Guardian Authentication


The Guardian system requires that users log on to the system with a valid userid or alias and a password. TACL is the command interpreter used with the Guardian system.

The logon process calls the USER_AUTHENTICATE_ routine. During this system call a PRELOGON message is sent to CMON, if it is running. If the PRELOGON request passes the CMON rules, a LOGON request is sent to CMON, if it is running. The USER_AUTHENTICATE_ procedure will utilize the Safeguard facility, $ZSMP, if Safeguard software is on the system. $ZSMP evaluates both the Safeguard configuration and the User Record attributes to determine whether access will be granted. Based on the Safeguard configuration, $ZSMP also determines whether or not the logon will be audited.

If the USER_AUTHENTICATE_ procedure does not exist in the system library, TACL calls the VERIFYUSER system procedure.

There are several ways to control how the user logs on to the system:

TACLCONF parameters

CMON parameters

User-Record parameters

User-Related Safeguard Global parameters

Logon-Related TACLCONF Configuration

The TACLCONF parameters that affect the authentication process are:

CMONREQUIRED

CMONTIMEOUT

REMOTECMONREQUIRED

REMOTECMONTIMEOUT

These parameters are discussed in the section on CMON later in this Part of the handbook and in the section on CMON in the Gazette.

The following parameters are discussed in Managing Userids with the Safeguard Subsystem in Part Three:

BLINDLOGON

NAMELOGON

Logon-Related CMON Configuration

If there is a CMON running on the system, see the program's documentation or review the code and configuration files to determine whether or not CMON is handling PRELOGON and LOGON activity and the optional user-specific TACLCONF message.

Logon-Related Password Issues

The logging on process requires the entry of a userid and a valid password. Refer to Passwords in Part Three for additional discussions on passwords.

The following Safeguard Global parameters are discussed in the section on Password Administration and affect the requirements of passwords when logging on:

BP-SAFEGARD-GLOBAL-06 PASSWORD-ENCRYPT = ON

BP-SAFEGARD-GLOBAL-05 PASSWORD-HISTORY = 10

BP-SAFEGARD-GLOBAL-07 PASSWORD-MINIMUM-LENGTH = 6

BP-SAFEGARD-GLOBAL-04 PASSWORD-REQUIRED = OFF

BP-SAFEGARD-GLOBAL-09 PASSWORD-EXPIRY-GRACE = between 7 and 15

BP-SAFEGARD-GLOBAL-08 PASSWORD-MAY-CHANGE = 7 DAYS BEFORE EXPIRE (assuming a 90-day password expiration cycle)

Logon-Related Safeguard Global Parameters

The Safeguard GLOBAL parameters that affect authentication are:

AUTHENTICATE-FAIL-FREEZE

AUTHENTICATE-FAIL-TIMEOUT

AUTHENTICATE-MAXIMUM-ATTEMPTS

AUTHENTICATE-FAIL{-FREEZE | -TIMEOUT}

The AUTHENTICATE-FAIL-FREEZE parameter determines whether or not a userid will be FROZEN when the user enters the wrong password too many times in a row.

If the AUTHENTICATE-FAIL-FREEZE value is ON, when a user exceeds the maximum number of attempts to enter a correct password, the target userid is FROZEN.

RISK An intruder could easily freeze all the IDs on a system by simply exceeding AUTHENTICATE-MAXIMUM-ATTEMPTS for each user.

RISK If there are no logged on SUPER.SUPER users or Security Administrators prior to the freeze, the system might have to be reloaded to regain access to the system.

BP-SAFEGARD-GLOBAL-03 AUTHENTICATE-FAIL-FREEZE = OFF

If the AUTHENTICATE-FAIL-TIMEOUT value is n <time interval>, when a user exceeds the maximum number of attempts to enter a correct password, the authentication process is delayed.

The AUTHENTICATE-FAIL-TIMEOUT determines the length of the delay. The default setting is 60 seconds.

RISK A longer value slows down an intruder's attempts to break in. However, avoid unreasonably long periods, because a legitimate user who accidentally exceeds AUTHENTICATE-MAXIMUM-ATTEMPTS will be barred from the system for the duration of the delay period.

BP-SAFEGARD-GLOBAL-02 AUTHENTICATE-FAIL-TIMEOUT = 60 seconds

AUTHENTICATE-MAXIMUM-ATTEMPTS

The AUTHENTICATE-MAXIMUM-ATTEMPTS parameter determines the number of times a user can enter an incorrect password before the appropriate AUTHENTICATE-FAIL action takes place.

The default setting is 3.

BP-SAFEGARD-GLOBAL-01 AUTHENTICATE-MAXIMUM-ATTEMPTS = 3
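The following is an added model of how the three AUTHENTICATE-* globals interact; it is constructed for this section and is not HP Safeguard code. It shows why the handbook recommends AUTHENTICATE-FAIL-FREEZE = OFF: a legitimate user who mistypes the password AUTHENTICATE-MAXIMUM-ATTEMPTS times is only delayed under the timeout setting, but is locked out until an administrator intervenes under the freeze setting. The userid, password and clock values are constructed sample data.

```python
# Constructed model of the AUTHENTICATE-FAIL handling described above; not HP code.
from dataclasses import dataclass

@dataclass
class SafeguardGlobals:
    maximum_attempts: int = 3     # AUTHENTICATE-MAXIMUM-ATTEMPTS (default 3)
    fail_timeout: int = 60        # AUTHENTICATE-FAIL-TIMEOUT in seconds (default 60)
    fail_freeze: bool = False     # AUTHENTICATE-FAIL-FREEZE (best practice: OFF)

@dataclass
class UserRecord:
    userid: str
    password: str                 # plaintext only because this is a toy model
    failures: int = 0             # consecutive wrong passwords
    frozen: bool = False
    delay_until: float = 0.0      # logons are refused before this clock value

def logon(cfg, user, password, now, audit):
    """Model one authentication decision: OK, BAD-PASSWORD, DELAYED or FROZEN."""
    if user.frozen:
        result = "FROZEN"                     # only an administrator can clear this
    elif now < user.delay_until:
        result = "DELAYED"                    # still inside the fail-timeout window
    elif password == user.password:
        user.failures, result = 0, "OK"
    else:
        user.failures += 1
        result = "BAD-PASSWORD"
        if user.failures >= cfg.maximum_attempts:
            user.failures = 0
            if cfg.fail_freeze:
                user.frozen, result = True, "FROZEN"
            else:
                user.delay_until = now + cfg.fail_timeout
                result = "DELAYED"
    audit.append((now, user.userid, result))  # what $ZSMP would record if auditing is on
    return result

def mistyped_then_correct(fail_freeze):
    """A legitimate user mistypes the password 3 times, then enters it correctly
    right away and again after the 60-second delay has elapsed."""
    cfg = SafeguardGlobals(fail_freeze=fail_freeze)
    user = UserRecord("SUPER.SUPER", "correct-pw")   # constructed sample record
    audit = []
    seq = [logon(cfg, user, "wrong", t, audit) for t in (0, 1, 2)]
    seq.append(logon(cfg, user, "correct-pw", 3, audit))
    seq.append(logon(cfg, user, "correct-pw", 63, audit))
    return seq
```

With fail_freeze=False the sequence ends in OK once the delay has passed; with fail_freeze=True the correct password is refused for good, which is the reload scenario the RISK note describes.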




HP NonStop Server Security 2004
ISBN: 159059035X
Year: 2004
Pages: 157