCH(NEXT_TRIBUTARY+":LJK_SECURITY.DAT;-0",321) $ IF NEXT_REQUEST .EQS. "" THEN GOTO REQUEST_DONE $ ! $ ! Ensure it is complete by getting exclusive access. If the $ ! oldest version is still being written, wait for the next run. $ ! $ OPEN EXCLUSIVE_CHAN/APPEND/ERROR=REQUEST_DONE 'NEXT_REQUEST' $ CLOSE EXCLUSIVE_CHAN $ ! $ ! We have found a complete request file -- copy it to the Tributary Node $ ! $ ! ********************************************************* $ ! ********************************************************* $ ! *** This command uses a DECnet copy utilizing DECnet *** $ ! *** proxy logins. Replace it with a COPY/TCP or *** $ ! *** other command suitable to your environment. *** $ ! ********************************************************* $ ! ********************************************************* $ ! $ DEFINE/USER TRIBUTARY 'F$ELEMENT(1,"_",NEXT_TRIBUTARY)':: $ COPY/LOG 'NEXT_REQUEST' TRIBUTARY::IA_REQUEST:; $ DELETE 'NEXT_REQUEST' $ ! $ ! ********************************************************* $ ! ********************************************************* $ ! $ GOTO REQUEST_LOOP $ REQUEST_DONE: $ ! $ GOTO TRIBUTARY_LOOP $ TRIBUTARY_DONE: $ ! $ ! --------------------------------------------------------- $ ! $ ! Process any result file copied onto this master node $ ! $ NEXT_RESULT = F$SEARCH("",321) $ RESULT_LOOP: $ NEXT_RESULT = F$SEARCH("IA_RESULT:LJK_SECURITY.DAT;-0",321) $ IF NEXT_RESULT .EQS. "" THEN GOTO RESULT_DONE $ ! $ ! Ensure it is complete by getting exclusive access. If the $ ! oldest version is still being written, wait for the next run. $ ! $ OPEN EXCLUSIVE_CHAN/APPEND/ERROR=RESULT_DONE 'NEXT_RESULT' $ CLOSE EXCLUSIVE_CHAN $ ! $ ! We have found a complete Result file -- process the request $ ! $ ! ********************************************************* $ ! ********************************************************* $ ! $ DEFINE/USER NEXT_RESULT 'NEXT_RESULT' ! 15 or fewer characters $ MCR LJK$SECURITY REMOTE NEXT_RESULT $ DELETE 'NEXT_RESULT' $ ! $ ! ********************************************************* $ ! ********************************************************* $ ! $ GOTO RESULT_LOOP $ RESULT_DONE: $ ! $ ! --------------------------------------------------------- $ ! $ RESUBMIT: $ ! $ ! When run interactively, this command procedure just submits itself. $ ! The sole parameter is the optional name of a batch queue to use. $ ! $ PROC = F$ENVIRONMENT("PROCEDURE") ! Our command procedure $ PROC = PROC - F$PARSE(PROC,,,"VERSION") ! but the latest version $ ! $ ! Use any queue specified in P1 $ ! $ QUEUE = F$GETQUI("DISPLAY_JOB","QUEUE_NAME",,"THIS_JOB") $ IF P1 .NES. "" THEN QUEUE = P1 $ IF QUEUE .NES. "" THEN QUEUE = "/QUEUE=" + QUEUE $ show symbol queue $ ! $ submit 'PROC' - /AFTER="+00:05:00.00" - ! Every 5 minutes /NONOTIFY - ! do not bother the humans /PARAMETERS="''P1'" - !! Preserve any queue name specified /NOPRINTER - ! Do not print log file 'QUEUE' - ! Specified or existing queue /RESTART - ! Restart-enabled /RETAIN=ERROR ! Track failures $ ! $ EXIT $STATUS ! From LJK$SECURITY_TCPIP_MASTER.COM $ !

This appendix offers guidance for use of LJK/Security in complying with the US National Institute of Standards and Technology (NIST) Special Publication 800-53a.

If you are new to LJK/Security the vast array of capabilities can seem daunting. To get some quick results, use the following steps.

M.1.1 Setting Up the Environment

1. Have the VMS system manager install LJK/Security as described in Section 2.2, Installation on the Master Node.
2. Have the person who grants privileges¹ issue the commands

   $ SET DEFAULT SYS$SYSTEM $ MCR AUTHORIZE GRANT/IDENTIFIER LJK$SECURITY_ALL <your-user-name>

3. Log into a fresh session with your user name (this is required)

4. Create a policy that describes NIST controls

   $ LJK/SECURITY CREATE POLICY MY_NIST_POLICY $ @LJK$SECURITY_EXAMPLES:POLICY_NIST_SP_800_53A_HIGH.COM MY_NIST_POLICY

   Note If you are not a touch typist, you can open this document on screen and copy and paste many of the commands as you need them.

5. Use the DIRECTORY command to look at the list of policy modifications for particular VMS versions

   $ DIRECTORY LJK$SECURITY_EXAMPLES:POLICY_VMS_SHA1_*.COM; $ DIRECTORY LJK$SECURITY_EXAMPLES:POLICY_VMS_SIMPLE_*.COM;

   The names of those command procedures indication the version of VMS to which each one applies.
   The SIMPLE command procedures will provide the fastest initial test. Depending on your organization's rules, you may be required to switch to SHA-1 later.

6. Customize your policy for your version of VMS by invoking the chosen command procedure

   $ @LJK$SECURITY_EXAMPLES:POLICY_VMS_SIMPLE_AXP_07_3_2.COM MY_NIST_POLICY

   
   You can Copy and Paste portions of that command line, but be sure to specify the proper command procedure name for your version of VMS.

7. Start LJK/Security in subsystem mode for easier typing

   $ LJK/SECURITY/NOSMG/INTERFACE=CHARACTER_CELL

   
   You may want to create a DCL symbol in your LOGIN.COM file if you are going to use command mode on a regular basis.

8. Create an assessment

   LJKS> CREATE ASSESSMENT MY_NIST_ASSESSMENT LJKS> MODIFY ASSESSMENT MY_NIST_ASSESSMENT/NODE=<this-node>/POLICY=MY_NIST_POLICY

9. Run the assessment omitting resource-intensive facilities

   LJKS> RUN MY_NIST_ASSESSMENT /METHODS=QUICK

10. Take a break
11. Come back and check results

    LJKS> REPORT MY_NIST_ASSESSMENT/STATUS_ONLY

12. When that indicates the assessment has completed, extract a summary and a detailed report

    LJKS> REPORT MY_NIST_ASSESSMENT/SUMMARY=COMMENTS/OUTPUT=NIST_SUMMARY.TXT LJKS> REPORT MY_NIST_ASSESSMENT/OUTPUT=NIST_DETAILS.TXT

13. Start a full assessment running while you study the results of the quick assessment

    LJKS> RUN MY_NIST_ASSESSMENT

14. Exit from LJK/Security subsystem mode

    LJKS> [Ctrl/Z]

You can specify which conditions are actually acceptable by customizing your policy. Then subsequent assessment runs will produce a proper "management by exception" report.

M.1.3 Choosing a User Interface

To customize your policy will take more interaction and be an ongoing activity as personnel and requirements change. You might want to use a different user interface. You have your choice of three

1. Window
   Described in Section 3.3.3, Adding an Exemption
2. Menu
   Described in Section 4.2.3, Adding an Exemption
3. Command
   Described in MODIFY POLICY within Chapter 5, Command Interface

Use your choice of interface to add exemptions to your policy as follows

• Add an exemption to the test (UAF, PRIVLEVEL, ABSOLUTHI) for username SYSTEM to have all privileges. Username SYSTEM must have full privileges for the proper operation of VMS.
• Add exemptions to the test (UAF, PRIVLEVEL, ABSOLUTHI) for usernames that have been properly authorized under the organization's policy for access to particular VMS privileges.
• Add exemptions to the test (DISK, INSTALLED, PROHIBITED) for files that have been properly authorized under the organization's policy to be installed as a part of the Trusted Computing Base (TCB).
• Add exemptions to the test (DISK, INSTPRIV, PRIVPROHIB) for files that have been properly authorized under the organization's policy to be installed as privileged in the Trusted Computing Base (TCB). Be sure those exemptions are only for the particular privileges the organization's policy allows.
• Add exemptions to the test (DISK, INSTPROT, PROHIBITED) for files that have been properly authorized under the organization's policy to be installed as protected in the Trusted Computing Base (TCB).
• Add exemptions to the test (DISK, CHECKSUM, SIMPLE) or (DISK, CHECKSUM, SHA1) for files given exemptions in the previous three steps. This will detect unauthorized changes in those files which have been installed in the Trusted Computing Base (TCB). Ideally the organization would publish the proper checksum value when authorizing the exemptions above, but if that does not happen it will take one assessment run to determine the proper value for the CHECKSUM exemption.
• Add other exemptions authorized under the organization's policy.

M.2 Saving Time on Annual NIST Security Assessments

Organizations subject to NIST Special Publication 800-53 can save considerable effort if annual NIST Security Assessments required for control CA-2 make use of data collected for Continuous Monitoring required for control CA-7. This is easily done when one can determine that assessments for CA-7 cover all 800-53 controls, since subsetting is allowed for CA-7 Continuous Monitoring but not for CA-2 Security Assessment.

In other cases it will be necessary to create a separate policy for CA-2 Security Assessment, but effort that has gone into CA-7 Continuous Monitoring can still be leveraged as shown below to minimize the work required for annual CA-2 Security Assessment. The technique described involves creating a LJK/Security policy for CA-2 Security Assessment using two different techniques:

• Limits
  determined without regard to CA-7 Continuous Monitoring
• Exemptions
  selected through careful review of exemptions already in use for CA-7 Continuous Monitoring

Use of LJK/Security varies according to each assessment method chosen in the MODIFY ASSESSMENT or RUN command:

• /METHODS=(AUTOMATIC_TESTING) (D)
  The original LJK/Security method of Automatic Testing measures those security controls that can be tested under a running copy of the VMS (OpenVMS) operating system. High speed scanning of protections on all disk files is handled in this fashion.
  In most cases, the measurements that LJK/Security makes correspond to what NIST 800-53 calls Technical Controls and violations that are reported will fall into those categories. But there are other cases: for instance, testing how recently files have been backed up, which NIST 800-53 tracks under Operational Controls, in particular CP-3. Of course in this case, LJK/Security is not measuring whether the system is configured (via command procedure design) to be backed up according to schedule, but whether that backup really happens.
• /METHODS=(COMPENSATING_CONTROLS)
  The COMPENSATING_CONTROLS method is not a measurement at all. It is just a mechanism for noting exceptions to NIST 800-53 controls that have been fully planned and considered by the organization. In the case of predefined 800-53 command procedures from LJK Software, they represent aspects of VMS that are not well represented by NIST 800-53.
• /METHODS=(INTERVIEWS)
  The INTERVIEWS method involved discussion with organizational people to investigate compliance with NIST 800-53 controls.
• /METHODS=(INVASIVE_TESTING)
  The INVASIVE_TESTING method requires extensive work to verify the proper operation of particular activities or hardware/software mechanisms. In the case of software mechanisms that are part of VMS itself, a considerable reduction in the work required is afforded by using an evaluated version of VMS. But in cases where the INVASIVE_TESTING method is still needed, generally the testing should be on a separate test machine running the same software, rather than directly on the production machine.
• /METHODS=(MANUAL_EXAMINATION)
  The MANUAL_EXAMINATION method involves examination of items external to the computer system that cannot be accomplished automatically. Some examples are policy documents, fire alarm wiring and the way backup tape transfer to an offsite location is handled.

For the INTERVIEW, INVASIVE_TESTING and MANUAL_EXAMINATION methods an organization with multiple VMS systems will typically designate many of the groups within each method as "Common Controls". For each such groups the organization will conduct the assessment on one node and then use the commands:

$ LJK/Security ASSIGN <target-assessment> <source-assessment-1> /INTERVIEW /GROUP=PA17 $ LJK/Security ASSIGN <target-assessment> <source-assessment-2> /INTERVIEW /GROUP=QUIZ* $ LJK/Security ASSIGN <target-assessment> <source-assessment-3> /INVASIVE_TESTING /GROUP=*

to propagate those assessment results for use in other assessments.

Examples of groups where common controls are appropriate would be:

• Organization-wide propagation of results for assessing organization security policy documents.
• Site-wide propagation of results for assessing visitor access controls and fire alarms systems.

The ALL and QUICK methods are derivatives of the other methods.

M.2.2 The Multi-faceted Nature of NIST Assessment

• CA-2 Security Assessment
• CA-7 Continuous Monitoring

NIST 800-53 Control CA-2 says in part "The organization conducts an assessment of the security controls in the information system [Assignment: organization-defined frequency, at least annually]". This appendix will use the term "annual" for what in some cases might actually be "quarterly" or some other period, but the interaction issues below are the same.

M.2.2.2 800-53 CA-7 Continuous Monitoring

NIST 800-53 Control CA-7 says in part "The organization monitors the security controls in the information system on an ongoing basis", and also "selects a subset of the security controls employed within the information system for purposes of continuous monitoring". It says continuous monitoring activities include "ongoing assessment of security controls".

As one considers the question of which controls should be subjected to that ongoing assessment, an ancillary question will arise about what effort is required for this continuous monitoring. There is no good reason to avoid continuous monitoring of a control if the effort required is minimal. By definition using the LJK/Security Automatic Testing method to test controls takes minimal effort, because the testing is automated. So for most VMS systems, testing controls related to the protection of every file on every disk once a week and other controls daily or hourly is quite reasonable. For special situations like process control it might be preferable to run that continuous monitoring only during a designated maintenance period, particularly if a realtime device must be manipulated by the VMS system with millisecond response times.

M.2.2.3 Are CA-7 Assessments Adequate For CA-2 ?

In some cases agency Inspector General staff or independent outsiders will be charged with conducting the annual CA-2 Security Assessment as specified by control enhancement CA-2 (1), while regular Information Security personnel will handle the CA-7 Continuous Monitoring. In such cases, one question that immediately arises is whether a separate CA-2 Security Assessment must be conducted or whether results from the ongoing CA-7 Continuous Monitoring will suffice.

In the context of LJK/Security assessment of NIST 800-53 controls, the answer to that question involves several issues:

1. Is CA-7 Continuous Monitoring being conducted ?
   Control CA-7 calls for ongoing assessment of security controls, but there is a possibility that requirement is not being met. Those responsible for conducting CA-2 Security Assessment must always determine whether there is a program of ongoing assessment in order to determine what separate CA-2 Security Assessment work is required.
2. Is the CA-7 Continuous Monitoring policy complete ?
   Control CA-7 says that an organization selects a subset of security controls for continuous monitoring, but control CA-2 requires that the complete set of NIST 800-53 controls be evaluated. So depending on CA-7 Continuous Monitoring to fulfill the requirements for CA-2 Security Assessment requires that the "subset" chosen includes the full set of NIST 800-53 controls, such as suggested in Section M.2.2.2.
3. Are the CA-7 Continuous Monitoring limits accurate ?
   It is possible that after the policy used for CA-7 Continuous Monitoring was created, the organization has changed its view of appropriate limits to implement the controls of NIST 800-53.
   Those responsible for CA-2 Security Assessment can readily extract a text file of limits from the policy used for CA-7 Continuous Monitoring. Using the VMS command DIFFERENCES, it is easy to see if that policy conforms to a master file of the organization's current approved policy.
4. Are the CA-7 Continuous Monitoring exemptions reasonable ?
   At a minimum, a quick visual review of the exemptions used for CA-7 Continuous Monitoring is in order. The rest of this appendix discusses how to perform a more exhaustive check of the exemptions being used for CA-7 Continuous Monitoring.