The USERS program reports information about users from the USERID file. It is frequently used to determine the name of a file's owner, or a user's default security vector or default subvolume. Its functionality carries no inherent risk.
The information displayed for each user is:
User Name
User Number
Guardian Default Security Vector
Guardian Default Volume
RISK Unrestricted use of the USERS program can potentially make it easier for a hacker to launch a denial of service attack, because the hacker can obtain a list of all userids on the system.
Restricting the use of the USERS program must be weighed against the inconvenience for users who cannot look up the USER NAME when they only know the USER NUMBER and vice versa.
The #USERNAME function in TACL can be used to provide the same translation of USER NAME to USER NUMBER. As a built-in TACL function, #USERNAME cannot be restricted.
BP-FILE-USERS-01 USERS should be secured "UUNU".
BP-OPSYS-LICENSE-01 USERS should be LICENSED.
BP-OPSYS-OWNER-01 USERS should be owned by SUPER.SUPER.
BP-OPSYS-FILELOC-01 USERS must reside in $SYSTEM.SYSnn.
If available, use Safeguard software or a third party object security product to grant access to USERS object files to necessary personnel, and deny access to all other users.
BP-SAFE-USERS-01 Add a Safeguard Protection Record to grant appropriate access to the USERS object file.
Item | Discovery Questions | Look Here: |
---|---|---|
FILE-POLICY | Are all users allowed to use the USERS program? | Policy |
OPSYS-OWNER-01 | Who owns the USERS object file? | Fileinfo |
OPSYS-LICENSE-01 | Is the USERS object file licensed? | Fileinfo |
FILE-USERS-01 | Is the USERS object file correctly secured with the Guardian or Safeguard system? | Fileinfo Safecom |
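
The Fileinfo checks in the table above can be run mechanically against the best-practice items. The following Python code is an added example, not part of the original text or of any vendor tooling; it audits one FILEINFO-style listing line against BP-FILE-USERS-01, BP-OPSYS-LICENSE-01, BP-OPSYS-OWNER-01 and BP-OPSYS-FILELOC-01. The column layout, the position of the "L" licensed flag, the name `audit_users_file` and the sample lines are assumptions constructed for illustration.

```python
import re

# Expected values come from the best-practice items on this page.
EXPECTED_OWNER = (255, 255)   # SUPER.SUPER is user 255,255
EXPECTED_SECURITY = "UUNU"    # BP-FILE-USERS-01
SUBVOL_RE = re.compile(r"^\$SYSTEM\.SYS\d\d$", re.IGNORECASE)  # $SYSTEM.SYSnn

# ASSUMED layout of one FILEINFO-style listing line (not taken from the page):
#   name  code[flags]  eof  date  time  group,user  RWEP ...
# with an "L" flag after the file code marking a licensed file.
LINE_RE = re.compile(
    r"^\s*(?P<name>\S+)\s+(?P<code>\d+)(?P<flags>[A-Z+]*)\s+.*?"
    r"(?P<group>\d{1,3})\s*,\s*(?P<user>\d{1,3})\s+(?P<rwep>\S{4})(?:\s|$)"
)

def audit_users_file(subvol, listing_line):
    """Return (best-practice id, finding) pairs for every failed check."""
    m = LINE_RE.match(listing_line)
    if not m or m["name"].upper() != "USERS":
        return [("PARSE", "no USERS entry recognised in the listing line")]
    findings = []
    if not SUBVOL_RE.match(subvol):
        findings.append(("BP-OPSYS-FILELOC-01", f"located in {subvol}"))
    owner = (int(m["group"]), int(m["user"]))
    if owner != EXPECTED_OWNER:
        findings.append(("BP-OPSYS-OWNER-01", f"owner is {owner[0]},{owner[1]}"))
    if "L" not in m["flags"]:
        findings.append(("BP-OPSYS-LICENSE-01", "file is not licensed"))
    if m["rwep"].upper() != EXPECTED_SECURITY:
        findings.append(("BP-FILE-USERS-01", f"security is {m['rwep']}"))
    return findings

# Constructed sample lines (not real system output).
GOOD_LINE = "USERS   100L   73728 15JUL2002 14:32 255,255 UUNU  36  36"
BAD_LINE = "USERS   100    73728 15JUL2002 14:32 100,7   NUNU  36  36"

if __name__ == "__main__":
    for subvol, line in (("$SYSTEM.SYS00", GOOD_LINE), ("$DATA1.TOOLS", BAD_LINE)):
        print(subvol, audit_users_file(subvol, line) or "compliant")
```

A Safeguard Protection Record (BP-SAFE-USERS-01) does not appear in this listing and still has to be reviewed in Safecom.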
Related Topics
User Administration
LOGON