$TXT Created by FORT,WALLY at NXT.KERNEL.ISC-SF.VA.GOV (KIDS) on MONDAY, 04/09/01 at 09:52
=============================================================================
Run Date: APR 12, 2001                     Designation: XU*8*180
Package : XU - KERNEL                      Priority: Mandatory
Version : 8         SEQ #165               Status: Released
=============================================================================

Associated patches: (v)XU*8*36     <<= must be installed BEFORE `XU*8*180'
                    (v)XU*8*102    <<= must be installed BEFORE `XU*8*180'
                    (v)XU*8*149    <<= must be installed BEFORE `XU*8*180'
                    (v)XU*8*150    <<= must be installed BEFORE `XU*8*180'

Subject: Strong Verify codes

Category:
  - Routine
  - Data Dictionary

Description:
============

NOIS: DAY-1000-42520 Vista Security (Verify Code)

These changes are required to meet VHA DIRECTIVE 6210
Available at http://vaww.va.gov/publ/direc/health/direct/vha6210d.pdf

The rules listed below are from the Document
"VA Account and Password Management Interim Policy"

a. Controls shall be implemented to require strong passwords. Passwords
   shall be at least eight characters in length, and contain three of the
   following four kinds of characters: letters (upper case and lower),
   numbers, and, characters that are neither letters nor numbers (like "#",
   "@" or "$").

b. Passwords shall be changed no less frequently than every 90 days.
   Information systems shall not permit re-assignment of the last three
   passwords used.

c. Accounts that have been inactive for 90 days shall be disabled.

d. To preclude password guessing, an intruder lock out feature shall
   suspend accounts after five invalid attempts to log on. Where
   round-the-clock system administration service is available, system
   administrator intervention shall be required to clear a locked account.
   Where round-the-clock system administration service is not available,
   accounts shall remain locked out for at least ten minutes.

Here is what was done based on the requirement from VHA POLICY:

Item a.
Because VistA has been case-insensitive for many years, we chose to retain
this characteristic. This means that VistA only has three sets of
characters to build a password from: alpha, numeric and punctuation. The
change from the past requirements is the new requirement for punctuation
characters and an increase in length from 6 to 8 characters. The Kernel
XUS2 routine was changed to require that verify codes be composed of the
following three groups of characters: alpha, numeric, and punctuation.

Item b.
This rule was implemented by changing the valid range in the data
dictionary and then checking the value in the KERNEL SYSTEM PARAMETERS
file (#8989.3) and resetting the value if it is found to be greater than
90. Kernel has long kept old verify codes based on the date they were
changed. A change has been made to limit the time frame for removal in
option "Purge Log of Old Access and Verify Codes" [XUSERAOLD].

Item c.
This rule was implemented by making changes to the scheduled Kernel option
'Automatic Deactivation of Users' [XUAUTODEACTIVEATE], routine XUSTERM1.
This option has been changed to check each user's last sign-on date and,
if it is more than 90 days old, set the DISUSER field for that user. If
this happens, the user will get a "No Access Allowed for this User."
message when they try to log on.

Note: The DISUSER field is shown on the 'User Inquiry' and is on the
second page of the Kernel option "Edit an Existing User" [XUSEREDIT].

Item d.
Kernel has always implemented a form of 'lockout'. Changes were made to
the Kernel System Parameters file DEFAULT # OF ATTEMPTS and DEFAULT
LOCK-OUT TIME fields. The values in the KSP were checked and changed to
meet the new limits for these fields.

Note: In addition, the sign-on code was changed to echo an asterisk (*)
for each character entered. This follows the Microsoft Windows login
style, which is a change from the VMS login style.

Routine Summary
The following routines are included in this patch.
The second line of each of these routines now looks like:
 ;;8.0;KERNEL;;Jul 10, 1995

                   Checksum
Routine        Old         New        2nd Line
XUINPCH4       n/a         786391     **180**
XUS            8139177     8362765    **16,26,49,59,149,180**
XUS2           14055468    15802718   **59,180**
XUS4           3275391     3759854    **180**
XUSPURGE       6034721     4746135    **180**
XUSRB          6120921     6227685    **11,16,28,32,59,70,82,109,115,165,150,180**
XUSTERM1       12539120    11515045   **102,180**
XUSTZ          3010944     3161912    **36,180**

List of preceding patches: 36, 102, 149, 150

Sites should use CHECK^XTSUMBLD to verify checksums.

=========================================================================
Installation:

>>>Users may remain on the system.
>>>Taskman does not need to be stopped.

1. DSM sites - Some of these routines are usually mapped, so you will
   need to disable mapping for the affected routines.

2. Use the 'INSTALL/CHECK MESSAGE' option on the PackMan menu. This
   option will load the KIDS package onto your system.

3. The patch has now been loaded into a Transport global on your system.
   You now need to use KIDS to install the Transport global. On the KIDS
   menu, under the 'Installation' menu, use the following options:

      Verify Checksums in Transport Global
      Print Transport Global
      Compare Transport Global to Current System
      Backup a Transport Global

4. Users can remain on the system if installed at non-peak hours. There
   is a small chance that a user could get a CLOBER error if they are
   signing on at the time the routines change. This patch can be queued
   and installed at non-peak time. TASKMAN can remain running.

5. On the KIDS menu, under the 'Installation' menu, use the following
   option:

      Install Package(s) 'XU*8.0*180'
                          ==========

      Want KIDS to Rebuild Menu Trees Upon Completion of Install? YES// NO
      Want KIDS to INHIBIT LOGONs during the install? YES// NO

   No Options or Protocols need to be placed out-of-order.

      Want to DISABLE Scheduled Options, Menu Options, and Protocols? NO
                                                                      ==

6. DSM Sites, after patch has installed, rebuild your map set.
=========================================================================

Routine Information:
====================

Routine Name:
  - XUS
Routine Checksum:

Routine Name:
  - XUS2
Routine Checksum:

Routine Name:
  - XUS4
Routine Checksum:

Routine Name:
  - XUSPURGE
Routine Checksum:

Routine Name:
  - XUSTERM1
Routine Checksum:

Routine Name:
  - XUINPCH4
Routine Checksum:

Routine Name:
  - XUSTZ
Routine Checksum:

Routine Name:
  - XUSRB
Routine Checksum:

=============================================================================
User Information:
Entered By  : FORT,WALLY                   Date Entered  : OCT 31, 2000
Completed By: SINGH,GURBIR                 Date Completed: APR 10, 2001
Released By : GIBBONS,JOE                  Date Released : APR 12, 2001
=============================================================================

Packman Mail Message:
=====================

$END TXT
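
The verify code rule described under Item a, next to the policy wording it was derived from, as an added Python example that is not part of the patch and is not the XUS2 code. The function names, the use of the ASCII punctuation set and the sample codes are assumptions made for illustration.

```python
import string

MIN_LENGTH = 8  # the patch raised the minimum length from 6 to 8

def vista_groups(code):
    """Character groups present when case is ignored (the rule under Item a)."""
    groups = set()
    for ch in code:
        if ch in string.ascii_letters:
            groups.add("alpha")          # upper and lower case count as one group
        elif ch in string.digits:
            groups.add("numeric")
        elif ch in string.punctuation:   # assumption: ASCII punctuation set
            groups.add("punctuation")
        else:
            groups.add("other")          # spaces, control and non-ASCII characters
    return groups

def check_verify_code(code):
    """Return the list of rule violations; an empty list means accepted."""
    groups = vista_groups(code)
    problems = []
    if len(code) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if "other" in groups:
        problems.append("unsupported character")
    for needed in ("alpha", "numeric", "punctuation"):
        if needed not in groups:
            problems.append("missing " + needed)
    return problems

def meets_policy_text(code):
    """The policy wording: 8+ characters, three of four case-sensitive kinds."""
    kinds = [
        any(c in string.ascii_uppercase for c in code),
        any(c in string.ascii_lowercase for c in code),
        any(c in string.digits for c in code),
        any(c in string.punctuation for c in code),
    ]
    return len(code) >= MIN_LENGTH and sum(kinds) >= 3

if __name__ == "__main__":
    # Constructed sample codes, not taken from any system.
    for sample in ("Summer2001", "SPRING#2001", "AB12#$", "abc#def!"):
        print(sample, meets_policy_text(sample), check_verify_code(sample))
```

A code such as the constructed "Summer2001" satisfies the three-of-four policy wording through mixed case but is rejected by the case-insensitive rule, which leaves punctuation as the only way to supply the third group.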