topic Capture / Report Failed Login Attempts in Operating System - OpenVMS

Capture / Report Failed Login Attempts

John T. Farmer — Wed, 02 Dec 2009 17:44:40 GMT

Hello,

I have a management/security request to provide a daily report of failed login attempts. I checked the accounting utility and can list out LOGFAIL entries, but it doesn't appear to provide the account which attempted login.

Is there something within VMS Accounting or some other VMS utility to provide more detailed information for this? Generally, looking for date, time and account that failed.

Running OpenVMS 8.3, available programming tools in DCL and HP COBOL (no C or Fortran, in case there are opensource/freeware utilities recommended). We access the Alpha server using PC terminal emulator over TCP/IP. The system creates TNA device names dynmaically.

Thanks,

John

john dot farmer at genworth dot com

Re: Capture / Report Failed Login Attempts

Hoff — Wed, 02 Dec 2009 18:04:14 GMT

The manual:

OpenVMS Guide to System Security.

The basic DCL commands:

ANALYZE /AUDIT /EVENT=(LOGFAIL, BREAKIN)

SET AUDIT /ENABLE ...

The details are in the manual.

The manuals (various of which you will want to read, this beyond the security manual) are available here:

http://www.hp.com/go/openvms/doc

Re: Capture / Report Failed Login Attempts

Bill Hall — Wed, 02 Dec 2009 18:11:44 GMT

John,

The audit server can be configured to collect and report login failures for you.

$set audit/audit/enable=(logfailure=all)

If you want OPCOM alarms:
$set audit/alarm/enable=(logfailure=all)

brief tabular report:
$analyze/audit/brief/event=(LOGFAIL)/output=report_name.lis

or full detail report:
$analyze/audit/full/event=(LOGFAIL)/output=report_name.lis

Check the Docs System Management utilities and Guide to System Security.
Bill

Re: Capture / Report Failed Login Attempts

John Gillings — Wed, 02 Dec 2009 22:27:20 GMT

John,

> doesn't appear to provide the account
> which attempted login.

This is deliberate. IIRC, the rationale is that login failures often result from people entering their password at the username prompt, so listing the attempted usernames in clear text, in a file like ACCOUNTNG, which may be readable by non system users is not a good idea (consider its primary intent is for billing resources, so it would be reasonable to release ACCOUNTNG.DAT to the accounts department to generate bills).

Auditing gives much more information about login failures than accounting, and has finer control over access. It's also not intended for anything other than security, so it's reasonable as a store for potentially sensitive information.

See Bill's response for commands.

Re: Capture / Report Failed Login Attempts

John T. Farmer — Thu, 03 Dec 2009 19:03:43 GMT

All,

Yes, the audit option provides what I believe will satisfy the mgt request. Great info, thank you all.

John