This appendix tells how to use LJK/Security in complying with US Department of Defense Instruction 8500.2 published February 6, 2003.

For the February 6, 2003 of DoD Instruction 8500.2, LJK/Security V3.0 provides command procedure templates to set up policies covering only those controls that are susceptible to testing via the Automatic method under a running copy of the VMS (OpenVMS) operating system.

O.2 An Easy Start for DoD Instruction 8500.2 Assessments

If you are new to LJK/Security the vast array of capabilities can seem daunting. To get some quick results, use the following steps.

O.2.1 Setting Up the Environment

1. Have the VMS system manager install LJK/Security as described in Section 2.2, Installation on the Master Node.
2. Have the person who grants privileges¹ issue the commands

   $ SET DEFAULT SYS$SYSTEM $ MCR AUTHORIZE GRANT/IDENTIFIER LJK$SECURITY_ALL <your-user-name>

3. Log into a fresh session with your user name (this is required)

4. Create a policy that will describe the particular DoD Instruction 8500.2 controls required for your system. Use a command like:

   $ LJK/SECURITY CREATE POLICY MY_8500_2_POLICY $ @LJK$SECURITY_EXAMPLES:POLICY_NULL.COM MY_8500_2_POLICY

   Note If you are not a touch typist, you can open this document on screen and copy and paste many of the commands as you need them.

5. Use JUST ONE of the following commands to specify the Mission Assurance Category and Confidentiality Level that apply to your system:

   $ @LJK$SECURITY_EXAMPLES:POLICY_DODI_8500_2_MACI_CLASSIFIED.COM MY_8500_2_POLICY

   $ @LJK$SECURITY_EXAMPLES:POLICY_DODI_8500_2_MACII_CLASSIFIED.COM MY_8500_2_POLICY

   $ @LJK$SECURITY_EXAMPLES:POLICY_DODI_8500_2_MACIII_CLASSIFIED.COM MY_8500_2_POLICY

   $ @LJK$SECURITY_EXAMPLES:POLICY_DODI_8500_2_MACI_SENSITIVE.COM MY_8500_2_POLICY

   $ @LJK$SECURITY_EXAMPLES:POLICY_DODI_8500_2_MACII_SENSITIVE.COM MY_8500_2_POLICY

   $ @LJK$SECURITY_EXAMPLES:POLICY_DODI_8500_2_MACIII_SENSITIVE.COM MY_8500_2_POLICY

   $ @LJK$SECURITY_EXAMPLES:POLICY_DODI_8500_2_MACI_PUBLIC.COM MY_8500_2_POLICY

   $ @LJK$SECURITY_EXAMPLES:POLICY_DODI_8500_2_MACII_PUBLIC.COM MY_8500_2_POLICY

   $ @LJK$SECURITY_EXAMPLES:POLICY_DODI_8500_2_MACIII_PUBLIC.COM MY_8500_2_POLICY

6. Use the DIRECTORY command to look at the list of policy modifications for particular VMS versions

   $ DIRECTORY/FULL LJK$SECURITY_EXAMPLES:POLICY_VMS_SHA1_*.COM;

   The names of those command procedures indication the version of VMS to which each one applies.
   

7. Customize your policy for your version of VMS by invoking the proper command procedure

   $ @LJK$SECURITY_EXAMPLES:POLICY_VMS_SIMPLE_AXP_07_3_2.COM MY_8500_2_POLICY

   
   

   Note You can Copy and Paste portions of that command line, but be sure to specify the proper command procedure name for your version of VMS.

8. Start LJK/Security in subsystem mode for easier typing

   $ LJK/SECURITY/NOSMG/INTERFACE=CHARACTER_CELL

   
   You may want to create a DCL symbol in your LOGIN.COM file if you are going to use command mode on a regular basis.

9. Create an assessment

   LJKS> CREATE ASSESSMENT MY_8500_2_ASSESSMENT LJKS> MODIFY ASSESSMENT MY_8500_2_ASSESSMENT/NODE=<this-node>/POLICY=MY_8500_2_POLICY

10. Run the assessment omitting resource-intensive facilities

    LJKS> RUN MY_8500_2_ASSESSMENT /METHODS=QUICK

11. Take a break
12. Come back and check results

    LJKS> REPORT MY_8500_2_ASSESSMENT/STATUS_ONLY

13. When that indicates the assessment has completed, extract a summary and a detailed report

    LJKS> REPORT MY_8500_2_ASSESSMENT/SUMMARY=COMMENTS/OUTPUT=8500_2_SUMMARY.TXT LJKS> REPORT MY_8500_2_ASSESSMENT/OUTPUT=8500_2_DETAILS.TXT

14. Start a full assessment running while you study the results of the quick assessment

    LJKS> RUN MY_8500_2_ASSESSMENT

15. Exit from LJK/Security subsystem mode

    LJKS> [Ctrl/Z]

You can specify which conditions are actually acceptable by customizing your policy. Then subsequent assessment runs will produce a proper "management by exception" report.

O.2.3 Choosing a User Interface

To customize your policy will take more interaction and be an ongoing activity as personnel and requirements change. You might want to use a different user interface. You have your choice of three

1. Window
   Described in Section 3.3.3, Adding an Exemption
2. Menu
   Described in Section 4.2.3, Adding an Exemption
3. Command
   Described in MODIFY POLICY within Chapter 5, Command Interface

Use your choice of interface to add exemptions to your policy as follows

• Add an exemption to the test (UAF, PRIVLEVEL, ABSOLUTHI) for username SYSTEM to have all privileges. Username SYSTEM must have full privileges for the proper operation of VMS.
• Add exemptions to the test (UAF, PRIVLEVEL, ABSOLUTHI) for usernames that have been properly authorized under the organization's policy for access to particular VMS privileges.
• Add exemptions to the test (DISK, INSTALLED, PROHIBITED) for files that have been properly authorized under the organization's policy to be installed as a part of the Trusted Computing Base (TCB).
• Add exemptions to the test (DISK, INSTPRIV, PRIVPROHIB) for files that have been properly authorized under the organization's policy to be installed as privileged in the Trusted Computing Base (TCB). Be sure those exemptions are only for the particular privileges the organization's policy allows.
• Add exemptions to the test (DISK, INSTPROT, PROHIBITED) for files that have been properly authorized under the organization's policy to be installed as protected in the Trusted Computing Base (TCB).
• Add exemptions to the test (DISK, CHECKSUM, SIMPLE) or (DISK, CHECKSUM, SHA1) for files given exemptions in the previous three steps. This will detect unauthorized changes in those files which have been installed in the Trusted Computing Base (TCB). Ideally the organization would publish the proper checksum value when authorizing the exemptions above, but if that does not happen it will take one assessment run to determine the proper value for the CHECKSUM exemption.
• Add other exemptions authorized under the organization's policy.

O.3 Saving Time on ECMT Conformance Monitoring and Testing

• ECMT-* Conformance Monitoring and Testing
• VIVM-1 Vulnerability Management

DoD Instruction 8500.2 controls ECMT-2 and ECMT-1 require periodic unannounced in-depth monitoring at all Confidentiality Levels:

Organizations following DoD Instruction 8500.2 can save considerable effort if the periodic conformance testing required for control ECMT-2 or ECMT-1 make use of exemptions prepared as part of the LJK/Security assessments run in support of the VIVM-1 Vulnerability Management control.

The technique described involves creating a LJK/Security policy for ECMT Conformance Monitoring using two different techniques:

• Limits
  determined without regard to VIVM-1 Vulnerability Management
• Exemptions
  selected through careful review of exemptions already in use for VIVM-1 Vulnerability Management

As one considers the question of which controls should be subjected to that ongoing assessment, an ancillary question will arise about what effort is required for this continuous monitoring. There is no good reason to avoid continuous monitoring of a control if the effort required is minimal. By definition testing those controls that LJK/Security can test takes minimal effort, because the testing is automated. So for most VMS systems, testing controls related to the protection of every file on every disk once a week and other controls daily or hourly is quite reasonable. For special situations like warfighting systems it might be preferable to run that continuous monitoring only during a designated maintenance period, particularly if a realtime device must be manipulated by the VMS system with millisecond response times.

O.3.2 LJK/Security Document Naming for ECMT-* and VIVM-1

There can be only one copy of the LJK/Security software installed on a particular running instance of the VMS operating system. There is a single name space for policy documents which must be shared by all those who have been authorized to run LJK/Security. Organization-specific naming conventions provide an easy way to distinguish between documents used for VIVM-1 Vulnerability Management on a day-to-day basis and documents used for the unannounced in-depth ECMT-* Conformance Monitoring and Testing. For instance, in an organization where a team from the Office of the Inspector General conducts the unannounced in-depth ECMT-* Conformance Monitoring and Testing, files they create could all have names starting with a particular string of characters, like "OIG_". A different scheme might use "OIG_FY06_" one year and "OIG_FY07_" the next year.

O.3.3 Using VIVM-1 Exemptions for ECMT-* Assessments

In setting limits within a policy, those conducting the separate ECMT-* Conformance Monitoring and Testing will want to create a policy from scratch, perhaps carrying in policy settings prepared in advance or used for ECMT-* Conformance Monitoring and Testing on some other system operated by the organization. Another option would be:

1. Create a new policy compatible with DoD Instruction 8500.2 by using the command procedures that ship with LJK/Security as described in:
   • Section K.1.4.3, Command Procedures for Possible Combinations
   • Section K.1.6, Exemptions for the VMS Trusted Computing Base
2. make particular changes for those controls where the policy of the organization mandates a different value in the policy from that created by the command procedures described in the Sections listed above.

But the situation is different in the case of exemptions in the new policy. Exemptions are used in LJK/Security to indicate special cases where abnormal values are permitted based on management approval. For instance a typical limit says that no individuals should have privileges assigned to their VMS username. Then exemptions are entered for the VMS usernames of those assigned to system management duties, so that violation reports are not generated for those usernames authorized to have privilege. To recreate the exemptions appropriate to a system would be time consuming, so a better tactic is:

1. Extract the exemptions (but not the limits) from the appropriate VIVM-1 policy (or policies) with a command like

   $ LJK/Security SHOW POLICY vivmpolicyname - /EXEMPTIONS /NOLIMITS /COMMAND_PROCEDURE - /OUTPUT=REVIEW.TXT

   creating a command procedure for applying those exemptions to some other policy. Each line in the command procedure contains an entire command for establishing one exemption, so some of those lines will be quite long.

2. Use a text editor to inspect each exemption in the resulting command procedure and decide whether it was properly granted. On lines where the exemption is not appropriate, comment out the line with an initial exclamation point (!). This has the same effect as deleting the line, but leaves a better record of what actions are taken. For an even better record, one can follow that exclamation point with brief text (on a single line) indicating the reason for the decision.
3. Apply the resulting batch of exemptions to the ECMT-* policy with a command like

   $ @REVIEW.TXT ecmtpolicyname

   where ecmtpolicyname is the name of the policy created earlier with the current limits for the organization.

4. Use the resulting policy for the unannounced in-depth ECMT-* Conformance Monitoring and Testing.

Depending on the organization's policy some manual reporting of inappropriate exemptions found in step 2 above might be in order.

In the following sections, we discuss various considerations for proposed exemptions, depending on the LJK/Security facility in which the exemptions are located. The examples are based on limits specified in the POLICY_DODI_8500_2_*.COM files provided in directory LJK$SECURITY_EXAMPLES. Your own organization's limits may be different.

O.3.3.1 Example of an Exemption Based on Node

For LJK/Security test (VMS,ANNOUNCE,CONTAINS)² the value specified in the limit is the system use notification to be displayed to authorized users on login. This means a violation will be reported for any Node where this notification is not provided. An exemption might be present allowing a particular Node to skip this message if it is exclusively for public use. Questions that might be asked about such an exemption include:

• Does the organization's policy allow exemptions for this test ?
• Is the value specified for this exemption within a range allowed for exemptions to this test by the organization's policy ?
• Does the comment field of this exemption provide tracking information required to determine that the procedure for issuing exemptions under the organization's policy was followed ?
• Does following that tracking information show that the organization's policy was followed for this exemption and that the exemption still conforms to the organization's policy with the passage of time ?

For LJK/Security test (DISK, FILEPROT, ABSOLUTHI)³ the value specified in the limit is (SYSTEM:RWED,OWNER:RWED,GROUP:RE,WORLD), meaning a violation will be reported for each file which has a more permissive protection mask.

For LJK/Security test (DISK, FILEPROT,PERCENTHI)⁴ and selector READ, the limit specified has a value of 10 meaning a violation will be reported for each file to which more than 10 percent of users have read access.

Often exemptions will be used for those two tests with respective values of (SYSTEM:RWED, OWNER:RWED,GROUP:RE,WORLD:RE) and 100 percent for a VMS system-wide login command procedure, since that must be executed on behalf of each user at login. Questions that might be asked about such exemptions include:

• Does the organization's policy allow exemptions for this test ?
• Is the file one for which the organization's policy allows such exemptions ?
• Is the value specified for this exemption within a range allowed for exemptions to this test by the organization's policy ?
• Does the comment field of this exemption provide tracking information required to determine that the procedure for issuing exemptions under the organization's policy was followed ?
• Does following that tracking information show that the organization's policy was followed for this exemption and that the exemption still conforms to the organization's policy with the passage of time ?
• If the file is one accessed via a logical name like SYS$SYLOGIN, is it canonically specified to use that logical name, such as "SYS$SYLOGIN,SYS$COMMON:[SYSMGR]SYLOGIN.COM" ?