Operating System - OpenVMS

Re: How to remove audit journal files in audit settings

 
Wim Van den Wyngaert
Honored Contributor

Re: How to remove audit journal files in audit settings

John A.,

The destination file does exist, because of the first entry that is enabled.

Also noted that set audit/listener is lost when you restart audit server. Good to know because we have a little process pumping it to our monitoring system.

I guess I will have to follow the hint of Kris.

Wim
Wim
John Abbott_2
Esteemed Contributor

Re: How to remove audit journal files in audit settings

Yes, I was just pointing out that I suspect the _subsequent_ ones don't (as that's what I see on my test lab box).

re:
> Also noted that set audit/listener is lost when you restart audit server. Good to know because we have a little process pumping it to our monitoring system

Can't check at the mo, but I'm sure we have an ACE on SETAUDIT.EXE to audit EXE+SUCCESS which triggers an event when listening is disabled; we then automatically re-enable it.

J.
Don't do what Donny Dont does
Wim Van den Wyngaert
Honored Contributor

Re: How to remove audit journal files in audit settings

Wizard John,

How do you trigger the re-listening?

Wim
Wim
John Abbott_2
Esteemed Contributor

Re: How to remove audit journal files in audit settings

Hi Wim :-)

We use a product called Auditor Plus to listen for various security events in real-time and take appropriate action.

I thought we had some call out code which re-enabled it, but it would appear to be a feature within A+. Maybe I can find out how they do it, if you like? (code-wise)

In order for it to work we have to

1) Place at least the following ACL on sys$system:setaudit.exe
(AUDIT=SECURITY,ACCESS=EXECUTE+SUCCESS) or
(ALARM=SECURITY,ACCESS=EXECUTE+SUCCESS)
2) Ensure that ACL auditing and/or alarming is enabled and that ACL is selected when starting the Audit Monitor.

I guess that... This way an alarm is generated and I assume shortly afterwards the mbx dies. A+ reads the mbx and detects no more mbx on next read, so it re-establishes it.

Sorry, not the complete picture, but hope it helps...

Kind Regards
John.
Don't do what Donny Dont does
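The two steps John lists, written out as the DCL commands that perform them. This is an added example, not text from John's post and not part of Auditor Plus; it assumes the caller holds the privilege needed for SET SECURITY and SET AUDIT, and the SHOW commands at the end are only there to verify the result. The point it makes concrete is John's step 2: the Audit or Alarm ACE on SETAUDIT.EXE produces nothing until the ACL event class itself is enabled.

```dcl
$! Added example: audit every successful execution of SETAUDIT.EXE so that
$! a "SET AUDIT" that turns listening off leaves a trace (and can trigger
$! a re-enable by whatever watches the audit stream).
$ SET NOON
$!
$! Step 1: Audit ACE -> event goes to the audit journal.
$ SET SECURITY/ACL=(AUDIT=SECURITY,ACCESS=EXECUTE+SUCCESS) SYS$SYSTEM:SETAUDIT.EXE
$!
$! Optional: Alarm ACE -> event also goes to security operator terminals.
$ SET SECURITY/ACL=(ALARM=SECURITY,ACCESS=EXECUTE+SUCCESS) SYS$SYSTEM:SETAUDIT.EXE
$!
$! Step 2: the ACEs only fire if the ACL event class is enabled for
$! auditing (journal) and/or alarming (operator terminal).
$ SET AUDIT/AUDIT/ENABLE=ACL
$ SET AUDIT/ALARM/ENABLE=ACL
$!
$! Verify: both ACEs should be present on the image, and ACL should be
$! listed among the enabled audit and alarm classes.
$ SHOW SECURITY SYS$SYSTEM:SETAUDIT.EXE
$ SHOW AUDIT/ALL
```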
John Gillings
Honored Contributor

Re: How to remove audit journal files in audit settings

Wim,
I know what's wrong and I know how to fix it, but for a measly one point, it's not worth my time... sorry.
A crucible of informative mistakes
Wim Van den Wyngaert
Honored Contributor

Re: How to remove audit journal files in audit settings

John A.,

Decided to monitor the refcnt of the audit mailbox. If not 2, alarm.
Manual investigation is needed then, but it is more foolproof than monitoring the startup of audit_server or the audit alarm when the /nolist command is given. Thanks anyway.

Wim
Wim
Hein van den Heuvel
Honored Contributor

Re: How to remove audit journal files in audit settings

The data for the audit journal settings is maintained in a simple indexed file:
sys$manager:VMS$AUDIT_SERVER.DAT;1

If those extra records really bother you then just remove them with simple RMS commands?

The primary key is a simple string with the "Journal name". The string length count is the byte preceding it.
The journal file name is a counted string at offset 85, it seems.

First, create a backup:
$CONVERT/STAT/SHARE sys$manager:VMS$AUDIT_SERVER.DAT VMS$AUDIT_SERVER.BACKUP

Now open:

$open/read/write/share=write x sys$manager:VMS$AUDIT_SERVER.DAT

And test:

$read/key="SECUR" x record
$show symb record
$write sys$output "->",f$extr(7,f$cvui(6*8,8,record),record),"<-"
->SECURITY<-
HEIN>write sys$output "->",f$extr(85,f$cvui(84*8,8,record),record),"<-"
->SYS$COMMON:[SYSMGR]SECURITY.AUDIT$JOURNAL<-

And play:


HEIN>record[7,8]:=nonsense
HEIN>record[85,41]:="Als ik kon toveren, kwam alles voor elkaar"
HEIN>write/symb x record
HEIN>show audit /all
List of audit journals:
Journal name: NONSENSE
Journal owner: (system audit journal)
Destination: Als ik kon toveren, kwam alles voor elkaa
Monitoring: enabled
Warning thresholds, Block count: 100 Duration: 2 00:00:00.0
Action thresholds, Block count: 25 Duration: 0 00:30:00.0

Journal name: SECURITY
Journal owner: (system audit journal)
Destination: SYS$COMMON:[SYSMGR]SECURITY.AUDIT$JOURNAL
:


And cleanup:

$read/dele/key=NONSENSE x deleted_record
$close x


In summary, for Wim to cleanup I think the commands would be:

$convert/share/stat sys$manager:VMS$AUDIT_SERVER.DAT sys$manager:VMS$AUDIT_SERVER.backup
$open/read/write/share=write audit sys$manager:VMS$AUDIT_SERVER.DAT
$read/delete/key=AUDIT$JOURNAL audit audit_record
$read/delete/key=WIM audit wim_record
$close audit
$show audit/all

If anything went wrong, then you can use the backup, or you can re-write the deleted records from the DCL symbols the data was saved into.

Enjoy,
Hein.
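Hein's summary, wrapped in a command procedure that keeps the deleted record so it can be put back. This is an added example, not Hein's own procedure; it relies on the record layout he inferred above (counted journal name at offset 6/7, counted destination at offset 84/85), and the backup file name, symbol names and labels are this example's own. Because Hein's partial key "SECUR" matched SECURITY, a short key can match more than one journal, so the procedure reads the record first, compares the full name, and only then deletes.

```dcl
$! Added example: remove one journal entry from the audit server database,
$! keeping a copy of the raw record in a global symbol for restore.
$! Usage: @REMOVE_AUDIT_JOURNAL journal-name
$ SET NOON
$ journal = F$EDIT(P1, "UPCASE,TRIM")
$ IF journal .EQS. "" THEN WRITE SYS$OUTPUT "Usage: @REMOVE_AUDIT_JOURNAL journal-name"
$ IF journal .EQS. "" THEN EXIT
$ file = "SYS$MANAGER:VMS$AUDIT_SERVER.DAT"
$!
$! 1) Backup first. CONVERT keeps the indexed file structure intact
$!    (assumed backup name, pick your own).
$ CONVERT/SHARE/STATISTICS 'file' SYS$MANAGER:VMS$AUDIT_SERVER.BACKUP
$ IF .NOT. $STATUS THEN EXIT
$!
$! 2) Open for shared write, fetch the record WITHOUT deleting it, and
$!    show what matched. Offsets follow Hein's observation: length byte
$!    at 6, name text at 7; length byte at 84, destination text at 85.
$ OPEN/READ/WRITE/SHARE=WRITE/ERROR=openfail aud 'file'
$ READ/KEY="''journal'"/ERROR=notfound/END_OF_FILE=notfound aud rec
$ name_len = F$CVUI(6*8, 8, rec)
$ dest_len = F$CVUI(84*8, 8, rec)
$ name = F$EXTRACT(7, name_len, rec)
$ WRITE SYS$OUTPUT "Journal:     ", name
$ WRITE SYS$OUTPUT "Destination: ", F$EXTRACT(85, dest_len, rec)
$!
$! A short key is a generic (prefix) match, so insist on the exact name
$! before deleting anything.
$ IF name .NES. journal THEN GOTO mismatch
$!
$! 3) Keep the raw record in a global symbol, then delete it.
$ SAVED_AUDIT_RECORD == rec
$ READ/DELETE/KEY="''journal'"/ERROR=notfound aud rec
$ CLOSE aud
$ WRITE SYS$OUTPUT "Deleted ''journal'. To restore it:"
$ WRITE SYS$OUTPUT "  $ OPEN/READ/WRITE/SHARE=WRITE aud ''file'"
$ WRITE SYS$OUTPUT "  $ WRITE/SYMBOL aud SAVED_AUDIT_RECORD"
$ WRITE SYS$OUTPUT "  $ CLOSE aud"
$ SHOW AUDIT/ALL
$ EXIT
$!
$ mismatch:
$ CLOSE aud
$ WRITE SYS$OUTPUT "Key ''journal' matched ''name', not an exact name; nothing deleted."
$ EXIT
$ notfound:
$ CLOSE aud
$ WRITE SYS$OUTPUT "No journal record named ''journal' in ''file'; nothing deleted."
$ EXIT
$ openfail:
$ WRITE SYS$OUTPUT "Could not open ''file' for write; is the audit server holding it?"
$ EXIT
```

The global symbol survives the procedure's exit, so the three restore commands printed at the end can be typed straight at the DCL prompt if SHOW AUDIT/ALL does not look right.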

Hein van den Heuvel
Honored Contributor

Re: How to remove audit journal files in audit settings

Hi there Wim!

You assigned 3 points to my reply. The suggested meaning for this is "1-3: The answer didn't really help answer my question, but thanks for your assistance! "
I cannot help but read this as...
"Bzzzzz, all wrong, thanks for playing"

And here I naively thought it perfectly answered your immediate question:
"How do I remove the audit$journal ?"

I would appreciate a small explanation as to why you thought my suggestion did not solve the problem, and possibly is the only current solution to the problem.
Is there something I overlooked, or am I reading too much in those points?

Btw... obviously my solution is a workaround / hack / magic.
There appears to be a weakness / incomplete solution in the implementation here.
If this is a real problem, and it is important to your customer, just escalate through a support call to HP. No one in this forum of friends can actually fix/change the code. You'll need to exercise your support contract for that. That's why folks buy support.

Met vriendelijke groetjes,
Hein.
John Abbott_2
Esteemed Contributor

Re: How to remove audit journal files in audit settings

Thanks for your post Hein, your summary example worked fine on my test lab system, junk entry gone... but then you already know it works :-)
Never thought to look & play, quite simple really.
Thanks again
J.
Don't do what Donny Dont does
Wim Van den Wyngaert
Honored Contributor

Re: How to remove audit journal files in audit settings

Hein,

No hard feelings, but your solution has the same result as that of Kris, and the one of Kris is simpler. And the question is to solve the problem with "set audit" commands.
So yes, didn't really solve the question.

It's strange that nobody complains when they get overpaid (the 10 on all answers).

I'm curious if it is bad documentation or simply missing functionality (strange that nobody noticed it before).

Wim
Wim