COMCARE OPERATIONAL ADVICE NO 83

ENHANCED SYSTEM ACCESS CONTROL [ESACS]

General Managers

State Managers

Manager, Operations

Manager, Review

Manager, Rehabilitation

State Executive Officer

System Administrator

Please find enclosed documentation regarding the implementation of ESACS software in State Office computer sites.  Installation of ESACS will create a more secure computing environment for both Comcare system users and data.

Implementation of ESACS will include certain restrictions on logon parameters.  To enable all users to understand the implications of ESACS, it is recommended that the minute enclosed should be distributed to all staff.

Also enclosed is a Wang VS User Access form.  This form should be used for all future Security requests.

Please advise Bill Jarvis (06) 275 0643 of the date and time that you would like the ESACS implementation to be scheduled.

ROBERT KNAPP

A/g Deputy Chief Executive Officer

2 November 1990


WANG VS USER ACCESS

NAME:__________________________________

TELEPHONE:____________________

TEAM/SECTION:________________________

DESIGNATION:__________________

AUTHORISED:____________________________

DATE:__________________________

                    Team Leader/Supervisor

USER ID (if FORMER/CURRENT COMCARE EMPLOYEE):_______________________

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

INITIAL ACCESS:

Place an [X] in all boxes except where access is required.

Only ONE box should be left blank.

Benefits Payments Team                  BPT       [    ]

COMPENSE                                AS01      [    ]
                                        AS02      [    ]
                                        AS03      [    ]
                                        AS04      [    ]
                                        AS05      [    ]
                                        AS06      [    ]
                                        AS07      [    ]
                                        TLE       [    ]

Rehabilitation                          SRA       [    ]

Other (____________________)            ____      [    ]

Remote Logon (ie, ORION, CAMS, SCR)     ____      [    ]

System Administration Officer/Backup    SAO/SAB   [    ]

Temporary: From ____/____/____ to ____/____/____   TS __   [    ]

Word Processing (General)       [    ] (SAO indicate library)          [    ]

Word Processing (Confidential)  [    ] (SAO indicate conf. library)    [    ]

Word Processing (Secure)        [    ] (SAO indicate secure library)   [    ]

APPROVED:____________________________________________ DATE:_____________

Manager Operations or equivalent

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

ACTIONED

User ID: [________]    Date Issued: ____/____/____    Date Removed: ____/____/____

SAO:_______________________

SAO:______________________

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

CHANGED ACCESS: To be used when the original access given above is amended, increased or where USERID is REACTIVATED

New Access Level          Approved          Actioned          Date


TO ALL STAFF

Computer Security

Please note that changes to COMPUTER SECURITY will take effect in your State Office in November 1990.  The new security parameters will be implemented using software which will enable a more secure computing environment for both system users and Comcare data.

The implications of the new Security Software are as follows:

.If a password has not been changed during a thirty-day period, the system will request that the User change their password.  When the password has been changed, access will be permitted.

.The length of the password should be at least 5 characters and not more than 8 characters.

.The system will keep a record of the last three passwords used. This will prevent the same password being used repetitively.

.If a User incurs three invalid logon attempts, for example entering an incorrect password three times within thirty minutes, the workstation and Userid will be locked.  Should this occur, the System Administrator should be contacted.  A new password will be assigned and the workstation released.

.When leaving a computer terminal, remember to log off completely.  This prevents other users utilising the Logon ID and reduces the risk of lost data, particularly in Word Processing, should the system 'crash'.

.Logon Id and password details should be kept confidential.  Although it may sometimes be convenient to lend other users your logon details, any action taken under a Userid is attributed to its owner, so lending it places the owner at risk should a security breach occur.

.All Users requiring system access should contact the System Administrator for allocation of Logon details.

If you experience any problems with these new arrangements please contact your System Administrator.


E  S  A  C  S

C  O  M  C  A  R  E

The Installation of ESACS should take a maximum of 1 hour in all sites.  Additional time will be required to perform a full volume backup of VOL100 after the implementation has completed.

The following documentation explains the implementation procedures for ESACS in COMCARE State Offices.  It also details the standard ESACS parameters to be used in State Offices.

This documentation should be used in conjunction with the ESACS User Guide provided with the ESACS software.


Contents

.Installation of Software

.Utilisation of Software (State Office)

.Adding & Maintaining User Records

.Security Event Logging


ESAC Installation Procedures

.Prior to commencing these procedures, ensure you have cleared the USERLIST and AMUUSER file of any erroneous records.

WARNING: The installation procedure deletes the SECURITY utility from @SYSTEM@ on VOL100.

1.Ensure you have a backup of the following files on a spare IPL volume.

USERLIST

@SECFILE

SECURITY

2.Inhibit all logons.

3.Logon as System Administrator.

4.Mount the diskette on which the ESAC software is provided.  Ensure you select the correct diskette; refer to the part number on the disk and the ESACS Release notice.

5.Run ESAC in @SYSTEM@ on (Diskette Name).

The Wang ESAC Install Procedure screen appears, with the prompt,

Please specify the restored volume:

6.In response to the prompt enter VOL100.

The following messages will appear:

.Procedure ESAC in progress

.Installation in Progress

.Scratching the SECURITY Utility

.Converting the @SECFILE file

When the procedure is complete, you will be returned to the Command Processor. The following message will be displayed:

"Procedure ESAC processing completed"

7.To verify that ESAC Release 1.0 was installed correctly perform the following steps:

.Run program DISPLAY

.Display the file @SECFILE in @SYSTEM@ on VOL100.

.Select PFKEY 8 Find Record and enter "@REVISIONREC".  Verify that the last character of the record is not 0 (zero).

8.If the installation is successful, dismount the release diskette and store in safe place.  If you encounter problems contact the HELP DESK on (06) 2496796.

9.IPL the system.

10.Logon and run the program VSSECURE to verify success of installation.

11.Install new version of CHANGEPW program.

.Run DISPMANY on FILE: CHNG?  LIBRARY: ?  VOLUME: ?

.List locations of the existing CHNGPWD program.

.Backup new CHANGEPW in @SYSTEM@ on VOL100 to locations noted above.  Scratch the old version.

12.Update AMUSAO

.Run Backup, and Backup AMUMENUS in AMUSAONW on VOL100 to AMUMENUS in AMUSAO on VOL100 and scratch duplicate files.

.The new menus will contain access to the ESAC Security functions and the menu ADMIN containing the MONSEC software will be removed.

13.After a successful installation, you can conserve disk space by deleting installation files which are no longer needed.  Delete the files ESAC and SECFCONV in @SYSTEM@ on VOL100.

Installation of ESAC Software Complete

Logons should remain inhibited during the remainder of the installation which will entail the implementation of User and ESACS defaults.

Perform a full volume backup of VOL100 after the ESACS implementation is complete.

Files Contained in this Release:

Library = @SYSTEM@

Module     Version   Protection Class   Blocks Allocated   Description
ESAC       7.20.00   @                  1                  ESAC Release 1.0 install procedure
SECFCONV   7.18.02   @                  2                  ESAC Release 1.0 conversion utility
VSSECURE   7.20.08   @                  142                Enhanced security utility
CHANGEPW   7.18.01   @                  7                  Change password utility
LOGNCHPW   7.18.01   @                  7                  Expire password utility

Library = @DOCLIB@

Module     Version   Protection Class   Blocks Allocated   Description
VSSECURE   7.20.00   $                  50                 VSSECURE help text

Library = AMUSAONW on VOL100

Module     Version   Protection Class   Blocks Allocated   Description
AMUMENUS   -         @                  -                  Updated menus for ESACS s/w


Utilisation of ESACS Software (State Office)

Logon as SAO and run VSSECURE

.Select  PFKEY 3 Manage System Security Parameters

.Select  PFKEY 2  Set System Security Options

This option enables the specification of parameters that will apply to all system users.

.Minimum Logon ID length = 3 characters

.Minimum Password length  = 5 characters

.Number of Old Passwords to Keep = 3

(This option ensures users do not reuse the same password over and over again, it will keep a record of the last 3 passwords used by that USERID.)

Force Password Generation = N

(This option determines whether the user will receive a System generated password, rather than a password the user makes up themselves.)

Notify User of Last Logon = N

If set to Y, this option informs the user of the date and time of their last logon.

Clear File Blocks at Allocation = N

A Y in this field causes the system to overwrite with binary zeros the blocks allocated for a file whenever a user creates a file.  Setting this option to Y can reduce system performance because of the additional I/O requirement.  State Users will never create new data files.

Clear File Blocks at Scratch = N

A Y in this field causes the system to overwrite file blocks with binary zeros after a file has been scratched.  Note that with both clearing options set to N, the blocks released by a scratched file keep their previous contents until they are reallocated and overwritten, so the performance saving is taken at the cost of leaving residual data on the volume.

Restrict access after Invalid Logon attempts

Enter: After 3 invalid logon attempts within 00:30:00 respond as follows:

   Lock Userid

   Lock Workstation

   Continue impression of attempts

   Lock Userid and continue impression of attempts

X  Lock Userid and workstation

Press PFKEY 1 to Return to Manage System Security Parameters screen


Defining Defaults for New Users

This option enables the specification of parameters that will be used when new users are added under the ESACS software.

The following standards will be used in State Offices for the addition of new users.

Select PFKEY 3 (Set Defaults for New Users).

New User Security Defaults Screen:  Field Descriptions

System Administrator Privileges = N

This field determines whether the user has access to all files on the System.  The State Office Userlist will contain two logons with System Administrator rights, SAO (State System Administrator) and SYS (Central Office Network Administrator, a Remote User).

Diagnostic Privileges = N

The Diagnostic Privileges option determines whether the user can run disk I/O diagnostics. The Wang Engineer is the only user in the State Office environment with a need to run diagnostics.

File Access Privileges

The following file access should be implemented as a standard for all users in the State Office.

File Class    Access
A             W
B             R
X             W

File Class A = Protection Class for Compense Data Files

File Class B = Protection Class for Compense Program Files

File Class X = Protection Class for General Word Processing

Logon Procedure

The following logon procedure should be used in all State Office sites

Logon Procedure (Program) is AMULINK in Library AMUCOMP on VOL100

(This varies from Site to Site depending on colour preferences and multiworkstation requirements.)

Remote System Name for Auto Remote Logon = BLANK


New User Security Defaults Screen:  Field Descriptions Ctd

Modifiable Data Area Size = 1536

This field specifies the size of the MDA for each user.  This setting overrides the default size specified using GENEDIT.

Maximum Logons = 1

This field specifies the number of times the user can logon to the system using one Userid.

Maximum Subtask Quota = 0

This field specifies the number of subtasks that interactive or background tasks run by a user can create.  The default value is 0.  Certain utilities, for example VS Graphics, require a subtask quota in order to run.

Allow User to Change Password = Y

This field determines whether Users without System Administrator rights can change their own passwords.  Y enables the user to run the CHANGEPW utility to define a new password.

Password Expires every n days = 30

This field specifies the number of days that elapse before the user is requested to change or assign a new password.

Lock Userids if Unused for n days = 30

If a Userid remains unused for a period of 30 days, the Userid will be automatically locked. The System Administrator can unlock the Userid using PFKEY 7 (Unlock Userid) from the User Profile screen.

Daily Logon Template Field

This option enables the specification of daily logon restrictions to all new users on a time basis.  This option will not be utilised in this release.

Yearly Logon Template Field

This option specifies the days of the year during which a user can use the system.  For each User up to 36 date ranges can be defined. Each period is expressed as a range of calendar days (for example from 24/12 to 29/12).  This option will not be utilised in this release.

Overriding Defaults for New User

Note:  Once defaults for new Users have been set, it is possible to override the defaults for particular users if required.  Changes to the default values apply only to the Userid being added at that time.
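The parameters above, together with the rules given to staff in the minute (password of 5 to 8 characters, three old passwords kept, 30-day expiry, lock after three invalid attempts within 30 minutes, lock of Userids unused for 30 days), are easiest to check as a small simulation.  The following Python is an added illustration written for this page; it is not Wang VS or ESACS code, and the record layout, function names, and the sample Userids and passwords are constructed for the example.

```python
# Added illustration for this page, not Wang VS or ESACS code: a Python model of the
# logon rules in the staff minute and the System Security Options / New User Defaults.
# Record layout, function names and the sample Userids/passwords are constructed here.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_PASSWORD_LEN, MAX_PASSWORD_LEN = 5, 8         # at least 5, not more than 8
OLD_PASSWORDS_KEPT = 3                            # Number of Old Passwords to Keep
PASSWORD_EXPIRY_DAYS = 30                         # Password Expires every n days
UNUSED_LOCK_DAYS = 30                             # Lock Userids if Unused for n days
MAX_INVALID_ATTEMPTS = 3                          # After 3 invalid logon attempts
INVALID_ATTEMPT_WINDOW = timedelta(minutes=30)    # ... within 00:30:00


@dataclass
class UserRecord:
    userid: str
    password: str
    password_set: datetime
    last_logon: datetime
    old_passwords: list = field(default_factory=list)   # newest first, at most 3 kept
    locked: bool = False
    failed_attempts: list = field(default_factory=list)  # timestamps of recent failures


def change_password(user, new_password, now):
    """Apply the length and history rules.  Returns None on success, else the reason."""
    if not MIN_PASSWORD_LEN <= len(new_password) <= MAX_PASSWORD_LEN:
        return "length"
    if new_password == user.password or new_password in user.old_passwords:
        return "reused"                     # current password or one of the three kept
    user.old_passwords = ([user.password] + user.old_passwords)[:OLD_PASSWORDS_KEPT]
    user.password, user.password_set = new_password, now
    return None


def logon(user, locked_workstations, workstation, password, now):
    """One logon attempt.  Returns a status string and updates the records."""
    if workstation in locked_workstations:
        return "workstation_locked"
    if user.locked:
        return "userid_locked"
    if now - user.last_logon > timedelta(days=UNUSED_LOCK_DAYS):
        user.locked = True                  # dormant Userid: stays locked until the SAO unlocks it
        return "userid_locked"
    if password != user.password:
        # Only failures inside the sliding 30-minute window count towards the limit.
        user.failed_attempts = [t for t in user.failed_attempts if now - t < INVALID_ATTEMPT_WINDOW]
        user.failed_attempts.append(now)
        if len(user.failed_attempts) >= MAX_INVALID_ATTEMPTS:
            user.locked = True              # "Lock Userid and workstation"
            locked_workstations.add(workstation)
            return "locked_out"
        return "invalid_password"
    user.failed_attempts.clear()
    user.last_logon = now
    if now - user.password_set >= timedelta(days=PASSWORD_EXPIRY_DAYS):
        return "password_expired"           # access only after the password is changed
    return "ok"


def administrator_reset(user, locked_workstations, workstation, new_password, now):
    # SAO action after a lockout: assign a new password and release the workstation.
    problem = change_password(user, new_password, now)
    if problem:
        return problem
    user.locked = False
    user.failed_attempts.clear()
    locked_workstations.discard(workstation)
    return "released"


def run_scenario():
    # Drive the rules through a constructed sequence of events; returns the statuses.
    t0, ws = datetime(1990, 11, 5, 9, 0), set()           # ws: locked workstations
    as01 = UserRecord("AS01", "clerk1", t0 - timedelta(days=10), t0 - timedelta(days=1))
    # Two failures and then a good logon: the counter resets and nothing is locked.
    out = [logon(as01, ws, 5, "wrong1", t0),
           logon(as01, ws, 5, "wrong2", t0 + timedelta(minutes=1)),
           logon(as01, ws, 5, "clerk1", t0 + timedelta(minutes=2))]
    # Three failures inside 30 minutes lock both the Userid and workstation 5.
    out += [logon(as01, ws, 5, "bad", t0 + timedelta(minutes=10 + i)) for i in range(3)]
    as02 = UserRecord("AS02", "clerk2", t0, t0)
    out.append(logon(as02, ws, 5, "clerk2", t0 + timedelta(minutes=15)))  # ws 5 locked
    out.append(administrator_reset(as01, ws, 5, "clerk9", t0 + timedelta(minutes=20)))
    out.append(logon(as01, ws, 5, "clerk9", t0 + timedelta(minutes=21)))
    out.append(logon(as01, ws, 5, "clerk9", t0 + timedelta(days=15)))
    t1 = t0 + timedelta(days=31)             # password now 30 days old: expired
    out.append(logon(as01, ws, 5, "clerk9", t1))
    out += [change_password(as01, "clerk9", t1),        # current password: reused
            change_password(as01, "ab", t1),            # too short
            change_password(as01, "clerk10", t1),       # accepted
            logon(as01, ws, 5, "clerk10", t1 + timedelta(minutes=1))]
    # A password leaves the history only after three further changes.
    for p in ("pass1", "pass2", "pass3"):
        change_password(as01, p, t1)
    out.append(change_password(as01, "clerk10", t1))    # still among the three kept
    change_password(as01, "pass4", t1)
    out.append(change_password(as01, "clerk10", t1))    # dropped out: accepted
    # A Userid unused for more than 30 days is locked on its next attempt.
    as03 = UserRecord("AS03", "clerk3", t0, t0)
    out.append(logon(as03, ws, 7, "clerk3", t0 + timedelta(days=45)))
    return out
```

run_scenario() returns the sequence of statuses for the constructed events.  Two points worth noting from it: a correct logon clears the failure counter, so only three failures inside one 30-minute window cause the lock, and with three old passwords kept a previous password becomes acceptable again only after three further changes.  The model treats the SAO-assigned password as subject to the same length and history rules, which is an assumption of the example rather than something the documentation states.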


Select PFKEY 4 More Defaults

Granting Resource Access Privileges

This option enables the control of functions available from the Command Processor and Operator Mode screens that users can execute.

The following defaults will be used as standards for Administrative Service Officers in Comcare.

HELP PROCESSOR resources should be set to Y

Print PROGRAM SCREEN which should be set to Y

All other resources should be set to N for clerical staff. Press PFKEY 1 to return to the Defaults for New Users screen.

Press PFKEY 1 to return to the Manage System Security Parameters screen.

PFKEY 4 Manage Daily Logon Templates will not be used in this release.

PFKEY 5 Manage Yearly Logon Templates will not be used in this release.

Updating Options for All Users

The Update Option for All Users Function on the Manage System Security Parameters screen enables you to change password and userid options for all users.

To Update Options for EVERY user in the USERLIST:

1.Press PFKEY 6 (Update options for all users)

PFKEY 2 Expire Passwords every 30 days

PFKEY 3 Lock Userids if unused for 30 days

PFKEY 4 Allow Users to Change their own Password

Press PFKEY 1 to return to the Manage System Security Parameters screen.

Encrypting Passwords For All Users

The ESACS software allows the option of storing all passwords in encrypted form.  Encryption encodes the passwords held in the USERLIST so that no user, not even a System Administrator, can read them from the Userlist.

If passwords are already encrypted, the PF7 Option does not appear on the Manage System Parameters Menu and the message

Passwords are encrypted

is displayed on the Manage System Security Parameters screen.

Note that encryption cannot be reversed: once passwords have been encrypted, the USERLIST can never again hold unencrypted passwords.


Maintaining and Adding User Records

Maintain User Record

1.To maintain a User Record select PFKEY 1 (Maintain User) from the VSSECURE Main Menu.  Enter the Userid of the record you wish to view.

If the Userid field is left blank, the first record in the Userlist will be displayed; the Userlist can then be viewed record by record using PFKEY 5.

2.When you have located the required record, perform the modification and press ENTER.  Note that the modification will not come into effect until the user has logged off and logged on again.

Add User Record

1.Select PFKEY 2 from the VSSECURE Main Menu.

2.Define user options by entering data in the User Profile fields.

3.Add the User record to the USERLIST by pressing ENTER. VSSECURE will display the Change (Assign) Password screen.

4.Assign a password and Press ENTER.

Setting Additional Security Options

When adding or maintaining a User record More Options are available by selecting PFKEY 4.

Set Workstation Logon Restrictions PF2

For each user, you can specify up to 51 workstations, and whether the user is restricted FROM logging on at those workstations or restricted TO logging on only at them.

All users except the System Administrator should be restricted FROM logging on to Workstation 0.

Set Daily Logon Restrictions PF3

This option enables time-of-day logon restrictions to be assigned to the individual user by hand; the same restrictions can also be applied through Daily Logon Templates.

Set Yearly Logon Restrictions PF4

This option enables calendar-date logon restrictions to be assigned to the individual user by hand; the same restrictions can also be applied through Yearly Logon Templates.


Functions on the User Profile Screen

PF   Function          Action

1    Return            Displays the Main VSSECURE menu.

2    First User        Displays the User Profile of the first user record, according to ASCII sequence of IDs.

4    More Options      Displays the User Security Options Menu.

5    Next User         Displays the User Profile of the next user record, according to ASCII sequence of IDs.

6    Expire Password   Causes the user's password to expire.  This prohibits the user from logging on until a new password is assigned.

7    LOCK Userid       Prohibits the user from logging on until the ID is unlocked.  Unlocking is performed by the same function key.

8    Find User         Displays the User Profile of the requested record.

9    Modify            Enables modification of fields in the required User Profile.

12   Delete            Deletes the User Record.

13   Information       Accesses on-line instructions.

14   Change Password   Enables the user's password to be changed.

16   Exit              Exits without making changes.

VS FILE SECURITY

ACL's will not be implemented in this release.


EVENT LOGGING

The event logging operation comprises three utilities:

.Event Logging Facility

.LOGPRINT Utility

.CONVTLOG Utility

The Logging Facility allows the user to select events to monitor, manage log files and send messages to log files.

IMPORTANT

If the Log File is not managed carefully disk space problems can occur.  Initially, 500 records have been recommended as the size of the new Log File.  The size of the log file should be monitored on a daily basis after ESACS implementation to calculate the correct size for your site.  Because of the space implications only three events have been selected for logging.

.Security Modifications

.USERLIST changes

.File Deletion

To prevent disk space problems use the following procedures:

.Initiate a New Event Log each Monday morning.

.Print the previous weeks log file (using the LOGPRINT utility) and scratch the old log file.

.The previous week's log should be printed and stored for reference for 2 months.

.If security violations are reported in the log they should be reported in writing to the State Manager.

.If archiving of medical/travel records, or deletion of Word Processing documents, is scheduled to take place during the current day's event logging, the log should be cleared and printed before and after the archiving/deletions take place.

To Access the Logging Facility

.Select PFKEY 4 Manage Event Logging from the VSSECURE Main Menu.

.The Manage Event Logging screen will be displayed.  This screen shows logging status and the current log file name.

.To start Event Logging press PFKEY 3 Start New Log File in SECLOG on VOL200. This is the standard location for Event Logging files on Comcare computers.  The file name is system generated.

.Select PFKEY 4 Select Events to be Logged.  Using PFKEY 9 Modify, change System Event Logging to Y and press Enter:

Y  System Event Logging

N  User Event Logging

N  File Event Logging

.Press Enter against System Event Logging to select the events to be monitored.

Change the following events to indicate Y for logging:

    Security Modifications    Y    Y

    USERLIST changes          Y    Y

    File Deletes              Y    Y

These events will be logged for every User ID and file.

.PFKEY 5 Alternate Log Volume should be blank

This parameter specifies the volume that logging files should spill over to if the current logging disk runs out of space.

.PFKEY 6 Size of New Log File is 500 records

The default Log Size is 100 records.

.PFKEY 7 Write a Message to Log File

This parameter allows the user to enter notes of up to 70 characters to the Log File.

LOG FILE UTILITIES (see Chapter 8 of the ESACS User Guide)

The log file can be accessed by System Administrators only.  The data it contains is encoded, and utilities are required to convert the log file into a readable format.

The LOGPRINT Utility

LOGPRINT converts the log file into a print file.

To run LOGPRINT

.Press PF4 (Manage Event Logging) on the VSSECURE Main Menu; the Manage Event Logging screen appears.

From the Manage Event Logging screen, complete the following:

.Write down the file name, library and volume of the current log file displayed in the Current Log File fields.

.Close the current log file by pressing PF2 (Start/Stop Event Logging) or PF3 (Start a new log file).

.Exit from the VSSECURE Logging Facility by pressing PF16 on the Manage Event Logging Menu.

.Run the LOGPRINT utility from the Command Processor by pressing PF1, and entering LOGPRINT for the name of the program.

.The LOGPRINT input screen prompts you for the log file name, library and volume. Type in the information and press ENTER.

.The LOGPRINT output screen prompts for an output file name, library and volume. Assign the values required and press ENTER.  The procedure then creates a print file.

Chapter 8, page 8-6, of the ESACS User Guide provides information on interpreting a Log File Report.

CONVTLOG UTILITY

CONVTLOG converts a log file into an indexed file that contains log file information in an uncompressed format.  This utility is useful if you wish to run customised reports against the log file.

Chapter 8, page 8-9, of the ESACS User Guide provides more information on the CONVTLOG Utility.