Operating System - OpenVMS
Re: Disable OPEN VMS User Account Automatically

 
Regular Advisor

Re: Disable OPEN VMS User Account Automatically

Hi Willem Grooters

Thanks for your reply. We have two different accounts for this application.

1. User id - ABCLOWPRV - This is the regular user account for application startup and shutdown.
2. User id - ABCUSER - This account has all the privileges and is used rarely, for application maintenance or troubleshooting application problems. Since this has all the privileges, we want to protect this account.

Your suggested procedure is suitable for this environment and I want to implement the same.
I want to add the /DISUSER flag on the exit/logout of the ABCUSER. This will prevent users logging in if they know the last password.

How do I implement the same?
Is there any option in AUTHORIZE to do this?
Or do I need to write a command procedure for this?
Honored Contributor

Re: Disable OPEN VMS User Account Automatically

CA1467620 ,

>>>
I want to add the /DISUSER Flag on the exit/logout of the ABCUSER. This will prevent users login if he know the last password..

How do I implement the same;
Is there any options in authorize to do this ?
<<<

$ MCR AUTHORIZE MODIFY ABCUSER /FLAG=DISUSER

(undo with /FLAG=NODISUSER)

Before using AUTHORIZE in this way, you should have defined the SYSUAF logical:
$ DEFINE /SYSTEM/EXECUTIVE SYSUAF SYS$SYSTEM:SYSUAF.DAT
(by default: SYS$SYSTEM:SYSUAF.DAT)
Be aware that the logical might already be defined; in that case, LEAVE it!

hth

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Honored Contributor

Re: Disable OPEN VMS User Account Automatically

CA1467620,

AUTHORIZE is used to set the DISUSER flag (see HELP MOD /FLAGS within AUTHORIZE).

As Willem noted, unless the user has NO ACCESS to DCL, this is not an effective measure. If the user has access to DCL, they can undo (or fail to do) this measure as they please.

- Bob Gezelter, http://www.rlgsc.com
Honored Contributor

Re: Disable OPEN VMS User Account Automatically

CA1467620,

In the spirit of "trust but verify": if you give this account TWO different passwords (see AUTHORIZE HELP /SECONDARY), where each person who uses the account knows only ONE of those, then the account can only ever be used if TWO people are available to log in.
Now (as long as they do not conspire :-) ), you can be reasonably sure that they will only do legitimate things.

This will get you much closer to what you want than any other OS. If this does not satisfy the auditors, then let THEM show how it has to be done!

hth

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Honored Contributor

Re: Disable OPEN VMS User Account Automatically

Hmm, I don't know why the first reply by Karl did not get the full 10 points for a perfect reply and closed the question.

It solves the problem and as bonus points out legitimate and serious concerns.

As Karl indicates, in the LOGIN.COM for the account issue MCR AUTHORIZE /DISUSER.

Anything more is just window dressing / fluff.

You may want to describe the real problem better. That is, what is the task to be 'protected' and why is the user not trusted the rest of the time.

One of my customers uses a 'careful' mode where specially flagged users can log in with full privs, but with all input and output logged. I'm sure that also can be hacked around, but any person caught attempting that is 'questionable'.
Just enough of a hurdle and a clear demarcation imho.

fwiw,
Hein.


Trusted Contributor

Re: Disable OPEN VMS User Account Automatically

No user should have ALL privileges unless they need access to ALL resources on the system, and those *few* users should be very knowledgeable and very trusted.

Any Application-level manager should only have full access to the resources needed to manage that application. It's better to look at the system's security from the bottom-up rather than top-down.

To use AUTHORIZE, a user needs W access to the SYSUAF, NET($)PROXY and RIGHTSLIST files (SYSTEM UIC or SYSPRV), so you shouldn't give them that, and don't give them BYPASS or any such elevated privs (which they *really* shouldn't need to do what you describe). Application resources should be protected/isolated at the Group level, and/or via ACLs.

Following the other advice on ways to limit their access times should work fine for you if your system and application's security is properly configured.
Honored Contributor

Re: Disable OPEN VMS User Account Automatically

>I want to add the /DISUSER Flag on the
>exit/logout of the ABCUSER. This will
>prevent users login if he know the last
>password..

If I'm understanding your objective, I'd suggest adding the DISUSER to the *LOGIN* rather than the LOGOUT. DISUSER doesn't affect an existing process, it just prevents new processes from starting. You definitely have control over LOGIN, but may not get to the LOGOUT (process disconnection, bug in application, power fail, system crash, etc...). This also prevents your user from connecting a second session before finishing with the first.

Assuming your user has a high level of privileges, just add these lines to LOGIN.COM

$ IF F$TRNLNM("SYSUAF").EQS."" THEN DEFINE/USER SYSUAF SYS$SYSTEM:SYSUAF
$ MCR AUTHORIZE MODIFY 'F$GETJPI("","USERNAME")' /FLAG=DISUSER

This will use the system defined SYSUAF, or set a logical name to use the default one if there's no system defined one.
(note to Jan, for AUTHORIZE use, the SYSUAF logical name may be in any mode, or in any table visible to the process)

If the user doesn't have SYSPRV (and doesn't need it for the other processing), you can set it as a "trapdoor" privilege:

(permanent setting for the account):
$ MCR AUTHORIZE MODIFY user /DEFPRIVILEGE=SYSPRV /PRIVILEGE=NOSYSPRV

Once you've done the AUTHORIZE command in LOGIN.COM, issue:

$ SET PROCESS/PRIVILEGE=NOSYSPRV

Once SYSPRV has gone from the default mask, it can't be reinstated because it's not in the authorized mask.

All that said, as others have already mentioned, but it's worth stressing... if the privileged user has ANY access to DCL, or, in some cases even a prompt for data, it really doesn't matter how many tricks and traps you set, if they know what they're doing they WILL be able to get past them.

It comes down to a very simple test - If you don't trust the person, don't give them privilege.
A crucible of informative mistakes
Honored Contributor

Re: Disable OPEN VMS User Account Automatically

>I want to add the /DISUSER Flag on the
>exit/logout of the ABCUSER. This will
>prevent users login if he know the last
>password..

If I'm understanding your objective, I'd suggest adding the DISUSER to the *LOGIN* rather than the LOGOUT. DISUSER doesn't affect an existing process, it just prevents new processes from starting. You definitely have control over LOGIN, but may not get to the LOGOUT (process disconnection, bug in application, power fail, system crash, etc...). This also prevents your user from connecting a second session before finishing with the first.

Assuming your user has a high level of privileges, just add these lines to LOGIN.COM

$ IF F$TRNLNM("SYSUAF").EQS."" THEN DEFINE/USER SYSUAF SYS$SYSTEM:SYSUAF
$ MCR AUTHORIZE MODIFY 'F$GETJPI("","USERNAME")' /FLAG=DISUSER/NOACCESS

This will use the system defined SYSUAF, or set a logical name to use the default one if there's no system defined one.
(note to Jan, for AUTHORIZE use, the SYSUAF logical name may be in any mode, or in any table visible to the process)

If the user doesn't have SYSPRV (and doesn't need it for the other processing), you can set it as a "trapdoor" privilege:

(permanent setting for the account):
$ MCR AUTHORIZE MODIFY user /DEFPRIVILEGE=SYSPRV /PRIVILEGE=NOSYSPRV

Once you've done the AUTHORIZE command in LOGIN.COM, issue:

$ SET PROCESS/PRIVILEGE=NOSYSPRV

Once SYSPRV has gone from the default mask, it can't be reinstated because it's not in the authorized mask.

All that said, as others have already mentioned, but it's worth stressing... if the privileged user has ANY access to DCL, or, in some cases even a prompt for data, it really doesn't matter how many tricks and traps you set, if they know what they're doing they WILL be able to get past them.

It comes down to a very simple test - If you don't trust the person, don't give them privilege.
A crucible of informative mistakes
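A complete LOGIN.COM built on the lock-on-login approach described in the post above, added here as an example; it is not John's code and not from the thread. It assumes ABCUSER carries SYSPRV as a default but not an authorized privilege (the "trapdoor" just described), has the RESTRICTED flag so the procedure cannot be skipped, and that SYS$MANAGER:PRIVLOGIN.LOG is a hypothetical audit trail file. Beyond the two lines in the post it checks the AUTHORIZE status, re-reads the record to confirm the flag is really set, records the session, and only then drops SYSPRV.

```dcl
$! LOGIN.COM for ABCUSER: lock the account on LOGIN, confirm the lock,
$! record the session, then drop SYSPRV so the lock cannot be undone
$! from this session.  Added example, not code from the thread.
$! Assumptions: SYSPRV is a DEFAULT but not an AUTHORIZED privilege of
$! the account (the "trapdoor"), the account has the RESTRICTED flag so
$! this file always runs, and SYS$MANAGER:PRIVLOGIN.LOG is a hypothetical
$! audit trail file.
$ SET NOON
$ me  = F$EDIT(F$GETJPI("","USERNAME"), "TRIM")
$ log = "SYS$MANAGER:PRIVLOGIN.LOG"
$ tmp = "SYS$SCRATCH:UAFCHECK.TMP"
$!
$! Use the system SYSUAF logical if there is one; otherwise point the next
$! image (AUTHORIZE) at the default file.
$ IF F$TRNLNM("SYSUAF") .EQS. "" THEN DEFINE/USER SYSUAF SYS$SYSTEM:SYSUAF
$ MCR AUTHORIZE MODIFY 'me' /FLAG=DISUSER
$ stat = $STATUS
$ IF .NOT. stat
$ THEN
$   WRITE SYS$OUTPUT "Unable to set DISUSER on ''me' (status ''stat'); logging out"
$   LOGOUT/BRIEF
$ ENDIF
$!
$! Re-read the record and make sure DISUSER really is set (SEARCH returns
$! severity 1 only when the string is found).
$ IF F$TRNLNM("SYSUAF") .EQS. "" THEN DEFINE/USER SYSUAF SYS$SYSTEM:SYSUAF
$ DEFINE/USER SYS$OUTPUT 'tmp'
$ MCR AUTHORIZE SHOW 'me'
$ SEARCH 'tmp' "DISUSER" /NOOUTPUT
$ found = $SEVERITY
$ DELETE/NOLOG 'tmp';*
$ IF found .NE. 1
$ THEN
$   WRITE SYS$OUTPUT "DISUSER flag not present after MODIFY; logging out"
$   LOGOUT/BRIEF
$ ENDIF
$!
$! Append one line per session to the trail file, creating it on first use.
$ IF F$SEARCH(log) .EQS. ""
$ THEN OPEN/WRITE trail 'log'
$ ELSE OPEN/APPEND trail 'log'
$ ENDIF
$ WRITE trail F$TIME(), " ", me, " locked at login, pid ", F$GETJPI("","PID"), -
        ", terminal ", F$GETJPI("","TERMINAL")
$ CLOSE trail
$!
$! SYSPRV leaves the process here.  Because it is not in the authorized
$! mask, SET PROCESS/PRIVILEGE=SYSPRV will fail for the rest of the session.
$ SET PROCESS/PRIVILEGE=NOSYSPRV
$ EXIT
```

The two LOGOUT branches matter as much as the lock itself: if the MODIFY fails or the flag is not visible afterwards, the session is ended rather than left running with SYSPRV and an unlocked account. The trail file is owned and written by the privileged session, so it is evidence of use, not a tamper-proof record; the nightly reporting discussed later in the thread is the independent check.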
Respected Contributor

Re: Disable OPEN VMS User Account Automatically

CA1467620, if you want the account DISUSERed as the user logs off, then bad news: there is no direct way of doing it.
We use a nightly job which disables and changes password for a number of selected accounts. One being FIELD. We also produce reports on when specific accounts were used. This seems to please the auditors.

Maybe an internals specialist can hook in some code to disable accounts at logout ?

My 2 cents.
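One way to build the nightly job just described, added here as an example (not the poster's own job and not from the thread). It assumes it runs as a batch job from a SYSTEM-UIC account holding SYSPRV, that SYS$MANAGER:NIGHTLY_LOCK.RPT is a hypothetical report file, and that the account list is constructed for this example. The point it adds to the post is that the generated replacement password is never captured in the batch log, and that the same run produces the "when was this account used" report from the accounting file.

```dcl
$! NIGHTLY_LOCK.COM: every night, DISUSER a fixed list of privileged
$! accounts, throw away their current passwords, and report on who used
$! them since the previous run.  Added example, not the poster's own job.
$! Assumptions: it runs as a batch job from a SYSTEM-UIC account that holds
$! SYSPRV; SYS$MANAGER:NIGHTLY_LOCK.RPT is a hypothetical report file; the
$! account list below is constructed for this example.
$ SET NOON
$ accounts = "ABCUSER,FIELD"
$ report   = "SYS$MANAGER:NIGHTLY_LOCK.RPT"
$ IF F$TRNLNM("SYSUAF") .EQS. "" THEN DEFINE SYSUAF SYS$SYSTEM:SYSUAF
$!
$ i = 0
$LOOP:
$   acct = F$ELEMENT(i, ",", accounts)
$   IF acct .EQS. "," THEN GOTO DONE
$   i = i + 1
$!  Lock the account and replace its password with a generated one.  The new
$!  password is deliberately discarded: AUTHORIZE prints it, so SYS$OUTPUT
$!  is sent to NL: for that one image and the batch log never sees it.  An
$!  administrator sets a fresh /PASSWORD when the account is next re-enabled;
$!  /PWDEXPIRED forces that password to be changed at first use.
$   DEFINE/USER SYS$OUTPUT NL:
$   MCR AUTHORIZE MODIFY 'acct' /FLAG=DISUSER /GENERATE_PASSWORD /PWDEXPIRED
$   IF .NOT. $STATUS THEN WRITE SYS$OUTPUT "WARNING: could not lock ''acct'"
$   GOTO LOOP
$DONE:
$!
$! Accounting records for these accounts since yesterday: every process
$! they started and every failed login attempt against them.
$ ACCOUNTING /USER=('accounts') /SINCE=YESTERDAY -
        /TYPE=(PROCESS,LOGIN_FAILURE) /FULL /OUTPUT='report'
$ MAIL /SUBJECT="Nightly privileged-account lock report" 'report' SYSTEM
$!
$! Resubmit for tomorrow night (02:00).
$ SUBMIT /AFTER="TOMORROW+02:00" /NOPRINTER /QUEUE=SYS$BATCH -
        'F$ENVIRONMENT("PROCEDURE")'
$ EXIT
```

Submit it once by hand and it re-queues itself each night. Because the accounts are left with a password nobody knows, re-enabling one is an explicit administrative act (NODISUSER plus a new password), which is exactly the record the auditors in the post are asking for.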
Regular Advisor

Re: Disable OPEN VMS User Account Automatically

If you decide to DISUSER the account during login, I'd also add the RESTRICTED flag to the account, to ensure that LOGIN.COM is executed.

Another tool that I use is a daily job to analyse accounting records and report on what I deem to be suspect modifications to SYSUAF. This approach is not bulletproof, but I find it adequate for keeping an eye on privileged users (typically application managers).
For the fashion of Minas Tirith was such that it was built on seven levels, each delved into a hill, and about each was set a wall, and in each wall was a gate. (J.R.R. Tolkien). Quote stolen from VAX/VMS IDSM 5.2
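A daily report of SYSUAF modifications, added here as an example; it is not Tom's job and not from the thread, and it uses the security audit journal rather than the accounting records he mentions, since AUTHORIZATION audit events record exactly which AUTHORIZE changes were made and by whom. It assumes AUTHORIZATION auditing has been enabled once with SET AUDIT, and that SYS$MANAGER:UAF_CHANGES.RPT is a hypothetical report file.

```dcl
$! UAF_CHANGES.COM: daily report of who changed SYSUAF or the rights list
$! through AUTHORIZE, taken from the security audit journal.  Added example,
$! not the poster's job (he analyses accounting records instead).
$! Assumptions: AUTHORIZATION auditing was enabled once with
$!    $ SET AUDIT /AUDIT /ENABLE=AUTHORIZATION
$! and SYS$MANAGER:UAF_CHANGES.RPT is a hypothetical report file.
$ SET NOON
$ report = "SYS$MANAGER:UAF_CHANGES.RPT"
$!
$! Every AUTHORIZE change since yesterday, in full (who, from where, what).
$ ANALYZE/AUDIT /SINCE=YESTERDAY /EVENT_TYPE=AUTHORIZATION /FULL -
        /OUTPUT='report' SYS$MANAGER:SECURITY.AUDIT$JOURNAL
$!
$! Only mail when something was recorded (EOF is the block count used).
$ IF F$SEARCH(report) .NES. ""
$ THEN
$   IF F$FILE_ATTRIBUTES(report, "EOF") .GT. 0 THEN -
        MAIL /SUBJECT="SYSUAF modifications since yesterday" 'report' SYSTEM
$ ENDIF
$!
$! Run again tomorrow morning.
$ SUBMIT /AFTER="TOMORROW+06:00" /NOPRINTER /QUEUE=SYS$BATCH -
        'F$ENVIRONMENT("PROCEDURE")'
$ EXIT
```

Combined with the lock-on-login LOGIN.COM and a nightly lock job, this closes the loop: the expected DISUSER and password changes show up in the report every day, so anything else in it (a NODISUSER, a privilege change, a new account) is the "suspect modification" worth asking about.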