*****
*****
***** This first part is a summary of violations from an assessment
***** based on controls specified in DoD Instruction 8500-2.
***** It is the output from the command:
*****
*****     LJK/Security REPORT /SUMMARY=COMMENT
*****
*****
after < none >  interval < none >
BOSTON  18-SEP-2008 19:34  completed  DOD

Violations  Control(s) with severity
     22812  DoDI 8500.2 CODB-1 IV
         1  DoDI 8500.2 DCBP-1 II, DoDI 8500.2 IATS-2 II
        15  DoDI 8500.2 DCCT-1 I, DoDI 8500.2 DCII-1 I, DoDI 8500.2 ECSD-2 I
       185  DoDI 8500.2 DCCT-1 II, DoDI 8500.2 DCSL-1 II
        28  DoDI 8500.2 DCFA-1 II
         4  DoDI 8500.2 DCPP-1 I
         1  DoDI 8500.2 DCPP-1 IV
        30  DoDI 8500.2 EBRP-1 I
        77  DoDI 8500.2 ECAR-3 II
         8  DoDI 8500.2 ECCD-1 I
     95857  DoDI 8500.2 ECCD-1 II
         4  DoDI 8500.2 ECCD-1 IV
        10  DoDI 8500.2 ECLC-1 II
         1  DoDI 8500.2 ECLO-2 III
         1  DoDI 8500.2 ECLO-2 IV
         2  DoDI 8500.2 ECLP-1 I
        15  DoDI 8500.2 ECPA-1 I
         1  DoDI 8500.2 ECTP-1 I
         1  DoDI 8500.2 ECWM-1 IV
        55  DoDI 8500.2 IAAC-1 I
        16  DoDI 8500.2 IAIA-2 I
       360  DoDI 8500.2 IAIA-2 II
         1  DoDI 8500.2 IAIA-2 III
*****
*****
***** Below is just a _sample_ of the detail records for the
***** summary shown above.  Some of the names have been changed
***** to protect the guilty.
***** It is the output from the command:
*****
*****     LJK/Security REPORT
*****
*****
after < none >  interval < none >
BOSTON  18-SEP-2008 19:34  completed  DOD

Node BOSTON Username DXD$SERVER has disable SET PASSWORD flag
    DoDI 8500.2 IAIA-2 I (UAF, LOCKPWD, PROHIBITED)
Node BOSTON Username FRED password minimum length value of 6 is lower than minimum of 8 for explicit privilege CMKRNL
    DoDI 8500.2 IAIA-2 II (UAF, PWDMINLEN, ABSOLUTLO)
Node BOSTON Username FRED_PRIV has password lifetime of 0 days which is higher than maximum of 90 days for explicit privilege Category-System
    DoDI 8500.2 IAIA-2 II (UAF, PWDLIFE, ABSOLUTHI)
Node BOSTON Username DEMO has null primary password
    DoDI 8500.2 IAIA-2 I (UAF, PWDNULL, PRIPROHIB)
Node BOSTON Username DEMO has privileges at level Category-All which is higher than maximum of Category-None for a null primary password
    DoDI 8500.2 IAIA-2 I (UAF, PWDNULL, PRIMAXPRIV)
Node BOSTON Username FRED_PRIV can obtain privileges at level Category-All because it shares UIC [FRED] with username DEBBIE
    DoDI 8500.2 ECLP-1 I (UAF, UICPRIV, ABSOLUTHI)
Node BOSTON Username DXD$SERVER has privileges at level Category-None which is lower than minimum of Category-Normal
    DoDI 8500.2 ECPA-1 I (UAF, PRIVLEVEL, ABSOLUTLO)
Node BOSTON Username DEMO has privileges at level Category-All which is higher than maximum of Category-Normal
    DoDI 8500.2 ECPA-1 I (UAF, PRIVLEVEL, ABSOLUTHI)
Node BOSTON Username DEFAULT primary password encryption algorithm AD_II is older than allowed
    DoDI 8500.2 IAIA-2 II (UAF, PWDENCRYPT, OLD)
Node BOSTON Username DEMO is permitted login over LAT with privileges at level Category-All (e.g., via terminal _LTA0:)
    DoDI 8500.2 EBRP-1 I (UAF, PRIVLGILAT, ABSOLUTHI)
Node BOSTON Username DEMO is permitted network login with privileges at level Category-All
    DoDI 8500.2 EBRP-1 I (UAF, PRIVLGINET, ABSOLUTHI)
Node BOSTON Username FRED is permitted proxy login with privileges at level Category-All from node AS250A username FRED
    DoDI 8500.2 EBRP-1 I (UAF, PRIVLGIPRX, ABSOLUTHI)
Node BOSTON Username DEFAULT last interactive login was 0 days ago (17-NOV-1858 00:00:00.00) which is longer than the maximum inactive period of 90 days (last non-interactive login was 17-NOV-1858 00:00:00.00)
    DoDI 8500.2 IAAC-1 I (UAF, LASTLOGIN, INTERACT)
Node BOSTON Username DEMO is permitted remote login with privileges at level Category-All
    DoDI 8500.2 EBRP-1 I (UAF, PRIVLGIREM, ABSOLUTHI)
Node BOSTON Password History lifetime is 365 days which is lower than minimum of 547 days
    DoDI 8500.2 IAIA-2 II (VMS, PWDHISTORY, MINLIFE)
Node BOSTON SYS$ANNOUNCE message does not contain required text
    DoDI 8500.2 ECWM-1 IV (VMS, ANNOUNCE, CONTAINS)
Node BOSTON breakin attempts will disable usernames only temporarily (system parameter BRKDISUSER)
    DoDI 8500.2 ECLO-2 IV (VMS, BRKDISUSER, REQUIRED)
Node BOSTON Duration seconds for breakin evasion LGI_HID_TIM is 300 which is lower than minimum of 600
    DoDI 8500.2 ECLO-2 III (VMS, LGIHIDTIM, ABSOLUTLO)
Node BOSTON System parameter LGI_CALLOUT is 0 which is lower than minimum of 1
    DoDI 8500.2 DCBP-1 II, DoDI 8500.2 IATS-2 II (VMS, LGICALLOUT, ABSOLUTLO)
Node BOSTON SECURITY_POLICY system parameter prevents GUARDPASSWORDS
    DoDI 8500.2 IAIA-2 III (VMS, SECPOLICY, REQUIRED)
Node BOSTON Executor Default Access is BOTH in PERMANENT database when Default Incoming Access is prohibited
    DoDI 8500.2 DCPP-1 I (DECNET, DEFACCINC, PROHIBITED)
Node BOSTON Executor Default Access is BOTH in PERMANENT database when Default Outgoing Access is prohibited
    DoDI 8500.2 DCPP-1 I (DECNET, DEFACCOUT, PROHIBITED)
Node BOSTON FAL poor man's routing is present
    DoDI 8500.2 DCPP-1 IV (DECNET, FALPOOROUT, PROHIBITED)
Node BOSTON Device _MBA5: protection is (SYSTEM,OWNER,GROUP,WORLD) which limits access narrower than minimum of (SYSTEM,OWNER:RWPL,GROUP,WORLD)
    DoDI 8500.2 ECCD-1 IV (DEVICE, PROTECTION, ABSOLUTLO)
Node BOSTON Device _MBA1: allows 13 percent of users to have read access, which allows access wider than maximum of 10 percent
    DoDI 8500.2 ECCD-1 II (DEVICE, PROTECTION, PERCENTHI)
Node BOSTON Device _MBA5: owner is [10,40] rather than default of [SYSTEM]
    DoDI 8500.2 ECCD-1 I (DEVICE, OWNER, WRONG)
Node BOSTON Terminal _OPA0: use of secure server is disabled
    DoDI 8500.2 IAIA-2 I (TERM, SECURE, REQUIRED)
Node BOSTON Mail file SYS$SYSDEVICE:[FRED.SYSMGR]PVMS.MAI;1 has protection of (SYSTEM:RWD,OWNER:RWD,GROUP,WORLD) which allows access wider than maximum of (SYSTEM:RW,OWNER:RW,GROUP,WORLD)
    DoDI 8500.2 ECCD-1 II (DISK, MAILPROT, ABSOLUTHI)
Node BOSTON Mail file SYS$SYSDEVICE:[FRED]MAIL$DA2B6B7800050096.MAI;1 allows 17 percent of users to have read access, which allows access wider than maximum of 1 percent
    DoDI 8500.2 ECCD-1 II (DISK, MAILPROT, PERCENTHI)
Node BOSTON Rdb/VMS file SYS$SYSDEVICE:[SYS0.SYSUPD.MSAU1012]DALDEMO.RDB;1 has protection of (SYSTEM:RWED,OWNER:RWED,GROUP:RWED,WORLD:RE) which allows access wider than maximum of (SYSTEM:RW,OWNER,GROUP,WORLD)
    DoDI 8500.2 ECCD-1 II (DISK, RDBVMSPROT, ABSOLUTHI)
Node BOSTON Rdb/VMS file SYS$SYSDEVICE:[SYS0.SYSUPD.MSAU1012]DALDEMO.RDB;1 allows 100 percent of users to have read access, which allows access wider than maximum of 1 percent
    DoDI 8500.2 ECCD-1 II (DISK, RDBVMSPROT, PERCENTHI)
Node BOSTON File SYS$SYSDEVICE:[DXD$SERVER]DXD$SCHEMA.DAT;41 has protection of (SYSTEM:RWD,OWNER:RWD,GROUP:R,WORLD:R) which limits access narrower than minimum of (SYSTEM:RWED,OWNER,GROUP,WORLD)
    DoDI 8500.2 ECCD-1 II (DISK, FILEPROT, ABSOLUTLO)
Node BOSTON File SYS$SYSDEVICE:[BCI2000_DOC]BCI2000_DRIVER_DOC_IOSB.GRA;1 has protection of (SYSTEM:RWED,OWNER:RWED,GROUP:RWED,WORLD:RE) which allows access wider than maximum of (SYSTEM:RWED,OWNER:RWED,GROUP:RE,WORLD)
    DoDI 8500.2 ECCD-1 II (DISK, FILEPROT, ABSOLUTHI)
Node BOSTON File SYS$SYSDEVICE:[000000]BACKUP.SYS;1 allows 13 percent of users to have read access, which allows access wider than maximum of 10 percent
    DoDI 8500.2 ECCD-1 II (DISK, FILEPROT, PERCENTHI)
Node BOSTON System executable file SYS$COMMON:[MULTINET]LOADABLE_XDM_CONTROL.EXE;1 has protection of (SYSTEM:RE,OWNER:RE,GROUP,WORLD) which limits access narrower than minimum of (SYSTEM:RWED,OWNER,GROUP,WORLD)
    DoDI 8500.2 ECCD-1 II (DISK, SYSEXEPROT, ABSOLUTLO)
Node BOSTON System executable file SYS$COMMON:[SYSHLP.EXAMPLES.DECW]HELLOWORLD.EXE;1 has protection of (SYSTEM:RWED,OWNER:RWED,GROUP:RWED,WORLD:RE) which allows access wider than maximum of (SYSTEM:RWED,OWNER:RWED,GROUP:RE,WORLD:RE)
    DoDI 8500.2 ECCD-1 II (DISK, SYSEXEPROT, ABSOLUTHI)
Node BOSTON System executable file SYS$COMMON:[ACM]ACEREC_AXP061.EXE;2 allows 13 percent of users to have write access, which allows access wider than maximum of 1 percent
    DoDI 8500.2 ECCD-1 II (DISK, SYSEXEPROT, PERCENTHI)
Node BOSTON Specified file DISK$COMMON:[SYSEXE]SYSUAF.DAT;2 has protection of (SYSTEM:RWE,OWNER:RWE,GROUP:RWE,WORLD) which allows access wider than maximum of (SYSTEM:RWED,OWNER:RWED,GROUP,WORLD)
    DoDI 8500.2 ECTP-1 I (DISK, CHECKPROT, ABSOLUTHI)
Node BOSTON Specified file SYS$COMMON:[SYSMGR]SECURITY.AUDIT$JOURNAL;17 lacks Success Audit ACL for read access, which is contrary to a policy exemption specific to that file
    DoDI 8500.2 ECAR-3 II (DISK, CHECKPROT, AUSREQUIRE)
Node BOSTON File SYS$SYSDEVICE:[000000]000000.DIR;1 was backed up (/RECORD) 2657 days ago (10-JUN-2001 15:18:42.05) which is longer than the maximum unprotected period of 30 days
    DoDI 8500.2 CODB-1 IV (DISK, BACKUP, ABSOLUTHI)
Node BOSTON File SYS$SYSDEVICE:[000000]BITMAP.SYS;1 was backed up (/RECORD) 2657 days ago (10-JUN-2001 15:18:42.05) which is longer than the maximum unprotected period of 7 days and the file has been modified since the backup date
    DoDI 8500.2 CODB-1 IV (DISK, BACKUP, MODIFIEDHI)
Node BOSTON File SYS$SYSDEVICE:[DXDV03_DXDDOCS]AVMS-INST.PS;3 has ACL containing UIC identifier [503,64]
    DoDI 8500.2 DCFA-1 II (DISK, ACLIDENT, NOUIC)
Node BOSTON File SYS$COMMON:[SYSLIB]CDA$ACCESS.EXE;3 has SHA1 checksum of 43329A7252F107A45BA12EC95F5A2B7CD690D420, instead of exemption-specified value of 452C311E492588D6B95BBE5B8313A84D19EEEF3E
    DoDI 8500.2 DCCT-1 I, DoDI 8500.2 DCII-1 I, DoDI 8500.2 ECSD-2 I (DISK, CHECKSUM, SHA1)
Node BOSTON Directory file SYS$SYSDEVICE:[000000]SYSEXE.DIR;1 has protection of (SYSTEM:R,OWNER:R,GROUP,WORLD) which limits access narrower than minimum of (SYSTEM:RWE,OWNER,GROUP,WORLD)
    DoDI 8500.2 ECCD-1 II (DISK, DIRPROT, ABSOLUTLO)
Node BOSTON Directory file SYS$SYSDEVICE:[000000]000000.DIR;1 has protection of (SYSTEM:RWED,OWNER:RWED,GROUP:RE,WORLD:E) which allows access wider than maximum of (SYSTEM:RWED,OWNER:RWED,GROUP:RE,WORLD)
    DoDI 8500.2 ECCD-1 II (DISK, DIRPROT, ABSOLUTHI)
Node BOSTON Directory file SYS$SYSDEVICE:[000000]000000.DIR;1 allows 13 percent of users to have read access, which allows access wider than maximum of 10 percent
    DoDI 8500.2 ECCD-1 II (DISK, DIRPROT, PERCENTHI)
Node BOSTON File SYS$COMMON:[SYSEXE]ACS.EXE is installed as a known image
    DoDI 8500.2 DCCT-1 II, DoDI 8500.2 DCSL-1 II (DISK, INSTALLED, PROHIBITED)
Node BOSTON File SYS$COMMON:[SYSEXE]MSA$MANAGER.EXE is installed with privilege CMKRNL
    DoDI 8500.2 DCCT-1 II, DoDI 8500.2 DCSL-1 II (DISK, INSTPRIV, PRIVPROHIB)
Node BOSTON File SYS$COMMON:[SYSLIB]CMSPROSHR.EXE is installed as protected
    DoDI 8500.2 DCCT-1 II, DoDI 8500.2 DCSL-1 II (DISK, INSTPROT, PROHIBITED)
Node BOSTON READALL security audits are disabled for access type read
    DoDI 8500.2 ECAR-3 II (AUDIT, READALL, AUREQUIRE)
Node BOSTON Authentication security audits are disabled
    DoDI 8500.2 ECAR-3 II (AUDIT, AUTHENT, AUREQUIRE)
Node BOSTON SYSPRV security audits are disabled for access type read
    DoDI 8500.2 ECAR-3 II (AUDIT, SYSPRV, AUREQUIRE)
Node BOSTON Successful Use of Privilege CMEXEC security audits are disabled
    DoDI 8500.2 ECAR-3 II (AUDIT, PRVSUCC, AUREQUIRE)
Node BOSTON BYPASS security audits are disabled for access type read
    DoDI 8500.2 ECAR-3 II (AUDIT, BYPASS, AUREQUIRE)
Node BOSTON UPGRADE security audits are disabled for access type read
    DoDI 8500.2 ECLC-1 II (AUDIT, UPGRADE, AUREQUIRE)
Node BOSTON DOWNGRADE security audits are disabled for access type read
    DoDI 8500.2 ECLC-1 II (AUDIT, DOWNGRADE, AUREQUIRE)
Node BOSTON Failure security audits are disabled for access type read
    DoDI 8500.2 ECAR-3 II (AUDIT, FAILURE, AUREQUIRE)
Node BOSTON Ill-Formed Audit security audits are disabled
    DoDI 8500.2 ECAR-3 II (AUDIT, AUDILLFOR, AUREQUIRE)
Node BOSTON GRPPRV security audits are disabled for access type read
    DoDI 8500.2 ECAR-3 II (AUDIT, GRPPRV, AUREQUIRE)
Node BOSTON Persona Creation security audits are disabled
    DoDI 8500.2 ECAR-3 II (AUDIT, PSBCREATE, AUREQUIRE)
Node BOSTON Persona Deletion security audits are disabled
    DoDI 8500.2 ECAR-3 II (AUDIT, PSBDELETE, AUREQUIRE)
Node BOSTON Persona Modification security audits are disabled
    DoDI 8500.2 ECAR-3 II (AUDIT, PSBMODIFY, AUREQUIRE)