ENHANCING THE SECURITY MECHANISMS FOR VAX/VMS RESISTING INTRUSION, CONTROLLING ACCESS, AND IMPEDING SCAVENGERS LOGIN IMPROVEMENTS o SYSTEM PASSWORD ENABLED PER TERMINAL NO RESPONSE UNTIL CORRECT PASSWORD o SECURE SERVER GUARANTEED CONNECTION TO LOGIN PREVENT PASSWORD GRABBERS LOGIN IMPROVEMENTS o MULTIPLE RETRIES HELP FOR THE FUMBLE-FINGERED o FORCED HANGUP ON FAILURES o INFORMATION ON SUCCESSFUL LOGIN TIME OF LAST LOGIN COUNT OF LOGIN FAILURES BREAKIN DETECTION o MONITORS RATE OF PASSWORD FAILURES NOT FOILED BY SUCCESSFUL LOGINS o ASSOCIATION ON SOURCE OF LOGIN TERMINAL + USERNAME NETWORK SOURCE (NODE + USER) PARENT PROCESS o LOCK OUT SOURCE o MINIMUM DENIAL OF SERVICE TO LEGITIMATE USERS o AUDITABLE EVENT PASSWORD AND USER MANAGEMENT o MINIMUM LENGTH o ENFORCED CHANGE FREQUENCY o PASSWORD GENERATOR o SECOND PASSWORD o ACCOUNT EXPIRATION o MORE FLEXIBLE HOURLY RESTRICTIONS PROXY LOGIN FOR NETWORK ACCESS o OUTBOUND REQUESTS INCLUDE NODE AND USERNAME o NETWORK AUTHORIZATION FILE SPECIFIES LOCAL AUTHORIZATION FOR PROCESS TO SERVE INBOUND REQUEST o ONLY SPECIFIC SERVER OBJECTS MAY NEED DEFAULT NETWORK ACCOUNT, E.G., MAIL EXTENDED ACCESS CONTROL o IDENTIFIERS o ACCESS CONTROL LISTS IDENTIFIER REPRESENTS: USER GROUP PROJECT ENVIRONMENTAL CONDITION ANY OTHER ATTRIBUTE SYSTEM RIGHTS DATABASE LISTS: ALL IDENTIFIERS IDENTIFIER NAMES HOLDERS OF IDENTIFIERS UIC = USERNAME UIC GROUP = GROUP NAME BUILT IN IDENTIFIERS o LISTED IN RIGHTS DATABASE o NOT PERMANENTLY GRANTED TO USERS o REPRESENT ENVIRONMENTAL CONDITIONS o DEC SUPPLIED: NETWORK, BATCH, INTERACTIVE, DIALUP, LOCAL, REMOTE o SPACE RESERVED FOR USER SUPPLIED IDENTIFIERS PROCESS RIGHTS LIST o BUILT FROM RIGHTS DATABASE BY LOGIN o MODIFIED BY SYSTEM SERVICES o PROPAGATES TO CREATED PROCESSES o USED IN PROTECTION CHECK ON ALL OBJECTS ACCESS CONTROL LIST o GRANTS ACCESS TO IDENTIFIERS o ORDERED LIST OF ENTRIES o ENTRY MATCHES IDENTIFIER(S) IN ACCESSOR'S RIGHTS LIST o GRANTS READ, WRITE, EXECUTE, DELETE, CONTROL o ACL ENTRIES ARE ORDERED, FIRST MATCH USE OF ACL'S o FILES (AND DIRECTORIES) o DEVICES o SET FILE / DIRECTORY / DEVICE / ACL o SHOW ACL o ACL EDITOR o $CHANGE_ACL SYSTEM SERVICE FILE ATTRIBUTE PROPAGATION o PROTECTION o OWNERSHIP (1) PREVIOUSLY EXISTING VERSION (2) PARENT DIRECTORY (3) PROCESS DEFAULT o IDENTIFIER RESOURCE ATTRIBUTE DEFEATING DATA SCAVENGING o ERASE ON DELETE o ERASE ON EXTEND o SELECTABLE ERASE PATTERN SECURITY AUDITING FILE ACCESS o TYPE OF ACCESS READ, WRITE, EXECUTE, DELETE, CONTROL, SUCCESS, FAILURE o TYPE OF EVENT ANY ACCESS USE OF PRIVILEGE SELECTIVE BY ACL SECURITY AUDITING o LOGIN / LOGOUT LOCAL, DIALUP, REMOTE, NETWORK, BATCH, SUCCESS, FAILURE BREAKIN ATTEMPT o UAF MODIFICATIONS o MOUNT & DISMOUNT o PROCESS MANDATORY AUDIT DATA ENCRYPTION o USER CALLABLE IMPLEMENTATION OF DES ALGORITHM o USE OF DES ALGORITHM IMPLEMENTATION WITH BACKUP o NETWORK TRANSMISSION ENCRYPTION o GOVERNMENT RESTRICTIONS ON TECHNOLOGY EXPORT FUTURES o MORE AUDITING o AUDIT JOURNALS o ACL'S ON MORE SYSTEM OBJECTS o GROUP MANAGEMENT o PROTECTED SUBSYSTEMS o NON-DISCRETIONARY CONTROLS NON-DISCRETIONARY CONTROLS o BELL & LA PADULA (LATTICE) MODEL o CONTROL FLOW OF INFORMATION OUTSIDE OF USERS' CONTROL o SECURITY LEVEL - 0 TO 255 o SECURITY CATEGORIES - 64 SECURITY ACCESS CHECK CONTROL FLOW OF INFORMATION SIMPLE SECURITY PROPERTY TO READ: LEVEL (ACCESSOR) LEVEL (OBJECT) CATEGORY (ACCESSOR) CATEGORY (OBJECT) CONFINEMENT (*-PROPERTY) TO WRITE: LEVEL (ACCESSOR) LEVEL (OBJECT) CATEGORY (ACCESSOR) CATEGORY (OBJECT) INTEGRITY ACCESS CHECK CONTROL RELIABILITY OF INFORMATION SIMPLE INTEGRITY PROPERTY TO READ: LEVEL (ACCESSOR) LEVEL (OBJECT) CATEGORY (ACCESSOR) CATEGORY (OBJECT) CONFINEMENT (*-PROPERTY) TO WRITE: LEVEL (ACCESSOR) LEVEL (OBJECT) CATEGORY (ACCESSOR) CATEGORY (OBJECT)