*****
*****
***** This first part is a summary of an assessment based on
***** controls specified in NIST Special Publication 800-53.
***** It is the output from the command:
*****
*****     LJK/Security REPORT /SUMMARY=COMMENT
*****
*****
after < none > interval < none > BOSTON 6-MAR-2005 17:40 completed 800_53

 53 NIST SP 800-53 AC-02
 51 NIST SP 800-53 AC-02 Control Enhancement (3)
 14 NIST SP 800-53 AC-03
437 NIST SP 800-53 AC-06
  1 NIST SP 800-53 AC-07
  1 NIST SP 800-53 AC-07 Control Enhancement (1)
  1 NIST SP 800-53 AC-08
 17 NIST SP 800-53 AC-11
 52 NIST SP 800-53 AC-17
134 NIST SP 800-53 AU-02
  2 NIST SP 800-53 AU-05
  2 NIST SP 800-53 CM-06
  9 NIST SP 800-53 IA-02
208 NIST SP 800-53 IA-05
  2 NIST SP 800-53 IR-04
  1 NIST SP 800-53 IR-05
  6 NIST SP 800-53 SC-06
 17 NIST SP 800-53 SC-11
 16 NIST SP 800-53 SI-07

*****
*****
***** Below is just a _sample_ of the detail records for the
***** summary shown above. Some of the names have been changed
***** to protect the guilty. It is the output from the command:
*****
*****     LJK/Security REPORT
*****
*****
Node BOSTON Username DXD$SERVER has disable SET PASSWORD flag NIST SP 800-53 IA-05 (UAF, LOCKPWD, PROHIBITED)
Node BOSTON Username UCX$BIND has base priority of 8 which is higher than maximum of 4 NIST SP 800-53 SC-06 (UAF, PRIO, ABSOLUTHI)
Node BOSTON Username SYSTEM password minimum length value of 6 is lower than minimum of 8 for explicit privilege SETPRV NIST SP 800-53 IA-05 (UAF, PWDMINLEN, ABSOLUTLO)
Node BOSTON Username SYSTEM has password lifetime of 365 days which is higher than maximum of 90 days for explicit privilege Category-All NIST SP 800-53 IA-05 (UAF, PWDLIFE, ABSOLUTHI)
Node BOSTON Username DEMO has null primary password NIST SP 800-53 IA-02 (UAF, PWDNULL, PRIPROHIB)
Node BOSTON Username DEMO has privileges at level Category-All which is higher than maximum of Category-None for a null primary password NIST SP 800-53 IA-02 (UAF, PWDNULL, PRIMAXPRIV)
Node BOSTON Username DEMO has privileges at level Category-All which is higher than maximum of Category-Devour for a null secondary password NIST SP 800-53 IA-02 (UAF, PWDNULL, SECMAXPRIV)
Node BOSTON Username DXD$SERVER Primary day access allowed for 0 hours, which is lower than minimum of 7 NIST SP 800-53 AC-03 (UAF, HOURSPRI, ABSOLUTLO)
Node BOSTON Username DEFAULT Primary day access allowed for 24 hours, which is higher than maximum of 13 NIST SP 800-53 AC-03 (UAF, HOURSPRI, ABSOLUTHI)
Node BOSTON Username DEFAULT Secondary day access allowed for 24 hours, which is higher than maximum of 0 NIST SP 800-53 AC-03 (UAF, HOURSSEC, ABSOLUTHI)
Node BOSTON Username DXD$SERVER has privileges at level Category-None which is lower than minimum of Category-Normal NIST SP 800-53 AC-06 (UAF, PRIVLEVEL, ABSOLUTLO)
Node BOSTON Username DEMO has privileges at level Category-All which is higher than maximum of Category-Normal NIST SP 800-53 AC-06 (UAF, PRIVLEVEL, ABSOLUTHI)
Node BOSTON Username DEFAULT primary password encryption algorithm AD_II is older than allowed NIST SP 800-53 IA-05 (UAF, PWDENCRYPT, OLD)
Node BOSTON Username LARRY had 8 login failures since last success, which is higher than maximum of 3 NIST SP 800-53 IR-04 (UAF, LOGFAIL, FAILURES)
Node BOSTON Username DEMO is permitted login over LAT with privileges at level Category-All (e.g., via terminal _LTA0:) NIST SP 800-53 AC-17 (UAF, PRIVLGILAT, ABSOLUTHI)
Node BOSTON Username DEFAULT expires in 0 days (17-NOV-1858 00:00:00.00) which is longer than the maximum of 90 days NIST SP 800-53 AC-02 (UAF, EXPIRATION, RELATIVHI)
Node BOSTON Username DEMO is permitted network login with privileges at level Category-All NIST SP 800-53 AC-17 (UAF, PRIVLGINET, ABSOLUTHI)
Node BOSTON Username DEFAULT 0 days ago (17-NOV-1858 00:00:00.00) expired primary password compared to which is longer than the maximum inactive period of 90 days (last non-interactive login was 17-NOV-1858 00:00:00.00) NIST SP 800-53 AC-02 Control Enhancement (3) (UAF, LASTLOGIN, INTERACT)
Node BOSTON Username DEMO is permitted remote login with privileges at level Category-All NIST SP 800-53 AC-17 (UAF, PRIVLGIREM, ABSOLUTHI)
Node BOSTON Password History lifetime is 365 days which is lower than minimum of 547 days NIST SP 800-53 IA-05 (VMS, PWDHISTORY, MINLIFE)
Node BOSTON authorization file SYSUAF is in location DISK$COMMON:[SYSEXE]SYSUAF.DAT; when it is supposed to have location SYS$COMMON:[SYSEXE]SYSUAF.DAT NIST SP 800-53 AC-03 (VMS, SYSUAF, LOCATION)
Node BOSTON SYS$ANNOUNCE message does not contain required text NIST SP 800-53 AC-08 (VMS, ANNOUNCE, CONTAINS)
Node BOSTON breakin attempts will disable usernames only temporarily (system parameter BRKDISUSER) NIST SP 800-53 AC-07 Control Enhancement (1) (VMS, BRKDISUSER, REQUIRED)
Node BOSTON login from username SYSTEM is allowed for dialup processes NIST SP 800-53 AC-17 (VMS, SYSTEMLGI, PROHIBITED)
Node BOSTON Duration seconds for breakin evasion LGI_HID_TIM is 300 which is lower than minimum of 600 NIST SP 800-53 AC-07 (VMS, LGIHIDTIM, ABSOLUTLO)
Node BOSTON System parameter LGI_CALLOUT is 0 which is lower than minimum of 1 NIST SP 800-53 IA-05 (VMS, LGICALLOUT, ABSOLUTLO)
Node BOSTON SECURITY_POLICY system parameter prevents UPPERCASEINPUT NIST SP 800-53 CM-06 (VMS, SECPOLICY, REQUIRED)
Node BOSTON Executor Default Access is BOTH in VOLATILE database when Default Incoming Access is prohibited NIST SP 800-53 AC-17 (DECNET, DEFACCINC, PROHIBITED)
Node BOSTON Executor Default Access is BOTH in VOLATILE database when Default Outgoing Access is prohibited NIST SP 800-53 AC-17 (DECNET, DEFACCOUT, PROHIBITED)
Node BOSTON FAL poor man's routing is present NIST SP 800-53 AC-17 (DECNET, FALPOOROUT, PROHIBITED)
Node BOSTON Device _MBA11: allows 100 percent of users to have read access, which allows access wider than maximum of 10 percent NIST SP 800-53 AC-06 (DEVICE, PROTECTION, PERCENTHI)
Node BOSTON Device _MBA6: owner is [10,40] rather than default of [SYSTEM] NIST SP 800-53 AC-06 (DEVICE, OWNER, WRONG)
Node BOSTON Terminal _TTA5: disconnection is disabled NIST SP 800-53 AC-11 (TERM, DISCONNECT, REQUIRED)
Node BOSTON Terminal _TTA5: hangup on logout is disabled NIST SP 800-53 AC-17 (TERM, HANGUP, REQUIRED)
Node BOSTON Terminal _OPA0: use of secure server is disabled NIST SP 800-53 SC-11 (TERM, SECURE, REQUIRED)
Node BOSTON Terminal _FTA9: allows 100 percent of users to have read access, which allows access wider than maximum of 10 percent NIST SP 800-53 AC-06 (TERM, PROTECTION, PERCENTHI)
Node BOSTON Terminal _TTA3: typeahead buffer is enabled NIST SP 800-53 AC-17 (TERM, TYPEAHEAD, PROHIBITED)
Node BOSTON Volume DISK$BOSTON0731: use of disk quotas is disabled NIST SP 800-53 SC-06 (DISK, QUOTA, REQUIRED)
Node BOSTON File DISK$USER:[FINANCE]PAYROLL.DAT;1 has protection of (SYSTEM:RWED,OWNER:RWED,GROUP:RE,WORLD:RE) which allows access wider than maximum of (SYSTEM:RWED,OWNER:RWED,GROUP:RE,WORLD) NIST SP 800-53 AC-06 (DISK, DIRPROT, ABSOLUTHI)
Node BOSTON Directory file SYS$SYSDEVICE:[000000]SYS0.DIR;1 allows 100 percent of users to have read access, which allows access wider than maximum of 10 percent NIST SP 800-53 AC-06 (DISK, DIRPROT, PERCENTHI)
Node BOSTON File DISK$USER:[PHIL.HACKS]LIBRTL.EXE is installed as a known image NIST SP 800-53 SI-07 (DISK, INSTALLED, PROHIBITED)
Node BOSTON File SYS$COMMON:[SYSEXE]DELETE.EXE is installed with privilege BYPASS NIST SP 800-53 SI-07 (DISK, INSTPRIV, PRIVPROHIB)
Node BOSTON File SYS$COMMON:[SYSLIB]CDSA$DAALPROXY_SHR.EXE is installed as protected NIST SP 800-53 SI-07 (DISK, INSTPROT, PROHIBITED)
Node BOSTON Mount security audits are disabled NIST SP 800-53 AU-02 (AUDIT, MOUNT, AUREQUIRE)
Node BOSTON Access Control List security alarms are disabled NIST SP 800-53 IR-05 (AUDIT, ACL, ALREQUIRE)
Node BOSTON BYPASS security audits are disabled for access type delete NIST SP 800-53 AU-02 (AUDIT, BYPASS, AUREQUIRE)