For result transmission, when the assessment has been completed on the tributary node, LJK/Security will issue a MOUNT request to write results onto the specified medium. (Be sure to have at least one terminal enabled as an operator terminal for the appropriate medium (disk or tape) using the VMS command REPLY/ENABLE, or transmission of the results will be delayed.)
After the medium has been transported to the master node, any user with the facility-specific identifier LJK$SECURITY_ROLE_STARTUP or LJK$SECURITY_REMOTE (see note 2) can issue the command:
$ SUBMIT SYS$SYSTEM:LJK$SECURITY/PARAMETER=ddcu:
Note 2: On systems prior to VAX VMS V6.0 or systems which do not have a Rights Database (RIGHTSLIST.DAT), you must have the SECURITY privilege.
Various shops have various policies regarding the labels encoded on removable media; some, for instance, always want labels preserved. For this reason, LJK/Security takes a very cautious attitude toward labels: labels are never rewritten for request or result transmission.
10.5.1 No File Deletion
Because local removable media labeling policy is not known,
LJK/Security request or result transmission does not delete files from
removable media or reinitialize removable media. Users should ensure
that media provided in response to LJK/Security mount requests have
been initialized.
10.5.2 Avoiding Premounted Media
As a safeguard against possibly writing on a tape left on a drive, LJK/Security always attempts an initial mount with the /NOASSIST qualifier. If that succeeds, it then dismounts the medium and requests another mount to force human intervention.
This chapter contains hints on how to use LJK/Security in certain specific settings.
11.1 Generating "Work Papers" for Auditors
The design philosophy of LJK/Security is to report only violations of policy, to effect "management by exception". There are instances where auditors wish to create "work papers" listing compliant as well as non-compliant test results.
The general approach to creating such a report is to make a policy which sets mutually exclusive goals. If a policy, for instance, requires that every username have the CMKRNL privilege and also prohibits every username from having the CMKRNL privilege, one violation or the other will be reported for every username. A similar approach can be taken for numeric tests by setting low end limits for a given element higher than high end limits for the same element.
See Section 7.6 and Section 7.7 for another explanation.
11.2 Tracking Usernames
In some environments it may be desirable to maintain central tracking of usernames added to tributary nodes. This can be accomplished by modifying a limit in a policy to set mutually exclusive goals and then setting up exemptions for each authorized username. A recommended method of setting such mutually exclusive goals LJK Software calls "tracking username presence", while a more refined method LJK Software calls "tracking username enabling".
11.2.1 Tracking Username Presence
For the simplest approach, you can set limits for test (UAF, DISUSER, PROHIBITED) and test (UAF, DISUSER, REQUIRED) both to be true. This will generate a violation report for all usernames which do not have exemptions for those tests. By adding exemptions for the authorized usernames, you ensure that the only violation reports are for unauthorized usernames.
Thus if the mutually exclusive goal of having (UAF, DISUSER) both prohibited and required were established for a node, a violation would be reported for all usernames. If SMITH and JONES were the only two approved usernames for the node, then establishing exemptions for SMITH and JONES in the policy on the master node would prevent the reporting of violations for those usernames. Any unapproved usernames added to the node, however, would trigger violation reports.
11.2.2 Tracking Username Enabling
When usernames are no longer needed, careful system managers will leave the usernames on the system but disabled for a period of time. In this manner, attempts to log in to the username in question will result in the username being included in the VMS accounting and audit logs (whereas for usernames which do not exist, the username is not recorded with the login failure).
If this approach is being used, the limit for test (UAF, DISUSER, PROHIBITED) should be set to FALSE, and the exemptions should be removed when usernames are disabled.
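The following added example (a model written for this page, not LJK/Security code or policy syntax) evaluates both tracking schemes from Sections 11.2.1 and 11.2.2 over a constructed set of UAF records. It assumes that an exemption covers both DISUSER tests and that the (UAF, DISUSER, REQUIRED) limit stays TRUE under the enabling scheme; the usernames MALLORY and OLDHAND are hypothetical.

```python
# Model of the two username-tracking schemes (illustrative; not LJK/Security code).
from dataclasses import dataclass

@dataclass(frozen=True)
class UafRecord:
    username: str
    disuser: bool  # True when the DISUSER flag is set (username disabled)

def violations(records, prohibited, required, exemptions):
    """Return sorted (username, test) pairs that would be reported.

    prohibited / required model the limits for tests (UAF, DISUSER, PROHIBITED)
    and (UAF, DISUSER, REQUIRED). Assumption: an exemption covers both tests.
    """
    found = []
    for rec in records:
        if rec.username in exemptions:
            continue
        if prohibited and rec.disuser:
            found.append((rec.username, "PROHIBITED"))
        if required and not rec.disuser:
            found.append((rec.username, "REQUIRED"))
    return sorted(found)

# Constructed sample data: SMITH and JONES are the approved usernames from the
# text; MALLORY and OLDHAND are hypothetical.
UAF = [
    UafRecord("SMITH", False),
    UafRecord("JONES", False),
    UafRecord("MALLORY", False),  # unapproved, enabled
    UafRecord("OLDHAND", True),   # retired, left on the system but disabled
]

def presence_report(records, approved):
    # 11.2.1: both limits TRUE, so every non-exempt username violates one test.
    return violations(records, True, True, approved)

def enabling_report(records, approved_enabled):
    # 11.2.2: PROHIBITED limit FALSE; the exemption is dropped on disabling.
    # Assumption: the REQUIRED limit remains TRUE.
    return violations(records, False, True, approved_enabled)

if __name__ == "__main__":
    approved = {"SMITH", "JONES"}
    print(presence_report(UAF, approved))
    print(enabling_report(UAF, approved))
    # A retired username re-enabled without a new exemption is reported.
    reenabled = [UafRecord(r.username, False) for r in UAF]
    print(enabling_report(reenabled, approved))
```

Under the presence scheme the retained-but-disabled username is reported unless it is given an exemption; under the enabling scheme it stays silent while disabled and is reported only if it is re-enabled.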
11.3 Operating in a Classified Environment
Unlike the rest of the manual, this section assumes some knowledge of US government rules for handling classified information on computers.
In situations where there are a number of nodes each operating at a different security level, it should still be possible to use LJK/Security, but with an additional degree of complexity.
11.3.1 No DECnet
Just as DECnet is presumably unavailable between machines operating at different security levels for normal purposes, it is presumably unavailable between the master node and tributary nodes. (Such a connection would only be allowed if the master node were at the same level as all of the tributary nodes, which would mean that all tributary nodes would be at the same level as each other, which is contrary to the stated premise.)
11.3.2 Requests Must be Generated at the Lowest Security Level
In order to have a single master node generate requests for a common assessment for all nodes, that master node must be operating at or below the lowest security level at which any of the tributary nodes operate.
In order to have a single master node report results from a common assessment for all nodes, that master node must be operating at or above the highest security level at which any of the tributary nodes operate.
11.3.3.1 Recommended Technique: Period Processing on the Master Node
The solution LJK Software suggests is to maintain two copies of the master node (either on separate disks or on separate machines), one at low classification for generating requests and one at high classification for receiving reports. This is most easily done with removable disk packs, which are typically used in classified processing anyway.
Initially the HIGH copy of the master node can be created by copying the system disk from the LOW copy. Thereafter no data ever leaves the HIGH copy. The data added to the HIGH copy will be:
LJK$SECURITY_RESULT_AREA:assessment-name.LJK$SECURITY_RESULT
When results are received, they are read into the HIGH copy of the master node for reporting purposes. Because of the special file copied over from the LOW copy of the master node, the HIGH copy of the master node is set up as though it had generated the assessment run request.
Although the procedure described properly handles information from different classifications, considerable work might be involved to get it approved by your Designated Accrediting Authority.
This appendix shows a sample installation of LJK/Security on a master node.
$ @SYS$UPDATE:VMSINSTAL * DISK$LJK_SEC_030:[LJK_SECURITY030.KIT]
OpenVMS AXP Software Product Installation Procedure V7.3-1
It is 11-JUN-2006 at 15:50.
Enter a question mark (?) at any time for help.
%VMSINSTAL-W-NOTSYSTEM, You are not logged in to the SYSTEM account.
%VMSINSTAL-W-ACTIVE, The following processes are still active:
DECW$SERVER_0
DECW$TE_00AF
_FTA1:
_FTA2:
_FTA3:
_FTA4:
_FTA6:
_FTA7:
_FTA8:
* Do you want to continue anyway [NO]? YES
* Are you satisfied with the backup of your system disk [YES]? YES
The following products will be processed:
LJK_SECURITY V3.0
Beginning installation of LJK_SECURITY V3.0 at 15:50
%VMSINSTAL-I-RESTORE, Restoring product save set A ...
%VMSINSTAL-I-RELMOVED, Product's release notes have been moved to SYS$HELP.
Username LJK$SECURITY must be assigned to a unique UIC group on
this node (or VAXcluster). The UIC value [n,1] will be assigned,
where n is the octal number between 11 and 37776 which you specify.
* What UIC group should be used for username LJK$SECURITY: 25
A simplified LJK/Security installation dialog will use the following
defaults or values from a previous installation:
DECnet object 200 for Request transmissions
DECnet object 201 for Result transmissions
Only this node can act as Master Node
LJK/Security data is stored at SYS$SYSDEVICE:[LJK$SECURITY_POLICY]
LJK/Security DECwindows interface is available
Bookreader documentation is moved to the data storage area
An answer of YES will use the default values or values from
previous installations as listed above.
An answer of NO will cause individual questions to be asked
for each installation decision.
* Would you like the simplified installation dialog [YES]? YES
The following files will be added or replaced:
SYS$COMMON:[SYSEXE]LJK$SECURITY.COM;
SYS$COMMON:[SYSEXE]LJK$SECURITY_AXP.EXE;
SYS$COMMON:[SYSEXE]LJK$SECURITY_VAX.EXE;
SYS$COMMON:[SYSMSG]LJK$MESSAGES_AXP.EXE;
SYS$COMMON:[SYSMSG]LJK$MESSAGES_VAX.EXE;
SYS$COMMON:[SYSHLP]LJK$SECURITY_030.RELEASE_NOTES;
SYS$COMMON:[SYSHLP]LJK$SECURITY_BUGFIX_030.RELEASE_NOTES;
SYS$COMMON:[SYSHLP]LJK$SECURITY_DECWHELP.HLB;
SYS$COMMON:[SYSLIB]LJK$SECURITY_SHARE_AXP.EXE;
SYS$COMMON:[SYSLIB]LJK$SECURITY_SHARE_VAX.EXE;
SYS$COMMON:[SYSLIB]LJK$SECURITY_TEXT_SHARE_AXP.EXE;
SYS$COMMON:[SYSLIB]LJK$SECURITY_TEXT_SHARE_VAX.EXE;
SYS$COMMON:[SYSLIB]LJK$SECURITY_VMS_SHARE_AXP.EXE;
SYS$COMMON:[SYSLIB]LJK$SECURITY_VMSV010_SHARE_AXP.EXE;
SYS$COMMON:[SYSLIB]LJK$SECURITY_VMSV015_SHARE_AXP.EXE;
SYS$COMMON:[SYSLIB]LJK$SECURITY_VMSV061_SHARE_AXP.EXE;
SYS$COMMON:[SYSLIB]LJK$SECURITY_VMSV070_SHARE_AXP.EXE;
SYS$COMMON:[SYSLIB]LJK$SECURITY_VMSV071_SHARE_AXP.EXE;
SYS$COMMON:[SYSLIB]LJK$SECURITY_VMSV072_SHARE_AXP.EXE;
SYS$COMMON:[SYSLIB]LJK$SECURITY_VMSV073_SHARE_AXP.EXE;
SYS$COMMON:[SYSLIB]LJK$SECURITY_VMS_SHARE_VAX.EXE;
SYS$COMMON:[SYSLIB]LJK$SECURITY_VMSV040_SHARE_VAX.EXE;
SYS$COMMON:[SYSLIB]LJK$SECURITY_VMSV050_SHARE_VAX.EXE;
SYS$COMMON:[SYSLIB]LJK$SECURITY_VMSV054_SHARE_VAX.EXE;
SYS$COMMON:[SYSLIB.LJK$SECURITY_AXP_ADA_EXE]ADAMSG.EXE;
SYS$COMMON:[SYSLIB.LJK$SECURITY_AXP_ADA_EXE]ADARTL.EXE;
SYS$COMMON:[SYSLIB.LJK$SECURITY_AXP_ADA_EXE]CMA$RTL.EXE;
SYS$COMMON:[SYSLIB.LJK$SECURITY_AXP_ADA_EXE]CMA$TIS_SHR.EXE;
SYS$COMMON:[SYSLIB.LJK$SECURITY_AXP_ADA_EXE]DEFINE_ADA_LOGICALS.COM;
SYS$COMMON:[SYSLIB.LJK$SECURITY_AXP_ADA_EXE]DEASSIGN_ADA_LOGICALS.COM;
SYS$COMMON:[SYSLIB]LJK$SECURITY_DECW_SHARE_AXP.EXE;
SYS$COMMON:[SYSLIB]LJK$SECURITY_DECW_SHARE_VAX.EXE;
SYS$COMMON:[SYSLIB]LJK$SECURITY_DECW.UID;
SYS$COMMON:[SYSHLP.EXAMPLES.LJK$SECURITY]POLICY_NULL.COM;
SYS$COMMON:[SYSHLP.EXAMPLES.LJK$SECURITY]POLICY_NIST_SP_800_53.COM;
SYS$COMMON:[SYSHLP.EXAMPLES.LJK$SECURITY]POLICY_VMS_SHA1_AXP_*.COM;
SYS$COMMON:[SYSHLP.EXAMPLES.LJK$SECURITY]POLICY_VMS_SHA1_VAX_*.COM;
SYS$COMMON:[SYSHLP.EXAMPLES.LJK$SECURITY]POLICY_VMS_SIMPLE_AXP_*.COM;
SYS$COMMON:[SYSHLP.EXAMPLES.LJK$SECURITY]POLICY_VMS_SIMPLE_VAX_*.COM;
SYS$COMMON:[SYSTEST]LJK$SECURITY_IVP.COM;
SYS$COMMON:[SYS$STARTUP]LJK$SECURITY_STARTUP.COM;
SYS$COMMON:[VUE$LIBRARY.USER]LJK$SECURITY_VUE.COM; (if possible)
SYS$SYSDEVICE:[LJK$SECURITY_POLICY]LIBRARY.DECW$BOOKSHELF;
SYS$SYSDEVICE:[LJK$SECURITY_POLICY]LJK$SECURITY_BASE.DAT;
SYS$SYSDEVICE:[LJK$SECURITY_POLICY]LJK$SECURITY_WORDS.DAT;
SYS$SYSDEVICE:[LJK$SECURITY_POLICY]LJK$SECURITY_LJKS-REF-V030.DECW$BOOK;
The following files will be modified:
SYS$COMMON:[SYSHLP]HELPLIB.HLB;
SYS$COMMON:[SYSLIB]DCLTABLES.EXE; (new version created)
SYS$COMMON:[SYS$STARTUP]VMS$LAYERED.DAT;
All questions have been asked.
%VMSINSTAL-I-RESTORE, Restoring product save set B ...
%VMSINSTAL-I-RESTORE, Restoring product save set C ...
%VMSINSTAL-I-RESTORE, Restoring product save set D ...
The remainder of the installation will take 5 minutes
on a stand-alone MicroVAX-II.
%VMSINSTAL-I-SYSDIR, This product creates system directory [SYSLIB.LJK$SECURITY_AXP_ADA_EXE].
%LJK_SECURITY-I-DCLTABLES, Adding command LJK/Security to DCL tables
%LJK_SECURITY-I-STARTUP, Adding LJK$SECURITY_STARTUP.COM to VMS Startup database
%VMSINSTAL-I-ACCOUNT, This installation updates an ACCOUNT named LJK$SECURITY.
%UAF-I-MDFYMSG, user record(s) updated
%VMSINSTAL-I-ACCOUNT, This installation updates an ACCOUNT named LJK$SECURITY.
%UAF-I-MDFYMSG, user record(s) updated
%VMSINSTAL-I-MOVEFILES, Files will now be moved to their target directories...
%LJK_SECURITY-S-FILEVIEW, creating FileView command
%DCL-S-SPAWNED, process USER_159 spawned
%DCL-S-ATTACHED, terminal now attached to process USER_159
%LJK-I-CREATEACT, Created detached action process 57E022BF at 11-JUN-2006 15:53:01.00
%DCL-S-RETURNED, control returned to process USER
%RUN-S-PROC_ID, identification of created process is 57E022C0
Installation of LJK_SECURITY V3.0 completed at 15:53
Adding history entry in VMI$ROOT:[SYSUPD]VMSINSTAL.HISTORY
Creating installation data file: VMI$ROOT:[SYSUPD]LJK_SECURITY030.VMI_DATA
VMSINSTAL procedure done at 15:53
$
If you install LJK/Security on one system to run it also on other systems that share that system disk, you should issue the following command on each additional system sharing that system disk: