POLYCENTER
Security Compliance Manager for OpenVMS
User's Guide


Previous Contents Index


Appendix A
Distributing Inspectors

Introduction

This appendix contains information about using a POLYCENTER Security CM inspector to implement your security policy and distributing the inspector to remote nodes.

In This Appendix

The appendix contains information about the following:

A.1 Implementing Your Security Policy

Summary

This section describes how to use a sample inspector to implement your security policy and how to distribute this inspector to remote nodes.

Customizing the Sample Inspector

POLYCENTER Security CM includes a sample inspector, EXAMPLE_REQUIRED_INSPECTOR.DAT. This inspector contains test collections to test many areas of your system and is typical of the default inspector that you should use to implement your security policy. Use the POLYCENTER Security Console GUI to customize the inspector.

Distributing the Customized Inspector

After you have customized the inspector so that it accurately reflects your security policy, you can distribute it to other machines as follows:

  1. Create or locate the desired customized inspector.
  2. Unpack the INSPECT031.A saveset from the kit distribution media.
    To rebuild the POLYCENTER Security CM kit, restore the "A" saveset from the media kit. Perform the following steps:
    1. Obtain and mount the POLYCENTER Security CM distribution media.
    2. Use the DCL command BACKUP to restore the INSPECT031.A saveset to an empty directory. See the OpenVMS System Management Utilities Reference Manual for instructions on restoring a saveset.

    The following example creates an empty directory on DUA2, mounts the kit media on MUA5, then restores it to the empty directory:


     
    $ CREATE DUA2:[NEW_REQUIRED] /DIRECTORY
    $ MOUNT MUA5: INSPEC /FOREIGN
    $ BACKUP MUA5:INSPECT031.A DUA2:[NEW_REQUIRED]
    

  3. Replace the EXAMPLE_REQUIRED_INSPECTOR.DAT file.
    With the saveset unpacked, you can now replace the factory-supplied EXAMPLE_REQUIRED_INSPECTOR.DAT file. Use the DCL command SET DEFAULT to change your default directory to that which contains the unpacked saveset. Issue the following command, substituting the name of your customized inspector policy file for the xxx:


    $ COPY INSPECT$DATABASE:INSPECT$xxx.DAT -   _EXAMPLE_REQUIRED_INSPECTOR.DAT
    $ PURGE EXAMPLE_REQUIRED_INSPECTOR.DAT
    

  4. Rebuild the INSPECT031.A saveset.
    Use the OpenVMS BACKUP utility to rebuild the INSPECT031.A saveset. The following command initializes a new tape mounted on MKA300, then writes the saveset:


    $ BACKUP *.*; MKA300:INSPECT031.A -
        /REWIND /INTERCHANGE /IGNORE=LABEL /BLOCK=9000 /VERIFY
    

    After you create the INSPECT031.A saveset, copy the INSPECT031.B, and INSPECT031.C savesets from the distribution media to the new media using the DCL command COPY. The following example copies the saveset from the distribution media on MUA5 to the new media mounted on MKA300


    $ COPY MUA5:INSPECT031.B MKA300:INSPECT031.B
    

  5. Verify the new kit
    Once you create the customized POLYCENTER Security CM kit, you should verify that it installs properly, and that it contains the appropriate inspector. Perform the installation using the steps in the POLYCENTER Security Compliance Manager for OpenVMS Installation Guide, then use the POLYCENTER Security Console test dialogs to verify the inspector's test collection and parameter settings. The customization process is complete when you are satisfied with the resulting kit.

Reporting the Policy File ID

After you create and install the customized inspector, report the policy file ID to your POLYCENTER SRF administrator. The POLYCENTER SRF administrator uses the policy file identifier (ID) to determine the validity of a token. Most changes to parameters change the policy file ID.


Appendix B
Troubleshooting

Introduction

This appendix contains information to help troubleshoot POLYCENTER Security CM. It assumes that you are familiar with OpenVMS system management and have OpenVMS documentation available.

In This Appendix

The appendix contains information about the following:

B.1 Solving System Startup Problems

Summary

This section describes problems that may occur at startup and how to solve them.

You Receive a Mail

You may receive a mail on startup if you do not have sufficient resources (privileges, quotas, or identifiers) to start one of the POLYCENTER Security CM executable images. The mail indicates the resources that you must have to start the image. Update your account with these resources and then restart the image.

Inspectors Do Not Run

The POLYCENTER Security CM executor waits for a user-specified period of time after system startup before it runs inspectors. By default, this time is 40 minutes. You can customize the wait period by changing the value for the Executor Startup Delay to a value suitable for your site. See Section 3.4 in Chapter 3 for information on using the CLI to change the Executor Startup Delay.

If a scheduled inspection has been missed due to system failure or other problems, the POLYCENTER Security CM executor runs the inspector after startup if the resubmit interval is greater than one day and if the scheduled inspection time has not elapsed by more than a user-specified period of time. By default, this time is 30 minutes. You can customize this time period by changing the value of the Inspection Start Window to a value suitable for your site. See Section 3.4 in Chapter 3 for information on using the CLI to change the Inspection Start Window. If the inspection has been missed by more than the specified time period, the executor attempts to run the inspector on the following day at the originally scheduled time.

The INSPECT$LOGS:INSPECT$EXECUTOR.LOG file contains information on rescheduled inspections.

B.2 Solving Connection Problems

Summary

This section describes connection problems that may occur when connecting to POLYCENTER Security CM from POLYCENTER Security Console and how to solve them.

Authentication Errors

You may get an authentication error when you try to connect to POLYCENTER Security CM from POLYCENTER Security Console. If you do not know why you are getting this error, you can ensure that POLYCENTER Security CM logs the reason for the error in the INSPECT$LOGS:INSPECT$PORTAL.LOG file. To do this, use the CLI to change the Log Detail level to the value 2. See Section 3.3 in Chapter 3 for information on using the CLI to change the Log Detail value. By default, POLYCENTER Security CM does not log the reason for authentication errors.

Timeout Errors

You may get a timeout error when you try to connect to POLYCENTER Security CM from POLYCENTER Security Console. You can configure the time period during which the system waits before data transfers between remote processes will time out. See Section 3.5 in Chapter 3 for information on using the CLI to change the Remote Channel Timeout value.

B.3 Using Log Files

Summary

This section explains where to find logs and how to use them.

Log Files

POLYCENTER Security CM retains log files that can help you to identify problems. These log files exist in the INSPECT$LOGS directory, in the INSPECT$SCRATCH directory, and in the SYS$SYSROOT:[INSPECT$SERV] directory. If, for some reason, an inspector or the passthru server encounters a malfunction, you can edit the log files to learn more about the malfunction. These files are similar to batch log files in this respect.

Executor Logs

The executor on each node generates the following log files:

Portal Logs

The portal on each node generates the followings log files:

Passthru Server Logs

The passthru server generates the followings log file:


SYS$SYSROOT:[INSPECT$SERV]NET$SERVER.LOG 

This log file records all the activities of the passthru server. If the passthru server fails, examining the log file can help you to determine what the passthru server was doing when it failed.

Error Logs

The executor, portal, CLI, and passthru server can all generate error logs. The error log file name for the executor, the portal, and the CLI has the following format:


INSPECT$LOGS:INSPECT$process_name_ERROR.LOG 

The error log file name for the passthru server is:


SYS$SYSROOT:[INSPECT$SERV]INSPECT$ERROR_FILE 

These logs are in text format. If you are reporting an error to Digital Support, you must include the logs.

User-Written Program Logs

If an inspector contains one or more user-written programs, log files generated by these programs are placed in the following location:


INSPECT$SCRATCH:INSPECT$process_id.LOG 

Contacting Digital Customer Support

If an error occurs while you are using POLYCENTER Security CM and you believe that there is a problem with the POLYCENTER Security CM software, you may need to contact your Customer Support Center. When providing details of the error to your Customer Support Center, you must include some or all of the following files depending on what POLYCENTER Security CM was doing when the error occurred:

See Section 3.9 in Chapter 3 for information on using the CLI to extract an inspector to a text file.

See the POLYCENTER Security Compliance Manager Installation Guide for more information on reporting errors.

B.4 Solving Output Problems

Summary

This section provides information on possible problems with POLYCENTER Security CM output and how to solve them.

Reports are Not Mailed

After an inspection, POLYCENTER Security CM may mail a report to one or more recipients specified when creating the inspector. If for any reason, POLYCENTER Security CM cannot send this mail, it generates the following log file:


INSPECT$SCRATCH:INSPECT$process_id.LOG 

If you do not receive the mail, examining the log file may help you to determine why it did not arrive.

Problems Running Lockdown

When you choose to execute a lockdown file or an unlockdown file, a log file is generated in the INSPECT$LOGS directory. The name of the log file depends on whether it is for a lockdown file or an unlockdown file. The file name has one of the following formats:

If you have any problems running the files, examining the log files may help you to determine the cause of the problems.

POLYCENTER Security CM also generates a log file when you choose to have the product automatically execute a lockdown file for you. Use the CLI to view the autolockdown log file.

Tokens Not Transmitted

If tokens are not transmitted correctly, POLYCENTER Security CM continues to try to send the token up to the limit specified in the Token Retry Interval parameter. You can also resend the token from either the POLYCENTER Security CM CLI or the POLYCENTER Security Console GUI. Digital recommends that you do not resend tokens in normal circumstances.

The Token Status Memo provides information on the status of the transmission of the token for each node in the inspector's domain. See Appendix C for more information on the Token Status Memo.

Tokens Not Processed Successfully

Each inspector can send a token (security status message) to a POLYCENTER SRF collection node designated during the installation of POLYCENTER Security CM. POLYCENTER Security CM checks for the successful transmission of this token.

If test tokens are not being processed successfully, verify that you are meeting the following conditions:

If you have access to the POLYCENTER SRF collection node, examine the log files in the directory pointed to by the DSRF$LOGS logical.

B.5 Solving Disk Space and Privilege Problems

Summary

This section provides some guidelines to help solve diskspace and privilege problems.

Purging the Database Files

Job files generated by each inspection are stored in the inspector database area (pointed to by the INSPECT$DATABASE logical). To avoid diskspace problems, these files must be purged regularly. POLYCENTER Security CM automatically purges the files using the value specified in the Purge Keep Time parameter and the Purge Keep Inspector Job Number parameter to determine which files to purge. See Section 3.3 in Chapter 3 for information on using the CLI to change the values of these parameters.

You can also use the CLI to manually purge the files. See Purging the Database in Chapter 3 for more information.

Purging Logs

To avoid diskspace problems, purge the INSPECT$LOGS directory, the INSPECT$LOCKDOWNS directory, and the INSPECT$SCRATCH directory regularly. POLYCENTER Security CM does not automatically purge the INSPECT$LOGS directory and the INSPECT$LOCKDOWNS directory. POLYCENTER Security CM deletes logs in the INSPECT$SCRATCH directory only when you restart the product.

Verifying Privileges and Resources

Each security manager's account must have the INSPECT$SECURITY_MANAGER identifier. The account must also have the privileges required to run each of the POLYCENTER Security CM executable images.

If the account does not have these privileges and resources, then you cannot run POLYCENTER Security CM and if you try to do so, you receive a mail specifying the privileges, quotas, or identifiers that you need.

See the POLYCENTER Security Compliance Manager for OpenVMS Installation Guide for information on required privileges and quotas.

B.6 Solving Database Problems

This section provides some guidelines to help solve database problems.

Releasing Inspector Locks

An inspector is automatically locked when it is executing to prevent users trying to modify or delete it. If the system fails during execution, the executor and portal should recover normally. In exceptional circumstances, you may need to release the inspector locks after system recovery. See Section 3.13 in Chapter 3 for information on using the CLI to release the inspector locks.

Note

Releasing the inspector locks kills the executor and portal processes on all nodes in a cluster.

Creating a New Database

In the unlikely event that the inspector database is corrupted, you can create a new database. To create a new database, enter the following command to invoke a utility that allows you to create the database:


$ @INSPECT$IMAGES:INSPECT$CONFIG.COM

POLYCENTER Security CM displays the Main Menu of the utility.

Note

Creating a new database stops the POLYCENTER Security CM executor on all nodes and deletes all existing history from the database area. Files in INSPECT$LOGS and INSPECT$SCRATCH are also deleted. You can choose whether to keep existing inspectors.


Previous Next Contents Index