There can be only one copy of the LJK/Security software installed on a particular running instance of the VMS operating system. There is a single name space for policy documents which must be shared by all those who have been authorized to run LJK/Security. Organization-specific naming conventions provide an easy way to distinguish between documents used for VIVM-1 Vulnerability Management on a day-to-day basis and documents used for the unannounced in-depth ECMT-* Conformance Monitoring and Testing. For instance, in an organization where a team from the Office of the Inspector General conducts the unannounced in-depth ECMT-* Conformance Monitoring and Testing, files they create could all have names starting with a particular string of characters, like "OIG_". A different scheme might use "OIG_FY06_" one year and "OIG_FY07_" the next year.

M.3.3 Using VIVM-1 Exemptions for ECMT-* Assessments

In setting limits within a policy, those conducting the separate ECMT-* Conformance Monitoring and Testing will want to create a policy from scratch, perhaps carrying in policy settings prepared in advance or used for ECMT-* Conformance Monitoring and Testing on some other system operated by the organization. Another option would be:

1. Create a new policy compatible with DoD Instruction 8500.2 by using the command procedures that ship with LJK/Security as described in:
   • Section K.1.3.3, Command Procedures for Possible Combinations
   • Section K.1.4, Exemptions for the VMS Trusted Computing Base
2. make particular changes for those controls where the policy of the organization mandates a different value in the policy from that created by the command procedures described in the Sections listed above.

But the situation is different in the case of exemptions in the new policy. Exemptions are used in LJK/Security to indicate special cases where abnormal values are permitted based on management approval. For instance a typical limit says that no individuals should have privileges assigned to their VMS username. Then exemptions are entered for the VMS usernames of those assigned to system management duties, so that violation reports are not generated for those usernames authorized to have privilege. To recreate the exemptions appropriate to a system would be time consuming, so a better tactic is:

1. Extract the exemptions (but not the limits) from the appropriate VIVM-1 policy (or policies) with a command like

   $ LJK/Security SHOW POLICY vivmpolicyname - /EXEMPTIONS /NOLIMITS /COMMAND_PROCEDURE - /OUTPUT=REVIEW.TXT

   creating a command procedure for applying those exemptions to some other policy. Each line in the command procedure contains an entire command for establishing one exemption, so some of those lines will be quite long.

2. Use a text editor to inspect each exemption in the resulting command procedure and decide whether it was properly granted. On lines where the exemption is not appropriate, comment out the line with an initial exclamation point (!). This has the same effect as deleting the line, but leaves a better record of what actions are taken. For an even better record, one can follow that exclamation point with brief text (on a single line) indicating the reason for the decision.
3. Apply the resulting batch of exemptions to the ECMT-* policy with a command like

   $ @REVIEW.TXT ecmtpolicyname

   where ecmtpolicyname is the name of the policy created earlier with the current limits for the organization.

4. Use the resulting policy for the unannounced in-depth ECMT-* Conformance Monitoring and Testing.

Depending on the organization's policy some manual reporting of inappropriate exemptions found in step 2 above might be in order.

In the following sections, we discuss various considerations for proposed exemptions, depending on the LJK/Security facility in which the exemptions are located. The examples are based on limits specified in the POLICY_DODI_8500_2_*.COM files provided in directory LJK$SECURITY_EXAMPLES. Your own organization's limits may be different.

M.3.3.1 Example of an Exemption Based on Node

For LJK/Security test (VMS,ANNOUNCE,CONTAINS)² the value specified in the limit is the system use notification to be displayed to authorized users on login. This means a violation will be reported for any Node where this notification is not provided. An exemption might be present allowing a particular Node to skip this message if it is exclusively for public use. Questions that might be asked about such an exemption include:

• Does the organization's policy allow exemptions for this test ?
• Is the value specified for this exemption within a range allowed for exemptions to this test by the organization's policy ?
• Does the comment field of this exemption provide tracking information required to determine that the procedure for issuing exemptions under the organization's policy was followed ?
• Does following that tracking information show that the organization's policy was followed for this exemption and that the exemption still conforms to the organization's policy with the passage of time ?

For LJK/Security test (DISK, FILEPROT, ABSOLUTHI)³ the value specified in the limit is (SYSTEM:RWED,OWNER:RWED,GROUP:RE,WORLD), meaning a violation will be reported for each file which has a more permissive protection mask.

For LJK/Security test (DISK, FILEPROT,PERCENTHI)⁴ and selector READ, the limit specified has a value of 10 meaning a violation will be reported for each file to which more than 10 percent of users have read access.

Often exemptions will be used for those two tests with respective values of (SYSTEM:RWED, OWNER:RWED,GROUP:RE,WORLD:RE) and 100 percent for a VMS system-wide login command procedure, since that must be executed on behalf of each user at login. Questions that might be asked about such exemptions include:

• Does the organization's policy allow exemptions for this test ?
• Is the file one for which the organization's policy allows such exemptions ?
• Is the value specified for this exemption within a range allowed for exemptions to this test by the organization's policy ?
• Does the comment field of this exemption provide tracking information required to determine that the procedure for issuing exemptions under the organization's policy was followed ?
• Does following that tracking information show that the organization's policy was followed for this exemption and that the exemption still conforms to the organization's policy with the passage of time ?
• If the file is one accessed via a logical name like SYS$SYLOGIN, is it canonically specified to use that logical name, such as "SYS$SYLOGIN,SYS$COMMON:[SYSMGR]SYLOGIN.COM" ?

For LJK/Security test (TERM, AUTOLOGIN, ENTRY)⁵ the value specified in the limit is True, meaning a violation will be reported for each terminal over which automatic logins are allowed by VMS. A typical policy will include exemptions for each terminal over which automatic logins are allowed by site rules. Questions that might be asked about such an exemption include:

• Does the organization's policy allow exemptions for this test ?
• Is the value specified for this exemption within a range allowed for exemptions to this test by the organization's policy ?
• Does the comment field of this exemption provide tracking information required to determine that the procedure for issuing exemptions under the organization's policy was followed ?
• Does following that tracking information show that the organization's policy was followed for this exemption and that the exemption still conforms to the organization's policy with the passage of time ?

For LJK/Security test (UAF, PRIVLEVEL, ABSOLUTHI)⁶ the value specified in the limit is Category-Normal, meaning a violation will be reported for each username that has privileges at a higher level. A typical policy will include an exemption allowing username SYSTEM to have privileges at the level Category-All. Separate exemptions would be present for individuals assigned to system management duties.

Questions that might be asked about such an exemption include:

• Does the organization's policy allow exemptions for this test ?
• Is the value specified for this exemption within a range allowed for exemptions to this test by the organization's policy ?
• Does the comment field of this exemption provide tracking information required to determine that the procedure for issuing exemptions under the organization's policy was followed ?
• Does following that tracking information show that the organization's policy was followed for this exemption and that the exemption still conforms to the organization's policy with the passage of time ?

By default, LJK/Security transmits

• assessment requests from the master node to the tributary node
• assessment requests from the tributary node to the master node

There are three major methods for achieving DECnet connections between VMS systems:

1. DECnet directly on the wire
   With this configuration, an organization can use DECnet Phase IV, which has additional security controls available beyond those in the newer DECnet Plus.
2. DECnet V over TCP/IP
   As of this writing (May 2006) running DECnet Plus actually lowers support costs compared to running DECnet Phase IV. It runs over any of the three TCP/IP stacks available for VMS:
   • TCP/IP (or UCX for older versions of VMS) from HP
   • Multinet from Process Software
   • TCPware from Process Software
3. DECnet IV over Multinet Phase IP
   This allows use of the additional security controls in DECnet Phase IV while routing over TCP/IP circuits. Those TCP/IP circuits might use IPSEC leading to the best combination: DECnet Phase IV controls along with IPSEC transmission encryption.

For those situations, using LJK/Security requires additional work on the part of the system managers to transmit the data.

N.1 Basic Approach to Transmission over TCP/IP

To run transmissions between the product master node and tributary nodes you must define in advance some systemwide logical names which are no longer than 15 characters long:

• on each tributary node, pointing to a single directory for results to be sent back to the master node
• on each tributary node, pointing to a single directory for requests received from the master node
• On the master node, pointing to a series of directories for requests to be sent to the various tributary nodes
• On the master node, pointing to a single directory for results received from the various tributary nodes

Then you write some DCL command procedures and run them on a regular basis to transmit files.

N.2 LJK/Security Command Examples

To use systemwide logical names for routing "request" and "result" files to reserved disk directories, you can use commands like:

$ LJK/Security MODIFY ASSESSMENT MY_8500_2_ASSESSMENT/POLICY=MY_8500_2_POLICY - /NODE=BOSTON/REQUEST=IA_BOSTON/RESULT=IA_RESULT $ LJK/Security MODIFY ASSESSMENT MY_8500_2_ASSESSMENT/POLICY=MY_8500_2_POLICY - /NODE=DENVER/REQUEST=IA_DENVER/RESULT=IA_RESULT

Alternatively, you could take the same action using the Menu or Window interfaces.

The IA_BOSTON and IA_DENVER systemwide logical names in the example above are defined on the master node, while the IA_RESULT systemwide logical name is defined on each tributary node. All those logical names indicate where the executing LJK/Security program is to leave the data files. The location from which the executing LJK/Security program is to read the data files on the other node after transfer is specified at the "REMOTE" command in the command procedures shown below.

Like all LJK/Security commands, you issue the ones shown above on the master node, even though the "IA_RESULT" systemwide logical names are defined on each tributary node.

N.3 Example TCP/IP Command Procedure for Each Tributary Node

• the name of the master node is "MASTER"
• the logical name for the directory where LJK/Security has stored results destined for the master node is "IA_RESULT"
• the logical name for the directory where requests are received from the master node is "IA_REQUEST"

$ ! $ ! LJK$SECURITY_EXAMPLES:LJK$SECURITY_TCPIP_TRIBUTARY.COM $ ! $ ! To use this command procedure, copy it to another directory $ ! before changing the sections surrounded by rows of asterisks. $ ! That way local modifications will not be wiped out when you $ ! upgrade to the next version of LJK/Security. $ ! $ ! This command procedure will copy any LJK/Security result files $ ! it finds on a tributary node back to the master node. $ ! $ ! Then it will invoke LJK/Security to process any request files $ ! it finds on a tributary node to create a result file. $ ! $ ! The process under which this command procedure executes must $ ! have whatever rights are required to transfer files between $ ! nodes and must have one of the identifiers: $ ! $ ! LJK$SECURITY_REMOTE $ ! LJK$SECURITY_ROLE_STARTUP $ ! LJK$SECURITY_ALL $ ! $ ON WARNING THEN GOTO RESUBMIT $ ! $ ! When run interactively, this command procedure just submits itself. $ ! The sole parameter is the optional name of a batch queue to use. $ ! $ IF F$MODE() .NES. "BATCH" THEN GOTO RESUBMIT $ ! $ ! --------------------------------------------------------- $ ! $ ! Ship back any result file created on this tributary node $ ! $ NEXT_RESULT = F$SEARCH("",321) $ RESULT_LOOP: $ NEXT_RESULT = F$SEARCH("IA_RESULT:LJK_SECURITY.DAT;-0",321) $ IF NEXT_RESULT .EQS. "" THEN GOTO RESULT_DONE $ ! $ ! Ensure it is complete by getting exclusive access. If the $ ! oldest version is still being written, wait for the next run. $ ! $ OPEN EXCLUSIVE_CHAN/APPEND/ERROR=RESULT_DONE 'NEXT_RESULT' $ CLOSE EXCLUSIVE_CHAN $ ! $ ! We have found a complete result file -- copy it to the Master Node $ ! $ ! ********************************************************* $ ! ********************************************************* $ ! *** This command uses a DECnet copy utilizing DECnet *** $ ! *** proxy logins. Replace it with a COPY/TCP or *** $ ! *** other command suitable to your environment. *** $ ! ********************************************************* $ ! ********************************************************* $ ! ********************************************************* $ ! $ COPY/LOG 'NEXT_RESULT' MASTER::IA_RESULT:; $ DELETE 'NEXT_RESULT' $ ! $ ! ********************************************************* $ ! ********************************************************* $ ! $ GOTO RESULT_LOOP $ RESULT_DONE: $ ! $ ! --------------------------------------------------------- $ ! $ ! Process any request file copied onto this tributary node $ ! $ NEXT_REQUEST = F$SEARCH("",321) $ REQUEST_LOOP: $ NEXT_REQUEST = F$SEARCH("IA_REQUEST:LJK_SECURITY.DAT;-0",321) $ IF NEXT_REQUEST .EQS. "" THEN GOTO REQUEST_DONE $ ! $ ! Ensure it is complete by getting exclusive access. If the $ ! oldest version is still being written, wait for the next run. $ ! $ OPEN EXCLUSIVE_CHAN/APPEND/ERROR=REQUEST_DONE 'NEXT_REQUEST' $ CLOSE EXCLUSIVE_CHAN $ ! $ ! ********************************************************* $ ! ********************************************************* $ ! $ ! We have found a complete request file -- process the request $ ! $ DEFINE/USER NEXT_REQUEST 'NEXT_REQUEST' ! 15 or fewer characters $ MCR LJK$SECURITY REMOTE NEXT_REQUEST $ DELETE 'NEXT_REQUEST' $ ! $ ! ********************************************************* $ ! ********************************************************* $ ! $ GOTO REQUEST_LOOP $ REQUEST_DONE: $ ! $ ! --------------------------------------------------------- $ ! $ RESUBMIT: $ ! $ ! When run interactively, this command procedure just submits itself. $ ! The sole parameter is the optional name of a batch queue to use. $ ! $ PROC = F$ENVIRONMENT("PROCEDURE") ! Our command procedure $ PROC = PROC - F$PARSE(PROC,,,"VERSION") ! but the latest version $ ! $ ! Use any queue specified in P1 $ ! $ QUEUE = F$GETQUI("DISPLAY_JOB","QUEUE_NAME",,"THIS_JOB") $ IF P1 .NES. "" THEN QUEUE = P1 $ IF QUEUE .NES. "" THEN QUEUE = "/QUEUE=" + QUEUE $ show symbol queue $ ! $ submit 'PROC' - /AFTER="+00:05:00.00" - ! Every 5 minutes /NONOTIFY - ! do not bother the humans /PARAMETERS="''P1'" - ! Preserve any queue name specified /NOPRINTER - ! Do not print log file 'QUEUE' - ! Specified or existing queue /RESTART - ! Restart-enabled /RETAIN=ERROR ! Track failures $ ! $ EXIT $STATUS ! From LJK$SECURITY_TCPIP_TRIBUTARY.COM $ !

N.4 Example TCP/IP Command Procedure for the Master Node

The following command procedure presumes:

• the names of the tributary nodes are "BOSTON" and "DENVER"
• the logical names for the directory used to store requests to be sent to the tributary nodes are "IA_BOSTON" and "IA_DENVER"
• the logical name for the directory where results are received from tributary nodes is "IA_RESULT"

$ ! $ ! LJK$SECURITY_EXAMPLES:LJK$SECURITY_TCPIP_MASTER.COM $ ! $ ! To use this command procedure, copy it to another directory $ ! before changing the sections surrounded by rows of asterisks. $ ! That way local modifications will not be wiped out when you $ ! upgrade to the next version of LJK/Security. $ ! $ ! This command procedure will copy any LJK/Security request files $ ! it finds on the master node out to the appropriate tributary node. $ ! $ ! Then it will invoke LJK/Security to process any result files $ ! it finds on the master node to create the final result file. $ ! $ ! The process under which this command procedure executes must $ ! have whatever rights are required to transfer files between $ ! nodes and must have one of the identifiers: $ ! $ ! LJK$SECURITY_REMOTE $ ! LJK$SECURITY_ROLE_STARTUP $ ! LJK$SECURITY_ALL $ ! $ ON WARNING THEN GOTO RESUBMIT $ ! $ ! When run interactively, this command procedure just submits itself. $ ! The sole parameter is the optional name of a batch queue to use. $ ! $ IF F$MODE() .NES. "BATCH" THEN GOTO RESUBMIT $ ! $ ! A list of the logical names pointing to the directories $ ! in which requests are stored $ ! $ ! ********************************************************* $ ! ********************************************************* $ ! $ REQUEST_LIST ="IA_BOSTON,IA_DENVER" $ ! $ ! ********************************************************* $ ! ********************************************************* $ ! $ ! --------------------------------------------------------- $ ! $ ! Ship any any REQUEST file pending for tributary nodes. $ ! This example relies upon a textual relationship between $ ! the logical name and the DECnet node name. Your command $ ! procedure might use a different technique. $ ! $ TRIBUTARY_INDEX = -1 $ TRIBUTARY_LOOP: $ TRIBUTARY_INDEX = TRIBUTARY_INDEX + 1 $ NEXT_TRIBUTARY = F$ELEMENT(TRIBUTARY_INDEX,",",REQUEST_LIST) $ IF NEXT_TRIBUTARY .EQS. "," THEN GOTO TRIBUTARY_DONE $ ! $ ! Look for request files in this area $ ! $ NEXT_REQUEST = F$SEARCH("",321) $ REQUEST_LOOP: $ NEXT_REQUEST = F$SEARCH(NEXT_TRIBUTARY+":LJK_SECURITY.DAT;-0",321) $ IF NEXT_REQUEST .EQS. "" THEN GOTO REQUEST_DONE $ ! $ ! Ensure it is complete by getting exclusive access. If the $ ! oldest version is still being written, wait for the next run. $ ! $ OPEN EXCLUSIVE_CHAN/APPEND/ERROR=REQUEST_DONE 'NEXT_REQUEST' $ CLOSE EXCLUSIVE_CHAN $ ! $ ! We have found a complete request file -- copy it to the Tributary Node $ ! $ ! ********************************************************* $ ! ********************************************************* $ ! *** This command uses a DECnet copy utilizing DECnet *** $ ! *** proxy logins. Replace it with a COPY/TCP or *** $ ! *** other command suitable to your environment. *** $ ! ********************************************************* $ ! ********************************************************* $ ! $ DEFINE/USER TRIBUTARY 'F$ELEMENT(1,"_",NEXT_TRIBUTARY)':: $ COPY/LOG 'NEXT_REQUEST' TRIBUTARY::IA_REQUEST:; $ DELETE 'NEXT_REQUEST' $ ! $ ! ********************************************************* $ ! ********************************************************* $ ! $ GOTO REQUEST_LOOP $ REQUEST_DONE: $ ! $ GOTO TRIBUTARY_LOOP $ TRIBUTARY_DONE: $ ! $ ! --------------------------------------------------------- $ ! $ ! Process any result file copied onto this master node $ ! $ NEXT_RESULT = F$SEARCH("",321) $ RESULT_LOOP: $ NEXT_RESULT = F$SEARCH("IA_RESULT:LJK_SECURITY.DAT;-0",321) $ IF NEXT_RESULT .EQS. "" THEN GOTO RESULT_DONE $ ! $ ! Ensure it is complete by getting exclusive access. If the $ ! oldest version is still being written, wait for the next run. $ ! $ OPEN EXCLUSIVE_CHAN/APPEND/ERROR=RESULT_DONE 'NEXT_RESULT' $ CLOSE EXCLUSIVE_CHAN $ ! $ ! We have found a complete Result file -- process the request $ ! $ ! ********************************************************* $ ! ********************************************************* $ ! $ DEFINE/USER NEXT_RESULT 'NEXT_RESULT' ! 15 or fewer characters $ MCR LJK$SECURITY REMOTE NEXT_RESULT $ DELETE 'NEXT_RESULT' $ ! $ ! ********************************************************* $ ! ********************************************************* $ ! $ GOTO RESULT_LOOP $ RESULT_DONE: $ ! $ ! --------------------------------------------------------- $ ! $ RESUBMIT: $ ! $ ! When run interactively, this command procedure just submits itself. $ ! The sole parameter is the optional name of a batch queue to use. $ ! $ PROC = F$ENVIRONMENT("PROCEDURE") ! Our command procedure $ PROC = PROC - F$PARSE(PROC,,,"VERSION") ! but the latest version $ ! $ ! Use any queue specified in P1 $ ! $ QUEUE = F$GETQUI("DISPLAY_JOB","QUEUE_NAME",,"THIS_JOB") $ IF P1 .NES. "" THEN QUEUE = P1 $ IF QUEUE .NES. "" THEN QUEUE = "/QUEUE=" + QUEUE $ show symbol queue $ ! $ submit 'PROC' - /AFTER="+00:05:00.00" - ! Every 5 minutes /NONOTIFY - ! do not bother the humans /PARAMETERS="''P1'" - ! Preserve any queue name specified /NOPRINTER - ! Do not print log file 'QUEUE' - ! Specified or existing queue /RESTART - ! Restart-enabled /RETAIN=ERROR ! Track failures $ ! $ EXIT $STATUS ! From LJK$SECURITY_TCPIP_MASTER.COM $ !