topic User Priviledges in Operating System - OpenVMS

User Priviledges

Andrew Moody_1 — Tue, 25 Apr 2006 06:33:58 GMT

Dear All

I'm new a VMS cluster, and we are about to have a security audit.

What I'm looking for is a simple way to list users that have a specific priviledge. I don't seem to be able to see how to achieve this.

Andrew

Re: User Priviledges

Jan van den Ende — Tue, 25 Apr 2006 07:01:13 GMT

Andrew,

assuming you have no special utilities (like GETUAF, or some security package) at your disposal, one way to do this using only native VMS utilities is
(if SYSUAF logical not defined then $ SET DEFAULT SYS$SYSTEM first)
$ MCR AUTHORIZE LIST *
# SEARCH SYSUAF.LIS "Username:", /OUTPUT=SYS$LOGIN:SYSUAF.PRIV

Any username immediately preceeding the listed priv in SYSUAF.PRIV is one sought for.

If you have many non-priv'd users, you can easily EDIT those out of the list.
Mind, in the occasions where a username holds a the priv both "Authorized" AND "Default", it will be listed twice under that username.

Note also, that several utilities are available to get the info in one pass, and if this is a regular excersise, it might be rewarding to get one of those. For a one-time inventory, the above will do well enough.

hth

Proost.

Have one on me (maybe in May in Nashua?)

jpe

Re: User Priviledges

Ian Miller. — Tue, 25 Apr 2006 07:04:37 GMT

I use SCANUAF
ftp://ftp.process.com/vms-freeware/fileserv/scanuaf.zip

This also works
ftp://ftp.process.com/vms-freeware/fileserv/uaf.zip

Re: User Priviledges

Martin Vorlaender — Tue, 25 Apr 2006 07:16:16 GMT

Jan wrote:

>>>
$ MCR AUTHORIZE LIST *
<<<

Put a /FULL in there to get a verbose listing of all accounts, else you get a list with one line per account and only a privilege group.

HTH,
Martin

Re: User Priviledges

Robert Gezelter — Tue, 25 Apr 2006 08:02:28 GMT

Andrew,

I concur, if the auditor is familiar with OpenVMS, he will be most comfortable with the standard listing from AUTHORIZE (do not be surprised if he wants to witness it or run it himself).

As preparation for the audit, consider the fact that large numbers of privileged users are a "Red Flag" on a security audit. Be prepared to provide an explanation of each privileged user and their privileges, it will demonstrate that you are alert to the issues.

Consider reducing the number of privileged accounts. I have had great success limiting the number of privileged users at my client's installations, and it makes security (and other) audits far simpler. See my presentation from HPWORLD 2004 at http://www.rlgsc.com/hpworld/2004/N227.html and my "OpenVMS Security" chapter in the Handbook of Information Security, abstract and brochure at http://www.rlgsc.com/hinfosec/hinfosec.html

I hope that the above is helpful.

- Bob Gezelter, http://www.rlgsc.com

Re: User Priviledges

Andrew Moody_1 — Tue, 25 Apr 2006 08:11:15 GMT

Cheers Guys

Just really digging around at the moment, I'm jointly responsible for a HP-UX and OpenVMS environments and I'm much more familiar (by a matter of months) with the UX stuff.

I've found the information I was looking for thanks to your help so I'm closing the thread.

Andrew

Re: User Priviledges

Andrew Moody_1 — Tue, 25 Apr 2006 08:11:56 GMT

closed

Re: User Priviledges

Phil.Howell — Wed, 26 Apr 2006 22:31:04 GMT

If you want a similar tool for both unix and vms environments then have a look at the vms_check tool
Phil
http://h71000.www7.hp.com/openvms/journal/v7/vms_check_tool.html