- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - OpenVMS
- >
- Re: Command Logs in OpenVMS
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-02-2010 02:42 AM
тАО11-02-2010 02:42 AM
Command Logs in OpenVMS
We need to find out who has done the changes at what time.
Where I will get this informtion in OpenVMS
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-02-2010 02:58 AM
тАО11-02-2010 02:58 AM
Re: Command Logs in OpenVMS
>> Where I will get this informtion in OpenVMS
You'll have to ask all the folks which were trusted with the priviliges to achieve this.
Typically the system does not record commands for you.
There may or might not be information for forensic research. It's unlikely though.
- command history/recall is typically not saved, and here might just have the TCPIP command.
- I don't think this is security auditing or operator.log event. It could be audited as successful file open, but typically those are not recorded and you would still not know which open preceded the change.
Your best bet it to determine roughly the time it was changed and from there who might have been logged on.
For repeat cases you could consider adding some 3rd party Change Data Capture (CDC) for RMS to the system, but really you should just ask.
hth,
Hein
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-02-2010 04:45 AM
тАО11-02-2010 04:45 AM
Re: Command Logs in OpenVMS
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-02-2010 06:33 AM
тАО11-02-2010 06:33 AM
Re: Command Logs in OpenVMS
However if the change was truly significant, adjustments of full minutes, hours or days, as Hein said there aren't many *default* mechanisms to check for "fingers in the pie." According to the documentation there are tools in auditing that can watch for changes to date/time but unless that's configured *before* your incident the tracking is non-existant. You could enable "image mode accounting" but the volume of data can be daunting on a very busy system. This, again, has to be setup in advance. You probably wouldn't get a true "smoking gun" with accounting data either. More likely a list of users who touched a more general utility routine instead of a specific time or data adjustment program.
Check into the OpenVMS DCL Dictionary and review the details of SET AUDIT. The specific commands to enable auditing of changes to system time don't seem to be explicitly spelled-out. This is because setting up system security and monitoring really should be done as part of a process instead of a "point solution" just to monitor one item.
Small disclaimer: I'm not at all sure if these are *recent* changes to the auditing tools, as in "for V8.4." I'd expect this information to be in the O/S release notes if it was. Our lab had additional auditing setup and I *think* that we were monitoring time changes back to the V7 timeframe.
bob
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-02-2010 07:05 AM
тАО11-02-2010 07:05 AM
Re: Command Logs in OpenVMS
$ dir/date=m sys$specific:[tcpip$ntp]tcpip$ntp.conf
This might help to pin down the time.
Dave
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-03-2010 07:55 AM
тАО11-03-2010 07:55 AM
Re: Command Logs in OpenVMS
> Typically the system does not record
> commands for you.
> There may or might not be information for > forensic research. It's unlikely though.
> - command history/recall is typically not > saved, and here might just have the TCPIP > command.
If you are able to determine the time that the change was made and you have interactive users that are still logged in, it may be possible to view the command recall buffer for the processes that are still active using the System Dump Analyzer (SDA).
Of course, as Hein stated, this would only include commands issued at the DCL prompt - not any commands issued inside of some other utility like TCPIP. It may, however, contain and edit command for example.
Dave Williams
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-16-2010 02:45 PM
тАО11-16-2010 02:45 PM
Re: Command Logs in OpenVMS
$ show audit/journal
$ analyze/audit/full/ 'journal_file'/out=audit.txt
this possibility depends on the protections of the file, on the audit settings but also on the account used for modifying the file.