LJK/Security Reference Manual

Part

Part Site-Specific Customization

Chapter 7

7 Policy Modification

     7.1     Disables

     7.2     Limits

     7.3     Exemptions

     7.4     Audit history

     7.5     Tri-valued logic

     7.6     Boolean customization techniques

     7.7     Numeric customization techniques

     7.8     Policy Performance Considerations

     7.9     SHOW POLICY/COMMAND_PROCEDURE

Chapter 8

8 Assessment Modification

     8.1     Adding and Removing Nodes from the Assessment

     8.2     Changing Policies Applied to Nodes

     8.3     Changing Request Media

     8.4     Changing Result Media

     8.5     Changing Media Protection

     8.6     Audit history

Chapter 9

9 Using Program Call Interfaces

     9.1     Master Node Invocation Entrypoints

         9.1.1         Parsing Entrypoints

             9.1.1.1             LJK$SECURITY_PARSE_DCL entry

             9.1.1.2             LJK$SECURITY_PARSE_CLI entry

             9.1.1.3             LJK$SECURITY_PARSE_FOREIGN entry

         9.1.2         Execution Entrypoint

             9.1.2.1             LJK$SECURITY_EXECUTE entry

     9.2     Tributary Node Callback Entrypoint

         9.2.1         Linking of Customer-Provided Software

         9.2.2         Distribution of Customer-Provided Software

         9.2.3         LJK$SECURITY_SITE_CHECKSUM callback

             9.2.3.1             Specialized use of the Limit

             9.2.3.2             Specialized use of Exemptions

     9.3     Detailed Entrypoint Descriptions

    Command 228     LJK$SECURITY_PARSE_DCL

    Command 229     LJK$SECURITY_PARSE_CLI

    Command 230     LJK$SECURITY_PARSE_FOREIGN

    Command 231     LJK$SECURITY_EXECUTE

    Command 232     LJK$SECURITY_SITE_CHECKSUM

Chapter 10

10 Using LJK/Security With Removable Media

     10.1     Reasons

     10.2     Software Installation

     10.3     Request Transmission

     10.4     Result Transmission

     10.5     Relation to Labeling

         10.5.1         No File Deletion

         10.5.2         Avoiding Premounted Media

Chapter 11

11 Tips for Special Situations

     11.1     Generating "Work Papers"for Auditors

     11.2     Tracking Usernames

         11.2.1         Tracking Username Presence

         11.2.2         Tracking Username Enabling

     11.3     Operating in a Classified Environment

         11.3.1         No DECnet

         11.3.2         Requests Must be Generated at the Lowest Security Level

         11.3.3         Results Must be Reported at the Highest Security Level

             11.3.3.1             Recommended Technique: Period Processing on the Master Node

Part

Part Appendices

Appendix A

Appendix A Master Node Installation

     A.1     Using VMSINSTAL.COM

     A.2     Using PRODUCT INSTALL

Appendix B

Appendix B Tributary Node Installation

Appendix C

Appendix C Moving the Software

     C.1     Removing LJK/SecuritySoftware

         C.1.1         Removing from a Tributary Node

         C.1.2         Removing from a Master Node

Appendix D

Appendix D Demonstration

Appendix E

Appendix E Other VMS Security Considerations

Appendix F

Appendix F Files Created by LJK/Security

     F.1     Naming Conventions

     F.2     Standard File Types

     F.3     LJK/Security-specific File Types

Appendix G

Appendix G Bug Reports

     G.1     Isolating the Problem

     G.2     Log Files

     G.3     Getting an Initial Opinion

     G.4     Collecting information for LJK Software

Appendix H

Appendix H Hints and Kinks

     H.1     LJK/Security Version Compatibility

     H.2     Tributary node disk space

         H.2.1         With disk quotas

         H.2.2         Without disk quotas

     H.3     Changing Template Terminal UCB Characteristics

     H.4     Autologin file record length

     H.5     Avoiding PRODUCT INSTALL

     H.6     REPORT RESULT output

     H.7     Renaming and Copying Files

     H.8     DCL Symbol Processing

     H.9     Analyzing Network Problems

         H.9.1         SS$_LINKEXIT

Appendix I

Appendix I Use of Privilege by LJK/Security

     I.1     Reading and Writing Policy, Assessment and Result Files

     I.2     Reading the User Authorization File

     I.3     Getting a List of All Devices

     I.4     Checking Disk File Protection and Backup Date

     I.5     Checking Disk Quota Values

     I.6     Synchronizing between LJK/Security Processes

     I.7     Setting up LJK/Security DECnet Object Database Entries

     I.8     Reading DECnet Database Entries

     I.9     Creating Detached LJK/Security Processes

     I.10     Reading Files for Kit Building

     I.11     Parsing the User Authorization File Specification

     I.12     Reading Accounting State

     I.13     Reading Audit State

     I.14     Reading Device Access Control Lists

     I.15     Reading Terminal Access Control Lists

     I.16     Reading the System Rightslist

     I.17     Reading the list of Installed Images

     I.18     Highwater Marking and Erase-on-Delete

     I.19     Checking Privilege

     I.20     System Owned Locks

     I.21     Creating detached processes running LOGINOUT

     I.22     Calling SYS$IDTOASC

Part
Part	Site-Specific Customization
Chapter 7
7	Policy Modification
7.1	Disables
7.2	Limits
7.3	Exemptions
7.4	Audit history
7.5	Tri-valued logic
7.6	Boolean customization techniques
7.7	Numeric customization techniques
7.8	Policy Performance Considerations
7.9	SHOW POLICY/COMMAND_PROCEDURE
Chapter 8
8	Assessment Modification
8.1	Adding and Removing Nodes from the Assessment
8.2	Changing Policies Applied to Nodes
8.3	Changing Request Media
8.4	Changing Result Media
8.5	Changing Media Protection
8.6	Audit history
Chapter 9
9	Using Program Call Interfaces
9.1	Master Node Invocation Entrypoints
9.1.1	Parsing Entrypoints
9.1.1.1	LJK$SECURITY_PARSE_DCL entry
9.1.1.2	LJK$SECURITY_PARSE_CLI entry
9.1.1.3	LJK$SECURITY_PARSE_FOREIGN entry
9.1.2	Execution Entrypoint
9.1.2.1	LJK$SECURITY_EXECUTE entry
9.2	Tributary Node Callback Entrypoint
9.2.1	Linking of Customer-Provided Software
9.2.2	Distribution of Customer-Provided Software
9.2.3	LJK$SECURITY_SITE_CHECKSUM callback
9.2.3.1	Specialized use of the Limit
9.2.3.2	Specialized use of Exemptions
9.3	Detailed Entrypoint Descriptions
Command 228	LJK$SECURITY_PARSE_DCL
Command 229	LJK$SECURITY_PARSE_CLI
Command 230	LJK$SECURITY_PARSE_FOREIGN
Command 231	LJK$SECURITY_EXECUTE
Command 232	LJK$SECURITY_SITE_CHECKSUM
Chapter 10
10	Using LJK/Security With Removable Media
10.1	Reasons
10.2	Software Installation
10.3	Request Transmission
10.4	Result Transmission
10.5	Relation to Labeling
10.5.1	No File Deletion
10.5.2	Avoiding Premounted Media
Chapter 11
11	Tips for Special Situations
11.1	Generating "Work Papers"for Auditors
11.2	Tracking Usernames
11.2.1	Tracking Username Presence
11.2.2	Tracking Username Enabling
11.3	Operating in a Classified Environment
11.3.1	No DECnet
11.3.2	Requests Must be Generated at the Lowest Security Level
11.3.3	Results Must be Reported at the Highest Security Level
11.3.3.1	Recommended Technique: Period Processing on the Master Node
Part
Part	Appendices
Appendix A
Appendix A	Master Node Installation
A.1	Using VMSINSTAL.COM
A.2	Using PRODUCT INSTALL
Appendix B
Appendix B	Tributary Node Installation
Appendix C
Appendix C	Moving the Software
C.1	Removing LJK/SecuritySoftware
C.1.1	Removing from a Tributary Node
C.1.2	Removing from a Master Node
Appendix D
Appendix D	Demonstration
Appendix E
Appendix E	Other VMS Security Considerations
Appendix F
Appendix F	Files Created by LJK/Security
F.1	Naming Conventions
F.2	Standard File Types
F.3	LJK/Security-specific File Types
Appendix G
Appendix G	Bug Reports
G.1	Isolating the Problem
G.2	Log Files
G.3	Getting an Initial Opinion
G.4	Collecting information for LJK Software
Appendix H
Appendix H	Hints and Kinks
H.1	LJK/Security Version Compatibility
H.2	Tributary node disk space
H.2.1	With disk quotas
H.2.2	Without disk quotas
H.3	Changing Template Terminal UCB Characteristics
H.4	Autologin file record length
H.5	Avoiding PRODUCT INSTALL
H.6	REPORT RESULT output
H.7	Renaming and Copying Files
H.8	DCL Symbol Processing
H.9	Analyzing Network Problems
H.9.1	SS$_LINKEXIT
Appendix I
Appendix I	Use of Privilege by LJK/Security
I.1	Reading and Writing Policy, Assessment and Result Files
I.2	Reading the User Authorization File
I.3	Getting a List of All Devices
I.4	Checking Disk File Protection and Backup Date
I.5	Checking Disk Quota Values
I.6	Synchronizing between LJK/Security Processes
I.7	Setting up LJK/Security DECnet Object Database Entries
I.8	Reading DECnet Database Entries
I.9	Creating Detached LJK/Security Processes
I.10	Reading Files for Kit Building
I.11	Parsing the User Authorization File Specification
I.12	Reading Accounting State
I.13	Reading Audit State
I.14	Reading Device Access Control Lists
I.15	Reading Terminal Access Control Lists
I.16	Reading the System Rightslist
I.17	Reading the list of Installed Images
I.18	Highwater Marking and Erase-on-Delete
I.19	Checking Privilege
I.20	System Owned Locks
I.21	Creating detached processes running LOGINOUT
I.22	Calling SYS$IDTOASC

Contents

Index