CMKRNL, Auditing, and SET UIC?

The Question is:

Is there a way to audit the set UIC command?  Generally I know the answer is
no.  But is there an alternate route, like a CLD change in the set.cld and
mcrset.cld definition files or some such workaround?

The Answer is:

  Enable auditing of the use of CMKRNL privilege, or remove the privilege.
  Untrusted users with CMKRNL privilege are, of course, fully and completely
  privileged -- the SET UIC command is the least of the problems that can
  be caused by such users.

  If an unreliable and insecure approach is acceptable, remove the command
  verb from the command tables.  Given the complete system access permitted
  by CMKRNL, there are other ways -- not the least of which involves direct
  modification of kernel-mode data structures -- which can cause
  security-relevant exposure.

answer written or last revised on ( 18-JUN-2004 )

