[Search for users] [Overall Top Noters] [List of all Conferences] [Download this site]

Conference iamok::inspect_srf

Title:	DECinspect CM, SRF, and Corporate Implementation
Notice:	For FAQ see note 4.; For CM kits see note 3.
Moderator:	KIMBLE::TMULLIGAN

Created:	Thu Sep 27 1990
Last Modified:	Mon May 26 1997
Last Successful Update:	Fri Jun 06 1997
Number of topics:	1699
Total number of notes:	8580

99.0. "ACCOUNTNG.DAT ACL FAILS" by GLDOA::RBROWN (Are there no work houses ?) Fri Nov 16 1990 16:52

T.R	Title	User	Personal Name	Date	Lines
99.1	Happens on OPERATOR.LOG also.	QUINCE::MADDEN	Organizationally Challenged	`Fri Nov 16 1990 17:40`	8
99.2	Boot Minimum and run lockdown	LNKUGL::BOWMAN	Bob Bowman, CSC/CS SPACE Team	`Sun Nov 18 1990 18:15`	3
99.3	Applying ACLs to OPERATOR.LOG & ACCOUNTNG.DAT	ICS::DARCANGELO		`Tue Nov 27 1990 09:30`	124
99.4	An Approach	PARITY::MITCHELL	Rob Mitchell Data Center Mgr	`Tue Nov 27 1990 11:17`	5
99.5	I leave 'em running, and play file games	NEPHI::COAR	I'm the NRA/SAF/GOAL	`Tue Nov 27 1990 13:28`	18
99.6	Make that deleting OPERATOR.TMD;* not .LOG;*!	NEPHI::COAR	I'm the NRA/SAF/GOAL	`Thu Nov 29 1990 14:50`	0
99.7	HOW ABOUT IMPROVED LOCKDOWN ?	GLDOA::RBROWN	Are there no work houses ?	`Mon Dec 03 1990 17:21`	13
99.8		MADMAG::NORRIS	What is it, Miss Pfeffernuss?	`Tue Dec 04 1990 08:41`	6
99.9	Shouldn't be `dropping out'	NEPHI::COAR	I'm the NRA/SAF/GOAL	`Tue Dec 04 1990 21:36`	17
99.10	Help or hinder - automate it.	RDGENG::SJONES	Communication? Tell me about it!	`Fri Dec 21 1990 07:34`	16
99.11	fix the LOCKDOWN file	GUESS::DOUCETTE	More Chuck for the buck!	`Wed Jan 09 1991 09:46`	10
99.12	An answer to automating ACC and OP log ACLs	RDGENG::SJONES	Communication? Tell me about it!	`Wed Jan 09 1991 15:30`	5
99.13	System Alarm ACE lockdown won't work	NECSC::LEVY	Across the lazy river	`Tue Jan 29 1991 09:56`	31
99.14	Acknowledged, but no plans to change	QUINCE::MADDEN	Pat, Secure Systems Development	`Tue Jan 29 1991 14:00`	11
99.15	Lockdown text modified for next release	QUINCE::MADDEN	Pat, Secure Systems Development	`Tue Jan 29 1991 15:53`	18
99.16		DUCATI::LASTOVICA	Nudnick - A naked Santa Claus	`Tue Jan 29 1991 18:05`	1
99.17	.15 is a good start...	NECSC::LEVY	Across the lazy river	`Tue Jan 29 1991 21:47`	19
99.18	that's what I wanted to type	AZTECH::LASTOVICA	Nudnick - A naked Santa Claus	`Wed Jan 30 1991 10:47`	7
99.19		BOMBE::MOORE	Amiga: Real computing on a PC budget	`Wed Jan 30 1991 21:03`	11
99.20	It should do what it says it will do	NECSC::LEVY	Across the lazy river	`Wed Jan 30 1991 21:31`	18
99.21	oh please, no sob stories	AZTECH::LASTOVICA	Nudnick - A naked Santa Claus	`Wed Jan 30 1991 23:16`	12
99.22	Poor order of operations also get in the way...	LNKUGL::BOWMAN	Bob Bowman, CSC/CS SPACE Team	`Sun Feb 03 1991 13:08`	12
99.23	Good idea, Bob!	QUICHE::PITT	Suspend all hackers ... by the neck!	`Mon Feb 04 1991 04:28`	13
99.24	UPDATE TO NOTE 99.3	ICS::DARCANGELO		`Tue Feb 05 1991 14:10`	166
99.25	SET_OPER_AND_ACCT_ACL.COM	ICS::DARCANGELO		`Thu Apr 03 1997 09:25`	183
	RE: .3 "Applying ACLs to OPERATOR.LOG & ACCOUNTNG.DAT" RE: .24 "UPDATE TO NOTE 99.3" I have attached the latest version of SET_OPER_AND_ACCT_ACL.COM which applies to PSCM V2.3+ and VMS 6.0+. ............................ CUT ALONG DOTTED LINE ........................... $ SET NOVERIFY $ GOTO START $! $! SET_OPER_AND_ACCT_ACL.COM $! $! V1.1 (09-JUN-1994) $! $! Paul D'Arcangelo $! $! REFERENCE: Corporate Security Standard 11.1, Section 4.5.3 $! $! I. PROLOGUE $! $! In order to set the required ACLs on the operator log(s) and the $! accounting file(s), you need to perform a few necessary steps in $! order to skirt around the 'locked file' error, which occurs when $! you try to apply an ACL to an opened file. $! $! This command procedure will execute the necessary steps in order $! to apply the "required" ACLs to all versions of the operator log $! file and also the accounting file. $! $! This command procedure will handle the enhanced required ACLs in $! PSCM V2.3 for VMS V6 systems, but is also downward compatible to $! VMS V5 systems. $! $! II. IMPLEMENTATION IN A CLUSTER ENVIRONMENT $! $! It is suggested that you execute this procedure in SYSMAN in or- $! der to apply these ACLs in a cluster environment for ease of op- $! eration. This command file should be located in the SYS$COMMON: $! [SYSMGR] directory in order for the commands below to work: $! $! $MCR SYSMAN $! SYSMAN> SET ENVI/CLUSTER $! SYSMAN> SET TIME 00:01:00 $! SYSMAN> SET PROFILE/DEFAULT=SYS$SYSROOT:[SYSMGR] $! SYSMAN> DO @SET_OPER_AND_ACCT_ACL.COM $! SYSMAN> EXIT $! $! III. TECHNICAL INFORMATION $! $! In order to apply an ACL to the accounting file and the operator $! log, a new version of each file is created using the CREATE com- $! mand and an ACL is applied to this unopened version. Then, each $! of the opened files is closed and a new file is created with the $! appropriate commands. These new files will inherit the ACL from $! the CREATEd files. $! $! This command procedure will search for the logicals: "ACCOUNTNG" $! and "OPC$LOGFILE_NAME" for those configurations where the opera- $! or file(s) and accounting file(s) are intentionally located on a $! non-default device and/or directory. $! $! Due to the restrictions of OPCOM communications, SYS$COMMAND is $! temporarily assigned to OPA0: within this procedure in order to $! create a new operator log while using the SYSMAN utility. $! $! IV. CONCLUSION $! $! As a result of this command procedure, new operator log files & $! accounting files will be created with no purge being done on ei- $! ther of the files; all file versions will now meet the require- $! ments set out in the Corporate Security Standard 11.1 document, $! section 4.5.3. "Auditing Important System Files". $! $! $ $ START: $ $ SET NOON $ WO := WRITE SYS$OUTPUT $ $ vms_vers = F$GETSYI("VERSION") $ vms_vers = F$EDIT(vms_vers,"COLLAPSE") $ $ offset = 0 $ offset = F$LOCATE(".",vms_vers) $ abbr_vms_vers = F$EXTRACT(0,offset,vms_vers) $ $ OPERATOR_LOG_ACL: $ $ IF F$TRNLNM("OPC$LOGFILE_NAME") .EQS. "" THEN - DEFINE/PROCESS OPC$LOGFILE_NAME SYS$MANAGER:OPERATOR.LOG $ $ OPERATOR_LOG = F$TRNLMN("OPC$LOGFILE_NAME") $ $ IF F$SEARCH("''OPERATOR_LOG'") .EQS. "" $ THEN $ WO " " $ WO "%FILE-NOT-FOUND; ''OPERATOR_LOG'" $ WO " " $ GOTO ACCOUNTING_FILE_ACL $ ELSE $ CONTINUE $ ENDIF $ $ OPERATOR_LOG = OPERATOR_LOG + ";" $ $ CREATE OPC$LOGFILE_NAME $ $ IF abbr_vms_vers .EQS. "V6" $ THEN $ DEFINE/USER SYS$OUTPUT _NL: $ DEFINE/USER SYS$ERROR _NL: $ SET ACL 'OPERATOR_LOG - /ACL=(ALARM=SECURITY,ACCESS=DELETE+CONTROL+SUCCESS) $ DEFINE/USER SYS$OUTPUT _NL: $ DEFINE/USER SYS$ERROR _NL: $ SET ACL 'OPERATOR_LOG - /ACL=(AUDIT=SECURITY,ACCESS=DELETE+CONTROL+SUCCESS) $ ELSE $ DEFINE/USER SYS$OUTPUT _NL: $ DEFINE/USER SYS$ERROR _NL: $ SET ACL 'OPERATOR_LOG - /ACL=(ALARM=SECURITY,ACCESS=DELETE+CONTROL+SUCCESS) $ ENDIF $ $ ASSIGN OPA0: SYS$COMMAND $ REPLY/ENABLE $ REPLY/LOG $ REPLY/DISABLE $ DEASSIGN SYS$COMMAND $ $ DIRECTORY/ACL 'OPERATOR_LOG $ $ ACCOUNTING_FILE_ACL: $ $ IF F$TRNLNM("ACCOUNTNG") .EQS. "" THEN - DEFINE/PROCESS ACCOUNTNG SYS$MANAGER:ACCOUNTNG.DAT $ $ ACCOUNTNG_DAT = F$TRNLMN("ACCOUNTNG") $ $ IF F$SEARCH("''ACCOUNTNG_DAT'") .EQS. "" $ THEN $ WO " " $ WO "%FILE-NOT-FOUND; ''ACCOUNTNG_DAT'" $ WO " " $ GOTO FINISH $ ELSE $ CONTINUE $ ENDIF $ $ ACCOUNTNG_DAT = ACCOUNTNG_DAT + ";" $ $ CREATE ACCOUNTNG $ $ IF abbr_vms_vers .EQS. "V6" $ THEN $ DEFINE/USER SYS$OUTPUT _NL: $ DEFINE/USER SYS$ERROR _NL: $ SET ACL 'ACCOUNTNG_DAT - /ACL=(ALARM=SECURITY,ACCESS=DELETE+CONTROL+SUCCESS) $ DEFINE/USER SYS$OUTPUT _NL: $ DEFINE/USER SYS$ERROR _NL: $ SET ACL 'ACCOUNTNG_DAT - /ACL=(AUDIT=SECURITY,ACCESS=DELETE+CONTROL+SUCCESS) $ ELSE $ DEFINE/USER SYS$OUTPUT _NL: $ DEFINE/USER SYS$ERROR _NL: $ SET ACL 'ACCOUNTNG_DAT - /ACL=(ALARM=SECURITY,ACCESS=DELETE+CONTROL+SUCCESS) $ ENDIF $ $ SET ACCOUNTING/ENABLE/DISABLE=IMAGE/NEW $ $ DIRECTORY/ACL 'ACCOUNTNG_DAT $ $ FINISH: $ $ WO " " $ WO "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" $ WO " " $ EXIT