topic Re: Disabling the system account in Operating System - OpenVMS

Disabling the system account

Julian Mathews_1 — Mon, 11 Apr 2011 23:14:20 GMT

Hi,

I have to prove to auditors that disabling the system account on a VMS server is a bad idea.

Can any body provide me with a "silver bullet" explanation as to why this is?

I'm assuming from my limited understanding of process creation that its because the process owners uic is checked during loginout and if its disusered then the process wont run.

I'm sure this would wreck the boot process pretty comprehensively.

I'd also appreciate if anyone knows for sure that a server with system a/c disabled is not supported by HP.

Many thanks,
Julian

Re: Disabling the system account

abrsvc — Tue, 12 Apr 2011 01:14:02 GMT

Julian, You are not going to get an official statement listed here. This is not an official gateway. Seek any official statements from HP sales or support directly.

In regards to the system account, I am not aware of any documentation that would specifically state that the system would fail. Experience tells me that if disusered, there would be problems. Rather than proving a negative like this, why not determine the issue being investigated. I have dealt with many regulators and auditors about similar things.

Contact me directly via email as this type of issue is best not discussed in a public forum. I can either help directly or direct you to others with more relevant info.

Dan

dansabrservices AT yahoo DOT com

Re: Disabling the system account

Steven Schweda — Tue, 12 Apr 2011 01:35:07 GMT

> I have to prove [...]

In some well-run organizations, the people
who claim to have been abducted by aliens are
expected to provide some evidence to back up
their claims, and the sane people are not
required to prove them wrong.

Personally, I'd be tempted to say, "Ok.
You're the experts. Let's do that." And
then run the experiment. If the abductees
are right, then we'll all learn something
valuable. If they're, let's say, misguided,
then we'll all learn something else, which
would also be valuable. (And which might
also provide lasting relief from similar
future advice from that source.)

> [...] supported by HP.

Only HP can tell you that with any authority,
and I'd expect them not to maintain what
would need to be a very long list of every
possible stupid thing which a customer might
wish to do. If I were HP, I'd save myself
some effort, and advise against it, but I
wouldn't be prepared to guarantee that it
would cause a failure, or that it would work.

> I'm sure this would wreck [...]

Write it down, seal it in an envelope, and
hand it to the super-genius[*] in charge
before running the experiment.

[*] Like, say, Wile E. Coyote.

Re: Disabling the system account

Jan van den Ende — Tue, 12 Apr 2011 06:22:26 GMT

Julian,

WE had a similar request, AND a test system.
So we tried on the test system.
All kinds of things "went bad" during reboot, and it was not even trivial to get into the system to re-enable SYSTEM.

If you are going to experiment, make REAL SURE you have IN WRITING who is responsible, and who is backing the experiment, and that YOU advised STRONGLY against it.

But hey, if anyone wants the jump down a cliff, there is no way of stopping him/her, just make sure you are NOT tied together...

Good luck,

Proost.

Have one on me.

jpe

Re: Disabling the system account

Steven Schweda — Tue, 12 Apr 2011 10:47:42 GMT

> But hey, if anyone wants the jump down a
> cliff, [...]

Or, the Mark Twain analogue:

http://www.twainquotes.com/Cats.html

...the person that had took a bull by the
tail once had learnt sixty or seventy times
as much as a person that hadn't, and said a
person that started in to carry a cat home by
the tail was getting knowledge that was
always going to be useful to him, and warn't
ever going to grow dim or doubtful.

My dim recollection of one of Hal Holbrook's
"Mark Twain Tonight" recordings includes,
"... but if a man wants to carry a cat home
by the tail, I say, 'Let him.'"

Re: Disabling the system account

Craig A — Tue, 12 Apr 2011 10:56:23 GMT

If you have a console connection, why not agree a compromise.

You will keep batch access enabled but remove local, remote and dialup. (I'm not so sure about network access, TBH)

I understand the SYSTEM account can always login to OPA0: if the password is correct (hence the console connection requirement)

HTH

Craig

Re: Disabling the system account

Jan van den Ende — Tue, 12 Apr 2011 11:58:20 GMT

@Craig:

>>>
I understand the SYSTEM account can always login to OPA0:
<<<
Well, my experiment was (IIRC) in the V5 timeframe, so may be outdated, but NO.
You better do NOT disable it in your SYSUAFALT (or refrain from ever creating one), so you can boot conversational and set UAFALTERNATE.

btw Julian: WELCOME to the VMS forum!!!

Proost.

Have one on me.

jpe

Re: Disabling the system account

Robert Gezelter — Tue, 12 Apr 2011 15:08:12 GMT

Julian,

I would definitely recommend not to try this on a production system. It might be a good use of one of the virtual Alpha systems as a sacrificial animal of choice.

Many things expect SYSTEM to be a usable username. I don't think I have ever had Jan's experience, but most cases that I have seen in the wild involve lost passwords, not disable accounts (I would expect the "trick" of conversationally booting with the startup set to OPA0: to work, however there may well be challenges to get the rest of the STARTUP to work -- good idea to backup SYSUAF before trying to make it easier to restore).

As an alternative, consider setting the password to something weird, and sealing the password in an envelope placed in the CFO's vault. Then, add automatic emails from the LOGIN.COM that announce that the account was used.

Your mileage will vary. I will be happy to clarify. I have assisted clients with a variety of security-related audits, interesting issues often arise.

- Bob Gezelter, http://www.rlgsc.com

Re: Disabling the system account

Peter Zeiszler — Tue, 12 Apr 2011 18:47:52 GMT

Hi,

We had this happen to a system when someone attempted to experiment on our security. System started having problems, batch jobs quit working, unable to login, etc and the local admin's first solution was to "reboot" which took a very dark turn. I think our recovery included booting to the CD and mounted the disk and fix things.

What is the Auditor really wanting to accomplish besides making your job tougher?

If you do this - try to keep a bootable backup disk in case you really have to recover from worst case scenario. Please let us know if you do and what exactly happened and recovery. Always curiouse to learn from others.

Re: Disabling the system account

abrsvc — Tue, 12 Apr 2011 18:52:26 GMT

Many of the "prove this" types of scenerios come from people that don't understand the environment. Once they see how the system works and what security is in place, usually the questions stop.

Dan

Re: Disabling the system account

MarkOfAus — Wed, 13 Apr 2011 03:14:54 GMT

Hi Julian,

In dealing with auditors, one is best to just advise them of the best approach, usually contrary to their stated goal, while stating the costs and possible deadly ramifications.

Then wait the required amount of time until the next audit and the next vaccuous idea.

Specific to you, we had a similar request. We just laughed so hard the auditor was embarassed. We gave him the analogy of taking the steering wheel out of the car and still expecting it to work. (He was also requesting the same be done for root!)

We also added that the onus of proof is on him to prove that having root/system active is a security breach. A vacant stare was the only reply.

Cheers
Mark

Re: Disabling the system account

Steve Reece_3 — Wed, 13 Apr 2011 07:21:46 GMT

Back in the dim and distant past (1995 to 1997, VMS 5.5-2), I worked with systems that did have the SYSTEM account disabled. At that time, Craig is correct - the SYSTEM account could login on OPA0: anyway if you had the correct password.

It takes time to do this and get it right. All of the jobs that you expect to start as SYSTEM need to be changed to run as someone else. This would usually be as another privileged user that was site-specific. I wouldn't expect network protocols (other than, perhaps, LAT) to be a problem since they start as the network users rather than SYSTEM. VMS Server jobs (audit server, shadow server, SMI, Swapper etc) would be a different matter and would probably need their startup command procedures modifying so that they started as the alternate system rather than the SYSTEM account itself.

So, on VAX, on Version 5.5-2, it was certainly achievable.

Would you want to do it? Only if you had a lot of time to get it right and a lot of testing carried out so that you could be sure that everything worked and that you weren't creating a problem for yourself.

Would I expect HP to support such a configuration? Absolutely not. The SYSTEM account is there to run server processes and to do system management.

Steve

Re: Disabling the system account

Hoff — Wed, 13 Apr 2011 11:38:05 GMT

Your auditors appear unfamiliar with VMS, which means you'll receive questionable advice (such as this advice) and quite possibly other and VMS-specific risks will be missed by these folks. Which is not a good situation.

Here are links to security checklists, including to the old VMS SRR:

http://labs.hoffmanlabs.com/node/43

I'd tend to go double-password on SYSTEM here, and would most definitely not disable it. Issue one of the two passwords to SYSTEM to half of your administrative team, and the other password to the other half of the team, and a policy that all SYSTEM activity requires both users to be present. (Assuming a typical distribution, odd corporate badge numbers or odd UIC members get one password, even badges or even UIC members gets the other.)

Re: Disabling the system account

Doug Phillips — Wed, 13 Apr 2011 15:25:45 GMT

The System Manager's Manual, (Specifically, Vol.1, Sec 7.1.6) provides the information you need and should be definitive enough for the auditors.

Re: Disabling the system account

Julian Mathews_1 — Tue, 19 Apr 2011 00:30:25 GMT

Many thanks to all the kind people who replied to this post particularly Doug and Hoff.

One of the things these guys wanted to do was rename the system account so having it stated not to in black and white is pretty compelling proof.

Points coming up...

Julian