Audit selected accounts?

 
Björn E Rydén
Occasional Contributor


Hi Gurus,

In OpenVMS 8.3, is it possible to "audit" selected accounts, something like "set host/log"? If so, how do I do it?
Appreciate any help.


Guru-nono
BjörnR
7 REPLIES
Jon Pinkley
Honored Contributor

Re: Audit selected accounts?

BjornR,

By Audit you mean log what is going to the terminal, not the system audits of events?

There are commercial products that allow that to be done. Here is one:

http://www.raxco.co.uk/product.asp?ProductID=96

If you don't mind the overhead and non-transparent nature, there is the freeware JUMP utility that creates a pseudo terminal and allows for a log in a secure location. The formatting leaves a lot to be desired, as rubouts, etc. aren't cleaned up.

It is available from Hunter Goatley's freeware site.

http://vms.process.com/scripts/fileserv/fileserv.com?JUMP

Jon
it depends
Hoff
Honored Contributor

Re: Audit selected accounts?

OpenVMS traditionally monitors object accesses (files, queues, global sections, devices, etc) for success and for failure, and does not log user commands. Objects are the security-relevant and protected structures.

So... Are you dealing with an actual attacker and with improving your security, or are you complying with auditing requirements? The approaches used for these two goals are quite different.

Depending on your goals...

Use dual-password logins, and require both users to be present when the username is in use.

Set the /FLAG=AUDIT auditing flag on the user in SYSUAF.

Set up a "jump" login that issues the SET HOST /LOG for you.

Use a CAPTIVE login for the particular task.

Add-on logging tools including PEEK and SPY.

Logs are popular with auditing standards, but they're a comparatively poor choice for detecting or preventing attacks.

Björn E Rydén
Occasional Contributor

Re: Audit selected accounts?

Thanks for your fast replies.

Our customer's "internal control" department wants the possibility to log activities/commands for a few selected accounts. They want an output somewhat like set host/log...

//Björn
Hoff
Honored Contributor

Re: Audit selected accounts?

You'll want to use a captive login that does a SET HOST /LOG or such. Or add some third-party logging tools. No integrated logging exists. The other approach here (and the likelihood of success varies with the auditors involved) is to teach the auditors about the OpenVMS security model, and about how security auditing and security alarms work.

If you want some backup...

http://labs.hoffmanlabs.com/node/43
John Gillings
Honored Contributor

Re: Audit selected accounts?

Björn,

The UAF /AUDIT flag will record a LOT of information. It may be worth trying it on one of your target accounts to see if it does what your auditors want.

For a keystroke log, you can pay for a commercial product, but there's a "poor man's" mechanism using two accounts.

The username the user logs in with is a captive account with no password. The login procedure issues:

$ SET HOST 0/LOG=logfile L_

Using this syntax, the login starts with the username, so prompts for the password. Thus the user enters their username, then a password, possibly with some messages in between.

The L_ username needs to be at least RESTRICTED, and granted a MUST_BE_LOGGED identifier. If that identifier is present, the SYLOGIN procedure checks the source of the login and requires it to be the correct user and node, indicating that the session is being logged.

If you want to step the security up a notch, have two different nodes. One for logging, with two network adapters. Users log in on one, the node then SET HOSTs through the other one to the target node. Since there's no direct path from the users to the secure node, the only way to get there is via the logging node. (just change the SET HOST 0 to SET HOST ).

Obviously you could use an IP protocol instead of SET HOST, the advantage of SET HOST is you can feed it the username (SSH can do the same with -l).
A crucible of informative mistakes
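
An added sketch of the two-account mechanism described in the post above; it is not part of the original post and not any poster's code. It shows the captive account's login procedure and the SYLOGIN check side by side. Assumptions: the logical name SESSION_LOGS, the node name LOGNODE, and the convention that the real account is named L_ plus the front account's username are all hypothetical.

```dcl
$! ---- Part 1: LOGIN.COM of the captive, passwordless front account ----
$! Assumption: SESSION_LOGS is a hypothetical logical name for the log directory.
$ SET NOON                          ! a failing command must not abort the procedure
$ user = F$EDIT(F$GETJPI("","USERNAME"),"TRIM,UPCASE")
$ logfile = "SESSION_LOGS:" + user + "_" + F$CVTIME(,"COMPARISON","DATE") + ".LOG"
$! Command form as given in the post; the real account is assumed to be L_ + username,
$! so the user is prompted only for that account's password.
$ SET HOST 0/LOG='logfile' L_'user'
$ LOGOUT                            ! the session ends when the logged login ends
$!
$! ---- Part 2: fragment for SYS$MANAGER:SYLOGIN.COM (separate file) ----
$! Accounts holding MUST_BE_LOGGED are only usable when the login arrives
$! from the logging node and from the matching front account.
$ expected_node = "LOGNODE::"       ! hypothetical; the node that runs part 1
$ rights = "," + F$EDIT(F$GETJPI("","PROCESS_RIGHTS"),"COLLAPSE,UPCASE") + ","
$ IF F$LOCATE(",MUST_BE_LOGGED,",rights) .EQ. F$LENGTH(rights) THEN GOTO audit_ok
$ me       = F$EDIT(F$GETJPI("","USERNAME"),"TRIM,UPCASE")
$ rem_node = F$EDIT(F$TRNLNM("SYS$REM_NODE"),"TRIM,UPCASE")
$ rem_user = F$EDIT(F$TRNLNM("SYS$REM_ID"),"TRIM,UPCASE")
$! When the SYS$REM_* names are not defined, F$TRNLNM returns "" and the
$! comparison below fails, so the login is refused.
$ IF rem_node .EQS. expected_node .AND. "L_" + rem_user .EQS. me THEN GOTO audit_ok
$ WRITE SYS$OUTPUT "This account may only be used through the logged entry point."
$ LOGOUT
$audit_ok:
```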
Ian Miller.
Honored Contributor

Re: Audit selected accounts?

Another commercial product that is worth a look is

Pointsecure System Detective

http://www.pointsecure.com/products/sys_det.aspx
____________________
Purely Personal Opinion
Björn E Rydén
Occasional Contributor

Re: Audit selected accounts?

Thanks all for your replies - I'll look more closely into your suggestions, and propose one or more ways for our customer, so they can decide what level of auditing they want.

Thanks!

BR

Björn Rydén