
Re: Disabling the system account

 
Julian Mathews_1
New Member

Disabling the system account

Hi,

I have to prove to auditors that disabling the system account on a VMS server is a bad idea.

Can anybody provide me with a "silver bullet" explanation as to why this is?

I'm assuming from my limited understanding of process creation that it's because the process owner's UIC is checked during loginout and if it's disusered then the process won't run.

I'm sure this would wreck the boot process pretty comprehensively.

I'd also appreciate if anyone knows for sure that a server with system a/c disabled is not supported by HP.

Many thanks,
Julian
abrsvc
Respected Contributor

Re: Disabling the system account

Julian, You are not going to get an official statement listed here. This is not an official gateway. Seek any official statements from HP sales or support directly.

In regards to the system account, I am not aware of any documentation that would specifically state that the system would fail. Experience tells me that if disusered, there would be problems. Rather than proving a negative like this, why not determine the issue being investigated? I have dealt with many regulators and auditors about similar things.

Contact me directly via email as this type of issue is best not discussed in a public forum. I can either help directly or direct you to others with more relevant info.

Dan

dansabrservices AT yahoo DOT com
Steven Schweda
Honored Contributor

Re: Disabling the system account

> I have to prove [...]

In some well-run organizations, the people
who claim to have been abducted by aliens are
expected to provide some evidence to back up
their claims, and the sane people are not
required to prove them wrong.

Personally, I'd be tempted to say, "Ok.
You're the experts. Let's do that." And
then run the experiment. If the abductees
are right, then we'll all learn something
valuable. If they're, let's say, misguided,
then we'll all learn something else, which
would also be valuable. (And which might
also provide lasting relief from similar
future advice from that source.)

> [...] supported by HP.

Only HP can tell you that with any authority,
and I'd expect them not to maintain what
would need to be a very long list of every
possible stupid thing which a customer might
wish to do. If I were HP, I'd save myself
some effort, and advise against it, but I
wouldn't be prepared to guarantee that it
would cause a failure, or that it would work.

> I'm sure this would wreck [...]

Write it down, seal it in an envelope, and
hand it to the super-genius[*] in charge
before running the experiment.


[*] Like, say, Wile E. Coyote.
Jan van den Ende
Honored Contributor

Re: Disabling the system account

Julian,

WE had a similar request, AND a test system.
So we tried on the test system.
All kinds of things "went bad" during reboot, and it was not even trivial to get into the system to re-enable SYSTEM.

If you are going to experiment, make REAL SURE you have IN WRITING who is responsible, and who is backing the experiment, and that YOU advised STRONGLY against it.

But hey, if anyone wants the jump down a cliff, there is no way of stopping him/her, just make sure you are NOT tied together...

Good luck,

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Steven Schweda
Honored Contributor

Re: Disabling the system account

> But hey, if anyone wants the jump down a
> cliff, [...]

Or, the Mark Twain analogue:

http://www.twainquotes.com/Cats.html

...the person that had took a bull by the
tail once had learnt sixty or seventy times
as much as a person that hadn't, and said a
person that started in to carry a cat home by
the tail was getting knowledge that was
always going to be useful to him, and warn't
ever going to grow dim or doubtful.


My dim recollection of one of Hal Holbrook's
"Mark Twain Tonight" recordings includes,
"... but if a man wants to carry a cat home
by the tail, I say, 'Let him.'"
Craig A
Valued Contributor

Re: Disabling the system account

If you have a console connection, why not agree a compromise?

You will keep batch access enabled but remove local, remote and dialup. (I'm not so sure about network access, TBH)

I understand the SYSTEM account can always login to OPA0: if the password is correct (hence the console connection requirement)

HTH

Craig
Jan van den Ende
Honored Contributor

Re: Disabling the system account

@Craig:

>>>
I understand the SYSTEM account can always login to OPA0:
<<<
Well, my experiment was (IIRC) in the V5 timeframe, so may be outdated, but NO.
You better do NOT disable it in your SYSUAFALT (or refrain from ever creating one), so you can boot conversational and set UAFALTERNATE.

btw Julian: WELCOME to the VMS forum!!!

Proost.

Have one on me.

jpe



Don't rust yours pelled jacker to fine doll missed aches.
Robert Gezelter
Honored Contributor

Re: Disabling the system account

Julian,

I would definitely recommend not to try this on a production system. It might be a good use of one of the virtual Alpha systems as a sacrificial animal of choice.

Many things expect SYSTEM to be a usable username. I don't think I have ever had Jan's experience, but most cases that I have seen in the wild involve lost passwords, not disabled accounts (I would expect the "trick" of conversationally booting with the startup set to OPA0: to work, however there may well be challenges to get the rest of the STARTUP to work -- good idea to back up SYSUAF before trying to make it easier to restore).

As an alternative, consider setting the password to something weird, and sealing the password in an envelope placed in the CFO's vault. Then, add automatic emails from the LOGIN.COM that announce that the account was used.

Your mileage will vary. I will be happy to clarify. I have assisted clients with a variety of security-related audits; interesting issues often arise.

- Bob Gezelter, http://www.rlgsc.com
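An added DCL sketch, not part of any post in this thread, of the two alternatives to DISUSER proposed above: Craig's access restriction (leave batch, remove local, remote and dialup) and Bob's LOGIN.COM notification, with a copy of SYSUAF taken first. The procedure name, the saved-file name and the mail recipient SECURITY_OFFICER are placeholders, limiting the mail to interactive logins is an assumption, and the console-login behaviour this relies on is disputed earlier in the thread.

```dcl
$! RESTRICT_SYSTEM.COM (hypothetical name): added example, not from the thread.
$! Run from a privileged account, on a test system first.
$!
$! 1. Keep a copy of the authorization file before changing it.
$!    CONVERT/SHARE can read the file while the system has it open.
$ uaf = F$TRNLNM("SYSUAF")
$ IF uaf .EQS. "" THEN uaf = "SYS$SYSTEM:SYSUAF.DAT"
$ CONVERT/SHARE 'uaf' SYS$MANAGER:SYSUAF_BEFORE_CHANGE.DAT
$!
$! 2. Leave SYSTEM enabled (no DISUSER) and leave batch access alone.
$!    Remove local, remote and dialup access only; network access is
$!    left unchanged.
$ saved_default = F$ENVIRONMENT("DEFAULT")
$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
MODIFY SYSTEM /NOLOCAL /NOREMOTE /NODIALUP
SHOW SYSTEM /FULL
EXIT
$ SET DEFAULT 'saved_default'
$ EXIT
$!
$! ---- Lines to add to the SYSTEM account's LOGIN.COM ----
$! Mail a notice whenever SYSTEM is used interactively (assumption:
$! batch and network processes are not reported, to avoid a flood).
$ IF F$MODE() .EQS. "INTERACTIVE"
$ THEN
$   node = F$GETSYI("NODENAME")
$   term = F$GETJPI("","TERMINAL")
$   when = F$TIME()
$   subj = "SYSTEM login on ''node' from ''term' at ''when'"
$   MAIL/SUBJECT="''subj'" NL: SECURITY_OFFICER
$ ENDIF
```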
Peter Zeiszler
Trusted Contributor

Re: Disabling the system account

Hi,

We had this happen to a system when someone attempted to experiment on our security. System started having problems, batch jobs quit working, unable to login, etc and the local admin's first solution was to "reboot" which took a very dark turn. I think our recovery included booting to the CD, mounting the disk and fixing things.

What is the Auditor really wanting to accomplish besides making your job tougher?

If you do this - try to keep a bootable backup disk in case you really have to recover from worst case scenario. Please let us know if you do and what exactly happened and recovery. Always curious to learn from others.
abrsvc
Respected Contributor

Re: Disabling the system account

Many of the "prove this" types of scenarios come from people that don't understand the environment. Once they see how the system works and what security is in place, usually the questions stop.

Dan