$TXT Created by FORT,WALLY at NXT.KERNEL.FO-OAKLAND.MED.VA.GOV (KIDS) on Wednesday, 10/05/05 at 15:39
=============================================================================
Run Date: DEC 12, 2005                     Designation: XU*8*265
Package : XU - KERNEL                      Priority: Mandatory
Version : 8        SEQ #320                Status: Released
                   Compliance Date: JAN 12, 2006
=============================================================================

Associated patches: (v)XU*8*208    <<= must be installed BEFORE `XU*8*265'
                    (v)XU*8*238    <<= must be installed BEFORE `XU*8*265'
                    (v)XU*8*252    <<= must be installed BEFORE `XU*8*265'
                    (v)XU*8*258    <<= must be installed BEFORE `XU*8*265'

Subject: 3 Strikes and You Are Out

Category:
  - Routine
  - Data Dictionary

Description:
============

Patch Tracking #: 36802340
Test Sites: WRJ VMAC, FORUM, MUSKOGEE, OK, TOMAH, WI
Blood Bank Clearance: 10/17/2003

NOTE: If you also have patch XU*8*337 installed, it will need to be
re-installed after installing XU*8*265.

Further information is provided in a separate document, XU8_0P265IG.DOC.
This document can be obtained by using FTP from the appropriate Customer
Service directory:

  OI FIELD OFFICE     FTP ADDRESS                  DIRECTORY
  ======================================================
  any                 download.vista.med.va.gov
  Albany              ftp.fo-albany.med.va.gov
  Hines               ftp.fo-hines.med.va.gov
  Salt Lake City      ftp.fo-slc.med.va.gov

  Host File Name: XU8_0P265IG.DOC

Please read this guide before turning on the IP lockout this patch provides.
The IP lockout will default to off when the install is done.

This patch was developed to complement patch XU*8*258 'Multiple sign-on from
one IP address' and to enhance security. It is based on work done by Dennis
Follensbee.

With telnet sessions, a user could circumvent the device lockout by
disconnecting and reconnecting. To address this problem, IP address locking
was set up. There is a list of IP addresses that belong to Terminal Servers
that get special treatment.
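
The IP locking described above, modeled as an added Python example (it is not code from this patch, which is written in M): failed sign-ons are counted per IP address rather than per session, as the FAILED SIGNON ATTEMPTS file (#3.084) listed later in this description does, and locks expire like LOCKED IP or DEVICE (#3.083) records. The `strikes` and `lock_seconds` values, the single per-server slack and the sample addresses are assumptions; the page gives the 10-minute Terminal Server window but no ordinary-IP limit or lockout duration.

```python
from collections import deque

class IPLockout:
    """Toy model of the per-IP sign-on lockout (not the patch's M code)."""

    def __init__(self, strikes=3, lock_seconds=600, ts_slack=None):
        self.strikes = strikes            # assumed: lock on the Nth failure
        self.lock_seconds = lock_seconds  # assumed lockout period, in seconds
        self.ts_slack = ts_slack or {}    # terminal server IP -> slack (simplified)
        self.ts_window = 600              # terminal servers: last 10 minutes
        self.attempts = {}                # like file #3.084: IP -> failed count
        self.ts_failures = {}             # terminal server IP -> failure times
        self.locked = {}                  # like file #3.083: IP -> locked until

    def is_locked(self, ip, now):
        until = self.locked.get(ip)
        if until is not None and now >= until:
            del self.locked[ip]           # record removed once the lock time passes
            return False
        return until is not None

    def failed(self, ip, now):
        """Record a failed sign-on from ip; return True if ip is now locked."""
        if self.is_locked(ip, now):
            return True
        if ip in self.ts_slack:
            recent = self.ts_failures.setdefault(ip, deque())
            recent.append(now)
            while now - recent[0] > self.ts_window:
                recent.popleft()          # keep only the last 10 minutes
            over = len(recent) > self.ts_slack[ip]
        else:
            # Keyed by IP, not by session: reconnecting does not reset the count.
            self.attempts[ip] = self.attempts.get(ip, 0) + 1
            over = self.attempts[ip] >= self.strikes
        if over:
            self.locked[ip] = now + self.lock_seconds
            self.attempts.pop(ip, None)
            self.ts_failures.pop(ip, None)
        return over

    def succeeded(self, ip):
        self.attempts.pop(ip, None)       # a successful sign-on removes the count

    def release(self, ip):
        self.locked.pop(ip, None)         # manual release of a locked IP
```
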

Individual users can also be locked if a valid Access Code is entered and
just the Verify code is wrong. All this lockout can be turned ON or OFF with
one parameter.

This patch keeps a list of IP addresses that have exceeded the sign-on
attempt limit and will prevent them from completing a sign-on until the
timeout period has passed. There is an option "Release IP lock" to release a
locked IP address.

There is a list of Terminal Servers that can have a higher limit than normal
IPs. There is an option "Edit Site IP lockout" that can edit these values.

There is a new Option to be scheduled to run.

  XUSFACHK (Check Failed Access Log)
    This option runs the Failed Access Check routine "XUSFACHK". This
    routine looks to see if there have been a large number of failed access
    attempts since the routine was last run. During normal business hours
    (8am to 4:30pm), if the number of failed access attempts is greater than
    the limit in the Kernel system parameter file (#8989.3) field "FAILED
    ATTEMPTS LIMIT - IRM" (#405.12), it sends a message to the mail group
    stored in the "IRM MAIL GROUP" (#.02) field. After hours, if the number
    is greater than the limit set in Kernel system parameter "FAILED
    ATTEMPTS LIMIT - AOD" (#405.13), it sends a message to the mail group in
    the "AFTER HOURS MAIL GROUP" (#.03) field. The two mail groups are on
    the last page of option "Enter/Edit Kernel Site Parameters".

The option "Edit Site IP lockout" (XU SITE LOCKOUT) is used to edit these
parameters.

New fields in the Kernel System Parameters (#8989.3) file.

STANDARD DATA DICTIONARY #8989.3 -- KERNEL SYSTEM PARAMETERS FILE
                                                 JUL 21,2003@16:49:18  PAGE 1
STORED IN ^XTV(8989.3,  (1 ENTRY)   SITE: SF CIOFO, KERNEL PATCH ACCOUNT

DATA          NAME                  GLOBAL        DATA
ELEMENT       TITLE                 LOCATION      TYPE
-----------------------------------------------------------------------------

8989.3,405.1  IP SECURITY ON         405;1 SET
                                'n' FOR No;
                                'y' FOR Yes;
              LAST EDITED:      JUL 28, 2003
              DESCRIPTION:      This field turns on or off the IP security
                                "Three strikes and you are out" code.

8989.3,405.12 FAILED ATTEMPTS LIMIT - IRM 405;2 NUMBER
              INPUT TRANSFORM:  K:+X'=X!(X>1000)!(X<1)!(X?.E1"."1N.N) X
              LAST EDITED:      MAR 24, 2004
              HELP-PROMPT:      Type a Number between 1 and 1000, 0 Decimal
                                Digits
              DESCRIPTION:      This field holds the value of how many
                                Failed Attempts must be counted by the
                                XUSFACHK routine before a message is sent to
                                the IRM during normal business hours (8:00 am
                                to 4:30 pm). This can be changed by the value
                                in the TOTAL COUNT INCREASE field.

8989.3,405.13 FAILED ATTEMPTS LIMIT - AOD 405;3 NUMBER
              INPUT TRANSFORM:  K:+X'=X!(X>1000)!(X<1)!(X?.E1"."1.N) X
              LAST EDITED:      MAR 24, 2004
              HELP-PROMPT:      Type a number between 1 and 1000, 0 Decimal
                                Digits
              DESCRIPTION:      This field holds the value of how many
                                Failed Attempts must be counted by the
                                XUSFACHK routine before a message is sent to
                                the AOD during after hours (4:30 pm to
                                8:00 am). This can be changed by the value in
                                the TOTAL COUNT INCREASE field.

8989.3,405.14 USER LOCKING           405;4 SET
                                'n' FOR No;
                                'y' FOR Yes;
              LAST EDITED:      NOV 19, 2002
              DESCRIPTION:      This field controls if Users are locked out
                                of the system because of exceeding the limit
                                on bad attempts. The ACCESS code must be
                                correct so we can identify the user, and it
                                is just the VERIFY code that is being entered
                                wrong.

8989.3,405.15 LAST RUN FAILED ATTEMPTS CHECK 405;5 DATE
              INPUT TRANSFORM:  S %DT="ESTX" D ^%DT S X=Y K:X<1 X
              LAST EDITED:      FEB 19, 2003
              HELP-PROMPT:      (No range limit on date)
              DESCRIPTION:      This field holds the date time of the last
                                run of the FAILED ATTEMPTS checking routine
                                (XUSFACHK). This field is filled in by the
                                routine and doesn't need user entry.

8989.3,405.16 DEFAULT TS SLACK       405;6 NUMBER
              INPUT TRANSFORM:  K:+X'=X!(X>99)!(X<0)!(X?.E1"."1.N) X
              LAST EDITED:      MAR 24, 2004
              HELP-PROMPT:      Type a number between 0 and 99, 0 Decimal
                                Digits
              DESCRIPTION:      This field holds a default value for how many
                                times in 10 minutes a Terminal Server can
                                have a sign-on failure (entries in the FAILED
                                ACCESS ATTEMPTS LOG) before it is locked. A
                                default value of 2 is used if no value is
                                entered.

8989.3,405.17 KEEP THRESHOLD         405;7 NUMBER
              INPUT TRANSFORM:  K:+X'=X!(X>9999)!(X<1)!(X?.E1"."1N.N) X
              LAST EDITED:      OCT 15, 2003
              HELP-PROMPT:      Type a Number between 1 and 9999, 0 Decimal
                                Digits
              DESCRIPTION:      This field holds the number of Failed Access
                                Attempts in the current sample period that
                                will cause the count to be saved for the next
                                sample period. This is used by the routine
                                XUSFACHK and the value will need to be
                                smaller for a more frequent running and
                                larger for less frequent running. A starting
                                value could be 10 if XUSFACHK is scheduled to
                                run every 30 minutes.

8989.3,405.18 TOTAL COUNT INCREASE   405;8 NUMBER
              INPUT TRANSFORM:  K:+X'=X!(X>9999)!(X<1)!(X?.E1"."1N.N) X
              LAST EDITED:      OCT 15, 2003
              HELP-PROMPT:      Type a Number between 1 and 9999, 0 Decimal
                                Digits
              DESCRIPTION:      This field holds the value to be added to the
                                IRM or AOD limits. If the total number of
                                Failed Access Attempts in the sample period
                                is greater than the IRM (or AOD) limit plus
                                the TOTAL COUNT INCREASE then it will trigger
                                the sending of the failed attempts message.

8989.3,405.2  TERMINAL SERVER IP     405.2;0 Multiple #8989.305

8989.305,.01    TERMINAL SERVER IP     0;1 FREE TEXT (Multiply asked)
                INPUT TRANSFORM:  K:$L(X)>40!($L(X)<7) X
                LAST EDITED:      OCT 28, 2002
                HELP-PROMPT:      Answer must be 7-40 characters in length.
                DESCRIPTION:      This field holds the IP addresses of
                                  Terminal servers that should get special
                                  treatment from the IP security software.
                CROSS-REFERENCE:  8989.305^B
                                  1)= S ^XTV(8989.3,DA(1),405.2,"B",$E(X,1,30),DA)=""
                                  2)= K ^XTV(8989.3,DA(1),405.2,"B",$E(X,1,30),DA)

8989.305,1      AFTER HOURS SLACK      0;2 NUMBER
                Slack
                INPUT TRANSFORM:  K:+X'=X!(X>300)!(X<0)!(X?.E1"."1.N) X
                LAST EDITED:      MAR 24, 2004
                HELP-PROMPT:      Type a number between 0 and 300, 0 Decimal
                                  Digits
                DESCRIPTION:      This field holds the after hours slack
                                  value used to delay locking the Terminal
                                  Server address. Between the hours of
                                  4:30 pm & 8:00 am, if the FAILED ACCESS
                                  ATTEMPTS LOG has had more entries from this
                                  Terminal Server in the last 10 minutes than
                                  the slack value the TS IP address will be
                                  locked.

8989.305,2      LAST TIME RESET        0;3 DATE
                INPUT TRANSFORM:  S %DT="ESTX" D ^%DT S X=Y K:Y<1 X
                LAST EDITED:      NOV 14, 2002
                DESCRIPTION:      This field holds the FileMan date time that
                                  the LOCK on this Terminal Server was last
                                  cleared.

New File:

STANDARD DATA DICTIONARY #3.083 -- LOCKED IP or DEVICE FILE
STORED IN ^XUSEC(3,  *** NO DATA STORED YET ***   SITE: SF CIOFO, KERNEL PATCH

DATA          NAME                  GLOBAL        DATA
ELEMENT       TITLE                 LOCATION      TYPE
-----------------------------------------------------------------------------
This file holds the IP address or domain name of a system that has failed to
successfully signon within the limits imposed. Once the lock out time has
passed the record is removed, so it would be normal for this file to have no
records most of the time.

              DD ACCESS: @
              RD ACCESS: @
              WR ACCESS: #
             DEL ACCESS: @
           LAYGO ACCESS: @
           AUDIT ACCESS: @

CROSS REFERENCED BY: LOCKED IP/DEVICE(B)

CREATED ON: MAR 6,2003 by FORT,WALLY

3.083,.01     LOCKED IP/DEVICE       0;1 FREE TEXT (Required)
              INPUT TRANSFORM:  K:$L(X)>40!($L(X)<3)!'(X'?1P.E) X
              LAST EDITED:      MAR 06, 2003
              HELP-PROMPT:      Answer must be 3-40 characters in length.
              DESCRIPTION:      This field holds a list of IPs or Device IDs
                                that have been locked. These are cleaned up
                                automatically.
              CROSS-REFERENCE:  3.083^B
                                1)= S ^XUSEC(3,"B",$E(X,1,30),DA)=""
                                2)= K ^XUSEC(3,"B",$E(X,1,30),DA)

3.083,2       LOCKED UNTIL           0;2 DATE (Required)
              INPUT TRANSFORM:  S %DT="ESTXR" D ^%DT S X=Y K:Y<1 X
              LAST EDITED:      MAR 06, 2003
              DESCRIPTION:      This field holds the FileMan date/time that
                                this IP should be locked until.

New File:

STANDARD DATA DICTIONARY #3.084 -- FAILED SIGNON ATTEMPTS FILE
STORED IN ^XUSEC(4,  *** NO DATA STORED YET ***   SITE: SF CIOFO, KERNEL PATCH

DATA          NAME                  GLOBAL        DATA
ELEMENT       TITLE                 LOCATION      TYPE
-----------------------------------------------------------------------------
This file holds the count of signon attempts from an IP address or domain.
This is to prevent a user from disconnecting after each try. Once a signon is
successful the record is removed, so it would be normal for this file to have
no records most of the time.

              DD ACCESS: @
              RD ACCESS: @
              WR ACCESS: #
             DEL ACCESS: @
           LAYGO ACCESS: @
           AUDIT ACCESS: @

CROSS REFERENCED BY: IP or DEVICE(B)

CREATED ON: JUL 14,2003 by FORT,WALLY

3.084,.01     IP or DEVICE           0;1 FREE TEXT (Required)
              INPUT TRANSFORM:  K:$L(X)>30!(X?.N)!($L(X)<3)!'(X'?1P.E) X
              HELP-PROMPT:      NAME MUST BE 3-30 CHARACTERS, NOT NUMERIC OR
                                STARTING WITH PUNCTUATION
              CROSS-REFERENCE:  3.084^B
                                1)= S ^XUSEC(4,"B",$E(X,1,30),DA)=""
                                2)= K ^XUSEC(4,"B",$E(X,1,30),DA)

3.084,2       ATTEMPT COUNT          0;2 NUMBER
              INPUT TRANSFORM:  K:+X'=X!(X>99)!(X<0)!(X?.E1"."1N.N) X
              LAST EDITED:      JUL 14, 2003
              HELP-PROMPT:      Type a Number between 0 and 99, 0 Decimal
                                Digits
              DESCRIPTION:      This field keeps track of the count of failed
                                signon attempts from a given device or IP
                                address.

3.084,3       HOROLOG OF LAST UPDATE 0;3 FREE TEXT
              INPUT TRANSFORM:  K:$L(X)>12!($L(X)<4) X
              LAST EDITED:      JUL 15, 2003
              HELP-PROMPT:      Answer with current $H value.
              DESCRIPTION:      This field holds the $H value of the last
                                time this record was updated so we can know
                                when to clear it out.

New Field in the New Person File (#200).

STORED IN ^VA(200,  (99 ENTRIES)   SITE: SF CIOFO, KERNEL PATCH ACCOUNT

DATA          NAME                  GLOBAL        DATA
ELEMENT       TITLE                 LOCATION      TYPE
-----------------------------------------------------------------------------

200,202.05    LOCKOUT USER UNTIL     1.1;5 DATE
              INPUT TRANSFORM:  S %DT="ESTX" D ^%DT S X=Y K:Y<1 X
              LAST EDITED:      NOV 14, 2002
              DESCRIPTION:      This field is used by the signon code to
                                lock out users that have tried bad VERIFY
                                codes too many times. This field holds the
                                date/time that the user should be locked out
                                of the system until. It is set with the
                                current time plus the lockout time.

New Options:
   XU IP RELEASE
   XU SITE LOCKOUT
   XUSFACHK

New Bulletin:
   XUSLOCK

New Forms:
   XUSITEIP      FILE #8989.3
   XUSITEPARM    FILE #8989.3

New Dialogs:
   DIALOG NUMBER   SHORT DESCRIPTION
   30810.010       Signons not currently allowed.
   30810.020       Max Users.
   30810.030       Unknown Device.
   30810.040       A/V code not valid.
   30810.050       No access allowed for this user.
   30810.060       Invalid device password.
   30810.070       Device locked.
   30810.080       This device is out of service.
   30810.090       MULTIPLE SIGNONS NOT ALLOWED
   30810.100       You don't have access to this device!
   30810.110       Your access code has been terminated.
   30810.120       Verify code must be changed.
   30810.130       Device time limit.
   30810.140       Not a valid UCI!
   30810.150       Not a valid routine.
   30810.160       No primary menu.
   30810.170       User Time limit.
   30810.180       User Locked.
   30810.190       Signon not allowed as you have required forms to sign
                   in terminal mode
   30810.200       IP Address not set.
   30810.410       You may now signon.
   30810.420       Please wait
   30810.430       Your Access Locked
   30810.440       IP locked
   30810.450       Already signed on
   30810.510       Access code
   30810.520       Verify code
   30810.610 thru
   30810.620       Access restricted

Routine Summary

The following routines are included in this patch. The second line of each
of these routines now looks like:

   ;;8.0;KERNEL;**[Patch List]**;Jul 10, 1995

                 Checksum
   Routine      Old        New       Patch List
   XUS          8362765    7565684   **16,26,49,59,149,180,265**
   XUS1         9808429    9733299   **9,59,111,165,150,252,265**
   XUS1A        6070439    6160612   **153,149,183,258,265**
   XUS3         5735173    5016793   **32,149,265**
   XUSFACHK     n/a        4308226   **265**
   XUSRA        1722541    1681697   **70,115,208,265**
   XUSRB        8315324    7662022   **11,16,28,32,59,70,82,109,115,165,150,180,213,234,238,265**
   XUSTZ        3161912    2806823   **36,180,265**
   XUSTZIP      n/a        5551747   **265**
   XUVERIFY     3888236    2933614   **2,26,59,265**

List of preceding patches: 208, 238, 252, 258

Sites should use CHECK^XTSUMBLD to verify checksums.

=========================================================================
Installation:

>>>Do not allow users to log in to the system during installation.
>>>TaskMan does *not* need to be stopped.

1. Use the 'INSTALL/CHECK MESSAGE' option on the PackMan menu. This option
   will load the KIDS package onto your system.

2. The patch has now been loaded into a Transport global on your system.
   You now need to use KIDS to install the Transport global.
   On the KIDS menu, under the 'Installation' menu, use the following
   options:
      Verify Checksums in Transport Global
      Print Transport Global
      Compare Transport Global to Current System
      Backup a Transport Global

3. Inhibit users from logging into the system. Because sign-on routines are
   being changed, users attempting to sign on may cause errors to be
   trapped. Current users should be OK. TaskMan can remain running.

4. Installation will take less than 2 minutes. On the KIDS menu, under the
   'Installation' menu, use the following option:

      Install Package(s) 'XU*8.0*265'
                          ==========
      Want KIDS to Rebuild Menu Trees Upon Completion of Install? YES//

      Want KIDS to INHIBIT LOGONs during the install? YES// YES

      No Options or Protocols need to be placed out-of-order.
      Want to DISABLE Scheduled Options, Menu Options, and Protocols? NO
                                                                      ==

5. Edit the Kernel System Parameters for the new fields and schedule the
   new option XUSFACHK.

=========================================================================

Routine Information:
====================
The checksums below are new checksums, and can be checked with
CHECK1^XTSUMBLD.

Routine Name: XUS
    Before: B21025346   After: B25245953  **16,26,49,59,149,180,265**
Routine Name: XUS1
    Before: B24152939   After: B25051927  **9,59,111,165,150,252,265**
Routine Name: XUS1A
    Before: B11947178   After: B12342712  **153,149,183,258,265**
Routine Name: XUS3
    Before: B10965117   After: B18656920  **32,149,265**
Routine Name: XUSFACHK
    Before:             After:  B9500878  **265**
Routine Name: XUSRA
    Before:  B3418206   After:  B3358978  **70,115,208,265**
Routine Name: XUSRB
    Before: B32256407   After: B29869823  **11,16,28,32,59,70,82,109,115,165,150,180,213,234,238,265**
Routine Name: XUSTZ
    Before:  B4907511   After:  B8122743  **36,180,265**
Routine Name: XUSTZIP
    Before:             After: B25477365  **265**
Routine Name: XUVERIFY
    Before:  B7642643   After:  B7660618  **2,26,59,265**

=============================================================================
User Information:
Entered By  : FORT,WALLY                    Date Entered  : OCT 23, 2002
Completed By: SINGH,GURBIR                  Date Completed: DEC 09, 2005
Released By : TILLIS,LEWIS                  Date Released : DEC 12, 2005
=============================================================================

Packman Mail Message:
=====================

$END TXT