topic Re: how to find the users who have high privilege in Operating System - OpenVMS

how to find the users who have high privilege

Davor_7 — Fri, 16 Sep 2005 01:48:20 GMT

for example, there are 100 users, some are OPER, some are SYSTEM, and some are others...
some are in same UIC group and some are different.

i want to display all users who only have OPER privilege. how to handle with?

Re: how to find the users who have high privilege

Bojan Nemec — Fri, 16 Sep 2005 02:07:21 GMT

Davor,

I dont know any elegant solution. The fastest is to do:

$ run authorize
UAF> list/full
UAF> exit
$ edit sysuaf.lis

and use editor to find OPER.
The second is:

UAF> show * /page/search=OPER

And scroll the whole listing. Lines with OPER string are highlited .

The first solution is faster and more practical to use.

Bojan

Re: how to find the users who have high privilege

Uwe Zessin — Fri, 16 Sep 2005 02:09:35 GMT

Most likely there are some utilities out there, but it can be done with a little manual work, too. For example:

AUTHORIZE> list/full

$ search SYSUAF.LIS "username:","oper"

It will find all usernames and below each username you will see if there is any string "OPER". I admit that is rather primitive, but sometimes it is not possible to find a tool or install it on a system and I beleive that's better than going over the full list.

For UIC groups you can try this:
AUTHORIZE> show /brief [123,*]

Re: how to find the users who have high privilege

Uwe Zessin — Fri, 16 Sep 2005 02:11:03 GMT

Hm, of course the prompt is "UAF>".
I should have used a larger cup of coffee this morning...

Re: how to find the users who have high privilege

Karl Rohwedder — Fri, 16 Sep 2005 02:23:41 GMT

I use a little utility SCANUAF for these things:

SAP01_Rohwedder. scanuaf
SCANUAF> priv=oper

===========
Node: LOCAL
===========
Username: xxxxxxxx
Username: xxxxxxxx
Username: DIA$MANAGER
Username: ROHWEDDER
Username: SYSTEM
Username: VET$SERVER
--------------------------------
Records: 132 Matches: 6
--------------------------------

You should find SCANUAF on Hunter Goatley's
fileserv.

regards Kalle

Re: how to find the users who have high privilege

Joseph Huber_1 — Fri, 16 Sep 2005 02:26:09 GMT

Just to see if somebody has elevated privileges, do
authorize show */brief
and look in the privs column.
You see there normal,devour,system,all .
OPER in the priv list raises to SYSTEM.
For a single user, there is the freeware utility GETUAI (I think in the process.com archive), which lets you get the privilege list like
GETUAI user /priv=privsym/defpriv=defsym
into DCL symbols.
To get a list of all users, create a userlist using AUTHORIZE/LIST/BRIEF * , and loop over the list with GETUAI.

Re: how to find the users who have high privilege

Davor_7 — Fri, 16 Sep 2005 02:29:04 GMT

Hi Kalle

could you give me the address for "Hunter Goatley's file server"?

or could you send this tool to me ?

Re: how to find the users who have high privilege

Karl Rohwedder — Fri, 16 Sep 2005 02:40:33 GMT

It's here:
http://vms.process.com/scripts/fileserv/fileserv.com?SCANUAF

Since the original version is quite, I have added some new flags. I attach my version to this replay. It is written in FORTRAN.

regards Kalle

Re: how to find the users who have high privilege

Davor_7 — Fri, 16 Sep 2005 02:52:04 GMT

thanks Kalle

but i donot know how to use it~
i'm a new system manager, even donot know how to install a software on VMS :p

Re: how to find the users who have high privilege

Karl Rohwedder — Fri, 16 Sep 2005 03:13:04 GMT

Davor,

I just noticed, that the version is rather old (2000) and misses some of the new flags, so I just added them (PDMIX,VMSAUTH e.g.) and created a new version (see attached).

There is a userguide and releasenotes avaiable, as well as a HELP module for a helplibrary.

You must create a nodelist (template in kit), which tells SCANUAF where to find the SYSUAF files for different nodes (yes: scanuaf works network wide).

Besides addition to new flags, I moved the nodeslist and helpfile to a specific directory (CNC_MANAGER), but you can either define a logical name or change the source accordingly.

regards Kalle

Re: how to find the users who have high privilege

Davor_7 — Fri, 16 Sep 2005 03:18:33 GMT

hehe~ that's too complex for a new kisser...

thank you all the same. :)

Re: how to find the users who have high privilege

Ian Miller. — Fri, 16 Sep 2005 04:12:49 GMT

Carl, parhaps you can submit your modified version to the fileserv archive and new/updated freeware is always wanted for the VMS freeware CDs.

I sometimes use
http://vms.process.com/scripts/fileserv/fileserv.com?uaf
for this sort of thing

$ UAF :== $dev:[dir]UAF.EXE
$ UAF/SELECT=(PRIV=CLASS=ALL,DEFPRIV=CLASS=ALL) /DISPLAY=(USERNAME,PRIV,DEFPRIV)

will list all the users with privs in the All class. For information on privilege classes see the Security Manual.

To list all users with OPER
UAF/SELECT=(PRIV=OPER,DEFPRIV=OPER) /DISPLAY=(USERNAME)

Re: how to find the users who have high privilege

comarow — Sun, 18 Sep 2005 14:32:45 GMT

There is an excellent third party tool called Point Secure which will provide this information as well as check file protections and all sorts of security related information. We recommend it's use at Colorado Springs for security sensative sites. It runs on the PC and reads your VMS systems.

Bob C

Re: how to find the users who have high privilege

Davor_7 — Sun, 18 Sep 2005 19:11:53 GMT

Hi Bob
you mean that this tool can be run on Windows and read data from VMS??

Re: how to find the users who have high privilege

Hein van den Heuvel — Sun, 18 Sep 2005 19:29:23 GMT

Those tools are good.

If you have (g)awk or perl installed you can do something like:

$mcr authorize list/full
$ gawk "/^User/{u=$2} / Priv/{p=$1} / OPER /{print u,p}" sysuaf.lis

or

$ perl -ne "($a,$b)=split; $u=$b if /^Use/; $p=$a if /\sPriv/; print ""$u $p\n"" if /\sOPER/" sysuaf.lis

Or with a DCL loop workign directly on the source (SYSUAF.DAT) exploiting the following info:

$ pipe libr/ext=$uafdef/out=sys$output sys$library:lib.mlb | searc sys$pipe q_priv
$EQU UAF$Q_PRIV 412
$ pipe libr/ext=$prvdef/out=sys$output sys$library:starlet.mlb | search sys$pipe v_oper
$EQU PRV$V_OPER 18

---- uaf_oper.com ---

$open /read /share uaf 'f$parse("SYSUAF","SYS$SYSTEM:.DAT",,,"SYNTAX_ONLY")
$loop:
$ read/end=done uaf rec
$ if f$cvsi(412*8+18,1,rec) then write sys$output f$extr(0,12,rec)
$ goto loop
$done:
$close uaf

fwiw,
Hein.

Re: how to find the users who have high privilege

Wim Van den Wyngaert — Mon, 19 Sep 2005 03:49:15 GMT

This .com does it. Just cut and paste it into test.com and execute it with @.

But there are other ways to get OPER. SETPRV for example.

Wim

Re: how to find the users who have high privilege

Robert_Boyd — Mon, 19 Sep 2005 09:48:17 GMT

On post V7 systems you can do this:

$ pipe mcr authorize show */brief | search sys$input: all,system,oper /output=privileged_users.lis

Robert

Re: how to find the users who have high privilege

Jan van den Ende — Mon, 19 Sep 2005 11:13:55 GMT

Hein,

care to elaborate on your EQU command?
AFAIK it is not standard DCL....

Proost.

Have one on me.

jpe

Re: how to find the users who have high privilege

Uwe Zessin — Mon, 19 Sep 2005 13:08:42 GMT

Jan,

>$EQU UAF$Q_PRIV 412

That is not a DCL command ;-)

It's one line in module ($uafdef) in Macro library (sys$library:lib.mlb) extracted by this command:

$ pipe libr/ext=$uafdef/out=sys$output sys$library:lib.mlb | searc sys$pipe q_priv

Re: how to find the users who have high privilege

comarow — Thu, 22 Sep 2005 03:26:16 GMT

Sep 19, 2005 00:11:53 GMT N/A: Question Author

--------------------------------------------------------------------------------
Hi Bob
you mean that this tool can be run on Windows and read data from VMS??

/Exeactly. It is a super monitor and alerts in red problems and can fix many conditions. For example it can fix quorum idssues. It warns if memory tight situations and many problems. Because it has power, it must be on the same lan on the system.

We are set up to do the anaylsis for you for a reasonable fee as well.

It also checks file protections and all sorts of goodies. It has a companion software, System Detective that sets up rules on your VMS system.

send mail to robert.comarow@hp.com for more specifics.

I'm impressed.