topic Submiting batch jobs as a different user in Operating System - OpenVMS

Submiting batch jobs as a different user

Jimson_1 — Tue, 07 Dec 2010 16:05:22 GMT

Hi,

I suspect someone at my place of work may be submitting batch jobs under my UIC. In fact I'm certain of it. Its not malicious but nonetheless its something that I want to keep an eye on.

Anyone know of a way of monitoring this sort of activity?

Re: Submiting batch jobs as a different user

Jan van den Ende — Tue, 07 Dec 2010 16:14:10 GMT

Jimson,

that would require CMKRNL privilege. That should be VERY scarse, and therefor easy to find out!

But other than that, it would require an audit on the submit command. Also pretty straightforward, for a priv'd user.
The audit log is fairly easy to search.
Adding an alarm would usually cause MUCH noise!

hth

Proost.

Have one on me.

jpe

Re: Submiting batch jobs as a different user

Jimson_1 — Tue, 07 Dec 2010 16:18:30 GMT

Unfortunately lots of users here in our development environment have elevated privileges.

Can you explain how to audit the SUBMIT command?

Re: Submiting batch jobs as a different user

RBrown_1 — Tue, 07 Dec 2010 16:25:11 GMT

What version of VMS?

How much privilege do you have?

What do you know about these jobs?

Off the top of my head:

With no privilege at all, when you log in you can see when your last batch login was.

You could modify your LOGIN.COM file to send you mail when a batch job in your name starts. You probably won't need extra privilege to do this, but you won't find out who submitted it.

If accounting is active, you can review processes run with your username or uic. This does not, however, report who submitted it. You will need permission to view the accounting file.

If you turn on image accounting. And see who executes the submit command. If you match this with batch jobs in your name, perhaps you would find out who is doing it. You will need permission to view the accounting file and lots of extra disk space for the larger accounting files.

You could put an alarm or an audit ACE on the submit command to see when it is executed, but you will still need to match this info with accounting or something to figure out which is doing it in your name. And you will need privilege to do this.

You could give everybody a SUBMIT symbol that checks the command line to see if it does /USER=you (and then does the SUBMIT anyway). You will need privilege to this. And any non-privileged user can defeat it.

That is all I can think of for now. Probably somebody else knows a simple obvious way.

Re: Submiting batch jobs as a different user

Hoff — Tue, 07 Dec 2010 16:26:10 GMT

Why do you suspect that SUBMIT is in use here, and why do you suspect this is another user? Please post details, log file contents or other information around the rogue process(es).

As for your question, start with the Security Manual at:

http://www.hp.com/go/openvms/doc

Online help for the specific commands of interest here:

$ HELP SET AUDIT
$ HELP ANALYZE /AUDIT

You can selectively enable alarms or (preferably) audits for batch process creation as well as use of privileges audits.

And using the documented interface, batch jobs are submitted under a username and not under a UIC, and it is entirely possible to have two users with the same UIC.

Re: Submiting batch jobs as a different user

Jimson_1 — Tue, 07 Dec 2010 16:39:39 GMT

Ok that's a start.
I'll modify my login.com to log details of the job which is executing it.

Thanks