LJK/Security Reference Manual
SHUTDOWN
Perform an orderly shutdown of the LJK/Security master
process.
Format
$ LJK/SECURITY SHUTDOWN
or
LJKS> SHUTDOWN
| Command Qualifiers | Defaults |
| None. | None. |
Restrictions
- You must have the facility-specific identifier
LJK$SECURITY_ROLE_STARTUP, LJK$SECURITY_SHUTDOWN or LJK$SECURITY_ALL.
- On systems prior to VAX VMS V6.0 or systems which do not have a
Rights List database, you must have the SECURITY privilege.
Parameters
None.
Description
LJK/Security starts a permanent detached master
process on each master node, typically with a
process name of "LJK/Security".
When a new version of LJK/Security is installed, this command is
automatically invoked by the installation command procedure to shut
down the master process which is running the previous
version.
Although this command is available for explicit use, there are no
particular circumstances in which SHUTDOWN is recommended by
LJK Software.
Qualifiers
None.
STOP
Stop the collection of security data from tributary nodes.
Format
$ LJK/SECURITY STOP -
assessment-name
or
LJKS> STOP -
assessment-name
| Command Qualifiers | Defaults |
| None. | None. |
Restrictions
- You must have the facility-specific identifier
LJK$SECURITY_ROLE_OPERATE, LJK$SECURITY_STOP or LJK$SECURITY_ALL.
- On systems prior to VAX VMS V6.0 or systems which do not have a
Rights List database, you must have the SECURITY privilege.
Parameters
assessment-name
Name of the assessment.
Description
Stop the collection of security data from tributary nodes.
This does not affect future scheduled runs of the specified
assessment. That is accomplished with the CANCEL command.
Qualifiers
None.
Example
$ LJK/SECURITY STOP MY_SPECIAL
Stop current collection of assessment MY_SPECIAL from remote nodes.
Tests
For a complete list of tests performed by
LJK/Security, read:
Chapter 6
LJK/Security Tests
This chapter lists each of the tests that can be performed by LJK/Security.
Specification of tests
Each LJK/Security test is specified by a set of three
names: facility, element, and
constraint.
- Facility
Section of VMS or layered product being tested. (See note 1.)
- Element
Particular parameter or security-relevant item being tested.
- Constraint
Exact condition being tested (value too low, value too high, etc.).
Modification mechanism
As explained in Section 1.4.3 and Chapter 7, the two policy items
associated with individual tests are limits and exemptions. The exact
method for making a modification depends on which interface you are
using, as described elsewhere in this manual:
- Window Interface - A Policy Dialog Box created using techniques
described in Chapter 3
- Menu Interface - The CUSTOMIZE menu accessed using techniques
described in Chapter 4
- Command Interface - The MODIFY POLICY command described in
Chapter 5
Items which can be modified
Using the appropriate modification technique, the following policy
items can be modified for individual tests:
- Value
For a limit, this is a standard against which comparison is made on
the tributary node.
For an exemption, this is a relaxed standard against which suspected
violations are compared on the master node.
If an aspect of the tributary node violates a limit when compared on
the tributary node but then is allowed by an exemption on the master
node, no violation is reported.
- Parameters (only for exemptions)
For an exemption, these specify under what condition the exemption
will apply. The first parameter is always the (possibly wildcarded)
node name.
The meaning of the second parameter differs according to the
facility to which the test belongs:
- DEVICE tests
the device name (possibly wildcarded)
- DISK tests
the volume name or file specification (possibly wildcarded)
- TERM tests
the device name (possibly wildcarded)
- UAF tests
the username (possibly wildcarded)
- Selector (optional, but only for certain tests)
For certain tests (listed in the next section), a
selector specifies a subdivision of the test on a
further basis.
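The two-stage comparison described under Value and Parameters, as an added sketch (not LJK/Security code): a limit is checked on the tributary node, then the master node drops any suspected violation that a node-name exemption allows. The policy values, node names, function names and the `*`/`%` wildcard syntax are assumptions made for the illustration.

```python
from fnmatch import fnmatchcase

# Constructed ACC policy. Limits: (element, constraint) -> TRUE/FALSE value.
LIMITS = {("BATCH", "REQUIRED"): True, ("BATCH", "PROHIBITED"): False,
          ("IMAGE", "REQUIRED"): False, ("IMAGE", "PROHIBITED"): False}
# Exemptions: (element, constraint, relaxed value, node-name pattern).
EXEMPTIONS = [("BATCH", "REQUIRED", False, "LAB*")]

def violates(constraint, value, enabled):
    """True when the observed state breaks a constraint whose value is TRUE."""
    if constraint == "REQUIRED":
        return value and not enabled
    if constraint == "PROHIBITED":
        return value and enabled
    raise ValueError(f"unknown constraint: {constraint}")

def node_matches(pattern, node):
    """Assumed wildcard syntax: * (any run of characters), % (one character)."""
    return fnmatchcase(node.upper(), pattern.upper().replace("%", "?"))

def tributary_check(observed, limits=LIMITS):
    """Stage 1 (tributary node): compare observed settings with the limits."""
    return [(el, con) for (el, con), value in sorted(limits.items())
            if el in observed and violates(con, value, observed[el])]

def master_check(node, observed, suspected, exemptions=EXEMPTIONS):
    """Stage 2 (master node): drop suspects that a matching exemption allows."""
    reported = []
    for el, con in suspected:
        relaxed = [value for e, c, value, pattern in exemptions
                   if (e, c) == (el, con) and node_matches(pattern, node)]
        if any(not violates(con, value, observed[el]) for value in relaxed):
            continue  # allowed by an exemption: no violation is reported
        reported.append((el, con))
    return reported

def assess(node, observed):
    """Run both stages for one node and return the violations to report."""
    return master_check(node, observed, tributary_check(observed))

# Constructed sample: batch accounting is disabled on the node being assessed.
SAMPLE = {"BATCH": False, "IMAGE": False}
```

With this constructed policy, the same disabled-batch state is reported for a node named PROD01 but suppressed for LAB01, which the `LAB*` exemption covers.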
Use of selectors
Certain test values are actually multi-valued based on an additional
variable called a selector:
- AUDIT, BREAKIN and LOGIN and LOGFAIL and LOGOUT, ALPROHIBIT and
ALREQUIRE and AUPROHIBIT and AUREQUIRE
The selector is the name of a VMS process type: BATCH, DIALUP,
LOCAL, REMOTE, NETWORK, SUBPROCESS or DETACHED, except that BATCH and
SUBPROCESS are not applicable to BREAKIN.
- AUDIT, BYPASS and DOWNGRADE and FAILURE and GRPPRV and READALL and
SUCCESS and SYSPRV and UPGRADE, ALPROHIBIT and ALREQUIRE and AUPROHIBIT
and AUREQUIRE
The selector is the name of a VMS access type: READ, WRITE,
EXECUTE, DELETE or CONTROL. LOGICAL and PHYSICAL access to devices are
indicated by EXECUTE and DELETE respectively.
- AUDIT, PRVFAIL and PRVSUCC, ALPROHIBIT and ALREQUIRE and AUPROHIBIT
and AUREQUIRE
The selector is the name of a VMS privilege.
- DEVICE, PROTECTION, PERCENTLO and PERCENTHI
The selector is the name of a VMS access type: READ, WRITE,
LOGICAL, PHYSICAL or CONTROL.
- DISK, DBMSPROT and DIRPROT and FILEPROT and MAILPROT and NOTESPROT
and RDBVMSPROT and SYSEXEPROT and CHECKPROT and PROTECTION, PERCENTLO
and PERCENTHI
The selector is the name of a VMS access type: READ, WRITE,
EXECUTE, DELETE or CONTROL.
- DISK, INSTPRIV, PRIVPROHIB
The selector is the name of a VMS privilege.
- TERM, AUTOLOGIN, PRIVPROHIB
The selector is the name of a VMS privilege.
- TERM, PROTECTION, PERCENTLO and PERCENTHI
The selector is the name of a VMS access type: READ, WRITE,
LOGICAL, PHYSICAL or CONTROL.
- UAF, DAYMUSTBE, PRIMARY and SECONDARY
The selector is the name of a day of the week.
- UAF, PRIVILEGE, AUTHREQUIR and AUTHPROHIB and DEFREQUIR and
DEFPROHIB
The selector is the name of a VMS privilege.
- UAF, GRPNAM and GRPPRV and PRIVLGILAT and PRIVLGINET and PRIVLGIPRX
and PRIVLGIREM and PRIVLGITCP and PRIVLGIX29, PRIVPROHIB
The selector is the name of a VMS privilege.
- UAF, PWDGUESS, TRIES
The selector is the name of a VMS privilege or the name of a VMS
privilege level.
- UAF, PWDLIFE, ABSOLUTLO and ABSOLUTHI
The selector is the name of a VMS privilege or the name of a VMS
privilege level.
- UAF, PWDMINLEN, ABSOLUTLO and ABSOLUTHI
The selector is the name of a VMS privilege or the name of a VMS
privilege level.
- UAF, UICPRIV, PRIVPROHIB
The selector is the name of a VMS privilege.
- VMS, SYSTEMLGI, PROHIBITED and REQUIRED
The selector is one of the login types: LOCAL, DIALUP, REMOTE,
NETWORK, BATCH.
- VMS, SECPOLICY, PROHIBITED and REQUIRED
The selector is one of the security policy bits introduced with VAX
VMS v6.0 and later: DPS, MULTIDECW, TRANSPORTS, CROSSJOB, LOCPROFILE,
LOCOBJECT, CAPTIVESPAWN, COMPRESSMAC, UPPERCASEINPUT, GUARDPASSWORDS,
DOIAUTHORIZATION, IGNOREEXTAUTH, INTRUSIONSLOCAL, USEPOSIXUIDGID.
For more information on the effect of a selector, see the description
of the individual tests later in this chapter.
Note
1 Names may or may not correspond to official VMS facility names.
6.1 ACC Tests
Tests in the ACC facility deal with use of VMS
Accounting features on a machine.
Exemptions are based on node name.
In establishing a policy for the ACC facility, it is important to be
aware of the interaction between VMS Accounting controls. Five of the
controls select types of processes for which accounting records are to
be written:
- Batch
- Detached
- Interactive
- Network
- Subprocess
But those five controls are effective only in combination with one or
both of the following controls, specifying the types of accounting
records to be written:
- Image
- Process
Independent of the interaction between those seven controls, three
other controls act independently to govern the writing of specific
types of accounting records:
The interaction between the first two groups of controls listed is one
which historically has not been understood by many VMS system managers.
That lack of understanding has been exploited by successful attackers
to hide the fact that they have gained privileged access to a machine.
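The interaction described above can be checked mechanically. The following added example (not part of the manual or of LJK/Security) classifies each process type a policy requires as written, selected but silent, or disabled, given the set of enabled accounting controls. The control spellings follow the test names in this section and the /ENABLE=IMAGE and /ENABLE=PROCESS wording of the descriptions below; the function names and sample sets are assumptions.

```python
# Element-style names for the five process-type controls and the two
# record-type controls; the spellings are assumptions modelled on this page.
PROCESS_TYPES = {"BATCH", "DETACHED", "INTERACT", "NETWORK", "SUBPROCESS"}
RECORD_TYPES = {"IMAGE", "PROCESS"}

def termination_records(enabled):
    """Map each process type to the termination record types written for it."""
    enabled = {name.upper() for name in enabled}
    records = enabled & RECORD_TYPES
    return {ptype: (set(records) if ptype in enabled else set())
            for ptype in sorted(PROCESS_TYPES)}

def audit_required(enabled, required):
    """Classify each required process type.

    'ok'       selected, and IMAGE and/or PROCESS records are written
    'silent'   selected, but neither IMAGE nor PROCESS is enabled,
               so no termination record is written for it
    'disabled' not selected at all
    """
    enabled = {name.upper() for name in enabled}
    written = termination_records(enabled)
    result = {}
    for ptype in sorted(required):
        if ptype not in enabled:
            result[ptype] = "disabled"
        elif written.get(ptype):
            result[ptype] = "ok"
        else:
            result[ptype] = "silent"
    return result

# Constructed samples. SILENT_NODE selects every process type but enables
# neither record type; LOGFAIL is one of the independently acting controls.
SILENT_NODE = {"BATCH", "DETACHED", "INTERACT", "NETWORK", "SUBPROCESS",
               "LOGFAIL"}
HEALTHY_NODE = SILENT_NODE | {"PROCESS"}
```

A node in the 'silent' state has every process-type control enabled yet writes no termination records, which is the misunderstood combination the paragraph above warns about.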
BATCH
Determine whether generation of Batch process termination accounting
records conforms to policy.
Violation reports
| Constraint | Nature of the violation |
| PROHIBITED | Batch accounting is enabled in violation of policy |
| REQUIRED | Batch accounting is disabled in violation of policy |
Description
Use of the qualifier /ENABLE=BATCH with the SET ACCOUNTING command
causes process or image termination records for batch jobs to be
written to the VMS accounting file (only if /ENABLE=IMAGE or
/ENABLE=PROCESS has also been specified).
Default policy
Enabling of batch accounting is required.
Customizing
Set limit REQUIRED to be FALSE to remove the general requirement that
batch accounting be enabled.
Limits
| Constraint | Value | Default |
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
Accounting records provide more information regarding resource usage
than logout security alarms.
DETACHED
Determine whether generation of detached process termination accounting
records conforms to policy.
Violation reports
| Constraint | Nature of the violation |
| PROHIBITED | Detached accounting is enabled in violation of policy |
| REQUIRED | Detached accounting is disabled in violation of policy |
Description
Use of the qualifier /ENABLE=DETACHED with the SET ACCOUNTING command
causes process or image termination records for detached jobs to be
written to the VMS accounting file (only if /ENABLE=IMAGE or
/ENABLE=PROCESS has also been specified).
Default policy
Enabling of detached accounting is required.
Customizing
Set limit REQUIRED to be FALSE to remove the general requirement that
detached accounting be enabled.
Limits
| Constraint | Value | Default |
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
Accounting records provide more information regarding resource usage
than logout security alarms.
IMAGE
Determine whether generation of image termination accounting records
conforms to policy.
Violation reports
| Constraint | Nature of the violation |
| PROHIBITED | Image accounting is enabled in violation of policy |
| REQUIRED | Image accounting is disabled in violation of policy |
Description
Use of the qualifier /ENABLE=IMAGE with the SET ACCOUNTING command
causes image termination records to be written to the VMS accounting
file.
Default policy
Enabling of image accounting is neither prohibited nor required.
Customizing
Set limit REQUIRED to be TRUE to add a general requirement that image
accounting be enabled.
Limits
| Constraint | Value | Default |
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
Recording image termination accounting records greatly increases the
disk space needed for the accounting file.
INTERACT
Determine whether generation of interactive process termination
accounting records conforms to policy.
Violation reports
| Constraint | Nature of the violation |
| PROHIBITED | Interactive accounting is enabled in violation of policy |
| REQUIRED | Interactive accounting is disabled in violation of policy |
Description
Use of the qualifier /ENABLE=INTERACT with the SET ACCOUNTING command
causes process or image termination records for interactive jobs to be
written to the VMS accounting file (only if /ENABLE=IMAGE or
/ENABLE=PROCESS has also been specified).
Default policy
Enabling of interactive accounting is required.
Customizing
Set limit REQUIRED to be FALSE to remove the general requirement that
interactive accounting be enabled.
Limits
| Constraint | Value | Default |
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
Accounting records provide more information regarding resource usage
than logout security alarms.
LOGFAIL
Determine whether generation of login failure accounting records
conforms to policy.
Violation reports
| Constraint | Nature of the violation |
| PROHIBITED | Logfail accounting is enabled in violation of policy |
| REQUIRED | Logfail accounting is disabled in violation of policy |
Description
Use of the qualifier /ENABLE=LOGFAIL with the SET ACCOUNTING command
causes login failure records to be written to the VMS accounting file.
Default policy
Enabling of logfail accounting is required.
Customizing
Set limit REQUIRED to be FALSE to remove the general requirement that
logfail accounting be enabled.
Limits
| Constraint | Value | Default |
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE or TRUE | TRUE |
Exemptions
| Constraint | Value | Parameters |
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
Login failure accounting records do not provide any more information
than login failure security alarms.