Restricting Privileges
This chapter shows you how to use HITMAN to guard against unauthorized users gaining privileges on your system. You can tell HITMAN to monitor your system and stop processes that hold privilege but whose users are not on your list of authorized users. Use this function as a second line of defense against hackers who appear on the system with privilege without your knowledge. This check is made every data collection interval, when HITMAN wakes up.

HITMAN checks for processes with privileges in the ALL category (a subset of the privileges defined under OpenVMS). Users with one or more of these privileges are considered privileged: BYPASS, CMEXEC, CMKRNL, DETACH, DOWNGRADE, LOG_IO, PFNMAP, PHY_IO, SETPRV, SYSNAM, SYSPRV or UPGRADE. Since multiple privilege masks are in effect for any process, HITMAN V8 now allows you to specify which mask(s) should be checked. Define a system logical, HITMAN$PRIVS, with a value from 1 to 4 to control which mask(s) are checked. The different modes are as follows:

1    This is the default if HITMAN$PRIVS is not defined, and it behaves exactly as HITMAN did in versions 6 and 7. This option checks the process privilege mask. It will, however, terminate any user running a privileged image if that image also requests the privilege for the process. If the image does not request that the privilege be granted to the process, HITMAN will not detect the additional privileges.

2    This option will not detect users as privileged if they are running a privileged image that has requested privilege(s) for the process. This is less secure, but it may eliminate a situation where users are being detected with privileges unexpectedly.

3    This is a more secure variation of option 1. It detects if users can request privileges and acts on them even if they have not yet requested those privileges for their process. It adds a check of the authorized privilege mask.

4    This is a more secure variation of option 2. It also checks the authorized privilege mask and acts on processes that may request privileges.

Use the /AUTHORIZED/USER qualifiers to identify users who may run on the system with privilege. Any user who holds one or more privileges in the ALL category and is not on the authorized list is stopped as soon as their process is detected.

If there are no users in the authorized list, or if /AUTHORIZED/USER=ALL is specified, HITMAN does not make any privilege checks.

If /AUTHORIZED/NOUSER=ALL is specified, all users on the system are checked for privilege. Any user with a privilege in the ALL category is stopped.

LOGINOUT
During the process of logging in, a process has temporary privileges. HITMAN ignores any process running the image LOGINOUT.

MAXSYSGROUP
If the UIC group number for a process is less than or equal to the SYSGEN parameter MAXSYSGROUP, the process is treated as if it had the privilege SYSPRV by default, and is therefore a privileged user. HITMAN automatically ignores these users. It checks the value of MAXSYSGROUP every time it checks for privilege, so any change you make to that parameter takes effect in HITMAN immediately.
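The following model, added here as an illustration and not HITMAN's own code, applies the rules above (the four HITMAN$PRIVS modes, the ALL category, the /AUTHORIZED/USER list, the LOGINOUT exception and the MAXSYSGROUP rule) to a few constructed sample processes, so you can see which mode flags which process. The sample users, images and the MAXSYSGROUP value of 8 are assumptions for the example.

```python
from dataclasses import dataclass

# The ALL category as listed on this page: holding any one of these makes a user "privileged".
ALL_CATEGORY = frozenset({
    "BYPASS", "CMEXEC", "CMKRNL", "DETACH", "DOWNGRADE", "LOG_IO",
    "PFNMAP", "PHY_IO", "SETPRV", "SYSNAM", "SYSPRV", "UPGRADE",
})

@dataclass(frozen=True)
class Process:
    username: str
    uic_group: int               # UIC group number, compared against MAXSYSGROUP
    image: str                   # name of the image the process is running
    base_privs: frozenset        # privileges the process holds on its own
    image_privs: frozenset       # privileges a privileged image requested for the process
    authorized_privs: frozenset  # authorized privilege mask: what the user may request

def examined_mask(proc, mode):
    """Privilege set examined under HITMAN$PRIVS = 1..4 (1 is the default)."""
    if mode not in (1, 2, 3, 4):
        raise ValueError("HITMAN$PRIVS must be 1, 2, 3 or 4")
    mask = set(proc.base_privs)
    if mode in (1, 3):      # modes 1 and 3 see privileges a privileged image requested
        mask |= proc.image_privs
    if mode in (3, 4):      # modes 3 and 4 also check the authorized privilege mask
        mask |= proc.authorized_privs
    return frozenset(mask)

def should_stop(proc, mode, authorized_users, maxsysgroup):
    """authorized_users: None = empty list or /AUTHORIZED/USER=ALL (no checks);
    frozenset() = /AUTHORIZED/NOUSER=ALL (everyone is checked)."""
    if authorized_users is None:
        return False
    if proc.image == "LOGINOUT":         # temporary privileges during login are ignored
        return False
    if proc.uic_group <= maxsysgroup:    # implicit SYSPRV; HITMAN ignores these users
        return False
    if proc.username in authorized_users:
        return False
    return bool(examined_mask(proc, mode) & ALL_CATEGORY)

# Constructed samples (not from the page). JSMITH runs an image that requested CMKRNL;
# MJONES may request SETPRV but has not; OPERATOR is in a system UIC group.
SAMPLES = {
    "jsmith": Process("JSMITH", 200, "EDITOR", frozenset({"TMPMBX"}), frozenset({"CMKRNL"}), frozenset({"TMPMBX"})),
    "mjones": Process("MJONES", 300, "MAIL", frozenset({"TMPMBX"}), frozenset(), frozenset({"TMPMBX", "SETPRV"})),
    "operator": Process("OPERATOR", 1, "SHOW", frozenset({"SYSPRV"}), frozenset(), frozenset({"SYSPRV"})),
}

def verdicts(name, authorized_users=frozenset({"SYSTEM"}), maxsysgroup=8):
    """Return {mode: stopped?} for one sample across all four HITMAN$PRIVS modes."""
    return {m: should_stop(SAMPLES[name], m, authorized_users, maxsysgroup) for m in (1, 2, 3, 4)}
```

Running `verdicts("jsmith")` shows modes 1 and 3 stopping the process because of the image-requested CMKRNL while modes 2 and 4 do not; `verdicts("mjones")` is flagged only by modes 3 and 4, which look at the authorized mask.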

Specifying AUTHORIZE message text
You can tell HITMAN to send a message when a process is killed. You can specify the text of the AUTHORIZE message using the qualifier:

    /AUTHORIZE_MESSAGE="message text"

If you do not specify message text, HITMAN uses the default message text:

    *** PROCESS IS UNAUTHORIZED FOR PRIVILEGE ** ?L?

The maximum length of the message is 200 characters.

Suppressing the /AUTHORIZE message
You can suppress the AUTHORIZE message using the qualifier /NOAUTHORIZE_MESSAGE.

/NOBROADCAST
If users have their terminals set /NOBROADCAST or have typed <CTRL/S>, the AUTHORIZE message is not displayed and an error message is written to the HITMAN_ERROR file. Processes, however, are still terminated.

You can use message variables in the AUTHORIZE message.  For more information on message variables, see the chapter "Warning idle users".

You can specify qualifiers with the message to change the action of the message. If you specify /BELL, HITMAN rings the terminal bell when it sends the message to the user terminal. If you specify /ALARM, HITMAN sends a warning message to the system console when it sends the message to the user terminal. If you specify /KILL, the process is terminated.  If you specify /NOKILL, the process is only warned.

If the logical HITMAN$AUTHORIZE is defined, HITMAN will disuser the user account when it terminates the process.