In a meeting at the office a few weeks ago, someone mentioned that our annual external IT audit was about to begin. For me, this was a heads up that folks would soon be asking me to collect a variety of information from our OpenVMS system, information that the auditors always want in order to determine whether we’re doing the right thing security-wise. At least for one definition of “the right thing.”
I've increasingly automated this process over the years and have it down to a command procedure that runs several utilities to collect the information, zips up the results, and mails it to me. I can then forward it to my manager or our contact with the auditing firm. However, this year there was a wrinkle.
During last year’s audit (and for many years prior to that), we were running on OpenVMS Alpha, but during the past year we’ve migrated to OpenVMS I64 (the somewhat non-intuitive marketing name for HP’s OpenVMS on Intel’s Itanium processor family). Most of the utilities that my procedure runs are native ones, such as AUTHORIZE to collect user account information and SYSGEN to collect system parameters (for example, they always look at the LGI_BRK_xxx parameters to see if we are being sufficiently cruel to users who forget their passwords). But there is one thing the auditors want done that AUTHORIZE should do but doesn’t: query the system authorization file (SYSUAF) for users matching any arbitrary set of attributes. What they want specifically is a list of all active users who have one or more of the OPER, SYSPRV, or SETPRV privileges.
Enter Joe Meadows’ UAF utility, first released in 1989 and freely circulating the net since. With UAF, this query is a simple matter of running the following command:
$ UAF/SELECT=(PRIV=(OPER,SYSPRV,SETPRV), -
$_ FLAG=NODISUSER)/DISPLAY=(USERNAME,PRIV)/MATCH=AND
Of course you have to have UAF installed to run the command, which I didn’t, because I’m the only one who runs it, and I only do so once a year, and, well, I just hadn’t thought about it when we moved from Alpha to Itanium. I was unsuccessful in finding a binary kit compiled for Itanium, but with a moderate amount of fuss got the ancient sources to compile and do what we needed for our audit.
In building the code, though, I had to hold my nose and avert my eyes to the fact that it needed to be compiled with an arcane compatibility setting (/STANDARD=VAXC) in order to keep a modern C compiler from choking on questionable constructs and the utter lack of function prototypes; it used very old and long since deprecated run-time library and system service routines; and of course it knew nothing about privileges and account flags introduced to the SYSUAF record in recent decades.
So I decided to correct these things. It’s not that there was anything wrong with what was done in 1989, and in fact I made few if any logic changes, but some updates were in order to give this very fine utility a boost into the future and to make it more useful and available to people running modern OpenVMS systems. My results, which I’ve decided to call v2.0, are available via Google project hosting at http://code.google.com/p/jmuaf/. A source kit as well as binary installers for Alpha and Itanium are provided on the Downloads tab. Enjoy.
No comments:
Post a Comment