User Privileges

Andrew Moody_1
Regular Advisor

User Privileges

Dear All

I'm new to a VMS cluster, and we are about to have a security audit.

What I'm looking for is a simple way to list users that have a specific privilege. I don't seem to be able to see how to achieve this.

Andrew
A sobering thought: What if, right at this very moment, I am living up to my full potential?
Jan van den Ende
Honored Contributor
Solution

Re: User Privileges

Andrew,

assuming you have no special utilities (like GETUAF, or some security package) at your disposal, one way to do this using only native VMS utilities is
(if SYSUAF logical not defined then $ SET DEFAULT SYS$SYSTEM first)
$ MCR AUTHORIZE LIST *
$ SEARCH SYSUAF.LIS "Username:","<privilege-name>" /OUTPUT=SYS$LOGIN:SYSUAF.PRIV

Any username immediately preceding the listed priv in SYSUAF.PRIV is one sought for.

If you have many non-priv'd users, you can easily EDIT those out of the list.
Mind, in the occasions where a username holds the priv both "Authorized" AND "Default", it will be listed twice under that username.

Note also, that several utilities are available to get the info in one pass, and if this is a regular exercise, it might be rewarding to get one of those. For a one-time inventory, the above will do well enough.

hth

Proost.

Have one on me (maybe in May in Nashua?)

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Ian Miller.
Honored Contributor

Re: User Privileges

I use SCANUAF
ftp://ftp.process.com/vms-freeware/fileserv/scanuaf.zip

This also works
ftp://ftp.process.com/vms-freeware/fileserv/uaf.zip

____________________
Purely Personal Opinion
Martin Vorlaender
Honored Contributor

Re: User Privileges

Jan wrote:

>>>
$ MCR AUTHORIZE LIST *
<<<

Put a /FULL in there to get a verbose listing of all accounts, else you get a list with one line per account and only a privilege group.

HTH,
Martin
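
Added example, not part of the thread or any poster's code: a Python sketch that does the LIST/FULL plus SEARCH pass in one step over a saved SYSUAF.LIS and reports whether each holder has the privilege as Authorized, Default, or both. The embedded listing is a constructed excerpt, and the layout it assumes ("Username:" line, then "Authorized Privileges:" / "Default Privileges:" headers followed by indented privilege names) should be checked against your own listing.

```python
import re

# Constructed excerpt in the assumed layout of an AUTHORIZE LIST/FULL
# listing (SYSUAF.LIS); a real listing has more fields per account.
SAMPLE_LISTING = """\
Username: SYSTEM                           Owner:  SYSTEM MANAGER
Account:  SYSTEM                           UIC:    [1,4] ([SYSTEM])
Authorized Privileges:
  BYPASS       CMKRNL       NETMBX       SYSPRV       TMPMBX
Default Privileges:
  BYPASS       CMKRNL       NETMBX       SYSPRV       TMPMBX

Username: OPER1                            Owner:  CONSTRUCTED OPERATOR
Account:  OPS                              UIC:    [200,1] ([OPS,OPER1])
Authorized Privileges:
  NETMBX       OPER         SYSPRV       TMPMBX
Default Privileges:
  NETMBX       TMPMBX

Username: CLERK                            Owner:  CONSTRUCTED USER
Account:  USERS                            UIC:    [300,7] ([USERS,CLERK])
Authorized Privileges:
  NETMBX       TMPMBX
Default Privileges:
  NETMBX       TMPMBX
"""

def parse_privileges(listing):
    """Return {username: {"authorized": set, "default": set}}."""
    users, user, section = {}, None, None
    for line in listing.splitlines():
        m = re.match(r"Username:\s+(\S+)", line)
        if m:
            user, section = m.group(1), None
            users[user] = {"authorized": set(), "default": set()}
        elif line.startswith("Authorized Privileges:"):
            section = "authorized"
        elif line.startswith("Default Privileges:"):
            section = "default"
        elif user and section and line.startswith(" ") and line.strip():
            users[user][section].update(line.split())
        else:
            section = None  # any other line ends a privilege block
    return users

def holders(listing, privilege):
    """Map each user holding `privilege` to the sets it appears in."""
    want = privilege.upper()  # whole-token match, so OPER never matches OPER1
    return {u: sorted(k for k, v in p.items() if want in v)
            for u, p in parse_privileges(listing).items()
            if any(want in v for v in p.values())}

if __name__ == "__main__":
    for name, where in holders(SAMPLE_LISTING, "SYSPRV").items():
        print(f"{name:12} {', '.join(where)}")
```

An account such as OPER1 above, with a privilege Authorized but not Default, is reported once with only "authorized", which is the distinction the twice-listed SEARCH output leaves to the reader.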
Robert Gezelter
Honored Contributor

Re: User Privileges

Andrew,

I concur. If the auditor is familiar with OpenVMS, he will be most comfortable with the standard listing from AUTHORIZE (do not be surprised if he wants to witness it or run it himself).

As preparation for the audit, consider the fact that large numbers of privileged users are a "Red Flag" on a security audit. Be prepared to provide an explanation of each privileged user and their privileges; it will demonstrate that you are alert to the issues.

Consider reducing the number of privileged accounts. I have had great success limiting the number of privileged users at my client's installations, and it makes security (and other) audits far simpler. See my presentation from HPWORLD 2004 at http://www.rlgsc.com/hpworld/2004/N227.html and my "OpenVMS Security" chapter in the Handbook of Information Security, abstract and brochure at http://www.rlgsc.com/hinfosec/hinfosec.html

I hope that the above is helpful.

- Bob Gezelter, http://www.rlgsc.com
Andrew Moody_1
Regular Advisor

Re: User Privileges


Cheers Guys

Just really digging around at the moment. I'm jointly responsible for HP-UX and OpenVMS environments and I'm much more familiar (by a matter of months) with the UX stuff.

I've found the information I was looking for thanks to your help so I'm closing the thread.

Andrew
A sobering thought: What if, right at this very moment, I am living up to my full potential?
Andrew Moody_1
Regular Advisor

Re: User Privileges

closed
A sobering thought: What if, right at this very moment, I am living up to my full potential?
Phil.Howell
Honored Contributor

Re: User Privileges

If you want a similar tool for both unix and vms environments then have a look at the vms_check tool
Phil
http://h71000.www7.hp.com/openvms/journal/v7/vms_check_tool.html