Displays information to assist in using the command interface.
$ HELP LJK/SECURITY [keyword...]
or
$ LJK/SECURITY HELP [keyword...]
or
LJKSÑ HELP [keyword...]
None.
keyword...
Specifies one or more keywords that refer to topics (typically commands) in the system help library for LJK/Security.
If you use an asterisk in place of any keyword, the HELP command displays all information available at the level the asterisk replaces. For example, LJK/SECURITY HELP RUN * displays all the subtopics under the topic RUN.
If you use an ellipsis immediately after any keyword, HELP displays all the information on the specified topic and all subtopics of that topic. For example, LJK/SECURITY HELP RUN... displays information on the RUN topic as well as any information on all the subtopics under RUN.
You can use percent signs and asterisks in the keyword as wildcard characters.
As with other uses of the VMS HELP facility, you can give additional keywords to get further detail after the Topic? prompt.
Topic? keyword...
Display information to assist in using the command interface to LJK/Security.
None.
$ LJK/SECURITY HELP MODIFY POLICY /TEST
Display information about the /TEST qualifier to the command MODIFY POLICY.
$ LJK/SECURITY HELP CREATE POLICY *
Display information about all subtopics for the CREATE POLICY command.
Create one or more LJK/Security software kits for installation on tributary nodes.
$ LJK/SECURITY KIT_BUILD
or
LJKSÑ KIT_BUILD
None.
Writes a VMSINSTAL-compatible installation kit onto disk or tape. This kit is then used to install the LJK/Security software onto tributary nodes.
In the case of installation kits written to tape, the tape is carried to the tributary node. For installation kits written to disk, the tributary node accesses the installation kit over DECnet before the VMSINSTAL command procedure is run on the tributary node.
/COPIES=number
/NOCOPIES (D)
Write the kit onto multiple tapes or disks.
/DEVICE=device
/DEVICE=device-type
MT16
TK50
TK70
/NODEVICE (D)
Write the kit(s) onto the specified magnetic disk drive or disk drive type. If a generic device name is specified (such as DU), any drive of the specified type may be used.
This is for cases where the medium will be removed and carried to the tributary node. To leave a kit for transfer over DECnet, see the /FILE qualifier.
In addition to the device types listed above, the following removable media device types may be specified:
RA60 RC25 RK06 RK07 RL01 RL02 RM03 RM05 RP04 RP05 RP06 RX01 RX02 RX33 RX50
/FILE=directory-spec
/NOFILE (D)
Writes the kit onto disk as the specified filespec. This is the qualifier one would use to leave a kit for loading over DECnet, whereas /DEVICE=disk-device-name would be used with removable disks to be carried to the tributary node.
/REWIND (D)
/NOREWIND
Replace previous contents of the tape or disk. This qualifier is not compatible with /FILE.
$ LJK/SECURITY KIT_BUILD/TAPE=TK50/COPIES=7
Write a copy of the tributary node software on each of 7 TK50 cartridges.
$ LJK/SECURITY KIT_BUILD/FILE=DISK$PUBLIC:[KITS]
Write a single copy of the tributary node software onto disk.
Add or modify the action an assessment specifies for a particular tributary node.
$ LJK/SECURITY MODIFY ASSESSMENT -
assessment-name
or
LJKSÑ MODIFY ASSESSMENT -
assessment-name
assessment-name
Name of the assessment to be modified.
As described in Section H.8, DCL Symbol Processing, DCL symbol substitution may be used for this parameter, even when using the Subsystem Command Format.
Add or modify the action an assessment specifies for a particular tributary node. If the assessment contains a previous disabled entry (one without a policy) for the specified node, fields from that entry will be used as defaults for any qualifiers not specified in this command.
/AUDIT (D)
/NOAUDIT
Specifies that the contents of assessment records created should be displayed, including audit information.
/COMMENT=comment-text
/NOCOMMENT (D)
Comment of up to 80 characters to be associated with modification(s) made to the assessment.
/ENCRYPT=(REQUEST,RESULT)
/ENCRYPT=REQUEST
/ENCRYPT=RESULT
/NOENCRYPT=(REQUEST,RESULT) (D)
/NOENCRYPT=REQUEST
/NOENCRYPT=RESULT
Specifies that encryption be used for transmissions with the subject nodes. (No effect for transmissions to the same node.)
/LOG
/NOLOG (D)
Specifies that the contents of assessment records created should be displayed.
/METHODS=(ALL)
/METHODS=([NO]AUTOMATIC_TESTING) (D)
/METHODS=([NO]COMPENSATING_CONTROLS)
/METHODS=([NO]INTERVIEWS)
/METHODS=([NO]INVASIVE_TESTING)
/METHODS=([NO]MANUAL_EXAMINATION)
/METHODS=(QUICK)
Specifies the assessment methods to be used by default for one or more nodes in an assessment:
- ALL
  Include all the assessment methods below.
- AUTOMATIC_TESTING
  Include all automatic testing (the method used before LJK/Security V3.0).
- COMPENSATING_CONTROLS
  Include compensating control information in assessment results.
- MANUAL_EXAMINATION
  Include the manual examination method, requiring designated individuals to review documents, physical security, etc.
- INTERVIEWS
  Include the interview examination method, requiring designated individuals to ask questions of particular sets of people.
- INVASIVE_TESTING
  Include the invasive testing examination method, requiring extensive effort at testing mechanisms (particularly for non-evaluated versions of VMS) and activities.
- QUICK
  Include only that automatic testing which can be done quickly, omitting the DISK and USAGE facilities.
This qualifier can accept a list of methods inside the parentheses, such as:
/METHODS=(QUICK,INVASIVE_TESTING)
/NODE=node-name
/NONODE
Indicates the name of the node whose assessment state is to be modified.
Use of wildcard characters (* and %) within values specified with the /NODE= qualifier is supported, in two distinct fashions:
- If the assessment currently has some nodes specified, the wildcard specification is used to select certain of those nodes for the modification.
- If the assessment has no nodes specified and the master node is running DECnet Phase IV, the wildcard specification is used to select nodes for addition from all known nodes in the volatile DECnet database. This is of use in setting up new assessments. If the number of nodes selected would be greater than the number of nodes covered by the LJK/Security license, none are added.
Note
On master nodes without DECnet, the master node should be specified as "0" when adding it to an assessment.
/POLICY=policy-name
/NOPOLICY
Indicates the name of the policy to be used for assessing security of the specified node. If the qualifier /NOPOLICY is specified, then an existing entry for the specified node is disabled.
/PROTOTYPE (D)
/NOPROTOTYPE
Specifies that the PROTOTYPE assessment record should be modified.
/REQUEST=DECnet (D)
device-name-or-type
MT16
TK50
TK70
Indicates the method to be used for transporting assessment requests to the tributary node from the master node. If DECnet connections are available, this method is easiest, although the possibility of tampering with messages on an intermediate node (particularly if VMS Encryption is not available on both the master node and the tributary node) may cause some to prefer physical transport of magnetic media.
In addition to the device types listed above, the following removable media device types may be specified:
RA60 RC25 RK06 RK07 RL01 RL02 RM03 RM05 RP04 RP05 RP06 RX01 RX02 RX33 RX50
/RESULT=DECnet (D)
device-name-or-type
MT16
TK50
TK70
Indicates the method to be used for transporting assessment results to the master node from the tributary node. If DECnet connections are available, this method is easiest, although the possibility of tampering with messages on an intermediate node (particularly if VMS Encryption is not available on both the master node and the tributary node) may cause some to prefer physical transport of magnetic media.
In addition to the device types listed above, the following device types may be specified:
RA60 RC25 RK06 RK07 RL01 RL02 RM03 RM05 RP04 RP05 RP06 RX01 RX02 RX33 RX50
$ LJK/SECURITY MODIFY ASSESSMENT OLDVAX/POLICY=MY_POLICY
Specify that policy MY_POLICY is to be used for assessing the security of node OLDVAX.
$ LJK/SECURITY MODIFY ASSESSMENT OLDVAX-
/POLICY=MY_POLICY,NEWAXP/POLICY=MY_POLICY/RESULT=MT16
Specify that policy MY_POLICY is to be used for assessing the security of node OLDVAX, and also for node NEWAXP, but that in the latter case assessment results are to be returned to the master node via magtape.
Modify a policy to change disables, limits or exemptions.
$ LJK/SECURITY MODIFY POLICY -
policy-name
or
LJKSÑ MODIFY POLICY -
policy-name
policy-name
Name of the policy to be modified.
As described in Section H.8, DCL Symbol Processing, DCL symbol substitution may be used for this parameter, even when using the Subsystem Command Format.
Modifies a policy to change a limit or an exemption associated with a particular test.
Disable or enable testing for a particular facility.
Establish or remove suspension of testing for a particular facility.
Qualifiers associated with this command in general cannot be used in combination. The exceptions are:
- /TEST can (and must) be used with /EXEMPTION, /LIMIT or /REMOVE_EXEMPTION.
- /VALUE can (and must) be used with /EXEMPTION or /LIMIT.
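The two combination rules above can be checked before a command procedure is run against a live policy. The following is an added example, not LJK/Security code: the function names are hypothetical, qualifier names are assumed to be spelled in full, and other qualifiers (/SELECTOR, /COMMENT, /LOG, /AUDIT) are left unconstrained apart from the 80-character comment limit.

```python
import re

# Combination rules are the ones stated for MODIFY POLICY above. The parsing is
# an assumption: qualifier names spelled in full, '-' continuation lines.
NEEDS_TEST = {"EXEMPTION", "LIMIT", "REMOVE_EXEMPTION"}
NEEDS_VALUE = {"EXEMPTION", "LIMIT"}
VERB = re.compile(r"^(?:LJK/SECURITY\s+)?MODIFY\s+POLICY\b(.*)$", re.I)
QUAL = re.compile(r'/([A-Z_]+)(?:=(\([^)]*\)|"[^"]*"|[^/\s]+))?', re.I)

def commands(text):
    """Yield complete commands; a trailing '-' continues onto the next line."""
    for line in re.sub(r"-[ \t]*\n", "", text).splitlines():
        line = line.strip().lstrip("$").strip()
        if line:
            yield line

def lint_command(cmd):
    """Return the rule violations for one MODIFY POLICY command."""
    m = VERB.match(cmd)
    if not m:
        return []  # other verbs (HELP, KIT_BUILD, ...) are not checked
    quals = {n.upper(): v for n, v in QUAL.findall(m.group(1))}
    needs_test = NEEDS_TEST.intersection(quals)
    needs_value = NEEDS_VALUE.intersection(quals)
    checks = [
        (needs_test and "TEST" not in quals, "/TEST is missing"),
        ("TEST" in quals and not needs_test,
         "/TEST needs /EXEMPTION, /LIMIT or /REMOVE_EXEMPTION"),
        (needs_value and "VALUE" not in quals, "/VALUE is missing"),
        ("VALUE" in quals and not needs_value,
         "/VALUE needs /EXEMPTION or /LIMIT"),
        (len(quals.get("COMMENT", "").strip('"')) > 80,
         "/COMMENT exceeds 80 characters"),
    ]
    return [msg for failed, msg in checks if failed]

def lint_procedure(text):
    """Return {command: [violations]} for every failing command."""
    return {c: e for c in commands(text) if (e := lint_command(c))}

# Constructed sample: a complete /LIMIT command followed by two
# deliberately incomplete ones.
SAMPLE = """\
$ LJK/SECURITY MODIFY POLICY MY_POLICY-
/LIMIT/TEST=(UAF,PWDMINLEN,ABSOLUTLO)-
/SELECTOR=(SYSPRV)/VALUE=9
$ LJK/SECURITY MODIFY POLICY MY_POLICY/LIMIT/VALUE=9
$ LJK/SECURITY MODIFY POLICY MY_POLICY-
/REMOVE_EXEMPTION=(BIGVAX,JONES)/VALUE=12
"""
```

Calling lint_procedure(SAMPLE) reports only the last two commands; the first passes unchanged.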
/AUDIT (D)
/NOAUDIT
Specifies that the contents of policy records created should be displayed, including audit information.
/COMMENT=comment-text
/NOCOMMENT (D)
Comment of up to 80 characters to be associated with modification(s) made to the policy. For limits (not exemptions[1] or disables), the comment you enter will be included in violation reports when you run an assessment. This makes the comment facility useful for citing an authority for a policy setting, such as an internal memo or an external set of requirements like NIST Special Publication 800-53 (for FISMA) or DoD Instruction 8500.2.
/DISABLE=facility
/NODISABLE (D)
Indicates the specified facility is not to be tested under the subject policy.
/ENABLE=facility
/NOENABLE (D)
Indicates the specified facility is to be tested under the subject policy.
/EXEMPTION=(argument,...)
/NOEXEMPTION (D)
Specifies that an exemption is to be set in the policy. Successive arguments in the list give the test-specific information regarding which violations are to be exempt.
/LIMIT
/NOLIMIT (D)
Specifies that a limit is to be set in the policy.
/LOG
/NOLOG (D)
Specifies that the contents of policy records created should be displayed.
/REMOVE_EXEMPTION=(argument,...)
/NOREMOVE_EXEMPTION (D)
Specifies that an exemption is to be removed from the policy. Successive arguments in the list give the test-specific information regarding which violations are to be exempt.
/SELECTOR=argument
/NOSELECTOR (D)
Specifies that only limits or exemptions for a particular selector be modified.
/TEST=(facility,element,constraint)
/NOTEST (D)
Specifies the name of the test which is to be modified.
/VALUE=value
/NOVALUE (D)
Specifies the value to be associated with the limit or exemption being added to a test.
The data types for the /EXEMPTION, /REMOVE_EXEMPTION and /VALUE qualifiers, as well as the number of values for the /EXEMPTION and /REMOVE_EXEMPTION qualifiers depend upon which test is being modified.
$ LJK/SECURITY MODIFY POLICY MY_POLICY-
/LIMIT/TEST=(UAF,PWDMINLEN,ABSOLUTLO)-
/SELECTOR=(SYSPRV)/VALUE=9
Specify that the UAF test PWDMINLEN lower limit (ABSOLUTLO) shall be 9 for usernames with the explicit or implicit privilege SYSPRV.
$ LJK/SECURITY MODIFY POLICY MY_POLICY-
/EXEMPTION=(BIGVAX,JONES)-
/TEST=(UAF,PWDMINLEN,ABSOLUTLO)/VALUE=12
Allow user JONES on node BIGVAX to have a minimum password length as low as 12 rather than the limit specified by the general policy.
Exemptions can only loosen standards, not tighten them.
[1] Not even for exemptions in the special exemption-driven tests of DISK elements CHECKPROT and CHECKSUM.