Operating System - OpenVMS

Re: Security Auditing - How to log user logins for accounts that have SYSPRV.

 
Hoff
Honored Contributor

Re: Security Auditing - How to log user logins for accounts that have SYSPRV.

>Under 8.3 you also need SECURITY privilege to fiddle with the audit server. It is perfectly possible for users to hold SYSPRV and still be denied access to the SYSUAF (assuming they haven't got BYPASS).

Only if they don't know what they're doing.
Craig A Berry
Honored Contributor

Re: Security Auditing - How to log user logins for accounts that have SYSPRV.

There are multiple ways to approach this, and the best approach will depend on what you mean by "how frequently" and what action you intend to take based on whatever definition of frequent or infrequent you're using.

If you just want to find privileged accounts that haven't been used in a while, grab Joe Meadows' UAF utility:

http://code.google.com/p/jmuaf/

and simply scan to see when users with privileges last logged in:

$ uaf/select=(flags=nodisuser,priv=(bypass,sysprv))/match=and/display=(user,inter,noninter)


But if you really need timestamps for each and every access, uaf won't do it.

You could use JUMP:

http://vms.process.com/scripts/fileserv/fileserv.com?JUMP

and set things up such that the users don't actually have privileges on their own accounts, but jump to another account that does. There are various extensive logging operations available (opcom, mail, log files, etc.).
The Brit
Honored Contributor

Re: Security Auditing - How to log user logins for accounts that have SYSPRV.

I have a similar requirement where I have to have a specific log showing when users with privileges higher than SYSPRV log in and out.

I use a variation on the suggestion of Bob and Dave above. See Attachment.

Dave.

Robert Gezelter
Honored Contributor

Re: Security Auditing - How to log user logins for accounts that have SYSPRV.

djk,

Personally, I would probably go with ensuring that ACCOUNTING was enabled, and using the accounting report utility (or scanning the account log file myself with a custom program).

As Hoff and others have noted, a user with elevated privileges can generally find a way around the SECURITY privilege; it is just more involved. (CMKRNL trumps just about everything!)

- Bob Gezelter, http://www.rlgsc.com
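The ACCOUNTING route Bob describes, as an added example (not from his post or any attachment on this page). Usernames, the seven-day window and the output file name are assumptions for illustration; the qualifiers are standard SET ACCOUNTING and ACCOUNTING utility syntax:

```dcl
$! Added example: enable login/logout accounting and report it for
$! named privileged users.  Assumed: the accounts SYSTEM and OPSMGR are
$! the ones of interest (take the list from a uaf/select scan).
$ SET ACCOUNTING/ENABLE=(INTERACTIVE,NETWORK,BATCH,LOGIN_FAILURE)
$!
$! A PROCESS record is written when the process is deleted, so the
$! login time and the logout (record) time of a session arrive together
$! in one record; a session that is still logged in has no record yet.
$ ACCOUNTING/TYPE=PROCESS/PROCESS=INTERACTIVE -
    /USER=(SYSTEM,OPSMGR)/SINCE="-7-00:00:00"/FULL -
    /OUTPUT=SYS$MANAGER:PRIV_SESSIONS.LIS
$!
$! Failed logins for the same accounts over the same window.
$ ACCOUNTING/TYPE=LOGFAIL/USER=(SYSTEM,OPSMGR)/SINCE="-7-00:00:00"/BRIEF
$!
$! Start a fresh accounting file so the one just reported can be
$! copied somewhere the reported users cannot write.
$ SET ACCOUNTING/NEW_FILE
```

Two caveats follow from the thread itself: the accounting file is only as trustworthy as the protection on it, and anyone with BYPASS or CMKRNL can alter or disable it, so copy each closed file off to a location those accounts cannot reach. The audit server, which Hoff's quoted poster mentions, records the same events in the security audit journal with SET AUDIT/AUDIT/ENABLE=(LOGIN=ALL,LOGOUT=ALL), and needs SECURITY privilege to reconfigure.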
Joseph Huber_1
Honored Contributor

Re: Security Auditing - How to log user logins for accounts that have SYSPRV.

Dave,
this does not catch users with SETPRV, but no SYSPRV or BYPASS enabled by default.
One would have to set an ACL allowing write access on priv_logins.dat for each such user.
http://www.mpp.mpg.de/~huber
The Brit
Honored Contributor

Re: Security Auditing - How to log user logins for accounts that have SYSPRV.

Thank you for pointing that out Joseph. I must admit that I had missed that.

(In mitigation, SETPRV is not a privilege that we would normally grant in isolation, it is usually only granted as part of a "system-level" account set-up. i.e. a user with SETPRV (in our environment) would normally have SYSPRV.)

In any case, I will re-examine my procedure to try to close this loop-hole.

thanks

Dave.
Joseph Huber_1
Honored Contributor

Re: Security Auditing - How to log user logins for accounts that have SYSPRV.

Just to explain my policy:
Having SETPRV as the only enabled DEFAULT privilege forces me to explicitly enable any other elevated privilege when needed, so I can't do any unintended damage.

Just a suggestion:
On my system I have a resource identifier "SYSMGR" granted to all users with elevated privileges.
Making your priv_login.dat owned by SYSMGR or attaching an ACL allowing write access for SYSMGR would make the logging possible for all users in this group, not only for SYSPRV and BYPASS users.
http://www.mpp.mpg.de/~huber
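A login-time logger along the lines of Dave's attachment (which is not on this page) that also closes the SETPRV gap Joseph raises, as an added example that is not the attachment or any code from the thread. It keys on the authorized privilege mask rather than the enabled one, so a user whose only DEFAULT privilege is SETPRV is still recorded, and it uses Joseph's SYSMGR identifier via an ACL so such users can write the log. The procedure name, log file name, identifier name and the privilege list are assumptions:

```dcl
$! Added example: SYS$MANAGER:PRIV_LOGIN_LOG.COM, called from SYLOGIN.COM as
$!   $ @SYS$MANAGER:PRIV_LOGIN_LOG.COM
$! Records a line for every login by an account whose UAF-authorized
$! privileges include any of the ones listed in "watch".
$ SET NOON                                   ! never block a login because logging failed
$ priv_log = "SYS$MANAGER:PRIV_LOGINS.DAT"   ! assumed log file name
$ watch    = "SYSPRV,BYPASS,SETPRV,CMKRNL,READALL,SECURITY"   ! assumed "elevated" set
$!
$! AUTHPRIV is the authorized mask from the UAF, not the currently
$! enabled privileges, which is why F$PRIVILEGE() would miss a
$! SETPRV-only user who has not yet enabled anything.
$ authpriv = "," + F$GETJPI("", "AUTHPRIV") + ","
$ hit = ""
$ i = 0
$ PRIVLOG_NEXT:
$   p = F$ELEMENT(i, ",", watch)
$   IF p .EQS. "," THEN GOTO PRIVLOG_CHECK    ! F$ELEMENT returns the delimiter past the end
$   IF F$LOCATE("," + p + ",", authpriv) .NE. F$LENGTH(authpriv) THEN hit = hit + p + " "
$   i = i + 1
$   GOTO PRIVLOG_NEXT
$ PRIVLOG_CHECK:
$ IF hit .EQS. "" THEN EXIT                  ! ordinary user, nothing to record
$!
$ user = F$EDIT(F$GETJPI("", "USERNAME"), "TRIM")
$ line = F$TIME() + " " + user + " " + F$GETJPI("", "MODE") + " " -
         + F$GETJPI("", "TERMINAL") + " authorized: " + hit
$!
$! OPEN/APPEND needs write access to the file.  The one-time setup below
$! grants it to holders of the SYSMGR identifier so that SETPRV-only
$! users (who cannot rely on SYSPRV to get past the protection) can write.
$ OPEN/APPEND/SHARE=WRITE privlog 'priv_log'
$ WRITE privlog line
$ CLOSE privlog
$ EXIT
$!
$! One-time setup, run once from a privileged account (assumed names):
$!   $ COPY/PROTECTION=(S:RWED,O:RWED,G,W) NL: SYS$MANAGER:PRIV_LOGINS.DAT
$!   $ SET SECURITY/ACL=(IDENTIFIER=SYSMGR,ACCESS=READ+WRITE) -
$!         SYS$MANAGER:PRIV_LOGINS.DAT
$!   $ RUN SYS$SYSTEM:AUTHORIZE
$!   UAF> ADD/IDENTIFIER/ATTRIBUTES=RESOURCE SYSMGR
$!   UAF> GRANT/IDENTIFIER SYSMGR <each privileged username>
```

This is an accountability log, not a tamper-evident one: as Hoff and Bob point out above, anyone on that list can edit the file or skip the procedure, so it complements rather than replaces ACCOUNTING or the audit server. Keep the record to data the user cannot trivially forge (F$TIME and the JPI items) and copy the file off the system regularly.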
RBrown_1
Trusted Contributor

Re: Security Auditing - How to log user logins for accounts that have SYSPRV.

My personal policy is similar to Joseph's. I generally work with only TMPMBX and NETMBX, but have SETPRV. I never change my privilege with SET PROCESS/PRIVILEGE. Instead I use my PRIV command file which removes the extra privileges I previously gave myself, and then adds the ones I am requesting this time.

See attached.
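A stand-in for the PRIV command file RBrown describes (the attachment itself is not on this page), as an added example and not his code. It assumes the same baseline he describes, TMPMBX and NETMBX with SETPRV authorized, and that the requested privileges are passed as P1:

```dcl
$! Added example: PRIV.COM.  Usage (assumed calling convention):
$!   $ @PRIV SYSPRV              ! drop earlier extras, enable SYSPRV
$!   $ @PRIV SYSPRV,CMKRNL
$!   $ @PRIV                     ! back to the baseline only
$ SET NOON
$ baseline = "TMPMBX,NETMBX,SETPRV"           ! assumed default privileges
$!
$! Step 1: drop everything, then restore only the baseline.  NOALL drops
$! SETPRV too, but SETPRV is in the authorized mask so it can be put back
$! without holding it; the same is true of TMPMBX and NETMBX.
$ SET PROCESS/PRIVILEGE=NOALL
$ SET PROCESS/PRIVILEGE=('baseline')
$!
$! Step 2: enable only what this call asks for.  Anything outside the
$! authorized mask is possible only because SETPRV is now enabled.
$ IF P1 .NES. "" THEN SET PROCESS/PRIVILEGE=('P1')
$!
$! Step 3: show the result so a typo in P1 is noticed immediately.
$ WRITE SYS$OUTPUT "Current privileges: ", F$GETJPI("", "CURPRIV")
$ SET ON
$ EXIT
```

Because step 1 always runs, a privilege enabled in an earlier call never survives into the next one, which is the point of using the procedure instead of a bare SET PROCESS/PRIVILEGE: the enabled set is always exactly baseline plus the current request.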