HPE Community
Operating System - OpenVMS
1752754 Members
4502 Online
108789 Solutions
New Discussion юеВ

Re: Keystroke auditing on OpenVMS Integrity v8.3-1H1

 
SOLVED
Go to solution
Steve Reece_3
Trusted Contributor

тАО01-08-2010 08:46 AM

тАО01-08-2010 08:46 AM

Keystroke auditing on OpenVMS Integrity v8.3-1H1

Hiya,

We presently have AUDIT installed on our VMS systems to take logs of keystrokes from privileged users and other users that have access to a VMS prompt. This is a requirement for company auditing purposes.

Does anyone have any ideas of other tools that are available that can do logging of keystrokes on VMS for auditing?

What I'm specifically interested in is the keystrokes that the users put into the VMS system, not necessarily the response from the system. We also still want the input even if the terminal is set /NOECHO

Thanks in advance

Steve
0 Kudos
Reply
14 REPLIES 14
Jon Pinkley
Honored Contributor

тАО01-08-2010 12:47 PM

тАО01-08-2010 12:47 PM

Re: Keystroke auditing on OpenVMS Integrity v8.3-1H1

Steve,

It isn't clear to me if there is a problem with AUDIT, or if you are looking for a cheaper alternative.

Does AUDIT have the capability to log /input ?

My opinion is that keystroke logging by itself is of limited use from an auditing standpoint. A knowledgeable user with privilege and malicious intent, can disguise what they are doing with command files and other techniques. The point being that keystrokes alone are not sufficient. They can be useful for debugging and for determining what was being done when other auditing events occurred.

Jon
it depends
0 Kudos
Reply
Steve Reece_3
Trusted Contributor

тАО01-08-2010 01:08 PM

тАО01-08-2010 01:08 PM

Re: Keystroke auditing on OpenVMS Integrity v8.3-1H1

Hi Jon,

We're evaluating options now that we're planning the move to Integrity. We don't just use keystroke logging/auditing, we use other things too, such as the auditing within VMS. The keystroke logging/auditing is but one of the tools that's necessary with corporate standards

Steve
0 Kudos
Reply
EWL
Occasional Advisor

тАО01-08-2010 01:42 PM

тАО01-08-2010 01:42 PM

Solution

Re: Keystroke auditing on OpenVMS Integrity v8.3-1H1

Hey Steve

We use Peek and Spy for the exact same thing. Works great.
Reply
Steve Reece_3
Trusted Contributor

тАО01-09-2010 01:10 AM

тАО01-09-2010 01:10 AM

Re: Keystroke auditing on OpenVMS Integrity v8.3-1H1

Do you have a web reference for Peek and Spy please?

Thanks
Steve
0 Kudos
Reply
Volker Halle
Honored Contributor

тАО01-09-2010 07:05 AM

тАО01-09-2010 07:05 AM

Re: Keystroke auditing on OpenVMS Integrity v8.3-1H1

Steve,

how about:

http://www.networkingdynamics.com/TheVmsStore.htm

Look at Peek & Spy and KeyCapture

Volker.
Reply
John Gillings
Honored Contributor

тАО01-10-2010 01:28 PM

тАО01-10-2010 01:28 PM

Re: Keystroke auditing on OpenVMS Integrity v8.3-1H1

Steve,

I'm not a huge fan of keystroke logging. Who's going to read it?

The "poor man's" keystroke log is fairly simple. Arrange for the user to login to one username, which does a SET HOST/LOG to a second username (or system).

Ideally use two systems. The "audit" system has two network adapters. Users on one side, and "audited" system on the other. That way there's no physical path between the users and the audited system, except via the audit system. The users also have no non-captive access to the audit system, so even privileged users can't mess with the audit logs.

Give the users a captive account on the audit system with no password. The LOGIN procedure generates a log file name, then:

$ SET HOST/LOG


Note the username is SYS$INPUT for the SET HOST command. This will pass the username to the target system.

The user will therefore see only one "Username:" prompt and one "Password:" prompt. Whatever welcome message or LOGIN.COM output you generate will appear between the prompts.

On the audited system, have the SYLOGIN procedure check the source of all logins. Anything not from the audit system is immediately logged out.

I don't think this will capture /NOECHO input, but it's simple to setup and needs no special privileges or non-standard privileged code.
A crucible of informative mistakes
0 Kudos
Reply
Steve Reece_3
Trusted Contributor

тАО01-10-2010 11:10 PM

тАО01-10-2010 11:10 PM

Re: Keystroke auditing on OpenVMS Integrity v8.3-1H1

I'm not a great fan either John, but audit requirements are audit requirements so it's not even worth having that argument with management.

Steve
0 Kudos
Reply
Jon Pinkley
Honored Contributor

тАО01-11-2010 01:14 AM

тАО01-11-2010 01:14 AM

Re: Keystroke auditing on OpenVMS Integrity v8.3-1H1

Here are some things you should check if you are using any of the terminal logging or keystroke logging utilities, especially if they are being used for auditing purposes.

Does it handle large QIO operations to TCPIP services TNA (Telnet) devices?

Does it survive a disconnect/reconnect on a VTA terminal?

Does it provide secure logging (at least for non-privileged users)? As John Gillings said, if the logging is being done on the same system as the privileged users being monitored, I am not aware of any way to guarantee that the logs will be valid. In other words, a user with CMKRNL privilege can compromise the logging.

Does it have the ability to post process the output to clean up the rubout processing? This makes the output easier to read, but may also hide some info.
it depends
Reply
Ian Miller.
Honored Contributor

тАО01-11-2010 02:46 AM

тАО01-11-2010 02:46 AM

Re: Keystroke auditing on OpenVMS Integrity v8.3-1H1

System Detective does session logging and more

http://www.pointsecure.com/products/sys_det.aspx

____________________
Purely Personal Opinion
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.