Summary

This section describes how to configure parameters related to POLYCENTER SRF.

POLYCENTER SRF Configuration Tasks

You can change the values for the following POLYCENTER Security CM parameters by choosing the number corresponding to the parameter and then entering the new value:

• Max Token Retry
  The maximum number of times that, in the case of transmission failure, POLYCENTER Security CM continues to try to send a token to POLYCENTER SRF. This parameter is specified in hours.
  Default: 144
• POLYCENTER PassThru Buffer Size
  The size of the blocks of data transmitted to POLYCENTER SRF. This buffer must be big enough to hold a token.
  Default: 1024 bytes
• POLYCENTER SRF DECnet Object
  The DECnet object to which you must connect when sending tokens to POLYCENTER SRF over DECnet.
  Default: "0=INSPECT$SERV"
• POLYCENTER SRF Enhanced Tokens
  Indicates whether enhanced tokens should be sent to POLYCENTER SRF. Enhanced tokens contain failure and test counts. Enhanced tokens are not compatible with versions of POLYCENTER SRF below version 2.1.
  Default: false
• POLYCENTER SRF Node
  The default POLYCENTER SRF node to which POLYCENTER Security CM sends tokens produced by all inspectors. You can also specify a different node for each inspector using the POLYCENTER Security Console GUI. POLYCENTER Security CM will also send tokens to these nodes.
• POLYCENTER SRF TCP/IP Port
  The TCP/IP port to which you must connect when sending tokens to POLYCENTER SRF over TCP/IP.
  Default: 6002
• POLYCENTER SRF Token Protocol
  Whether tokens are sent to POLYCENTER SRF via DECnet or TCP/IP.
  Default: DECnet
• Token Retry Interval
  How frequently POLYCENTER Security CM tries to send a token to POLYCENTER SRF if it fails on the first attempt.

3.7 Viewing the Executor Status

Summary

This section describes how to view the POLYCENTER Security CM executor status from the CLI.

Executor Status

The executor is the process that controls the POLYCENTER Security CM inspectors.

You can display the current status of the executor.

Displaying the Executor Status

To display the current status of the executor, enter 3 at the Enter choice: prompt. POLYCENTER Security CM displays a message indicating the current status of the executor.

In the case of a cluster, the message indicates the current status of the executor on the local node but only indicates whether the executor process is running on other nodes in the cluster.

3.8 Configuring Inspectors

Summary

This section describes how to configure POLYCENTER Security CM inspectors from the CLI.

The Default Inspector

The default inspector is the main inspector on each node. This is the inspector, whose compliance status is represented as a color-coded icon on the POLYCENTER Security Console Main Screen.

Displaying Configuration Information

To display configuration information for the default inspector, enter 5 at the Enter choice: prompt. POLYCENTER Security CM displays the current configuration information for the default inspector.

To display configuration information for other inspectors, enter 4 at the Enter choice: prompt and then enter the number associated with the inspector whose configuration information you want to change. POLYCENTER Security CM displays the current configuration information.

Inspector Configuration Information

The following configuration information is displayed for an inspector. You can modify all of this information except the Policy File ID.

Element	Description
Inspector Name	The name of the inspector. Note that modifying the inspector name also modifies the Policy File ID of the inspector.
Start Time	When the inspector is due to run. After you modify the start time, POLYCENTER Security CM compares the start time with the current system time. If the start time is in the past, the inspector runs immediately and then POLYCENTER Security CM resets the start time by adding the Resubmit Interval to it. If the start time is in the future, the inspector does not run until that time.
Resubmit Interval	How often the inspector runs.
Enabled	Whether the inspector is enabled. An inspector must be enabled before it can run.
Policy File ID	A unique key associated with an inspector. You can view this but you cannot modify it.

Changing the Inspector Name

Use the Inspector Configuration Information menu to change an inspector name. To change the name:

1. Enter 1 and then enter the new name for the inspector when the system prompts you to do so.
2. Enter e to save the inspector with the new name or enter q to cancel the operation and return to the previous menu.
   If you save the inspector, POLYCENTER Security CM creates a copy of the inspector with the new name. It does not delete the existing inspector.

Changing the Start Time

Use the Inspector Configuration Information menu to change the inspector start time. To change the start time:

1. Enter 2 and then enter the new start date when prompted to do so. The date must be in the format set by your OpenVMS time locale. It may be day/month/year or month/day/year depending on the locale.
2. Enter the new start time when prompted to do so. The time must be in the following format: hours:minutes:seconds , for example, 12:00:00 .
3. Enter e to save the changes or enter q to cancel the operation and return to the previous menu.

Changing the Resubmit Interval

Use the Inspector Configuration Information menu to change the inspector resubmit interval. To change the resubmit interval:

1. Enter 3 and then enter the new resubmit interval when prompted to do so. The resubmit interval must be in the following format: Number_of_days Hours:Minutes:Seconds , for example, 1 01:00:00 .
2. Enter e to save the changes or enter q to cancel the operation and return to the Main Menu.

Enabling an Inspector

Use the Inspector Configuration Information menu to enable an inspector. To enable the inspector:

1. Enter 4 at the Enter choice: prompt.
2. Enter 1 to enable the inspector or enter 2 to disable the inspector.
3. Enter e to save the changes or enter q to cancel the operation and return to the Main Menu.

3.9 Managing Inspectors

Summary

This section describes how to manage POLYCENTER Security CM inspectors from the CLI.

Inspector Management

You can carry out the following tasks for existing inspectors:

Task	Description
Import an inspector	Take an inspector from a file that you have copied from another system and place it in the database on the current system.
Export an inspector	Take an inspector and copy it to a file, which you can then copy to other systems.
Extract an inspector to a text file	Write a copy of the inspector to a text file.
Delete an inspector	Remove an inspector from the database.

Deleting an Inspector

To delete an inspector:

1. Enter 11 at the Enter choice: prompt to display the Select Inspector menu. POLYCENTER Security CM displays a list of available inspectors.
2. Enter the number corresponding to the inspector that you want to delete. POLYCENTER Security CM displays the Delete Inspector Menu.
3. Enter 1 to confirm that you want to delete the inspector or enter e to return to the previous menu.

Importing an Inspector

To import an inspector:

1. Enter 6 at the Enter choice: prompt.
2. Enter the name of the file containing the inspector.
3. Enter the name of the inspector.

Exporting an Inspector

Exporting an inspector involves taking an inspector and copying it to a file, which you can then copy to other systems.

To export an inspector:

1. Enter 7 at the Enter choice: prompt. POLYCENTER Security CM displays a list of available inspectors.
2. Enter the number corresponding to the inspector that you want to export.
3. Enter the name of the file in which the inspector is to be stored.
   POLYCENTER Security CM exports the inspector and returns you to the previous menu.

Extracting an Inspector to a Text File

Extracting an inspector to a text file involves writing the inspector with the values specified for each of its tests to a text file.

To extract an inspector:

1. Enter 10 at the Enter choice: prompt.
2. Enter the number corresponding to the inspector that you want to write.
3. Enter 1 to confirm the operation.
4. Enter the name of the file in which the inspector is to be stored.
   POLYCENTER Security CM writes the inspector and returns you to the previous menu.

3.10 Viewing Log Files

Summary

If you choose to automatically lock down an inspector by using the autolockdown feature on the POLYCENTER Security Console GUI, POLYCENTER Security CM produces a log file. This section describes how to view the log file from the CLI.

Viewing the Log File

To view the log file:

1. Enter 8 at the Enter choice: prompt.
2. Enter 1 to choose the View Autolockdown Log Files option.
3. Enter the number corresponding to the inspector, whose autolockdown file you want to view.
4. Enter the number corresponding to the date and time on which the inspector ran.
5. Enter 1 to view the log file.

3.11 Generating Lockdown Files

Summary

After each inspection, POLYCENTER Security CM creates a results file which you can use to generate a lockdown file. You can run the lockdown file to secure your system settings. You can also generate an unlockdown file which you can run to reverse changes made by running the lockdown file. To generate the files, you must use the CLI or the POLYCENTER Security Console GUI.

Generating the File

To generate the file:

1. Enter 9 at the Enter choice: prompt.
2. Enter the number corresponding to the inspector whose lockdown files you want to generate.
3. Enter the number corresponding to the date and time on which the inspector ran.
4. Enter 1 to generate the lockdown file.

POLYCENTER Security CM generates the lockdown file in the directory pointed to by the INSPECT$LOCKDOWNS logical.

3.12 Managing Tokens

Summary

This section describes how to manage tokens from the CLI.

Sending a Test Token

You can send a test token to a POLYCENTER SRF node. To send a test token:

1. Enter 12 at the Enter choice: prompt.
2. Enter 1 to choose Send Test Token.
3. Enter the following when prompted:
   • The name of the POLYCENTER SRF node to which you want to send the token.
   • Whether you want to send the token via DECnet or TCP/IP. DECnet is the default protocol.
   • The name of the DECnet object to which to connect when sending tokens. "0=INSPECT$SERV" is the default object if you chose DECnet. The TCP/IP port (default value, 6002) is the default object if you chose TCP/IP.

Registering System and Security Managers

You can enter details about a node's system manager and system location and then send a registration token containing this information to the POLYCENTER SRF software. To enter registration details:

1. Enter 12 at the Enter choice: prompt.
2. Enter 2 to choose Registration Configuration.
3. Enter the following information when prompted:

   Element	Description
   Security Contact Email	The node name and user name of someone who the POLYCENTER SRF administrator can contact to secure your node.
   Security Contact Name	The name of the security contact.
   Security Contact Phone #1	A phone number at which the POLYCENTER SRF administrator can contact the security contact.
   Security Contact Phone #2	A phone number at which the POLYCENTER SRF administrator can contact the security contact.
   System Location	A character string identifying where the system is located. The string can be up to 15 characters long.
   System Manager	The name of the system manager.
   System Manager Email	The node name and user name of the system manager.
   System Manager Phone #1	A phone number at which the POLYCENTER SRF administrator can contact the system manager.
   System Owner	An eight-character code or abbreviation. This field identifies the owner or controller of the node. The entry can be a person, group, or department. Your network security administrator might have specific requirements for the information placed in this field.

Sending a Registration Token

You can send a registration token to a POLYCENTER SRF node. A registration token allows you to register a node's system manager and system location with a POLYCENTER SRF collection node. To send a registration token:

1. Enter 12 at the Enter choice: prompt.
2. Enter 3 to choose Send Registration Token.
3. Enter the following when prompted:
   • The name of the POLYCENTER SRF node to which you want to send the token.
   • Whether you want to send the token via DECnet or TCP/IP. DECnet is the default protocol.
   • The name of the DECnet object to which to connect when sending tokens. "0=INSPECT$SERV" is the default object if you chose DECnet. The TCP/IP port (default value, 6002) is the default object if you chose TCP/IP.

Resending a Token

POLYCENTER Security CM checks for the successful transmission of tokens. If a token is not transmitted successfully, or if, for some other reason, you wand to resend it, you can do so. To resend a token:

1. Enter 12 at the Enter choice: prompt.
2. Enter 4 to choose the Resend Token option.
3. Enter the number corresponding to the inspector whose token you want to resend.
4. Enter the number corresponding to the date and time at which the inspector ran.
5. Enter 1 to resend the token.

3.13 POLYCENTER Security CM Maintenance

Summary

This section describes how to use the CLI to carry out day-to-day POLYCENTER Security CM maintenance.

Maintenance

You can carry out the following tasks:

• Purge the database.
  Purge result and history files from the inspector database.
• Release inspector locks.
  If an inspector is locked, you cannot delete it, you must first release it.

Purging the Database

To purge results and history files from the inspector database:

1. Enter 13 at the Enter choice: prompt.
2. Enter 1 to choose the Purge Database option.
3. Enter 1 to complete the operation.

You will be prompted to specify which files are to be purged, for example, you might want to keep all files generated in the last six months or those generated by the last six jobs for each inspector.

Releasing Inspector Locks

To release the inspector locks:

1. Enter 13 at the Enter choice: prompt.
2. Enter 2 to choose the Release Inspector Locks option.
   Note that choosing this option kills the executor and portal processes on all nodes in a cluster.

3.14 Troubleshooting POLYCENTER Security CM

Summary

This section describes how to change POLYCENTER Security CM parameters that can help you to troubleshoot POLYCENTER Security CM. It is unlikely that you will ever need to change most of these parameters.

Using the Troubleshooting Menu

To access the PSCM Troubleshooting Menu, do the following:

1. Enter 14 at the Enter choice: prompt.
2. Enter 1 to choose Troubleshooting Configuration.

To change the value of a parameter, do the following:

1. Enter the number associated with the parameter at the Enter choice: prompt.
2. Enter the new value at the Enter New Value: prompt.

Configuration Parameters

You can change the values for the following POLYCENTER Security CM parameters:

• Files Scoreboard By Disk
  Ensures that checks on files on each disk are only performed once per inspection.
  Default: true
• Files Scoreboard By File
  Ensures that checks on all files are only performed once per inspection.
  Default: false
• Files Scoreboard By Files Failed
  Ensures that files which fail one test are not included in other tests during the same inspection.
  Default: true
• Store User Written Output
  Stores the result data generated by user-defined test programs, in the inspector results file.
  Default: true
• Watchdog Cpu Quantum
  The amount of CPU time the executor must accumulate before the watchdog routine executes.
  Default: 0 0:15:00.00
• Watchdog Min Clock Time
  The amount of clock time that must elapse during the time it takes the executor to accumulate Watchdog Cpu Quantum worth of CPU time. This parameter is specified in seconds.
  Default: 1
• Watchdog Time Until Death
  The length of time during which the executor process stays alive once a compute-bound condition has been detected. This allows the process to provide debugging information before it dies.
  This parameter is specified in OpenVMS delta time format.
  Default: 0 0:00:15.00

Dumping the Executor

Dumping the executor can help you to solve problems related to the executor.

To dump the executor, enter 2 at the Enter choice: prompt on the PSCM Troubleshooting Menu.

It is recommended that you do not dump the executor unless asked to do so by a Digital Customer Support person.

3.15 Starting POLYCENTER SRF

POLYCENTER SRF allows the security administrator to access the tokens data to monitor the security compliance of nodes on the network.

Starting POLYCENTER SRF on the Local Node

If POLYCENTER SRF is installed and running on your OpenVMS VAX node, you can start it from the DCL Command line.

To start POLYCENTER SRF, enter the following command:

$ inspect/monitor