HP OpenVMS Systems: Ask the Wizard
The Question is:

Auditor wants a list of accounts set with nopassword. The authorize utility does not seem to indicate this, although dumping the sysuaf.dat record shows a bit changes when I do a $mcr authorize modi userz/nopass. Do I write a program to parse all of our sysuaf.dat or is there something I am missing?

The Answer is:

Unless the password itself is reset by a privileged user directly within SYSUAF, all users must have a password of the specified minimum length for the particular user. Passwords cannot be set shorter than this value except through use of privileges. If you have untrusted privileged users, then you have a far larger exposure risk than null passwords, and this must be resolved before you can or should consider passwords and password policies.

By default, /NOPASSWORD does reset the primary and secondary password to null, but also marks the password as expired; the next login of the username requires a password change during login. (Ensure that all users have a minimum password length set appropriately, of course.)

Within SYSUAF, a username with (standard) local authentication and with no password set has a null hashed password value. A privileged user can use $getuai calls to retrieve UAI$_PWD to detect this. Or the usernames can be probed. (You can establish the password length and force a password change on some or all users, of course.) But again, if you have null passwords with reasonable password lengths set, you have far bigger problems with your privileged user(s).

The OpenVMS Wizard would strongly encourage you and your auditor to read and become familiar with the Guide to System Security manual, particularly the NCSC Class C2 security recommendations that are present in an appendix of that manual, as a start. If you believe you have had privileged users making unauthorized changes to local system security policies, see the materials on recovering from a system security breach -- effectively, this is the same situation.

Existing discussions of passwords include (1461), (1475), (2938), (3039), (3233), (3684), (3883), (4303), (4481), (4612), (4778), (5258), (5333), (5333), (5508), (6328), and (7818). Among others.
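
The $getuai check described in the answer, as an added example (not code from the OpenVMS Wizard or from HP): it fetches UAI$_PWD and UAI$_FLAGS for each username given as an argument and reports null hashes. It assumes a null hashed password is an all-zero quadword and that the caller has the privileges needed to read SYSUAF; `classify` and `audit_user` are hypothetical names.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum finding { PWD_SET, PWD_NULL_EXPIRED, PWD_NULL_NOT_EXPIRED };

/* Assumption: a null hashed password is an all-zero UAI$_PWD quadword. */
enum finding classify(const unsigned char hash[8], int pwd_expired)
{
    static const unsigned char zero[8] = {0};
    if (memcmp(hash, zero, sizeof zero) != 0)
        return PWD_SET;
    /* /NOPASSWORD default: null but expired, so next login forces a change. */
    return pwd_expired ? PWD_NULL_EXPIRED : PWD_NULL_NOT_EXPIRED;
}

#ifdef __VMS   /* the system-service part builds only on OpenVMS */
#include <descrip.h>
#include <starlet.h>
#include <uaidef.h>

typedef struct { unsigned short buflen, itmcod; void *bufadr, *retlen; } item_t;

/* Look up one username; returns -1 if $GETUAI fails (e.g. no such user). */
int audit_user(char *user)
{
    unsigned char pwd[8];
    unsigned int flags = 0;
    struct dsc$descriptor_s name = { 0, DSC$K_DTYPE_T, DSC$K_CLASS_S, user };
    item_t items[] = { { sizeof pwd,   UAI$_PWD,   pwd,    0 },
                       { sizeof flags, UAI$_FLAGS, &flags, 0 },
                       { 0, 0, 0, 0 } };
    char *p;
    for (p = user; *p; p++) *p = (char)toupper((unsigned char)*p);
    name.dsc$w_length = (unsigned short)strlen(user);
    if (!(sys$getuai(0, 0, &name, items, 0, 0, 0) & 1))
        return -1;
    return classify(pwd, (flags & UAI$M_PWD_EXPIRED) != 0);
}

int main(int argc, char **argv)   /* usernames to check are the arguments */
{
    static const char *text[] = { "password set", "NULL, pre-expired", "NULL, NOT expired" };
    int i, r;
    for (i = 1; i < argc; i++) {
        r = audit_user(argv[i]);
        printf("%-12s %s\n", argv[i], r < 0 ? "$GETUAI failed" : text[r]);
    }
    return 0;
}
#endif
```

$getuai takes one username per call, so the list of usernames to check has to come from elsewhere, such as an AUTHORIZE listing.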