$TXT Created by KRNIRIS.FO-OAKLAND.DOMAIN.EXT (KIDS) on Wednesday, 08/09/23 at 10:48
=============================================================================
Run Date: NOV 01, 2023                     Designation: XU*8*788
Package : XU - KERNEL                         Priority: Mandatory
Version : 8       SEQ #630                      Status: Released
                  Compliance Date: DEC 02, 2023
=============================================================================

Subject: SET AUDIT FOR KERNEL FILES

Category:
  - Data Dictionary
  - Other
  - Routine

Description:
============

 There was a network outage that caused the Computerized Patient Record
 System (CPRS) to be unavailable at the San Diego, CA VA Medical Center.
 The affected end-users were unable to access CPRS with their Personal
 Identity Verification (PIV) login. The issue was due to Infrastructure
 Operations technicians who modified parameters that were incorrect in the
 system. To resolve this issue, Kernel Patch XU*8.0*788 sets up audits,
 locks, and a listing of menu options that have security keys to prevent
 this from occurring again.

 Patch Components:
 -----------------

 Files & Fields Associated:

 File Name (Number)                 Field Name (Number)                   New/Modified/Deleted
 ------------------                 -------------------                   --------------------
 NEW PERSON(#200)                   ACCESS CODE(#2)                       Modified
 NEW PERSON(#200)                   FILE MANAGER ACCESS CODE(#3)          Modified
 NEW PERSON(#200)                   DISUSER (#7)                          Modified
 NEW PERSON(#200)                   VERIFY CODE never expires(#7.2)       Modified
 NEW PERSON(#200)                   TERMINATION DATE(#9.2)                Modified
 NEW PERSON(#200)                   TERMINATION REASON(#9.4)              Modified
 NEW PERSON(#200)                   VERIFY CODE(#11)                      Modified
 NEW PERSON(#200)                   FILE RANGE(#31.1)                     Modified
 NEW PERSON(#200)                   ACCESSIBLE FILE(#32)                  Modified
 NEW PERSON(#200)                   KEYS(#51)                             Modified
 NEW PERSON(#200)                   TIMED READ(#200.1)                    Modified
 KERNEL SYSTEM PARAMETERS(#8989.3)  DOMAIN NAME(#.01)                     Modified
 KERNEL SYSTEM PARAMETERS(#8989.3)  AGENCY CODE(#9)                       Modified
 KERNEL SYSTEM PARAMETERS(#8989.3)  ROUTINE MONITORING(#9.8)              Modified
 KERNEL SYSTEM PARAMETERS(#8989.3)  ROUTINE N-SPACE TO MONITOR(#9.81)     Modified
 KERNEL SYSTEM PARAMETERS(#8989.3)  AUTO-GENERATE ACCESS CODES(#11)       Modified
 KERNEL SYSTEM PARAMETERS(#8989.3)  AUTO-GENERATE VERIFY CODES(#11.2)     Modified
 KERNEL SYSTEM PARAMETERS(#8989.3)  NEW PERSON IDENTIFIERS(#21)           Modified
 KERNEL SYSTEM PARAMETERS(#8989.3)  CCOW TOKEN TIMEOUT(#30.1)             Modified
 KERNEL SYSTEM PARAMETERS(#8989.3)  MAX SPOOL LINES PER USER(#31.1)       Modified
 KERNEL SYSTEM PARAMETERS(#8989.3)  MAX SPOOL DOCUMENTS PER USER(#31.2)   Modified
 KERNEL SYSTEM PARAMETERS(#8989.3)  MAX SPOOL DOCUMENT LIFE-SPAN(#31.3)   Modified
 KERNEL SYSTEM PARAMETERS(#8989.3)  VOLUME SET(#41)                       Modified
 KERNEL SYSTEM PARAMETERS(#8989.3)  DNS IP(#51)                           Modified
 KERNEL SYSTEM PARAMETERS(#8989.3)  DEFAULT # OF ATTEMPTS(#202)           Modified
 KERNEL SYSTEM PARAMETERS(#8989.3)  DEFAULT LOCK-OUT TIME(#203)           Modified
 KERNEL SYSTEM PARAMETERS(#8989.3)  DEFAULT MULTIPLE SIGN-ON(#204)        Modified
 KERNEL SYSTEM PARAMETERS(#8989.3)  ASK DEVICE TYPE AT SIGN-ON(#205)      Modified
 KERNEL SYSTEM PARAMETERS(#8989.3)  DEFAULT AUTO-MENU(#205)               Modified
 KERNEL SYSTEM PARAMETERS(#8989.3)  DEFAULT LANGUAGE(#207)                Modified
 KERNEL SYSTEM PARAMETERS(#8989.3)  DEFAULT TYPE-AHEAD(#209)              Modified
 KERNEL SYSTEM PARAMETERS(#8989.3)  DEFAULT TIMED-READ (SECONDS)(#210)    Modified
 KERNEL SYSTEM PARAMETERS(#8989.3)  BYPASS DEVICE LOCK-OUT(#211)          Modified
 KERNEL SYSTEM PARAMETERS(#8989.3)  LIFETIME OF VERIFY CODE(#214)         Modified
 KERNEL SYSTEM PARAMETERS(#8989.3)  DEFAULT INSTITUTION(#217)             Modified
 KERNEL SYSTEM PARAMETERS(#8989.3)  DEFAULT AUTO SIGN-ON(#218)            Modified
 KERNEL SYSTEM PARAMETERS(#8989.3)  DEFAULT MULTIPLE SIGN-ON LIMIT(#219)  Modified
 KERNEL SYSTEM PARAMETERS(#8989.3)  STRICT TOKEN VALIDATION(#220)         Modified
 KERNEL SYSTEM PARAMETERS(#8989.3)  BROKER ACTIVITY TIMEOUT(#230)         Modified
 KERNEL SYSTEM PARAMETERS(#8989.3)  PRIMARY HFS DIRECTORY(#320)           Modified
 KERNEL SYSTEM PARAMETERS(#8989.3)  SECONDARY HFS DIRECTORY(#320.2)       Modified
 DEVICE (#3.5)                      NAME(#.01)                            Modified
 DEVICE (#3.5)                      LOCATION OF TERMINAL(#.02)            Modified
 DEVICE (#3.5)                      $I(#1)                                Modified
 DEVICE (#3.5)                      SUBTYPE(#3)                           Modified
 TASKMAN SITE PARAMETERS (#14.7)    BOX-VOLUME PAIR(#.01)                 Modified
 TASKMAN SITE PARAMETERS (#14.7)    LOG TASKS?(#2)                        Modified
 TASKMAN SITE PARAMETERS (#14.7)    DEFAULT TASK PRIORITY(#3)             Modified
 TASKMAN SITE PARAMETERS (#14.7)    TASK PARTITION SIZE(#4)               Modified
 TASKMAN SITE PARAMETERS (#14.7)    SUBMANAGER RETENTION TIME(#5)         Modified
 TASKMAN SITE PARAMETERS (#14.7)    TASKMAN JOB LIMIT(#6)                 Modified
 TASKMAN SITE PARAMETERS (#14.7)    TASKMAN HANG BETWEEN NEW JOBS(#7)     Modified
 TASKMAN SITE PARAMETERS (#14.7)    MODE OF TASKMAN(#8)                   Modified
 TASKMAN SITE PARAMETERS (#14.7)    VAX ENVIROMENT FOR DCL(#9)            Modified
 TASKMAN SITE PARAMETERS (#14.7)    MIN SUBMANAGER CNT(#11)               Modified
 TASKMAN SITE PARAMETERS (#14.7)    TM MASTER(#12)                        Modified
 TASKMAN SITE PARAMETERS (#14.7)    Balance Interval(#13)                 Modified
 TASKMAN SITE PARAMETERS (#14.7)    LOAD BALANCE ROUTINE(#21)             Modified
 VOLUME SET(#14.5)                  VOLUME SET(#.01)                      Modified
 VOLUME SET(#14.5)                  TYPE(#.1)                             Modified
 VOLUME SET(#14.5)                  INHIBIT LOGONS?(#1)                   Modified
 VOLUME SET(#14.5)                  LINK ACCESS?(#2)                      Modified
 VOLUME SET(#14.5)                  OUT OF SERVICE?(#3)                   Modified
 VOLUME SET(#14.5)                  REQUIRED VOLUME SET?(#4)              Modified
 VOLUME SET(#14.5)                  TASKMAN FILES UCI(#5)                 Modified
 VOLUME SET(#14.5)                  TASKMAN FILES VOLUME SET(#6)          Modified
 VOLUME SET(#14.5)                  REPLACEMENT VOLUME SET(#7)            Modified
 VOLUME SET(#14.5)                  DAYS TO KEEP OLD TASKS(#8)            Modified
 VOLUME SET(#14.5)                  SIGNON/PRODUCTION VOLUME SET(#9)      Modified
 VOLUME SET(#14.5)                  RE-QUEUES BEFORE UN-SCHEDULE(#10)     Modified

 Forms Associated:

 Form Name             File Number           New/Modified/Deleted
 ---------             -----------           --------------------
 N/A

 Mail Groups Associated:

 Mail Group Name       New/Modified/Deleted
 ---------------       --------------------
 N/A

 Options Associated:

 Option Name           Type                  New/Modified/Deleted
 -----------           ----                  --------------------
 XUSITEPARM            ACTION                Modified
 XUFILEGRANT           RUN ROUTINE           Modified
 XUFILESINGLEADD       EDIT                  Modified
 XUFILERANGEASSIGN     EDIT                  Modified

 Protocols Associated:

 Protocol Name         New/Modified/Deleted
 -------------         --------------------
 N/A

 Security Keys Associated:

 Security Key Name
 -----------------
 N/A

 Template Name    Type    File Name (Number)    New/Modified/Deleted
 -------------    ----    ------------------    --------------------
 N/A

 Remote Procedures Associated:

 Remote Procedure Name       New/Modified/Deleted
 ---------------------       --------------------
 N/A

 Parameter Definitions Associated:

 Parameter Name              New/Modified/Deleted
 --------------              --------------------
 N/A

 Additional Information:
 -----------------------

 New Service Requests (NSRs): N/A

 Patient Safety Issues (PSIs): N/A

 Defect Tracking System Ticket(s) & Overview:

 SCTASK12767764 - Parent request: SCTASK11920799

 "Due to the events at SDC (INC26930788) yesterday and the incident at MIW
 (INC26566451) in March. Jimmy Sallee, supervisor for the Kernel
 Applications Team and I would like to review "sensitive" VistA Kernel
 menus. We would like to identify menu options that can be locked with the
 XUPROG key to avoid inadvertent user actions.
 We both feel this should be a Kernel patch to avoid any changes being
 overwritten by future patches."

 Problem:
 --------
 Untracked modifications have been occurring on important fields in the
 NEW PERSON file.

 Resolution:
 -----------
 1) Turn on AUDIT for the following FILEs/FIELDs:

    a) File NEW PERSON(#200)

       Field#   Field Name
       2        ACCESS CODE
       3        FILE MANAGER ACCESS CODE
       7        DISUSER
       7.2      VERIFY CODE never expires
       9.2      TERMINATION DATE
       9.4      Termination Reason
       11       VERIFY CODE
       31.1     FILE RANGE
       32       ACCESSIBLE FILE (multiple)
                  .001  FILE NUMBER
                  .01   ACCESSIBLE FILE
                  1     DATA DICTIONARY ACCESS
                  2     DELETE ACCESS
                  3     LAYGO ACCESS
                  4     READ ACCESS
                  5     WRITE ACCESS
                  6     AUDIT ACCESS
       51       KEYS (multiple)
                  .01   KEY
                  1     GIVEN BY
                  2     DATE GIVEN
       200.1    TIMED READ (# OF SECONDS)

    b) File KERNEL SYSTEM PARAMETERS(#8989.3)

       Field#   Field Name
       .01      DOMAIN NAME
       9        AGENCY CODE
       9.8      ROUTINE MONITORING
       9.81     ROUTINE N-SPACE TO MONITOR (multiple)
       11       AUTO-GENERATE ACCESS CODES
       11.2     AUTO-GENERATE VERIFY CODES
       21       NEW PERSON IDENTIFIERS
       30.1     CCOW TOKEN TIMEOUT
       31.1     MAX SPOOL LINES PER USER
       31.2     MAX SPOOL DOCUMENTS PER USER
       31.3     MAX SPOOL DOCUMENT LIFE-SPAN
       41       VOLUME SET (multiple)
                  .01   VOLUME SET
                  .2    MAX SIGNON ALLOWED
       51       DNS IP
       202      DEFAULT # OF ATTEMPTS
       203      DEFAULT LOCK-OUT TIME
       204      DEFAULT MULTIPLE SIGN-ON
       205      ASK DEVICE TYPE AT SIGN-ON
       206      DEFAULT AUTO-MENU
       207      DEFAULT LANGUAGE
       209      DEFAULT TYPE-AHEAD
       210      DEFAULT TIMED-READ (SECONDS)
       211      BYPASS DEVICE LOCK-OUT
       214      LIFETIME OF VERIFY CODE
       217      DEFAULT INSTITUTION
       218      DEFAULT AUTO SIGN-ON
       219      DEFAULT MULTIPLE SIGN-ON LIMIT
       220      STRICT TOKEN VALIDATION
       230      BROKER ACTIVITY TIMEOUT
       320      PRIMARY HFS DIRECTORY
       320.2    SECONDARY HFS DIRECTORY

    c) File DEVICE (#3.5)

       Field#   Field Name
       .01      NAME
       .02      LOCATION OF TERMINAL
       1        $I
       3        SUBTYPE

    d) File TASKMAN SITE PARAMETERS (#14.7)

       Field#   Field Name
       .01      BOX-VOLUME PAIR
       2        LOG TASKS?
       3        DEFAULT TASK PRIORITY
       4        TASK PARTITION SIZE
       5        SUBMANAGER RETENTION TIME
       6        TASKMAN JOB LIMIT
       7        TASKMAN HANG BETWEEN NEW JOBS
       8        MODE OF TASKMAN
       9        VAX ENVIROMENT FOR DCL
       11       MIN SUBMANAGER CNT
       12       TM MASTER
       13       Balance Interval
       21       LOAD BALANCE ROUTINE

    e) File VOLUME SET(#14.5)

       Field#   Field Name
       .01      VOLUME SET
       .1       TYPE
       1        INHIBIT LOGONS?
       2        LINK ACCESS?
       3        OUT OF SERVICE?
       4        REQUIRED VOLUME SET?
       5        TASKMAN FILES UCI
       6        TASKMAN FILES VOLUME SET
       7        REPLACEMENT VOLUME SET
       8        DAYS TO KEEP OLD TASKS
       9        SIGNON/PRODUCTION VOLUME SET
       10       RE-QUEUES BEFORE UN-SCHEDULE

 2) Set LOCK for the following Kernel Options:

    a) Enter/Edit Kernel Site Parameters [XUSITEPARM]
       - Add the LOCK [XUPROG]

    b) Grant Users' Access to a Set of Files [XUFILEGRANT]
       - Add the LOCK [XUMGR]
       - Set ENTRY ACTION: S R2DUZ=$G(DUZ(0)),DUZ(0)="@"
       - Set EXIT ACTION : K V,W,C,DI,DISYS,DQ,%X,%Y,DLAYGO S DUZ(0)=$G(R2DUZ)

    c) Single file add/delete for a user [XUFILESINGLEADD]
       - Add the LOCK [XUMGR]
       - Set ENTRY ACTION: S R2DUZ=$G(DUZ(0)),DUZ(0)="@"
       - Set EXIT ACTION : K V,W,C,DI,DISYS,DQ,%X,%Y,DLAYGO S DUZ(0)=$G(R2DUZ)

    d) Assign/Delete a File Range [XUFILERANGEASSIGN]
       - Add the LOCK [XUMGR]
       - Set ENTRY ACTION: S R2DUZ=$G(DUZ(0)),DUZ(0)="@"
       - Set EXIT ACTION : K V,W,C,DI,DISYS,DQ,%X,%Y,DLAYGO S DUZ(0)=$G(R2DUZ)

 Test Sites:            Change Order #:
 ---------------------------------------
 Iron Mountain VAMC     CHG0416721
 Pittsburgh VAMC        CHG0414038

 Software and Documentation Retrieval Instructions:
 --------------------------------------------------
 The software for this patch is being released in a PackMan message.

 Documentation describing the new functionality is not included in this
 release.

 Patch Installation:

 Pre/Post Installation Overview:
 -------------------------------
 No post install instructions

 Pre-Installation Instructions:
 ------------------------------
 This patch may be installed with users on the system although it is
 recommended that it be installed during non-peak hours to minimize
 potential disruption to users. This patch should take less than 5 minutes
 to install.

 Installation Instructions:
 --------------------------
 1. Choose the PackMan message containing this build. Then select the
    INSTALL/CHECK MESSAGE PackMan option to load the build.

 2. From the Kernel Installation and Distribution System Menu, select the
    Installation Menu. From this menu,

    A. Select the Verify Checksums in Transport Global option to confirm
       the integrity of the routines that are in the transport global.
       When prompted for the INSTALL NAME enter XU*8*788

       NOTE: Using will not bring up a Multi-Package build even if it was
       loaded immediately before this step. It will only bring up the
       last patch in the build.

    B. Select the Backup a Transport Global option to create a backup
       message. You must use this option and specify what to backup; the
       entire Build or just Routines. The backup message can be used to
       restore the routines and components of the build to the pre-patch
       condition.

       i.   At the Installation option menu, select Backup a Transport
            Global
       ii.  At the Select INSTALL NAME prompt, enter your build XU*8*788
       iii. When prompted for the following, enter "R" for Routines or
            "B" for Build.

              Select one of the following:

                   B         Build
                   R         Routines

              Enter response: Build

       iv.  When prompted "Do you wish to secure this message? NO//",
            press Enter and take the default response of "NO".
       v.   When prompted with, "Send mail to: Last name, First Name",
            press Enter to take the default recipient. Add any additional
            recipients.
       vi.  When prompted with "Select basket to send to: IN//", press
            Enter and take the default IN mailbox or select a different
            mailbox.

    C. You may also elect to use the following options:

       i.   Print Transport Global - This option will allow you to view
            the components of the KIDS build.
       ii.  Compare Transport Global to Current System - This option will
            allow you to view all changes that will be made when this
            patch is installed. It compares all of the components of this
            patch, such as routines, DDs, templates, etc.

    D. Select the Install Package(s) option and choose the patch to
       install.

       i.   If prompted 'Want KIDS to Rebuild Menu Trees Upon Completion
            of Install? NO//', press Enter and take the default response
            of "NO".
       ii.  When prompted 'Want KIDS to INHIBIT LOGONs during the
            install? NO//', press Enter and take the default response of
            "NO".
       iii. When prompted 'Want to DISABLE Scheduled Options, Menu
            Options, and Protocols? NO//', press Enter and take the
            default response of "NO".

 Post-Installation Instructions:
 -------------------------------
 none

 Back-Out/Roll Back Plan:
 -------------------------------
 To roll back/back out this patch, install the backup message created
 with the Backup a Transport Global option in step (2B) of the
 "Installation Instructions" section. If assistance is needed to roll
 back/back out the patch, please log a SNOW ticket so the development
 team can assist.

Routine Information:
====================
The second line of each of these routines now looks like:
 ;;8.0;KERNEL;**[Patch List]**;Jul 10, 1995;Build 2

The checksums below are new checksums, and
 can be checked with CHECK1^XTSUMBLD.

Routine Name: XUS8P788
    Before:       n/a   After:  B5142132  **788**

=============================================================================
User Information:
Entered By  :                               Date Entered  : JUL 03, 2023
Completed By:                               Date Completed: NOV 01, 2023
Released By :                               Date Released : NOV 01, 2023
=============================================================================

Packman Mail Message:
=====================

$END TXT
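
A post-install check for item 1 of the Resolution section, written here as an added example; it is not part of XU*8*788 or of Kernel. The routine name XU788CHK is hypothetical, and the code assumes VA FileMan's data dictionary retriever ($$GET1^DID) is available; it covers only top-level fields, because the page does not give the subfile numbers of the multiples.

```mumps
XU788CHK ; added example: report audit status of fields listed in XU*8*788
 ; Hypothetical routine name; not shipped with the patch.
 ; Multiples (#32, #51 in file #200; #9.81, #41 in file #8989.3) are
 ; skipped: their audited subfields live in subfiles not numbered on the page.
 Q
EN ; entry point: D EN^XU788CHK
 N FILE,LIST,I,FLD,VAL,MISS,DIERR
 S MISS=0
 ; field numbers copied from the Resolution section of the patch description
 S LIST(200)="2,3,7,7.2,9.2,9.4,11,31.1,200.1"
 S LIST(8989.3)=".01,9,9.8,11,11.2,21,30.1,31.1,31.2,31.3,51,202,203,204,205,206,207,209,210,211,214,217,218,219,220,230,320,320.2"
 S LIST(3.5)=".01,.02,1,3"
 S LIST(14.7)=".01,2,3,4,5,6,7,8,9,11,12,13,21"
 S LIST(14.5)=".01,.1,1,2,3,4,5,6,7,8,9,10"
 S FILE=""
 F  S FILE=$O(LIST(FILE)) Q:FILE=""  D
 . F I=1:1:$L(LIST(FILE),",") D
 . . S FLD=$P(LIST(FILE),",",I)
 . . ; read the field's AUDIT attribute from the data dictionary
 . . S VAL=$$GET1^DID(FILE,FLD,"","AUDIT")
 . . I '$$ON(VAL) S MISS=MISS+1 W !,"NOT AUDITED: file #",FILE," field #",FLD," (",VAL,")"
 W !,$S(MISS:MISS_" field(s) without audit",1:"All listed fields are audited")
 D CLEAN^DILF ; clear any FileMan error arrays left by the lookups
 Q
ON(VAL) ; true when the attribute reads as "yes, always" or "edited or deleted"
 ; accepts either the external text or the internal y/e code
 N C S C=$E($TR(VAL,"ye","YE"))
 Q (C="Y")!(C="E")
```

Run it before and after installing the build; a field reported as NOT AUDITED after installation means the data dictionary change did not take effect on that system.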