LJK/Security Reference Manual



Overview

This gives basic information on LJK/Security.


Chapter 1
Introduction

This chapter describes the overall operational concepts of LJK/Security and gives a tutorial-order explanation of various terms (denoted in boldface throughout this manual) that have specialized meanings within the context of LJK/Security.

1.1 What LJK/Security Does

LJK/Security runs a series of tests of security-relevant conditions on VMS systems, comparing them to user-specified standards. The results are forwarded to a master node for reporting.

LJK/Security control and reporting software is installed on one master node with only data-gathering software installed on other tributary nodes.

1.2 What LJK/Security Does Not Do

LJK/Security does no modification [1] to the systems being assessed. It is intended as an unbiased tool for observation of system security, without getting involved in issues of control. Although in some organizations, the same individuals may be involved both in establishing security and evaluating it, LJK/Security makes no assumption that this is the case. It is organized, rather, to support the principle of separation of duties between those who implement security and those who evaluate it.

LJK/Security makes individual assessments on a user-specified schedule, rather than on a continuous basis. Thus, its results are based on sampling rather than logging, so effective monitoring depends on selection of a schedule appropriate for the environment.

Note

[1] Aside from data files LJK/Security creates for use in its own operation.

1.3 How LJK/Security is licensed

Each LJK/Security license covers one machine referred to as a master node, and some number (possibly zero) of other machines referred to as tributary nodes.

Note

The use of the term "node" does not mean that use of DECnet is required. A set of machines without DECnet can be accessed by moving removable magnetic media (e.g., tapes) back and forth, but in this document those machines are still referred to as "nodes".
If your master node is in a VAXcluster or a VMScluster, you have the option when installing LJK/Security of specifying that any machine in the cluster can serve as the master node (providing your license is large enough to cover all machines in the cluster).

1.4 Elements of the LJK/Security Control Structure

Throughout this manual there are terms (denoted by boldface type) which have a specific technical meaning within the context of LJK/Security.

1.4.1 Node

The term node refers to a single VMS system, regardless of whether or not it is connected via DECnet. Thus, a multi-processor system is one node, while a VAXcluster or VMScluster is multiple nodes. The DECnet node address used at some sites for a cluster-wide alias node name does not count as an additional node for purposes of LJK/Security.

1.4.1.1 Master Node

The master node is the one on which LJK/Security software is originally installed. All commands are issued from the master node.

1.4.1.2 Tributary Node

A tributary node is one on which LJK/Security data-gathering is conducted. In most cases a master node will also be a tributary node (and it is counted as such in license size limits).

1.4.2 Test

A test is an individual comparison to be made between a security-relevant condition on a node and a limit in the relevant policy. The various tests available within LJK/Security are each denoted by a set of three names: facility, element, and constraint.

1.4.2.1 Facility

Particular section of VMS or layered product being tested.

1.4.2.2 Element

Particular parameter or security-relevant item being tested.

1.4.2.3 Constraint

Exact condition being tested (value too low, value too high, etc.).

1.4.3 Policy

The term policy refers to a collection of security rules against which a single node can be evaluated.

LJK/Security allows for multiple policies within a given set of licensed nodes. This allows for a distinction to be made between nodes with varying security requirements or to account for special needs (e.g., machines used primarily to develop VMS device drivers will have an abnormally high proportion of privileged users).

Support for multiple simultaneous policy definitions also allows for variations in the security measurement process, such as running very thorough (and resource-intensive) security checks on weekends with quicker security checks each evening.

Figure 1-1 Contents of a Policy


As shown in Figure 1-1, within a policy there can be three types of rules:

1.4.3.1 Disable

A rule which is used to bypass all tests for a particular facility.

This is the only type of rule which applies to more than a single test.

1.4.3.2 Limit

A rule which specifies a value which must be met by a particular test.

1.4.3.3 Exemption

A rule which permits certain failures of a particular test not to be counted as violations.
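
The following added example (not part of the LJK/Security manual or product) models how the three rule types combine when one set of observations is evaluated against two policies. The facility, element and item names, the TOO_LOW/TOO_HIGH constraint strings, and the treatment of an exemption as a set of exempt items are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class SecTest:
    facility: str     # section of VMS or layered product being tested
    element: str      # parameter or security-relevant item being tested
    constraint: str   # "TOO_LOW" or "TOO_HIGH" (the two kinds modelled here)

@dataclass
class Policy:
    disabled: set = field(default_factory=set)      # Disable rules: facility names
    limits: dict = field(default_factory=dict)      # Limit rules: SecTest -> value
    exemptions: dict = field(default_factory=dict)  # Exemption rules: SecTest -> exempt items

def evaluate(policy, observations):
    """Return the (test, item, value) observations that count as violations."""
    violations = []
    for test, item, value in observations:
        if test.facility in policy.disabled:
            continue  # Disable: bypasses every test of the facility
        limit = policy.limits.get(test)
        if limit is None:
            continue  # this policy has no Limit rule for the test
        failed = value < limit if test.constraint == "TOO_LOW" else value > limit
        if failed and item not in policy.exemptions.get(test, set()):
            violations.append((test, item, value))  # failure not covered by an Exemption
    return violations

# Constructed sample data; every name below is a hypothetical placeholder.
PWD_LEN = SecTest("ACCOUNTS", "PASSWORD_LENGTH", "TOO_LOW")
PRIV_USERS = SecTest("ACCOUNTS", "PRIVILEGED_USER_COUNT", "TOO_HIGH")
PROXIES = SecTest("NETWORK", "PROXY_COUNT", "TOO_HIGH")

OBSERVED = [(PWD_LEN, "SMITH", 6), (PWD_LEN, "FIELD", 4),
            (PRIV_USERS, "node", 12), (PROXIES, "node", 9)]

GENERAL = Policy(limits={PWD_LEN: 8, PRIV_USERS: 5, PROXIES: 3},
                 exemptions={PWD_LEN: {"FIELD"}})
# Policy for a driver-development node: more privileged users are tolerated
# and the NETWORK facility is not tested at all.
DRIVER_DEV = Policy(disabled={"NETWORK"},
                    limits={PWD_LEN: 8, PRIV_USERS: 20, PROXIES: 3},
                    exemptions={PWD_LEN: {"FIELD"}})

if __name__ == "__main__":
    for name, pol in (("GENERAL", GENERAL), ("DRIVER_DEV", DRIVER_DEV)):
        print(name, [(t.element, i, v) for t, i, v in evaluate(pol, OBSERVED)])
```

The same observations yield three violations under the general policy and one under the driver-development policy, which is the distinction multiple policies are meant to express.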

1.4.4 Assessment

The term assessment refers to a coordinated testing of a set of nodes based on (possibly diverse) specified policies. The relationships established by an assessment are shown in Figure 1-2. An assessment specifies, for each tributary node:

For the simplest (default) case, the same policy will be applied to all nodes, and DECnet will be used for transmission of both requests and results.

Figure 1-2 Contents of an Assessment



Chapter 2
Installing LJK/Security

This chapter describes those steps which must be taken by the VMS system manager to get LJK/Security up and running in your environment.

There are four phases involved in starting up from scratch:

  1. Choosing the Master Node
  2. Installation on the Master Node
  3. Installation on Tributary Nodes
  4. Starting Operation after a New Installation

The second and third steps must be performed by someone with full system management privileges on the machine(s) in question.

The example shown below takes program defaults wherever possible, for instance assuming that DECnet connections will be used for all communications between the master node and the tributary nodes.

In many cases 95% of the criteria you want will be taken care of by these default values. As you gain experience you can turn to the Site-Specific Customization part, but initially you should use the built-in defaults.

Note

Installation of LJK/Security creates the username LJK$SECURITY, using the UIC group number you provide. This username is only for use in processes created by the LJK/Security software, and it should not be used interactively.

2.1 Choosing the Master Node

Control of the assessment process is done from a single node [1] designated as the master node. Factors you should consider in selecting that node include:

Note

If you change your mind later, moving the master node will be just as time-consuming as the original installation, because all of the tributary nodes have LJK/Security software installed which is configured only to respond to requests originating from the master node.

Note

[1] In cases where the master node is a member of a VAXcluster or a VMScluster you may choose as an installation option to allow or prohibit other members of the cluster to serve as master node. That power, of course, also depends on the particular username having the appropriate LJK/Security facility-specific identifiers (or the SECURITY privilege on older versions of VMS), but bear in mind that an aggressive penetrator can always obtain privilege if permitted physical access to a machine (even a MicroVAX, VAXstation or Alpha Workstation serving as a satellite node).

2.2 Installation on the Master Node

To install LJK/Security on the master node you will need disk space on the system disk of the master node as shown in Table 2-1. If there is insufficient space available, the VMSINSTAL procedure will exit with an appropriate error message.

Table 2-1 Master Node Disk Space Requirements

          Maximum Options             Minimum Options
          System Disk   Data Disk     System Disk   Data Disk
  peak    50,000        6000          43,000        2500
  net     40,000        6000          40,000        2500

Ensure users are logged off the master node. If they remain on during the installation, one of them could be accessing the VMS help library at the moment when the VMSINSTAL command procedure tries to update it, causing the installation to fail.

Effective with VAX VMS V5.4, VMSINSTAL sends a message to all users urging them to exit help. This is transmitted at 15 second intervals up to 20 times.

Although there is a kit provided for installing LJK/Security with the PRODUCT INSTALL command, LJK Software strongly recommends the VMSINSTAL.COM method due to shortcomings and version-to-version differences in PRODUCT INSTALL.

2.2.1 Installation on the Master Node using VMSINSTAL.COM

The following commands must be issued from a fully privileged username (e.g., one used for system management purposes).

  1. Mount the LJK/Security distribution CDROM:


    $ MOUNT ddcu: LJK_SEC_030
    
    replacing ddcu: with the name of your CDROM drive.

  2. Invoke the VMSINSTAL command procedure specifying the product CDROM:


    $ @SYS$UPDATE:VMSINSTAL * DISK$LJK_SEC_030:[LJK_SECURITY030.KIT] 
    

  3. You will be asked 2 or 8 questions. The one you should concentrate on is the first one (about UIC selection). You should choose an unused UIC group number in coordination with any UIC-assignment plan in effect at your site.


    * What UIC group should be used for username LJK$SECURITY: 25 
    * Would you like the simplified installation dialog [YES]? 
    * Is that object number for transmitting REQUESTS satisfactory [YES]? 
    * Is that object number for receiving RESULTS satisfactory [YES]? 
    * Is that treatment of other cluster member nodes acceptable [YES]? 
    * Is that location for LJK/Security files satisfactory [YES]? 
    * Is that DECwindows interface decision acceptable [YES]? 
    * Is that Bookreader documentation decision acceptable [YES]? 
    
    Explanations of each question will be given before it is asked. You can get further information about any question by responding with a question mark (?), and for all but the first question you can respond with a carriage return to get the default behavior.

    Note

    The ability to let other cluster member nodes serve as LJK/Security master node depends on the VMS cluster alias node number feature. Therefore it will not be enabled for master nodes running VMS V4.2 or V4.3.

  4. On an initial installation where file [000000]QUOTA.SYS is present, you will be reminded of the need to add disk quota for the LJK$SECURITY UIC.


     
     A disk quota file is present on the system disk, so you must 
     ensure at least 10000 blocks of quota is given to UIC [25,1] 
     ([LJK$SECURITY]). 
     
    

  5. On an initial installation under VMS V4.7 or earlier, you will also be told to insert a command in your site-specific system startup command procedure to enable LJK/Security each time the machine is booted.


     
     To set up LJK/Security on each system boot, your site-specific 
     startup command file (SYS$COMMON:[SYSMGR]SYSTARTUP.COM) must 
     contain the following line: 
     
      $ @SYS$MANAGER:LJK$SECURITY_STARTUP 
     
    

If you accepted the default action of installing Bookreader documentation for LJK/Security, the file LIBRARY.DECW$BOOKSHELF is installed in the area LJK$SECURITY_POLICY_AREA:, along with the actual Bookreader documentation (file type .DECW$BOOK). An individual user can access this information by defining the logical name DECW$BOOK to have an equivalence name of LJK$SECURITY_POLICY_AREA:. For longer term access it is better to make the LJK$SECURITY_POLICY_AREA: equivalence name be just one in a series of equivalence names for the logical name DECW$BOOK. This can be done as a system logical name to make the information generally available.

For experienced users of VMSINSTAL, optional features of that VMS facility are available when installing LJK/Security, with the following exceptions:

As with other software products installed for the first time on VMS, if any other user was logged in during the installation, they will not be able to access the LJK/SECURITY command until they log out and log in again.

A complete sample script of a default installation on the master node can be found in Appendix A.

Installing on Shared System Disks

If you install LJK/Security on one system to run it also on other systems that share that system disk, you should issue the following command on each additional system sharing that system disk:


$ MCR SYSMAN STARTUP ADD FILE LJK$SECURITY_STARTUP.COM/MODE=DIRECT/PHASE=END 

2.3 Installation on Tributary Nodes

Note

If you have a single-node license skip ahead to Section 2.4. The installation of the software on the master node above is sufficient.

You will need disk space available on the system disk of the tributary node as shown in Table 2-2. If there is insufficient space available, the VMSINSTAL procedure will exit with an appropriate error message.

Table 2-2 Tributary Node Disk Space Requirements

          AXP       VAX
  peak    20,000    21,000
  net     13,000    7000

  1. To permit access to the software just installed on the master node, you should log out and log back in again.
  2. Log back in to the master node under a username which has appropriate facility-specific identifiers or is otherwise authorized as discussed in Section 5.4 (full privileges are not necessary for this part).
  3. Build a software kit to install on tributary nodes using the following command:


    $ LJK/SECURITY KIT_BUILD/FILESPEC=LJK$SECURITY_RESULT_AREA: 
    

2.3.1 Installation on Tributary Nodes using VMSINSTAL.COM

  1. Log into a fully privileged account on each tributary node and issue the commands:


    $ COPY node"username password"::LJK$SECURITY_RESULT_AREA:LJK_SECURITY%%%.% - 
     SYS$LOGIN: 
    $ @SYS$UPDATE:VMSINSTAL * SYS$LOGIN: 
    
    where node is the name of the master node.

    Note

    At least as of VMS V5.4, DEC had coded the VMSINSTAL command procedure so that it cannot directly access save sets across DECnet with explicit access control strings. A separate COPY command is the recommended method (as above), on the presumption that a security-conscious site will not have default DECnet accounts established, particularly on the machine chosen for a LJK/Security master node.

    You will be asked 1 question, about UIC selection. You should choose an unused UIC group number in coordination with any UIC-assignment plan in effect at your site. This group must be unused on all nodes in the same cluster as this tributary node, but does not need to be the same as the group number used on the master node.


    * What UIC group should be used for username LJK$SECURITY: 362 
    
    Explanations of this question will be given before it is asked. You can get further information about the question by responding with a question mark (?).

  2. On an initial installation where file [000000]QUOTA.SYS is present, you will be reminded of the need to add quota for the LJK$SECURITY UIC.


     
     A disk quota file is present on the system disk, so you must 
     ensure at least 4000 blocks of quota is given to UIC [362,1] 
     ([LJK$SECURITY]). 
     
    

  3. On an initial installation under VMS V4.7 or earlier, you will also be told to insert a command in your site-specific system startup command procedure to enable LJK/Security each time the machine is booted.


     
     To set up LJK/Security on each system boot, your site-specific 
     startup command file (SYS$COMMON:[SYSMGR]SYSTARTUP.COM) must 
     contain the following line: 
     
      $ @SYS$MANAGER:LJK$SECURITY_STARTUP 
     
    

Magnetic media installation is described in Chapter 10, Using LJK/Security With Removable Media. That may be of interest if transmission lines are slow or if you choose to avoid DECnet for other reasons, such as security.

A complete sample script of a default installation on the tributary node can be found in Appendix B.

Installing on Shared System Disks

If you install LJK/Security on one system to run it also on other systems that share that system disk, you should issue the following command on each additional system sharing that system disk:


$ MCR SYSMAN STARTUP ADD FILE LJK$SECURITY_STARTUP.COM/MODE=DIRECT/PHASE=END 

