(* This file contains useful security examples of $LOGON-EXECUTE,    *)
(* to be used in SECURCON.DATA.VESOFT.                               *)
(* NOTE(review): line breaks in this listing were restored at the    *)
(* trailing '&' continuation marks; compare against the installed    *)
(* file before copying any entry.                                    *)

(* The following $LOGON-EXECUTE will abort any previously logged     *)
(* on, concurrent session. The use of this function requires the     *)
(* user to be ALLOWed the ABORTJOB command. Security/3000 has the    *)
(* $ALLOW keyword which does this as illustrated below.              *)
(* We do not consider this a security loophole since low level       *)
(* users should be protected by menus. For the following command     *)
(* to work, you must be an MPEX and Security/3000 user.              *)
(* The ABORTJOB target reads as: same job name and user.account as   *)
(* the session logging on, excluding the current LDEV, online        *)
(* sessions only; NOVERIFY is given and output goes to $NULL, so     *)
(* the abort is silent.                                              *)
(* NOTE(review): $ALLOW ABORTJOB is granted to every member of       *)
(* TWO_USERS, not only to this logon command. Nothing in this file   *)
(* limits which jobs those users may abort once they are logged on,  *)
(* so confirm the "protected by menus" assumption holds for each     *)
(* user in the set before enabling this.                             *)
(* VANILLA.TECH and @.MFG look like sample members - replace them    *)
(* with the site's own users.                                        *)
$DEFINE-USERSET TWO_USERS VANILLA.TECH @.MFG
$ALLOW ABORTJOB !TWO_USERS
$LOGON-EXECUTE "MPE('%ABORTJOB !HPJOBNAME,!HPUSER.!HPACCOUNT-LDEV=!HPLDEVIN&
                &ONLINE;NOVERIFY>$NULL')" !TWO_USERS&ONLINE

(* To display the last and current logon date, time, and ldev,       *)
(* at logon time, use the next two $LOGON-EXECUTE's.                 *)
(* The first prints nothing when LASTLOGONLDEV is 0.                 *)
$LOGON-EXECUTE "IF LASTLOGONLDEV<>0 THEN &
                BEGIN &
                WRITELN(' '); &
                WRITELN('Last logon : ',LASTLOGONDATE,' at ', &
                LASTLOGONTIME,' on LDEV ', LASTLOGONLDEV); &
                END" ONLINE
$LOGON-EXECUTE "WRITELN('Current logon: ',HPINTRODATE[9:2],HPINTRODATE[4:5],&
                HPINTRODATE[15:2],' at ',HPINTROTIME,' on LDEV ', HPLDEVIN,&
                '; DTC port ', NTOKEN(HPDTCPORTID,2,' '),&
                ' (#',HPJOBTYPE,HPJOBNUM,')')" ONLINE

(* LOG all successful modem logons to the SECURITY/3000 log file;    *)
(* i.e. LOG20.DATA.VESOFT.                                           *)
(* Applies to every user (@.@) whose session matches DEV=MODEM.      *)
(* The record holds the job name and user.account only; the LDEV is  *)
(* not written by this entry.                                        *)
$LOGON-EXECUTE "securitylog('MODEM OK: for ' + hpjobname +','+hpuser+'.'+hpaccount)" @.@&DEV=MODEM

(* MODEM security enhanced. ADD userfield definition to profile and  *)
(* allow SECURITY/3000 to check for truly authorized modem users.    *)
(* The session is ended with BYE unless the DIALUP user field, after *)
(* ups(), equals 'Y'; presumably a blank or unset field is rejected  *)
(* as well, so the check fails closed - confirm.                     *)
(* NOTE(review): the modems set is a fixed LDEV list (100, 105, 109) *)
(* while the logging entry above selects on DEV=MODEM. A dial-in     *)
(* port missing from this list would skip the DIALUP check, so keep  *)
(* the list in step with the site's modem ports.                     *)
(* NOTE(review): user.acct looks like a placeholder for the          *)
(* user.account this applies to - confirm before use.                *)
$define-userset modems ldev=100 ldev=105 ldev=109
$user-field dialup "Can this user dial up, (Y/N): " @,user.acct
$logon-execute "if ups(userprofile.uf('DIALUP')) <> 'Y' then &
                BEGIN &
                MPE('echo');&
                MPE('echo You are not authorized to DIAL IN! ');&
                MPE('BYE');&
                END" !modems&@,user.acct

(* An alternative to setting FILE equations from an OPTION LOGON     *)
(* UDC. Include them in a file to be executed at logon time.         *)
(* NOTE(review): SYSFILEQ.PUB.SYS is XEQ'd in the session of every   *)
(* online user, so anyone able to write to that file decides which   *)
(* commands run at each logon. Keep write access to it limited to    *)
(* system management and review changes to it.                       *)
$LOGON-EXECUTE "IF FEXISTS('SYSFILEQ.PUB.SYS') THEN &
                MPE('XEQ SYSFILEQ.PUB.SYS')" @.@&ONLINE

(* Prompt for user input, notify userset of modem logon, and post    *)
(* log record to SECURITY/3000 logging facility.                     *)
(* Applies to @.TELESUP sessions matching DEV=MODEM. The TELL and    *)
(* WARNF messages go to @,MANAGER.SYS.                               *)
(* NOTE(review): the name and call ID are free text typed by the     *)
(* caller and are not checked against anything here. Treat the       *)
(* message and the log record as a self-reported claim, not as       *)
(* authentication of the technician.                                 *)
(* NOTE(review): the typed values are substituted into the MPE       *)
(* command lines through !technician and !callid. Confirm how        *)
(* command-significant characters in a reply are handled before      *)
(* relying on this entry; the securitylog call builds its text with  *)
(* svar() and string concatenation instead.                          *)
$LOGON-EXECUTE "BEGIN &
                WRITELN('Please identify yourself for our records');&
                setvar(technician,readstring('Your name:','nocr'));&
                setvar(callID,readstring('PICS call ID you are responding to:',&
                'nocr'));&
                mpe('%tell @,MANAGER.SYS;HP technician !technician, '+&
                'working on call: !callid, has just logged on SYSTEM!');&
                mpe('%warnf @,MANAGER.SYS;HP technician !technician, '+&
                'working on call: !callid, has just logged on SYSTEM!');&
                securitylog('HPRC:technician '+svar('technician')+&
                '; call:'+svar('callid'));&
                END" @.TELESUP&DEV=MODEM

(* Display, on terminal, WARNING, number of attempts, and last       *)
(* LOGON information.                                                *)
(* Nothing is printed when INVALIDATTEMPTS is 0; one attempt and     *)
(* several attempts get differently worded messages.                 *)
(* NOTE(review): '&dC' and '&d@' inside the strings are presumably   *)
(* HP terminal display-enhancement sequences whose leading escape    *)
(* character was lost in this listing; they are not continuation     *)
(* marks - confirm against the installed file.                       *)
(* NOTE(review): the 'Last attempt was' line prints LASTLOGONDATE,   *)
(* LASTLOGONTIME and LASTLOGONLDEV, the same variables an earlier    *)
(* entry labels 'Last logon'. Confirm whether they describe the      *)
(* failed attempt or the last successful logon; if the latter, the   *)
(* label misleads the user reading the warning.                      *)
$LOGON-EXECUTE "IF (INVALIDATTEMPTS<>0) THEN BEGIN &
                writeln ();&
                IF (INVALIDATTEMPTS=1) THEN &
                WRITELN ('&dCWARNING: &d@There has been an unsuccessful ',&
                'attempt to use this profile!')&
                else &
                WRITELN ('&dCWARNING: &d@There have been ',&
                '&dC***',INVALIDATTEMPTS,'***&d@',&
                ' unsuccessful attempts to use ',&
                'this profile!');&
                writeln ('Last attempt was: ',LASTLOGONDATE, ' at ',&
                LASTLOGONTIME,' on LDEV ',LASTLOGONLDEV);&
                end" online