Title: DECinspect CM, SRF, and Corporate Implementation
Notice: For FAQ see note 4.*; For CM kits see note 3.*
Moderator: KIMBLE::TMULLIGAN
Created: Thu Sep 27 1990
Last Modified: Mon May 26 1997
Last Successful Update: Fri Jun 06 1997
Number of topics: 1699
Total number of notes: 8580
Hello,

Is there anyone out there who can give me an authoritative answer on the following please! I have a requirement for an answer on this.

CP211-00 General Requirements for Computer Security states passwd expiry etc.... However, to do passwd expiry on ULTRIX and DUNIX you need to install C2.

CP211-02 Corporate Security Standard: Unix Operating System Environment states in section 4.1: "It is recommended, but not required, that you employ the ENHANCED identification and authentication features described in this document. These features supplement the traditional BSD (Berkeley Standard Distribution) identification and authentication features."

Normally, if the information in a minor document is ambiguous then we would go to the major document, i.e. CP211-00. So, as C2 (also known as Enhanced Security) is the only way of attaining password length and expiry, is it then a corporate requirement that _ALL_ UNIX systems on EASYNET install and run C2? Or are the words "but not required" enough to allow just the standard distribution to run (with, of course, DECINSPECT)?

Please can someone reply or mail me a reply; my management have asked me to authenticate this issue.

Regards,
Dave
T.R | Title | User | Personal Name | Date | Lines |
---|---|---|---|---|---|
1692.1 | Enhanced security status | VARDAF::BERBIGIER | No known policy forbids common sense | Mon Feb 17 1997 05:18 | 27 |
Without installing Enhanced Security, all passwords are stored in /etc/passwd, which is readable by 'others' (including the DECnet default account), and a password cracker can be run against its contents; as without Enhanced Security passwords are limited to 8 characters, the security of the system is weak, unless other mechanisms (like single-use passwords, or network restrictions) are in place. THIS IS A MAJOR RISK.

Additionally, without Enhanced Security, audit reports are not available.

However, there are some instances where Enhanced Security does break the normal operation of some layered products; this is the main reason why Enhanced Security is highly recommended rather than required within the 211-02 Standard.

Albeit not reflected today in the policies, the new security model makes a distinction between 'Critical Nodes' and other nodes. Critical node criteria are given in http://www-is-security.mso.dec.com/is-sec/gen-info/critical-systems.html

If Enhanced Security is not installed on a critical node, then the system owner must be able to provide a valid reason and appropriate additional controls to keep the system secure.

Pierre
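A system owner's check for the exposure the reply above describes (password hashes sitting in a world-readable /etc/passwd instead of a protected authentication database), as an added example that is not part of the original note or of any DEC tool. The passwd-format sample, the hash string in it, and the audit functions are all constructed for this example; treating a password field of `*` or `x` as "locked or held in a separate protected database" is an assumption, as is the default mode of 0644 used for the demo file.

```python
"""Audit a passwd(5)-style file for password hashes that are readable by
'others'. Added example; the sample data below is constructed."""
import os
import stat
import tempfile

# Constructed sample in passwd(5) format (name:pw:uid:gid:gecos:home:shell).
# The string in dave's entry is made up for the example and is not a real hash.
SAMPLE_PASSWD = """root:*:0:1:System:/:/bin/sh
dave:Xy7hQ2mVtL9aB:1001:15:Dave:/usr/users/dave:/bin/csh
decnet:*:300:300:DECnet default account:/usr/users/decnet:/bin/false
guest::1002:15:Guest login:/usr/users/guest:/bin/sh
"""


def parse_passwd(text):
    """Return one {'name', 'pw'} dict per well-formed line; skip blanks,
    comments and lines that do not have the seven colon-separated fields."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            continue
        entries.append({"name": parts[0], "pw": parts[1]})
    return entries


def classify(pw):
    """Classify the password field of a traditional (non-shadowed) file.
    Assumption: an empty field means no password at all; '*' or 'x' (or a
    field starting with '*') means the account is locked or its hash is held
    in a separate protected database; anything else is a hash that everyone
    who can read the file can copy and run a cracker against."""
    if pw == "":
        return "empty"
    if pw in ("*", "x") or pw.startswith("*"):
        return "protected"
    return "exposed"


def audit_passwd_text(text):
    """Group account names by the state of their password field."""
    result = {"exposed": [], "empty": [], "protected": []}
    for entry in parse_passwd(text):
        result[classify(entry["pw"])].append(entry["name"])
    return result


def world_readable(path):
    """True if the 'other' read bit is set on the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_file(path):
    """Combine the field audit with the file mode: the risk the reply names
    exists only when real hashes are present AND others can read the file."""
    with open(path) as f:
        report = audit_passwd_text(f.read())
    report["world_readable"] = world_readable(path)
    report["hashes_readable_by_others"] = (
        bool(report["exposed"]) and report["world_readable"]
    )
    return report


def demo():
    """Write the constructed sample to a temporary file with the usual
    0644 mode of /etc/passwd (assumed) and audit it."""
    path = os.path.join(tempfile.mkdtemp(), "passwd")
    with open(path, "w") as f:
        f.write(SAMPLE_PASSWD)
    os.chmod(path, 0o644)
    return audit_file(path)


if __name__ == "__main__":
    # Point audit_file at the real /etc/passwd on a system you administer
    # to see which accounts would be flagged there.
    print(demo())
```

On a system running the enhanced (C2) authentication the "exposed" list should be empty because the passwd field holds only a marker; on a plain BSD-style system any entry in that list is a hash that every local user, including the DECnet default account, can read.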