HP OpenVMS Systems

ask the wizard
Security Auditing, Null Passwords?

The Question is:

Auditor wants a list of accounts set with nopassword. The authorize utility
 does not seem to indicate this, although dumping the sysuaf.dat record shows a
 bit changes when I do a $mcr authorize modi userz/nopass
Do I write a program to parse all of our sysuaf.dat or is there something I am

The Answer is:

  Unless the password itself is reset by a privileged user directly
  within SYSUAF, all users must have a password of the specified
  minimum length for the particular user.  Passwords cannot be
  set shorter than this value except through use of privileges.
  If you have untrusted privileged users, then you have a far larger
  exposure risk than null passwords, and this must be resolved before
  you can or should consider passwords and password policies.
  By default, /NOPASSWORD resets the primary and secondary password
  to null, but also marks the password as expired; the next login of
  the username requires a password change during login.  (Ensure that
  all users have a minimum password length set appropriately, of course.)
  Within SYSUAF, a username with (standard) local authentication and
  with no password set has a null hashed password value.  A privileged
  user can use $getuai calls to retrieve UAI$_PWD to detect this.  Or
  the usernames can be probed.  (You can establish the password length
  and force a password change on some or all users, of course.)  But
  again, if you have null passwords with reasonable password lengths
  set, you have far bigger problems with your privileged user(s).
  The OpenVMS Wizard would strongly encourage you and your auditor
  to read and become familiar with the Guide to System Security manual.
  Particularly the NCSC Class C2 security recommendations that are
  present in an appendix of that manual, as a start.  If you believe
  you have had privileged users making unauthorized changes to local
  system security policies, see the materials on recovering from a
  system security breach -- effectively, this is the same situation.
  Existing discussions of passwords include (1461), (1475), (2938),
  (3039), (3233), (3684), (3883), (4303), (4481), (4612), (4778),
  (5258), (5333), (5333), (5508), (6328), and (7818).  Among others.

answer written or last revised on ( 2-AUG-2003 )
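The UAI$_PWD check the Wizard describes, as an added example that is not part of the original answer: a C routine for OpenVMS that reads an account's primary hashed password through sys$getuai and reports whether the hash is null. The sys$getuai path is guarded by __VMS and assumes the caller holds the privilege needed to read SYSUAF; hash_is_null is portable C, and the item-list struct and function names are this example's own.

```c
#include <string.h>

#define UAI_HASH_LEN 8   /* UAI$_PWD returns the hashed password as a quadword */

/* A standard locally authenticated account with no password set has an
 * all-zero hash. (UAI$_PWD2 is also zero on accounts that simply have no
 * secondary password, so only the primary hash is a finding on its own.) */
int hash_is_null(const unsigned char *hash, size_t len)
{
    unsigned char acc = 0;
    while (len--)
        acc |= *hash++;          /* any set bit means a real hash is stored */
    return acc == 0;
}

#ifdef __VMS
#include <descrip.h>
#include <starlet.h>
#include <uaidef.h>

struct uai_item {                /* sys$getuai item-list entry (example's own) */
    unsigned short buflen, itmcod;
    void *bufadr;
    unsigned int *retlen;
};

/* 1 = null primary password, 0 = password present, -1 = sys$getuai failed
 * (its status, e.g. for an unknown username, is left in *vms_status).
 * Requires the privilege to read SYSUAF, as the answer notes. */
int account_has_null_password(const char *username, int *vms_status)
{
    unsigned char pwd[UAI_HASH_LEN];
    unsigned int retlen = 0;
    struct uai_item itmlst[2];
    struct dsc$descriptor_s usr;

    usr.dsc$w_length = (unsigned short)strlen(username);
    usr.dsc$b_dtype = DSC$K_DTYPE_T;
    usr.dsc$b_class = DSC$K_CLASS_S;
    usr.dsc$a_pointer = (char *)username;

    itmlst[0].buflen = UAI_HASH_LEN; itmlst[0].itmcod = UAI$_PWD;
    itmlst[0].bufadr = pwd;          itmlst[0].retlen = &retlen;
    memset(&itmlst[1], 0, sizeof itmlst[1]);   /* longword 0 ends the list */

    *vms_status = sys$getuai(0, 0, &usr, itmlst, 0, 0, 0);
    if (!(*vms_status & 1))          /* low bit clear = failure status */
        return -1;
    return hash_is_null(pwd, UAI_HASH_LEN);
}
#endif
```

Call account_has_null_password once per username from an AUTHORIZE listing and report the accounts that return 1 to the auditor.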