topic Re: Does AUDIT=SECURITY,ACCESS=DELETE work? in Operating System - OpenVMS

Does AUDIT=SECURITY,ACCESS=DELETE work?

Jess Goodman — Wed, 04 Mar 2009 21:48:09 GMT

Can anyone explain why I am not getting a security audit record when I delete a file that has the ACL:
(AUDIT=SECURITY,ACCESS=WRITE+DELETE+SUCCESS+FAILURE)
on it?

$ SHOW SYSTEM/NOPROCESS
OpenVMS V7.3-2 on node AX38 4-MAR-2009 21:30:50
$ SHOW AUDIT /AUDIT
System security audits currently enabled for:
ACL
Authorization
Time
SYSGEN
Audit: illformed
Breakin: dialup,local,remote,network,detached
Logfailure: dialup,local,remote,network,subprocess,detached
QUEUE access:
Failure: submit,manage,delete,control
$ CREATE JUNK.TXT /FDL=NL:
$ SET SECURITY JUNK.TXT -
/ACL=(AUDIT=SECURITY,ACCESS=WRITE+DELETE+SUCCESS+FAILURE)
$ DIRECTORY /SECURITY JUNK.TXT

Directory DSKC:[GOODMAN]

JUNK.TXT;1 [STAFF,GOODMAN] (RWED,RWED,RE,)
(AUDIT=SECURITY,ACCESS=WRITE+DELETE+SUCCESS+FAILURE)

Total of 1 file.
$ DELETE /LOG JUNK.TXT;1
%DELETE-I-FILDEL, DSKC:[GOODMAN]JUNK.TXT;1 deleted (0 blocks)

$ ANALYZE/AUDIT SYS_COMMON:SECURITY.AUDIT$JOURNAL -
/EVENT=ACCESS /SINCE=21:00
%AUDSRV-W-NOSELECT, no records selected

If I just write to the file I do get an audit record. If I put the same ACL on the directory the file is in, then I get an audit record when I delete the file, but that is because of write access to the directory.

Hard to believe that ACCESS=DELETE audits don't work at all, at least thru VMS 7.3-2.

Re: Does AUDIT=SECURITY,ACCESS=DELETE work?

Jess Goodman — Wed, 04 Mar 2009 21:57:50 GMT

Never mind..............

Just figured it out - have to use /EVENT=DELETE instead of /EVENT=ACCESS.

Sorry for wasting bandwidth.

Re: Does AUDIT=SECURITY,ACCESS=DELETE work?

John Gillings — Wed, 04 Mar 2009 22:48:40 GMT

Jess,

> Sorry for wasting bandwidth.

Not waste, it's the accumulation of informative mistakes that brings wisdom.

As we've seen in recent threads, finding the correct ANALYZE/AUDIT query can be difficult (even if it's one of the documented ones!).

Highly targetted ANALYZE/AUDIT commands are great for regular (and debugged) reports, but for casual use, it's usually faster and more reliable to just dump the whole lot!

If in doubt use ANALYZE/AUDIT/FULL/SINCE=time/OUTPUT=file to dump the whole lot and SEARCH the output.

Note although you can PIPE the output into a SEARCH command, you can't use /WINDOW to include text prior to the search string.