*****
***** This first part is a summary of violations from an assessment
***** based on requirements specified in the Payment Card Industry
***** Data Security Standard. It is the output from the command:
*****
*****     LJK/Security REPORT /SUMMARY=COMMENT
*****

after    < none >
interval < none >

BOSTON  18-SEP-2008 16:45  completed  PCI

     8  PCI DSS,10.1
     2  PCI DSS,10.2
    48  PCI DSS,10.2.2
    39  PCI DSS,10.2.4
     4  PCI DSS,10.2.7
     2  PCI DSS,10.6
     2  PCI DSS,11.4
     1  PCI DSS,2.2 - NIST AC-03
     4  PCI DSS,2.2 - NIST AC-04,2.2 - NIST IA-03,2.2 - NIST SC-07(5)
    11  PCI DSS,2.2 - NIST AC-05
     1  PCI DSS,2.2 - NIST AC-07(1)
    13  PCI DSS,2.2 - NIST AC-11
     1  PCI DSS,2.2 - NIST AC-17(1)
     1  PCI DSS,2.2 - NIST AU-02
    51  PCI DSS,2.2 - NIST CM-06
    57  PCI DSS,2.2 - NIST IA-05
     1  PCI DSS,2.2 - NIST MA-02(2)
     1  PCI DSS,2.2 - NIST SC-05
     5  PCI DSS,2.2 - NIST SC-06
    12  PCI DSS,2.2 - NIST SC-11
     9  PCI DSS,4.1
   187  PCI DSS,6.1
 95973  PCI DSS,7.1
   335  PCI DSS,7.2
    58  PCI DSS,8.1
     2  PCI DSS,8.2
     1  PCI DSS,8.4
   349  PCI DSS,8.5.10
     1  PCI DSS,8.5.11
     1  PCI DSS,8.5.12
     1  PCI DSS,8.5.14
    11  PCI DSS,8.5.9

*****
*****
***** Below is just a _sample_ of the detail records for the
***** summary shown above. Some of the names have been changed
***** to protect the guilty. It is the output from the command:
*****
*****     LJK/Security REPORT
*****

BOSTON  18-SEP-2008 16:45  completed  PCI

Node BOSTON Username DXD$SERVER has disable SET PASSWORD flag PCI DSS,8.5.9 (UAF, LOCKPWD, PROHIBITED)
Node BOSTON Username UCX$BIND has base priority of 8 which is higher than maximum of 4 PCI DSS,2.2 - NIST SC-06 (UAF, PRIO, ABSOLUTHI)
Node BOSTON Username FRED password minimum length value of 6 is lower than minimum of 8 for explicit privilege CMKRNL PCI DSS,8.5.10 (UAF, PWDMINLEN, ABSOLUTLO)
Node BOSTON Username JOHN password minimum length value of 31 is higher than maximum of 14 for explicit privilege TMPMBX PCI DSS,2.2 - NIST CM-06 (UAF, PWDMINLEN, ABSOLUTHI)
Node BOSTON Username FRED_PRIV has password lifetime of 0 days which is higher than maximum of 90 days for explicit privilege Category-System PCI DSS,8.5.9 (UAF, PWDLIFE, ABSOLUTHI)
Node BOSTON Username SIGHTLINE primary password guessed in 1 tries, which is lower than minimum of 10 for explicit privilege TMPMBX PCI DSS,8.5.11 (UAF, PWDGUESS, TRIES)
Node BOSTON Username DEMO lacks disable username flag PCI DSS,7.1 (UAF, DISUSER, REQUIRED)
Node BOSTON Username DEMO has null primary password PCI DSS,8.2 (UAF, PWDNULL, PRIPROHIB)
Node BOSTON Username DEMO has privileges at level Category-All which is higher than maximum of Category-None for a null primary password PCI DSS,8.2 (UAF, PWDNULL, PRIMAXPRIV)
Node BOSTON Username DEMO has privileges at level Category-All which is higher than maximum of Category-Devour for a null secondary password PCI DSS,2.2 - NIST AC-05 (UAF, PWDNULL, SECMAXPRIV)
Node BOSTON Username LINWOOD access authorization for hour 0 on primary days distinguishes based on lines being declared dialup PCI DSS,7.1 (UAF, DIALUP, DISTRUST)
Node BOSTON Username DXD$SERVER Primary day access allowed for 0 hours, which is lower than minimum of 7 PCI DSS,7.1 (UAF, HOURSPRI, ABSOLUTLO)
Node BOSTON Username DEFAULT Primary day access allowed for 24 hours, which is higher than maximum of 13 PCI DSS,7.1 (UAF, HOURSPRI, ABSOLUTHI)
Node BOSTON Username FRED_PRIV can obtain privileges at level Category-All because it shares UIC [FRED] with username FRED PCI DSS,7.1 (UAF, UICPRIV, ABSOLUTHI)
Node BOSTON Username DEFAULT Secondary day access allowed for 24 hours, which is higher than maximum of 0 PCI DSS,7.1 (UAF, HOURSSEC, ABSOLUTHI)
Node BOSTON Username FRED is among 8 usernames sharing UIC [FRED] which is higher than maximum of 5 PCI DSS,10.1 (UAF, UICSHARE, ABSOLUTHI)
Node BOSTON Username DEMO has privileges at level Category-All which is higher than maximum of Category-Normal PCI DSS,7.1 (UAF, PRIVLEVEL, ABSOLUTHI)
Node BOSTON Username DEFAULT primary password encryption algorithm AD_II is older than allowed PCI DSS,8.4 (UAF, PWDENCRYPT, OLD)
Node BOSTON Username MSAP$ACCOUNT has disable reconnection flag PCI DSS,2.2 - NIST AC-11 (UAF, DISRECON, PROHIBITED)
Node BOSTON Username FRED had 10 login failures since last success, which is higher than maximum of 3 PCI DSS,10.6 (UAF, LOGFAIL, FAILURES)
Node BOSTON Username DEMO is permitted login over LAT with privileges at level Category-All (e.g., via terminal _LTA0:) PCI DSS,7.1 (UAF, PRIVLGILAT, ABSOLUTHI)
Node BOSTON Username LINWOOD expires in 0 days ( 1-DEC-2005 00:00:00.00) which is shorter than the minimum of 10 days PCI DSS,8.1 (UAF, EXPIRATION, RELATIVLO)
Node BOSTON Username DEFAULT expires in 0 days (17-NOV-1858 00:00:00.00) which is longer than the maximum of 366 days PCI DSS,8.1 (UAF, EXPIRATION, RELATIVHI)
Node BOSTON Username DEMO is permitted network login with privileges at level Category-All PCI DSS,7.1 (UAF, PRIVLGINET, ABSOLUTHI)
Node BOSTON Username DEFAULT 0 days ago (17-NOV-1858 00:00:00.00) expired primary password compared to limit of 14 days when expiration has not yet been noticed PCI DSS,2.2 - NIST IA-05 (UAF, PWDEXPIRED, NOTNOTICED)
Node BOSTON Username MSAP$ACCOUNT 5010 days ago (31-DEC-1994 22:58:45.97) expired primary password compared to limit of 14 days when expiration has been noticed PCI DSS,2.2 - NIST IA-05 (UAF, PWDEXPIRED, NOTICED)
Node BOSTON Username FRED is permitted proxy login with privileges at level Category-All from node AS250A username FRED PCI DSS,7.1 (UAF, PRIVLGIPRX, ABSOLUTHI)
Node BOSTON Username DEFAULT last interactive login was 0 days ago (17-NOV-1858 00:00:00.00) which is longer than the maximum inactive period of 90 days (last non-interactive login was 17-NOV-1858 00:00:00.00) PCI DSS,7.2 (UAF, LASTLOGIN, INTERACT)
Node BOSTON Username DEFAULT last non-interactive login was 0 days ago (17-NOV-1858 00:00:00.00) which is longer than the maximum inactive period of 90 days (last interactive login was 17-NOV-1858 00:00:00.00) PCI DSS,7.2 (UAF, LASTLOGIN, OTHER)
Node BOSTON Username DEFAULT lacks disable control-Y flag PCI DSS,2.2 - NIST CM-06 (UAF, DISCTLY, REQUIRED)
Node BOSTON Username DEMO is permitted remote login with privileges at level Category-All PCI DSS,7.1 (UAF, PRIVLGIREM, ABSOLUTHI)
Node BOSTON Password History lifetime is 365 days which is lower than minimum of 547 days PCI DSS,8.5.12 (VMS, PWDHISTORY, MINLIFE)
Node BOSTON authorization file SYSUAF is in location DISK$COMMON:[SYSEXE]SYSUAF.DAT; when it is supposed to have location SYS$COMMON:[SYSEXE]SYSUAF.DAT PCI DSS,2.2 - NIST AC-03 (VMS, SYSUAF, LOCATION)
Node BOSTON system will not log ECC correction of memory errors (system parameter CRDENABLE) PCI DSS,2.2 - NIST MA-02(2) (VMS, CRDENABLE, REQUIRED)
Node BOSTON breakin attempts will disable usernames only temporarily (system parameter BRKDISUSER) PCI DSS,2.2 - NIST AC-07(1) (VMS, BRKDISUSER, REQUIRED)
Node BOSTON Duration seconds for breakin evasion LGI_HID_TIM is 300 which is lower than minimum of 1800 PCI DSS,8.5.14 (VMS, LGIHIDTIM, ABSOLUTLO)
Node BOSTON SECURITY_POLICY system parameter prevents UPPERCASEINPUT PCI DSS,11.4 (VMS, SECPOLICY, REQUIRED)
Node BOSTON Executor Default Access is BOTH in PERMANENT database when Default Incoming Access is prohibited PCI DSS,2.2 - NIST AC-04,2.2 - NIST IA-03,2.2 - NIST SC-07(5) (DECNET, DEFACCINC, PROHIBITED)
Node BOSTON Executor Default Access is BOTH in PERMANENT database when Default Outgoing Access is prohibited PCI DSS,2.2 - NIST AC-04,2.2 - NIST IA-03,2.2 - NIST SC-07(5) (DECNET, DEFACCOUT, PROHIBITED)
Node BOSTON FAL poor man's routing is present PCI DSS,2.2 - NIST AC-17(1) (DECNET, FALPOOROUT, PROHIBITED)
Node BOSTON Device _MBA5: protection is (SYSTEM,OWNER,GROUP,WORLD) which limits access narrower than minimum of (SYSTEM,OWNER:RWPL,GROUP,WORLD) PCI DSS,2.2 - NIST CM-06 (DEVICE, PROTECTION, ABSOLUTLO)
Node BOSTON Device _MBA1: allows 13 percent of users to have read access, which allows access wider than maximum of 10 percent PCI DSS,7.2 (DEVICE, PROTECTION, PERCENTHI)
Node BOSTON Device _MBA5: owner is [10,40] rather than default of [SYSTEM] PCI DSS,7.2 (DEVICE, OWNER, WRONG)
Node BOSTON Terminal _TTA0: reception of broadcast messages is disabled PCI DSS,2.2 - NIST CM-06 (TERM, BROADCAST, REQUIRED)
Node BOSTON Terminal _OPA0: disconnection is disabled PCI DSS,2.2 - NIST AC-11 (TERM, DISCONNECT, REQUIRED)
Node BOSTON Terminal _OPA0: hangup on logout is disabled PCI DSS,4.1 (TERM, HANGUP, REQUIRED)
Node BOSTON Terminal _OPA0: use of secure server is disabled PCI DSS,2.2 - NIST SC-11 (TERM, SECURE, REQUIRED)
Node BOSTON Terminal _OPA0: allows 13 percent of users to have read access, which allows access wider than maximum of 10 percent PCI DSS,7.1 (TERM, PROTECTION, PERCENTHI)
Node BOSTON Terminal _OPA0: typeahead buffer is enabled PCI DSS,7.1 (TERM, TYPEAHEAD, PROHIBITED)
Node BOSTON Mail file SYS$SYSDEVICE:[FRED.SYSMGR]PVMS.MAI;1 has protection of (SYSTEM:RWD,OWNER:RWD,GROUP,WORLD) which allows access wider than maximum of (SYSTEM:RW,OWNER:RW,GROUP,WORLD) PCI DSS,7.1 (DISK, MAILPROT, ABSOLUTHI)
Node BOSTON Mail file SYS$SYSDEVICE:[FRED]MAIL$DA2B6B7800050096.MAI;1 allows 17 percent of users to have read access, which allows access wider than maximum of 1 percent PCI DSS,7.1 (DISK, MAILPROT, PERCENTHI)
Node BOSTON Volume DISK$LJKVAX073: use of disk quotas is disabled PCI DSS,2.2 - NIST SC-05 (DISK, QUOTA, REQUIRED)
Node BOSTON Rdb/VMS file SYS$SYSDEVICE:[SYS0.SYSUPD.MSAU1012]DALDEMO.RDB;1 has protection of (SYSTEM:RWED,OWNER:RWED,GROUP:RWED,WORLD:RE) which allows access wider than maximum of (SYSTEM:RW,OWNER,GROUP,WORLD) PCI DSS,7.1 (DISK, RDBVMSPROT, ABSOLUTHI)
Node BOSTON Rdb/VMS file SYS$SYSDEVICE:[SYS0.SYSUPD.MSAU1012]DALDEMO.RDB;1 allows 100 percent of users to have read access, which allows access wider than maximum of 1 percent PCI DSS,7.1 (DISK, RDBVMSPROT, PERCENTHI)
Node BOSTON File SYS$SYSDEVICE:[DXD$SERVER]DXD$SCHEMA.DAT;41 has protection of (SYSTEM:RWD,OWNER:RWD,GROUP:R,WORLD:R) which limits access narrower than minimum of (SYSTEM:RWED,OWNER,GROUP,WORLD) PCI DSS,7.1 (DISK, FILEPROT, ABSOLUTLO)
Node BOSTON File SYS$SYSDEVICE:[MULTINET.LJKVAX.SYSCOMMON.MULTINET]NETWORK_DATABASE.;5 has protection of (SYSTEM:RWD,OWNER:RWD,GROUP:R,WORLD:R) which allows access wider than maximum of (SYSTEM:RWED,OWNER:RWED,GROUP:RE,WORLD) PCI DSS,7.1 (DISK, FILEPROT, ABSOLUTHI)
Node BOSTON File SYS$SYSDEVICE:[000000]BACKUP.SYS;1 allows 13 percent of users to have read access, which allows access wider than maximum of 10 percent PCI DSS,7.1 (DISK, FILEPROT, PERCENTHI)
Node BOSTON System executable file SYS$COMMON:[MULTINET]LOADABLE_XDM_CONTROL.EXE;1 has protection of (SYSTEM:RE,OWNER:RE,GROUP,WORLD) which limits access narrower than minimum of (SYSTEM:RWED,OWNER,GROUP,WORLD) PCI DSS,7.1 (DISK, SYSEXEPROT, ABSOLUTLO)
Node BOSTON System executable file SYS$COMMON:[SYSHLP.EXAMPLES.DECW]HELLOWORLD.EXE;1 has protection of (SYSTEM:RWED,OWNER:RWED,GROUP:RWED,WORLD:RE) which allows access wider than maximum of (SYSTEM:RWED,OWNER:RWED,GROUP:RE,WORLD:RE) PCI DSS,7.1 (DISK, SYSEXEPROT, ABSOLUTHI)
Node BOSTON System executable file SYS$COMMON:[ACM]ACEREC_AXP061.EXE;2 allows 13 percent of users to have write access, which allows access wider than maximum of 1 percent PCI DSS,7.1 (DISK, SYSEXEPROT, PERCENTHI)
Node BOSTON Specified file DISK$COMMON:[SYSEXE]SYSUAF.DAT;2 has protection of (SYSTEM:RWE,OWNER:RWE,GROUP:RWE,WORLD) which allows access wider than maximum of (SYSTEM:RWED,OWNER:RWED,GROUP,WORLD) (DISK, CHECKPROT, ABSOLUTHI)
Node BOSTON Specified file SYS$COMMON:[SYSMGR]SECURITY.AUDIT$JOURNAL;17 lacks Success Alarm ACL for read access, which is contrary to a policy exemption specific to that file (DISK, CHECKPROT, ALSREQUIRE)
Node BOSTON Specified file DISK$COMMON:[SYSMGR]VMS$AUDIT_SERVER.DAT;1 lacks Success Audit ACL for read access, which is contrary to a policy exemption specific to that file (DISK, CHECKPROT, AUSREQUIRE)
Node BOSTON File SYS$SYSDEVICE:[DXDV03_DXDDOCS]AVMS-INST.PS;3 has ACL containing UIC identifier [503,64] PCI DSS,7.2 (DISK, ACLIDENT, NOUIC)
Node BOSTON File SYS$COMMON:[SYSLIB]CDA$ACCESS.EXE;3 has SHA1 checksum of 43329A7252F107A45BA12EC95F5A2B7CD690D420, instead of exemption-specified value of 452C311E492588D6B95BBE5B8313A84D19EEEF3E (DISK, CHECKSUM, SHA1)
Node BOSTON Directory file SYS$SYSDEVICE:[000000]SYSEXE.DIR;1 has protection of (SYSTEM:R,OWNER:R,GROUP,WORLD) which limits access narrower than minimum of (SYSTEM:RWE,OWNER,GROUP,WORLD) PCI DSS,7.1 (DISK, DIRPROT, ABSOLUTLO)
Node BOSTON Directory file SYS$SYSDEVICE:[000000]000000.DIR;1 has protection of (SYSTEM:RWED,OWNER:RWED,GROUP:RE,WORLD:E) which allows access wider than maximum of (SYSTEM:RWED,OWNER:RWED,GROUP:RE,WORLD) PCI DSS,7.1 (DISK, DIRPROT, ABSOLUTHI)
Node BOSTON Directory file SYS$SYSDEVICE:[000000]000000.DIR;1 allows 13 percent of users to have read access, which allows access wider than maximum of 10 percent PCI DSS,7.1 (DISK, DIRPROT, PERCENTHI)
Node BOSTON File SYS$COMMON:[SYSEXE]ACS.EXE is installed as a known image PCI DSS,6.1 (DISK, INSTALLED, PROHIBITED)
Node BOSTON File SYS$COMMON:[SYSEXE]MSA$MANAGER.EXE is installed with privilege CMKRNL PCI DSS,6.1 (DISK, INSTPRIV, PRIVPROHIB)
Node BOSTON File SYS$COMMON:[SYSLIB]CMSPROSHR.EXE is installed as protected PCI DSS,6.1 (DISK, INSTPROT, PROHIBITED)
Node BOSTON READALL security audits are disabled for access type read PCI DSS,10.2.2 (AUDIT, READALL, AUREQUIRE)
Node BOSTON Failed Use of Privilege CMEXEC security audits are disabled PCI DSS,10.2.4 (AUDIT, PRVFAIL, AUREQUIRE)
Node BOSTON SYSPRV security audits are disabled for access type read PCI DSS,10.2.2 (AUDIT, SYSPRV, AUREQUIRE)
Node BOSTON Successful Use of Privilege CMEXEC security audits are disabled PCI DSS,10.2.2 (AUDIT, PRVSUCC, AUREQUIRE)
Node BOSTON BYPASS security audits are disabled for access type read PCI DSS,10.2.2 (AUDIT, BYPASS, AUREQUIRE)
Node BOSTON Object Creation security audits are disabled PCI DSS,10.2.7 (AUDIT, OBJCREATE, AUREQUIRE)
Node BOSTON Final Action of Crash is disabled PCI DSS,10.2 (AUDIT, FINCRASH, REQUIRED)
Node BOSTON Final Action of Ignore is disabled PCI DSS,10.2 (AUDIT, FINIGNORE, REQUIRED)
Node BOSTON Failure security audits are disabled for access type read PCI DSS,10.2.4 (AUDIT, FAILURE, AUREQUIRE)
Node BOSTON Ill-Formed Audit security audits are disabled PCI DSS,2.2 - NIST AU-02 (AUDIT, AUDILLFOR, AUREQUIRE)
Node BOSTON Persona Creation security audits are disabled PCI DSS,10.2.7 (AUDIT, PSBCREATE, AUREQUIRE)
Node BOSTON Persona Deletion security audits are disabled PCI DSS,10.2.7 (AUDIT, PSBDELETE, AUREQUIRE)
Node BOSTON Persona Modification security audits are disabled PCI DSS,10.2.7 (AUDIT, PSBMODIFY, AUREQUIRE)