Introduction

POLYCENTER Security CM allows you to create your own test collections using your choice of supported programming language (for example, DCL) and include them in inspectors. This chapter provides information and guidelines for creating your own test collections and successfully integrating them in POLYCENTER Security CM.

In This Chapter

This chapter contains the following sections:

• The executor and user-defined tests
• Guidelines for creating your own test collections
• Including user-defined test collections

2.1 The Executor and User-Defined Tests

Summary

To successfully create and use your own test collections, you need a basic understanding of how the executor will deal with your tests. This section provides you with that explanation.

Understanding How the Executor Works

When an inspection is due to run, the executor analyzes the required work and creates the data structures and the logical names necessary to communicate with the test programs. When initialization is complete, the executor spawns subprocesses that run the programs that correspond to the user-defined test collections.

The executor takes the name of the user-defined program entered in the User Written Programs Dialog on the POLYCENTER Security Console GUI, and creates a command procedure to run this program. For example, imagine that to invoke your test you enter the program name USER$DISK1:SYS$MANAGER:MY_TEST.EXE on the GUI. The executor creates the following command procedure:

$ RUN USER$DISK1:SYS$MANAGER:MY_TEST.EXE

Then, when you run an inspector, the subprocess runs this command procedure and invokes your user-defined test collection. As long as your test collections follow the protocols described in the rest of this chapter, the results are included with the rest of the results for the inspector.

When test programs complete, the user-defined test programs call the SYS$EXIT system service to indicate the final result, Pass or Fail. This result is written to a termination mailbox, which the executor assigns to the subprocess and which the executor maintains to synchronize test completion. The status written to the termination mailbox is then stored in a database for later use.

After all user-defined test programs are complete, the executor reads the partial report segment generated by those programs. Whether the results are pass or fail, the partial report segments are included in the total report.

After all user-defined test programs are complete, the executor assembles the final lockdown and unlockdown files. If a user-defined test program passed, its assigned lockdown file is ignored. If a test program fails, its assigned lockdown file is appended to the total lockdown file.

2.2 Guidelines for Creating Your Own Test Collections

Summary

When creating user-defined test collections, there are a number of guidelines you must follow to ensure the seamless integration of your tests into POLYCENTER Security CM. This section provides a summary of these guidelines and then discusses each one in more detail.

Guidelines

The following is a summary of the guidelines.

1. Store the result you want to report in the report file pointed to by the INSPECT$UD_REPORT logical. See Reporting Results for more information.
2. Store any lockdown code in the file pointed to by the INSPECT$UD_LOCKDOWN logical and any unlockdown code in the file pointed to by the INSPECT$UD_UNLOCKDOWN logical. You must store code in DCL format. See Generating Lockdown Code for more information.
3. Open and initialize the report file and lockdown file. Both files must be new.
4. Perform tests. If the tests find noncompliant conditions, write appropriate report text to the report file and lockdown code to the lockdown file. Record the overall status.
5. Close the report file and lockdown file.
6. Define the INSPECT$UD_ITEMSTESTED logical and the INSPECT$UD_ITEMSFAILED logical. These logicals allow you to count the number of items that are tested and the number of items that fail the tests. See Counting Items Tested for more information.
7. If the test passes, delete the lockdown file and retain or delete the report file. Then, exit with the INSPECT$_PASS status.
   If the test fails, exit with the INSPECT$_FAIL status.

More information on each guideline is contained in the following sections.

Reporting Results

Your test collection can generate POLYCENTER Security CM report text, to describe noncompliant situations. You control the format of your report.

To include report text in the final POLYCENTER Security CM report, write the report text to the file defined by the logical name INSPECT$UD_REPORT. The job logical name table defines INSPECT$UD_REPORT to point to the file that the executor uses to build the final report. The report file must be a new file.

If a test collection passes, and you do not wish to include any informational text in the final report, delete any partial report segment you might have created.

Generating Lockdown Code

Your test collection can generate lockdown code that brings nodes into compliance with the testing performed by your test program. Your test collection can also generate unlockdown code that can reverse changes made by the lockdown code. You control the format of your lockdown and unlockdown code.

To include your lockdown commands in the final POLYCENTER Security CM lockdown command procedure, write the commands to a file defined by the logical name INSPECT$UD_LOCKDOWN. To include your unlockdown commands in the final POLYCENTER Security CM unlockdown command procedure, write the commands to a file defined by the logical name INSPECT$UD_UNLOCKDOWN. The job logical name table defines INSPECT$UD_LOCKDOWN and INSPECT$UD_UNLOCKDOWN to point to the files that the executor uses to build the final lockdown and unlockdown command procedures. These files should be new files.

If a node fails one or more of the test collections, the contents of INSPECT$UD_LOCKDOWN and INSPECT$UD_UNLOCKDOWN are appended to the total lockdown procedure. If the node passes, be sure to delete any partial lockdown segment that you might have created in anticipation of failed test collections.

Lockdown code must not rely on defaults defined outside your user-defined test. It is advisable to test the self-sufficiency of the lockdown code by separately executing the lockdown segment generated by your user-defined test.

Important Information

A user running an inspector must have the privileges required to execute the lockdown file associated with that inspector. Each supplied test allows the user sufficient privileges to execute the part of the script associated with that test. However, when including a user-defined test collection, you must make sure that the user has the required privileges. Using the POLYCENTER Security CM tool does not automatically provide privileges.

Counting Items Tested

Your test collection can track the number of items tested and the number of items that fail the tests. This information is then included in the test report. To track the number of items tested, define the logical INSPECT$UD_ITEMSTESTED in your program. To track the number of items that fail the tests, define the logical INSPECT$UD_ITEMSFAILED. You must define both of these logicals in the job logical name table (LNM$SYSTEM_TABLE).

If you do not define these logicals or you define them incorrectly, the system automatically assigns a value of 1 to INSPECT$UD_ITEMSTESTED and either 0 or 1 to INSPECT$UD_ITEMSFAILED depending on the test result.

Returning Status on Test Completion

When your test collection completes, it must return the final status to the executor. If a noncompliant condition is found, it must return a failure status. If everything passes, it must return a pass status. A status that is unknown or is not a pass status or a fail status is automatically considered to be a fail status. You must indicate how to return the status. Specify one of the following methods:

• Use the SYS$EXIT system service (for high-level languages)
• Use the DCL $ EXIT command

Using the SYS$EXIT Service

If you are using a high-level programming language, such as C, exit using the constant INSPECT$_PASS (for pass) or the constant INSPECT$_FAIL (for fail). Declare these as constants, for example:

# define INSPECT$_PASS 8618001 # define INSPECT$_PASS 8618304

Then link your program as usual.

Using the DCL EXIT Command

If you are using DCL, define DCL symbols that equate to the values of INSPECT$_PASS and INSPECT$_FAIL. The values for these are:

INSPECT$_PASS = 8618001 INSPECT$_FAIL = 8618304

When the user-defined DCL test collection completes, use $ EXIT to signal the result with the symbols already defined:

$ EXIT (INSPECT$_PASS) ! test passed $ EXIT (INSPECT$_FAIL) ! test failed

2.3 Including User-Defined Test Collections

Summary

This section contains information on tasks you must carry out to integrate user-defined test collections into a POLYCENTER Security CM inspector.

Including User-Defined Test Collections

After you create your test program, you must use the POLYCENTER Security Console GUI to include it in a test inspector. The GUI includes the User Written Programs Dialog to allow you to easily specify the name and location of your program. See the POLYCENTER Security Console for Microsoft Windows NT 4.0 Installation and User's Guide or the GUI online help for more information.

Version 2.3 User-Defined Test Programs

If you have existing test programs that you created for use with POLYCENTER Security CM Version 2.3 or 3.0, you can include them in POLYCENTER Security CM Version 3.1 without modification.

Securing User-Defined Test Programs

The owner of your user-defined test programs must be UIC [1,4]. Inspectors run only user-defined test collections whose programs are owned by UIC [1,4]. If you try to run a test collection that uses a program not owned by UIC [1,4], then POLYCENTER Security CM writes an error to the inspection report.

Introduction

This chapter explains how to carry out POLYCENTER Security CM tasks from the OpenVMS command line.

In This Chapter

This chapter contains the following sections:

• Command Line Interface overview
• Configuring POLYCENTER Security CM
• Site configuration tasks
• Executor configuration tasks
• Portal configuration tasks
• POLYCENTER SRF configuration tasks
• Viewing the executor status
• Configuring inspectors
• Managing inspectors
• Viewing log files
• Generating lockdown files
• Managing tokens
• Troubleshooting POLYCENTER Security CM
• POLYCENTER Security CM maintenance
• Starting POLYCENTER SRF

3.1 Command Line Interface Overview

Summary

This section describes the command line interface (CLI).

The CLI and the Local Node

The command line interface allows you to carry out some POLYCENTER Security CM tasks from the OpenVMS command line on the local node. It is expected that you will use the POLYCENTER Security Console GUI to perform most POLYCENTER Security CM tasks.

See the POLYCENTER Security Console GUI online help for more information.

Accessing the CLI

To access the CLI, enter the following command:

$ INSPECT

POLYCENTER Security CM displays the Main Menu.

The Main Menu

The Main Menu and prompt are displayed as follows:

1. Start PSCM. 2. PSCM Configuration. 3. Executor Status. 4. Inspector Configuration. 5. Configuration of Default Inspector. 6. Import Inspector. 7. Export Inspector. 8. View Log Files 9. Generate Lockdown Files. 10. Extract Inspector to Text File. 11. Delete Inspector. 12. Tokens. 13. PSCM Maintenance. 14. PSCM Troubleshooting. e. Exit from POLYCENTER Security Compliance Manager. Enter choice :

Choosing a Menu Item

To choose a menu item, enter the corresponding number at the Enter choice: prompt. POLYCENTER Security CM carries out the requested action or displays a submenu.

Exiting the CLI

To exit the CLI, enter e at the Enter choice: prompt.

Starting POLYCENTER Security CM

To start POLYCENTER Security CM, enter 1 at the Enter choice: prompt.

3.2 Configuring POLYCENTER Security CM

Summary

This section describes how to configure POLYCENTER Security CM parameters from the CLI.

The PSCM Configuration Menu

The CLI includes the PSCM Configuration Menu to allow you to change the values of a wide range of parameters related to to the way you set up POLYCENTER Security CM. The next 4 sections describe these tasks in detail.

Element	Description
Site Configuration	Details that are specific to your node or cluster.
Executor Configuration	Parameters related to the executor.
Portal Configuration	Parameters related to the portal.
PSRF Configuration	Parameters related to POLYCENTER Security Reporting Facility (SRF).

Using the PSCM Configuration Menu

To access the PSCM Configuration Menu, enter 2 at the Enter choice: prompt.

To access a sub-menu, for example, Site Configuration, enter the number corresponding to the menu item. To change the value of a parameter, do the following:

1. Enter the number associated with the parameter at the Enter choice: prompt.
2. Enter the new value at the Enter New Value: prompt.

3.3 Site Configuration Tasks

Summary

This section describes how to configure POLYCENTER Security CM details that are specific to your site.

Changing Values

You can change the values for the following POLYCENTER Security CM parameters by choosing the number corresponding to the parameter and then entering the new value.

• Default Inspector
  The name of the default inspector on the node. This is the inspector whose compliance status is color-coded on the POLYCENTER Security Console GUI main screen.
  Default: Example Required Inspector
• Error Destination
  The name of the account to receive error messages.
  Default: SYSTEM
• Log Detail
  The level of detail stored in the executor log file and in the portal log file. If this value is greater than 1, the portal logs the reason for any authentication errors when accessing POLYCENTER Security CM from POLYCENTER Security Console in the portal log file. The portal log file is INSPECT$PORTAL.LOG. It is stored in the area pointed to by the INSPECT$LOGS logical.
  Default: 1
• Purge Keep Inspector Job Number
  How many of the most recent jobs to retain when purging the database. The number specified here represents the number of jobs retained for each inspector.
  Default: 6
• Purge Keep Time
  Purge files older than the specified time.
  This parameter is specified in OpenVMS delta time format.
  Default: 182 0:00:00.00
• Retain Report Once Sent
  Whether reports are deleted or retained after they are mailed to the distribution list.
  Default: true
• Summary Result Depth
  The level of detailed summary results stored by POLYCENTER Security CM. This value can be one of the following:
  • 1---Summary results are stored for the inspector only. Summary results for individual subsystems and test collections are not stored.
  • 2---Summary results are stored for the inspector and for each of its subsystems. Summary results are not stored for individual test collections.
  • 3---Summary results are stored for the inspector, for each of its subsystems, and for each test collection.
  
  Default: 3
  It is recommended that you do not change this value.

3.4 Executor Configuration Tasks

Summary

This section describes how to configure the operation of the POLYCENTER Security CM executor.

Changing Values

You can change the values for the following POLYCENTER Security CM parameters by choosing the number corresponding to the parameter and then entering the new value:

• Account Login Cmd Subprocess
  Indicates whether the account login command test is performed using subprocesses.
  Default: true
  It is recommended that you do not change this value.
• Accounts Preferred Mode Wait Time
  If you specify preferred nodes on which to carry out accounts tests, the executor operates in preferred mode. This means that it will only execute the accounts tests on nodes specified in the Accounts Preferred Mode List for the length of time specified in this parameter. After the specified length of time has elapsed, it may also execute accounts tests on the other nodes on which the inspector is running. Using an Accounts Preferred Mode List can optimize the execution of the inspector by ensuring that it runs on the fastest machine available.

  Note You use the POLYCENTER Security Console GUI to create the Accounts Preferred Mode List as part of the inspector.

  
  This parameter is specified in OpenVMS delta time format.
  Default: 0 0:15:00.00
• Accounts Non Preferred Mode Wait Time
  If you do not specify preferred nodes on which to carry out accounts tests, the executor operates in non-preferred mode. However, it may not carry out accounts tests on all nodes at once. The executor chooses the preferred nodes and it may only run accounts tests on certain nodes during the time specified in this parameter. After the specified length of time has elapsed, it may also execute accounts tests on the other nodes on which the inspector is running.
  This parameter is specified in minutes.
  Default: 5
• Executor Inspection Limit
  The number of inspections executed before the executor restarts. To disable restarting, specify a value of 0. It is recommended that you do not disable restarting.
  Default: 20
• Executor Results Caching Interval
  The interval after which the executor caches inspection results. This parameter specifies a checkpoint interval for saving the executor's work. You can use this parameter to minimize the amount of work that the executor has to redo in the case of a system failure.
  This parameter is specified in OpenVMS delta time format.
  Default: 0 1:00:00.00
• Executor Startup Delay
  The time, in minutes, since the system was booted before the executor will proceed after being started. This startup delay allows you to ensure that inspections do not run before the system is fully booted.
  Default: 40
• Files Preferred Mode Wait Time
  If you specify preferred nodes on which to carry out files tests, the executor operates in preferred mode. This means that it will only execute the files tests on nodes specified in the Files Preferred Mode List for the length of time specified in this parameter. After the specified length of time has elapsed, it may also execute files tests on the other nodes on which the inspector is running.
  Using a Files Preferred Mode List can optimize the execution of the inspector by ensuring that it runs on the fastest machine available.

  Note You use the POLYCENTER Security Console GUI to create the Files Preferred Mode List as part of the inspector.

  
  This parameter is specified in OpenVMS delta time format.
  Default: 0 0:15:00.00
• Inspection Start Window
  If the executor fails to start an inspector within the number of minutes specified here after the start time specified in the inspector, it will not attempt to start it until 24 hours after the specified start time.
  Default: 30
• Password Dictionary Preformatted
  The Weak Passwords tests can use a user-specified dictionary. The test checks that the specified dictionary is in the required OpenVMS password format. If you do not want to check the dictionary, for example, if you are sure that all entries in the dictionary are already in the required format for OpenVMS passwords, specify True in this parameter. Specifying True can improve system performance.
  Default: false

Summary

This section describes how to configure POLYCENTER Security CM portal details.

Specifying Values

You can change the values for the following POLYCENTER Security CM parameters by choosing the number corresponding to the parameter and then entering the new value:

• Level of Scrambling
  Indicates the minimum level of scrambling for data exchanged between POLYCENTER Security CM and POLYCENTER Security Console on the PC.
  Scrambling data involves modifying it so that it would be difficult for a hacker to read it. Scrambling therefore provides more secure transfer of data. However, data that is scrambled takes longer to transfer. Specify the level of scrambling required:
  • 0---data will not be scrambled
  • 1---a moderate level of scrambling
  • 2---more intensive scrambling
  
  Default: 1
  You can also use the POLYCENTER Security Console GUI to specify the required level of scrambling for the PC. Before communication takes place, the scrambling level on the OpenVMS node is compared with the scrambling level on the PC and if they are not the same, the higher of the two levels is used in all communication.
• Local Channel Timeout
  The time, in milliseconds, after which data transfers between local processes will time out.
  Default: 5000
• Message Block Size
  The size, in bytes, of the blocks of data transmitted from the node running POLYCENTER Security CM to the PC running POLYCENTER Security Console. This can have a maximum value of 9216 (9 Kbytes).
  Default: 6144
• Portal DECnet
  Whether the node running POLYCENTER Security CM accepts connections over the DECnet protocol. To enable communication between POLYCENTER Security CM on the OpenVMS node and POLYCENTER Security Console on the PC, this parameter or the Portal TCP/IP parameter must be set to true. Both parameters can be set to true to allow communication over both transport protocols.
  Default: true
• Portal ExQuota Action
  Indicates whether the portal process should die if a system service call returns a status of SS$_EXQUOTA.
  Default: false
• Portal TCP/IP
  Whether the node running POLYCENTER Security CM accepts connections over the TCP/IP protocol. To enable communication between POLYCENTER Security CM on the OpenVMS node and POLYCENTER Security Console on the PC, this parameter or the Portal DECnet parameter must be set to true. Both parameters can be set to true to allow communication over both transport protocols.
  Default: true
• Portal TCP/IP Port Number
  The number of the port at which TCP/IP connections are accepted. You can also change this value on the PC running POLYCENTER Security Console. The PC running POLYCENTER Security Console and the OpenVMS node running POLYCENTER Security CM must have the same port number to enable communication over TCP/IP.
  Default: 1602
• Remote Channel Timeout
  The time, in milliseconds, after which data transfers between remote processes will time out.
  Default: 30 000