- Re: What does the SYSUAF user account audit flag d...
02-28-2006 09:20 AM
Thanks, Neil
02-28-2006 10:13 AM
Solution
The audit flag can be set to allow auditing of events that are related to specific users.
There are 19 event classes in VMS that the VMS audit server can audit. The event classes range from object access and successful and unsuccessful login attempts to the specific use of a privilege and changes of system parameters. By default, VMS will audit login failures, intrusion attempts (from the Intrusion Database), and any changes to the authorization database files (SYSUAF.DAT, NET$PROXY.DAT, etc.), as well as attempts to change the audit server configuration via the SET AUDIT command.
Audit information can be generated as either events or alarms: auditing activity is logged either as an event to the security logfile or as an alarm to an operator terminal or print device. In addition, the audit server can log security events to a remote node for archival and/or analysis.
Archunan
Archie
02-28-2006 10:20 AM
Re: What does the SYSUAF user account audit flag do?
Once we enable the audit for a user using
UAF> modify username/flags=audit
we can get the activity reports using
$ ANALYZE/AUDIT/SELECT=(FLAGS=MANDATORY,USERNAME=xxxx) SECURITY.AUDIT$JOURNAL
The security logfile, SECURITY.AUDIT$JOURNAL, will have all the logged events for the specific user.
Archunan
Archie
02-28-2006 11:31 AM
Re: What does the SYSUAF user account audit flag do?
Beware! Setting AUDIT on a UAF record will cause all possible auditable events triggered by that user name to be logged in the audit journal. Typically this is a very large volume of data, even for the most trivial sequence of commands. In most cases it is not appropriate (but can be a useful "very big hammer" diagnostic tool).
I recommend you do a test. Check the current size of your audit journal. Select a UAF entry, enable AUDIT, log the user in and log out immediately. Use ANALYZE/AUDIT/SINCE=login-time to see how many audit records were added, and also check the expansion of your journal.
If you decide to use FLAG=AUDIT, just make sure you have plenty of disk space for the journal file, and have a plan for managing and archiving the data.
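The test described in this post, written out as a DCL command procedure. This is an added example, not part of the original post; the account name TESTUSER, the journal path and the procedure name are assumptions, and it expects an interactive session with SYSPRV and SECURITY privileges.

```dcl
$! AUDIT_FLAG_TEST.COM (hypothetical name) - added example, not from the thread.
$! Measures what one login/logout by an AUDIT-flagged account adds to the
$! audit journal. Confirm the real journal location with SHOW AUDIT/JOURNAL.
$!
$ user    = "TESTUSER"                             ! assumed test account
$ journal = "SYS$MANAGER:SECURITY.AUDIT$JOURNAL"   ! assumed default location
$ uaf     := $sys$system:authorize                 ! AUTHORIZE as a foreign command
$ olddir  = f$environment("DEFAULT")
$ set default sys$system                           ! where AUTHORIZE looks for SYSUAF.DAT
$!
$ set audit /server=flush                          ! write buffered records to the journal
$ wait 00:00:05
$ before = f$file_attributes(journal, "EOF")       ! blocks in use before the test
$ start  = f$edit(f$time(), "TRIM")                ! start of the test window
$!
$ uaf modify 'user' /flags=audit
$ write sys$output "Log ''user' in and straight out again from another terminal."
$ inquire /nopunctuation done "Press RETURN when that session has ended: "
$ uaf modify 'user' /flags=noaudit                 ! switch the flag off again
$!
$ set audit /server=flush
$ wait 00:00:05
$ after = f$file_attributes(journal, "EOF")
$ set default 'olddir'
$!
$! The EOF mark in the header of an open file can lag behind what has been
$! written, so treat the block delta as approximate and rely on the counts.
$ write sys$output "Journal grew by about ", after - before, " blocks"
$ analyze /audit /since="''start'" /select=username='user' /summary=count 'journal'
$ exit
```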
02-28-2006 12:05 PM
Re: What does the SYSUAF user account audit flag do?
You can find the list of events which can be activated in the "VMS Guide to System Security" manual, under the 9th chapter, "Security Auditing". As Mr. John said, the security audit log file will be large, so make sure you have enough disk space, and better have a test auditing with only a couple of events enabled.
$ set audit /alarm/audit/enable=(install, mount, ncp, login, logout, etc,...)
Archie
03-01-2006 08:14 AM
Re: What does the SYSUAF user account audit flag do?
> have a test auditing with only a couple of events enabled.
Sorry, I didn't explain this clearly enough. The UAF AUDIT flag is independent of SET AUDIT. It doesn't matter how many or how few events are enabled with SET AUDIT; a process with the AUDIT flag always logs ALL possible auditable events that it triggers. As I said, it's a very heavy hammer.