Operating System - OpenVMS

Capture / Report Failed Login Attempts

 
John T. Farmer
Regular Advisor


Hello,

I have a management/security request to provide a daily report of failed login attempts. I checked the accounting utility and can list out LOGFAIL entries, but it doesn't appear to provide the account which attempted login.

Is there something within VMS Accounting or some other VMS utility to provide more detailed information for this? Generally, looking for date, time and account that failed.

Running OpenVMS 8.3, available programming tools in DCL and HP COBOL (no C or Fortran, in case there are opensource/freeware utilities recommended). We access the Alpha server using PC terminal emulator over TCP/IP. The system creates TNA device names dynamically.

Thanks,

John

john dot farmer at genworth dot com

4 REPLIES
Hoff
Honored Contributor
Solution

Re: Capture / Report Failed Login Attempts

The manual:

OpenVMS Guide to System Security.

The basic DCL commands:

ANALYZE /AUDIT /EVENT=(LOGFAIL, BREAKIN)

SET AUDIT /ENABLE ...

The details are in the manual.

The manuals (various of which you will want to read, this beyond the security manual) are available here:

http://www.hp.com/go/openvms/doc
Bill Hall
Honored Contributor

Re: Capture / Report Failed Login Attempts

John,

The audit server can be configured to collect and report login failures for you.

$set audit/audit/enable=(logfailure=all)

If you want OPCOM alarms:
$set audit/alarm/enable=(logfailure=all)

brief tabular report:
$analyze/audit/brief/event=(LOGFAIL)/output=report_name.lis

or full detail report:
$analyze/audit/full/event=(LOGFAIL)/output=report_name.lis

Check the Docs System Management utilities and Guide to System Security.
Bill
Bill Hall
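
A daily report built on the ANALYZE/AUDIT commands in the replies above, as an added example that is not part of any poster's reply: a DCL batch procedure that extracts yesterday's LOGFAIL and BREAKIN records, mails the listing and resubmits itself. The procedure name, the report location and the mail recipient SECURITY_ADMIN are assumptions; it also assumes login-failure auditing is already enabled, the audit journal is in its default location, and the job runs under an account that can read the journal.

```dcl
$! DAILY_LOGFAIL.COM  (added example; hypothetical procedure name)
$! Reports the previous day's failed logins from the security audit journal.
$ SET NOON                         ! keep going so one bad run does not stop the job
$!
$! Resubmit first, so the daily chain survives a failure further down.
$ proc = F$ELEMENT(0, ";", F$ENVIRONMENT("PROCEDURE"))    ! strip the version number
$ SUBMIT/AFTER="TOMORROW+00:05"/NOPRINT/LOG_FILE=SYS$MANAGER:DAILY_LOGFAIL.LOG 'proc'
$!
$! Default journal location; change it if the audit server was redirected.
$ journal = "SYS$MANAGER:SECURITY.AUDIT$JOURNAL"
$!
$! Build a date stamp such as 20080512 for yesterday's report name.
$ stamp  = F$CVTIME("YESTERDAY", "COMPARISON", "DATE") - "-" - "-"
$ report = "SYS$MANAGER:LOGFAIL_''stamp'.LIS"             ! assumed report location
$!
$! One line per event, limited to yesterday 00:00 through today 00:00.
$ ANALYZE/AUDIT/BRIEF/EVENT_TYPE=(LOGFAIL,BREAKIN) -
    /SINCE=YESTERDAY/BEFORE=TODAY -
    /OUTPUT='report' 'journal'
$ IF .NOT. $STATUS
$ THEN
$   WRITE SYS$OUTPUT "ANALYZE/AUDIT failed for ''journal'; no report mailed"
$ ELSE
$   ! SECURITY_ADMIN is a placeholder for the real recipient or distribution list.
$   MAIL/SUBJECT="Failed login report ''stamp'" 'report' SECURITY_ADMIN
$ ENDIF
$ EXIT
```

Replacing /BRIEF with /FULL gives the full detail report for each record, as in the reply above.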
John Gillings
Honored Contributor

Re: Capture / Report Failed Login Attempts

John,

> doesn't appear to provide the account
> which attempted login.

This is deliberate. IIRC, the rationale is that login failures often result from people entering their password at the username prompt, so listing the attempted usernames in clear text, in a file like ACCOUNTNG, which may be readable by non system users is not a good idea (consider its primary intent is for billing resources, so it would be reasonable to release ACCOUNTNG.DAT to the accounts department to generate bills).

Auditing gives much more information about login failures than accounting, and has finer control over access. It's also not intended for anything other than security, so it's reasonable as a store for potentially sensitive information.

See Bill's response for commands.
A crucible of informative mistakes
John T. Farmer
Regular Advisor

Re: Capture / Report Failed Login Attempts

All,

Yes, the audit option provides what I believe will satisfy the mgt request. Great info, thank you all.

John