[comp.os.vms] "UNWELCOME.TXT" - a better WELCOME message

kcb@marque.mu.edu (Kent Brodie) (06/08/89)

One of the largest security "holes", as it were, is the fact that the
default "welcome" message on VAX/VMS systems is just that-- it WELCOMES
the user to the system.  In the case of an unauthorized access to your
precious system, the existence of this message can cause ALL SORTS of
legal headaches, depending on your state/local laws.
 
The easy way around this, of course, is to just define a different message,
or even refer to a text file containing a few lines.  I have found, however,
that I really like the "default" mode of the SYS$WELCOME logical in that
it dynamically knows what's going on, i.e., your NODE name and the system
version number.  In a large cluster environment, this is one more stupid
thing that then has to be changed (if you use a text file).
 
I thought about this for a while, and immediately decided that the logicals
F$GETSYI("NODENAME") and F$GETSYI("VERSION") were obviously appropriate,
but how to use these on a MULTIPLE-LINE "unwelcome" message?
 
Well, the following neat example is one that I figured out for my system
using the handy (and seldom-used) F$FAO lexical function that allows you
to both tell the user that only AUTHORIZED people are allowed, and at the
same time do it via DCL so that the system's node name and version number
are always included.   The result is a nice **TWO-LINE** message that
changes with each system used.  In a cluster environment, this makes it even
easier to use.
 
Well, I've babbled enough on this, and all for a 4-line DCL segment
that should go in SYSTARTUP.   However, I feel that this issue is
an IMPORTANT one, and should not be taken lightly.    As always, just
save (extract) this message, and edit out all of the garbage.  Include
the "executable" lines of the following DCL segment in your system-specific
startup file for your vax, and you're off and running.
 
Don't forget to execute this .COM file separately, right away, so you
don't have to wait for a reboot for the message to take effect!
 
I would appreciate any comments on this as well.   Have fun.
$!------------ cut here 8< -----------------------------------------    
$! UNWELCOME.COM   Create a better (dynamic) "welcome" message for a VAX.
$!                 (C) 1989 Kent C. Brodie; Medical College of Wisconsin.
$! 
$! These lines should go in the system-specific startup file for your
$! VAX system.    V4: SYSTARTUP.COM   V5: SYSTARTUP_V5.COM
$!
$! The welcome message is automatically set up to include the node name
$! and the system version number for your system, so any upgrades will
$! automatically be reflected in the "welcome" message.   The purpose of
$! this message format is to both get rid of the word "WELCOME", and also
$! to let users know that unauthorized access is not allowed.  Both of these
$! items are IMPORTANT when securing a VAX-- legal loopholes exist when the
$! default "welcome" message is used.
$!-----------------------------------------------------------------------
$ lineone = "      You are on node ''f$getsyi("NODENAME")' running " + -
  "VAX/VMS version ''f$edit(f$getsyi("VERSION"),"TRIM")'. " 
$ linetwo = "      Unauthorized access to this system is prohibited."
$ assign/system "''f$fao("!AS!/!AS",lineone,linetwo)'" sys$welcome 
-- 
Kent C. Brodie       Normally:   kcb@marque.mu.edu
  (System Manager    OR:         ..uwvax!uwmcsd1!marque!kcb
   at Large)         Sometimes:  7113BRODIEK@MUCSD (different machine..)
"Simon says.... 'DRY UP!'"   -Simon Bar Sinister 

session@uncw.UUCP (Zack Sessions) (06/10/89)

In article <452@marque.mu.edu> kcb@marque.UUCP (Kent Brodie) writes:
>one of the largest security "holes", as it were, is the fact that the
>default "welcome" message on VAX/VMS systems is just that-- it WELCOMES
>the user to the system.  In the case of an unauthorized access to your
>precious system, the existence of this message can cause ALL SORTS of
>legal headaches, depending on your state/local laws.
> [text and command file deleted]

Kent, thanks for letting those of us who were unaware of this legal loophole
know of its existence, and for writing and debugging a command file to
help us coa. I installed it on all 9 of my VAXen. Works like a champ!

One comment. The f$getsyi("nodename") lexical function gets its
information from the SCSNODE sysgen parameter. If this value is null
then no value appears for nodename in the unwelcome message. A workaround
for system managers who do not need/want to assign an SCSNODE value for their
system is to get the value from the system logical SYS$NODE.

Replace the lines

$ lineone = "      You are on node ''f$getsyi("NODENAME")' running " + -
  "VAX/VMS version ''f$edit(f$getsyi("VERSION"),"TRIM")'. " 

with the following lines

$ nodename = f$trnlnm("sys$node") - "_" - "::"
$ lineone = "      You are on node ''nodename' running " + -
  "VAX/VMS Version ''f$edit(f$getsyi("VERSION"),"TRIM")'. "

That fixes it up nicely.

Thanks again.



Zack Sessions                          | Utilizing the computing facilities
General Electric                       | at the University of North Carolina 
Nuclear Fuels & Component Manufacturing| at Wilmington 
Wilmington, NC                         |

"If it ain't broke, then don't fix it!"
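
[Added example, not part of either post above: a variant of the startup fragment that combines the two approaches in this thread, taking the node name from F$GETSYI("NODENAME") and falling back to the SYS$NODE logical only when SCSNODE is blank. The symbol names nodename and version and the "(unknown)" text are assumptions of this example.]

```dcl
$! Added example: node name from SCSNODE, else from the SYS$NODE logical.
$! The symbols "nodename" and "version" and the "(unknown)" text are
$! choices made for this example only.
$ nodename = f$edit(f$getsyi("NODENAME"),"TRIM")
$ if nodename .eqs. "" then nodename = f$trnlnm("SYS$NODE") - "_" - "::"
$ if nodename .eqs. "" then nodename = "(unknown)"
$ version = f$edit(f$getsyi("VERSION"),"TRIM")
$ lineone = "      You are on node " + nodename + " running " + -
  "VAX/VMS version " + version + "."
$ linetwo = "      Unauthorized access to this system is prohibited."
$ assign/system "''f$fao("!AS!/!AS",lineone,linetwo)'" sys$welcome
$! Check the result without waiting for a reboot:
$ show logical/system sys$welcome
```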

hill@faline.bellcore.com (Chris Hill) (06/13/89)

>In article <452@marque.mu.edu> kcb@marque.UUCP (Kent Brodie) writes:
>>one of the largest security "holes", as it were, is the fact that the
>>default "welcome" message on VAX/VMS systems is just that-- it WELCOMES
>>the user to the system.  In the case of an unauthorized access to your
>>precious system, the existence of this message can cause ALL SORTS of
>>legal headaches, depending on your state/local laws.

So I guess we'd all better take in the WELCOME mats from our front
doors: the next trespasser will claim (s)he was WELCOME...

devine@shodha.dec.com (Bob Devine) (06/16/89)

In article <452@marque.mu.edu> kcb@marque.UUCP (Kent Brodie) writes:
> one of the largest security "holes", as it were, is the fact that the
> default "welcome" message on VAX/VMS systems is just that-- it WELCOMES
> the user to the system.  In the case of an unauthorized access to your
> precious system, the existence of this message can cause ALL SORTS of
> legal headaches, depending on your state/local laws.

  NOTE: There has been no legal finding that having a welcome message
constitutes an invitation to system cracking.  However, if you are
taking other steps to prevent a cracker's entry (eg call-back modems,
proper password management) then you *might* be on a firmer legal
standing if your login message gave warning about illegal use.  One
sleazy lawyer did advance that argument in a case but the judge's
ruling did not include it in the decision.

Bob Devine

kcb@marque.mu.edu (Kent Brodie) (06/16/89)

In article <2270@faline.bellcore.com> hill@faline.UUCP (Chris Hill) writes:
>>In article <452@marque.mu.edu> kcb@marque.UUCP (Kent Brodie) writes:
>>>default "welcome" message on VAX/VMS systems is just that-- it WELCOMES
>>>the user to the system.  In the case of an unauthorized access to your
>>>precious system, the existence of this message can cause ALL SORTS of
>>>legal headaches, depending on your state/local laws.
>
>So I guess we'd all better take in the WELCOME mats from our front
>doors: the next trespasser will claim (s)he was WELCOME...
 
Invalid point.  The thing here is that many states' computer "crime" laws
are vague at best, as opposed to laws pertaining to "breaking and entering"
a home.   I could care less what "opinions" are in this matter.  I want it
KNOWN that unauthorized access to my system is "naughty"....
-- 
Kent C. Brodie       Normally:   kcb@marque.mu.edu
  (System Manager    OR:         ..uwvax!uwmcsd1!marque!kcb
   at Large)         Sometimes:  7113BRODIEK@MUCSD (different machine..)
"Simon says.... 'DRY UP!'"   -Simon Bar Sinister