topic Re: audit logins for a particular user in Operating System - OpenVMS

audit logins for a particular user

TMcB — Tue, 16 Nov 2010 11:31:37 GMT

Hi everyone.
i would like to audit logins for one particular user.

At present we audit all logfailures and breakins.
But I'm not sure how to set up auditing the logins for just one user.

Any advice is greatly appreciated

Re: audit logins for a particular user

Craig A — Tue, 16 Nov 2010 12:31:53 GMT

You need to make sure that your audits are properly enabled.

Do a $show audit and post the details here.

Have a look at the ANAL/AUDIT utility - This will allow you to interrogate the security audit journal file.

E.g. $ ANAL/AUDIT/FULL/SEL=USER= -

HTH

Craig

Re: audit logins for a particular user

TMcB — Tue, 16 Nov 2010 12:36:27 GMT

Hi there.
Thanks for getting back to me.

current settings are :
System security alarms currently enabled for:
ACL
Authorization
Audit: illformed
Breakin: dialup,local,remote,network,detached
Logfailure: batch,dialup,local,remote,network,subprocess,detached

System security audits currently enabled for:
ACL
Authorization
Audit: illformed
Breakin: dialup,local,remote,network,detached
Logfailure: batch,dialup,local,remote,network,subprocess,detached

I'm happy enough with using the ANALYZE/AUDIT commands for single users, but at present we dont audit successfull logins.

I know to set it up for all users would be :
set aud /audit /enable=( login=all),
but I dont want to record successful logins for all users - just for one particular user.

Cheers

Re: audit logins for a particular user

Craig A — Tue, 16 Nov 2010 12:43:31 GMT

You can set an audit flag for each individual user but this will generate a LOT of audits for a typical user:

$ MC AUTHORIZE MOD /FLAG=AUDIT

What info do you want to capture regarding the login session?

Can you get it from ACCOUNTING instead?

Craig

Re: audit logins for a particular user

abrsvc — Tue, 16 Nov 2010 12:46:08 GMT

I have used a specific login procedure for an individual account to capture info with the final statment a reference to the standard login procedure. It all depends on what information you are trying to capture. If you can describe in more detail, what you with to log, we can provide some methods.

Dan

Re: audit logins for a particular user

TMcB — Tue, 16 Nov 2010 12:46:37 GMT

Hi there
I just want to record the dates and times and from where the user logged in.

Re: audit logins for a particular user

Craig A — Tue, 16 Nov 2010 12:55:12 GMT

You could add something in SYLOGIN.COM (maybe checking whether the caller holds an identifier - e.g. AUDIT$USER)

and log info lik:

f$getdvi("tt",""tt_accpornam")

or a $show term

That coupled with info from ACCOUNTING should get you what you want.

Craig

Re: audit logins for a particular user

Jan van den Ende — Tue, 16 Nov 2010 13:23:45 GMT

TMcB,

this may or may not be usefull to you, but many moons ago we had a need to occasionally allow remote service access to our system by a remote package supplier.

We DID need to know if they ever touched sensitive info they had no business with.

We provided a captive login to an account, which only did a
$ SET HOST 0/LOG=
with embedded username/password
to another account on another device.
The "entry" account directory was pretty hard shielded and tripwired for any access by the "work" account.

The entry account was normally disusered, and only activited when needed, so we knew when a review was desired.

This may or may not be what you need, but it worked for us.

hth

Proost.

Have one on me.

jpe

Re: audit logins for a particular user

TMcB — Tue, 16 Nov 2010 13:51:53 GMT

thanks -
i think using the users login.com file will be the easiest route. Will look into this

Re: audit logins for a particular user

Craig A — Tue, 16 Nov 2010 14:04:28 GMT

That MIGHT work but also bear in mind that a user will typically have full access to their LOGIN.COM so could easily circumvent anything you place in it for auditing purposes.

Craig

Re: audit logins for a particular user

abrsvc — Tue, 16 Nov 2010 14:06:42 GMT

If there is concern about a user modifying their own login procedure, than I would add a line in the system wide procedure for that specific user. The F$USER lexical will return the UIC. Usse that to filter the logging for your specific user in the common login file.

Dan

Re: audit logins for a particular user

Craig A — Tue, 16 Nov 2010 14:29:07 GMT

Dan

Depending on how Change is managed in an environment will determine whether to go for a user-specific solution (i.e. username of UIC) or a more generic solution.

Personally, it is as much hassle to do the generica solution as it is to do the specific, so that would always be my route.

Craig

Re: audit logins for a particular user

abrsvc — Tue, 16 Nov 2010 14:43:10 GMT

Craig,

Agreed, all is dependent upon the environment. Another possibility that I have used is to change the LGICMD field in the uaf to point to a "logging" procedure that chains to the standard common login procedure. This makes changing logging easy. All that is needed is to change the UAF entry to point to the logging procedure. I have used this technique in the past as well. The bottom line is that you need to determine the security level needed as well as what flexibility you need to accomplish your goal.

Dan

Re: audit logins for a particular user

Joseph Huber_1 — Tue, 16 Nov 2010 15:05:13 GMT

>TMcB:
>At present we audit all logfailures and breakins.

Since the workarounds in sylogin or /flag=defcli are all rather clumpsy,
could You explain why enabling audit for LOGIN (dialup,local,remote,network only) is not an option for Your system?

Re: audit logins for a particular user

Jan van den Ende — Tue, 16 Nov 2010 15:33:43 GMT

Craih,

>>>
That MIGHT work but also bear in mind that a user will typically have full access to their LOGIN.COM so could easily circumvent anything you place in it for auditing purposes.
<<<

THAT is why the second user is completely distinct from the "tranfer" user!

The tranfer user has its own GROUP UIC, and the directory with SET HOST 0 /LOG in LOGIN.COM is as tight as can be!

TMcB:
Success!

Proost.

Have one on me.

jpe

Re: audit logins for a particular user

TMcB — Tue, 16 Nov 2010 16:28:59 GMT

Hi
I didnt want to enable all logins as we have thousands of users and i thought I had read previous warnings that it would be too much to log ALL logins for every user.

If this is not the case, I could just turn on auditing for all successfull logins.

Thanks

Re: audit logins for a particular user

Craig A — Tue, 16 Nov 2010 16:29:45 GMT

Jan

I've never been a fan of this sort of auditing as it is so easy to circumvent.

Craig

Re: audit logins for a particular user

Hein van den Heuvel — Tue, 16 Nov 2010 16:48:23 GMT

>> thanks -
i think using the users login.com file will be the easiest route. Will look into this

Hmmm,

I guess a simple ACCOUNTING report does not give teh righ access port information?

If you need a specific log then I would NOT put it in the normal use LOGIN.COM.
Either put this(*) in SYLOGIN, in a IF "xxx".EQS.F$GETJPI("","USERNAME")

or...

How about modifying the user lgicmd in authorize and point it to a special loginLOG.com which does this(*) logging and then chains to the real login.com

Hein

(*) this =

$ OPEN/APPEN log system_directory:world_writable.log
$ WRITE log write sys$output F$CVTIME(""), " ",f$getjpi("","USERNAME"), " ",f$getdvi("SYS$COMMAND","TT_ACCPORNAM")
$ CLOSE log

Better still would be process creating a permanent mailbox with a system logical name. Loop reading the mailbox writing to the log which now no longer needs world write access.

Re: audit logins for a particular user

Joseph Huber_1 — Tue, 16 Nov 2010 17:49:01 GMT

>>warnings that it would be too much to log ALL

It of course depends (disk-space , do all the thousends user login/logout very frequently ?).
I think if the LOGIN audit is restricted to
/LOGIN=(DIALUP,LOCAL,REMOTE)
then all interactive logins are catched (maybe NETWORK for SSH logins ?).
The vast amount could be detached,batch,subprocess,server, and those would make grow the audit file, not the interactive ones, they occur on a "human" time scale.

Re: audit logins for a particular user

Joseph Huber_1 — Tue, 16 Nov 2010 18:17:19 GMT

Apropos audit file disk space usage:
How about rotating (set audit/server=new_log),
then after evaluation archive the old file into a ZIP archive:
audit log files compress with an avarage ratio of ~90%, so the increase for login auditing is easily compensated.