Online Expert Day - HPE Data Storage - Live Now
April 24/25 - Online Expert Day - HPE Data Storage - Live Now
Read more
Operating System - OpenVMS
cancel
Showing results for 
Search instead for 
Did you mean: 

How to find the output file used with @something.com/out=file

Jeff Bath
Advisor

How to find the output file used with @something.com/out=file

Is there a way to find the filename used with the /out= qualifier for a DCL procedure run interactively? I would like to be able to get the output filename from within the procedure. I can use sho dev/files or SDA to see which files it has opened but there is no way to know which is the one from the /output qualifier.
22 REPLIES
Volker Halle
Honored Contributor

Re: How to find the output file used with @something.com/out=file

Jeff,

Guy Peleg has written an article about DCL internals in V1 of the OpenVMS Technical Journal:

http://h71000.www7.hp.com/openvms/journal/v1/dcl.html

Somewhere in there should be information to help find out the filename of the output file...

Volker.
Heinz W Genhart
Honored Contributor

Re: How to find the output file used with @something.com/out=file

Hi Jeff

the file is located in your current working directory.

$ SET DEF user_disk:[user1]
$ @test/out=a.a

You can find a.a in user_disk:[user1]

$ SET DEF user_disk:[user1]
$ @test/out=disk_mgr:[output]test.out

Now you will find the file test.out in disk_mgr:[output]

Hope thet answers your questin

regards

Geni
Jeff Bath
Advisor

Re: How to find the output file used with @something.com/out=file

What if they do /out=somedisk:[dir]a.a? I want to be able to do this from within the procedure. If some other user executes this procedure with the /out qualifier there is currently no way for me to know where the output file is or its name.
Volker Halle
Honored Contributor

Re: How to find the output file used with @something.com/out=file

Jeff,

looks like there is a PPF.MAR example on some old VMSSIG tape:

http://wwwvms.mppmu.mpg.de/vmssig/src/MAR/

ppf.mar (10KB): PPF.MAR PPF translate specified PPF logical name to file specification

SYS$OUTPUT is a process permanent file (PPF) and the above example program seems to be able to obtain the full filespec for a PPF file - I haven't tested that...

Volker.
Jeff Bath
Advisor

Re: How to find the output file used with @something.com/out=file

I was hoping to find a way to do this in DCL.
Dean McGorrill
Valued Contributor

Re: How to find the output file used with @something.com/out=file

I'd guess SDA>sho proc xxx/chan
on your suspect individual. they can
always do it w/o a procedure..

$ @tt:/out=x.tmp
_$ dir x.tmp;
_$ Exit
$ ty x.tmp

Directory DISK$USER2:[MCGORRILL]

X.TMP;153 0/0 25-JUN-2007 10:47:25.33

sda could find this.
Hein van den Heuvel
Honored Contributor

Re: How to find the output file used with @something.com/out=file


Curious minds want to know... WHY do u care?

Anyway, Unless I'm missing something this is a SMOP!?

$create test.c
/*
** show_sys$output.c Hein van den Heuvel, June 2007
**
** Have fun.
*/
#include
#include
main (int argc, char *argv[])
{
struct FAB fab;
struct NAM nam;
int sys$open(), sys$display();
int i, stat;
char rsa[256], sys$output[] = "sys$output:";
fab = cc$rms_fab;
fab.fab$b_shr = FAB$M_UPD;
fab.fab$b_fac = FAB$M_PUT;
fab.fab$l_fna = sys$output;
fab.fab$b_fns = sizeof (sys$output);
fab.fab$l_nam = &nam;
nam = cc$rms_nam;
nam.nam$l_rsa = rsa;
nam.nam$b_rss = sizeof (rsa) - 1;
stat = sys$open ( &fab );
if (!(stat&1)) return stat;
/*
** Ask RMS to fill in the NAM hooked off the FAB.
*/
stat = sys$display ( &fab );
if (!(stat&1)) return stat;

i = nam.nam$b_rsl;
rsa[i]=0;

printf ("fid=(%d,%d,%d), ifi=%04X, rsl=%d, rsa=%s\n",
nam.nam$w_fid[0], nam.nam$w_fid[1], nam.nam$w_fid[2],
fab.fab$w_ifi, i, rsa);
}
$
$cc test
$link test
$create test.com
$run test/nodebug
$exit
[exit]
$@test/output=[.tmp]x.y
$type [.tmp]x.y
fid=(43789,1341,256), ifi=C004, rsl=42, rsa=.TMP]X.Y;1

Cool?

Hope this helps some,
Hein van den Heuvel (at gmail dot com)
HvdH Performance Consulting
Jeff Bath
Advisor

Re: How to find the output file used with @something.com/out=file

Hein,

Basically we want to monitor what the user is doing with this procedure. We also want to keep a log of the exact command line used to invoke this procedure.
Hein van den Heuvel
Honored Contributor

Re: How to find the output file used with @something.com/out=file

Actually... looks like you want this from a DCL procedure. So here is the same, but setting up a (local) symbol: "my_sys$output".
You can readily make that name of that symbol a program argument and/or global.

Hein.

$ type SHOW_SYS$OUTPUT.c
/*
** show_sys$output.c Hein van den Heuvel, June 2007
** Defines DCL Local Symbol: my_sys$output
** Optionally prints details, if any argument is provided.
** Have fun.
*/


#include
#include

main (int argc, char *argv[])
{
struct FAB fab;
struct NAM nam;
struct {int len; char *addr;} symbol_desc, value_desc;
int sys$open(), sys$display(), lib$set_symbol();
int i, stat;
char rsa[256], sys$output[] = "sys$output:", symbol[] = "my_sys$output";
fab = cc$rms_fab;
fab.fab$b_shr = FAB$M_UPD;
fab.fab$b_fac = FAB$M_PUT;
fab.fab$l_fna = sys$output;
fab.fab$b_fns = sizeof (sys$output);
fab.fab$l_nam = &nam;
nam = cc$rms_nam;
nam.nam$l_rsa = rsa;
nam.nam$b_rss = sizeof (rsa) - 1;
stat = sys$open ( &fab );
if (!(stat&1)) return stat;
/*
** Ask RMS to fill in the NAMs hooked off the FAB.
*/
stat = sys$display ( &fab );
if (!(stat&1)) return stat;

i = nam.nam$b_rsl;
rsa[i]=0;

if (argc > 1) printf ("fid=(%d,%d,%d), ifi=%04X, rsl=%d, rsa=%s\n",
nam.nam$w_fid[0], nam.nam$w_fid[1], nam.nam$w_fid[2],
fab.fab$w_ifi, i, rsa);

symbol_desc.addr = symbol;
symbol_desc.len = sizeof (symbol) - 1;
value_desc.addr = rsa;
value_desc.len = i;
return lib$set_symbol ( &symbol_desc, &value_desc);
}
Hoff
Honored Contributor

Re: How to find the output file used with @something.com/out=file

There are ways to track object (these objects are files in most contexts, but there are other types of objects) accesses, and user activity, but command-level monitoring -- whether a specific file used for output, or the specific DCL commands that are executed -- is not a feature available within stock OpenVMS. Yes, you can dig around within the kernel, but there's no default user-level interface.

The futility of logging user input...
http://64.223.189.234/node/47

Dean McGorrill
Valued Contributor

Re: How to find the output file used with @something.com/out=file

Jeff,
there was a freebe watcher.mar somewhere around. I might have the source
and home, you can spy on a tty and watch
what he/she is typing. what do you suspect?
Hoff
Honored Contributor

Re: How to find the output file used with @something.com/out=file

Regarding Dean McGorrill's comment, if you want to monitor a user via inner-mode intercepts, packages such as Peek and Spy and other such tools are listed in the OpenVMS FAQ.

http://64.223.189.234/node/1

There are (or were) various offerings in this area.
Jon Pinkley
Honored Contributor

Re: How to find the output file used with @something.com/out=file

Jack Trachtman "I was hoping to find a way to do this in DCL."

Please explain what you mean by "in DCL". If you mean "pure DCL" where no images are activated, then as Hoff said, there isn't anything in stock VMS that does what you want.

PPF the program is a non-privileged program that can determine the file specification associated with any process permanent file. It sets DCL symbols (up to three, which can be quite different, see the comments in the source code). Other than not being guaranteed to be on every VMS system, this works well with DCL. As written, you have no choice of the symbols that the file name will be placed in, other than recompiling the code (in MACRO32, so that is on every VMS system).

There is no lexical function f$ppf to provide the same info that the ppf program does. (at least not in any version <= 8.3, and I am not aware of any plans for it).

This will work fine as long as someone is not actively trying to avoid it. If you put this into the command procedure, you will need to write the results somewhere, and if you are not protecting the source command procedure against read access, you can't prevent it being copied and being edited to remove any auditing capability you place into it. Also, I am not aware of any way to have DCL open a file using only trusted logical names, so for example, it you were writing to an audit file that was opened using a file name containing logical names, any of the logical names could be replaced by the user's process or job level logical names to point to their own "audit file".

I doubt the command procedure itself is "pure dcl", so if you want to be able to audit the use of programs, and where they write their output, you should be doing it in the program. You have much more control there, and you can then get more information from VMS, i.e. image level accounting and auditing will be able to show you what image accessed the file, etc.

You also have the ability to grant privilege to a program. This gives you the capability to allow a non-privileged user write access to an audit file they do not have write access to from DCL, via subsystem identifiers or a program installed with privilege.

Be aware that it is easy to introduce security vulnerabilities by installing a program with privilege if you are not extremely diligent and paranoid.

If you are still interested in the PPF program, see my comment dated Jun 22, 2007 21:00:12 GMT in the following thread

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1138609

It has the PPF.MAR file attached as a text document, so it will display correctly on windows without jumping through hoops.

It is a useful program, and does work for the case @file/out=, but I don't think you will be able to use it as an auditing tool.

And if you are considering using mail to notify you, try this:

$ def/user mail mymail

and use your imagination as to how that can defeat what you want.

Getting the "raw" command line isn't trivial (at least in my experience). There are ways to get the commands from the recall buffer, but that works only for interactive processes, and can be erased without privilege. (recall/erase).

You may want to look at the jump package on the freeware, but that won't be transparent to the user. I am not sure it this the audit package, is still available, it was a commercial package that attempted to keep a record of what was sent to the terminal in a tamperproof way. I have no experience with the package. It was related to the Raxco support tool carboncopy, but couldn't be turned off by the (unprivileged) user.

If you haven't already read it, read the article referenced in Hoff's reply dated Jun 25, 2007 20:35:55 GMT.

Good luck,

Jon
it depends
Jon Pinkley
Honored Contributor

Re: How to find the output file used with @something.com/out=file

sorry, that should have been

Jeff Bath "I was hoping to find a way to do this in DCL."

Jack opened the other thread I referenced.

Jon.
it depends
Wim Van den Wyngaert
Honored Contributor

Re: How to find the output file used with @something.com/out=file

You can put this is a dcl procedure.
Suppose user to examine had pid X.

$ Ana/sys
set proc/id=X
clue proc/recall
exit

This will show you the recall buffer of the user. Only for interactive users !

Wim
Wim
Hein van den Heuvel
Honored Contributor

Re: How to find the output file used with @something.com/out=file

Wim, Wim, how naive... :-)

Watch this...

$ anal/sys
OpenVMS (TM) Alpha system analyzer
SDA> set proc hein
SDA> clue proc/recal
Process DCL Recall Buffer:
--------------------------
Index Command
1 anal/sys
2 show time
3 edit login.com
SDA>


This is the output from the following session:

$ edit:=="@copy_to_secret_location "
$ show:=="delete/log/conf"
$ define time "[.tmp]*.tmp.*
$ recal /erase
$ edit login.com
Files are being stashed away
$ show time
DELETE <...> ? [N]: y
%DELETE-I-FILDEL,...
:
$ anal/sys
set proc hein
clue proc/recal
Wim Van den Wyngaert
Honored Contributor

Re: How to find the output file used with @something.com/out=file

Yes Hein, easy to bypass but I use it to find out what a user is doing. MY users are very VMS unaware. So, no solution but could help.

Wim
Wim
Dean McGorrill
Valued Contributor

Re: How to find the output file used with @something.com/out=file

Jeff,
what is it you suspect? time for general interactive users, mail spreadsheets
etc is over. pretty much all dedicated systems is what I find. what are you
thinking the user might be doing, that might
help us articulate a solution. -Dean
Jon Pinkley
Honored Contributor

Re: How to find the output file used with @something.com/out=file

"MY users are very VMS unaware. So, no solution but could help."

But someone that knows about @file/out= is more aware of VMS than 99% of the vms using population.

And even if someone is not VMS aware, it is extremely easy to find information on the internet; even here.

Is examining a user's recall buffer or knowing what file is associated with sys$output useful for troubleshooting? Definitely.

But they are not very useful for auditing a malicious user's actions.

Jon

it depends
Wim Van den Wyngaert
Honored Contributor

Re: How to find the output file used with @something.com/out=file

Still have to get my first malicious user. Malicious (HP) programs yes, but not users.

Wim
Wim
Jeff Bath
Advisor

Re: How to find the output file used with @something.com/out=file

I was using this more for troubleshooting than auditing. We have cases where a user (developer or DBA) will say I ran x procedure but its not working. If I have a log of everything they did its much easier for me to troubleshoot. Its not really a big deal I was just hoping there was an easy to do this. I log everything else but I can't capture the /output qualifier.

I could probably look at SYS$OUTPUT and if its a disk device then I can assume that the user used the /output qualifier but I won't know the filename.
Jon Pinkley
Honored Contributor

Re: How to find the output file used with @something.com/out=file

Jeff Bath>>>"I was using this more for troubleshooting than auditing." ... "I log everything else but I can't capture the /output qualifier."

I am curious why you are opposed to using a program to get this info.

Other than an image rundown, and the creation of some DCL symbols, I am not aware of any side effects of running PPF.

You have all the tools needed to get the info if you want it.

Jon
it depends