himabindu s
Occasional Advisor

Security Auditing

Hi,

openVMS by default stores all the audit related data in a binary log file.
We have analyze/audit tool that can be used to generate reports from that binary file.
The output of the report can also be redirected to a file.
So,is there any other way to convert this binary log file to a normal text file?

Thanks,
S.Hima Bindu
Jan van den Ende
Honored Contributor

Re: Security Auditing

Hima,

you practically gave the answer yourself in the question:
$ ANALYZE/AUDIT for everything redirected to an output file.
Be aware that that will take VERY MUCH more disk space.
The audit file is stored in binary for this reason.

hth

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Volker Halle
Honored Contributor

Re: Security Auditing

S.Hima,

there is no other utility in OpenVMS to read and display the SECURITY.AUDIT$JOURNAL file.

This is a sequential file, so you could write your own utility to read and display its records. The record definitions should be in LIB.REQ (NSA$...).

Volker.
himabindu s
Occasional Advisor

Re: Security Auditing

I want my binary audit files to be converted to ASCII files on a periodic basis (say every 2 hours or so).

How can we achieve this?
Volker Halle
Honored Contributor

Re: Security Auditing

S.Hima,

write a little DCL procedure using ANAL/AUDIT with the /OUTPUT=filename qualifier and specify /SINCE=. Then submit this procedure as a batch job and make it re-submit itself at the desired intervals.

You could use a hard-coded value like "-2:0:0", or you could use the creation date of the previous output file, to make sure you don't miss any events.

Volker.
John Gillings
Honored Contributor

Re: Security Auditing

>So,is there any other way to convert this
>binary log file to a normal text file?

You could write your own program. There are interfaces, but the file is complex, so it's probably not a good idea!

The simplest conversion is:

$ ANALYZE/AUDIT/FULL/OUT=audit.txt SYS$MANAGER

The resulting file is relatively easy to parse. Entries have a heading starting with the word "Security" and are separated by a blank line. Each field in an entry is of the form:

name: value

continuation lines start with white space.

What format were you hoping for, and for what purpose?
A crucible of informative mistakes
himabindu s
Occasional Advisor

Re: Security Auditing

Hi,
Thank you for your answers.
When the output is directed to a text file, the audit events appear in name value pairs.
For example:

Event 1:

Security audit (SECURITY) on TRUTH, system id: 56622
Auditable event: Object creation
Event time: 16-DEC-2009 08:25:29.41
PID: 206000BC
Process name: TCPIP$FTPC0000E
Username: SYSTEM
Process owner: [SYSTEM]
Image name: $4$DKA200:[SYS0.SYSCOMMON.][SYSEXE]LOGINOUT.EXE
Object class name: FILE
File name: _$4$DKA200:[SYS0.SYSMGR]TCPIP$FTP_SERVER.LOG;31
File ID: (8505,15,0)
Posix UID: -2
Posix GID: -2 (%XFFFFFFFE)
Deaccess key: 81570BC0
Sequence key: 0000E7C2
Status: %SYSTEM-S-NORMAL, normal successful completion

Event 2:

Security audit (SECURITY) on TRUTH, system id: 56622
Auditable event: Object creation
Event time: 17-DEC-2009 06:09:56.42
PID: 20600105
Process name: _TNA15:
Username: SYSTEM
Process owner: [SYSTEM]
Terminal name: TNA15:
Image name: $4$DKA200:[SYS0.SYSCOMMON.][SYSEXE]SETAUDIT.EXE
Object class name: DEVICE
Object name: _TRUTH$MBA145:
Posix UID: -2
Posix GID: -2 (%XFFFFFFFE)
Status: %SYSTEM-S-NORMAL, normal successful completion

In both of the events above, the task done is object creation, but the names audited (which appear on the left side of each name-value pair) are different. (File name and File ID don't appear in the second event.)

Is there any way to get all the possible names that can appear for an event?
For example: for the event object creation, what are all the possible fields that can be populated in the audit log file?

Thanks,
S.Hima bindu
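As an added example (not code from the thread), a small Python parser for the ANALYZE/AUDIT/FULL text layout John describes, run over a constructed sample modelled on the two events above, with an inventory of which field names were actually seen per (event, object class). That inventory answers the question empirically for the journals you have; it is not the complete list of everything OpenVMS can emit, so any consumer must still tolerate fields it has never seen.

```python
from collections import defaultdict
# Constructed sample based on the two events quoted above (fields trimmed);
# the indented "completion" line is added to exercise continuation handling.
SAMPLE = """\
Security audit (SECURITY) on TRUTH, system id: 56622
Auditable event: Object creation
Event time: 16-DEC-2009 08:25:29.41
Object class name: FILE
File name: _$4$DKA200:[SYS0.SYSMGR]TCPIP$FTP_SERVER.LOG;31
File ID: (8505,15,0)
Status: %SYSTEM-S-NORMAL, normal successful completion

Security audit (SECURITY) on TRUTH, system id: 56622
Auditable event: Object creation
Object class name: DEVICE
Object name: _TRUTH$MBA145:
Status: %SYSTEM-S-NORMAL, normal successful
    completion
"""

def parse_audit_text(text):
    """One dict per entry: "Security" heading kept as "heading"; lines split on
    the first ": " (colons in values survive); indented lines extend the last value."""
    entries, entry, last = [], None, None
    for line in text.splitlines():
        blank = not line.strip()
        if blank or line.startswith("Security"):  # both close the open entry
            if entry is not None:
                entries.append(entry)
            entry = None if blank else {"heading": line.strip()}
            last = "heading"
        elif entry is None:                        # text before first heading
            continue
        elif line[0].isspace():                    # continuation line
            entry[last] += " " + line.strip()
        else:
            name, _, value = line.partition(": ")
            last = name.rstrip(":")
            entry[last] = value.strip()
    if entry is not None:
        entries.append(entry)
    return entries

def fields_seen(entries):
    """(auditable event, object class) -> sorted field names seen in this journal."""
    seen = defaultdict(set)
    for e in entries:
        key = (e.get("Auditable event", ""), e.get("Object class name", ""))
        seen[key].update(k for k in e if k != "heading")
    return {k: sorted(v) for k, v in seen.items()}
```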
Volker Halle
Honored Contributor

Re: Security Auditing

S.Hima Bindu,

could you explain the reason behind your questions ? What are you trying to achieve ?

The 2 examples you've shown are related to a FILE and a DEVICE object and therefore the audit messages have different parameters.

To get an idea about all the different parameters, look at the ANAL/AUDIT/SELECT qualifier and the values you can specify for this parameter. To get a full listing of all possible event and parameter names, you probably have to buy the OpenVMS source code listings and look at [AUDSRV]FORMATBL.LIS.

Did you have a look at the SYS$FORMAT_AUDIT system service ? It converts a security auditing event message from binary format to ASCII text.

Volker.
himabindu s
Occasional Advisor

Re: Security Auditing

Volker,
We are actually trying to collect all the possible log messages that are possible on OpenVMS. As the format of the log message changes for each event, can we get a list of all the possible events generated by OpenVMS?

Thanks,
S.Hima Bindu
Hoff
Honored Contributor

Re: Security Auditing

You are describing potential solutions here, and not the particular problems or requirements that you are targeting. Please spend a few minutes at the keyboard and describe what problem you are solving here with this and with cron, and not how you have proposed to solve the problem(s). My guess is that there's a far better solution than you're working with here, too; catching the audits off a mailbox, for instance. Asking specific and targeted questions will get you answers, but not necessarily the best answer. Or even the right answer, in some cases.

As for formatting the events, use the provided system services for translating events. sys$format_audit being one of the key events here.

Don't presume you will ever get a list of all events; that's not how OpenVMS is designed.

You're expected to look for events you care about, and pass through the rest.

The intent of this scheme is one of upward-compatibility.

If an application or OpenVMS itself adds a new event (and that has happened) any design that is built on the premise of knowing all possible events will, well, fail.

Code that is built on parsing text output (whether from the auditing events or from DCL commands or other such output) is also considered precarious at best and typically unsupported and subject to change without notice; parsing command output is an application design that will fail.

If you need to parse and act upon auditing remotely, then I'd suggest passing over your own "encoded" format in the network records rather than depending on the details of the text translation of sys$format_audit, too.

Being unfamiliar with security services and the details of maintaining security can produce large (and expensive) security holes, too. This is an area of OpenVMS with very serious considerations around maintaining security and around avoiding exposures.