- Select (or exclude) AUDIT entries by IP Address?
05-11-2012 07:53 AM
Re: Select (or exclude) AUDIT entries by IP Address?
I would tend to agree with you, John, but PCI DSS auditors don't.
I considered the AUDIT listener, but when I realized it could cause a system hang I discarded that idea immediately.
05-11-2012 08:52 AM
Re: Select (or exclude) AUDIT entries by IP Address?
> @Richard Brodie wrote: it depends exactly what your TCPIP stack passes to the auditing system. On mine it logs the 32-bit big-endian IP address as the DECNET id, and /ignore=remote=id=3483948345 works fine.

> @operagost wrote: That would be handy... but I use HP TCPIP, so I'll bet it's not supported!
Have you tried that? On every version of HP TCPIP that I can access each breakin from a particular source is uniquely identified and can be either /ignore(d) or /select(ed). It would be helpful if you posted the output from $tcpip show version
AFA your network scanner, I guess we'll presume that it logs its activity and reports a successful breakin, but if it were my system I'd also want to select those (if there are any) from the audit.
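The following is an added example, not code from anyone in this thread. It assumes the encoding Richard Brodie describes above (the remote id logged by the audit server is the IPv4 address as a 32-bit big-endian integer) and simply converts between that integer and the dotted-quad form, so you can check whether the id in your own audit records really is your scanner's address before building an /IGNORE or /SELECT qualifier in the form quoted above. The audit-record ids in `SAMPLE_REMOTE_IDS` are constructed for the example; whether HP TCPIP populates the field the same way is exactly the question the thread leaves open, so verify against your own ANALYZE/AUDIT output.

```python
import ipaddress

# Constructed sample: remote ids as they might appear in a run of breakin
# audit records. 3483948345 is the value quoted in the thread.
SAMPLE_REMOTE_IDS = [3483948345, 167772161, 3483948345, 3232235777]


def ip_to_remote_id(dotted: str) -> int:
    """Dotted-quad IPv4 -> 32-bit big-endian integer (the 'DECNET id' form)."""
    return int(ipaddress.IPv4Address(dotted))


def remote_id_to_ip(remote_id: int) -> str:
    """Inverse: remote id taken from an audit record -> dotted-quad string."""
    if not 0 <= remote_id <= 0xFFFFFFFF:
        raise ValueError(f"remote id {remote_id} does not fit in 32 bits")
    return str(ipaddress.IPv4Address(remote_id))


def audit_qualifier(dotted: str, exclude: bool = True) -> str:
    """Build the ANALYZE/AUDIT qualifier in the form quoted in the thread.

    exclude=True  -> /IGNORE=REMOTE=ID=n  (drop the scanner's records)
    exclude=False -> /SELECT=REMOTE=ID=n  (list only the scanner's records)
    """
    verb = "IGNORE" if exclude else "SELECT"
    return f"/{verb}=REMOTE=ID={ip_to_remote_id(dotted)}"


def partition_by_source(remote_ids, scanner_ip: str):
    """Split a list of remote ids into (scanner records, other sources as IPs).

    The second element is what you would still want to look at after
    excluding the scanner; the first is what /IGNORE would drop.
    """
    scanner_id = ip_to_remote_id(scanner_ip)
    from_scanner = [rid for rid in remote_ids if rid == scanner_id]
    others = sorted({remote_id_to_ip(rid) for rid in remote_ids if rid != scanner_id})
    return from_scanner, others


if __name__ == "__main__":
    scanner = remote_id_to_ip(3483948345)
    print("scanner address:", scanner)
    print(audit_qualifier(scanner))                 # exclude it
    print(audit_qualifier(scanner, exclude=False))  # or select only it
    print(partition_by_source(SAMPLE_REMOTE_IDS, scanner))
```

Running it prints the dotted address behind the id from the thread and the two qualifiers; the partition shows which constructed records the /IGNORE would suppress and which other sources remain for review.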
05-13-2012 02:41 PM
Re: Select (or exclude) AUDIT entries by IP Address?
> but when I realized it could cause a system hang I discarded that idea immediately.
Lots of things can cause system hangs, but that doesn't stop people using them! Indeed, the audit server itself is effectively just another audit listener. If it stops, so does the system. The warnings in the security manual aren't supposed to scare you away, just to make sure you understand the implications and take appropriate care in using the feature.
If you write an audit listener process carefully you can minimise the risk. One fairly simple approach is to use a "deadman lock". Run two (or even three or more) processes simultaneously. Have the process attempt to get the deadman lock exclusively. When granted, start a new copy of self. That way there's always one or more processes waiting on the lock. If the currently active process goes away for any reason, the lock is dropped and another process takes over immediately (and starts another copy). About the only problem with this design is it's difficult to kill when you want to!
Create the listener mailbox with a healthy allocation and use an AST threaded design. The reader AST just shovels messages from the mailbox into a large internal buffer, processed by another thread, or the main line.
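The deadman-lock handoff described above, as an added example that is not the poster's code. It uses a POSIX `flock` on a lock file as a stand-in for an exclusive OpenVMS lock-manager lock (an assumption: the point being shown is the behaviour, that the lock is released by the OS when its holder exits for any reason, so the standby needs no cooperation from the dying process). Only one handoff is shown; in the design above the copy that takes over would also start a fresh standby so the chain never runs dry. Paths, timings and the event log are constructed for the demonstration.

```python
import fcntl
import os
import signal
import tempfile
import time


def _acquire(lock_path: str) -> int:
    """Open the lock file and take an exclusive flock; blocks until granted."""
    fd = os.open(lock_path, os.O_RDWR | os.O_CREAT, 0o600)
    fcntl.flock(fd, fcntl.LOCK_EX)
    return fd


def _append(path: str, line: str) -> None:
    with open(path, "a") as out:
        out.write(line + "\n")


def _wait_for(path: str, marker: str, timeout: float = 5.0) -> bool:
    """Poll until `marker` appears in the event log (harness helper only)."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if os.path.exists(path):
            with open(path) as f:
                if marker in f.read():
                    return True
        time.sleep(0.01)
    return False


def simulate_deadman(holder_lifetime: float = 0.3) -> list:
    """One active listener dies abruptly; a standby blocked on the lock takes over.

    Returns the event-log lines in the order they were written.
    """
    tmpdir = tempfile.mkdtemp()
    lock_path = os.path.join(tmpdir, "listener.lock")
    log_path = os.path.join(tmpdir, "events.log")

    # Active copy: takes the lock, "works" for a while, then exits without
    # releasing anything. The kernel drops the flock together with the fd.
    active = os.fork()
    if active == 0:
        _acquire(lock_path)
        _append(log_path, f"active pid={os.getpid()} holds lock")
        time.sleep(holder_lifetime)
        os._exit(1)

    # Start the standby only once the active copy is known to hold the lock,
    # so the standby genuinely blocks instead of winning the initial race.
    if not _wait_for(log_path, "holds lock"):
        os.kill(active, signal.SIGKILL)
        raise RuntimeError("active copy never took the lock")

    standby = os.fork()
    if standby == 0:
        _acquire(lock_path)  # blocks here until the active copy is gone
        _append(log_path, f"standby pid={os.getpid()} took over")
        os._exit(0)

    os.waitpid(active, 0)
    os.waitpid(standby, 0)
    with open(log_path) as f:
        return [line.rstrip("\n") for line in f]


if __name__ == "__main__":
    for event in simulate_deadman():
        print(event)
```

The event log always shows the active copy first and the standby second, because the standby cannot pass `_acquire` until the holder is gone. The hard-to-stop property the post mentions falls out of the same design: to shut the pool down cleanly you need some signal the standbys check before re-acquiring, otherwise killing the holder just promotes the next one.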