topic Re: lgi_brk_disuser seems to be not working in Operating System - OpenVMS

lgi_brk_disuser seems to be not working

mustafa_12 — Fri, 11 Aug 2006 05:41:09 GMT

Hello,

I have changed LGI_BRK_DISUSER to 1 by:

mc sysman param set lgi_brk_disuser 1
mc sysman param write active

The value of LGI_BRK_LIM is 5. However, after I enter six wrong passwords for a specific user, it does not be a DISUSER. Instead, it becomes an INTRUDER (by show intrusion) for a duration of LGI_HID_TIM * a nondeterministic number between 1 and 1.5.

What can be the reason for that?

BR...

Re: lgi_brk_disuser seems to be not working

Volker Halle — Fri, 11 Aug 2006 06:00:38 GMT

Mustafa,

it worked for me as expected on OpenVMS Alpha F8.3.

Consider to use REPLY/ENABLE=SECURITY to watch the OPCOM messages during your test.

Also re-check the parameters:

$ MC SYSGEN
SYSGEN> USE ACTIVE
SYSGEN> SHOW/LGI

Volker.

Re: lgi_brk_disuser seems to be not working

Heinz W Genhart — Fri, 11 Aug 2006 06:00:57 GMT

Hi Mustafa

LGI_BRK_LIM defines how many times a user can try to login until something happens.

I think you should also set the SYSGEN parameter LGI_BRK_DISUSER to 1, that a user account will be set to disuser after LGI_BRK_LIM failed logins.

Regards

Heinz

Re: lgi_brk_disuser seems to be not working

Volker Halle — Fri, 11 Aug 2006 06:04:48 GMT

Mustafa,

I believe the problem is here:

mc sysman param set lgi_brk_disuser 1
mc sysman param write active

Once you exit SYSMAN the temporary parameter values are lost. You need to do this:

$ MC SYSMAN
SYSMAN> PARAM USE ACTIVE
SYSMAN> PARAM SET LGI_BRK_DISUSER 1
SYSMAN> PARAM WRITE ACTIVE
SYSMAN> EXIT

Then it will work.

Volker.

Re: lgi_brk_disuser seems to be not working

Ian Miller. — Fri, 11 Aug 2006 06:09:13 GMT

I think Volker has the solution. However why do you want to set LGI_BRK_DISUSER to 1. It's not recommended and causes all sorts of fun.

From the help file
"LGI_BRK_DISUSER turns on the DISUSER flag in the UAF record when an attempted break-in is detected, thus permanently locking out that account. The parameter is off (0) by default. You should set the parameter (1) only under extreme security watch conditions, because it results in severely restricted user service. "

Re: lgi_brk_disuser seems to be not working

Robert Gezelter — Fri, 11 Aug 2006 06:16:21 GMT

Mustafa,

I must agree with Ian. This imposes very tight security on a global basis. The downside of this is that it can lock large numbers of accounts very, very quickly. This will require each and every account to be unlocked manually, a manpower intensive process.

I have seen auditors insist on such severe measures. I recommend that you get such an instruction in writing, because the resulting workload can create problems on a variety of fronts.

- Bob Gezelter, http://www.rlgsc.com

Re: lgi_brk_disuser seems to be not working

Ian Miller. — Fri, 11 Aug 2006 07:42:48 GMT

Another reason is the potential for a DOS attack. Attempt to login using other peoples usernames and get their usernames disabled.

Re: lgi_brk_disuser seems to be not working

mustafa_12 — Fri, 11 Aug 2006 08:00:00 GMT

Thanks Volker,

The way you've suggested worked.

I want to set this variable on, since, as you have guessed, COBIT auditors want this like that. I know the possibility of DoS attack and admin-power required, but is it possible to convince them with those reasons? is there anybody?

Re: lgi_brk_disuser seems to be not working

Ian Miller. — Fri, 11 Aug 2006 08:07:28 GMT

Record the additional work distruption (and therefore cost) inccured and report this to management.
I assume you have pointed at the recommendation not to use this from hp (its in the help and I guess its in the docs somewhere)

Re: lgi_brk_disuser seems to be not working

Volker Halle — Fri, 11 Aug 2006 08:27:49 GMT

Mustafa,

make really sure, that you (and all other system managers) known the current SYSTEM account password and the physical location and correct operation of your console terminal (OPA0:). Because this will be the ONLY way to get access to your system, once all privileged accounts have been disusered...

Volker.

Re: lgi_brk_disuser seems to be not working

Jan van den Ende — Fri, 11 Aug 2006 13:40:46 GMT

Mustafa,

please follow Volkers last advise.

I can already forsee one of your (our your successor's) next questions:
"ALL of our accounts with SYSPRV have been blocked by too many tries. How can we still get into the system?"

It is a REAL danger. And it will not happen now, but probably some months, or years from now.
Maybe after you have left this site. In that case it will ruin your reputation!

Better convince the auditors of the risk. You may show them this thread, if they wish you to substantiate your arguments.

hth

Proost.

Have one on me.

jpe

Re: lgi_brk_disuser seems to be not working

Robert Gezelter — Sat, 12 Aug 2006 07:37:53 GMT

mustafa,

I must return Jan's compliment from the other day (in a different thread).

His advice is VERY sound. I often recommend going one step further: creating an emergency access account, whose username/password combination is stored in A SEALED ENVELOPE with other important corporate papers under control of the CFO.

Being completely locked out of the system is a serious problem, particularly when there is no option of rebooting the node in a standalone mode from the console to reset the password.

- Bob Gezelter, http://www.rlgsc.com

Re: lgi_brk_disuser seems to be not working

Wim Van den Wyngaert — Mon, 14 Aug 2006 05:29:49 GMT

Attempts to use decnet objects that have no listener active and that don't start one either can lead to intrusions. So, if you enable this LGI_BRK_LIM you might get into problems (user locked out and service not working when it get started).

Do know what exactly is done in the code but we do have that problem in server to server communications.

Wim

Re: lgi_brk_disuser seems to be not working

Wim Van den Wyngaert — Mon, 14 Aug 2006 06:20:19 GMT

Make that LGI_BRK_DISUSER of course.

Wim

Re: lgi_brk_disuser seems to be not working

mustafa_12 — Mon, 14 Aug 2006 08:37:35 GMT

LGI_BRK_DISUSER is 0 now and I will try to convince them using these posts.