Operating System - OpenVMS

Wim Van den Wyngaert
Honored Contributor

Detect configuration changes for SOX

For SOX reasons, I should be able to detect (unauthorized) configuration changes, i.e. changes to system procedures, configuration databases, etc.

Is someone doing it already? By preference with postable procedures and using standard VMS tools. If not postable, a description will also help me. I was thinking of some kind of checksum.

Wim
Ian Miller.
Honored Contributor

Re: Detect configuration changes for SOX

You could make a database with MD5 checksums of files.

I think pointaudit from pointsecure does this
http://www.pointsecure.com/

LJK/Security does
http://www.ljk.com/ljk/ljk_security.html
____________________
Purely Personal Opinion
Karl Rohwedder
Honored Contributor
Solution

Re: Detect configuration changes for SOX

We run a simple DCL procedure at regular intervals which uses CHECKSUM to create a database of known checksums and compares it to the last run. Any differences are mailed to SYSTEM.

The call is:
- define a path logical of directories to be searched, e.g.
$ define CHECKSUM_PATH SYS$SYSTEM,SYS$SHARE,SYS$LOADABLE_IMAGES
- define some excludes
$ Checksummer_Exclude_1 = ...
- and call
$ @Checksummer *.EXE "" EXE
P1 - filespec
P2 - optional mail target, if not SYSTEM
P3 - tags database

Found it somewhere on the internet and modified it a little.

Perhaps it gives some idea...

regards Kalle
Karl Rohwedder
Honored Contributor

Re: Detect configuration changes for SOX

Just noticed some garbage characters at the end of the attachment, which may be safely ignored.
(File was attached from an NFS share on a VMS system on a Linux system...)

regards Kalle
Wim Van den Wyngaert
Honored Contributor

Re: Detect configuration changes for SOX

Kalle,

Do you also have the config of excludes and the paths that are used?

It seems to do exactly what I need. Only due to DTSS the revision date is not always stable. I logged only hh:mm. And I also logged the file protection.

Wim
Karl Rohwedder
Honored Contributor

Re: Detect configuration changes for SOX

Wim,

Here is the full call sequence from here:

1. Image check
$ Define/NoLog CHECKSUM_PATH -
SYS$SYSTEM,SYS$SHARE,SYS$LOADABLE_IMAGES,SYS$STARTUP,CNC_MANAGER,MEN_PROC,CNC_DISK:[CNC_*MGR_*]
$ Checksummer_Exclude_1 = "SYS$SYSTEM:TERMTABLE.EXE"
$ Checksummer_Exclude_2 = "SYS$LOADABLE_IMAGES:SYS.EXE"
$ Checksummer_Exclude_3 = "SYS$SYSTEM:NETSCAPE-EXPORT.EXE"
$ Checksummer_Exclude_Cnt = 3
$ @Cnc_manager:Checksummer *.EXE "" EXE

2. Procedure check:
$!__check procedures
$ Checksummer_Exclude_1 = "CNC_CLUMGR:SETRIGHTS.COM"
$ Checksummer_Exclude_2 = "SYS$SYSTEM:TNT$EMERGENCY_MOUNT.COM"
$ Checksummer_Exclude_Cnt = 2
$!__loop over TDC commandfiles to skip them from checksumming (they change every day)
$ TDC_Tmp = "SYS$MANAGER:TDC$*$*.COM"
$ TDC_1:
$ Nx = F$Search("''TDC_Tmp'")
$ If (Nx.nes."")
$ Then
$ Checksummer_Exclude_Cnt = Checksummer_Exclude_Cnt + 1
$ Checksummer_Exclude_'Checksummer_Exclude_Cnt' = Nx
$ Goto TDC_1
$ Endif
$ @Cnc_manager:Checksummer *.COM "" COM

regards Kalle
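
Added example, not part of any post in this thread and not the attached Checksummer procedure: a DCL sketch of the baseline-and-compare run described above, driven by the same CHECKSUM_PATH logical and Checksummer_Exclude_n symbols. The SYS$LOGIN:CKS_* file names are assumptions, and the protection string is recorded next to each checksum so that a permission change is also reported.

```dcl
$! Added example, not the attachment from this thread.
$! P1 = wildcard filespec, P2 = mail target (default SYSTEM), P3 = tag.
$! Uses CHECKSUM_PATH and the Checksummer_Exclude_n symbols as shown above.
$! The SYS$LOGIN:CKS_* file names are assumptions.
$! P1 needs a wildcard: F$SEARCH never returns "" for a fixed file name.
$ Set NoOn
$ If P2 .eqs. "" Then P2 = "SYSTEM"
$ Db  = "SYS$LOGIN:CKS_''P3'.DAT"
$ New = "SYS$LOGIN:CKS_''P3'.NEW"
$ Dif = "SYS$LOGIN:CKS_''P3'.DIF"
$ If F$Type(Checksummer_Exclude_Cnt) .eqs. "" Then Checksummer_Exclude_Cnt = 0
$! Resolve each exclude once to the full spec that F$SEARCH will report
$ I = 0
$ Resolve:
$ I = I + 1
$ If I .gt. Checksummer_Exclude_Cnt Then Goto Scan
$ Skip_'I' = F$Search(Checksummer_Exclude_'I')
$ Goto Resolve
$ Scan:
$ Open/Write Out 'New'
$ Next_File:
$ File = F$Search("CHECKSUM_PATH:''P1'", 1)
$ If File .eqs. "" Then Goto Compare
$ I = 0
$ Next_Skip:
$ I = I + 1
$ If I .gt. Checksummer_Exclude_Cnt Then Goto Sum_It
$ If Skip_'I' .eqs. File Then Goto Next_File
$ Goto Next_Skip
$ Sum_It:
$ Checksum 'File'
$ Ok = $Status
$ Sum = "UNREADABLE"
$ If Ok Then Sum = F$String(CHECKSUM$CHECKSUM)
$! Record protection too, so a permission change shows up as a difference
$ Write Out File, " ", Sum, " ", F$File_Attributes(File, "PRO")
$ Goto Next_File
$ Compare:
$ Close Out
$ If F$Search(Db) .eqs. "" Then Goto Promote   ! first run, no baseline yet
$ Differences/Output='Dif' 'Db' 'New'
$! DIFFERENCES exits with severity 1 (success) only when the files match
$ If $Severity .ne. 1 Then Mail/Subject="Checksum changes (''P3')" 'Dif' 'P2'
$ Promote:
$ Rename 'New' 'Db'
$ Exit
```

The baseline file is itself the thing an unauthorized change would need to alter, so its directory should be writable only by the account that runs the job.
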
Wim Van den Wyngaert
Honored Contributor

Re: Detect configuration changes for SOX

And a final question: with what frequency do you run it?

Wim
Karl Rohwedder
Honored Contributor

Re: Detect configuration changes for SOX

Wim,

we run it daily as part of our 'midnight' job.
I've attached the complete routine, which does the CHECKSUMMER call.

regards Kalle
Wim Van den Wyngaert
Honored Contributor

Re: Detect configuration changes for SOX

A remark for those that want to implement this too: ctf$section.dat is a variable record length file with invalid contents.

When you do a checksum with this file, the checksum goes into a cpu loop. I had to reboot the system (an AS500) to get the cpu back.

Wim