https://community.hpe.com/t5/operating-system-openvms/mailbox-protection/m-p/3931822#M11304 I don't seem to find where the RWPL protection of mailboxes is documented (RW is easy but the other 2). Anyone ?<BR /><BR />Is there a way to change the protection of audit_mbx (set audit/list) ? The default is "allow all", thus anyone can manipulate it.<BR />I know I could do it after the set auduit/list with set sec but this requires a program change in my case, and that I want to avoid.<BR /><BR />Wim<BR /><BR /> Wed, 24 Jan 2007 03:56:39 GMT Wim Van den Wyngaert 2007-01-24T03:56:39Z https://community.hpe.com/t5/operating-system-openvms/mailbox-protection/m-p/3931822#M11304 I don't seem to find where the RWPL protection of mailboxes is documented (RW is easy but the other 2). Anyone ?<BR /><BR />Is there a way to change the protection of audit_mbx (set audit/list) ? The default is "allow all", thus anyone can manipulate it.<BR />I know I could do it after the set auduit/list with set sec but this requires a program change in my case, and that I want to avoid.<BR /><BR />Wim<BR /><BR /> Wed, 24 Jan 2007 03:56:39 GMT https://community.hpe.com/t5/operating-system-openvms/mailbox-protection/m-p/3931822#M11304 Wim Van den Wyngaert 2007-01-24T03:56:39Z https://community.hpe.com/t5/operating-system-openvms/mailbox-protection/m-p/3931823#M11305 Oh yes : I don't want to change the global default mailbox protection. Not even for a second.<BR /><BR />Wim<BR /> Wed, 24 Jan 2007 03:59:52 GMT https://community.hpe.com/t5/operating-system-openvms/mailbox-protection/m-p/3931823#M11305 Wim Van den Wyngaert 2007-01-24T03:59:52Z https://community.hpe.com/t5/operating-system-openvms/mailbox-protection/m-p/3931824#M11306 The MBDRIVER treats IO$_WRITE/READPLBK, READLBLK, READVBLK all the same so I don't think P,L protection bits make any difference. They may for other functions (SENSMODE, SETMODE).<BR /><BR />Your issue is that non-priv users potentiall could read this mailbox?<BR /><BR />I think you need to specify the correct protection when the mailbox is created or use SET SECURITY. Wed, 24 Jan 2007 04:14:03 GMT https://community.hpe.com/t5/operating-system-openvms/mailbox-protection/m-p/3931824#M11306 Ian Miller. 2007-01-24T04:14:03Z https://community.hpe.com/t5/operating-system-openvms/mailbox-protection/m-p/3931825#M11307 Ian : my question is "where is this RWPL documented".<BR />And yes, my issue is that anyone can manipulate the mailbox.<BR />I hope their is some kind of (undocumented)logical to alter the audit mailbox creation behaviour.<BR /><BR />Wim Wed, 24 Jan 2007 04:34:23 GMT https://community.hpe.com/t5/operating-system-openvms/mailbox-protection/m-p/3931825#M11307 Wim Van den Wyngaert 2007-01-24T04:34:23Z https://community.hpe.com/t5/operating-system-openvms/mailbox-protection/m-p/3931826#M11308 Section 4.1.3 of the I/O users Manual documents mailbox protection.<BR /><BR /> Wed, 24 Jan 2007 06:08:32 GMT https://community.hpe.com/t5/operating-system-openvms/mailbox-protection/m-p/3931826#M11308 Ian Miller. 2007-01-24T06:08:32Z https://community.hpe.com/t5/operating-system-openvms/mailbox-protection/m-p/3931827#M11309 Not exactly what I was looking for.<BR /><BR />This did : help set sec /prot. <BR /><BR />A list of what protection codes exist (object class device indicates a mailbox. May be this was choosen too general ?).<BR /><BR />Wim Wed, 24 Jan 2007 07:13:43 GMT https://community.hpe.com/t5/operating-system-openvms/mailbox-protection/m-p/3931827#M11309 Wim Van den Wyngaert 2007-01-24T07:13:43Z https://community.hpe.com/t5/operating-system-openvms/mailbox-protection/m-p/3931828#M11310 Do take a look at the Security Manual, in the region of Chapter 5 entitled Device Protection. <BR /><BR />There are a couple of pages of details there. <BR /><BR />The bits for shared devices are defined as:<BR />Read, Write, Physical, Logical, Control. Unshared devices include Read, Write and Control.<BR /><BR />If you fire up the search box on the PDF, there are numerous references to mailboxes within the security manual. Mostly located within the pages 92 and 96 in the V7.3-2 edition that's presently current.<BR /><BR />ACLs are (an)approach here for protecting a device, though having an audit mailbox exposed in the fashion described looks to be a security bug, and one that appears worthy of a formal report. I'd hope that only suitably privileged users would be able to access and to read the mailbox and its data.<BR /> Wed, 24 Jan 2007 23:39:05 GMT https://community.hpe.com/t5/operating-system-openvms/mailbox-protection/m-p/3931828#M11310 Hoff 2007-01-24T23:39:05Z https://community.hpe.com/t5/operating-system-openvms/mailbox-protection/m-p/3931829#M11311 What is creating the mailbox?<BR />If it's your program then you can control the protection. Thu, 25 Jan 2007 04:43:39 GMT https://community.hpe.com/t5/operating-system-openvms/mailbox-protection/m-p/3931829#M11311 Ian Miller. 2007-01-25T04:43:39Z https://community.hpe.com/t5/operating-system-openvms/mailbox-protection/m-p/3931830#M11312 I think it is the audit_server process.<BR />My program spawns a "set aud/list". So, I will need to modify it if sox audit requires it.<BR /><BR />Wim Thu, 25 Jan 2007 05:29:37 GMT https://community.hpe.com/t5/operating-system-openvms/mailbox-protection/m-p/3931830#M11312 Wim Van den Wyngaert 2007-01-25T05:29:37Z https://community.hpe.com/t5/operating-system-openvms/mailbox-protection/m-p/3931831#M11313 I thought the way that worked is that you create the mailbox then specify its name in the SET AUDIT/LISTENER command?<BR /> Thu, 25 Jan 2007 05:50:54 GMT https://community.hpe.com/t5/operating-system-openvms/mailbox-protection/m-p/3931831#M11313 Ian Miller. 2007-01-25T05:50:54Z https://community.hpe.com/t5/operating-system-openvms/mailbox-protection/m-p/3931832#M11314 No. You create it with set audit/listen=audit_mbx where audit_mbx is a logical created by the set command. <BR /><BR />Audit_server is signaled that it must use the mailbox. But not sure who executes it : a rtl or audit_server or ??? No file is accessed by setaudit.exe (set watch done).<BR /><BR />Wim Thu, 25 Jan 2007 05:58:46 GMT https://community.hpe.com/t5/operating-system-openvms/mailbox-protection/m-p/3931832#M11314 Wim Van den Wyngaert 2007-01-25T05:58:46Z https://community.hpe.com/t5/operating-system-openvms/mailbox-protection/m-p/3931833#M11315 &lt; No. You create it with set <BR />&lt; audit/listen=audit_mbx where a udit_mbx is a <BR />&lt; logical created by the set command. <BR /><BR />If I do a SET AUDIT/LIST=MBX I get an invalid device error. To specify a audit-listener mailbox I had to CREATE/MAILBOX mbx and do a SET AUDIT with the MBAxxx device name, specifying MBX leads again to an error (OpenVMS/Alpha V8.3).<BR /><BR />regards Kalle Thu, 25 Jan 2007 06:18:22 GMT https://community.hpe.com/t5/operating-system-openvms/mailbox-protection/m-p/3931833#M11315 Karl Rohwedder 2007-01-25T06:18:22Z https://community.hpe.com/t5/operating-system-openvms/mailbox-protection/m-p/3931834#M11316 Wim,<BR /> If you create a mailbox (specifying the device protection you require) and then enter a SET AUDIT/LISTENER command specifying the mailbox that you have created then this will give you what you require.<BR /><BR />I tried this using OpenVMS Alpha V8.3 CREATE/MAILBOX command.<BR /><BR />I think in your case the mailbox is being created by SET AUDIT as it does not already exist and it inherits the default protection. Thu, 25 Jan 2007 06:20:46 GMT https://community.hpe.com/t5/operating-system-openvms/mailbox-protection/m-p/3931834#M11316 Ian Miller. 2007-01-25T06:20:46Z https://community.hpe.com/t5/operating-system-openvms/mailbox-protection/m-p/3931835#M11317 OOOEEEEPPPSSSS<BR /><BR />I didn't notice the crembx in the program (Fortran). That explains everything.<BR /><BR />Thanks Kalle &amp; Ian.<BR /><BR />Wim Thu, 25 Jan 2007 06:40:21 GMT https://community.hpe.com/t5/operating-system-openvms/mailbox-protection/m-p/3931835#M11317 Wim Van den Wyngaert 2007-01-25T06:40:21Z