topic Re: Someone deleted the sysuaf.dat file. Is that logged anywhere? in Operating System - OpenVMS

Someone deleted the sysuaf.dat file. Is that logged anywhere?

Steve Longenecker — Wed, 05 Apr 2006 10:25:19 GMT

Despite warning management for years that too many users have system privileges, along with the associated risks, management will not allow tightening security.

Well, it finally happened yesterday when someone deleted sysuaf.dat. While I recovered the file from the nightly backup, no one has taken responsibility for deleting the file.

I support too many operating systems these days and have become a bit rusty with vms to recall all the accounting and security features. Question: Is the deletion of sysuaf.dat recorded anywhere on the system... assuming default installation settings for accounting and security? I have already scanned accounting and didn't find it there.

Re: Someone deleted the sysuaf.dat file. Is that logged anywhere?

Ian Miller. — Wed, 05 Apr 2006 10:39:13 GMT

Probably not unless you had an alarm/audit ACL on the file (DIR/SECURITY SYS$SYSTEM:SYSUAF.DAT)

Ensure the time and cost of recovering from this is visable to the mangagement - give them some beans to count.

Re: Someone deleted the sysuaf.dat file. Is that logged anywhere?

Jan van den Ende — Wed, 05 Apr 2006 10:48:14 GMT

Steve,

Question: Is the deletion of sysuaf.dat recorded anywhere on the system... assuming default installation settings for accounting and security?

No.

But, if you fear for a repitition any time in the future, you CAN set an alarm ACE on it.

And then I hope it will not be "SYSTEM" who did it, because that will bring you back to square 1.

In that respect, did you really mean
"too many users have system privileges", (a relatively good thing)
or did you mean that many users have access to the SYSTEM account?
In the latter case, all you can do is hope to find out from which terminal/remote connection the faulty action was made, and be able to tie that to one individual.

But really, you should try with all means at your disposal to convince your management that this is an unresponsible risk!
-- but you probably gave them the best argument to the contrary, by demonstrating how quickly you can recoverm by a simple restore. :-(

As so often: the technical problems are NOTHING compared to managents complete incompetence ignorance.

Proost.

Have one on me.

jpe

Re: Someone deleted the sysuaf.dat file. Is that logged anywhere?

labadie_1 — Wed, 05 Apr 2006 11:00:42 GMT

I know a site that has had for long 8000 acccounts with all privileges...

You are not alone :-)

Re: Someone deleted the sysuaf.dat file. Is that logged anywhere?

Steve Longenecker — Wed, 05 Apr 2006 11:14:57 GMT

Thanks, I'll set an alarm ACE for the next time... assuming it works. Believe it or not, every DCL user in the IT department, regardless of position (System Manager, Operator, HelpDesk, Programmer, Application Support, etc.), has a copy of the system account, along with a UIC of [1,4]. The only user account differences from system are username and default directory.

Re: Someone deleted the sysuaf.dat file. Is that logged anywhere?

Robert Gezelter — Wed, 05 Apr 2006 11:26:57 GMT

Steve,

Having large numbers of privileged accounts is a problem.

OpenVMS DOES allow many management functions to be performed by users with suitable file access, not full privileges.

At HP WORLD 2004, I gave a presentation on how to manage a large environment (measured in thousands of users), with a minimum of privileged users. The introductory slides for the presentation can be found at http://www.rlgsc.com/hpworld/2004/N227.html .
(My apologies, but the workbook is not publicly available, it represents a half-day seminar).

Suffice it to say, particularly in these days of Sarbenes-Oxley and other accountability regulations, OpenVMS provides mechanisms to manage the system without requiring large numbers of privileged users.

- Bob Gezelter, http://www.rlgsc.com
Contributor, OpenVMS Security, Handbook of Information Security

Re: Someone deleted the sysuaf.dat file. Is that logged anywhere?

Steve Longenecker — Wed, 05 Apr 2006 11:34:06 GMT

You are preaching to the choir... Yes, despite SARBOX and HIPAA (and yes, we are also a hospital), not properly configuring user accounts is a directive from the Director of IT. Even this scare is not enough to change his mind... the rational being "the hospital has been running VMS for over 20 years and this problem has only occurred once." Oh well, live and learn. I have documented my concerns and will drive on... Thanks.

Re: Someone deleted the sysuaf.dat file. Is that logged anywhere?

Steve Longenecker — Wed, 05 Apr 2006 11:36:26 GMT

Closed...

Re: Someone deleted the sysuaf.dat file. Is that logged anywhere?

Ian Miller. — Wed, 05 Apr 2006 11:37:35 GMT

As you are in the USA then you can leverage Sarbenes-Oxley. You have to have individual accountability and minimum privilges to do the job. So thats unique UIC's and take away those privs.

Get your corporate auditor interested as they can wield a stick big enough for the management to take note of.

There are other security standards which apply if you have any govt work.

Re: Someone deleted the sysuaf.dat file. Is that logged anywhere?

Jan van den Ende — Wed, 05 Apr 2006 11:41:38 GMT

Steve,

has a copy of the system account, along with a UIC of [1,4]. The only user account differences from system are username and default directory

In that case, I would not even like to THINK about what functionality you will break by taking away the privileges,
BUT,
the ONE important thing you CAN, (and should) do with little impact, but much gain, is assigning each user account a unique UIC.
To stay on the save side wrt breaking things, choose group-UICs .LE. SYSGENs MAXSYSGROUP, but then at least any activity that leaves a trace will in that trace show WHO did it.

hth

Proost.

Have one on me.

jpe