parm groupset="@.!hpaccount"; entry='MaIn'
setvar insidempex 0
# Command file: MPETREE 2003/05/08
# Author: Paul H. Christidis : phchristidis@raytheon.com
# Remarks: Lists the MPE groups of an account, the name of
# each MPE user 'homed' to each group and an indication
# of 'objects' that have 'risky' capabilities (No password,
# SM, PM, or OP capabilities).
#
# NOTE: This was an enhancement of the 'homeuser' command file.
#
# Parameters:
#   groupset - group.account set to report; "?" prints the usage text.
#              The default is every group of the logon account.
#   entry    - internal section selector. The file re-invokes itself
#              with entry set to ParseUserLiSt, ReadUserLiSt,
#              ReadGroupList or ReadAcctList; the default runs the
#              main section.
#
# Security notes:
#   * LISTACCT and LISTUSER are run with the PASS option and their
#     output is captured in the temporary files actlist and usrlist.
#     The parsed PASSWORD fields are also held in the variables
#     _guActPaswrd and _guUsrPaswrd. usrlist2 and the report carry
#     only the home group, user name, flag characters and capabilities.
#   * With TraceOn set, the clean-up section keeps those files and
#     shows every _gu variable instead of deleting them.
#   * The usage RETURN and the ESCAPE after a failed LISTACCT leave
#     this file before the clean-up section runs.
#   NOTE(review): spacing inside ECHO text and quoted literals may have
#   been collapsed in this copy - confirm against the original listing.
#
# Default entry with insidempex non-zero: hand this file and its
# parameters to CI.PUB.SYS and stop the current invocation.
# NOTE(review): insidempex is set to 0 just above; presumably MPEX
# supplies its own value for that name - confirm.
if "!entry" = "MaIn" AND insidempex <> 0 then
  MPE xeq CI.PUB.SYS;PARM=3;info='!hpfile "!groupset",!entry'
  escape
endif
#
#------------------------------------------------------------
# ParseUserList section. Reads file with list of MPE users for the
# account and creates another file that contains the user name, its
# home group and the user capabilities. Done to 'speed up' later
# processing and facilitate reporting of users without home group.
#
# Input is the LISTUSER output on stdin, ended by the $eou$ sentinel.
# Each output record is homegroup|user|flags|capabilities| and the
# password text itself is not copied into usrlist2.
# Flag positions: 1 = n (blank PASSWORD field), 2 = s (SM),
# 3 = p (PM), 4 = o (OP); a dot means the flag is not set.
# NOTE(review): the n flag relies on the PASSWORD field being blank
# only when no password is set - confirm for the target system.
#
if "!entry" = "ParseUserLiSt" then
  file usrlist2,oldtemp
# A filler record becomes the first line of usrlist2.
  echo xxxxxxxxxx > usrlist2
  while POS("$eou$",(SETVAR(_guText,INPUT()))) = 0 do
    if POS("USER: ",_guText) <> 0 then
# User name starts at column 7; the account suffix is removed.
      setvar _guUser RTRIM(STR(_guText,7,17) - ".!_guAcct")
    elseif POS("HOME GROUP: ",_guText) <> 0 then
# Home group starts at column 13; columns 43-50 of the same line
# are read as the PASSWORD field.
      setvar _guHomegroup RTRIM(STR(_guText,13,17)) + ".!_guAcct"
      setvar _guUsrPaswrd RTRIM(STR(_guText,43,8))
    elseif POS("CAP: ",_guText) <> 0 then
# Capability list is the text from column 6 on, downshifted.
      setvar _guUsrCap DWNS(RHT(_guText,-6))
#
      setvar _guUFlags "...."
      if LEN(_guUsrPaswrd) = 0 then
        setvar _guUFlags "n..."
      endif
      if POS("sm",_guUsrCap) <> 0 then
        setvar _guUFlags LFT(_guUFlags,1) + "s.."
      endif
      if POS("pm",_guUsrCap) <> 0 then
        setvar _guUFlags LFT(_guUFlags,2) + "p."
      endif
      if POS("op",_guUsrCap) <> 0 then
        setvar _guUFlags LFT(_guUFlags,3) + "o"
      endif
# The CAP line closes a user entry, so the record is written here.
      echo !_guHomegroup|!_guUser|!_guUFlags|!_guUsrCap|>>*usrlist2
    endif
  endwhile
  echo $eou$ >>*usrlist2
  return
#
# ReadUserList section. Reads file with list of MPE users for the
# account and reports anyone that has the 'current' MPE group as his
# home group. It also lists the user's capabilities.
#
# Input is usrlist2 on stdin; the group to match is in _guReqGroup.
# Capability text longer than 54 characters is split and the
# remainder is printed on a second line.
#
elseif "!entry" = "ReadUserLiSt" then
  while POS("$eou$",(SETVAR(_guText,INPUT()))) = 0 do
    setvar _guHomegroup WORD(_guText,"|")
    if _guHomegroup = _guReqGroup then
      setvar _guUser WORD(_guText,"|",2)
      setvar _guUFlags WORD(_guText,"|",3)
      setvar _guUsrCap WORD(_guText,"|",4)
      setvar _guLongCap LEN(_guUsrCap) > 54
      if _guLongCap then
        setvar _guUsrCap2 _guUsrCap - LFT(_guUsrCap,54)
        setvar _guUsrCap LFT(_guUsrCap,54)
      endif
#
# Flagged users show the flags in parentheses; _guSecFlags records
# that a flagged object was printed, which the main section tests
# before printing the legend. Each ECHO below is continued onto a
# second physical line.
      if _guUFlags <> "...." then
        echo | |--![DWNS(_guUser)] ![RPT(" ",(10-LEN(_guUser)))](&
!_guUFlags) !_guUsrCap
        setvar _guSecFlags true
      else
        echo | |--![DWNS(_guUser)] ![RPT(" ",(16-LEN(_guUser)))] &
!_guUsrCap
      endif
      if _guLongCap then
        echo | |...![RPT(" ",16)]+!_guUsrCap2
      endif
    endif
  endwhile
  return
#
# ReadGroupList section. Reads file containing list of MPE groups,
# reports each group with its capabilities and for each one 'calls'
# the section for locating any users 'homed' to it.
#
# Input is the LISTGROUP output on stdin, ended by the $eog$ sentinel.
# Group capabilities are not downshifted, so the test below is for
# upper-case PM. PM is the only group attribute flagged here, and
# LISTGROUP is run without the PASS option.
#
elseif "!entry" = "ReadGroupList" then
  while POS("$eog$",(SETVAR(_guText,INPUT()))) = 0 do
    if POS("GROUP: ",_guText) <> 0 then
      setvar _guReqGroup RTRIM(STR(_guText,8,17))
      setvar _guDspGroup _guReqGroup - ".!_guAcct"
    elseif POS("CAP: ",_guText) <> 0 then
# A CAP line shorter than 6 characters gets a blank appended,
# presumably so that RHT below has a character to return.
      if LEN(_guText) < 6 then
        setvar _guText _guText + " "
      endif
      setvar _guGrpCap RHT(_guText,-6)
      setvar _guGflags " "
#
      if POS("PM",_guGrpCap) <> 0 then
        setvar _guGflags "[ P ]"
        setvar _guSecFlags true
      endif
# The next ECHO is continued onto a second physical line.
      echo |__!_guDspGroup ![RPT(" ",(12-LEN(_guDspGroup)))] &
!_guGflags !_guGrpCap
# List the users homed to this group; usrlist2 is re-read each time.
      xeq !hpfile ;entry="ReadUserLiSt" <*usrlist2
    endif
  endwhile
  return
#
# ReadAcctList section. Reads file with list of MPE accounts and
# for each one generates a list of groups and list of users. It then
# 'calls' the section for processing each group.
#
# Input is the LISTACCT output on stdin, ended by the $eoa$ sentinel.
# The account PASSWORD field is read from columns 43-50 of the
# DISC SPACE line. Account flags use upper-case N, S, P and O.
#
elseif "!entry" = "ReadAcctList" then
  while POS("$eoa$",(SETVAR(_guText,INPUT()))) = 0 do
    if POS("ACCOUNT: ",_guText) <> 0 then
      setvar _guAcct RTRIM(STR(_guText,10,8))
    elseif POS("DISC SPACE: ",_guText) <> 0 then
      setvar _guActPaswrd RTRIM(STR(_guText,43,8))
    elseif POS("CAP: ",_guText) <> 0 then
      if LEN(_guText) < 6 then
        setvar _guText _guText + " "
      endif
      setvar _guActCap DWNS(RHT(_guText,-6))
      setvar _guLongActCap LEN(_guActCap) > 54
      if _guLongActCap then
        setvar _guActCap2 RHT(_guActCap,-55)
        setvar _guActCap LFT(_guActCap,54)
      endif
# Temporary file grplist receives the LISTGROUP output; it is built
# only when it does not exist yet.
      file grplist=grplist,oldtemp
      if NOT FINFO("grplist","exists") then
        build grplist;rec=,,v,ascii;disc=50000;temp
      endif
      echo
      echo !_guBell Getting MPE groups for '!_guAcct' account....
# CONTINUE keeps the file running if LISTGROUP fails; hpcierr is
# tested afterwards and the tail of grplist is shown on failure
# (presumably the error text).
      errclear
      continue
      listgroup !_guGroup.!_guAcct >*grplist
      if hpcierr <> 0 then
        print *grplist;page=0;start=-1
      else
        echo $eog$ >>*grplist
#
# Generate list of users, Parse 'user list' for user name, home group
# and capabilities, print heading, 'call' command section to report
# any 'homeless' users and then the section to process each group.
#
# The PASS option puts the PASSWORD field into the captured output,
# so usrlist should be treated as sensitive until it is purged by
# the clean-up section.
        file usrlist,oldtemp
        listuser @.!_guAcct;pass > usrlist
        echo $eou$ >>*usrlist
        xeq !hpfile ;entry="ParseUserLiSt" <*usrlist
        echo !_guClear
        echo !>AccountName
        echo |__GroupName Sec *
        echo | |--UserName Flags Capabilities
        echo ----------------- ------ ![RPT("-",54)]
        setvar _guAFlags "...."
        if LEN(_guActPaswrd) = 0 then
          setvar _guAFlags "N..."
        endif
        if POS("sm",_guActCap) <> 0 then
          setvar _guAFlags LFT(_guAFlags,1) + "S.."
        endif
        if POS("pm",_guActCap) <> 0 then
          setvar _guAFlags LFT(_guAFlags,2) + "P."
        endif
        if POS("op",_guActCap) <> 0 then
          setvar _guAFlags LFT(_guAFlags,3) + "O"
        endif
#
# Each ECHO below is continued onto a second physical line.
        if _guAFlags = "...." then
          echo !>!_guAcct ![RPT(" ",(23-LEN(_guAcct)))]&
!_guActCap
        else
          echo !>!_guAcct ![RPT(" ",(16-LEN(_guAcct)))]{&
!_guAFlags} !_guActCap
          setvar _guSecFlags true
        endif
        if _guLongActCap then
          echo |...![RPT(" ",19)]+!_guActCap2
        endif
#
# Users with a blank home group were recorded with only the account
# suffix as their group, so that value selects them here.
        setvar _guReqGroup RTRIM(".!_guAcct")
        xeq !hpfile ;entry="ReadUserLiSt" <*usrlist2
#
        xeq !hpfile ;entry="ReadGroupList" <*grplist
      endif
    endif
  endwhile
  return
#
# Main Section:
# Display banner and/or usage, validate parameters, build files.
else
  echo (PHC) MPE Structure with Cap/Risk V2003.05.08 !hpdatef, !hptimef
  setvar _guClear " "
  setvar _guBell " "
# When hpduplicative is true, _guClear becomes a terminal escape
# sequence and _guBell the bell character CHR(7).
  if hpduplicative then
    setvar _guClear CHR(27)+"&a0c-1R"+CHR(27)+"J"+CHR(27)+"&a0c-1R"
    setvar _guBell CHR(7)
  endif
  setvar _guGroup UPS("!groupset")
# NOTE(review): this RETURN skips the clean-up section, so the
# _gu variables set so far stay defined.
  if "!_guGroup" = "?" then
    echo Usage: !_guBell
    echo ![BASENAME(hpfile)] [ GroupSet ]
    echo
    echo Produces a 'structure tree' of an account's MPE groups and
    echo users along with the capability list for each 'object', while
    echo flagging, in the process, objects with 'risky' capabilities.
    echo
    echo GroupSet - An MPE group name in the form "Group.Account".
    echo While wild card characters are allowed for the "group"
    echo and "account" name portions of the specification, its
    echo "processing" depends on the user's capabilities.
    return
  endif
# Split groupset at its first dot into group and account parts.
# NOTE(review): groupset is not validated. Without a dot POS gives 0
# and the STR length becomes -1; the value is also substituted as
# text into the LISTACCT and LISTGROUP command lines - confirm that
# callers can only pass a plain group.account set.
  setvar _guAcct _guGroup
  setvar _guGroup STR(_guGroup,1,(POS(".",_guGroup)-1))
  setvar _guAcct _guAcct - "!_guGroup."
  file actlist=actlist,oldtemp
  if NOT FINFO("actlist","exists") then
    build actlist;rec=,,v,ascii;disc=50000;temp
  endif
# LISTACCT with PASS captures the account PASSWORD field in actlist.
# On failure the tail of actlist is shown and ESCAPE leaves the file
# without running the clean-up section, so actlist is not purged.
  errclear
  continue
  listacct !_guAcct;pass >*actlist
  if hpcierr <> 0 then
    print *actlist;page=0;start=-1
    escape !hpcierr
  endif
  echo $eoa$ >>*actlist
  xeq !hpfile ;entry="ReadAcctList" <*actlist
  echo
# The legend is printed only when some section set _guSecFlags.
  if BOUND(_guSecFlags) then
    echo * N|n - Without MPE Password, S|s - Has 'SM' capability
    echo P|p - Has 'PM' capability, O|o - Has 'OP' capability
    echo NOTE: MPE groups are ONLY checked for 'PM' capability.
    echo
  endif
endif
# **CLEAN UP**
# Normal path: delete every _gu variable and purge the four temporary
# files. With TraceOn set and true, nothing is removed: the variables
# (including the parsed PASSWORD fields) are shown and the temporary
# files, including the LISTACCT and LISTUSER captures, are kept.
if BOUND(TraceOn) AND TraceOn then
  showvar _gu@
  listftemp @,2
else
  deletevar _gu@
  purge grplist ,temp > $null
  purge actlist ,temp > $null
  purge usrlist ,temp > $null
  purge usrlist2 ,temp > $null
endif
echo ** End of ![BASENAME(hpfile)] **