Remove LJK/Security software from a node.

Format

$ MCR LJK$SECURITY REMOVE

restrictions

• You must have full system management privileges as well as the identifier LJK$SECURITY_ROLE_STARTUP, LJK$SECURITY_REMOVE or LJK$SECURITY_ALL.
• On systems prior to VAX VMS V6.0 or systems which do not have a Rights Database (RIGHTSLIST.DAT), you must have the SECURITY privilege and also full system management privileges.

Parameters

None.

Description

Remove LJK/Security software from a node.

Before attempting to remove the LJK/Security software, all use of it should be completed on the node and any nodes with which it shares a system disk.

The REMOVE command will automatically perform an orderly shutdown of the LJK/Security master process on the local node, but it does not do so for other nodes which might share the system disk.

This command takes a different form than other commands because it is also supported on tributary nodes, where the command form LJK/SECURITY is not available.

Note Do not use the SYSMAN utility to issue this command between nodes, since that command does not fully replicate the normal process context and only a partial removal will be achieved.

Shared System Disks For shared system disks, use the SHUTDOWN command first on all nodes to avoid problems. Some residue will be cleaned up by the next disk rebuild, typically the next time the nodes are rebooted.

Qualifiers

None.

Reserved to LJK Software for use in starting LJK/Security software over DECnet connections.

Format

$ LJK/SECURITY REMOTE

or

LJKSÑ REMOTE

restrictions

• You must have the facility-specific identifier LJK$SECURITY_ROLE_STARTUP, LJK$SECURITY_REMOTE or LJK$SECURITY_ALL.
• On systems prior to VAX VMS V6.0 or systems which do not have a Rights Database (RIGHTSLIST.DAT), you must have the SECURITY privilege.

Parameters

None.

Description

This command is used by LJK Software to start LJK/Security software over DECnet connections.

Qualifiers

None.

Give the results of a completed assessment.

Format

$ LJK/SECURITY REPORT -

assessment-name

or

LJKSÑ REPORT -

assessment-name

restrictions

• You must have the facility-specific identifier LJK$SECURITY_ROLE_REVIEW, LJK$SECURITY_REPORT or LJK$SECURITY_ALL.
• On systems prior to VAX VMS V6.0 or systems which do not have a Rights Database (RIGHTSLIST.DAT), you must have the SECURITY privilege.

Parameters

assessment-name

Name of the assessment.

Description

Give the results of a completed assessment. Along with each report of a test failure is included any /COMMENT value specified in setting the value of the LIMIT (not exemptions¹ for that test.

The command

$ LJK/SECURITY REPORT <assessment-name>

may return to DCL the special non-failure status

%LJK-I-NOTCOMPLETE, This assessment has not completed on all nodes

indicating a later check might be appropriate. That situation can be checked with the DCL test

$ IF $SEVERITY .EQ. 3

Qualifiers

/FORMAT=(node-name,...)

Specifies the format in which report output is to be generated.

• /FORMAT=TEXT
  Sequential file output to the screen or /OUTPUT=filespec.
• /FORMAT=HTML
  Requires that /OUTPUT= specify an empty directory.
• /FORMAT=CUSTOM
  Invokes shareable image LJK$SECURITY_CUSTOM_REPORT.

/NODE=(node-name,...)

Specifies particular tributary nodes to be included in the report.

/OMIT_NODE=(node-name,...)

Specifies particular tributary nodes to be excluded from the report.

/OUTPUT (D)

/OUTPUT=file-spec

/NOOUTPUT

Specifies the destination of the output listing. If /OUTPUT is specified without a value (the default) the listing is sent to SYS$OUTPUT.

/REMEDIATION

/NOREMEDIATION (D)

The report is to contain steps necessary to remedy violations found in assessing the system.

/STATUS_ONLY

/NOSTATUS_ONLY (D)

The report is to contain only indications as to the completion of the assessment. The /SUMMARY and /STATUS_ONLY qualifiers cannot be used together.

/SUMMARY=(COMMENT,TEST)

/SUMMARY=COMMENT

/SUMMARY=TEST (D)

Specifies that just a summary of assessment results should be given, showing the total number of violations found:

• /SUMMARY=COMMENT
  Summarize according to the full text of /COMMENT values.
  
• /SUMMARY=(COMMENT,TEST)
  Summarize first according to the full text of /COMMENT values and second according to test names.
  
• /SUMMARY=TEST
  Summarize according to test names.

The /SUMMARY and /STATUS_ONLY qualifiers cannot be used together.

/TESTNAMES (D)

/NOTESTNAMES

The report is to contain names of LJK/Security tests in addition to the result text.

Example

$ LJK/SECURITY REPORT
      

Display a report on the user terminal.

$ LJK/SECURITY REPORT/OUTPUT=SYS$LOGIN:RESULTS.LIS
      

Store a report in the specified file on disk.

RUN

Start the collection of security data from tributary nodes.

Format

$ LJK/SECURITY RUN -

assessment-name

or

LJKSÑ RUN -

assessment-name

restrictions

• You must have the facility-specific identifier LJK$SECURITY_ROLE_OPERATE, LJK$SECURITY_RUN or LJK$SECURITY_ALL.
• On systems prior to VAX VMS V6.0 or systems which do not have a Rights Database (RIGHTSLIST.DAT), you must have the SECURITY privilege.

Parameters

assessment-name

Name of the assessment.

Description

Start the collection of security data from tributary nodes.

Qualifiers

/AFTER=absolute-time

/NOAFTER (D)

Requests that the specified assessment not be made until the specified time. If the specified time has already passed, the assessment is started immediately.

You can specify either an absolute time or a combination of absolute and delta times. See the VMS documentation for complete information on specifying time values.

/INTERVAL=delta-time

/NOINTERVAL (D)

Requests that the specified assessment be re-run at regular intervals. See the VMS documentation for complete information on specifying delta time values.

If you specify both /AFTER=absolute-time and /INTERVAL=delta-time, the first assessment will be made at <absolute-time> and after that subsequent assessments will be made every <delta-time>.

When specifying /INTERVAL=delta-time you should ensure that <delta-time> is long enough to allow one run of an assessment to complete before the next run of that assessment is to start.

/METHODS=(ALL)

/METHODS=([NO]AUTOMATIC_TESTING) (D)

/METHODS=([NO]COMPENSATING_CONTROLS)

/METHODS=([NO]INTERVIEWS)

/METHODS=([NO]INVASIVE_TESTING)

/METHODS=([NO]MANUAL_EXAMINATION)

/METHODS=(QUICK)

Specifies the assessment methods to be used by default for one or more nodes in an assessment:

• ALL
  Include all the assessment methods below.
• AUTOMATIC_TESTING
  Include all automatic testing (the method used before LJK/Security V3.0).
• COMPENSATING_CONTROLS
  Include compensating control information in assessment results.
• MANUAL_EXAMINATION
  Include the manual examination method, requiring designated individuals to review documents, physical security, etc.
• INTERVIEWS
  Include the interview examination method, requiring designated individuals to ask questions of particular sets of people.
• INVASIVE_TESTING
  Include the invasive testing examination method, requiring extensive effort at testing mechanisms (particularly for non-evaluated versions of VMS) and activities.
• QUICK
  Include only that automatic testing which can be done quickly, omitting the DISK and USAGE facilities.

This qualifier can accept a list of methods inside the parentheses, such as:

/METHODS=(QUICK,INVASIVE_TESTING)

Example

$ LJK/SECURITY RUN MY_SPECIAL/AFTER="21:00"
      

Run assessment MY_SPECIAL today at 9 pm.

$ LJK/SECURITY RUN WEEKLY_FULL/AFTER="TOMORROW+0-03"/INTERVAL="7-"
      

Run assessment WEEKLY_FULL at 3 am tomorrow and every week thereafter.

Display node, policy and transport-medium associations from an existing assessment.

Format

$ LJK/SECURITY SHOW ASSESSMENT -

assessment-name

or

LJKSÑ SHOW ASSESSMENT -

assessment-name

restrictions

• You must have the facility-specific identifier LJK$SECURITY_ROLE_REVIEW, LJK$SECURITY_ROLE_POLICY, LJK$SECURITY_SHOW_ASSESSMENT or LJK$SECURITY_ALL.
• On systems prior to VAX VMS V6.0 or systems which do not have a Rights Database (RIGHTSLIST.DAT), you must have the SECURITY privilege.

Parameters

assessment-name

Name of the assessment to be modified.

As described in Section H.8, DCL Symbol Processing, DCL symbol substitution may be used for this parameter, even when using the Subsystem Command Format.

Description

• If the assessment name includes wildcard characters:
  Displays a list of all assessment names.
• If the assessment name gives an exact name:
  Reads a assessment from disk and displays its node, policy and transport-medium associations.

Qualifiers

/AUDIT

/NOAUDIT (D)

Specifies whether information about assessment changes is displayed.

/HISTORY

/NOHISTORY (D)

Specifies that historical assessment contents be displayed in addition to current ones. By default only current assessment contents are displayed.

/OUTPUT[=SYS$OUTPUT] (D)

/OUTPUT=file-spec

/NOOUTPUT

Specifies the destination of the output listing. If /OUTPUT is specified without a value (the default) the listing is sent to SYS$OUTPUT.

Example

$ LJK/SECURITY SHOW ASSESSMENT MY_ASSESSMENT
      

Display the node, policy and transport-medium associations for the subject assessment.

$ LJK/SECURITY SHOW ASSESSMENT *_TEMP/OUTPUT=ASSESSMENT.LIS
      

Create a list of the names of all assessments that end in "_TEMP".

Display information about tributary nodes currently authorized for this copy of LJK/Security.

Format

$ LJK/SECURITY SHOW NODES

or

LJKSÑ SHOW NODES

restrictions

• You must have the facility-specific identifier LJK$SECURITY_ROLE_REVIEW, LJK$SECURITY_ROLE_POLICY, LJK$SECURITY_SHOW_NODES or LJK$SECURITY_ALL.
• On systems prior to VAX VMS V6.0 or systems which do not have a Rights Database (RIGHTSLIST.DAT), you must have the SECURITY privilege.

Parameters

None.

Description

The LJK/Security license terms say a license can be moved to another node as often as each 30 days. If you want to move LJK/Security from one tributary to another, use the command SHOW NODES to see which tributary nodes have had LJK/Security installed for more than 30 days.

Qualifiers

/OUTPUT[=SYS$OUTPUT] (D)

/OUTPUT=file-spec

/NOOUTPUT

Specifies the destination of the output listing. If /OUTPUT is specified without a value (the default) the listing is sent to SYS$OUTPUT.

Example

$ LJK/SECURITY SHOW NODES/OUTPUT=NODES.LIS
      

Create a list of the nodes currently occupying LJK/Security license slots.

$ LJK/SECURITY SHOW NODES
%LJK-I-NODENOW, node ATHENS license slot can be freed now by:
        a. removing LJK/Security from the node
                and
        b. modifying assessments /NOPOLICY for the node
%LJK-I-NODENOW, node PLUTO license slot can be freed now by:
        a. removing LJK/Security from the node
                and
        b. modifying assessments /NOPOLICY for the node
%LJK-I-NODENOW, node RQ54J license slot can be freed now by:
        a. removing LJK/Security from the node
                and
        b. modifying assessments /NOPOLICY for the node
%LJK-I-NODELATER, node TESTME license slot can be freed after after 22-FEB-2005 19:23:55.50
%LJK-I-NODELATER, node NEWVAX license slot can be freed after after 22-FEB-2005 19:40:59.03
      

Display a list of the nodes currently occupying LJK/Security license slots. The listing of each node indicates whether or not it has been occupying its license slot for the required 30 days.

Display the limits and/or exemptions of an existing policy.

Format

$ LJK/SECURITY SHOW POLICY -

policy-name

or

LJKSÑ SHOW POLICY -

policy-name

restrictions

• You must have the facility-specific identifier LJK$SECURITY_ROLE_REVIEW, LJK$SECURITY_ROLE_POLICY, LJK$SECURITY_SHOW_POLICY or LJK$SECURITY_ALL.
• On systems prior to VAX VMS V6.0 or systems which do not have a Rights Database (RIGHTSLIST.DAT), you must have the SECURITY privilege.

Parameters

policy-name

Name of the policy to be modified.

As described in Section H.8, DCL Symbol Processing, DCL symbol substitution may be used for this parameter, even when using the Subsystem Command Format.

Description

• If the policy name includes wildcard characters:
  Displays a list of all policy names.
• If the policy name gives an exact name:
  Reads a policy from disk and displays its limits and/or exemptions.

Qualifiers

/AUDIT

/NOAUDIT (D)

Specifies whether information about policy changes is displayed.

/COMMAND_PROCEDURE

/NOCOMMAND_PROCEDURE (D)

Specifies whether the policy information is displayed in the format of a command procedure that could be edited to apply the same policy elements to another policy, as discussed in Section 7.9, SHOW POLICY/COMMAND_PROCEDURE. This qualifier is most useful in conjunction with the /OUTPUT= qualifier or with a particular /TEST= specification.

/EXEMPTIONS (D)

/NOEXEMPTIONS

Specifies that exemptions be displayed (the default).

/HISTORY

/NOHISTORY (D)

Specifies that historical limits and/or exemptions be displayed in addition to current ones. By default only current limits and/or exemptions are displayed.

/LIMITS (D)

/NOLIMITS

Specifies that limits be displayed (the default).

/OUTPUT[=SYS$OUTPUT] (D)

/OUTPUT=file-spec

/NOOUTPUT

Specifies the destination of the output listing. If /OUTPUT is specified without a value (the default) the listing is sent to SYS$OUTPUT.

/SELECTOR=value

/NOSELECTOR (D)

Specifies that only limits and exemptions for a particular selector be displayed.

/TEST=(facility,element,constraint)

Specifies the name of a single test whose limits and/or exemptions are to be shown.

Example

$ LJK/SECURITY SHOW POLICY MY_POLICY
      

Show all limits and exemptions of the specified policy.

$ LJK/SECURITY SHOW POLICY MY_POLICY/TEST=(UAF,PWDMINLEN,ABSOLUTLO)/EXEMPTIONS
      

Show only limits and exemptions of the specified test within the specified policy.