Andreas,
I too prefer the BACKG method to the system wide UDC for Security/3000 and
use it regularly. One thing you said below caught my attention. It seems
to me that once BACKG (with logon running) is streamed, if you stop it the
Security/3000 hook is still in place. So, stopping the BACKG job, even with
the "parm=-1" option would not let you on. It does give you an out from the
"lock-out", although it's pretty intrusive :) You can reboot your system
and prior to streaming the BACKG job you can get on, but there is a good
chance somebody will notice that hack :)
Thanx,
Jonathan (Jon) M. Backus, MPE-CSM ~ President
Tech Group ~ 15 Catawba Place ~ Hagerstown, MD ~ 21742-6515
Email: [log in to unmask] ~ AIM: JMBackus
Vmail: 301.988.0614 ~ Fmail: 301.714.1854
Web: www.TechGroupMD.com
-----Original Message-----
From: HP-3000 Systems Discussion [mailto:[log in to unmask]]On
Behalf Of Andreas Schmidt
Sent: Thursday, May 03, 2001 2:04 PM
To: [log in to unmask]
Subject: Re: mpe script for menu at logon
The famous ;PARM=-1 ...
Although having Sec/3000 in place (by a system wide UDC) but not using the
LOGON Background task of VESOFT so far an auditor, unfortunately finding a
password list in Operations (exact: on a NT Lotus Notes server, not
encrypted), was able to login our HP3000 (for one minute ... after this he
was kicked off the system by VESOFTs LOGOFF routine by using a wrong
session name). If he had used an valid session name for SM nobody would
have detected this!
That's the reason we added the BACKG LOGON task, and this is highly
recommended on sites which do want keep the ;PARM=-1 option (for good
reason) but want to close the door for unauthorized usage of this parm.
Having activated the BACKG LOGON, a stop of this process is needed first
(by Ops or SM) before ;PARM=-1 will work as supposed in bypassing System
Wide Logon UDCs.
On top of this, we monitor the execution of BACKG with IT/O OpC (Vantage
Point).
The people from VESOFT could explain more, and there was an article in the
HP 3000 Newswire a while ago on this topic.
Best regards, Andreas Schmidt, CSC, Germany
"Jonathan M. Backus" <[log in to unmask]>@RAVEN.UTC.EDU> on
03/05/2001 06:47:35 PM
Please respond to [log in to unmask]
Sent by: HP-3000 Systems Discussion <[log in to unmask]>
To: [log in to unmask]
cc:
Subject: Re: [HP3000-L] mpe script for menu at logon
Donna,
The one thing you want to be careful about with this example is to
make
sure you allow "parm=-1" on HELLO. If this is the system wide UDC and
somebody purges the "logon.cmd.sys" file everybody will say HELLO fail the
finfo check and automatically be logged off. The only way to get around
the
"lock-out" would be to logon as SM with "-1" to bypass the cataloging of
the
UDC.
Thanx,
Jonathan (Jon) M. Backus, MPE-CSM ~ President
Tech Group ~ 15 Catawba Place ~ Hagerstown, MD ~ 21742-6515
Email: [log in to unmask] ~ AIM: JMBackus
Vmail: 301.988.0614 ~ Fmail: 301.714.1854
Web: www.TechGroupMD.com
-----Original Message-----
From: HP-3000 Systems Discussion [mailto:[log in to unmask]]On
Behalf Of Donna Garverick
Sent: Thursday, May 03, 2001 12:30 PM
To: [log in to unmask]
Subject: Re: mpe script for menu at logon
Rich Farrar wrote:
> I'm trying to set up a simple menu so users can choose after their hello
> logon between entering our manufacturing module, running a QUIZ report,
or
> downloading a file. Basically a simple A) MANMAN B) QUIZ C)DOWNLOAD
choice,
> I don't think this should be too difficult to put in an option logon udc,
my
> problem is I have little experience with MPE scripting. Can anyone point
me
> to some snippets of script to get me started on this? Any help greatly
> appreciated. At the moment we are running V6.0.
i'd suggest attacking this problem in two steps.... first, with a logon
udc
that executes a script. i'd further suggest that this udc includes a 'bye'
at
the end (but that's your call....) the second part is the script itself.
here's an example of a logon udc that does what i've described:
logon
option logon, nobreak, nolist, nohelp
if finfo('logon.cmd.sys','exists')
xeq logon.cmd.sys
endif
bye
***
the checking for the existence of the logon script file is probably not a
bad
idea. it's one of those 'cya' things :-) (of course, the naming and
location
of the script may need adjusting to fit your environment. here, .cmd.sys
is
part of everyone's hppath)
within the logon script, you'd probably want to set up a while loop that
goes
until the user opts to leave. something like:
setvar done false
while not done
<do a bunch of echo's>
<get a menu option>
<evaluate the input>
<do something if 'exit' wasn't picked>
<if 'exit' was picked, set done to true>
endwhile
imo, mpe scripting is very powerful and an admin's friend. you might want
to
check:
<http://docs.hp.com/mpeix/onlinedocs/32650-90493/32650-90493.html>
this manual pretty well explains the fundamentals of mpe scripting. you'll
probably also want to check:
<http://jazz.external.hp.com/papers/SolSymposium_01/CIprogramming/index.htm
>
this builds on the first and should start 'turning on the lightbulb' :-)
hth - d
--
Donna Garverick Sr. System Programmer
925-210-6631 [log in to unmask]
"Unix _is_ user friendly.
It's just very selective about who its friends are.
And sometimes even best friends have fights."
>>>MY opinions, not Longs Drug Stores'<<<
* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
|
