MCKEEVER@UMKCVAX2.BITNET.UUCP (06/19/87)
I think I may have discovered a way for those sites who have not received
the patch from DEC yet to know if their users are taking advantage of the
security hole. From an account with SECURITY priv. type in the command
(interactively, and then put it in your SYSTARTUP):
$ SET AUDIT/ALARM/ENABLE=(AUTH,ACL)
What this does is tell you when the SYSUAF.DAT or the RIGHTSLIST.DAT are
modified by issuing an OPCOM message to every terminal enabled with security
as well as logging it to the console and the OPERATOR.LOG. If the system
manager is careful about who he or she gives SECURITY to, this cannot be
disabled without setting off the alarm at least once. This won't plug the
hole, but it should tell you who has been poking around. And if you're
QUICK, you could disuser the perpetrator before they can do any damage. The
drawback to this is that before you modify SYSUAF you must turn off the
alarm with:
$ SET AUDIT/ALARM/DISABLE=(AUTH,ACL)
Otherwise, sitting next to the console can be a bit un-nerving. With the
alarm on, you are also notified of any password changes that people make
since it requires modification of SYSUAF.
I'm not sure if this will work since I've already applied the patch. But
if someone out there has a program that takes advantage of the bug, and
hasn't applied the patch yet, I'm sure there are a lot of people who would
be anxious to know whether the little alarm does go off. If it does, maybe
it would give system managers who haven't received or applied the patch yet a
little peace of mind. If it's not already too late.
-------------------------------------------------------------------------
UMU UMUMUMUMUM
UMU UMUMUMUMUM Brian McKeever
UMU UMUMUMUMUM
UMU UMUMUMUMUM University of Missouri Kansas City
U UM U Computer Science
U UM UM UM 4747 Building Rm. 219
UMUMUMUM UMUM UMUM 5100 RockHill Rd.
UMUMUMUM UMUM UMUM Kansas City, MO 64110
UMUMUMUM UMUM UMUM BITNET: MCKEEVER@UMKCVAX1
UMUMUMUM UMUM UMUM
-------------------------------------------------------------------------