LJK/Security Reference Manual

2.3 Installation on Tributary Nodes

Note

If you have a single-node license skip ahead to Section 2.4. The installation of the software on the master node above is sufficient.

You will need disk space available on the system disk of the tributary node as shown in Table 2-2. If there is insufficient space available, the VMSINSTAL procedure will exit with an appropriate error message.

Table 2-2 Tributary Node Disk Space Requirements
AXP VAX

peak 20,000 21,000

net 13,000 7000

**Table 2-2 Tributary Node Disk Space Requirements**
	AXP	VAX
peak	20,000	21,000
net	13,000	7000

To permit access to the software just installed on the master node, you should log out and log back in again.
Log back in to the master node under a username which has appropriate facility-specific identifiers or is otherwise authorized as discussed in Section 5.4 (full privileges are not necessary for this part).
Build a software kit to install on tributary nodes using the following command:
$ LJK/SECURITY KIT_BUILD/FILESPEC=LJK$SECURITY_RESULT_AREA:

2.3.1 Installation on Tributary Nodes using VMSINSTAL.COM

Log into a fully privileged account on each tributary node and issue the commands:

$ COPY node"username password"::LJK$SECURITY_RESULT_AREA:LJK_SECURITY%%%.% - SYS$LOGIN: $ @SYS$UPDATE:VMSINSTAL * SYS$LOGIN:

where node is the name of the master node.

Note

At least as of VMS V5.4, DEC had coded the VMSINSTAL command procedure so that it cannot directly access save sets across DECnet with explicit access control strings. A separate COPY command is the recommended method (as above), on the presumption that a security-conscious site will not have default DECnet accounts established, particularly on the machine chosen for a LJK/Security master node.

You will be asked 1 question, about UIC selection. You should choose an unused UIC group number in coordination with any UIC-assignment plan in effect at your site. This group must be unused on all nodes in the same cluster as this tributary node, but does not need to be the same as the group number used on the master node.

* What UIC group should be used for username LJK$SECURITY: 362

Explanations of this question will be given before it is asked. You can get further information about the question by responding with a question mark (?).

On an initial installation where file [000000]QUOTA.SYS is present, you will be reminded of the need to add quota for the LJK$SECURITY UIC.

A disk quota file is present on the system disk, so you must ensure at least 4000 blocks of quota is given to UIC [362,1] ([LJK$SECURITY]).

On an initial installation under VMS V4.7 or earlier, you will also be told to insert a command in your site-specific system startup command procedure to enable LJK/Security each time the machine is booted.

To set up LJK/Security on each system boot, your site-specific startup command file (SYS$COMMON:[SYSMGR]SYSTARTUP.COM) must contain the following line: $ @SYS$MANAGER:LJK$SECURITY_STARTUP

Magnetic media installation is described in Chapter 10, Using LJK/Security With Removable Media. That may be of interest if transmission lines are slow or if you choose to avoid DECnet for other reasons, such as security.

A complete sample script of a default installation on the tributary node can be found in Appendix B.

Installing on Shared System Disks

If you install LJK/Security on one system to run it also on other systems that share that system disk, you should issue the following command on each additional system sharing that system disk:

$ MCR SYSMAN STARTUP ADD FILE LJK$SECURITY_STARTUP.COM/MODE=DIRECT/PHASE=END

2.3.2 Installation on Tributary Nodes using PRODUCT INSTALL

Log into a fully privileged account on each tributary node and issue the commands:

$ COPY node"username password"::LJK$SECURITY_RESULT_AREA:LJK_SECURITY%%%.% - SYS$LOGIN: $ PRODUCT INSTALL LJK_SECURITY/SOURCE=SYS$LOGIN:

where node is the name of the master node.

Installing on Shared System Disks

If you install LJK/Security on one system to run it also on other systems that share that system disk, you should issue the following command on each additional system sharing that system disk:

$ MCR SYSMAN STARTUP ADD FILE LJK$SECURITY_STARTUP.COM/MODE=DIRECT/PHASE=END

2.4 Starting Operation after a New Installation

The steps remaining in the initial setup can be carried out by the security officer---someone with appropriate facility-specific identifiers or who is otherwise authorized as discussed in Section 5.4 on the master node. Full system management privileges are not required.

Depending on the type of terminal you have, refer to one of the following sections:

Regardless of which interface you use, as a brand new user of LJK/Security you will likely have an easier time devising your initial policies if you start with the DISK facility disabled. Enable the DISK facility again after you are happy with results from the rest of your policy.

Note

It is recommended that users running LJK/Security have a VMS process ENQLM quota of at least 100.

User Interfaces

To learn details on controlling LJK/Security, read one of:

Chapter 3
Window Interface

This chapter describes how to control LJK/Security using the DECwindows graphic user interface. For those with a DECwindows workstation available, the LJK/Security Window Interface is usually the easiest mechanism for using the software.

Descriptions of the Window Interface is divided into five sections:

Performance Note

Care should be taken to ensure there are sufficient resources to properly run DECwindows. In particular, those with a VAXstation II or VAXstation 2000 should run LJK/Security on a larger host, using the workstation only for the display server.

This can be accomplished by using the SET DISPLAY command on the host prior to running LJK/Security:

$ SET DISPLAY /CREATE /NODE=<workstation> $ LJK/Security

Of course the workstation specified can only be accessed if its security options are set to allow access by your username from the host you are on, as described in the VMS DECwindows user documentation.

Using the DECwindows interface, LJK/Security performance is quite sensitive to the size of the user working set. LJK Software recommends setting the user account WSEXTENT quota to at least 3000 or 4000 to allow the use of any memory which may be available. (Leaving the WSQUOTA and WSDEFAULT quotas undisturbed prevents unfair disruption of other users on the system.) The large WSEXTENT quota will only have any effect to the limit set by the system parameter WSMAX.

3.1 Windowing Terminology

Within this chapter, certain terms are used which are specific to a windowing environment.

window
In this chapter the term window means a rectangular area on the screen which has a title bar across the top and a menu bar just below it.
dialog box
In this chapter the term dialog box means a rectangular area on the screen which may or may not have a title bar across the top, but has no menu bar.
mouse
The puck usually provided to cause cursor motion on the workstation screen. In some cases a different pointing device such as a tablet and stylus or a trackball is provided, but this chapter will use the term "mouse" to refer to whatever pointing device is present.
mouse button
One of the buttons on the mouse used to perform operations in conjunction with cursor movement.
click
To depress and release a mouse button without moving the mouse between the two actions.
drag
To depress a mouse button, move the mouse with the button still depressed, and then release the mouse button.
double-click
To click a mouse button twice in rapid succession, without moving the mouse. The critical timing is that between the first release of the button and the second depression. The maximum time interval which counts as a double click defaults to 250 milliseconds (one quarter of a second), but can be modified through the DECwindows session manager.
selection
To click mouse button 1 on a single line within a window, or to drag mouse button 1 across a range of lines within a window. The subject lines remain highlighted in reverse video. Technically this is "primary selection".
incremental selection
While holding the keyboard Shift key depressed, to click mouse button 1 on a single line within a window, or to drag mouse button 1 across a range of lines within a window. The subject lines have their highlighting status reversed from what it used to be.
secondary selection
To drag mouse button 3 across a range of lines within a window. On color displays the subject lines will have their segments outlined for the duration of time the button is depressed. Secondary selection is used for DECwindows QuickCopy operations, a method of copying between windows without using the clipboard.
menu
In the simplest form, a "pulldown menu", displayed by depressing mouse button 1 on a name listed across the "menu bar" across the top of a window.
command
One of the selections made available in a pulldown menu.
selecting a command
Depressing mouse button 1 to cause a menu to be displayed, dragging the cursor down to the desired command and releasing the mouse button while it is on that command.

3.2 Context Sensitive Help

To find out about any LJK/Security graphic element you can hold down the "Help" key on the keyboard and then click on the element in question before releasing the "Help" key. (In the case of a command from a pulldown menu, it is necessary to depress the mouse button on the menu name and drag the cursor down to the command in question before releasing it.)

3.3 Using the Window Interface on a New Installation

This section discusses the minimal set of actions required for a security officer to set up LJK/Security on a new system using the Window Interface. The description presumes the system manager has already installed the software using VMSINSTAL, as described in steps a-e of Section 2.2, Installation on the Master Node.

Tremendous numbers of violation reports can be generated by the DISK facility, so as a brand new user of LJK/Security you will likely have an easier time devising your initial policies if you start with the DISK facility disabled. Enable the DISK facility again after you are happy with results from the rest of your policy.

3.3.1 Starting LJK/Security

Use the normal command LJK/SECURITY to start LJK/Security with the Window Interface. So long as a DECwindows display has been defined, either by default in process creation, or explicitly with the SET DISPLAY command, an LJK/Security Main Window will appear within 30 seconds.

To run at a workstation entirely in a terminal emulator window without using the Window Interface, use the qualifier /INTERFACE=. The possible values are:

/INTERFACE=DECWINDOWS or /INTERFACE=CHARACTER_CELL

As always, DECwindows terminal emulator users can specify use of the Command Interface rather than the Menu Interface by using the qualifier /NOSMG in addition to the /INTERFACE=CHARACTER_CELL qualifier.

3.3.2 Creating a Policy

Each master node running LJK/Security must have at least one policy to contain the rules against which VMS system security will be measured.

Selecting the New Policy command from the File Menu of the Main Window creates a series of dialog boxes.

In the first dialog box you must type the name¹ you want to use for the new policy. The second dialog box asks whether you want to include values from an existing policy named DEFAULT. This is immaterial in this case since your first policy has yet to be created, but the dialog box is presented anyway to provide a consistent interface.

When you have clicked on the "OK" button in each of the two dialog boxes, a policy is created and displayed in a new window on the screen.

After creation of the policy window, there is a slight delay while the message "Reading Policy File" is displayed in a Work In Progress box in the center of the new window. When that message disappears the regular contents of the policy will be displayed.

Policy windows contain additional columns (the rightmost of which is only filled for exemptions), so you may wish to drag on the resize button to make the window wider.

3.3.3 Adding an Exemption

Limits for individual tests within an LJK/Security policy set the overall standard against which testing will be done, but in certain cases more lenient standards should be set up through use of an exemption. For example, the test (UAF, PRIVLEVEL, ABSOLUTHI) generally prohibits assignment of powerful VMS privileges. In the case of the username "SYSTEM", however, such privileges are required, for instance to allow proper operation of system management batch jobs which might be submitted as part of the system startup procedure.

This section shows how to add such an exemption for the username "SYSTEM".

Select the test (UAF, PRIVLEVEL, ABSOLUTHI) from the Policy Window causing it to be highlighted in reverse video.

While the desired test is highlighted, select the Exempt command from the Edit menu of the Policy window creating a dialog box for adding an exemption.

Enter the desired value for the Exemption (Category-all, in this case) by clicking the appropriate radio button, or by selecting the Value field within the dialog box and typing th text if you prefer.

In the field for the Exemption Node, enter an asterisk "*" as a wildcard indicator, since this particular exemption you are adding should apply to all nodes covered by this policy. If you were adding a similar exemption for an individual user authorized extreme privileges, such as the system manager, you would enter separate exemptions for each node on which that individual was permitted to have extreme privileges.

In the field for the Exemption String, enter the username for which the exemption is to be granted, in this case "SYSTEM".

The Comment field allows you to make a notation explaining the reason why a particular policy change was made. For example, "January 14, 1990 memo from vice-president Mary Smith". Especially in cases where multiple individual security officers will be running LJK/Security, it is important to leave a record of why particular changes were made so actions can be taken in a coordinated fashion.

Since LJK/Security keeps a record of which username made the change, it will be quite obvious which member of the team is failing to fill in the comment field!

3.3.4 Creating an Assessment

The specification of which policies apply to which tributary nodes is stored as an LJK/Security assessment. The assessment thus also provides a list of which nodes are to be tested, excluding for instance, any which do not have the LJK/Security software installed.

Select the New Assessment command from the File Menu of the Main Window to create a series of dialog boxes. In the first dialog box you must type the name² you want to use for the new assessment. The second dialog box asks whether you want to include values from an existing assessment named DEFAULT. This is immaterial in this case since your first assessment has yet to be created, but the dialog box is presented anyway to provide a consistent interface.

When you have clicked on the "OK" button in each of the two dialog boxes, an assessment is created and displayed in a new window on the screen.

The new assessment contains only one entry called "< Prototype >". This entry does not actually represent a node to be assessed, but is present to be used as a template for creating assessment entries.

Select the < Prototype > entry from the Assessment Window causing it to be highlighted in reverse video.

While the entry is highlighted, select the Modify command from the Edit menu of the Assessment window creating a dialog box modifying an Assessment entry. The same thing can be accomplished by double-clicking on the < Prototype > entry, since the default action for the Assessment window is Modify.

The dialog box displays the fields of an existing entry so they can be viewed or changed. If they are changed and accepted with the Apply or OK button, there are two possibilities:

If the node name field was not changed, then the assessment values on disk for the subject node are changed.
If the node name field was one of those changed, then the values of the other fields are applied for some other node, either adding a new node to the assessment or some set of existing values for that node. In all cases where a change is made, LJK/Security maintains a history record of the previous values.

In this case (initial setup of an assessment) you should change the node name³ from < Prototype > to the node name you are going to test. For single-node licenses, this will be the same as the name of the master node on which you are running LJK/Security. Select the entire text of the Node field by clicking three times in rapid succession, or else by dragging across the field. The selected portion will be highlighted with reverse video. Typing in the desired node name will replace the existing text.

Another change you will want to make is to specify the proper policy (unless the policy name you want to use happens to match the one in the policy field). Click once on the policy field and you will be shown a list of available policies.

Select a policy from the list and it will be highlighted. Then clicking the OK button will return you to the assessment dialog box with your new choice in place. (It is also possible to double-click in the list of policies to save time.)

As with the policy dialog box, the assessment dialog box contains a comment field where you can record the reason for assessment changes. When you are satisfied with the contents of the assessment dialog box you can click on Apply or OK to make your changes take effect. (OK will also cause the box to disappear, while Apply leaves it in place for further actions such as creating more new node entries.)

Note