LISTSERV - HP3000-L Archives

HP3000-L Archives

July 2008, Week 2

HP3000-L@RAVEN.UTC.EDU

	LISTSERV Archives
	HP3000-L Home
	HP3000-L July 2008, Week 2

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives
Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]
Subject:	Re: Finding stream job signons
From:	Tom Emerson <[log in to unmask]>
Reply To:	Tom Emerson <[log in to unmask]>
Date:	Mon, 14 Jul 2008 12:28:39 -0700
Content-Type:	text/plain
Parts/Attachments:	text/plain (191 lines)
There is also the approach of "break it and see what fails" -- in this case, I'm fairly sure this is what Vladimir suggests (when promoting Streamx) -- basically, go and change EVERY actual PASSWORD on your system, then watch for what jobs "fail", or (and this is where the sales pitch comes in) use Streamx and it will go ahead and replace "bad" passwords in the file with the "good" password from the system at the time the job is submitted (it doesn't actually change the file-on-disk, but rather what goes to the STREAMS device)

The "good part" about this is that if an intruder gets ahold of a "live" jobstream, the passwords IN THAT FILE will not match the system and the intruder cannot use them to attack your system.  OTOH, if an intruder gets to a relatively insecure account (i.e., one where he can put in an arbitrary file) AND can convince someone with AM or SM capability to submit the job via STREAMX, then the attacker doesn't even need to know or attempt to break the password as streamx will have gone ahead and looked up the current password to submit in the file [this is more of a social engineering problem, though, since the SM should be aware of what he or she is submitting...]

Likewise to the above, if an intruder gets ahold of an OUTDATED jobstream (presumably a bit easier -- perhaps by dumpster diving when some long-time employee retires and their office gets "tidied up"...) again, the passwords in the file (or printout) won't do the attacker any good.  In the rare (?) cases this is a "once a year job", streamx will still insert the correct password.

NOTE: while this does sound like a "big pitch" for streamx, I no longer work for VEsoft [and when I did, it was in tech support, not sales, so I wouldn't get a penny from a sale anyway, but that's beside the point]  There are OTHER third-party job pre-processor/submission tools out there, and even the OS itself (in later years) has the provision for doing much the same (inserting the "actual" password at submission time), so these techniques may apply as well.

----- Original Message ----
From: "Dave Powell, MMfab" <[log in to unmask]>
To: [log in to unmask]
Sent: Monday, July 14, 2008 11:57:22 AM
Subject: Re: [HP3000-L] Finding stream job signons

We have used both Jim's tricks, except that in our case it is command files,
not jobs, that use "echo" to build jobs.  We don't have UDCs doing it, but
that should be possible too.

Have you considered turning it around and tracking the ids of jobs that
actually log on ?  There's a big hole with jobs / logons that aren't used
often, unless you track for a LONG time, but otherwise it should be easy.

I suspect there is someing in the system logs, but if there isn't, you can
roll your own.  In a system logon UDC, insert lines like:
if not hpinteractive
    echo  !hpjobname,  !hpuser,  !hpaccount   >> somefile
endif
If it matters, you could also track "hpstreamedby", date & time, etc.

Then have something read that file and count whatever you need.
At our site, "not hpinteractive" = "is a job".  I think a creative person
could find ways for that not to be true, but I suspect most sites don't play
those tricks.

----- Original Message ----- 
From: "Hawkins, Jim (ESS TCEandQ)" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Monday, July 14, 2008 11:11
Subject: Re: [HP3000-L] Finding stream job signons


Jim,

Not exactly sure what end point you're trying to reach, a few other things to
consider:

1) Don't forget that !JOB is NOT the only way to start a job.

#JOB is valid with "STREAM jobf,#"

(:HELP STREAM ALL)

2) Also around here we have lots of jobs which build other jobs

!echo #JOB xxx.xxxx > *x

so searching just the first record of a file might not catch "all" jobs. . ..

Jim H.

-----Original Message-----
From: HP-3000 Systems Discussion [mailto:[log in to unmask]] On Behalf Of
Bahrs, Art
Sent: Monday, July 14, 2008 9:50 AM
To: [log in to unmask]
Subject: Re: [HP3000-L] Finding stream job signons

Hi Jim & Craig :)
   Hey... If you have grep available - maybe a simple grep command for
the !job pattern... Piping the grep output into another file which can
then be used to do all sorts of wonderful technogeekie things :)

Art "*nix isn't so bad afterall! Hehe" Bahrs

Thanks,
Art
Art Bahrs, CISSP
Security Engineer
Providence Health & Services
[log in to unmask]
Phone: 503-216-2722


-----Original Message-----
From: HP-3000 Systems Discussion [mailto:[log in to unmask]] On
Behalf Of Craig Lalley
Sent: Monday, July 14, 2008 9:28 AM
To: [log in to unmask]
Subject: Re: Finding stream job signons

Jim,

Watch out for message files.  type MSG?

-Craig



--- On Mon, 7/14/08, English, Jim <[log in to unmask]> wrote:

> From: English, Jim <[log in to unmask]>
> Subject: Finding stream job signons
> To: [log in to unmask]
> Date: Monday, July 14, 2008, 11:10 AM
> Does anyone know of a command, or commands, I could use to find all
> stream jobs on our HP3000 system? I want to search the jobs to find
> all signons that are used in stream jobs.
>
> I'm using the MPEX print command to search the system for any file
> that has "!JOB" in the first record, but it's taking a very long time
> (more than 24 hours). This is the command I'm using:
>
> %PURGE JLERPT.JIM
> %BUILD JLERPT.JIM;REC=-256,,F,ASCII;DEV=DISC;DISC=100000
> %FILE JLERPT=JLERPT.JIM,OLD;ACC=APPEND %PRINT
> @[log in to unmask]@[log in to unmask]@[log in to unmask]@.ACCOUNT4+&
> @[log in to unmask](INTCODE=0 AND ISASCII AND LOCKWORD="");&

> SEARCH="!JOB" AND RECNUM=1;OUT=*JLERPT %EXIT
>
> I was using PRINT @[log in to unmask]@, but it kept getting hung up on device files
> in the SYS account and files with lockwords in them, so I changed it
> to search accounts and groups where I know there are stream jobs.
> However, I'd like to really search the entire system to find any jobs
> outside of my current search criteria.
>
> The JLERPT file isn't filling up, because right now, there are 1814
> records in it, and the limit is 100000 records.
>
> We have a lot of files in our HFS directories, and I think that is
> what's contributing to the problem. Account names have been changed to

> protect the innocent.
>
> Thanks,
>
> Jim.
>
> ______________________________________
> James English
> Financial Systems Analyst
> TB Wood's Incorporated
> 440 N. Fifth Avenue
> Chambersburg, PA 17201
> Phone: (717) 264-7161 x2119
> Fax: (717) 264-0890
> Email: [log in to unmask]
> Web: http://www.tbwoods.com
> ______________________________________
> ________________________________________________________
>
> This e-mail is intended solely for the person or entity to which it is

> addressed and may contain confidential and/or privileged information.
> Any review, dissemination, copying, printing, forwarding or other use
> of this e-mail by persons or entities other than the addressee is
> prohibited. If you have received this e-mail in error, please contact
> the sender immediately and delete the material from your computer.
> Opinions, conclusions and other information in this message that do
> not relate to the official business of Altra Industrial Motion, Inc.
> shall be understood as neither given or endorsed by it.
>
> * To join/leave the list, search archives, change list settings, *
> * etc., please visit
> http://raven.utc.edu/archives/hp3000-l.html *

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *


DISCLAIMER:
This message is intended for the sole use of the addressee, and may contain
information that is privileged, confidential and exempt from disclosure under
applicable law. If you are not the addressee you are hereby notified that you
may not use, copy, disclose, or distribute to anyone the message or any
information contained in the message. If you have received this message in
error, please immediately advise the sender by reply email and delete this
message.

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
ATOM RSS1 RSS2
RAVEN.UTC.EDU