Security Corner

On the Outside Looking In

Article Date: 6/96

Identification and authentication (I&A) of users of a computer system is a cornerstone of a security implementation. VOS requires a user to log in using a pre-created account (Identification) and the password associated with that account (Authentication). In previous issues of this newsletter, we have covered a number of points about I&A under VOS.

In their classic book, Practical UNIX Security, Simson Garfinkel and Gene Spafford (a guru of UNIX security) also describe the need to prevent users who have not yet logged on from learning information about the system. In an earlier issue, we looked at hiding the Stratus from the outside world by changing some of the standard prompts and banners. This month, let's look at a VOS facility which users who have not yet passed I&A might use to learn about your system.

Someone sitting in front of a live terminal connected to VOS before logging in is actually using a pre-login process. This process has a limited command list (try "help" while not logged in). These commands are referred to as pre-login commands. Some of these are internal commands (commands built into VOS itself) which have been flagged by Stratus as available to a pre-login user.

Other pre-login commands are external commands (executable files) which have been marked as available to pre-login. To be a pre-login external command, the command macro or program file must have two characteristics. It must be in one of the directories which are on the default library paths for commands on your module, and it must end in the suffix ".prelogin.cm" or ".prelogin.pm".

As a security administrator, you need to audit on a regular basis which commands are available as pre-login commands on your system. Consider the consequences of someone executing each of these commands as a privileged user in the "System" group, but without knowing who they are. You need to control access to the directories on the default library paths for commands (use list_default_library_paths to see them). If you are using pre-login commands for a good purpose, you should also monitor the integrity of those files to make sure no one substitutes some other program for what you thought was available (a Trojan Horse).
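As an added illustration of the audit described above (not code from the article or from Stratus), here is a Python model of the check: enumerate the files ending in ".prelogin.cm" or ".prelogin.pm" in the directories reported by list_default_library_paths, record a hash baseline, and report anything added, removed or substituted on the next run. The directory names and file contents are constructed; on a real VOS module the path list would come from list_default_library_paths and the files would be copied to a host where Python can read them.

```python
import hashlib
import tempfile
from pathlib import Path

# Suffixes that mark a command macro (.cm) or program module (.pm)
# as runnable before login (the two suffixes named in the article).
PRELOGIN_SUFFIXES = (".prelogin.cm", ".prelogin.pm")


def find_prelogin_commands(library_paths):
    """Return {path: sha256} for every pre-login command file found in the
    given directories. library_paths stands in for the output of
    list_default_library_paths (assumed to be supplied by the administrator)."""
    found = {}
    for directory in library_paths:
        d = Path(directory)
        if not d.is_dir():          # a listed path that does not exist is skipped
            continue
        for entry in sorted(d.iterdir()):
            if entry.is_file() and entry.name.endswith(PRELOGIN_SUFFIXES):
                found[str(entry)] = hashlib.sha256(entry.read_bytes()).hexdigest()
    return found


def diff_baseline(baseline, current):
    """Compare a saved baseline with a fresh scan. 'changed' entries are
    candidate substituted programs (Trojan Horses); 'added' entries are
    pre-login commands nobody authorized; 'removed' entries went missing."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed sample: two library directories holding one legitimate
    pre-login macro, one ordinary command that must be ignored, and one
    pre-login program; then one file is altered and one is dropped in."""
    root = Path(tempfile.mkdtemp())
    (root / "system").mkdir()
    (root / "site").mkdir()
    (root / "system" / "show_notice.prelogin.cm").write_text("display_line 'Authorized use only'\n")
    (root / "system" / "backup.cm").write_text("!ordinary command, requires login\n")
    (root / "site" / "who.prelogin.pm").write_bytes(b"\x00program\x00")
    paths = [str(root / "system"), str(root / "site"), str(root / "missing")]
    baseline = find_prelogin_commands(paths)
    # Simulated tampering between audits: altered macro body, new pre-login program.
    (root / "system" / "show_notice.prelogin.cm").write_text("!substituted body\n")
    (root / "site" / "extra.prelogin.pm").write_bytes(b"\x00unknown\x00")
    return len(baseline), diff_baseline(baseline, find_prelogin_commands(paths))


if __name__ == "__main__":
    print(demo())
```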

Sharing tips and information with other users is a great reason for reading (and contributing to) this newsletter. It's also an excellent reason to attend the annual STRATAGY conference. For a few days, the highest concentration of Stratus users on earth is all in the same building. A couple of tips gained from this meeting can make it some of the most cost-effective time you spend this year. There is no better opportunity to talk to Stratus, hear what they are doing, and tell them what your needs are. Between a couple of us here at LTS (Bill Scerra being the other), we have been to every single STRATAGY annual meeting, as attendees, presenters, exhibitors, instructors - you name it. We view it as a "must do" each year. Hope to be able to talk to you about VOS security in New Orleans!
