Operating System - OpenVMS
cancel
Showing results for 
Search instead for 
Did you mean: 

%SHOW-W-NOAUDITING, security auditing disabled; no events will be logge

 
SOLVED
Go to solution
Wim Van den Wyngaert
Honored Contributor

Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge

And my 4) ?

Wim
Wim
Jan van den Ende
Honored Contributor

Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge

Clark,

>>>
there are two nodes, two separate system disk, logical VMS$AUDIT_SERVER defined on both nodes,
<<<

Did you perhaps fall for the trap of having those defined as somehow derived from SYS$SYSDEVICE or SYS$SYSROOT?
(I once made that mistake also, and it puzzled me much, until the famous "Oh no, not THAT simple" experience.)
Those ARE the default definitions, but, in a multi-systemdisk cluster, they point to DIFFERENT devices! Be sure to use LNMs derived from the SAME device, and have that device MOUNTed (for EACH node) by SYLOGICALS.COM

hth

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Jon Pinkley
Honored Contributor
Solution

Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge

Clark,

Here is what the security manual says, which is different than what sylogicals suggests.

HP OpenVMS Guide to System Security
OpenVMS Version 7.3-2

http://h71000.www7.hp.com/doc/732FINAL/aa-q2hlg-te/AA-Q2HLG-TE.pdf

Chapter 9 Security Auditing pg 204
-------------------------------------------------------------------------------------------------------
Moving the File from the System Disk
To relocate the file from the SYS$COMMON:[SYSMGR] directory, edit the command procedure
SYSECURITY.COM. This procedure executes each time the system is rebooted, before the audit server is
started.
To relocate the file, perform the following steps:
1. Change the startup sequence by adding a line to SYSECURITY.COM that directs the operating system to
mount the designated auditing disk before the audit server process is started rather than after. For
example:
$ IF .NOT. F$GETDVI("$1$DUA2","MNT") -
_$ THEN MOUNT/SYSTEM $1$DUA2 AUDIT AUDIT$ /NOREBUILD
The command in this example mounts a volume labeled AUDIT on $1$DUA2 and makes it available
systemwide. MOUNT also assigns the logical name AUDIT$.
2. Move the audit server database to the auditing disk, if you choose. The database remains small and fairly
stable so this step is not essential.
To move the database, add a second line to SYSECURITY.COM to define the system logical name
VMS$AUDIT_SERVER. (The line follows the one that mounts the auditing disk.) In the command, define
a system logical name and assign it to the VMS$AUDIT_SERVER data file on the disk with the logical
name AUDIT$. For example:
$ DEFINE/SYSTEM/EXEC VMS$AUDIT_SERVER AUDIT$:[AUDIT]VMS$AUDIT_SERVER.DAT
This command redirects the audit server database to the volume on $1$DUA2, which was mounted in
step 1.
3. From the DCL level, redirect the security audit log file to the volume mounted in SYSECURITY.COM (see
step 1). Use the SET AUDIT command to update the audit server database with the new location of the
security audit log file, and instruct the audit server process on each node in the cluster to begin using the
file. For example:
$ SET AUDIT/JOURNAL=SECURITY -
_$ /DESTINATION=AUDIT$:[AUDIT]SECURITY
Do not repeat this command on each system restart.
If you use a logical name in the specification of the security audit log file, it must be defined as a
/SYSTEM logical name in SYSECURITY.COM.
-------------------------------------------------------------------------------------------------------

Also see section "Managing the Auditing Subsystem" starting on page 212.

You currently have multiple audit journal files, since each system disk has its own sys$common. Accourding to the manual, that will work, but is not recommended: (from page 203)

-------------------------------------------------------------------------------------------------------
Ordinarily, all cluster events are written to a single audit log file. The use of one security audit log file in a
cluster results in a single record of all security-relevant events on the system. For this reason, one clusterwide
log file is preferable to node-specific audit logs, which lose the interrelationship of events across the cluster,
thus producing an incomplete analysis of security events. You can, if you wish, create node-specific audit logs
(see Maintaining the File), but this is not the recommended procedure.
-------------------------------------------------------------------------------------------------------

One more thing, set audit/start does not do everything needed to start auditing. You must do that, wait for the AUDSRV$CONTROL_MAILBOX to be created, then issue set audit/initiate. Or do what is recommended and use

$ @SYS$SYSTEM:STARTUP AUDIT_SERVER

(See help set audit/server)

Jon
it depends
Clark Powell
Frequent Advisor

Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge

SYLOGICALS.COM mounts the disk which has the common logical name definition file and executes it and also is the target of the audit server (now.) This disk has other important files like SYSUAF.DAT so nothing would work if it was not commonly accessible. So that criteria is met.
There are no messages in operator.log that relate to audit server.
Audit server processes run on both nodes as shown:
ALPHAZ> PIPE SHO DEVICE/FILE DSA10: | SEA SYS$INPUT 218455CE
AUDIT_SERVER 218455CE [VMS$COMMON.SYSEXE]AUDIT_SERVER.EXE;1
ALPHAZ> PIPE SHO DEVICE/FILE DSA200: | SEA SYS$INPUT 218455CE
AUDIT_SERVER 218455CE [VMCOMMON]VMS$AUDIT_SERVER.DAT;1
AUDIT_SERVER 218455CE [VMCOMMON]SECURITY.AUDIT$JOURNAL;5
AUDIT_SERVER 218455CE [VMCOMMON]VMS$OBJECTS.DAT;1

After reading the last comments I decided that maybe the journal HAD to be shared so I used a definition that would equate to the same location for BOTH nodes. This only changed the journal entry in SHOW AUDIT/JOURNAL

ALPHAZ> sho audit/jou
List of audit journals:
Journal name: SECURITY
Journal owner: (system audit journal)
Destination: SYSDISK2:[VMCOMMON]SECURITY.AUDIT$JOURNAL
Monitoring: enabled
Warning thresholds, Block count: 100 Duration: 2 00:00:00.0
Action thresholds, Block count: 25 Duration: 0 00:30:00.0

%SHOW-W-NOAUDITING, security auditing disabled; no events will be logged

My guess is that the VMS$AUDIT_SERVER.DAT might be corrupted and require being recreated. (But, I don't know if the audit server would automatically do this if those files were missing....

Jon Pinkley
Honored Contributor

Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge

Clark,

Just to confirm: you did

$ set audit/initialize

or

$ @SYS$SYSTEM:STARTUP AUDIT_SERVER

after making your changes?

If your VMS$AUDIT_SERVER.DAT was corrupt, why is one node's audit server working correctly?

The data in this file is normally static, so you should be able to copy the working version to the shared directory using convert/share. My guess is that it is not the file, but that the /initialize needs to be done.

Reference: http://h71000.www7.hp.com/wizard/wiz_8897.html

Jon
it depends
Highlighted
Clark Powell
Frequent Advisor

Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge

CONCLUSION:

Having SECURITY.AUDIT$JOURNAL in different locations for each node didn't work. I had to execute this command:
Set audit/DESTINATION=SYSDISK2:[VMCOMMON]SECURITY.AUDIT$JOURNAL/JOUR=SECURITY

and then I HAD to restart using
@SYS$SYSTEM:STARTUP AUDIT_SERVER
not
SET AUDIT/SERVER=START

collecting audit data now...

thanks everyone, the forum is working better than some of the HP support I've been getting lately.
Clark
Jon Pinkley
Honored Contributor

Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge

Sorry for the incorrect syntax I had.

As Clark posted, the correct set audit syntax is

$ set audit /SERVER=[start|initialize]

I left out the "/SERVER=" part in my recommendation.

zero points for this.
it depends
Wim Van den Wyngaert
Honored Contributor

Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge

I don't get it. How can you have 2 different destinations when you have 1 vms$audit_server.dat ?

Wim
Wim
Jon Pinkley
Honored Contributor

Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge

RE:"How can you have 2 different destinations when you have 1 vms$audit_server.dat ?"

If the journal file is set to Destination: SYS$COMMON:[SYSMGR]SECURITY.AUDIT$JOURNAL and you have two different system disks, or if is is set to Destination: SYS$SPECIFIC:[SYSMGR]SECURITY.AUDIT$JOURNAL and you have a shared system disk. Those are two ways I can think of. Although the logical specifications are the same, they will be distinct files.

Jon
it depends
Wim Van den Wyngaert
Honored Contributor

Re: %SHOW-W-NOAUDITING, security auditing disabled; no events will be logge

Jon,

Sorry I was incomplete but I saw the file on dsa200 not being the system disk. So, that should be shared.

I just did a test with 1 vms$audit_server.dat file common for both nodes. No problem at all for getting destination to 2 different disk (destination a:[000000]wim.lis where a is the local page file of both systems, not mounted by each other).

Wrong conclusion ?

Wim
Wim