Operating System - OpenVMS

Someone deleted the sysuaf.dat file. Is that logged anywhere?

 
Steve Longenecker
Frequent Advisor


Despite warning management for years that too many users have system privileges, along with the associated risks, management will not allow tightening security.

Well, it finally happened yesterday when someone deleted sysuaf.dat. While I recovered the file from the nightly backup, no one has taken responsibility for deleting the file.

I support too many operating systems these days and have become a bit rusty with vms to recall all the accounting and security features. Question: Is the deletion of sysuaf.dat recorded anywhere on the system... assuming default installation settings for accounting and security? I have already scanned accounting and didn't find it there.
Ian Miller.
Honored Contributor

Re: Someone deleted the sysuaf.dat file. Is that logged anywhere?

Probably not unless you had an alarm/audit ACL on the file (DIR/SECURITY SYS$SYSTEM:SYSUAF.DAT)


Ensure the time and cost of recovering from this is visible to the management - give them some beans to count.
____________________
Purely Personal Opinion
Jan van den Ende
Honored Contributor

Re: Someone deleted the sysuaf.dat file. Is that logged anywhere?

Steve,


Question: Is the deletion of sysuaf.dat recorded anywhere on the system... assuming default installation settings for accounting and security?


No.

But, if you fear for a repetition any time in the future, you CAN set an alarm ACE on it.

And then I hope it will not be "SYSTEM" who did it, because that will bring you back to square 1.

In that respect, did you really mean
"too many users have system privileges", (a relatively good thing)
or did you mean that many users have access to the SYSTEM account?
In the latter case, all you can do is hope to find out from which terminal/remote connection the faulty action was made, and be able to tie that to one individual.

But really, you should try with all means at your disposal to convince your management that this is an irresponsible risk!
-- but you probably gave them the best argument to the contrary, by demonstrating how quickly you can recover, by a simple restore. :-(

As so often: the technical problems are NOTHING compared to management's complete incompetence ignorance.

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
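The alarm/audit ACE suggested in the replies above, as an added DCL example that is not part of any poster's message. It assumes a suitably privileged account and the default audit journal location; the choice of access types to watch is also an assumption.

```dcl
$! Added example, not from the thread.
$! 1. Add an alarm ACE and an audit ACE for delete and control access,
$!    whether the attempt succeeds or fails.
$ SET SECURITY /ACL=(ALARM=SECURITY,ACCESS=DELETE+CONTROL+SUCCESS+FAILURE) SYS$SYSTEM:SYSUAF.DAT
$ SET SECURITY /ACL=(AUDIT=SECURITY,ACCESS=DELETE+CONTROL+SUCCESS+FAILURE) SYS$SYSTEM:SYSUAF.DAT
$!
$! 2. ACEs only generate events while the ACL event class is enabled.
$ SET AUDIT /ALARM /ENABLE=ACL
$ SET AUDIT /AUDIT /ENABLE=ACL
$ SHOW AUDIT
$!
$! 3. Confirm the ACEs are on the file (DIR/SECURITY shows the same).
$ SHOW SECURITY SYS$SYSTEM:SYSUAF.DAT
$!
$! 4. Alarms are displayed only on terminals enabled as security operators.
$ REPLY /ENABLE=SECURITY
$!
$! 5. After an incident, read the audit journal (default location assumed).
$ ANALYZE /AUDIT /FULL /SINCE=YESTERDAY SYS$MANAGER:SECURITY.AUDIT$JOURNAL
```

The ACEs live on the file itself, so check them again after restoring SYSUAF.DAT from backup.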
labadie_1
Honored Contributor

Re: Someone deleted the sysuaf.dat file. Is that logged anywhere?

I know a site that has long had 8000 accounts with all privileges...

You are not alone :-)
Steve Longenecker
Frequent Advisor

Re: Someone deleted the sysuaf.dat file. Is that logged anywhere?

Thanks, I'll set an alarm ACE for the next time... assuming it works. Believe it or not, every DCL user in the IT department, regardless of position (System Manager, Operator, HelpDesk, Programmer, Application Support, etc.), has a copy of the system account, along with a UIC of [1,4]. The only user account differences from system are username and default directory.
Robert Gezelter
Honored Contributor

Re: Someone deleted the sysuaf.dat file. Is that logged anywhere?

Steve,

Having large numbers of privileged accounts is a problem.

OpenVMS DOES allow many management functions to be performed by users with suitable file access, not full privileges.

At HP WORLD 2004, I gave a presentation on how to manage a large environment (measured in thousands of users), with a minimum of privileged users. The introductory slides for the presentation can be found at http://www.rlgsc.com/hpworld/2004/N227.html .
(My apologies, but the workbook is not publicly available, it represents a half-day seminar).

Suffice it to say, particularly in these days of Sarbanes-Oxley and other accountability regulations, OpenVMS provides mechanisms to manage the system without requiring large numbers of privileged users.

- Bob Gezelter, http://www.rlgsc.com
Contributor, OpenVMS Security, Handbook of Information Security
Steve Longenecker
Frequent Advisor

Re: Someone deleted the sysuaf.dat file. Is that logged anywhere?

You are preaching to the choir... Yes, despite SARBOX and HIPAA (and yes, we are also a hospital), not properly configuring user accounts is a directive from the Director of IT. Even this scare is not enough to change his mind... the rationale being "the hospital has been running VMS for over 20 years and this problem has only occurred once." Oh well, live and learn. I have documented my concerns and will drive on... Thanks.
Steve Longenecker
Frequent Advisor

Re: Someone deleted the sysuaf.dat file. Is that logged anywhere?

Closed...
Ian Miller.
Honored Contributor

Re: Someone deleted the sysuaf.dat file. Is that logged anywhere?

As you are in the USA then you can leverage Sarbanes-Oxley. You have to have individual accountability and minimum privileges to do the job. So that's unique UICs and take away those privs.

Get your corporate auditor interested as they can wield a stick big enough for the management to take note of.

There are other security standards which apply if you have any govt work.

____________________
Purely Personal Opinion
Jan van den Ende
Honored Contributor

Re: Someone deleted the sysuaf.dat file. Is that logged anywhere?

Steve,


has a copy of the system account, along with a UIC of [1,4]. The only user account differences from system are username and default directory


In that case, I would not even like to THINK about what functionality you will break by taking away the privileges,
BUT,
the ONE important thing you CAN, (and should) do with little impact, but much gain, is assigning each user account a unique UIC.
To stay on the safe side wrt breaking things, choose group-UICs .LE. SYSGEN's MAXSYSGROUP, but then at least any activity that leaves a trace will in that trace show WHO did it.

hth

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.