The Question is:
Auditor wants a list of accounts set with nopassword. The authorize utility
does not seem to indicate this, although dumping the sysuaf.dat record shows a
bit change when I do a $mcr authorize modi userz/nopass
Do I write a program to parse all of our sysuaf.dat, or is there something I am
missing?
The Answer is:
Unless the password itself is reset by a privileged user directly
within SYSUAF, all users must have a password of the specified
minimum length for the particular user. Passwords cannot be
set shorter than this value except through use of privileges.
If you have untrusted privileged users, then you have a far larger
exposure risk than null passwords, and this must be resolved before
you can or should consider passwords and password policies.
By default, /NOPASSWORD resets the primary and secondary password
to null, but also marks the password as expired; the next login of
the username requires a password change during login. (Ensure that
all users have a minimum password length set appropriately, of course.)
Within SYSUAF, a username with (standard) local authentication and
with no password set has a null hashed password value. A privileged
user can use $getuai calls to retrieve UAI$_PWD to detect this. Or
the usernames can be probed. (You can establish the password length
and force a password change on some or all users, of course.) But
again, if you have null passwords with reasonable password lengths
set, you have far bigger problems with your privileged user(s).
The OpenVMS Wizard would strongly encourage you and your auditor to
read and become familiar with the Guide to System Security manual,
starting in particular with the NCSC Class C2 security recommendations
that are present in an appendix of that manual. If you believe
you have had privileged users making unauthorized changes to local
system security policies, see the materials on recovering from a
system security breach -- effectively, this is the same situation.
Existing discussions of passwords include (1461), (1475), (2938),
(3039), (3233), (3684), (3883), (4303), (4481), (4612), (4778),
(5258), (5333), (5508), (6328), and (7818), among others.
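The $GETUAI check the Wizard describes, as an added example that is not code from the reply: a small C program that asks $GETUAI for UAI$_PWD, UAI$_PWD2, UAI$_FLAGS and UAI$_PWD_LENGTH for each username given on the command line, and lists any account whose primary hash is null, separating those that are merely waiting for the forced change at next login (the /NOPASSWORD default, expired flag set) from those that can be entered with no password at all. The OpenVMS-specific calls compile only under __VMS and need the privilege that the reply mentions; on any other host the same classification runs over three constructed sample accounts, and the PWD_EXPIRED_MASK value used there is a placeholder so the code compiles, not the real UAI$M_PWD_EXPIRED. Producing the list of usernames to feed it (for example from an AUTHORIZE listing) is left to the operator.

```c
/* nullpwd_audit.c -- added example, not from the original reply.
 * Lists usernames whose SYSUAF primary password hash is null.
 */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* The four UAI items requested for each username. */
typedef struct {
    uint64_t pwd;        /* UAI$_PWD        : hashed primary password (quadword) */
    uint64_t pwd2;       /* UAI$_PWD2       : hashed secondary password (quadword) */
    uint32_t flags;      /* UAI$_FLAGS      : account flags (longword) */
    uint8_t  pwd_length; /* UAI$_PWD_LENGTH : minimum password length (byte) */
} uai_view;

#ifdef __VMS
#include <starlet.h>
#include <descrip.h>
#include <ssdef.h>
#include <uaidef.h>
#define PWD_EXPIRED_MASK UAI$M_PWD_EXPIRED

/* Item-list entry layout accepted by $GETUAI (length, code, buffer, return-length). */
typedef struct { uint16_t len, code; void *buf; uint16_t *retlen; } ile3_t;

/* Fetch the four items for one username. Returns SS$_NORMAL (odd) on success. */
int fetch_uai(const char *username, uai_view *v)
{
    struct dsc$descriptor_s usr = {
        (uint16_t)strlen(username), DSC$K_DTYPE_T, DSC$K_CLASS_S, (char *)username };
    ile3_t items[] = {
        { sizeof v->pwd,        UAI$_PWD,        &v->pwd,        0 },
        { sizeof v->pwd2,       UAI$_PWD2,       &v->pwd2,       0 },
        { sizeof v->flags,      UAI$_FLAGS,      &v->flags,      0 },
        { sizeof v->pwd_length, UAI$_PWD_LENGTH, &v->pwd_length, 0 },
        { 0, 0, 0, 0 }   /* list terminator */
    };
    return sys$getuai(0, 0, &usr, items, 0, 0, 0);
}
#else
/* Off VMS: constructed stand-in records so the classification can be run.
 * PLACEHOLDER mask -- the real value is UAI$M_PWD_EXPIRED from <uaidef.h>. */
#define PWD_EXPIRED_MASK 0x00000001u
static const struct { const char *name; uai_view v; } sample_uaf[] = {
    { "ALICE",  { 0x1122334455667788ULL, 0, 0,                12 } }, /* has a password */
    { "USERZ",  { 0,                     0, PWD_EXPIRED_MASK,  8 } }, /* after MODIFY/NOPASSWORD */
    { "LEGACY", { 0,                     0, 0,                 0 } }, /* null hash, not expired */
};
int fetch_uai(const char *username, uai_view *v)
{
    for (size_t i = 0; i < sizeof sample_uaf / sizeof sample_uaf[0]; i++)
        if (strcmp(sample_uaf[i].name, username) == 0) { *v = sample_uaf[i].v; return 1; }
    return 0;  /* username not found: even status, like a VMS failure code */
}
#endif

typedef enum { PWD_OK = 0, PWD_NULL_EXPIRED = 1, PWD_NULL_ACTIVE = 2 } pwd_finding;

/* A zero primary hash means no password. With the expired bit set the next
 * login forces a change; without it the account is usable with no password. */
pwd_finding classify(const uai_view *v)
{
    if (v->pwd != 0) return PWD_OK;
    return (v->flags & PWD_EXPIRED_MASK) ? PWD_NULL_EXPIRED : PWD_NULL_ACTIVE;
}

/* Returns the finding for one username, or -1 if the lookup failed. */
int audit_user(const char *username)
{
    uai_view v;
    memset(&v, 0, sizeof v);
    if (!(fetch_uai(username, &v) & 1)) return -1;
    return classify(&v);
}

int main(int argc, char **argv)
{
    static const char *label[] = { "password set", "NULL password, change forced at next login",
                                   "NULL password, account usable without one" };
    for (int i = 1; i < argc; i++) {
        int f = audit_user(argv[i]);
        if (f < 0) printf("%-12s lookup failed\n", argv[i]);
        else       printf("%-12s %s\n", argv[i], label[f]);
    }
    return 0;
}
```

Run it as `nullpwd_audit USERZ LEGACY ALICE`; the accounts reported as "usable without one" are the list the auditor is asking for, while the "change forced" group is the expected state immediately after a MODIFY/NOPASSWORD and should clear itself at the user's next login.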