Re: Auditing SYSUAF modifications to the SYSTEM account

Steven Fletcher_1 · ‎03-02-2009

Hi,

I'm looking for a way to audit modifications to the system account in the SYSUAF file. I've used the help files to generate a command which returns all SYSUAF modifications, but just wondered if there is a way to narrow the select statemnet down to an actual account (i.e. the system account).

This is what I have:
$ analyze /audit sys$manager:security.audit$journal /full /select=subtype=sysuaf_modify

I've tried using the "account" flag, but that doesn't seem to return what I need.

Is it possible, or will I need to write a batch file that will break down the results and find only what I need?

Many thanks,
Terry,

Hoff · ‎03-02-2009

Off-hand, I don't know of a way to do this short of processing the audit records directly (the record format for the file is in the back of the system manager's utilities manual, IIRC) but I'd tend to be concerned around any changes to any UAF entries regardless, not just changes to the SYSTEM username. Other than the last login times and such, most anything in that file that changes is interesting.

Hein van den Heuvel · ‎03-02-2009

All records in the SYSUAF.COM are created equal. Well no, they are not created equal, but any process having access to one, has access to all. As such FILE level autditing is typically all that is needed.

If you wanted to know about changes to one particular record, then you you could just use MCR AUTORHIZE SHOW xxx into a file very so often and keep on comparing. That may tell you that is was changed (and not reset back) but not when nor by who.

With the right license in place you can enable RMS AFTER IMAGE JOURNALING on SYSUAF, which will (with some work) tell you WHEN the record was changed, and maybe by who (I forget whether that's retained. Probably for the purpose of RU journalling, but... Journalling is not auditing)

Maybe it would help if you indicated exactly what problem you are really trying to solve.
- Can not trust the folks with privs?
- some mis-guided security audit?

Hope this helps a little,
Hein

John Gillings · ‎03-02-2009

Terry,

In general, look at an audit record like the one you're interested in to determine the field names to select on. In this case you'd expect it to be /SELECT=(USER_RECORD=SYSTEM) but it doesn't exist.

Although ANALYZE/AUDIT should be able to perform these types of query, not all possibiities are available, and sometimes working out the exact syntax of the command required is too much like hard work. I often find it's simpler to dump a /FULL listing into a file and use SEARCH, or some DCL parsing to narrow down exactly what I want.

$ ANALYZE/AUDIT/FULL/SELECT=(SUBTYPE=SYSUAF_MODIFY) SYS$MANAGER/OUTPUT=AUD.TMP
$ SEARCH AUD.TMP "User record: SYSTEM" /WINDOW=(10,10)

Unfortunately SEARCH of a pipe can't do a prior window, so this needs to go via a temporary file.

A crucible of informative mistakes

Craig A · ‎03-03-2009

Hi John

You can use the ANAL/AUDIT command with PIPE as long as you add /NOINTERACTIVE to the ANAL/AUDIT command.

Craig

Steven Fletcher_1 · ‎03-03-2009

Hi,

thanks for the replies.
Looks like I'll just do an output and parse it through DCl commands.

In response to what it's needed for, it's to combat a point in PCI-DSS compliancy where we are not allowed to use shared accounts.
Previously, the system account had a password which all the system administrators knew, but this breaches PCI-DSS. As a result I have reset the password on the System account and only I know it. We now need auditing on the system account so that if I'm not around and someone needs to use the system account they can reset the password, but it is logged automatically that another user has had access to the system account.

Ideally we'd like to just disuser (and maybe remove) the system account altogether, but after lots of reading up I don't think this is possible, hence the need for this workaround.

Thanks,
Terry.

Ian Miller. · ‎03-03-2009

Normally I disable interactive and network use of the SYSTEM user so it can be used for batch only, and set a long generated password to discourage password guessing. Then all support staff have their own username which have system level privs.

If the SYSTEM user is then needed then its password is set and perhaps interactive access enabled - of course all of this appears in the AUDIT log against the user that did it.

____________________
Purely Personal Opinion

Wim Van den Wyngaert · ‎03-03-2009

Note that audit can be bypassed.

On another node do :
$ def/us sysuaf yournode"us pwd"::sys$system:sysuaf.dat
% mc authoriz4e mod system/pass=toto

and the audit records will be in that other node's audit.

I would go for your own solution (e.g. list/fu system to a file and do a diff).

Wim

Wim

Craig A · ‎03-03-2009

Wim

I suppose a belt and braces approach would be to also add a SUCCESS+WRITE ACL (Audit) on SYSUAF.DAT so that network modifications can be tracked that way.

Craig

Ian Miller. · ‎03-03-2009

the audit ACL on SYSUAF, RIGHTLIST, PROXY is a a good idea

and Wim has successfully demonstrated one reeaon why a proxy for privilged username is a bad idea :-)

____________________
Purely Personal Opinion

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Discussions

Forums

Discussions

Forums

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: Auditing SYSUAF modifications to the SYSTEM account

Auditing SYSUAF modifications to the SYSTEM account