HPE Community
Operating System - OpenVMS
1820645 Members
1999 Online
109626 Solutions
New Discussion юеВ

TCPIP command line question

 
SOLVED
Go to solution
Jorge Cocomess
Super Advisor

тАО09-24-2006 10:35 AM

тАО09-24-2006 10:35 AM

TCPIP command line question

Hi,

Currently, with some users that has more than standard VMS privs and know their way around VMS. I am trying to maintain a trouble free environment or just get a handle by keeping non VMS system personel from playing with the TCPIP, such as adding to routes, etc. I am currently running VMS 7.3-2 and I would like to know how I can make it more difficult for a non system personel to access TCPIP protocol? I'd at least a long command string before they can access the TCPIP prompt.

Is there anything I can do since the previous System Manager created these simple access privs for all these people and thought them way too much before he left the company??

Please help!!

Jorge
0 Kudos
Reply
10 REPLIES 10
Heinz W Genhart
Honored Contributor

тАО09-24-2006 06:24 PM

тАО09-24-2006 06:24 PM

Solution

Re: TCPIP command line question

Hi Jorge

You could simple set a ACL to the TCPIP Control Programms, like TCPIP$UCP or TCPIP$IFCONFIG (all TCPIP exe files in Sys$system). With the acl you can arrange, that only user System and other well selected users can execute those programms.

Regards

Heinz
Reply
Ian Miller.
Honored Contributor

тАО09-24-2006 08:41 PM

тАО09-24-2006 08:41 PM

Re: TCPIP command line question

ACLs will work unless the lUsers in question have BYPASS priv. You can ensure use of BYPASS to access something is recorded in the VMS audit log (to be used as evidence in the witchhunt that takes place after a major outage).

Managing privs is a people problem not a really a technical problem. Can you find some excuse for reviewing (downgrading) their privs?
____________________
Purely Personal Opinion
Reply
Jorge Cocomess
Super Advisor

тАО09-25-2006 12:37 AM

тАО09-25-2006 12:37 AM

Re: TCPIP command line question

As of now, I would look into the ACL option. I will also set an audit log on their user's account for audit trail, this should be good enough reason to down grade their privs.

Does any know how I can set the ACL parameter on the TCIP services?

Thanks much!

Jorge
0 Kudos
Reply
Ian Miller.
Honored Contributor

тАО09-25-2006 12:57 AM

тАО09-25-2006 12:57 AM

Re: TCPIP command line question

first add a id to use in the ACLs
$ MCR AUTHORIZE ADD/ID TCPIP_MANAGE

then add the ACL e.g.
$ set security/acl=((id=tcpip_manage,access=r+e),(id=[*,*],access=none)) sys$system:tcpip$ucp.exe

Add also to TCPIP$IFCONFIG.EXE and TCPIP$SYSCONFIG.EXE

Grant the identifier to appropriate people

$ MCR AUTHORIZE GRANT/ID TCPIP_MANAGE SYSTEM
$ MCR AUTHORIZE GRANT/ID TCPIP_MANAGE trusteduser

etc

ensure use of BYPASS gets recorded
$ SET AUDIT/AUDIT/ENABLE=(ACCESS=EXECUTE+BYPASS)
____________________
Purely Personal Opinion
Reply
Jan van den Ende
Honored Contributor

тАО09-25-2006 07:04 AM

тАО09-25-2006 07:04 AM

Re: TCPIP command line question

Jorge, Ian,

I am not convinced that monitoring of BYPASS is enough.
I would suggest that any mention of BYPASS in Ian's solutions entails SYSPRV as well.

Just my EUR 0.02

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Reply
Jan van den Ende
Honored Contributor

тАО09-25-2006 07:09 AM

тАО09-25-2006 07:09 AM

Re: TCPIP command line question

Sorry, just an afterthought (that is, after hitting Submit).

This may or may not apply:
What are the group-UICs of the potentially malignant users?
Should they be within MAXSYSGROUP, consider changing their UICs, or, if they are not as low as 1, maybe lower MAXSYSGROUP sufficiently.

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Reply
Ian Miller.
Honored Contributor

тАО09-25-2006 08:59 PM

тАО09-25-2006 08:59 PM

Re: TCPIP command line question

Jan, yes parhaps this would be better
$ SET AUDIT/AUDIT/ENABLE=(ACCESS=EXECUTE+SUCCESS+BYPASS+SYSPRV+GRPPRV)

essentially this is about collecting enough evidence to be allowed to remove privileges from some people.
____________________
Purely Personal Opinion
Reply
Wim Van den Wyngaert
Honored Contributor

тАО09-26-2006 12:12 AM

тАО09-26-2006 12:12 AM

Re: TCPIP command line question

But if they are clever they might copy an unprotected exe to the system (e.g. downloaded from the internet or from another VMS system).

Or they can stop audit and restart it after they are finished.

Or simply create a new version instead of modifiying the config file.

Also tcpip$etc:syscconfigtab.dat should be protected (config of tcp params). Never understood why it has its own place (instead of in tcpip$configuration).

Wim
Wim
Reply
Ian Miller.
Honored Contributor

тАО09-26-2006 01:28 AM

тАО09-26-2006 01:28 AM

Re: TCPIP command line question

a audit ACL on tcpip$etc:syscconfigtab.dat would be appropriate (along with the usual ones on OPERATOR.LOG etc). Stopping and starting auditing is recorded.
____________________
Purely Personal Opinion
Reply
Jorge Cocomess
Super Advisor

тАО09-26-2006 01:46 AM

тАО09-26-2006 01:46 AM

Re: TCPIP command line question

Good morning!

As of now, you guys are going way over my head with all these good ideas. Without making any mistakes or ???, I am auditing their login so that I can have enough evidence to remove their privileges. Worst of all, these folks are within the IS dept but never been a systems, systems person.

Please don't get me wrong, but these ideas are great and please keep it coming.

Have a great day!

Jorge
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.