topic Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge in Operating System - OpenVMS

%SHOW-W-NOAUDITING, security auditing disabled; no events will be logge

Clark Powell — Wed, 17 Sep 2008 21:11:03 GMT

After getting this message at the end of the SHOW AUDIT display (shown below) we have come to conclusion that the file VMS$AUDIT_SERVER.DAT can be located in different locations using the logical, VMS$AUDIT_SERVER, but that doesn't mean that it can be shared by a cluster. That is, every node must have it's own VMS$AUDIT_SERVER.DAT. We have our logical pointing to the same spot on both nodes and the audit server only runs and collects data on the first node to start. Does anyone agree with this or have a different idea of what our audit server problem might be?

$ show audit
System security alarms currently enabled for:
ACL
Authorization
Audit: illformed
Breakin: dialup,local,remote,network,detached
Logfailure: batch,dialup,local,subprocess,detached

System security audits currently enabled for:
ACL
Authorization
SYSGEN
Audit: illformed
Breakin: dialup,local,remote,network,detached
Logfailure: batch,dialup,local,remote,network,subprocess,detached
Privilege use:
OPER

%SHOW-W-NOAUDITING, security auditing disabled; no events will be logged

thanks,
Clark Powell

Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge

Jon Pinkley — Wed, 17 Sep 2008 22:39:10 GMT

what does show audit/all say at the top?

Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge

Jon Pinkley — Wed, 17 Sep 2008 22:56:07 GMT

As far as VMS$AUDIT_SERVER.DAT, we have a 2 node cluster running Alpha VMS 7.3-2 from a common system disk. We do not have VMS$AUDIT_SERVER defined as a logical name.

The file is in our sys$common:[sysmgr] directory, and it is shared by both nodes.

This is a realatively small file, it has the audit settings in it, not the audit records.

What version(s) of VMS are in your cluster?

I am not sure, but I think this information needs to be the same on all cluster nodes, i.e. I don't believe it is possible to have different items audited on different nodes, although I have never tried puting the VMS$AUDIT_SERVER.DAT file in a system specific location.

Jon

Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge

Jon Pinkley — Wed, 17 Sep 2008 23:25:00 GMT

Please look at sys$manager:sylogicals.template.

This has a list of the "Site-specific VMScluster core file definitions" that should be the same for all memebers of the cluster.

The intent is that VMS$AUDIT_SERVER be one file that is shared by all cluster nodes.

Where are you defining VMS$AUDIT_SERVER? It needs to be defined before the audit server starts. SYS$MANAGER:SYLOGICALS.COM is the normal place where it would be defined.

I am attaching an extract from sys$manager:sylogicals.com on an Alpha VMS 8.3 system.

Jon

Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge

Karl Rohwedder — Thu, 18 Sep 2008 03:54:37 GMT

Perhaps someone defined SYS$AUDIT_SERVER_INHIBIT? Check with SHOW LOGICAL.

regards Kalle

Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge

Wim Van den Wyngaert — Thu, 18 Sep 2008 06:28:37 GMT

We have a cluster with 2 system disks and 1 shared SAN disk with the common data. We did set aud/dest= to define a common audit file. No problem yet after 6 years.

Wim

Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge

Wim Van den Wyngaert — Thu, 18 Sep 2008 06:43:59 GMT

BTW : our vms$audit_server.dat is on each system disk. It's our responsibility to keep the setting on both nodes the same.

Wim

Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge

Wim Van den Wyngaert — Thu, 18 Sep 2008 08:11:36 GMT

Just tried to use a common file in a test. No problem at all (7.3).
1) did you define the logical on both nodes
2) did you restart audit_server on both nodes
3) is the destination as shown in show aud/all seen by both nodes >
4) nothing in the operator log file/accounting ?

Wim

Wim

Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge

Clark Powell — Thu, 18 Sep 2008 13:48:30 GMT

MORE BACKGROUND:
I have been so uniform in screwing up the audit server on both our Cert and Prod clusters that they have exactly same problem. In each cluster (alpha 8.3 almost all patches) there are two nodes, two separate system disk, logical VMS$AUDIT_SERVER defined on both nodes, logical SYS$AUDIT_SERVER_INHIBIT not defined, (see below,) At boot audit server does not start on both nodes. Here on our Cert cluster you can see what it looks like
right after boot with ALPHAX not running the audit server:
SYSMAN> DO SHO AUDIT
%SYSMAN-I-OUTPUT, command execution on node ALPHAZ
System security alarms currently enabled for:
ACL
Authorization
Audit: illformed
Breakin: dialup,local,remote,network,detached
System security audits currently enabled for:
ACL
Authorization
SYSGEN
Audit: illformed
Breakin: dialup,local,remote,network,detached
Logfailure: batch,dialup,local,remote,network,subprocess,detached
Privilege use:
OPER
%SYSMAN-I-OUTPUT, command execution on node ALPHAX
System security alarms currently disabled
System security audits currently disabled
%SHOW-W-NOAUDSRV, AUDIT_SERVER process not running; use "SET AUDIT/SERVER=START"
to start
%SHOW-W-NOAUDITING, security auditing disabled; no events will be logged

But after executing the SET AUDIT/SERVER=START we get what you see below.

To answer the second respondent on production cluster. I checked this command on both nodes and except for the SHOW-W-NOAUDITING error message the output is the same.

ALPHAC> sho audit/all
List of audit journals:
Journal name: SECURITY
Journal owner: (system audit journal)
Destination: SYS$COMMON:[SYSMGR]SECURITY.AUDIT$JOURNAL
Monitoring: enabled
Warning thresholds, Block count: 100 Duration: 2 00:00:00.0
Action thresholds, Block count: 25 Duration: 0 00:30:00.0

Security auditing server characteristics:
Database version: 4.4
Backlog (total): 100, 200, 700
Backlog (process): 5, 2
Server processing intervals:
Archive flush: 0 00:01:00.00
Journal flush: 0 00:05:00.00
Resource scan: 0 00:05:00.00
Final resource action: purge oldest audit events

Security archiving information:
Archiving events: none
Archive destination:

System security alarms currently enabled for:
ACL
Authorization
Audit: illformed
Breakin: dialup,local,remote,network,detached
Logfailure: batch,dialup,local,subprocess,detached

System security audits currently enabled for:
ACL
Authorization
SYSGEN
Audit: illformed
Breakin: dialup,local,remote,network,detached
Logfailure: batch,dialup,local,remote,network,subprocess,detached
Privilege use:
OPER

%SHOW-W-NOAUDITING, security auditing disabled; no events will be logged
ALPHAC>

thanks for helping!
Clark Powell

Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge

Hoff — Thu, 18 Sep 2008 13:58:46 GMT

You

*must*

set up the logical names per

SYLOGICALS.TEMPLATE

in an OpenVMS cluster.

Yes, OpenVMS might

*appear*

to work if you don't have all the right logical names and the files configured and shared (or -- in the case of a multiple-SYSUAF cluster -- carefully synchronized), but weirdness then tends to ensue.

I'm the perpetrator of that list of logical names, and I implemented that specifically because folks with multiple system disks inevitably got it wrong. (Until I put that list together, *I* got it wrong.) And weirdness ensued. Multiple system disk configurations are particularly prone to weirdnesses.

For the shared files on (I assume) a shared I/O bus, make sure you have the disks mounted at the appropriate place in startup; early on. (I'm assuming a shared I/O bus is present because a two-node cluster is pretty hairy otherwise. And it's way more work.)

If you *do* have these logical names defined and the cluster configured properly (and congrats; that's not easy!), then the next step is to take a look around for audit server dump files, or for whatever is causing the audit server to tip over. DIR SYS$SYSROOT:[*...]*.DMP /SINCE or such, and check the accounting data (ACCOUNT /SINCE=last-boot-time-and-date /FULL SYS$MANAGER:ACCOUNTNG.DAT or such)

Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge

Wim Van den Wyngaert — Thu, 18 Sep 2008 14:13:46 GMT

And my 4) ?

Wim

Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge

Jan van den Ende — Thu, 18 Sep 2008 14:36:04 GMT

Clark,

>>>
there are two nodes, two separate system disk, logical VMS$AUDIT_SERVER defined on both nodes,
<<<

Did you perhaps fall for the trap of having those defined as somehow derived from SYS$SYSDEVICE or SYS$SYSROOT?
(I once made that mistake also, and it puzzled me much, until the famous "Oh no, not THAT simple" experience.)
Those ARE the default definitions, but, in a multi-systemdisk cluster, they point to DIFFERENT devices! Be sure to use LNMs derived from the SAME device, and have that device MOUNTed (for EACH node) by SYLOGICALS.COM

hth

Proost.

Have one on me.

jpe

Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge

Jon Pinkley — Thu, 18 Sep 2008 16:09:00 GMT

Clark,

Here is what the security manual says, which is different than what sylogicals suggests.

HP OpenVMS Guide to System Security
OpenVMS Version 7.3-2

http://h71000.www7.hp.com/doc/732FINAL/aa-q2hlg-te/AA-Q2HLG-TE.pdf

Chapter 9 Security Auditing pg 204
-------------------------------------------------------------------------------------------------------
Moving the File from the System Disk
To relocate the file from the SYS$COMMON:[SYSMGR] directory, edit the command procedure
SYSECURITY.COM. This procedure executes each time the system is rebooted, before the audit server is
started.
To relocate the file, perform the following steps:
1. Change the startup sequence by adding a line to SYSECURITY.COM that directs the operating system to
mount the designated auditing disk before the audit server process is started rather than after. For
example:
$ IF .NOT. F$GETDVI("$1$DUA2","MNT") -
_$ THEN MOUNT/SYSTEM $1$DUA2 AUDIT AUDIT$ /NOREBUILD
The command in this example mounts a volume labeled AUDIT on $1$DUA2 and makes it available
systemwide. MOUNT also assigns the logical name AUDIT$.
2. Move the audit server database to the auditing disk, if you choose. The database remains small and fairly
stable so this step is not essential.
To move the database, add a second line to SYSECURITY.COM to define the system logical name
VMS$AUDIT_SERVER. (The line follows the one that mounts the auditing disk.) In the command, define
a system logical name and assign it to the VMS$AUDIT_SERVER data file on the disk with the logical
name AUDIT$. For example:
$ DEFINE/SYSTEM/EXEC VMS$AUDIT_SERVER AUDIT$:[AUDIT]VMS$AUDIT_SERVER.DAT
This command redirects the audit server database to the volume on $1$DUA2, which was mounted in
step 1.
3. From the DCL level, redirect the security audit log file to the volume mounted in SYSECURITY.COM (see
step 1). Use the SET AUDIT command to update the audit server database with the new location of the
security audit log file, and instruct the audit server process on each node in the cluster to begin using the
file. For example:
$ SET AUDIT/JOURNAL=SECURITY -
_$ /DESTINATION=AUDIT$:[AUDIT]SECURITY
Do not repeat this command on each system restart.
If you use a logical name in the specification of the security audit log file, it must be defined as a
/SYSTEM logical name in SYSECURITY.COM.
-------------------------------------------------------------------------------------------------------

Also see section "Managing the Auditing Subsystem" starting on page 212.

You currently have multiple audit journal files, since each system disk has its own sys$common. Accourding to the manual, that will work, but is not recommended: (from page 203)

-------------------------------------------------------------------------------------------------------
Ordinarily, all cluster events are written to a single audit log file. The use of one security audit log file in a
cluster results in a single record of all security-relevant events on the system. For this reason, one clusterwide
log file is preferable to node-specific audit logs, which lose the interrelationship of events across the cluster,
thus producing an incomplete analysis of security events. You can, if you wish, create node-specific audit logs
(see Maintaining the File), but this is not the recommended procedure.
-------------------------------------------------------------------------------------------------------

One more thing, set audit/start does not do everything needed to start auditing. You must do that, wait for the AUDSRV$CONTROL_MAILBOX to be created, then issue set audit/initiate. Or do what is recommended and use

$ @SYS$SYSTEM:STARTUP AUDIT_SERVER

(See help set audit/server)

Jon

Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge

Clark Powell — Thu, 18 Sep 2008 16:27:16 GMT

SYLOGICALS.COM mounts the disk which has the common logical name definition file and executes it and also is the target of the audit server (now.) This disk has other important files like SYSUAF.DAT so nothing would work if it was not commonly accessible. So that criteria is met.
There are no messages in operator.log that relate to audit server.
Audit server processes run on both nodes as shown:
ALPHAZ> PIPE SHO DEVICE/FILE DSA10: | SEA SYS$INPUT 218455CE
AUDIT_SERVER 218455CE [VMS$COMMON.SYSEXE]AUDIT_SERVER.EXE;1
ALPHAZ> PIPE SHO DEVICE/FILE DSA200: | SEA SYS$INPUT 218455CE
AUDIT_SERVER 218455CE [VMCOMMON]VMS$AUDIT_SERVER.DAT;1
AUDIT_SERVER 218455CE [VMCOMMON]SECURITY.AUDIT$JOURNAL;5
AUDIT_SERVER 218455CE [VMCOMMON]VMS$OBJECTS.DAT;1

After reading the last comments I decided that maybe the journal HAD to be shared so I used a definition that would equate to the same location for BOTH nodes. This only changed the journal entry in SHOW AUDIT/JOURNAL

ALPHAZ> sho audit/jou
List of audit journals:
Journal name: SECURITY
Journal owner: (system audit journal)
Destination: SYSDISK2:[VMCOMMON]SECURITY.AUDIT$JOURNAL
Monitoring: enabled
Warning thresholds, Block count: 100 Duration: 2 00:00:00.0
Action thresholds, Block count: 25 Duration: 0 00:30:00.0

%SHOW-W-NOAUDITING, security auditing disabled; no events will be logged

My guess is that the VMS$AUDIT_SERVER.DAT might be corrupted and require being recreated. (But, I don't know if the audit server would automatically do this if those files were missing....

Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge

Jon Pinkley — Thu, 18 Sep 2008 18:27:49 GMT

Clark,

Just to confirm: you did

$ set audit/initialize

or

$ @SYS$SYSTEM:STARTUP AUDIT_SERVER

after making your changes?

If your VMS$AUDIT_SERVER.DAT was corrupt, why is one node's audit server working correctly?

The data in this file is normally static, so you should be able to copy the working version to the shared directory using convert/share. My guess is that it is not the file, but that the /initialize needs to be done.

Reference: http://h71000.www7.hp.com/wizard/wiz_8897.html

Jon

Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge

Clark Powell — Thu, 18 Sep 2008 19:03:40 GMT

CONCLUSION:

Having SECURITY.AUDIT$JOURNAL in different locations for each node didn't work. I had to execute this command:
Set audit/DESTINATION=SYSDISK2:[VMCOMMON]SECURITY.AUDIT$JOURNAL/JOUR=SECURITY

and then I HAD to restart using
@SYS$SYSTEM:STARTUP AUDIT_SERVER
not
SET AUDIT/SERVER=START

collecting audit data now...

thanks everyone, the forum is working better than some of the HP support I've been getting lately.
Clark

Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge

Jon Pinkley — Fri, 19 Sep 2008 03:19:47 GMT

Sorry for the incorrect syntax I had.

As Clark posted, the correct set audit syntax is

$ set audit /SERVER=[start|initialize]

I left out the "/SERVER=" part in my recommendation.

zero points for this.

Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge

Wim Van den Wyngaert — Fri, 19 Sep 2008 07:46:38 GMT

I don't get it. How can you have 2 different destinations when you have 1 vms$audit_server.dat ?

Wim

Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge

Jon Pinkley — Fri, 19 Sep 2008 08:37:47 GMT

RE:"How can you have 2 different destinations when you have 1 vms$audit_server.dat ?"

If the journal file is set to Destination: SYS$COMMON:[SYSMGR]SECURITY.AUDIT$JOURNAL and you have two different system disks, or if is is set to Destination: SYS$SPECIFIC:[SYSMGR]SECURITY.AUDIT$JOURNAL and you have a shared system disk. Those are two ways I can think of. Although the logical specifications are the same, they will be distinct files.

Jon

Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge

Wim Van den Wyngaert — Fri, 19 Sep 2008 09:39:08 GMT

Jon,

Sorry I was incomplete but I saw the file on dsa200 not being the system disk. So, that should be shared.

I just did a test with 1 vms$audit_server.dat file common for both nodes. No problem at all for getting destination to 2 different disk (destination a:[000000]wim.lis where a is the local page file of both systems, not mounted by each other).

Wrong conclusion ?

Wim