- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - OpenVMS
- >
- Re: Auditing SYSUAF modifications to the SYSTEM ac...
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-02-2009 08:45 AM
тАО03-02-2009 08:45 AM
I'm looking for a way to audit modifications to the system account in the SYSUAF file. I've used the help files to generate a command which returns all SYSUAF modifications, but just wondered if there is a way to narrow the select statemnet down to an actual account (i.e. the system account).
This is what I have:
$ analyze /audit sys$manager:security.audit$journal /full /select=subtype=sysuaf_modify
I've tried using the "account" flag, but that doesn't seem to return what I need.
Is it possible, or will I need to write a batch file that will break down the results and find only what I need?
Many thanks,
Terry,
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-02-2009 10:55 AM
тАО03-02-2009 10:55 AM
Re: Auditing SYSUAF modifications to the SYSTEM account
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-02-2009 01:18 PM
тАО03-02-2009 01:18 PM
Re: Auditing SYSUAF modifications to the SYSTEM account
If you wanted to know about changes to one particular record, then you you could just use MCR AUTORHIZE SHOW xxx into a file very so often and keep on comparing. That may tell you that is was changed (and not reset back) but not when nor by who.
With the right license in place you can enable RMS AFTER IMAGE JOURNALING on SYSUAF, which will (with some work) tell you WHEN the record was changed, and maybe by who (I forget whether that's retained. Probably for the purpose of RU journalling, but... Journalling is not auditing)
Maybe it would help if you indicated exactly what problem you are really trying to solve.
- Can not trust the folks with privs?
- some mis-guided security audit?
Hope this helps a little,
Hein
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-02-2009 01:19 PM
тАО03-02-2009 01:19 PM
Re: Auditing SYSUAF modifications to the SYSTEM account
In general, look at an audit record like the one you're interested in to determine the field names to select on. In this case you'd expect it to be /SELECT=(USER_RECORD=SYSTEM) but it doesn't exist.
Although ANALYZE/AUDIT should be able to perform these types of query, not all possibiities are available, and sometimes working out the exact syntax of the command required is too much like hard work. I often find it's simpler to dump a /FULL listing into a file and use SEARCH, or some DCL parsing to narrow down exactly what I want.
$ ANALYZE/AUDIT/FULL/SELECT=(SUBTYPE=SYSUAF_MODIFY) SYS$MANAGER/OUTPUT=AUD.TMP
$ SEARCH AUD.TMP "User record: SYSTEM" /WINDOW=(10,10)
Unfortunately SEARCH of a pipe can't do a prior window, so this needs to go via a temporary file.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-03-2009 01:55 AM
тАО03-03-2009 01:55 AM
Re: Auditing SYSUAF modifications to the SYSTEM account
You can use the ANAL/AUDIT command with PIPE as long as you add /NOINTERACTIVE to the ANAL/AUDIT command.
Craig
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-03-2009 02:53 AM
тАО03-03-2009 02:53 AM
Re: Auditing SYSUAF modifications to the SYSTEM account
thanks for the replies.
Looks like I'll just do an output and parse it through DCl commands.
In response to what it's needed for, it's to combat a point in PCI-DSS compliancy where we are not allowed to use shared accounts.
Previously, the system account had a password which all the system administrators knew, but this breaches PCI-DSS. As a result I have reset the password on the System account and only I know it. We now need auditing on the system account so that if I'm not around and someone needs to use the system account they can reset the password, but it is logged automatically that another user has had access to the system account.
Ideally we'd like to just disuser (and maybe remove) the system account altogether, but after lots of reading up I don't think this is possible, hence the need for this workaround.
Thanks,
Terry.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-03-2009 02:59 AM
тАО03-03-2009 02:59 AM
Re: Auditing SYSUAF modifications to the SYSTEM account
If the SYSTEM user is then needed then its password is set and perhaps interactive access enabled - of course all of this appears in the AUDIT log against the user that did it.
Purely Personal Opinion
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-03-2009 03:04 AM
тАО03-03-2009 03:04 AM
SolutionOn another node do :
$ def/us sysuaf yournode"us pwd"::sys$system:sysuaf.dat
% mc authoriz4e mod system/pass=toto
and the audit records will be in that other node's audit.
I would go for your own solution (e.g. list/fu system to a file and do a diff).
Wim
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-03-2009 04:18 AM
тАО03-03-2009 04:18 AM
Re: Auditing SYSUAF modifications to the SYSTEM account
I suppose a belt and braces approach would be to also add a SUCCESS+WRITE ACL (Audit) on SYSUAF.DAT so that network modifications can be tracked that way.
Craig
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-03-2009 04:54 AM
тАО03-03-2009 04:54 AM
Re: Auditing SYSUAF modifications to the SYSTEM account
and Wim has successfully demonstrated one reeaon why a proxy for privilged username is a bad idea :-)
Purely Personal Opinion