- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - OpenVMS
- >
- Re: lgi_brk_disuser seems to be not working
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-10-2006 10:41 PM
тАО08-10-2006 10:41 PM
I have changed LGI_BRK_DISUSER to 1 by:
mc sysman param set lgi_brk_disuser 1
mc sysman param write active
The value of LGI_BRK_LIM is 5. However, after I enter six wrong passwords for a specific user, it does not be a DISUSER. Instead, it becomes an INTRUDER (by show intrusion) for a duration of LGI_HID_TIM * a nondeterministic number between 1 and 1.5.
What can be the reason for that?
BR...
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-10-2006 11:00 PM
тАО08-10-2006 11:00 PM
Re: lgi_brk_disuser seems to be not working
it worked for me as expected on OpenVMS Alpha F8.3.
Consider to use REPLY/ENABLE=SECURITY to watch the OPCOM messages during your test.
Also re-check the parameters:
$ MC SYSGEN
SYSGEN> USE ACTIVE
SYSGEN> SHOW/LGI
Volker.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-10-2006 11:00 PM
тАО08-10-2006 11:00 PM
Re: lgi_brk_disuser seems to be not working
LGI_BRK_LIM defines how many times a user can try to login until something happens.
I think you should also set the SYSGEN parameter LGI_BRK_DISUSER to 1, that a user account will be set to disuser after LGI_BRK_LIM failed logins.
Regards
Heinz
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-10-2006 11:04 PM
тАО08-10-2006 11:04 PM
SolutionI believe the problem is here:
mc sysman param set lgi_brk_disuser 1
mc sysman param write active
Once you exit SYSMAN the temporary parameter values are lost. You need to do this:
$ MC SYSMAN
SYSMAN> PARAM USE ACTIVE
SYSMAN> PARAM SET LGI_BRK_DISUSER 1
SYSMAN> PARAM WRITE ACTIVE
SYSMAN> EXIT
Then it will work.
Volker.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-10-2006 11:09 PM
тАО08-10-2006 11:09 PM
Re: lgi_brk_disuser seems to be not working
From the help file
"LGI_BRK_DISUSER turns on the DISUSER flag in the UAF record when an attempted break-in is detected, thus permanently locking out that account. The parameter is off (0) by default. You should set the parameter (1) only under extreme security watch conditions, because it results in severely restricted user service. "
Purely Personal Opinion
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-10-2006 11:16 PM
тАО08-10-2006 11:16 PM
Re: lgi_brk_disuser seems to be not working
I must agree with Ian. This imposes very tight security on a global basis. The downside of this is that it can lock large numbers of accounts very, very quickly. This will require each and every account to be unlocked manually, a manpower intensive process.
I have seen auditors insist on such severe measures. I recommend that you get such an instruction in writing, because the resulting workload can create problems on a variety of fronts.
- Bob Gezelter, http://www.rlgsc.com
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-11-2006 12:42 AM
тАО08-11-2006 12:42 AM
Re: lgi_brk_disuser seems to be not working
Purely Personal Opinion
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-11-2006 01:00 AM
тАО08-11-2006 01:00 AM
Re: lgi_brk_disuser seems to be not working
The way you've suggested worked.
I want to set this variable on, since, as you have guessed, COBIT auditors want this like that. I know the possibility of DoS attack and admin-power required, but is it possible to convince them with those reasons? is there anybody?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-11-2006 01:07 AM
тАО08-11-2006 01:07 AM
Re: lgi_brk_disuser seems to be not working
I assume you have pointed at the recommendation not to use this from hp (its in the help and I guess its in the docs somewhere)
Purely Personal Opinion
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-11-2006 01:27 AM
тАО08-11-2006 01:27 AM
Re: lgi_brk_disuser seems to be not working
make really sure, that you (and all other system managers) known the current SYSTEM account password and the physical location and correct operation of your console terminal (OPA0:). Because this will be the ONLY way to get access to your system, once all privileged accounts have been disusered...
Volker.