> Our corporate security auditors insist logons on the HP3000 must "lock
> out" for a period of time after a certain number of failed password
> attempts. I know of no way this is possible, so I thought I would ask if
> anyone on the list knows a way.

Purchase and install HP Security Monitor/iX from HP.

Then use SECCONF.PUB.SYS to configure the number of invalid logon attempts
before MPE will disable the user.

Warning, set it to at least four, for if a user types the return to the
password prompt, three times (very typical), it will disable the user,
resulting in many extra calls to someone who can re-enable the user (must
be MANAGER.SYS, possibly just SM, doesn't allow someone with AM to
re-enable a user in their account).

Also, though it won't disable MANAGER.SYS for sessions, it will for batch
jobs.  If you have a scheduled job (like a nightly backup/audit trail,
etc.) and someone types HELLO MANAGER.SYS and presses return enough times
to disable the user, your scheduled backup job will not log on.

You can find the complete manual for this product at:

http://www.docs.hp.com/mpeix/onlinedocs/32650-90498/32650-90498.html

The price (US) ranges from $4,000 to $7,600, depending upon processor
tier.

Support is additional.

Product number is B3175A.

Why isn't this feature a standard feature of a modern operating system?

The other very useful feature which can be configured is an additional
password for session access to a particular logical device, such as ldev
21 for the remote support modem, or any DTC connected modem ports.

Those are the two features satisfy the most common requests of security
auditors to by banking clients.

Rick Gilligan
Senior Software Specialist
Computer And Software Enterprises, Inc.
E-mail: rick AT case.net

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *