REPRIEVE - makes SAFEGUARD PCI compliant in regard to the management of frozen users, and prevents a Denial-of-Service attack, caused by the AUTHENTICATE_FAIL_FREEZE setting in SAFEGUARD

The PCI paper discusses under point 8.5.13 the need to lock out a user when six authentication attempts have failed.  Under Point 8.5.14, the lock-out time is specified:  Set the lockout duration to thirty minutes or until the administrator re-enables the user ID.

These requirements cannot be satisfied with current SAFEGUARD features.

Actually, SAFEGUARD supports two different penalty schemes:

1. The process of performing authentication is terminatedfor a configurable time period.  This was a successful strategy when a user had one terminal and was connected by a dedicated line.  With TELNET and its windows, the number of terminals a user has access to is nearly unlimited.  A 'hanging' process is re-started from a new Telnet window, and a new authentication attempt can be started.
2. SAFEGUARD can be configured to freeze a user after sixfailed logon attempts.  This is what PCI requires.  However, activating this setting can easily result in a denial-of-service (DoS) attack, where a malicious user intentionally logs on to all available IDs with wrong passwords, freezing all users of the system, including SUPER.SUPER.  The result is a running system, where nobody can logon.

The current change request is to be able to configure:

1. those users who have to be frozen, for example aftersix failed attempts, and to automatically thaw them after 30 minutes
2. to define the freeze time on a 'by user' basis
3. to report FREEZE and THAW events to the EMS system
4. to have these activities logged in the SAFEGUARD audit trails

The solution is REPRIEVE from GreenHouse:

REPRIEVE is a program controlled by the $ZZKRN process.  It keeps an eye on the user-ID files and recognizes any change of a user.  When a user becomes frozen, REPRIEVE starts a timer for this user, and thaws her/him automatically when the timer times out.  All variables, such as 

• users, their freeze time, and EMS action type (information, critical, action needed)
• EMS collector process
• REPRIEVE cycle time

can be configured.

The configuration is done through a small EDIT type file (standard), or can be done through the REPRIEVE module of iWAMS, the web based management system from GreenHouse.

The configuration can be changed at run time.

Order Trial

Four steps to your free trial license:

1. Download the freeware tool SysInfo and run it on the target TANDEM machine
2. Put the system information in the following form
3. Select the product form the drop down list
4. GreenHouse will send the license key via EMail