This chapter discusses the uses of policy modification.

7.1 Disables

The primary use of disables is to save execution time by avoiding testing of an entire facility. If one of your nodes has an extremely large User Authorization File, for instance, you might choose to test it only once per day, while testing other facilities at the start of each 8 hour shift.

No capability is provided to disable particular tests within a facility, because the time-consuming portion of the testing process is getting the raw information, such as user authorization or file data, which is done once per data item for all the tests in a facility. For instance, once information about a particular file has been retrieved from VMS, the number of tests applied to it in memory does not have a significant effect on performance. Of course, the number of tests failed, and thus the number of violation records written, can affect performance.

Newly created policies have all facilities enabled by default.

7.1.1 Using the /METHOD=QUICK qualifier

The most common candidate facilities for disabling are those that involve extensive disk reading, such as the DISK facility that reads protection information for all files and the USAGE facility that reads all available audit logs.

But those who want to disable those facilities often want to do it only some of the time, perhaps as part of a more frequent assessment that shares a policy with a less frequent more thorough assessment. Rather than constantly modifying the policy disable to first prevent and then allow those facilities to run, you will probably want to use the /METHOD=QUICK qualifier on one of two commands:

• MODIFY ASSESSMENT
• RUN

Limits are the cornerstone of policies, setting the basic criteria by which nodes will be assessed. As supplied, LJK/Security provides a default set of limits for each policy you create, but after you have used the software for a while it is likely you will want to make some changes to suit your own organization's needs.

Newly created policies have a default value for each limit, either taken from the policy named DEFAULT or from the factory defaults. When you customize a policy by changing particular limits, all other limits retain their value unless you change them.

In general comments applied to limits (but not comments applied to disables or to exemptions) are included in violation reports created by LJK/Security. As such they can be used to indicate the authority rquiring a particular limit setting, such as a particular internal memo or some external requirement such as a particular control listed in NIST Special Publication 800-53.

In contrast, most comments applied to disables or to exemptions just provide a record for those inspecting why particular settings were made.

The major exception to the above general description is tests in the (DISK, CHECKPROT) element. For that element, comments associated with limits just provide a record for those inspecting settings, while comments associated with exemptions are included in violation reports.

Disabling tests entirely is only done on a facility-wide basis through the use of disables (see Section 7.1), but the same effect can be achieved by setting tests to be totally permissive, as is done by the command procedure described in Section K.1.1, POLICY_NULL.COM.

7.3 Exemptions

Exemptions provide a finer control over reporting of assessment results, allowing for policy deviations in specific cases. ¹

Certain exemptions are normal, since the conditions they permit are required for normal operation of VMS. These exemptions are not automatically generated by LJK/Security software, since LJK Software believes that sites should always be aware of all exemptions added to their policies. Exemptions LJK Software has identified that most sites will want to add are:

• UAF, PRIVLEVEL, ABSOLUTHI, ALL for *,SYSTEM

7.4 Audit history

The audit history mechanism can be used to show when changes were made to your policies. Preservation of this audit history is the reason why LJK/Security provides no command to delete a policy or an assessment.

7.5 Tri-valued logic

Some tests take limit and exemption values using tri-valued logic:

• TRUE
• FALSE
• TRY

Many elements have tests for exactly two boolean constraints, PROHIBITED and REQUIRED. With these two boolean tests, there are four possible limit settings:

Value of REQUIRED limit	Value of PROHIBITED limit
	FALSE	TRUE
FALSE	never report a violation	report violation if TRUE
TRUE	report violation if FALSE	always report violation

Although it departs from the LJK/Security design of management by exception, the specification to always report a violation may be useful in certain limited circumstances such as described in Section 11.1.

7.7 Numeric customization techniques

Many elements have tests for exactly two numeric constraints, ABSOLUTLO and ABSOLUTHI. If the limits for these two numeric tests are set such that the ABSOLUTHI limit is lower than the ABSOLUTLO limit, the result is to report violations in all cases, similar to setting both limits TRUE as described in Section 7.6.

7.8 Policy Performance Considerations

There are three major areas where the performance of LJK/Security is drastically affected by policy choices:

1. Password Guessing
   If your policy sets a high limit for the (UAF,PWDGUESS,TRIES) test for large numbers of users (based on how many have various privileges), assessment of tributary systems will be slowed down considerably.
   
2. General disk processing
   Scanning disk files can have considerable disk performance impact on users while LJK/Security is running on a tributary system. In some cases, assessments whose policies include the disk facility are run only during non-prime hours.
   
3. ACL evaluation
   Evaluating ACLs can take considerable CPU time. To avoid this for certain policies, turn off the following tests:
   • DEVICE,ACLIDENT - set limit FALSE
   • DEVICE,PROTECTION,PERCENTLO - set limit to 0
   • DEVICE,PROTECTION,PERCENTHI - set limit to 100
   • DISK,ACLIDENT - set limit FALSE
   • DISK,DBMSPROT,PERCENTLO - set limit to 0
   • DISK,DBMSPROT,PERCENTHI - set limit to 100
   • DISK,DIRPROT,PERCENTLO - set limit to 0
   • DISK,DIRPROT,PERCENTHI - set limit to 100
   • DISK,FILEPROT,PERCENTLO - set limit to 0
   • DISK,FILEPROT,PERCENTHI - set limit to 100
   • DISK,HELPPROT,PERCENTLO - set limit to 0
   • DISK,HELPPROT,PERCENTHI - set limit to 100
   • DISK,MAILPROT,PERCENTLO - set limit to 0
   • DISK,MAILPROT,PERCENTHI - set limit to 100
   • DISK,NOTESPROT,PERCENTLO - set limit to 0
   • DISK,NOTESPROT,PERCENTHI - set limit to 100
   • DISK,PROTECTION,PERCENTLO - set limit to 0
   • DISK,PROTECTION,PERCENTHI - set limit to 100
   • DISK,RDBVMSPROT,PERCENTLO - set limit to 0
   • DISK,RDBVMSPROT,PERCENTHI - set limit to 100
   • DISK,SYSEXEPROT,PERCENTLO - set limit to 0
   • DISK,SYSEXEPROT,PERCENTHI - set limit to 100
   • DISK,SUBSYSTEM,NOFILE - set limit FALSE
   • TERM,ACLIDENT - set limit FALSE
   • TERM,PROTECTION,PERCENTLO - set limit to 0
   • TERM,PROTECTION,PERCENTHI - set limit to 100

Finally, violation processing in general is slow. It is better to run a less ambitious policy until the most outrageous security errors are brought under control.

7.9 SHOW POLICY/COMMAND_PROCEDURE

The /COMMAND_PROCEDURE output of the SHOW POLICY command (or corresponding capabilities of the Window and Menu interfaces) produce a command procedure that can be modified to give exactly the same settings to some other policy. The strength of this capability is not in exact duplication, but rather in tailoring the output to produce a slightly different result.

• Using /OUTPUT=
  In most cases, you will want to use the /OUTPUT= qualifier in conjunction with the /COMMAND_PROCEDURE, creating a file which can then be edited.
• Selecting limits or exemptions
  If you are interested exclusively in limits or exemptions but not the other, use the appropriate qualifier on the SHOW POLICY/COMMAND_PROCEDURE command (or corresponding capabilities of the Window and Menu interfaces).
• Single line output
  In general, output from the /COMMAND_PROCEDURE qualifier consists of a single output line per constraint/selector combination. This makes the output file susceptible to convenient DCL utilities like SEARCH.
• Multiple line output from some limits and exemptions
  The constraints within the elements:
  • VMS, ACME
  • VMS, ACMEORLGI
  • VMS, ANNOUNCE
  • VMS, STARTUP
  • VMS, WELCOME
  and the constraints:
  • DISK, CHECKPROT, SUBSYSNO
  • DISK, CHECKPROT, SUBSYSYES
  • QUEUE, OPERMARKING, CONTAINS
  can have values up to 511 characters long, much more than is reasonable for a DCL command. The /COMMAND_PROCEDURE will segment output for long values into multiple lines, using the leading + character accepted as concatenation input for those constraints.
• Selecting a particular constraint
  The SHOW POLICY/COMMAND_PROCEDURE command (or corresponding capabilities of the Window and Menu interfaces) can also have a /TEST= qualifier (and for some tests a /SELECTOR= qualifier) to choose only the limit or exemptions for a single constraint.
• Selecting a particular element
  If you want output containing all the tests for all the constraints of a particular element, you can use the /COMMAND_PROCEDURE qualifier to get a complete listing file of the entire policy and then use a command like:

  $ SEARCH MY_FILE.COM "/TEST=(UAF ,PWDMINLEN ,"/OUTPUT=MY_OTHER_FILE.COM

  to select a particular element (taking care to space out the facility and element as in the file).

• Sorting the results

$ SORT MY_FILE.COM MY_FILE.COM /KEY=(POSITION=1,SIZE=60)/STABLE

This takes care of two issues:

1. Not sorting lines for a single test according to selector names, thus preserving the logical (not textual) ordering.
2. Not sorting lines for multiple lines used to compose a single limit or exemption formed using the leading "+" syntax for (VMS, ANNOUNCE) or (VMS, WELCOME).

This chapter discusses the uses of assessment modification.

Modification of assessments gives you the ability to apply differing policies and transmission media to various nodes in your organization. It is rare that an organization which has totally uniform uses for all VMS systems, and thus it is rare than an organization has totally uniform security needs for all those systems.

Specifying the name of a node when modifying a assessment serves to add the node to that assessment.

To remove a node from an assessment modify the assessment to give the node a policy name which is blank. Technically a record of the node will remain in the file (for audit-trail purposes, if nothing else) but the node will not be included when the assessment is run.

Modifying an assessment to change the policy associated with a node will cause subsequent RUN commands for that assessment to use the new policy. Any previous RUN commands (even those specifying an AFTER or INTERVAL time) will use the policy in effect at the time the RUN command was issued.

8.3 Changing Request Media

Modifying an assessment to change the request medium associated with a node will cause subsequent RUN commands for that assessment to use the new request medium. Any previous RUN commands (even those specifying an AFTER or INTERVAL time) will use the request medium in effect at the time the RUN command was issued.

8.4 Changing Result Media

Modifying an assessment to change the result medium associated with a node will cause subsequent RUN commands for that assessment to use the new result medium. Any previous RUN commands (even those specifying an AFTER or INTERVAL time) will use the result medium in effect at the time the RUN command was issued.

8.5 Changing Media Protection

Modifying an assessment to change the request or result medium protection associated with a node will cause subsequent RUN commands for that assessment to use the new request or result medium protection. Any previous RUN commands (even those specifying an AFTER or INTERVAL time) will use the request or result medium protection in effect at the time the RUN command was issued.

8.6 Audit history

The audit history mechanism can be used to show when changes were made to your assessments.