topic Re: Strange return from Scanuaf freeware in Operating System - OpenVMS

Strange return from Scanuaf freeware

Mike R Smith — Fri, 07 May 2010 17:40:00 GMT

I was using scanuaf to check for accounts not meeting our security criteria when I received what appears to be output for an account that does not exist. It shows up as an anomaly for several security criteria but a manual check/dump/search of sysuaf does not reveal the record. Has anyone seen anything like this before? The one difference is that this node is 7.3-2 and only one other node runs that version.

SCANUAF> pwdminimum<8

============
Node: XXXYYY
============

Username :
PWDMINIMUM : 0

--------------------------------
Records: 6835 Matches: 1
--------------------------------

It is almost like this is a hidden account or maybe scanuaf is confused but a manual search does not find any account with a pwdminimum of 0.

Re: Strange return from Scanuaf freeware

P Muralidhar Kini — Fri, 07 May 2010 18:06:43 GMT

Hi Mike,

>> but a manual check/dump/search of sysuaf does not reveal the record
By manually do u mean you have dumped all the contents of the SYSUAF to
a file and checked thi file for the USERNAME displayed by SCANUAF ?

Regards,
Murali

Re: Strange return from Scanuaf freeware

Mike R Smith — Fri, 07 May 2010 18:17:53 GMT

Yes, I did things like:

$ defin/user sys$output t.t
$ mcr authorize show *

I then ran searches on this file as well as manual edits. I did things like searching for the offending setting from inside and outside the file just to be sure.

$ sea t.t "pwdminium: 8"

spacing may be off but you get the idea

Re: Strange return from Scanuaf freeware

P Muralidhar Kini — Fri, 07 May 2010 18:26:49 GMT

Hi Mike,

About PWDMINIMUM,
PWDMINIMUM specifies the minimum password length in characters.
But this rule is enforced only by DCL command SET PASSWORD.
It does not prevent you from entering a password shorter than the
minimum length when you use AUTHORIZE to create or modify an
account. By default, a password must have at least 6 characters.

>> Username :
>> PWDMINIMUM : 0
SCANUAF has given you a entry where it says that some entry has
PWDMINIMUM of 0.

>> $ sea t.t "pwdminium: 8"
You are searching for SYSUAF output in file t.t for user with PWDMINIMUM of 8.

I think the search should be
$ sea t.t "pwdminium: 0"

Regards,
Murali

Re: Strange return from Scanuaf freeware

Mike R Smith — Fri, 07 May 2010 18:33:53 GMT

You are correct, I was just using that search string as an example of how I was looking for the "strange" account. The point I was trying to make is that, I did search for the offending criteria in trying to understand what was being flagged.

The correct search was for pwdminimum of 0 which is what I did and nothing came back.

Re: Strange return from Scanuaf freeware

Hoff — Fri, 07 May 2010 18:43:30 GMT

That entry is an expected and entirely normal SYSUAF record entry that's present within some OpenVMS systems and configurations.

That record happens to be where the so-called system password (the system-wide login password, as differentiated from SYSTEM username and its password) is stored.

See SET TERMINAL /SYSPASSWORD and the system parameter TTY_DEFCHAR2 for related details.

Its presence within SYSUAF can be safely ignored for the purposes of a security audit or a password audit, and it is never available as an interactive login username.

Re: Strange return from Scanuaf freeware

Hoff — Fri, 07 May 2010 21:26:14 GMT

Duh. I neglected to provide the major commands involved here with the system password, in favor of providing some far more obscure ones. Here are the major knobs:

UAF> MODIFY /SYSTEM_PASSWORD=string

$ SET PASSWORD /SYSTEM

Have a look at the VMS source listings for some of the related details with the SYSUAF storage; I don't know how much of this stuff was ever officially documented.

There are other details (such as VMS- and customer-reserved identifier ranges that exist over in the RIGHTSLIST file) that can also lurk here, too.

Re: Strange return from Scanuaf freeware

P Muralidhar Kini — Sat, 08 May 2010 06:55:19 GMT

Hi Mike,

The entry displayed by SCANUAF is indeed the system password (i.e not the
password associated with the SYSTEM account in SYSUAF.DAT file)

Generally when you login to a VMS system, you are asked for username and
password. This would be based on various accounts that are created in the
SYSUAF.DAT file.

System password is the one which is used in order to gain access to a
particular terminal. Once the system password is entered, then user would be
prompted for the username/password in order to login to the system.
The system password are generally used to control access to terminals that
are publicly acessible and not tightly secured.
Example: Computer lab at universities.

Note that this system password is different from the password for SYSTEM
account in the SYSUAF.DAT file.

This is documented in the HP VMS Guide to System Security Document.
You can download it from the following link -
http://h71000.www7.hp.com/doc/732final/aa-q2hlg-te/aa-q2hlg-te.pdf

Refer
* Knowing what type of passwords to use
* Entering a system password
* Using password to control system Access

1) If you are setting the system password for the first time then you have to use
UAF>MODIFY SYSTEM_PASSWORD=PASSWORD
This will create a corresponding record in the SYSUAF.DAT file.

2) Once the record is created in SYSUAF.DAT file, subsequent change to the
system password can be done using DCL "$SET PASSWORD/SYSTEM" command.

Without a record created for system password in SYSUAF.DAT file, if you use
step 2 (i.e. DCL command) then you will get a error
%SET-F-UAFERR, error accessing authorization file
-RMS-E-RNF, record not found

To enable the use of the system password for the remote class of logins
(those accomplished through the DCL command SET HOST), set the
appropriate bit in the default terminal characteristics parameter by using
AUTOGEN. This is bit 19 (hexadecimal value 80000) in the parameter TTY_DEFCHAR2.

SYS_PARAMETERS
TTY_DEFCHAR2

TTY_DEFCHAR2 sets a second longword of default terminal characteristics.
The default characteristics are represented as a code that is derived by
summing the following hexadecimal values:
Characteristic Value (Hex) Function
...
SYSPWD 80000 Log in with system password only.

Check out the DCL help of SET TERM also -
SET
TERMINAL
/SYSPASSWORD
/SYSPASSWORD
/NOSYSPASSWORD (default)

Requires LOG_IO (logical I/O) privilege.

Determines whether the terminal requires that a system password
be entered before the Username: prompt.

>> It is almost like this is a hidden account or maybe scanuaf is confused but a
>> manual search does not find any account with a pwdminimum of 0.
As Hoff has suggested, looks like entry displayed by SCANUAF is the system
password as mentioned above. In which case you can safely ignore this entry
for auditing purpose.

Regards,
Murali

Re: Strange return from Scanuaf freeware

Mike R Smith — Mon, 10 May 2010 15:36:02 GMT

Two great answers that not only answered the question but led me to addtional documentation for review. Thanks!!!

Re: Strange return from Scanuaf freeware

Art Wiens — Sat, 15 May 2010 15:57:49 GMT

"
Yes, I did things like:

$ defin/user sys$output t.t
$ mcr authorize show *
"

No one pointed out, but just as an FYI ... you can just use UAF to produce a brief or full listing with:

$ MCR AUTHORIZE LIST

or

$ MCR AUTHORIZE LIST /FULL

Both variations provide a file named SYSUAF.LIS .

This listing capability can be used to provide information regarding various entities in the SYSUAF and RIGHTSLIST files with a few other LIST command switches.

UAF> help list

to see all it can do.

Cheers,
Art