3.5.5 Examining an assessment entry
Select the Show command from the Edit menu of the Assessment window to
create a Read-Only assessment dialog box. Attempts to modify records
using the resulting dialog box will not be effective.
| Previous | Contents | Index |
The Control Menu contains a command to close the Result Window.
The Edit menu contains commands to transfer information to the clipboard.
The Help menu contains commands to get further information on operation of the LJK/Security Window Interface.
3.5 Using the Window Interface for Day-to-Day Tasks
This section gives a sampling of some of the tasks which can be
performed with the LJK/Security Window Interface. The choice of
examples is intended to demonstrate aspects of the Window Interface
which are particularly useful but were not already covered in
Section 3.3, Using the Window Interface on a New Installation.
For information on specific portions of LJK/Security Window Interface displays, use the mechanism described in Section 3.2, Context Sensitive Help.
3.5.1 Viewing Multiple Assessments
Using the commands from the File menu of the Main Window, you can open
multiple assessments and policies at the same time, to the limit
permitted by the quotas authorized by your VMS account. (Exact quota
values required depend on VMS versions and other
variables---experimentation is
the best method to determine what quota settings support your required
pattern of operation.)
3.5.2 Copying an entry to another assessment
You can select one or more lines in an assessment window and use the
Copy command from the Edit menu to copy them to the clipboard.
After the records have been copied to the DECwindows clipboard, they can be pasted back into a different assessment window by using the Paste command from the Edit menu of the target assessment window. The information copied is the full detailed assessment record, not just what is displayed in the assessment window.
Note that when a Paste command is used on an LJK/Security window, a dialog box is created asking for entry into the comment field. Whether such a field must be filled in depends on your local rules, but in any case, LJK/Security does keep track of which user performed the Paste operation, since that is the same as modifying a record directly.
Information copied to the clipboard from LJK/Security Assessment Windows can also be pasted into text windows of other DECwindows applications. That information is passed to those applications in summary text form (as shown in the assessment window) rather than in the binary form used between LJK/Security windows.
For advanced DECwindows users, all four forms of QuickCopy are also available between LJK/Security assessment windows. See the DECwindows documentation from VMS Development for details.
3.5.3 Removing an entry from an assessment
The mechanism for removing records from an assessment with the Window
Interface is to select the desired record(s) and then use the Cut
command from the Edit menu of the Assessment window.
The Cut command also copies the record to the clipboard, but if those contents of the clipboard never get pasted anywhere that effect is immaterial.
Note that records cut from an LJK/Security assessment window still are displayed in that window, but with only the Node text field showing. This is to allow a security officer to review the history of record deletions, as discussed in Section 3.5.4.
3.5.4 Modification based on an assessment history record
When you have created an assessment dialog box with the Modify command
from the Edit Menu (or by double-clicking on a line in the assessment
window), there is a vertical scroll bar along the right edge. You can
examine any previous versions of records for the subject node by
dragging the scroll bar slider toward the top.
While viewing any previous version, you can use it as the basis for further modifications by making any desired changes, such as the Comment field, and clicking on the Apply (or OK) button.
3.5.5 Examining an assessment entry
Select the Show command from the Edit menu of the Assessment window to
create a Read-Only assessment dialog box. Attempts to modify records
using the resulting dialog box will not be effective.
3.5.6 Modifying policy values
Methods available for modifying the value in a policy limit or
exemption dialog box vary depending on the data type of the value. In
all cases, however, you can type text into the value field if you do
not want to use one of the more specialized methods.
3.5.6.1 Boolean
Boolean values have radio buttons for True and False.
3.5.6.2 Scale
Numeric values have a scale whose slider can be dragged left or right.
This works best for scales where the range of possible values are limited, such as percentages or hours in the day. Moving a slider between 0 and 2,147.483,647 to exactly 1,236 is quite difficult! In such a case, typing the desired number into the value field is best.
In the future, LJK Software may reduce the range of those wide-ranging scales so that only the more popular values can be set using the scale and character typing must be used for extreme values. |
3.5.6.3 Protection
For file or device protections, you can modify an array of toggle
buttons covering the protection field values.
3.5.6.4 Privilege Level
For Privilege Levels, select one of the seven radio buttons which are
displayed.
3.5.7 Modifying a policy disable
For each LJK/Security facility, the first policy record shown is a
disable record which can be used to disable or enable
testing of that facility. The dialog box for those records has two
radio buttons, similar to that for boolean values.
3.5.8 Cutting a policy only removes exemptions
When records are cut from a policy, all selected records are moved (to
the clipboard, for example), but only exemptions are deleted from the
policy window. This is because there must always be some record for
disables and limits.
As with assessments, (exemption) records cut from a policy are still available in the policy window to allow examination of history records. Compared to assessment entries, deleted policy exemptions have more fields still visible (only the value is erased), so the effect of the Cut command may seem less obvious.
This chapter describes how to control LJK/Security using a character cell display terminal.
The menu interface provides user-friendly, visually oriented access to LJK/Security functions, compatible with character-cell video terminals back to the VT100 series.
4.1 How to Use the Menu Interface
$ LJK/Security |
This section discusses the minimal set of actions required for a security officer to set up LJK/Security on a new system using the Menu Interface. The description presumes the system manager has already installed the software using VMSINSTAL, as described in steps a-e of Section 2.2, Installation on the Master Node.
Tremendous numbers of violation reports can be generated by the DISK facility, so as a brand new user of LJK/Security you will likely have an easier time devising your initial policies if you start with the DISK facility disabled. Enable the DISK facility again after you are happy with results from the rest of your policy.
4.2.1 Starting LJK/Security
Use the command LJK/SECURITY to start LJK/Security with the Menu
Interface. Providing your terminal has at least the VT100 level of
features (and those features have been so indicated with the VMS
command SET TERMINAL), the main menu will be displayed:
To run at a VAXstation or Alpha Workstation entirely in a terminal emulator window using the Menu Interface, use the qualifier /INTERFACE=. The possible values are:
/INTERFACE=DECWINDOWS
or
/INTERFACE=CHARACTER_CELL
|
You can specify use of the Command Interface rather than the Menu Interface by using the qualifier /NOSMG in addition to the /INTERFACE=CHARACTER_CELL qualifier.
4.2.2 Creating a Policy
Each master node running LJK/Security must have at
least one policy to contain the rules against which
VMS system security will be measured.
Use the [up arrow] and [down arrow] keys to highlight Customize on the
LJK/Security menu and then use the [Return] or
[Enter] key to bring up the
Customize Menu.
The Customize Menu offers a selection between the various actions which can be applied to customize assessments and policies.
Use the [up arrow] and [down arrow] keys to highlight Create Policy on the
Customize menu and then use the [Return] or
[Enter] key to select
policy creation.
In the popup box, enter the name1 you want to use for the new policy, followed by the [Return] key.
Subsequent menus offer choices of:
4.2.3 Adding an Exemption
Limits for individual tests within an LJK/Security
policy set the overall standard against which testing
will be done, but in certain cases more lenient standards should be set
up through use of an exemption. For example, the test
(UAF, PRIVLEVEL, ABSOLUTHI) generally prohibits assignment of powerful
VMS privileges. In the case of the username "SYSTEM",
however, such privileges are required, for instance to allow proper
operation of system management batch jobs which might be submitted as
part of the system startup procedure.
This section shows how to add such an exemption for the username "SYSTEM".
Use the [up arrow] and [down arrow] keys to highlight Modify Policy on the
Customize menu and then use the [Return] or
[Enter] key to select
policy modification.
The available policies will be displayed in a menu.
Use the [up arrow] and [down arrow] keys to highlight the policy
you want on the Modify Policy menu and then use the [Return]
or [Enter] key to select that
policy.
In subsequent menus you should select:
In the value popup box, enter the value you want to use for the exemption, followed by the [Return] key. The possible values for each test are described in Chapter 6,LJK/Security Tests. In the case of this example, the proper value is "Category-All".
In the Exemption Argument 1 popup box, enter what you want to use for the first exemption argument, followed by the [Return] key. The first exemption argument is always a node name or the wildcard character "*", as described in Chapter 6,LJK/Security Tests. In the case of this example, the proper value is "*", to indicate that the exemption is to apply to all nodes.
In the Exemption Argument 2 popup box, enter what you want to use for the second exemption argument, followed by the [Return] key. The use of the second exemption argument varies according to the facility being tested and is described for each facility in Chapter 6,LJK/Security Tests. In the case of this example, the proper value is "SYSTEM", to indicate that the username SYSTEM is the one for which the exemption is desired.
Subsequent menus offer choices of:
4.2.4 Creating an Assessment
The specification of which policies apply to which
tributary nodes is stored as an LJK/Security
assessment. The assessment thus also
provides a list of which nodes are to be tested, excluding for
instance, any which do not have the LJK/Security software installed.
Use the [up arrow] and [down arrow] keys to highlight Create Assessment on the
Customize menu and then use the [Return] or
[Enter] key to select
assessment creation.
In the popup box, enter the name2 you want to use for the new assessment, followed by the [Return] key.
Subsequent menus offer choices of:
The assessment just created, however, lacks any indication of specific nodes to be assessed.
Use the [up arrow] and [down arrow] keys to highlight Modify Assessment on the
Customize menu and then use the [Return] or
[Enter] key to select
assessment modification.
The available assessments will be displayed in a menu.
Use the [up arrow] and [down arrow] keys to highlight the
assessment you want on the Modify Assessment menu and
then use the [Return] or [Enter] key to select that assessment.
In the next menus you should select:
Use the [up arrow] and [down arrow] keys to highlight Policy on the Named Node menu and then use the [Return] or [Enter] key.
The available policies will be displayed in a menu.
Use the [up arrow] and [down arrow] keys to highlight the policy you want on the Policy For Node menu and then use the [Return] or [Enter] key to select that policy.
In the next menus you should select:
In the Comment popup box, enter any information you want to store about the modification, followed by the [Return] key.
In the final menu you should select:
4.2.5 Running the Assessment
With both an assessment and a policy
in place, you are now ready to run. From your own user process you will
issue the command, but the actual testing on the master
node and transmission of a request to tributary
nodes takes place behind the scenes. This frees up your
process for doing other work (or for logging out if you are leaving the
area).
Use the [up arrow] and [down arrow] keys to highlight Run Assessment on the
LJK/Security menu and then use the [Return] or
[Enter] key to bring up the Run
Assessment menu.
The available assessments will be displayed in a menu.
Use the [up arrow] and [down arrow] keys to highlight the
assessment you want on the Run Assessment menu and
then use the [Return] or [Enter] key to select that assessment.
4.2.6 Reviewing Assessment Results
You can review the report of LJK/Security results at any time, and if
testing is not yet completed the report will so indicate. The time
required to complete an assessment varies depending
upon your particular policy selections and how busy
the tributary nodes are with other work. After a while
you will develop a feeling for how long it it takes to complete testing
on all your tributary nodes. For a very simple
policy with the Disk facility disabled and minimal
password guessing it might be as little as 5 minutes. For more
extensive testing, especially on heavily loaded machines, it might take
several hours.
Use the [up arrow] and [down arrow] keys to highlight Report Assessment on the
LJK/Security menu and then use the [Return] or
[Enter] key to bring up the
Report Assessment menu.
In the Report Assessment menu you should select:
Use the [up arrow] and [down arrow] keys to highlight the
assessment you want on the Run Assessment menu and
then use the [Return] or [Enter] key to select that assessment.
In the next menu you should select:
The assessment results will be displayed on the screen. Use the [up arrow] and [down arrow] keys to browse through the assessment results.
When browsing through assessment results the [PF1] key can be used to "fast forward" or "fast reverse" over all violations for a particular test to get to those for the next test. Pressing the [PF1] key, followed by the [up arrow] or [down arrow] key, will add the "fast" attribute to the arrow key action. This is useful when you decide that multiple single violations will be addressed with a single corrective measure (or a single policy change).
1 Naming rules are in Section 5.3, Name Formats.2 Naming rules are in Section 5.3, Name Formats.3 Specification of node names is discussed in Section 8.1, Adding and Removing Nodes from the Assessment. |
| Previous | Next | Contents | Index |