|
HP OpenVMS Systemsask the wizard |
|
The Question is: Hi, I am currently working assist a client to secure their openVMS v6.2 and have recommended that the following files be secured in the following manner Files Protection Masks AUTHORISE.EXE S:RWED, O:RWED, G:,W: DCL.EXE;1 S:RWED, O:RWED, G:,W: INSTALL.EXE;1 S:RWED, O:RWED, G:,W: INIT.EXE;1 S:RWED, O:RWED, G:,W: STARTUP.COM;1 S:RWED, O:RWED, G:, W: SYSGEN.EXE;1 S:RWED, O:RWED, G:, W: My question are: 1. would you recommend such a setting for these system files and; 2. would these settings result in the users having difficulties signing on to the system. Thanks for your assistance on the matter. Best Regards. system and is this The Answer is : The recommended protection settings are those in the documentation set. Altering the protection settings on OpenVMS files can potentially lead to (unexpected) system problems, to OpenVMS upgrade or layered product installation failures, to simple cases of user or system manager confusion, and to potential problems with folks performing customer support services. OpenVMS uses privileges to control access, and makes the assumption that users can acquire tools such as AUTHORIZE or INSTALL from other sources, such as from distribution kits, or can acquire similar tools from other sources. OpenVMS generally prevents write access to key structures and data files, with only a very few files protected against read access. File and object protections are also ineffective against privileged users -- before even considering file protections, ensure that only the appropriate users and applications are operating with or have available enhanced privileges. Protecting the AUTHORIZE image, for instance, provides no benefits unless you also have the necessary protections in place for the associated system services and the appropriate privileges removed from all untrusted users, and you can prevent the user from reloading a copy of AUTHORIZE or a tool such as the freeware DWAUTH utility. Protecting the INSTALL image provides no benefits over removing CMKRNL privilege from untrusted users. If system security is of concern, the OpenVMS Wizard recommends following the Class C2 settings as documented in the appendix of the _Guide to OpenVMS System Security_ manual. Further, rather than attempting changing the file protection model, the OpenVMS Wizard would recommend better use of the auditing and alarm subsystems -- on the appropriate files -- to detect and log failed access attempts and (when appropriate) even successful accesses.
|