topic Re: audit question in Operating System - OpenVMS

audit question

SAMI AHMAD — Mon, 02 Mar 2009 20:05:08 GMT

what does the following audit information means ? :

FILE access:
Failure: read,write,execute,delete,control
SYSPRV: read,write,execute,delete,control
BYPASS: read,write,execute,delete,control
READALL: read,write,execute,delete,control

Re: audit question

John Gillings — Mon, 02 Mar 2009 20:30:12 GMT

SAMI,

This looks like an extract from a SHOW AUDIT command. It could be from "alarms currently enabled" or "audits currently enabled". It shows that auditing will alarm or audit file access events for access failures, and privileged access using SYSPRV, BYPASS or READALL.

Now, what's the real question?

Re: audit question

Hoff — Mon, 02 Mar 2009 20:37:39 GMT

The /HP OpenVMS Guide to System Security/ manual in the OpenVMS documentation set describes the OpenVMS security model, operations, command syntax and auditing.

For that output, that output from the SHOW AUDIT command means that the specified types of file access failures, and failures with the specified privileges, will generate either audits or alarms; as the output was truncated, I can't tell if that's for audits or alarms.

Please take the time to read the manual; it'll save you time, and it'll provide you with insight into how OpenVMS security is structured and operates, and pointers to the available options and commands.

The OpenVMS operating system manuals are available here:

http://www.hp.com/go/openvms/doc/

When you get into audits and alarms and privileges and ACLs (oh, my!), reading through the security manual is necessary but might not be sufficient. Grokking ACLs, for instance, is fundamental to understanding the read, write, execute, delete and control operations, for instance.

Re: audit question

SAMI AHMAD — Fri, 06 Mar 2009 18:49:16 GMT

my question is that our applicatoin having BYPASS priviliges must be generating an audit record on every file access right ?

how much IO benifit I can gain by disabling this file access audit on BYPASs ? how can i do some bench mark testing ?

Re: audit question

Ian Miller. — Fri, 06 Mar 2009 20:28:02 GMT

Is there a requirement to audit use of BYPASS?

If not then use T4 or your choice of performance data collector and analyser and measure what's going on.

Is there a performance issue with this system, (particularly the disk on which the audit log is held) which has lead you to look at this?

Re: audit question

SAMI AHMAD — Fri, 06 Mar 2009 20:56:42 GMT

we see heavy disk IO if we use monitor system. see attachement
so I was logically thinking that if we are auditing every successfull access to all the files this must be a heavy write operation to audit file right or not?

Re: audit question

SAMI AHMAD — Fri, 06 Mar 2009 22:41:16 GMT

here is the attachment !

Re: audit question

Robert Gezelter — Fri, 06 Mar 2009 23:02:37 GMT

Sami,

Actually, I am not sure that the supposition that auditing is involved in the high IO rate is warranted (it is certainly not proven).

As an example, what is the batch job [BATCH_794] doing? Also, there is a fair amount of page faulting.

How this fits into the overall performance picture is an excellent question. This snapshot may be representative, then again, it may not.

The access checks are done when the file is opened, not on every operation. Perhaps, a thorough review of system performance is in order [disclosure: we provide such services, as do Hoff and several other regular contributors].

- Bob Gezelter, http://www.rlgsc.com

Re: audit question

Hein van den Heuvel — Sat, 07 Mar 2009 05:01:30 GMT

>> my question is that our applicatoin having BYPASS priviliges must be generating an audit record on every file access right ?

Only on OPENS, not on simple writes

>> how much IO benifit I can gain by disabling this file access audit on BYPASs ?

Benefit by what measurement standard?
You seem to imply you want the benefit to be less IO. Do you have a reason to believe there is measureable, quantifiable, IO?

>> how can i do some bench mark testing ?

Try with, try without under similar load, over a similar time period and compare?!

>> we see heavy disk IO if we use monitor system. see attachement

I saw the attachement it show a good few DIRECT IOS in total.
So, that's great no? That's supposedly why they bought the system!
And what makes you believe that auditing is an intersting component in that picture?
Hot-file tool?

I see an busy Oracle task, so i would guess that most IOs are going to oracle file. I would want to confirm that by asking Oracle what it is doing (STATS_PACK, AWR,...)

What problem are you really trying to solve?

Best regards,

Hein van den Heuvel ( at gmail dot com )
HvdH Performance Consulting

Re: audit question

SAMI AHMAD — Mon, 09 Mar 2009 15:28:45 GMT

hi Hein !

I think our systems are doing excessive IO and i am trying to investigate that.

regards

Re: audit question

Hein van den Heuvel — Mon, 09 Mar 2009 16:01:04 GMT

Yeah I get that.
I just do not get the approach.
What is the methodology here?
Why did you start looking where you started to look?

Hein