Operating System - OpenVMS

Missing Directory in VMS Server

 
Anup Varghese
Occasional Advisor

Missing Directory in VMS Server

Hi,

I am supporting a VMS server. Today when I logged into one of the servers I found that one of the directories is missing/deleted. Is there any possibility to identify who has deleted the directory? Accounting and auditing have been enabled on the system as below.

Nsil01_TNs» show accounting
Accounting is currently enabled to log the following activities:

PROCESS any process termination
INTERACTIVE interactive job termination
LOGIN_FAILURE login failures
SUBPROCESS subprocess termination
DETACHED detached job termination
BATCH batch job termination
NETWORK network job termination
PRINT all print jobs
MESSAGE user messages
Nsil01_TNs»
Nsil01_TNs»
Nsil01_TNs»
Nsil01_TNs» show audit
System security alarms currently enabled for:
ACL
Authorization
Audit: illformed
Breakin: dialup,local,remote,network,detached
Logfailure: batch,dialup,local,remote,network,subprocess,detached

System security audits currently enabled for:
ACL
Authorization
Audit: illformed
Breakin: dialup,local,remote,network,detached
Logfailure: batch,dialup,local,remote,network,subprocess,detached
Nsil01_TNs»
Nsil01_TNs»
Nsil01_TNs»
Nsil01_TNs» show system/noproc
OpenVMS V6.2-1H2 on node NSIL01 21-FEB-2011 12:44:40.22 Uptime 438 17:01:27
Nsil01_TNs»

Kindly help me if there is any possibility of finding the user who may have deleted the directory.
abrsvc
Respected Contributor

Re: Missing Directory in VMS Server

Deleting a directory will require 2 steps if there are files within it.

1) Either delete all the files in the directory, or mark the directory file /NODIR. Please note that setting the file/nodir requires SYSPRV and should be used with extreme caution.

2) Actually delete the directory file (x.DIR).

If the /nodir was used, there will be files that have no directory entry. These can be retrieved using the ANAL/DISK/REPAIR utility which will place these files into the [syslost] area.

I am not aware of any way to determine who deleted the directory using the information captured with your settings as described.

Dan
Ian Miller.
Honored Contributor

Re: Missing Directory in VMS Server

Unlikely unless there was an alarm ACL on the directory or a file within it.

Have you checked the audit log for the last few days?

Time to start the request for restore.
____________________
Purely Personal Opinion
The Brit
Honored Contributor

Re: Missing Directory in VMS Server

As pointed out by Ian, unless you have an Alarm/Audit ACL on the directory, there is not much hope of identifying precisely who was responsible.

If you can narrow the time window, and you don't have too many users, you may be able to narrow down the suspects, bearing in mind the privilege required to delete the directory. If telnet is a standard method of accessing your systems then Logins and Logouts are recorded in Operator.log (usually).

Note also however, (and as pointed out), deleting the directory (without using the /NoDir qualifier) requires at least two explicit commands, first it is necessary to remove all of the files in the directory, and any sub-directories. This command may have to be executed repeatedly until the directory is empty. Then a second explicit command to delete the directory.

This makes it quite possible that the act was done maliciously, (and may help narrow down the list of suspects), but does not provide any proof.

Good Luck

Dave.
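
The Alarm/Audit ACL mentioned in the two replies above, shown as an added DCL example that is not from any poster in this thread. The directory file DKA100:[000000]PROJECTS.DIR is a hypothetical name, and the audit journal path is assumed to be the system default.

```dcl
$! Added example; DKA100:[000000]PROJECTS.DIR is a hypothetical directory file.
$!
$! The SHOW AUDIT output in the question already lists ACL under both alarms
$! and audits, so ACEs will be honored. This command is only needed on a
$! system where the ACL event class is not yet enabled.
$ SET AUDIT/ALARM/AUDIT/ENABLE=ACL
$!
$! Audit ACE on the directory file itself:
$!   WRITE   - entries removed from (or added to) the directory
$!   DELETE  - deletion of the .DIR file
$!   CONTROL - changes to its protection or ownership
$! SUCCESS+FAILURE records both completed and refused attempts.
$ SET SECURITY/ACL=(AUDIT=SECURITY,ACCESS=WRITE+DELETE+CONTROL+SUCCESS+FAILURE) -
      DKA100:[000000]PROJECTS.DIR
$!
$! Matching alarm ACE, so the same events also reach security operator terminals.
$ SET SECURITY/ACL=(ALARM=SECURITY,ACCESS=WRITE+DELETE+CONTROL+SUCCESS+FAILURE) -
      DKA100:[000000]PROJECTS.DIR
$!
$! Confirm that both ACEs are now on the directory file.
$ SHOW SECURITY DKA100:[000000]PROJECTS.DIR
$!
$! After an incident, review the journal for the period of interest
$! (default journal location assumed).
$ ANALYZE/AUDIT/FULL/SINCE=YESTERDAY SYS$MANAGER:SECURITY.AUDIT$JOURNAL
```

These ACEs only record events from the moment they are set, so they help with the next incident rather than the deletion already reported.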
Anup Varghese
Occasional Advisor

Re: Missing Directory in VMS Server

Thanks for all your replies.