The exemptions can only be to loosen standards, not to tighten them.

Remove LJK/Security software from a node.

Format

$ MCR LJK$SECURITY REMOVE

restrictions

• You must have full system management privileges as well as the identifier LJK$SECURITY_ROLE_STARTUP, LJK$SECURITY_REMOVE or LJK$SECURITY_ALL.
• On systems prior to VAX VMS V6.0 or systems which do not have a Rights List database, you must have the SECURITY privilege and also full system management privileges.

Parameters

None.

Description

Remove LJK/Security software from a node.

Before attempting to remove the LJK/Security software, all use of it should be completed on the node and any nodes with which it shares a system disk.

The REMOVE command will automatically perform an orderly shutdown of the LJK/Security master process on the local node, but it does not do so for other nodes which might share the system disk.

This command takes a different form than other commands because it is also supported on tributary nodes, where the command form LJK/SECURITY is not available.

Note Do not use the SYSMAN utility to issue this command between nodes, since that command does not fully replicate the normal process context and only a partial removal will be achieved.

Shared System Disks For shared system disks, use the SHUTDOWN command first on all nodes to avoid problems. Some residue will be cleaned up by the next disk rebuild, typically the next time the nodes are rebooted.

Qualifiers

None.

Reserved to LJK Software for use in starting LJK/Security software over DECnet connections.

Format

$ LJK/SECURITY REMOTE

or

LJKSÑ REMOTE

restrictions

• You must have the facility-specific identifier LJK$SECURITY_ROLE_STARTUP, LJK$SECURITY_REMOTE or LJK$SECURITY_ALL.
• On systems prior to VAX VMS V6.0 or systems which do not have a Rights List database, you must have the SECURITY privilege.

Parameters

None.

Description

This command is used by LJK Software to start LJK/Security software over DECnet connections.

Qualifiers

None.

Give the results of a completed assessment.

Format

$ LJK/SECURITY REPORT -

assessment-name

or

LJKSÑ REPORT -

assessment-name

restrictions

• You must have the facility-specific identifier LJK$SECURITY_ROLE_REVIEW, LJK$SECURITY_REPORT or LJK$SECURITY_ALL.
• On systems prior to VAX VMS V6.0 or systems which do not have a Rights List database, you must have the SECURITY privilege.

Parameters

assessment-name

Name of the assessment.

Description

Give the results of a completed assessment. Along with each report of a test failure is included any /COMMENT value specified in setting the value of the LIMIT (not exemptions¹ for that test.

The command

$ LJK/SECURITY REPORT <assessment-name>

may return to DCL the special non-failure status

%LJK-I-NOTCOMPLETE, This assessment has not completed on all nodes

indicating a later check might be appropriate. That situation can be checked with the DCL test

$ IF $SEVERITY .EQ. 3

Qualifiers

/NODE=(node-name,...)

Specifies particular tributary nodes to be included in the report.

/OMIT_NODE=(node-name,...)

Specifies particular tributary nodes to be excluded from the report.

/OUTPUT (D)

/OUTPUT=file-spec

/NOOUTPUT

Specifies the destination of the output listing. If /OUTPUT is specified without a value (the default) the listing is sent to SYS$OUTPUT.

/STATUS_ONLY

/NOSTATUS_ONLY (D)

The report is to contain only indications as to the completion of the assessment. The /SUMMARY and /STATUS_ONLY qualifiers cannot be used together.

/SUMMARY=(COMMENT,TEST)

/SUMMARY=COMMENT

/SUMMARY=TEST (D)

Specifies that just a summary of assessment results should be given, showing the total number of violations found:

• /SUMMARY=COMMENT
  Summarize according to the full text of /COMMENT values.
  
• /SUMMARY=(COMMENT,TEST)
  Summarize according to test names.
  
• /SUMMARY=TEST
  Summarize first according to the full text of /COMMENT values and second according to test names.

The /SUMMARY and /STATUS_ONLY qualifiers cannot be used together.

/TESTNAMES (D)

/NOTESTNAMES

The report is to contain names of LJK/Security tests in addition to the result text.

Example

$ LJK/SECURITY REPORT
      

Display a report on the user terminal.

$ LJK/SECURITY REPORT/OUTPUT=SYS$LOGIN:RESULTS.LIS
      

Store a report in the specified file on disk.

RUN

Start the collection of security data from tributary nodes.

Format

$ LJK/SECURITY RUN -

assessment-name

or

LJKSÑ RUN -

assessment-name

restrictions

• You must have the facility-specific identifier LJK$SECURITY_ROLE_OPERATE, LJK$SECURITY_RUN or LJK$SECURITY_ALL.
• On systems prior to VAX VMS V6.0 or systems which do not have a Rights List database, you must have the SECURITY privilege.

Parameters

assessment-name

Name of the assessment.

Description

Start the collection of security data from tributary nodes.

Qualifiers

/AFTER=absolute-time

/NOAFTER (D)

Requests that the specified assessment not be made until the specified time. If the specified time has already passed, the assessment is started immediately.

You can specify either an absolute time or a combination of absolute and delta times. See the VMS documentation for complete information on specifying time values.

/INTERVAL=delta-time

/NOINTERVAL (D)

Requests that the specified assessment be re-run at regular intervals. See the VMS documentation for complete information on specifying delta time values.

If you specify both /AFTER=absolute-time and /INTERVAL=delta-time, the first assessment will be made at <absolute-time> and after that subsequent assessments will be made every <delta-time>.

When specifying /INTERVAL=delta-time you should ensure that <delta-time> is long enough to allow one run of an assessment to complete before the next run of that assessment is to start.

Example

$ LJK/SECURITY RUN MY_SPECIAL/AFTER="21:00"
      

Run assessment MY_SPECIAL today at 9 pm.

$ LJK/SECURITY RUN WEEKLY_FULL/AFTER="TOMORROW+0-03"/INTERVAL="7-"
      

Run assessment WEEKLY_FULL at 3 am tomorrow and every week thereafter.

Display node, policy and transport-medium associations from an existing assessment.

Format

$ LJK/SECURITY SHOW ASSESSMENT -

assessment-name

or

LJKSÑ SHOW ASSESSMENT -

assessment-name

restrictions

• You must have the facility-specific identifier LJK$SECURITY_ROLE_REVIEW, LJK$SECURITY_ROLE_POLICY, LJK$SECURITY_SHOW_ASSESSMENT or LJK$SECURITY_ALL.
• On systems prior to VAX VMS V6.0 or systems which do not have a Rights List database, you must have the SECURITY privilege.

Parameters

assessment-name

Name of the assessment to be modified.

As described in Section H.8, DCL Symbol Processing, DCL symbol substitution may be used for this parameter, even when using the Subsystem Command Format.

Description

• If the assessment name includes wildcard characters:
  Displays a list of all assessment names.
• If the assessment name gives an exact name:
  Reads a assessment from disk and displays its node, policy and transport-medium associations.

Qualifiers

/AUDIT

/NOAUDIT (D)

Specifies whether information about assessment changes is displayed.

/HISTORY

/NOHISTORY (D)

Specifies that historical assessment contents be displayed in addition to current ones. By default only current assessment contents are displayed.

/OUTPUT[=SYS$OUTPUT] (D)

/OUTPUT=file-spec

/NOOUTPUT

Specifies the destination of the output listing. If /OUTPUT is specified without a value (the default) the listing is sent to SYS$OUTPUT.

Example

$ LJK/SECURITY SHOW ASSESSMENT MY_ASSESSMENT
      

Display the node, policy and transport-medium associations for the subject assessment.

$ LJK/SECURITY SHOW ASSESSMENT *_TEMP/OUTPUT=ASSESSMENT.LIS
      

Create a list of the names of all assessments that end in "_TEMP".

Display information about tributary nodes currently authorized for this copy of LJK/Security.

Format

$ LJK/SECURITY SHOW NODES

or

LJKSÑ SHOW NODES

restrictions

• You must have the facility-specific identifier LJK$SECURITY_ROLE_REVIEW, LJK$SECURITY_ROLE_POLICY, LJK$SECURITY_SHOW_NODES or LJK$SECURITY_ALL.
• On systems prior to VAX VMS V6.0 or systems which do not have a Rights List database, you must have the SECURITY privilege.

Parameters

None.

Description

The LJK/Security license terms say a license can be moved to another node as often as each 30 days. If you want to move LJK/Security from one tributary to another, use the command SHOW NODES to see which tributary nodes have had LJK/Security installed for more than 30 days.

Qualifiers

/OUTPUT[=SYS$OUTPUT] (D)

/OUTPUT=file-spec

/NOOUTPUT

Specifies the destination of the output listing. If /OUTPUT is specified without a value (the default) the listing is sent to SYS$OUTPUT.

Example

$ LJK/SECURITY SHOW NODES/OUTPUT=NODES.LIS
      

Create a list of the nodes currently occupying LJK/Security license slots.

$ LJK/SECURITY SHOW NODES
%LJK-I-NODENOW, node ATHENS license slot can be freed now by:
        a. removing LJK/Security from the node
                and
        b. modifying assessments /NOPOLICY for the node
%LJK-I-NODENOW, node PLUTO license slot can be freed now by:
        a. removing LJK/Security from the node
                and
        b. modifying assessments /NOPOLICY for the node
%LJK-I-NODENOW, node RQ54J license slot can be freed now by:
        a. removing LJK/Security from the node
                and
        b. modifying assessments /NOPOLICY for the node
%LJK-I-NODELATER, node TESTME license slot can be freed after after 22-FEB-2005 19:23:55.50
%LJK-I-NODELATER, node NEWVAX license slot can be freed after after 22-FEB-2005 19:40:59.03
      

Display a list of the nodes currently occupying LJK/Security license slots. The listing of each node indicates whether or not it has been occupying its license slot for the required 30 days.

Display the limits and/or exemptions of an existing policy.

Format

$ LJK/SECURITY SHOW POLICY -

policy-name

or

LJKSÑ SHOW POLICY -

policy-name

restrictions

• You must have the facility-specific identifier LJK$SECURITY_ROLE_REVIEW, LJK$SECURITY_ROLE_POLICY, LJK$SECURITY_SHOW_POLICY or LJK$SECURITY_ALL.
• On systems prior to VAX VMS V6.0 or systems which do not have a Rights List database, you must have the SECURITY privilege.

Parameters

policy-name

Name of the policy to be modified.

As described in Section H.8, DCL Symbol Processing, DCL symbol substitution may be used for this parameter, even when using the Subsystem Command Format.

Description

• If the policy name includes wildcard characters:
  Displays a list of all policy names.
• If the policy name gives an exact name:
  Reads a policy from disk and displays its limits and/or exemptions.

Qualifiers

/AUDIT

/NOAUDIT (D)

Specifies whether information about policy changes is displayed.

/COMMAND_PROCEDURE

/NOCOMMAND_PROCEDURE (D)

Specifies whether the policy information is displayed in the format of a command procedure that could be edited to apply the same policy elements to another policy, as discussed in Section 7.9, SHOW POLICY/COMMAND_PROCEDURE. This qualifier is most useful in conjunction with the /OUTPUT= qualifier or with a particular /TEST= specification.

/EXEMPTIONS (D)

/NOEXEMPTIONS

Specifies that exemptions be displayed (the default).

/HISTORY

/NOHISTORY (D)

Specifies that historical limits and/or exemptions be displayed in addition to current ones. By default only current limits and/or exemptions are displayed.

/LIMITS (D)

/NOLIMITS

Specifies that limits be displayed (the default).

/OUTPUT[=SYS$OUTPUT] (D)

/OUTPUT=file-spec

/NOOUTPUT

Specifies the destination of the output listing. If /OUTPUT is specified without a value (the default) the listing is sent to SYS$OUTPUT.

/SELECTOR=value

/NOSELECTOR (D)

Specifies that only limits and exemptions for a particular selector be displayed.

/TEST=(facility,element,constraint)

Specifies the name of a single test whose limits and/or exemptions are to be shown.

Example

$ LJK/SECURITY SHOW POLICY MY_POLICY
      

Show all limits and exemptions of the specified policy.

$ LJK/SECURITY SHOW POLICY MY_POLICY/TEST=(UAF,PWDMINLEN,ABSOLUTLO)/EXEMPTIONS
      

Show only limits and exemptions of the specified test within the specified policy.