LJK/Security Reference Manual



Overview

This gives basic information on LJK/Security.


Chapter 1
Introduction

This chapter describes the overall operational concepts of LJK/Security and gives a tutorial-order explanation of various terms (denoted in boldface throughout this manual) that have specialized meanings within the context of LJK/Security.

1.1 What LJK/Security Does

LJK/Security runs a series of tests of security-relevant conditions on VMS systems, comparing them to user-specified standards. The results are forwarded to a master node for reporting.

LJK/Security control and reporting software is installed on one master node with only data-gathering software installed on other tributary nodes.

1.2 What LJK/Security Does Not Do

LJK/Security does no modification¹ to the systems being assessed. It is intended as an unbiased tool for observation of system security, without getting involved in issues of control. Although in some organizations, the same individuals may be involved both in establishing security and evaluating it, LJK/Security makes no assumption that this is the case. It is organized, rather, to support the principle of separation of duties between those who implement security and those who evaluate it.

LJK/Security makes individual assessments on a user-specified schedule, rather than on a continuous basis. Thus, its results are based on sampling rather than logging, so effective monitoring depends on selection of a schedule appropriate for the environment.

Note

1 Aside from data files LJK/Security creates for use in its own operation

1.3 How LJK/Security is licensed

Each LJK/Security license covers one machine referred to as a master node, and some number (possibly zero) of other machines referred to as tributary nodes.

Note

The use of the term "node" does not mean that use of DECnet is required. A set of machines without DECnet can be accessed by moving removable magnetic media (e.g., tapes) back and forth, but in this document those machines are still referred to as "nodes".

If your master node is in a VAXcluster or a VMScluster, you have the option when installing LJK/Security of specifying that any machine in the cluster can serve as the master node (providing your license is large enough to cover all machines in the cluster).

1.4 Elements of the LJK/Security Control Structure

Throughout this manual there are terms (denoted by boldface type) which have a specific technical meaning within the context of LJK/Security.

1.4.1 Node

The term node refers to a single VMS system, regardless of whether or not it is connected via DECnet. Thus, a multi-processor system is one node, while a VAXcluster or VMScluster is multiple nodes. The DECnet node address used at some sites for a cluster-wide alias node name does not count as an additional node for purposes of LJK/Security.

1.4.1.1 Master Node

The master node is the one on which LJK/Security software is originally installed. All commands are issued from the master node.

1.4.1.2 Tributary Node

A tributary node is one on which LJK/Security data-gathering is conducted. In most cases a master node will also be a tributary node (and it is counted as such in license size limits).

1.4.2 Test

A test is an individual comparison to be made between a security-relevant condition on a node and a limit in the relevant policy. The various tests available within LJK/Security are each denoted by a set of three names: facility, element, and constraint.

1.4.2.1 Facility

Particular section of VMS or layered product being tested.

1.4.2.2 Element

Particular parameter or security-relevant item being tested.

1.4.2.3 Constraint

Exact condition being tested (value too low, value too high, etc.).

1.4.3 Policy

The term policy refers to a collection of security rules against which a single node can be evaluated.

LJK/Security allows for multiple policies within a given set of licensed nodes. This allows for a distinction to be made between nodes with varying security requirements or to account for special needs (e.g., machines used primarily to develop VMS device drivers will have an abnormally high proportion of privileged users).

Support for multiple simultaneous policy definitions also allows for variations in the security measurement process, such as running very thorough (and resource-intensive) security checks on weekends with quicker security checks each evening.

Figure 1-1 Contents of a Policy


As shown in Figure 1-1, within a policy there can be three types of rules:

1.4.3.1 Disable

A rule which is used to bypass all tests for a particular facility.

This is the only type of rule which applies to more than a single test.

1.4.3.2 Limit

A rule which specifies a value which must be met by a particular test.

1.4.3.3 Exemption

A rule which permits certain failures of a particular test not to be counted as violations.
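
How the three rule types interact when one policy is applied to one node, modelled in Python as an added illustration (this is not LJK/Security code and does not come from this manual). The facility, element, constraint and account names and all values are constructed, and treating a test that has no Limit rule as skipped is an assumption; the two policies mirror the driver-development case described in section 1.4.3.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class SecTest:                  # one test, named by three parts (section 1.4.2)
    facility: str
    element: str
    constraint: str             # "TOO_LOW" or "TOO_HIGH" in this model

@dataclass
class Policy:
    disabled: set = field(default_factory=set)      # Disable: facility names
    limits: dict = field(default_factory=dict)      # Limit: SecTest -> value
    exemptions: dict = field(default_factory=dict)  # Exemption: SecTest -> subjects

def breaks_limit(constraint, observed, limit):
    if constraint == "TOO_LOW":
        return observed < limit
    if constraint == "TOO_HIGH":
        return observed > limit
    raise ValueError(f"unknown constraint {constraint!r}")

def evaluate(policy, observations):
    """Apply one policy to one node's (test, subject, value) observations."""
    violations, exempted, skipped = [], [], []
    for test, subject, observed in observations:
        # Disable bypasses every test of the facility; assumption: a test
        # with no Limit rule has nothing to be compared against.
        if test.facility in policy.disabled or test not in policy.limits:
            skipped.append((test, subject))
        elif breaks_limit(test.constraint, observed, policy.limits[test]):
            if subject in policy.exemptions.get(test, set()):
                exempted.append((test, subject))    # failure, but not a violation
            else:
                violations.append((test, subject))
    return violations, exempted, skipped

# Constructed names and values, not LJK/Security's own test names.
PWD = SecTest("ACCOUNTS", "PASSWORD_MIN_LENGTH", "TOO_LOW")
PRIV = SecTest("ACCOUNTS", "PRIVILEGED_ACCOUNT_COUNT", "TOO_HIGH")
NET = SecTest("NETWORK", "PROXY_COUNT", "TOO_HIGH")
OBSERVED = [(PWD, "SMITH", 6), (PWD, "KIOSK", 4), (PWD, "JONES", 10),
            (PRIV, "node", 12), (NET, "node", 40)]
GENERAL = Policy(disabled={"NETWORK"}, limits={PWD: 8, PRIV: 5},
                 exemptions={PWD: {"KIOSK"}})
DRIVER_DEV = Policy(limits={PWD: 8, PRIV: 20, NET: 10})  # more privileged users

if __name__ == "__main__":
    for name, policy in (("GENERAL", GENERAL), ("DRIVER_DEV", DRIVER_DEV)):
        print(name, evaluate(policy, OBSERVED))
```

Under GENERAL the NETWORK facility is skipped and KIOSK's short password is exempted; under DRIVER_DEV the same node passes the privileged-account test but fails the network one.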

1.4.4 Assessment

The term assessment refers to a coordinated testing of a set of nodes based on (possibly diverse) specified policies. The relationships established by an assessment are shown in Figure 1-2. An assessment specifies, for each tributary node:

For the simplest (default) case, the same policy will be applied to all nodes, and DECnet will be used for transmission of both requests and results.

Figure 1-2 Contents of an Assessment



Chapter 2
Installing LJK/Security

This chapter describes the steps which must be taken by the VMS system manager to get LJK/Security up and running in your environment.

There are four phases involved in starting up from scratch:

  1. Choosing the Master Node
  2. Installation on the Master Node
  3. Installation on Tributary Nodes
  4. Starting Operation after a New Installation

The second and third steps must be performed by someone with full system management privileges on the machine(s) in question.

The example shown below takes program defaults wherever possible, for instance assuming that DECnet connections will be used for all communications between the master node and the tributary nodes.

In many cases 95% of the criteria you want will be taken care of by these default values. As you gain experience you can turn to the Site-Specific Customization part, but initially you should use the built-in defaults.

Note

Installation of LJK/Security creates the username LJK$SECURITY, using the UIC group number you provide. This username is only for use in processes created by the LJK/Security software, and it should not be used interactively.

2.1 Choosing the Master Node

Control of the assessment process is done from a single node¹ designated as the master node. Factors you should consider in selecting that node include:

Note

If you change your mind later, moving the master node will be just as time-consuming as the original installation, because all of the tributary nodes have LJK/Security software installed which is configured only to respond to requests originating from the master node.

Note

1 In cases where the master node is a member of a VAXcluster or a VMScluster you may choose as an installation option to allow or prohibit other members of the cluster to serve as master node. That power, of course, also depends on the particular username having the appropriate LJK/Security facility-specific identifiers (or the SECURITY privilege on older versions of VMS), but bear in mind that an aggressive penetrator can always obtain privilege if permitted physical access to a machine (even a MicroVAX, VAXstation or AXP Workstation serving as a satellite node).

2.2 Installation on the Master Node

To install LJK/Security on the master node you will need disk space on the system disk of the master node as shown in Table 2-1. If there is insufficient space available, the VMSINSTAL procedure will exit with an appropriate error message.

Table 2-1 Master Node Disk Space Requirements

        Maximum Options            Minimum Options
        System Disk   Data Disk    System Disk   Data Disk
peak    50,000        6000         43,000        2500
net     40,000        6000         40,000        2500

Ensure users are logged off the master node. If they remain on during the installation, one of them could be accessing the VMS help library at the moment when the VMSINSTAL command procedure tries to update it, causing the installation to fail.

Effective with VAX VMS V5.4, VMSINSTAL sends a message to all users urging them to exit help. This is transmitted at 15-second intervals up to 20 times.

There are two methods available for installing LJK/Security, but LJK Software strongly recommends the VMSINSTAL.COM method due to shortcomings and version-to-version differences in the other method.

2.2.1 Installation on the Master Node using VMSINSTAL.COM

The following commands must be issued from a fully privileged username (e.g., one used for system management purposes).

  1. Mount the LJK/Security distribution CDROM:


    $ MOUNT ddcu: LJK_SEC_029
    
    replacing ddcu: with the name of your CDROM drive.

  2. Invoke the VMSINSTAL command procedure, specifying the product CDROM:


    $ @SYS$UPDATE:VMSINSTAL * DISK$LJK_SEC_029:[LJK_SECURITY029.KIT] 
    

  3. You will be asked 2 or 8 questions. The one you should concentrate on is the first one (about UIC selection). You should choose an unused UIC group number in coordination with any UIC-assignment plan in effect at your site.


    * What UIC group should be used for username LJK$SECURITY: 25 
    * Would you like the simplified installation dialog [YES]? 
    * Is that object number for transmitting REQUESTS satisfactory [YES]? 
    * Is that object number for receiving RESULTS satisfactory [YES]? 
    * Is that treatment of other cluster member nodes acceptable [YES]? 
    * Is that location for LJK/Security files satisfactory [YES]? 
    * Is that DECwindows interface decision acceptable [YES]? 
    * Is that Bookreader documentation decision acceptable [YES]? 
    
    Explanations of each question will be given before it is asked. You can get further information about any question by responding with a question mark (?), and for all but the first question you can respond with a carriage return to get the default behavior.

    Note

    The ability to let other cluster member nodes serve as LJK/Security master node depends on the VMS cluster alias node number feature. Therefore it will not be enabled for master nodes running VMS V4.2 or V4.3.

  4. On an initial installation where file [000000]QUOTA.SYS is present, you will be reminded of the need to add disk quota for the LJK$SECURITY UIC.


     
     A disk quota file is present on the system disk, so you must 
     ensure at least 10000 blocks of quota is given to UIC [25,1] 
     ([LJK$SECURITY]). 
     
    

  5. On an initial installation under VMS V4.7 or earlier, you will also be told to insert a command in your site-specific system startup command procedure to enable LJK/Security each time the machine is booted.


     
     To set up LJK/Security on each system boot, your site-specific 
     startup command file (SYS$COMMON:[SYSMGR]SYSTARTUP.COM) must 
     contain the following line: 
     
      $ @SYS$MANAGER:LJK$SECURITY_STARTUP 
     
    

If you accepted the default action of installing Bookreader documentation for LJK/Security, the file LIBRARY.DECW$BOOKSHELF is installed in the area LJK$SECURITY_POLICY_AREA:, along with the actual Bookreader documentation (file type .DECW$BOOK). An individual user can access this information by defining the logical name DECW$BOOK to have an equivalence name of LJK$SECURITY_POLICY_AREA:. For longer term access it is better to make the LJK$SECURITY_POLICY_AREA: equivalence name be just one in a series of equivalence names for the logical name DECW$BOOK. This can be done as a system logical name to make the information generally available.

For experienced users of VMSINSTAL, optional features of that VMS facility are available when installing LJK/Security, with the following exceptions:

As with other software products installed for the first time on VMS, if any other user was logged in during the installation, they will not be able to access the LJK/SECURITY command until they log out and log in again.

A complete sample script of a default installation on the master node can be found in Appendix A.

Installing on Shared System Disks

If you install LJK/Security on one system to run it also on other systems that share that system disk, you should issue the following command on each additional system sharing that system disk:


$ MCR SYSMAN STARTUP ADD FILE LJK$SECURITY_STARTUP.COM/MODE=DIRECT/PHASE=END 

2.2.2 Installation on the Master Node using PRODUCT INSTALL

  1. Mount the LJK/Security distribution CDROM:


    $ MOUNT ddcu: LJK_SEC_029
    
    replacing ddcu: with the name of your CDROM drive.

  2. Issue the PRODUCT INSTALL command specifying the product CDROM:


    $ PRODUCT INSTALL LJK_SECURITY/SOURCE=DISK$LJK_SEC_029:[LJK_SECURITY029.KIT] 
    

  3. Select the appropriate architecture for your master node:


     
       1 - LJK AXPVMS LJK_SECURITY V2.9        Layered Product 
       2 - LJK VAXVMS LJK_SECURITY V2.9        Layered Product 
       3 - All products listed above 
       4 - Exit 
     
    Choose one or more items from the menu separated by commas: 1 
    

  4. Use a carriage return to confirm the architecture selection:


     
     
    The following product has been selected: 
        LJK AXPVMS LJK_SECURITY V2.9           Layered Product 
     
    Do you want to continue? [YES] 
    
    Respond with a question mark if you are not sure.

  5. Use a carriage return to accept the choice of DECnet object numbers:


     
        DECnet objects 200 and 201 will be used for LJK/Security 
     
    Do you want to continue? [YES] 
    
    Respond with a question mark if those values are not satisfactory.

  6. Use a carriage return to accept the choice of locations for policy storage:


     
        SYS$COMMON:[LJK$SECURITY_POLICY] will be used for LJK/Security 
     
    Do you want the defaults for all options? [YES] 
    
    Respond with a question mark if that value is not satisfactory.

  7. Use a carriage return to say you do not want to review options:


    Do you want to review the options? [NO] 
    

  8. Wait for completion:


    Execution phase starting ... 
     
    The following products will be installed to destinations: 
        LJK AXPVMS LJK V2.10                   DISK$VMS073:[VMS$COMMON.] 
        LJK AXPVMS LJK_SECURITY V2.9           DISK$VMS073:[VMS$COMMON.] 
     
    Portion done: 0%...10%...20%...30%...60%...80%...90%...100% 
     
    The following products have been installed: 
        LJK AXPVMS LJK V2.10                   Layered Product 
        LJK AXPVMS LJK_SECURITY V2.9           Layered Product 
    $ 
    

    Clarification of PRODUCT INSTALL mechanism


    Up through VMS V7.3, a message on initial installations:


    %LJK-F-GETUAI, Error getting UIC for username LJK$SECURITY 
    -RMS-E-RNF, record not found 
    

    can be corrected by answering NO to the question:


    Terminating is strongly recommended.  Do you want to terminate? [YES] 
    

    and re-running the PRODUCT INSTALL command.
    It is caused by PCSI invoking the "assemble execute" procedure for file LJK$SECURITY_STARTUP.COM (owned by user LJK$SECURITY) before it has created the LJK$SECURITY username.

Note

The command PRODUCT REMOVE LJK_SECURITY on more recent versions of VMS (circa V7.2-V7.3) produces the message:


"%PCSI-E-PARUDF, file [SYS$STARTUP]LJK$SECURITY_STARTUP.COM was not 
previously installed or is present but out of scope; file ownership 
and protection update skipped 
Terminating is strongly recommended.  Do you want to terminate? [YES]" 

LJK Software recommends answering NO to this question to complete the removal. We will work on resolving this issue in the future.

As with other software products installed for the first time on VMS, if any other user was logged in during the installation, they will not be able to access the LJK/SECURITY command until they log out and log in again.

Installing on Shared System Disks

If you install LJK/Security on one system to run it also on other systems that share that system disk, you should issue the following command on each additional system sharing that system disk:


$ MCR SYSMAN STARTUP ADD FILE LJK$SECURITY_STARTUP.COM/MODE=DIRECT/PHASE=END 

