LJK/Security Reference Manual



3.3.5 Running the Assessment

With both an assessment and a policy in place, you are now ready to run. From your own user process you will issue the command, but the actual testing on the master node and transmission of a request to tributary nodes takes place behind the scenes. This frees up your process for doing other work (or for logging out if you are leaving the area).


Select the Run command from the Control menu on the Main window. This creates a dialog box from which you can select which assessment to run.

The list of available assessments is displayed, and you can double-click on any of them to cause them to run. You can also select the text field at the bottom of the dialog box and type an assessment name in manually, but it must match one of the names from the list.


When you have specified which assessment is to be run, an Option dialog box is displayed to allow you to specify any delay or repetition in the running of the assessment. To use the After field you must specify an Absolute Time in the standard VMS format (dd-mmm-yyyy hh:mm). To use the Interval field you must specify a Delta Time in the sfect. (OK will also cause the box to disappear, while Apply leaves it in place for further actions such as creating more new node entries.)



Note

Select the entire text of the Node field by clicking three times in rapid succession, or else by dragging across the field. The selected portion will be highlighted with reverse video. Typing in the desired node name will replace the existing text.

Another change you will want to make is to specify the r tributary nodes. For a very simple policy with the Disk facility disabled and minimal password guessing it might be as little as 5 minutes. For more extensive testing, especially on heavily loaded machines, it might take several hours.


Select the Report command from the Control menu of the Main window. A dialog box will be created with a list of possible assessments to be reviewed. (It may be shorter than the list for the Run command, since it does not include assessments for which the Run command has never been issued.) Double-click on the desired assessment, and a Result window will be created.

In the result window you will see a list of all violations reported from the running of the assessment. They are arranged in alphabetic order by node name and then in alphabetic order by test name. Use the scroll bar slider on the right-hand side to move up and down the list if it is longer than can be shown on the screen at once.

3.4 Overview of LJK/Security Pulldown Menus

Formalizing some of the information in the previous section, there are four types of LJK/Security windows provided:
  • Main
  • Assessment
  • Policy
  • Result



3.4.1 Main Window Menus

The Control menu contains commands to control the running of assessments and to review assessment results.

The File menu contains commands to create new assessments and policies and to open existing assessments and policies for review and modification.

The Kit menu contains commands to generate VMSINSTAL kits to be used to install software on tributary nodes.

The DECwindows menu contains commands to save and restore user preferences.

The Help menu contains commands to get further information on operation of the LJK/Security Window Interface.

3.4.2 Assessment Window Menus

The Control menu contains a command to close the Assessment Window.

The Edit menu contains commands to transfer information to and from the clipboard and to show or modify the contents of individual Assessment records. Double-clicking on an individual record performs a default action which is equivalent to the Modify command on the Edit menu.

The Help menu contains commands to get further information on operation of the LJK/Security Window Interface.

3.4.3 Policy Window Menus

The Control menu contains a command to close the Policy Window.

The Edit menu contains commands to transfer information to and from the clipboard and to show or modify the contents of existing Policy records, and to create new Exemption records. Double-clicking on an individual record performs a default action which is equivalent to the Modify command on the Edit menu.

The Help menu contains commands to get further information on operation of the LJK/Security Window Interface.

3.4.4 Result Window Menus

The Control menu contains a command to close the Result Window.

The Edit menu contains commands to transfer information to the clipboard.

The Help menu contains commands to get further information on operation of the LJK/Security Window Interface.

3.5 Using the Window Interface for Day-to-Day Tasks

This section gives a sampling of some of the tasks which can be performed with the LJK/Security Window Interface. The choice of examples is intended to demonstrate aspects of the Window Interface which are particularly useful but were not already covered in Section 3.3, Using the Window Interface on a New Installation.

For information on specific portions of LJK/Security Window Interface displays, use the mechanism described in Section 3.2, Context Sensitive Help.

3.5.1 Viewing Multiple Assessments

Using the commands from the File menu of the Main Window, you can open multiple assessments and policies at the same time, to the limit permitted by the quotas authorized by your VMS account. (Exact quota values required depend on VMS versions and other variables; experimentation is the best method to determine what quota settings support your required pattern of operation.)

3.5.2 Copying an entry to another assessment

You can select one or more lines in an assessment window and use the Copy command from the Edit menu to copy them to the clipboard.

After the records have been copied to the DECwindows clipboard, they can be pasted back into a different assessment window by using the Paste command from the Edit menu of the target assessment window. The information copied is the full detailed assessment record, not just what is displayed in the assessment window.

Note that when a Paste command is used on an LJK/Security window, a dialog box is created asking for entry into the comment field. Whether such a field must be filled in depends on your local rules, but in any case, LJK/Security does keep track of which user performed the Paste operation, since that is the same as modifying a record directly.

Information copied to the clipboard from LJK/Security Assessment Windows can also be pasted into text windows of other DECwindows applications. That information is passed to those applications in summary text form (as shown in the assessment window) rather than in the binary form used between LJK/Security windows.

For advanced DECwindows users, all four forms of QuickCopy are also available between LJK/Security assessment windows. See the DECwindows documentation from VMS Development for details.

3.5.3 Removing an entry from an assessment

The mechanism for removing records from an assessment with the Window Interface is to select the desired record(s) and then use the Cut command from the Edit menu of the Assessment window.

The Cut command also copies the record to the clipboard, but if those contents of the clipboard never get pasted anywhere that effect is immaterial.

Note that records cut from an LJK/Security assessment window still are displayed in that window, but with only the Node text field showing. This is to allow a security officer to review the history of record deletions, as discussed in Section 3.5.4.

3.5.4 Modification based on an assessment history record

When you have created an assessment dialog box with the Modify command from the Edit Menu (or by double-clicking on a line in the assessment window), there is a vertical scroll bar along the right edge. You can examine any previous versions of records for the subject node by dragging the scroll bar slider toward the top.

While viewing any previous version, you can use it as the basis for further modifications by making any desired changes, such as the Comment field, and clicking on the Apply (or OK) button.

3.5.5 Examining an assessment entry


Select the Show command from the Edit menu of the Assessment window to create a Read-Only assessment dialog box. Attempts to modify records using the resulting dialog box will not be effective.

3.5.6 Modifying policy values

Methods available for modifying the value in a policy limit or exemption dialog box vary depending on the data type of the value. In all cases, however, you can type text into the value field if you do not want to use one of the more specialized methods.

3.5.6.1 Boolean



Boolean values have radio buttons for True and False.

3.5.6.2 Scale

Numeric values have a scale whose slider can be dragged left or right.

This works best for scales where the range of possible values is limited, such as percentages or hours in the day. Moving a slider between 0 and 2,147,483,647 to exactly 1,236 is quite difficult! In such a case, typing the desired number into the value field is best.

Note

In the future, LJK Software may reduce the range of those wide-ranging scales so that only the more popular values can be set using the scale and character typing must be used for extreme values.

3.5.6.3 Protection

For file or device protections, you can modify an array of toggle buttons covering the protection field values.

3.5.6.4 Privilege Level

For Privilege Levels, select one of the seven radio buttons which are displayed.

3.5.7 Modifying a policy disable

For each LJK/Security facility, the first policy record shown is a disable record which can be used to disable or enable testing of that facility. The dialog box for those records has two radio buttons, similar to that for boolean values.

3.5.8 Cutting a policy only removes exemptions

When records are cut from a policy, all selected records are moved (to the clipboard, for example), but only exemptions are deleted from the policy window. This is because there must always be some record for disables and limits.

As with assessments, (exemption) records cut from a policy are still available in the policy window to allow examination of history records. Compared to assessment entries, deleted policy exemptions have more fields still visible (only the value is erased), so the effect of the Cut command may seem less obvious.

Chapter 4
Menu Interface




This chapter describes how to control LJK/Security using a character cell display terminal.

The menu interface provides user-friendly, visually oriented access to LJK/Security functions, compatible with character-cell video terminals back to the VT100 series.

4.1 How to Use the Menu Interface

  1. Start LJK/Security from the DCL prompt by issuing the command:

    $ LJK/Security

     If your terminal is a VT100-compatible video terminal (and that fact has been indicated to VMS with the SET TERMINAL command), the main menu will be displayed.

  2. Once any menu has been displayed on the screen, you can make a menu selection by using the [up arrow] and [down arrow] keys on the item you want. Then press the [Return] or [Enter] key to make that selection.
  3. When a menu selection is made, the next menu "page" will be displayed or a popup box requesting input will appear.
  4. To exit from any menu page and get back to the previous menu, use the [down arrow] key to get to the "Exit this menu" selection (which is always last) and press the [Return] or [Enter] key.
     Experienced users may prefer to use the [Ctrl/Z] combination to exit from a menu.
  5. The Browse Box used to look at assessment reports does not have an "Exit this menu" selection, but pressing the [Return] or [Enter] key on any item will exit.

4.2 Using the Menu Interface on a New Installation



This section discusses the minimal set of actions required for a security officer to set up LJK/Security on a new system using the Menu Interface. The description presumes the system manager has already installed the software using VMSINSTAL, as described in steps a-e of Section 2.2, Installation on the Master Node.

Tremendous numbers of violation reports can be generated by the DISK facility, so as a brand new user of LJK/Security you will likely have an easier time devising your initial policies if you start with the DISK facility disabled. Enable the DISK facility again after you are happy with results from the rest of your policy.

4.2.1 Starting LJK/Security

Use the command LJK/SECURITY to start LJK/Security with the Menu Interface. Provided your terminal has at least the VT100 level of features (and those features have been so indicated with the VMS command SET TERMINAL), the main menu will be displayed.

To run at a VAXstation or AXP Workstation entirely in a terminal emulator window using the Menu Interface, use the qualifier /INTERFACE=. The possible values are:

        /INTERFACE=DECWINDOWS    or
        /INTERFACE=CHARACTER_CELL

You can specify use of the Command Interface rather than the Menu Interface by using the qualifier /NOSMG in addition to the /INTERFACE=CHARACTER_CELL qualifier.

4.2.2 Creating a Policy

Each master node running LJK/Security must have at least one policy to contain the rules against which VMS system security will be measured.

Use the [up arrow] and [down arrow] keys to highlight Customize on the LJK/Security menu and then use the [Return] or [Enter] key to bring up the Customize Menu.

The Customize Menu offers a selection between the various actions which can be applied to customize assessments and policies.

Use the [up arrow] and [down arrow] keys to highlight Create Policy on the Customize menu and then use the [Return] or [Enter] key to select policy creation.

In the popup box, enter the name you want to use for the new policy, followed by the [Return] key.

Subsequent menus offer choices of:

  • including limits from the policy named DEFAULT
  • including disables from the policy named DEFAULT
  • including exemptions from the policy named DEFAULT
  • showing audit and logging information

For the last, choose Without Logging to save time.

4.2.3 Adding an Exemption

Limits for individual tests within an LJK/Security policy set the overall standard against which testing will be done, but in certain cases more lenient standards should be set up through use of an exemption. For example, the test (UAF, PRIVLEVEL, ABSOLUTHI) generally prohibits assignment of powerful VMS privileges. In the case of the username "SYSTEM", however, such privileges are required, for instance to allow proper operation of system management batch jobs which might be submitted as part of the system startup procedure.

This section shows how to add such an exemption for the username "SYSTEM".

Use the [up arrow] and [down arrow] keys to highlight Modify Policy on the Customize menu and then use the [Return] or [Enter] key to select policy modification.

The available policies will be displayed in a menu.

Use the [up arrow] and [down arrow] keys to highlight the policy you want on the Modify Policy menu and then use the [Return] or [Enter] key to select that policy.

In subsequent menus you should select:

  • Set exemption
  • UAF
  • PRIVLEVEL
  • ABSOLUTHI

In the value popup box, enter the value you want to use for the exemption, followed by the [Return] key. The possible values for each test are described in Chapter 6, LJK/Security Tests. In the case of this example, the proper value is "Category-All".

In the Exemption Argument 1 popup box, enter what you want to use for the first exemption argument, followed by the [Return] key. The first exemption argument is always a node name or the wildcard character "*", as described in Chapter 6, LJK/Security Tests. In the case of this example, the proper value is "*", to indicate that the exemption is to apply to all nodes.

In the Exemption Argument 2 popup box, enter what you want to use for the second exemption argument, followed by the [Return] key. The use of the second exemption argument varies according to the facility being tested and is described for each facility in Chapter 6, LJK/Security Tests. In the case of this example, the proper value is "SYSTEM", to indicate that the username SYSTEM is the one for which the exemption is desired.

Subsequent menus offer choices of:

  • showing audit and logging information
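
The interaction between a limit and an exemption described in this section, modeled as an added Python example (not LJK/Security code). The level names other than "Category-All", their ordering, the limit value, the exact-match rule for the second argument and the sample records are assumptions made for illustration; the result ordering follows the Result window description in Section 3.3.5.

```python
from dataclasses import dataclass, field

# Assumed ordering, least to most powerful, modeled on the VMS privilege
# categories. Only "Category-All" is a value that appears in the manual.
LEVELS = ["None", "Normal", "Group", "Devour", "System", "Objects", "All"]
TEST = ("UAF", "PRIVLEVEL", "ABSOLUTHI")


def rank(value):
    """Position of a 'Category-<name>' value in the assumed ordering."""
    return LEVELS.index(value.split("-", 1)[1])


@dataclass
class Policy:
    limits: dict                                     # test -> highest level allowed
    exemptions: list = field(default_factory=list)   # (test, value, arg1, arg2)

    def allowed(self, test, node, subject):
        """Exemption value if one matches this node and subject, else the limit."""
        for ex_test, value, arg1, arg2 in self.exemptions:
            # Argument 1 is a node name or the wildcard "*".
            node_ok = arg1 == "*" or arg1.upper() == node.upper()
            # Argument 2 is the username for the UAF facility (exact match assumed).
            if ex_test == test and node_ok and arg2.upper() == subject.upper():
                return value
        return self.limits[test]


def assess(records, policy):
    """Return (node, test, username) violations, ordered by node then test."""
    found = []
    for node, user, level in records:
        if rank(level) > rank(policy.allowed(TEST, node, user)):
            found.append((node, TEST, user))
    return sorted(found)


# Constructed sample data: (node, username, highest privilege level held).
RECORDS = [
    ("VENUS", "SYSTEM", "Category-All"),
    ("VENUS", "OPER1", "Category-All"),
    ("MARS", "SYSTEM", "Category-All"),
    ("MARS", "GUEST", "Category-Normal"),
]
LIMIT = {TEST: "Category-Group"}   # hypothetical limit value

strict = Policy(LIMIT)
all_nodes = Policy(LIMIT, [(TEST, "Category-All", "*", "SYSTEM")])
one_node = Policy(LIMIT, [(TEST, "Category-All", "MARS", "SYSTEM")])

if __name__ == "__main__":
    for name, policy in [("no exemption", strict), ("* / SYSTEM", all_nodes),
                         ("MARS / SYSTEM", one_node)]:
        print(name, [(n, u) for n, _, u in assess(RECORDS, policy)])
```

In this model, the "*" exemption clears SYSTEM on every node while OPER1 is still reported; naming a single node in argument 1 leaves SYSTEM reported on the other nodes.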



4.2.4 Creating an Assessment

The specification of which policies apply to which tributary nodes is stored as an LJK/Security assessment. The assessment thus also provides a list of which nodes are to be tested, excluding, for instance, any which do not have the LJK/Security software installed.

Use the [up arrow] and [down arrow] keys to highlight Create Assessment on the Customize menu and then use the [Return] or [Enter] key to select assessment creation.

In the popup box, enter the name you want to use for the new assessment, followed by the [Return] key.

Subsequent menus offer choices of:

  • including entries from the assessment named DEFAULT
  • showing audit and logging information

Unlike the policy creation situation, it is reasonable to ask for logging of assessment creation information.

The assessment just created, however, lacks any indication of specific nodes to be assessed.


Use the [up arrow] and [down arrow] keys to highlight Modify Assessment on the Customize menu and then use the [Return] or [Enter] key to select assessment modification.

The available assessments will be displayed in a menu.

Use the [up arrow] and [down arrow] keys to highlight the assessment you want on the Modify Assessment menu and then use the [Return] or [Enter] key to select that assessment.

In the next menus you should select:

  • Named Node

In the node name popup box, enter the name of the node you want to add to the assessment, followed by the [Return] key.

Use the [up arrow] and [down arrow] keys to highlight Policy on the Named Node menu and then use the [Return] or [Enter] key.

The available policies will be displayed in a menu.

Use the [up arrow] and [down arrow] keys to highlight the policy you want on the Policy For Node menu and then use the [Return] or [Enter] key to select that policy.

In the next menus you should select:

  • DECnet medium for REQUEST (at least for this example)
  • Plaintext transmission for REQUEST (at least for this example)
  • DECnet medium for RESULT (at least for this example)
  • Plaintext transmission for RESULT (at least for this example)

In the Comment popup box, enter any information you want to store about the modification, followed by the [Return] key.

In the final menu you should select:

  • showing audit and logging information

Unlike the policy creation situation, it is reasonable