$TXT Created by H. at KRNDEV.FO-OAKLAND.DOMAIN.EXT (KIDS) on Wednesday, 06/11/25 at 06:24
=============================================================================
Run Date: AUG 05, 2025                     Designation: DI*22.2*29
Package : DI - VA FILEMAN                     Priority: Mandatory
Version : 22.2        SEQ #25                   Status: Released
                  Compliance Date: SEP 05, 2025
=============================================================================

Associated patches: (v)DI*22.2*27  <<= must be installed BEFORE
                     `DI*22.2*29'

Subject: AUDIT PURGE OPTION SECURITY

Category:
  - Routine

Description:
============

Patch DI*22.2*29 adds additional security constraints to the Audit Purge
options. These constraints restrict access to privileged users with
DUZ(0) of "@" for options PURGE DATA AUDITS and PURGE DD AUDITS.

EHRM Impact Statement:
----------------------
This patch should have no EHRM impact, and can be installed at all sites,
including EHRM converted sites.

Patch Components:
-----------------

Files & Fields Associated:

File Name (Number)         Field Name (Number)     New/Modified/Deleted
------------------         -------------------     --------------------
N/A

Forms Associated:

Form Name                  File Number             New/Modified/Deleted
---------                  -----------             --------------------
N/A

Mail Groups Associated:

Mail Group Name            New/Modified/Deleted
---------------            --------------------
N/A

Options Associated:

Option Name                Type                    New/Modified/Deleted
-----------                ----                    --------------------
N/A

Protocols Associated:

Protocol Name              New/Modified/Deleted
-------------              --------------------
N/A

Security Keys Associated:

Security Key Name
-----------------
N/A

Templates Associated:

Template Name      Type      File Name (Number)    New/Modified/Deleted
-------------      ----      ------------------    --------------------
N/A

Remote Procedures Associated:

Remote Procedure Name      New/Modified/Deleted
---------------------      --------------------
N/A

Parameter Definitions Associated:

Parameter Name             New/Modified/Deleted
--------------             --------------------
N/A

Additional Information:
-----------------------
New Service Requests (NSRs): N/A

Patient Safety Issues (PSIs): N/A

Defect Tracking System Ticket(s) & Overview:
--------------------------------------------
INC26797410 FM and KP3 File Access Security Audit Property Concern

Problem:
--------
During a review of the FM and Kernel 8 Access Security (KP3) manual, and
observation on how KP3 was implemented at multiple FR3 sites, if not all,
I discovered a potential security concern that I believe will allow
non-elevated privileged users the ability to complete what should be
elevated privilege actions.

Note: While my example identifies only one such example at Cleveland, I
believe this potential security concern could exist on all VistA
Production sites as a result of this KP3 deficiency. In fact, on HUN, an
ISO has access to the whole DIAUDIT menu option and if this 'Audit'
security property vulnerability is confirmed legitimate, then her DIAUDIT
access should be construed as a Segregation of Duties violation.

Resolution:
-----------
Modify routine DIAU so that only users with DUZ(0)=@ can make deletions
using options PURGE DATA AUDITS and PURGE DD AUDITS.

Test Sites:                SNOW Change Order #:
-----------                --------------------
Tomah VAMC                 CHG0626534
Fort Harrison VAMC         CHG0626563
Miami VAMC                 CHG0627105

Software and Documentation Retrieval Instructions:
--------------------------------------------------
The software for this patch is being released in a PackMan message.
Documentation is not included in this release.

Patch Installation:
-------------------

Pre/Post Installation Overview:
-------------------------------
There are no Pre/Post installation routine processes.

Pre-Installation Instructions:
------------------------------
This patch may be installed with users on the system although it is
recommended that it be installed during non-peak hours to minimize
potential disruption to users. This patch should take less than 5
minutes to install.

There are no options to disable.

Installation Instructions:

1.  Choose the PackMan message containing this build. Then select the
    INSTALL/CHECK MESSAGE PackMan option to load the build.

2.  From the Kernel Installation and Distribution System Menu, select
    the Installation Menu. From this menu,

    A.  Select the Verify Checksums in Transport Global option to
        confirm the integrity of the routines that are in the transport
        global. When prompted for the INSTALL NAME enter DI*22.2*29

        NOTE: Using <spacebar><enter> will not bring up a Multi-Package
        build even if it was loaded immediately before this step. It
        will only bring up the last patch in the build.

    B.  Select the Backup a Transport Global option to create a backup
        message. You must use this option and specify what to backup;
        the entire Build or just Routines. The backup message can be
        used to restore the routines and components of the build to the
        pre-patch condition.

        i.   At the Installation option menu, select Backup a Transport
             Global
        ii.  At the Select INSTALL NAME prompt, enter your build
             DI*22.2*29
        iii. When prompted for the following, enter "R" for Routines or
             "B" for Build.

                  Select one of the following:

                       B         Build
                       R         Routines

                  Enter response: Build

        iv.  When prompted "Do you wish to secure this message? NO//",
             press <Enter> and take the default response of "NO".
        v.   When prompted with, "Send mail to: Last name, First Name",
             press <Enter> to take default recipient. Add any additional
             recipients.
        vi.  When prompted with "Select basket to send to: IN//", press
             <Enter> and take the default IN mailbox or select a
             different mailbox.

    C.  You may also elect to use the following options:

        i.   Print Transport Global - This option will allow you to view
             the components of the KIDS build.
        ii.  Compare Transport Global to Current System - This option
             will allow you to view all changes that will be made when
             this patch is installed. It compares all of the components
             of this patch, such as routines, DDs, templates, etc.

    D.  Select the Install Package(s) option and choose the patch to
        install.

        i.   If prompted 'Want KIDS to Rebuild Menu Trees Upon Completion
             of Install? NO//', press <Enter> and take the default
             response of "NO".
        ii.  When prompted 'Want KIDS to INHIBIT LOGONs during the
             install? NO//', press <Enter> and take the default response
             of "NO".
        iii. When prompted 'Want to DISABLE Scheduled Options, Menu
             Options, and Protocols? NO//', press <Enter> and take the
             default response of "NO".

Post-Installation Instructions:
-------------------------------
none

Back-Out/Roll Back Plan:
------------------------
If rollback/backout is required, the installer can use the PackMan
message containing the backup build. The PackMan message subject will
begin with "Backup of DI*22.2*29". The installer will select the
INSTALL/CHECK MESSAGE PackMan option to load the backup build. Install
the backup build using the Kernel Installation and Distribution System
Menu.

If assistance is needed, please submit a SNOW ticket.

Routine Information:
====================
The second line of each of these routines now looks like:
 ;;22.2;VA FileMan;**[Patch List]**;Jan 05, 2016;Build 7

The checksums below are new checksums, and
 can be checked with CHECK1^XTSUMBLD.

Routine Name: DIAU
    Before: B44643812   After: B45398523  **27,29**

=============================================================================
User Information:
Entered By  :                               Date Entered  : FEB 14, 2024
Completed By:                               Date Completed: AUG 05, 2025
Released By :                               Date Released : AUG 05, 2025
=============================================================================

Packman Mail Message:
=====================

$END TXT
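
Added example (not part of the patch description or of VA FileMan code): after an install or a back-out, the checksum a site reports for DIAU can be compared with the Before/After values under Routine Information to tell a patched routine from a pre-patch or locally modified one. The function names and the shape of the `observed` input are assumptions; the checksum is transcribed from the site's CHECK1^XTSUMBLD output, not computed here.

```python
import re

# Constructed sample: the Routine Information entry from this patch
# description, with the checksum values copied from the page.
PATCH_TEXT = """\
Routine Name: DIAU
    Before: B44643812   After: B45398523  **27,29**
"""

# One entry: routine name, Before/After checksums, and the patch list.
ROUTINE_RE = re.compile(
    r"Routine Name:\s*(?P<name>[%A-Z][A-Z0-9]{0,15})\s+"
    r"Before:\s*(?P<before>B?\d+|n/a)\s+"
    r"After:\s*(?P<after>B?\d+|n/a)\s+"
    r"\*\*(?P<patches>[\d,]+)\*\*",
    re.IGNORECASE,
)

def parse_routines(text):
    """Return {routine: {"before", "after", "patches"}} from a description."""
    out = {}
    for m in ROUTINE_RE.finditer(text):
        out[m["name"].upper()] = {
            "before": m["before"].upper(),
            "after": m["after"].upper(),
            "patches": [int(p) for p in m["patches"].split(",")],
        }
    return out

def classify(expected, observed):
    """Compare site-reported checksums with the description's values.

    observed (assumed format) maps routine name -> checksum string as
    reported on the site, e.g. {"DIAU": "B45398523"}.
    """
    result = {}
    for name, exp in expected.items():
        seen = observed.get(name)
        if seen is None:
            result[name] = "missing"      # routine was not checked
        elif seen.upper() == exp["after"]:
            result[name] = "patched"      # DUZ(0) restriction is in place
        elif seen.upper() == exp["before"]:
            result[name] = "pre-patch"    # not installed, or backed out
        else:
            result[name] = "unexpected"   # matches neither value: review
    return result
```

An "unexpected" result means the routine on the site matches neither the pre-patch nor the post-patch checksum listed in this description.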