Operating System - OpenVMS

Davor_7
Regular Advisor

how to find the users who have high privilege

For example, there are 100 users; some are OPER, some are SYSTEM, and some are others...
Some are in the same UIC group and some are different.

I want to display all users who only have OPER privilege. How do I handle this?
Bojan Nemec
Honored Contributor

Re: how to find the users who have high privilege

Davor,

I don't know any elegant solution. The fastest is to do:

$ run authorize
UAF> list/full
UAF> exit
$ edit sysuaf.lis

and use editor to find OPER.
The second is:

UAF> show * /page/search=OPER

And scroll the whole listing. Lines with the OPER string are highlighted.

The first solution is faster and more practical to use.

Bojan
Uwe Zessin
Honored Contributor

Re: how to find the users who have high privilege

Most likely there are some utilities out there, but it can be done with a little manual work, too. For example:

AUTHORIZE> list/full

$ search SYSUAF.LIS "username:","oper"

It will find all usernames and below each username you will see if there is any string "OPER". I admit that is rather primitive, but sometimes it is not possible to find a tool or install it on a system and I believe that's better than going over the full list.


For UIC groups you can try this:
AUTHORIZE> show /brief [123,*]
.
Uwe Zessin
Honored Contributor

Re: how to find the users who have high privilege

Hm, of course the prompt is "UAF>".
I should have used a larger cup of coffee this morning...
.
Karl Rohwedder
Honored Contributor

Re: how to find the users who have high privilege

I use a little utility SCANUAF for these things:

SAP01_Rohwedder. scanuaf
SCANUAF> priv=oper

===========
Node: LOCAL
===========
Username: xxxxxxxx
Username: xxxxxxxx
Username: DIA$MANAGER
Username: ROHWEDDER
Username: SYSTEM
Username: VET$SERVER
--------------------------------
Records: 132 Matches: 6
--------------------------------

You should find SCANUAF on Hunter Goatley's
fileserv.

regards Kalle
Joseph Huber_1
Honored Contributor

Re: how to find the users who have high privilege

Just to see if somebody has elevated privileges, do
authorize show */brief
and look in the privs column.
You see there normal, devour, system, all.
OPER in the priv list raises to SYSTEM.
For a single user, there is the freeware utility GETUAI (I think in the process.com archive), which lets you get the privilege list like
GETUAI user /priv=privsym/defpriv=defsym
into DCL symbols.
To get a list of all users, create a userlist using AUTHORIZE/LIST/BRIEF * , and loop over the list with GETUAI.
http://www.mpp.mpg.de/~huber
Davor_7
Regular Advisor

Re: how to find the users who have high privilege

Hi Kalle

could you give me the address for "Hunter Goatley's file server"?

or could you send this tool to me ?
Karl Rohwedder
Honored Contributor
Solution

Re: how to find the users who have high privilege

It's here:
http://vms.process.com/scripts/fileserv/fileserv.com?SCANUAF


Since the original version is quite, I have added some new flags. I attach my version to this reply. It is written in FORTRAN.

regards Kalle
Davor_7
Regular Advisor

Re: how to find the users who have high privilege

thanks Kalle

but I do not know how to use it~
I'm a new system manager, I do not even know how to install software on VMS :p
Karl Rohwedder
Honored Contributor

Re: how to find the users who have high privilege

Davor,

I just noticed, that the version is rather old (2000) and misses some of the new flags, so I just added them (PDMIX,VMSAUTH e.g.) and created a new version (see attached).

There is a userguide and releasenotes available, as well as a HELP module for a helplibrary.

You must create a nodelist (template in kit), which tells SCANUAF where to find the SYSUAF files for different nodes (yes: scanuaf works network wide).

Besides addition to new flags, I moved the nodeslist and helpfile to a specific directory (CNC_MANAGER), but you can either define a logical name or change the source accordingly.

regards Kalle
Davor_7
Regular Advisor

Re: how to find the users who have high privilege

hehe~ that's too complex for a new kisser...

thank you all the same. :)
Ian Miller.
Honored Contributor

Re: how to find the users who have high privilege

Carl, perhaps you can submit your modified version to the fileserv archive, and new/updated freeware is always wanted for the VMS freeware CDs.

I sometimes use
http://vms.process.com/scripts/fileserv/fileserv.com?uaf
for this sort of thing

$ UAF :== $dev:[dir]UAF.EXE
$ UAF/SELECT=(PRIV=CLASS=ALL,DEFPRIV=CLASS=ALL) /DISPLAY=(USERNAME,PRIV,DEFPRIV)

will list all the users with privs in the All class. For information on privilege classes see the Security Manual.

To list all users with OPER
UAF/SELECT=(PRIV=OPER,DEFPRIV=OPER) /DISPLAY=(USERNAME)
____________________
Purely Personal Opinion
comarow
Trusted Contributor

Re: how to find the users who have high privilege

There is an excellent third party tool called Point Secure which will provide this information as well as check file protections and all sorts of security related information. We recommend its use at Colorado Springs for security sensitive sites. It runs on the PC and reads your VMS systems.

Bob C
Davor_7
Regular Advisor

Re: how to find the users who have high privilege

Hi Bob
you mean that this tool can be run on Windows and read data from VMS??
Hein van den Heuvel
Honored Contributor

Re: how to find the users who have high privilege



Those tools are good.

If you have (g)awk or perl installed you can do something like:

$mcr authorize list/full
$ gawk "/^User/{u=$2} / Priv/{p=$1} / OPER /{print u,p}" sysuaf.lis

or

$ perl -ne "($a,$b)=split; $u=$b if /^Use/; $p=$a if /\sPriv/; print ""$u $p\n"" if /\sOPER/" sysuaf.lis

Or with a DCL loop working directly on the source (SYSUAF.DAT) exploiting the following info:

$ pipe libr/ext=$uafdef/out=sys$output sys$library:lib.mlb | searc sys$pipe q_priv
$EQU UAF$Q_PRIV 412
$ pipe libr/ext=$prvdef/out=sys$output sys$library:starlet.mlb | search sys$pipe v_oper
$EQU PRV$V_OPER 18

---- uaf_oper.com ---

$open /read /share uaf 'f$parse("SYSUAF","SYS$SYSTEM:.DAT",,,"SYNTAX_ONLY")
$loop:
$ read/end=done uaf rec
$ if f$cvsi(412*8+18,1,rec) then write sys$output f$extr(0,12,rec)
$ goto loop
$done:
$close uaf


fwiw,
Hein.
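
An added example, not part of the original thread: an offline Python check over a copy of SYSUAF.LIS that reports, per account, whether OPER is held as an authorized or a default privilege, and shows why a plain substring search over-reports. It assumes the listing layout implied by the gawk one-liner above ("Username:" at the start of each record, "Authorized Privileges:" and "Default Privileges:" headings followed by lines of privilege names); the sample listing and the function names are constructed for illustration.

```python
import re

# Constructed sample in the layout of AUTHORIZE LIST/FULL output (no real accounts).
SAMPLE_LIS = """\
Username: OPERATOR                         Owner:  NIGHT OPERATOR
Account:  OPS                              UIC:    [300,1] ([OPS,OPERATOR])
Authorized Privileges:
  NETMBX       TMPMBX
Default Privileges:
  NETMBX       TMPMBX

Username: BACKUP_SVC                       Owner:  Backup service
Authorized Privileges:
  NETMBX       OPER         TMPMBX
Default Privileges:
  NETMBX       TMPMBX

Username: SYSTEM                           Owner:  SYSTEM MANAGER
Authorized Privileges:
  CMKRNL       OPER         SYSPRV
Default Privileges:
  CMKRNL       OPER         SYSPRV
"""

USER = re.compile(r"^Username:\s+(\S+)")
SECTION = re.compile(r"^(Authorized|Default) Privileges:\s*$")
PRIV_LINE = re.compile(r"^\s*[A-Z][A-Z0-9_$]*(\s+[A-Z][A-Z0-9_$]*)*\s*$")

def users_with_priv(listing, priv="OPER"):
    """Map username -> privilege sections ('Authorized', 'Default') that list priv."""
    hits, user, section = {}, None, None
    for line in listing.splitlines():
        if (m := USER.match(line)):
            user, section = m.group(1), None           # start of a new record
        elif (m := SECTION.match(line)):
            section = m.group(1)                        # privilege names follow
        elif user and section and PRIV_LINE.match(line):
            if priv.upper() in line.split():            # whole token, not substring
                hits.setdefault(user, []).append(section)
        else:
            section = None                              # blank or other field ends the list
    return hits

def substring_matches(listing, text="oper"):
    """Usernames of records containing text anywhere, as a plain text search flags them."""
    records = re.split(r"(?m)^(?=Username:)", listing)
    return [USER.match(r).group(1) for r in records if r and text.lower() in r.lower()]
```

On the constructed sample the substring search also flags the account named OPERATOR, which holds no OPER privilege, while the token match reports only BACKUP_SVC (authorized only) and SYSTEM (authorized and default).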
Wim Van den Wyngaert
Honored Contributor

Re: how to find the users who have high privilege

This .com does it. Just cut and paste it into test.com and execute it with @.

But there are other ways to get OPER. SETPRV for example.

Wim
Wim
Robert_Boyd
Respected Contributor

Re: how to find the users who have high privilege

On post V7 systems you can do this:

$ pipe mcr authorize show */brief | search sys$input: all,system,oper /output=privileged_users.lis

Robert

Master you were right about 1 thing -- the negotiations were SHORT!
Jan van den Ende
Honored Contributor

Re: how to find the users who have high privilege

Hein,

care to elaborate on your EQU command?
AFAIK it is not standard DCL....


Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Uwe Zessin
Honored Contributor

Re: how to find the users who have high privilege

Jan,

>$EQU UAF$Q_PRIV 412

That is not a DCL command ;-)

It's one line in module ($uafdef) in Macro library (sys$library:lib.mlb) extracted by this command:

$ pipe libr/ext=$uafdef/out=sys$output sys$library:lib.mlb | searc sys$pipe q_priv
.
comarow
Trusted Contributor

Re: how to find the users who have high privilege

Sep 19, 2005 00:11:53 GMT N/A: Question Author

--------------------------------------------------------------------------------
Hi Bob
you mean that this tool can be run on Windows and read data from VMS??



Exactly. It is a super monitor and alerts in red problems and can fix many conditions. For example, it can fix quorum issues. It warns of memory-tight situations and many problems. Because it has power, it must be on the same LAN as the system.

We are set up to do the analysis for you for a reasonable fee as well.

It also checks file protections and all sorts of goodies. It has a companion software, System Detective that sets up rules on your VMS system.

send mail to robert.comarow@hp.com for more specifics.

I'm impressed.

Ian Miller.
Honored Contributor

Re: how to find the users who have high privilege