topic Re: What does the SYSUAF user account audit flag do? in Operating System - OpenVMS

What does the SYSUAF user account audit flag do?

Neil Ashworth_1 — Tue, 28 Feb 2006 17:20:19 GMT

What exactly is the affect of setting the AUDIT flag on a user account in the SYSUAF. The VMS doc set is decidedly deficient in explaining what it does.

Thanks, Neil

Re: What does the SYSUAF user account audit flag do?

Arch_Muthiah — Tue, 28 Feb 2006 18:13:59 GMT

Neil,

The audit flag can be set to allow auditing of events that are related to specific users.

There are 19 event classes in VMS that VMS audit server can audit. The event classes are from object access, successful and unsuccessful login attempts, to the specific use of a privilege and changes of system parameters. By default, VMS will audit login failures, intrusion attempts (from the Intrusion Database), as well as any changes to the authorization database files (SYSUAF.DAT, NET$PROXY.DAT, etc.) as well as attempts to change the audit server configuration via the SET AUDIT command.

Audit information can be generated as either events or alarms where auditing activity is either logged as an event to the security logfile, as an alarm to an operator terminal or print device. In addition, the audit server can log security events to a remote node for archival and/or analysis.

Archunan

Re: What does the SYSUAF user account audit flag do?

Arch_Muthiah — Tue, 28 Feb 2006 18:20:38 GMT

Neil,

Once we enable the audit for a user using
UAF> modify username/flags=audit,

we can get the activity reports using
$ ANALYZE/AUDIT/SELECT=(FLAGS=MANDATORY,USERNAME=xxxx)SECURITY.AUDIT$JOURNAL

The security logfile,SECURITY.AUDIT$JOURNAL will have all the logged events for the specific user.

Archunan

Re: What does the SYSUAF user account audit flag do?

John Gillings — Tue, 28 Feb 2006 19:31:33 GMT

Neil,

Beware! Setting AUDIT on a UAF record will cause all possible auditable events triggered by that user name to be logged in the audit journal. Typically this is a very large volume of data, even for the most trivial sequence of commands. In most cases is not appropriate (but can be a useful "very big hammer" diagnostic tool).

I recommend you do a test. Check the current size of your audit journal. Select a UAF entry, enable AUDIT, log the user in and logout immediately. Use ANALYZE/AUDIT/SINCE=login-time to see how many audit records were added, also check the expansion of your journal.

If you decide to use FLAG=AUDIT, just make sure you have plenty of disk space for the journal file, and have a plan for managing and archiving the data.

Re: What does the SYSUAF user account audit flag do?

Arch_Muthiah — Tue, 28 Feb 2006 20:05:01 GMT

Neil,

You can find the list of events which can be activated in "VMS guide to system security" manual under 9th chapter "security
Auditing". As Mr.John said, the security audit log file will be large, so make sure you have enough disk space and better have a test auditing with only couple of events enabled.

$ set audit /alarm/audit/enable=(install, mount, ncp, login, logout, etc,...)

Re: What does the SYSUAF user account audit flag do?

John Gillings — Wed, 01 Mar 2006 16:14:27 GMT

Archunan,

>have a test auditing with only couple of events enabled.

Sorry, I didn't explain this clearly enough. The UAF AUDIT flag is independent of SET AUDIT. It doesn't matter how many or how few events are enabled with SET AUDIT, a process with the AUDIT flag always logs ALL possible auditable events that it triggers. As I said, it's a very heavy hammer.