Operating System - OpenVMS
cancel
Showing results for 
Search instead for 
Did you mean: 

lgi_brk_disuser seems to be not working

SOLVED
Go to solution
mustafa_12
Frequent Advisor

lgi_brk_disuser seems to be not working

Hello,

I have changed LGI_BRK_DISUSER to 1 by:

mc sysman param set lgi_brk_disuser 1
mc sysman param write active

The value of LGI_BRK_LIM is 5. However, after I enter six wrong passwords for a specific user, it does not be a DISUSER. Instead, it becomes an INTRUDER (by show intrusion) for a duration of LGI_HID_TIM * a nondeterministic number between 1 and 1.5.

What can be the reason for that?

BR...
14 REPLIES
Volker Halle
Honored Contributor

Re: lgi_brk_disuser seems to be not working

Mustafa,

it worked for me as expected on OpenVMS Alpha F8.3.

Consider to use REPLY/ENABLE=SECURITY to watch the OPCOM messages during your test.

Also re-check the parameters:

$ MC SYSGEN
SYSGEN> USE ACTIVE
SYSGEN> SHOW/LGI

Volker.
Heinz W Genhart
Honored Contributor

Re: lgi_brk_disuser seems to be not working

Hi Mustafa

LGI_BRK_LIM defines how many times a user can try to login until something happens.

I think you should also set the SYSGEN parameter LGI_BRK_DISUSER to 1, that a user account will be set to disuser after LGI_BRK_LIM failed logins.


Regards

Heinz
Volker Halle
Honored Contributor
Solution

Re: lgi_brk_disuser seems to be not working

Mustafa,

I believe the problem is here:

mc sysman param set lgi_brk_disuser 1
mc sysman param write active

Once you exit SYSMAN the temporary parameter values are lost. You need to do this:

$ MC SYSMAN
SYSMAN> PARAM USE ACTIVE
SYSMAN> PARAM SET LGI_BRK_DISUSER 1
SYSMAN> PARAM WRITE ACTIVE
SYSMAN> EXIT

Then it will work.

Volker.
Ian Miller.
Honored Contributor

Re: lgi_brk_disuser seems to be not working

I think Volker has the solution. However why do you want to set LGI_BRK_DISUSER to 1. It's not recommended and causes all sorts of fun.

From the help file
"LGI_BRK_DISUSER turns on the DISUSER flag in the UAF record when an attempted break-in is detected, thus permanently locking out that account. The parameter is off (0) by default. You should set the parameter (1) only under extreme security watch conditions, because it results in severely restricted user service. "
____________________
Purely Personal Opinion
Robert Gezelter
Honored Contributor

Re: lgi_brk_disuser seems to be not working

Mustafa,

I must agree with Ian. This imposes very tight security on a global basis. The downside of this is that it can lock large numbers of accounts very, very quickly. This will require each and every account to be unlocked manually, a manpower intensive process.

I have seen auditors insist on such severe measures. I recommend that you get such an instruction in writing, because the resulting workload can create problems on a variety of fronts.

- Bob Gezelter, http://www.rlgsc.com
Ian Miller.
Honored Contributor

Re: lgi_brk_disuser seems to be not working

Another reason is the potential for a DOS attack. Attempt to login using other peoples usernames and get their usernames disabled.
____________________
Purely Personal Opinion
mustafa_12
Frequent Advisor

Re: lgi_brk_disuser seems to be not working

Thanks Volker,

The way you've suggested worked.

I want to set this variable on, since, as you have guessed, COBIT auditors want this like that. I know the possibility of DoS attack and admin-power required, but is it possible to convince them with those reasons? is there anybody?
Ian Miller.
Honored Contributor

Re: lgi_brk_disuser seems to be not working

Record the additional work distruption (and therefore cost) inccured and report this to management.
I assume you have pointed at the recommendation not to use this from hp (its in the help and I guess its in the docs somewhere)
____________________
Purely Personal Opinion
Volker Halle
Honored Contributor

Re: lgi_brk_disuser seems to be not working

Mustafa,

make really sure, that you (and all other system managers) known the current SYSTEM account password and the physical location and correct operation of your console terminal (OPA0:). Because this will be the ONLY way to get access to your system, once all privileged accounts have been disusered...

Volker.
Jan van den Ende
Honored Contributor

Re: lgi_brk_disuser seems to be not working

Mustafa,

please follow Volkers last advise.

I can already forsee one of your (our your successor's) next questions:
"ALL of our accounts with SYSPRV have been blocked by too many tries. How can we still get into the system?"

It is a REAL danger. And it will not happen now, but probably some months, or years from now.
Maybe after you have left this site. In that case it will ruin your reputation!

Better convince the auditors of the risk. You may show them this thread, if they wish you to substantiate your arguments.

hth

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Robert Gezelter
Honored Contributor

Re: lgi_brk_disuser seems to be not working

mustafa,

I must return Jan's compliment from the other day (in a different thread).

His advice is VERY sound. I often recommend going one step further: creating an emergency access account, whose username/password combination is stored in A SEALED ENVELOPE with other important corporate papers under control of the CFO.

Being completely locked out of the system is a serious problem, particularly when there is no option of rebooting the node in a standalone mode from the console to reset the password.

- Bob Gezelter, http://www.rlgsc.com
Wim Van den Wyngaert
Honored Contributor

Re: lgi_brk_disuser seems to be not working

Attempts to use decnet objects that have no listener active and that don't start one either can lead to intrusions. So, if you enable this LGI_BRK_LIM you might get into problems (user locked out and service not working when it get started).

Do know what exactly is done in the code but we do have that problem in server to server communications.

Wim
Wim
Wim Van den Wyngaert
Honored Contributor

Re: lgi_brk_disuser seems to be not working

Make that LGI_BRK_DISUSER of course.

Wim
Wim
mustafa_12
Frequent Advisor

Re: lgi_brk_disuser seems to be not working

LGI_BRK_DISUSER is 0 now and I will try to convince them using these posts.