You need an account with privileges to perform
the tasks of a security administrator.
An administrator who reviews security violations and possible vulnerabilities requires at least three privileges:
- SECURITY and AUDIT privileges to enable security auditing and to set up security operator terminals
- READALL privilege to review the protection of files and resources
In many cases, a security administrator serves
as both the security administrator and the system manager. This person
requires a full set of privileges. The HP OpenVMS System
Manager's Manual describes the necessary characteristics
of a system management account.
“Sample Security Administrator's Account” illustrates a number of AUTHORIZE
qualifiers appropriate for a security administrator's account.
Any value not specified defaults to the value provided by the default
record in SYSUAF.DAT.
Example 6-1 Sample Security Administrator's Account
$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
UAF> ADD RIRONWOOD/PASSWORD=VALTERSY/UIC=[001,100] -
_UAF> /DEVICE=SYS$SYSDEVICE/DIRECTORY=[RIRONWOOD] -
_UAF> /OWNER="Russ Ironwood"/ACCOUNT=SECURITY/FLAGS=GENPWD -   [1]
_UAF> /PWDLIFETIME=30-/PWDMINIMUM=8 -   [2]
_UAF> /PRIVILEGES=(AUDIT,SECURITY,READALL)   [3]
identifier for value:[000001,000100] added to RIGHTSLIST.DAT
UAF>
Notice the following:
[1] The requirement that the automatic password generator be used to change passwords.
[2] The use of a short password lifetime.
    Measures 1 and 2 are important to protect the account because it affords many valuable privileges and access rights.
[3] SECURITY, AUDIT, and READALL privileges allow monitoring of the system but no modification. If you perform the tasks of a system manager, then you would need an account with SYSPRV. With SYSPRV, you can access protected objects by the system protection field and change the owner UIC and protection. You can change an object's protection to gain access to it.
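One way to check an existing account against the three points above is to parse its AUTHORIZE listing and report deviations. The Python below is an added example, not part of the original manual: the listing is constructed, its field layout is an assumption modelled on AUTHORIZE SHOW /FULL output, and the 30-day ceiling is an assumed policy value taken from the sample account.

```python
import re

# Privileges the page describes as allowing monitoring but no modification.
MONITOR_ONLY = {"AUDIT", "SECURITY", "READALL"}
MAX_LIFETIME_DAYS = 30   # assumption: policy ceiling, taken from the sample's /PWDLIFETIME

# Constructed listing; the layout is assumed, modelled on AUTHORIZE "SHOW user /FULL".
SAMPLE = """\
Username: RIRONWOOD                        Owner:  Russ Ironwood
Account:  SECURITY                         UIC:    [1,100] ([RIRONWOOD])
Flags:  GenPwd
Expiration:            (none)    Pwdminimum:  8   Login Fails:     0
Pwdlifetime:         30 00:00    Pwdchange:      (pre-expired)
Authorized Privileges:
  AUDIT        READALL      SECURITY
Default Privileges:
  AUDIT        READALL      SECURITY
"""

def parse_record(text):
    """Extract the fields the three callouts depend on from one listing."""
    rec = {"flags": set(), "privs": set(), "lifetime_days": None}
    section = None
    for line in text.splitlines():
        if line.startswith("Flags:"):
            rec["flags"] = {f.upper() for f in line.split(":", 1)[1].split()}
        if m := re.search(r"Pwdlifetime:\s*(\d+) \d\d:\d\d", line):
            rec["lifetime_days"] = int(m.group(1))   # "(none)" leaves this as None
        if line.endswith("Privileges:"):
            section = line.split()[0]                # "Authorized" or "Default"
        elif section == "Authorized" and line.startswith(" "):
            rec["privs"].update(line.split())        # indented rows of privilege names
        elif not line.startswith(" "):
            section = None
    return rec

def findings(rec):
    """Return policy deviations; an empty list means the record matches the guidance."""
    out = []
    if "GENPWD" not in rec["flags"]:
        out.append("GENPWD flag not set")
    if rec["lifetime_days"] is None or rec["lifetime_days"] > MAX_LIFETIME_DAYS:
        out.append("password lifetime unlimited or above policy")
    extra = sorted(rec["privs"] - MONITOR_ONLY)
    if extra:                                        # e.g. SYSPRV permits modification
        out.append("privileges beyond monitoring: " + ",".join(extra))
    return out
```
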