HP OpenVMS Systems Documentation
OpenVMS System Manager's Manual
This section describes some common BACKUP errors and how to recover
If, in the course of a backup operation, the Backup utility or standalone BACKUP encounters fatal hardware- or media-related errors or encounters more media errors than considered reasonable for data reliability, BACKUP generates the following informational message and prompt:
The option you choose depends on several factors, as explained in Table 11-9.
The following example illustrates the sequence of events that occurs when BACKUP encounters an excessive rate of media errors on VOL3 and you choose the RESTART option:
11.19.2 Tape Label Errors
When you instruct BACKUP to use a tape that has a label other than the one you specified, BACKUP issues the following message:
Depending on the option you specify, you can quit the backup operation (QUIT), dismount the old tape and mount a new one (NEW), overwrite the data on the tape (OVERWRITE), or USE the loaded tape.
If you use blank tapes or tapes that you intend to overwrite, use the /IGNORE=LABEL_PROCESSING qualifier. This suppresses the previous BACKUP message, which normally occurs if BACKUP encounters a non-ANSI-labeled tape during a save operation.
|Managing passwords||Section 12.2|
|Adding to the system password dictionary||Section 12.2.1|
|Setting up intrusion detection||Section 12.3|
|Interpreting a user identification code (UIC)||Section 12.4.1|
|Parsing a protection code||Section 12.4.2|
|Creating access control lists (ACLs)||Section 12.6|
|Using the access control list editor (ACL editor)||Section 12.8|
|Auditing security-relevant events||Section 12.9.1|
This chapter explains the following concepts:
|What security management involves||Section 12.1|
|Aspects of password management||Section 12.2|
|Ways to protect objects||Section 12.4|
|Construction of access control lists (ACLs)||Section 12.6|
|Audit log file analysis||Section 12.10|
For full descriptions of all these tasks and concepts, refer to the
OpenVMS Guide to System Security.
12.1 Understanding Security Management
As the person responsible for the day-to-day system management, you play an important role in ensuring the security of your system. Therefore, you should familiarize yourself with the security features available with the OpenVMS operating system and implement the features needed to protect systems, users, and files from damage caused by tampering. Effective operating system security measures help prevent unauthorized access and theft of proprietary software, software plans, and computer time. These measures can also protect equipment, software, and files from damage caused by tampering.
Security problems on most systems are generally caused by irresponsibility, probing, or penetration. The tolerance that your site might have to a breach of security depends on the type of work that takes place at your site.
A secure system environment is a key to system security. Compaq strongly encourages you to stress environmental considerations when reviewing site security.
In the OpenVMS operating system, managing system security is concerned with three major areas:
The following sections describe measures to control access to your
system and its resources.
12.2 Managing Passwords
A site needing average security protection always requires the use of passwords. Sites with more security needs frequently require generated passwords and system passwords. Highly secure sites sometimes choose to use secondary passwords to control network access.
For information about external authentication (also known as single
sign-on), refer to the Authorize section in the OpenVMS System Management Utilities Reference Manual and the
Managing System Access section in the OpenVMS Guide to System Security.
12.2.1 Initial Passwords
When you open an account for a new user with the Authorize utility, you must give the user a user name and an initial password. When you assign temporary initial passwords, observe all guidelines recommended in Section 12.2.5. You should consider using the automatic password generator. Avoid any obvious pattern when assigning passwords.
To use the automatic password generator while using the Authorize utility to open an account, add the /GENERATE_PASSWORD qualifier to either the ADD or the COPY command. The system responds by offering you a list of automatically generated password choices. Select one of these passwords, and continue setting up the account.
The OpenVMS operating system automatically compares new passwords with a system dictionary to ensure that a password is not a native language word. It also maintains a password history list of a user's last 60 passwords. The operating system compares each new password with entries in the password history list to ensure that an old password is not reused.
The system dictionary is located in SYS$LIBRARY. You can enable or disable the dictionary search by specifying the DISPWDDIC or NODISPWDDIC option with the /FLAGS qualifier in AUTHORIZE. The password history list is located in SYS$SYSTEM. To enable or disable the history search, specify the DISPWDHIS or NODISPWDHIS option to the /FLAGS qualifier.
You can modify the system password dictionary to include words of significance to your site. The following procedure allows you to add words to the system dictionary. The procedure also allows you to retain a file of the passwords that you consider unacceptable.
$ CREATE LOCAL_PASSWORD_DICTIONARY.DATA somefamous localheroes [Ctrl/Z]
$ SET PROCESS/PRIVILEGE=SYSPRV $ CONVERT/MERGE/PAD LOCAL_PASSWORD_DICTIONARY.DATA - _$ SYS$LIBRARY:VMS$PASSWORD_DICTIONARY.DATA
When you add a new user to the UAF, you might want to define that user's password as having expired previously using the AUTHORIZE qualifier /PWDEXPIRED. This forces the user to change the initial password when first logging in.
Preexpired passwords are conspicuous in the UAF record listing. The entry for the date of the last password change carries the following notation:
By default, the OpenVMS operating system forces new users to change
their passwords the first time they log in. Encourage your site to use
a training program for its users that includes information about
12.2.2 System Passwords
Implementing system passwords is a two-stage operation involving the
DCL commands SET TERMINAL and SET PASSWORD. First, you must decide
which terminals require system passwords. Then, for each terminal, you
enter the DCL command SET TERMINAL/SYSPASSWORD/PERMANENT. To enable
system passwords for all terminals, set the appropriate bit in the
system parameter TTY$DEFCHAR2.
12.2.3 Primary and Secondary Passwords
The use of dual passwords is cumbersome and mainly needed at sites with high-level security concerns. The effectiveness of a secondary passwords depends entirely on the trustworthiness of the supervisor who supplies it. A supervisor can easily give out the password or worse yet, change it to a null string.
The main advantage of a second password is that it prevents accounts from being accessed through DECnet for OpenVMS using simple access control.
Another advantage of a second password is that it can serve as a
detection tool when a site has unexplained break-ins after the password
has been changed and the use of the password generator has been
enforced. Select problem accounts, and make them a temporary target of
this restriction. If the problem goes away when you institute personal
verification through the secondary password, you know you have a
personnel problem. Most likely, the authorized user is revealing the
password for the account to one or more other users who are abusing the
account. Refer to the OpenVMS Guide to System Security for an explanation of how to add
12.2.4 Enforcing Minimum Password Standards
Security managers can use AUTHORIZE to impose minimum password standards for individual users. Specifically, qualifiers and login flags provided by AUTHORIZE control the minimum password length, how soon passwords expire, and whether the user is forced to change passwords at expiration.
With the AUTHORIZE qualifier /PWDLIFETIME, you can establish the maximum length of time that can elapse between password changes before the user will be forced to change the password or lose access to the account.
The use of a password lifetime forces the user to change the password regularly. The lifetime can be different for different users. Users who have access to critical files generally should have the shortest password lifetimes.
By default, users are forced to change expired passwords when logging in. Users whose passwords have expired are prompted for new passwords at login. A password is valid for 90 days unless a site modifies the value with the /PWDLIFETIME qualifier.
With the AUTHORIZE qualifier /PWDMINIMUM, you can direct that all password choices must be a minimum number of characters in length. Users can still specify passwords up to the maximum length of 32 characters.
The /FLAGS=GENPWD qualifier in AUTHORIZE allows you to force the use of
the automatic password generator when a user changes a password. At
some sites, all accounts are created with this qualifier. At other
sites, the security manager can be more selective.
12.2.5 Guidelines for Protecting Passwords
The following actions are not strictly for password protection, but they reduce the potential of password detection or limit the extent of the damage if passwords are discovered or bypassed:
The password history database maintains a history of previous passwords
associated with each user account. By default, the system retains these
records for one year. Password history records that are older than the
system password history lifetime are allowed as valid password choices.
When a user account is deleted, the system removes the associated
password history records from the history database.
12.3 Using Intrusion Detection Mechanisms
This section describes how to set up intrusion detection and evasion and how to display the intrusion database.
You can control the number of login attempts the user is allowed through a dialup line. If the user makes a typing mistake after obtaining the connection, the user does not automatically lose the connection. This option is useful for authorized users, while still restricting the number of unauthorized attempts.
To implement control of retries, use the following two LGI system parameters: LGI_RETRY_TMO and LGI_RETRY_LIM. If you do not change the values of these system parameters, the default values allow the users three retries with a 20-second interval between each.
Keep in mind that controlling dialup retries is only a part of an overall security program and is not, in itself, sufficient to avoid break-ins. An obstacle like redialing is not going to prove an effective deterrent to a persistent intruder.
The OpenVMS operating system offers additional methods of discouraging break-in attempts. These methods also use system parameters in the LGI category.
|LGI_BRK_LIM||Defines a threshold count for login failures. When the count of login failures exceeds the LGI_BRK_LIM value within a reasonable time interval, the system assumes that a break-in is in progress.|
|LGI_BRK_TERM||Controls the association of terminals and user names for counting failures.|
|LGI_BRK_TMO||Controls the time period in which login failures are detected and recorded.|
|LGI_HID_TIM||Controls the duration of the evasive action.|
|LGI_BRK_DISUSER||Makes the effects of intrusion detection more severe. If you set this parameter to 1, the OpenVMS operating system sets the DISUSER flag in the UAF record for the account where the break-in was attempted. Thus, that user name is disabled until you manually intervene.|
Refer to the OpenVMS Guide to System Security for a full description of these parameters.
The Security Server process, which is created as part of normal operating system startup, performs the following tasks:
The intrusion database keeps track of failed login attempts. This information is scanned during process login to determine if the system should take restrictive measures to prevent access to the system by a suspected intruder.
The network proxy database file (NET$PROXY.DAT) is used during network connection processing to determine if a specific remote user may access a local account without using a password. The information contained in this database is managed by the Authorize utility.
The following example shows the expanded expiration time field in the new SHOW INTRUSION output.
$ SHOW INTRUSION Intrusion Type Count Expiration Source NETWORK SUSPECT 1 21-MAY-2000 12:41:01.07 DEC:.ZKO.TIDY::SYSTEM