Technical Requirements - PowerPoint PPT Presentation

Provided by: SandyP1

Transcript and Presenter's Notes

Title: Technical Requirements


1
FAISSR
  • Technical Requirements
  • What is feasible?
  • How do I Configure Security Features?

This presentation was produced for the Florida
Association of IS Security Representatives
(FAISSR). Any references to products are for
example only and are not an endorsement by
FAISSR. CAUTION - Not all of the information in
this presentation has been tested.
Implementation of the suggestions contained in
this presentation must be validated by the ISSM
and approved by the CSA.
3-Apr-2001
2
Before we Start ...
DISCLAIMER
  • This presentation is intended as a Starting Point
    only
  • Not everything in this presentation has been
    verified (tested)
  • Viewgraphs that define events to be audited are a
    first cut suggestion to meet the minimum
    requirements

3
Technical Security Features
  • Technical Security Features now required by
    Chapter 8
  • Logon Authentication
  • Session Controls
  • Access Controls
  • Audit
  • When technically feasible ??

4
The Questions ...
SGI IRIX
?
 
5
OpenVMS
6
OpenVMS
  • Account & Password Controls
  • VMS stores account and password information in
    the SYS$SYSTEM:SYSUAF.DAT file, which is accessed
    through the Authorize utility.
  • On VAXs the default accounts include DEFAULT,
    FIELD, SYSTEM, SYSTEST, and SYSTEST_CLIG. On
    Alpha systems, the default accounts include
    DEFAULT and SYSTEM.
  • SYSTEM is the all-powerful account in VMS. At
    one time the default password for the SYSTEM
    account was Manager.

7
OpenVMS
  • Account & Password Controls
  • The FIELD and TEST accounts should be disabled.
    To disable an account:
  • RUN SYS$SYSTEM:AUTHORIZE
  • UAF> MODIFY account-name/FLAGS=DISUSER
  • To establish password restrictions, use the
    following flags when establishing accounts, or
    modify the default account to have these flags
    set:
  • /PWDMINIMUM=8
  • /PWDLIFETIME=365
  • /FLAGS=GENPWD
  • /GENERATE_PASSWORD

8
OpenVMS
  • Account & Password Controls
  • To control failed login attempts:
  • RUN SYS$SYSTEM:SYSMAN
  • SYSMAN> PARAMETERS SET LGI_BRK_LIM 5
  • SYSMAN> PARAMETERS SET LGI_BRK_TMO 300
  • SYSMAN> PARAMETERS WRITE CURRENT
  • Login Banner: Edit SYS$ANNOUNCE in the
    site-specific startup command procedure
    SYS$MANAGER:SYSTARTUP_VMS.COM.

9
OpenVMS
  • Access Controls
  • By default VMS has file access protections that
    control access (read, write, execute, control,
    delete) for System, Owner, Group, and World
  • Optional Access Control Lists may also be set on
    files to grant access to individual user accounts
  • Additional privileges may be added to any account
    with the Authorize utility with the parameters
    /DEFPRIVILEGES and /PRIVILEGES
  • DEFPRIVILEGES are available at login. A user may
    use the SET PROCESS/PRIVILEGES command to
    increase their privileges if authorized.

10
OpenVMS
  • OpenVMS Auditing
  • OpenVMS by default audits the following events:
  • ACL: Access to objects holding a security ACE
  • Audit: Usage of the SET AUDIT command
  • Authorization: Changes to the SYSUAF.DAT file
    and the RIGHTSLIST.DAT file
  • Break-In: Multiple failed login attempts
  • Log Failure: All failed logins
  • Enable additional auditing with
    SET AUDIT/AUDIT/ENABLE=
  • LOGIN=(ALL)
  • LOGOUT=(ALL)
  • PRIVILEGE=(SUCCESS:SECURITY,FAILURE:SECURITY)

11
OpenVMS
  • OpenVMS Auditing
  • To enable auditing on specific files use the
    command SET SECURITY/ACLAUDIT

12
OpenVMS
  • By default the audit file is located in the
    SYS$COMMON:[SYSMGR] directory and named
    SECURITY.AUDIT$JOURNAL
  • The audit file may be viewed with the
    ANALYZE/AUDIT command
  • Example:
    ANALYZE/AUDIT/BRIEF SYS$MANAGER:SECURITY.AUDIT$JOURNAL

    Date / Time             Type     Subtype      Node   Username  ID        Term
    ------------------------------------------------------------------------------
     1-NOV-1995 16:00:03.37 ACCESS   FILE_ACCESS  HERE   SYSTEM    5B600AE4
     1-NOV-1995 16:00:59.66 LOGIN    SUBPROCESS   GONE   ROBINSON  3BA011D4
     1-NOV-1995 16:02:37.31 LOGIN    SUBPROCESS   GONE   MILANT    000000D5
     1-NOV-1995 16:06:36.40 LOGFAIL  LOCAL        SUPER  MBILLS    000000E5  _TTA1:

  • Note: To see more details use ANALYZE/AUDIT/FULL
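
Added example, not part of the original presentation: this Python code parses a listing in the ANALYZE/AUDIT/BRIEF layout shown on slide 12 and reports accounts whose LOGFAIL records reach a count within a time window. The defaults reuse the slide 8 values (5 and 300) as a simple sliding window, which is an assumption and not OpenVMS's own break-in logic; the sample rows, node names and user names are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

MONTHS = {m: i for i, m in enumerate(
    "JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split(), 1)}
ROW = re.compile(  # columns as in the slide's listing; Term is optional
    r"^\s*(\d{1,2})-([A-Z]{3})-(\d{4})\s+(\d{2}):(\d{2}):(\d{2})\.(\d{2})\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+([0-9A-F]{8})(?:\s+(\S+))?\s*$")

# Constructed sample in the BRIEF layout (not real audit data).
SAMPLE = """\
Date / Time              Type     Subtype  Node   Username  ID        Term
 3-APR-2001 09:00:01.10  LOGIN    LOCAL    NODEA  ALICE     0000A001  _TTA1:
 3-APR-2001 09:01:00.00  LOGFAIL  REMOTE   NODEA  BOB       0000A002
 3-APR-2001 09:01:40.00  LOGFAIL  REMOTE   NODEA  BOB       0000A003
 3-APR-2001 09:02:10.50  LOGFAIL  REMOTE   NODEA  BOB       0000A004
 3-APR-2001 09:02:30.00  LOGFAIL  LOCAL    NODEA  CAROL     0000A005  _TTA2:
 3-APR-2001 09:03:05.00  LOGFAIL  REMOTE   NODEA  BOB       0000A006
 3-APR-2001 09:04:20.25  LOGFAIL  REMOTE   NODEA  BOB       0000A007
 3-APR-2001 09:30:00.00  LOGFAIL  LOCAL    NODEA  CAROL     0000A008  _TTA2:
"""

def parse_brief(text):
    """Parse listing rows into dicts; header and unrecognized lines are skipped."""
    out = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m and m.group(2) in MONTHS:
            d, mon, y, hh, mi, ss, cs, typ, _sub, node, user, _pid, term = m.groups()
            when = datetime(int(y), MONTHS[mon], int(d),
                            int(hh), int(mi), int(ss), int(cs) * 10000)
            out.append(dict(when=when, type=typ, node=node, user=user, term=term))
    return out

def repeated_failures(records, limit=5, window_s=300):
    """Map (node, user) -> time of the LOGFAIL that completed `limit` in window_s."""
    recent, hits = defaultdict(list), {}
    fails = [r for r in records if r["type"] == "LOGFAIL"]
    for r in sorted(fails, key=lambda r: r["when"]):
        key = (r["node"], r["user"])
        recent[key] = [t for t in recent[key]
                       if r["when"] - t <= timedelta(seconds=window_s)]
        recent[key].append(r["when"])
        if len(recent[key]) >= limit:
            hits.setdefault(key, r["when"])
    return hits

if __name__ == "__main__":
    print(repeated_failures(parse_brief(SAMPLE)))
```

Save the listing to a text file and pass its contents to `parse_brief` in place of `SAMPLE`; set `limit` and `window_s` to whatever the site's audit review policy requires.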

13
Macintosh
14
Macintosh
  • The current MAC operating system (MAC OS 9.0) is
    not capable of implementing technical security
    features.
  • The NEW version, OS X, released March 25, 2001 is
    based upon a BSD version of UNIX, named Darwin.
    It will most likely have the typical UNIX
    security features. It is doubtful that it will
    have an auditing subsystem.

Note: With the change to a UNIX O/S, Mac users
should be prepared to start experiencing attacks
from hackers they have never had to deal with!
15
One more slide ...
  • What I haven't told you ...
  • How to control the size and maintenance of audit
    files. Make sure you research this and plan for
    plenty of disk space!
  • Be aware that these audit systems can be
    configured to shut down auditing if a disk fills
    up ... or shut down the system
  • The impact on performance from auditing.
  • A strategy to archive all of the audit files so
    they can be kept for the required time periods