05-31-2011 07:59 AM
Security Auditing - How to log user logins for accounts that have SYSPRV.
I don't see how to do this with SET AUDIT/AUDIT. Can it be done?
- Tags:
- auditing
05-31-2011 10:02 AM
Re: Security Auditing - How to log user logins for accounts that have SYSPRV.
Two possibilities:
(1) audit all (interactive,batch) logins.
Then use analyze/audit to select all logins, and check the users against sysuaf for elevated privileges.
(2) set audit/audit/enable=(ACCESS=SYSPRV,ACCESS=BYPASS)
to audit all accesses due to those privileges.
See HELP SET AUDIT /ENABLE for details.
05-31-2011 10:06 AM
Re: Security Auditing - How to log user logins for accounts that have SYSPRV.
All I know is what I read in HELP just now.
I would look into putting an AUDIT ACE on the LOGIN.COM files for these accounts. SET AUDIT/ENABLE=ACCESS for these files to audit EXECUTE and MANAGE access to this file.
I think that the EXECUTE auditing would tell you when LOGIN.COM is executed (mostly only when the user logs on) and when the user tries to modify the ACE (to stop the logging).
05-31-2011 10:13 AM
Re: Security Auditing - How to log user logins for accounts that have SYSPRV.
set audit/audit/enable=(ACCESS=(SYSPRV,BYPASS))
05-31-2011 11:03 AM
Re: Security Auditing - How to log user logins for accounts that have SYSPRV.
This query sequence isn't a single step, but it's quite simple to brute-force the necessary solution with some DCL-level queries into accounting or auditing.
The other traditional sequence available here is to add the necessary auditing into SYLOGIN using explicit DCL-level tests.
And the usual and long-standing recommendation: remove the privileges from the users, as impolitic as that can be.
05-31-2011 01:44 PM
Re: Security Auditing - How to log user logins for accounts that have SYSPRV.
Auditing /ENABLE=(ACCESS=(SYSPRV,BYPASS)) tracks every USE of the privilege, which may be too fine grained for what you want.
It may be simpler to audit all logins and filter them for the usernames you're interested in:
$ SET AUDIT/AUDIT/ENABLE=LOGIN=ALL
Login audits are a fairly useful thing to have anyway.
There's a fairly general approach to generating audits for arbitrary events which allows you to be highly specific, using files with audit ACLs which generate audits when touched in various ways. In this case, here's a possibility:
First create a file with a distinctive name to identify the event you're auditing. Leave the file empty.
$ CREATE SYS$MANAGER:SYSPRV_BYPASS_LOGIN.AUDIT
Apply security and ACE which will audit SUCCESSFUL access to that file:
$ SET SECURITY /PROTECTION=(S:R,O,G,W) -
SYS$MANAGER:SYSPRV_BYPASS_LOGIN.AUDIT -
/ACL=(AUDIT=SECURITY,ACCESS=READ+SUCCESS)
Since it's protected S:R, only users with SYSPRV and BYPASS can access the file.
Now, plant an access to the file in SYLOGIN.COM in a path that's executed by everyone. Since non-privileged users will get an error, use PIPE output redirection to block the message:
$ SET NOON ! Don't exit on error
$ PIPE TYPE SYS$MANAGER:SYSPRV_BYPASS_LOGIN.AUDIT >nl: 2>nl:
Make sure ACL audits are enabled:
$ SET AUDIT/AUDIT/ENABLE=ACL
You can now search the audit journal for audit records with filename = SYS$MANAGER:SYSPRV_BYPASS_LOGIN.AUDIT; these will identify the users and times they executed SYLOGIN (note that anyone can execute SYLOGIN at any time!).
As others have stated, privileged users can do anything, so this won't necessarily work if they're hostile (but if that's the case they shouldn't have privileges!).
06-01-2011 01:24 AM
Re: Security Auditing - How to log user logins for accounts that have SYSPRV.
06-01-2011 02:31 AM
Re: Security Auditing - How to log user logins for accounts that have SYSPRV.
For me, the number 1 priority here is to ensure that only those people who really need BYPASS, actually have it.
Under 8.3 you also need SECURITY privilege to fiddle with the audit server. It is perfectly possible for users to hold SYSPRV and still be denied access to the SYSUAF (assuming they haven't got BYPASS).
Craig
06-01-2011 04:51 AM
Re: Security Auditing - How to log user logins for accounts that have SYSPRV.
f$getjpi(0,"AUTHPRIV") will return the list of all authorized privileges for the current process.
Dave
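The DCL-level SYLOGIN test discussed in this thread, as an added example that is not part of any poster's reply: it checks the account's authorized privileges with F$GETJPI and reads an audit-ACL marker file only for accounts that hold SYSPRV or BYPASS, so accounts with the privilege authorized but not enabled by default are recorded as well. The marker file name PRIV_LOGIN_MARKER.AUDIT, the symbol names and the world-readable protection are assumptions made for this example.

```dcl
$! Added example (not from the thread). The marker file name and its
$! world-readable protection are assumptions made for this example.
$!
$! --- One-time setup, run by the system manager ---
$! Empty marker file: in a command procedure CREATE stops reading at
$! the next line that begins with "$", so the file has no contents.
$ CREATE SYS$MANAGER:PRIV_LOGIN_MARKER.AUDIT
$! Every successful READ of the marker writes a security audit record.
$! World read access is allowed so that the DCL test below, not the
$! file protection, decides which logins touch the file.
$ SET SECURITY /PROTECTION=(S:R,O:R,G:R,W:R) -
      /ACL=(AUDIT=SECURITY,ACCESS=READ+SUCCESS) -
      SYS$MANAGER:PRIV_LOGIN_MARKER.AUDIT
$ SET AUDIT /AUDIT /ENABLE=ACL
$!
$! --- Fragment for SYS$MANAGER:SYLOGIN.COM ---
$ SET NOON                        ! Don't exit SYLOGIN on error
$! AUTHPRIV is a comma-separated list; wrap it in commas so each
$! privilege name is matched as a whole list element.
$ auth_privs = "," + F$GETJPI("","AUTHPRIV") + ","
$ is_priv = 0
$ IF F$LOCATE(",SYSPRV,",auth_privs) .LT. F$LENGTH(auth_privs) THEN is_priv = 1
$ IF F$LOCATE(",BYPASS,",auth_privs) .LT. F$LENGTH(auth_privs) THEN is_priv = 1
$! Reading the marker is what generates the audit record; the output
$! itself is discarded.
$ IF is_priv THEN PIPE TYPE SYS$MANAGER:PRIV_LOGIN_MARKER.AUDIT >NL: 2>NL:
```

Because the marker is world-readable, any user can read it by hand at any time; the audit record carries the reading user's name, so such entries can be told apart when the journal is reviewed.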
06-01-2011 05:50 AM
Re: Security Auditing - How to log user logins for accounts that have SYSPRV.
.
.
.
$ pid = f$getjpi("","PID")
$ username = f$getjpi("''pid'","USERNAME")
$ username = f$edit("''username'","TRIM,UPCASE")
$ if username.eqs."WHOEVER" THEN ...
Instead of the last IF check, you could also maintain a simple flat file of the users that have high privileges and check that file with a SEARCH checking the status of the search results.
Just another way to skin the cat.
Cheers,
Bob