Operating System - OpenVMS
cancel
Showing results for 
Search instead for 
Did you mean: 

What does the SYSUAF user account audit flag do?

 
SOLVED
Go to solution
Highlighted
Neil Ashworth_1
Occasional Advisor

What does the SYSUAF user account audit flag do?

What exactly is the affect of setting the AUDIT flag on a user account in the SYSUAF. The VMS doc set is decidedly deficient in explaining what it does.

Thanks, Neil
5 REPLIES 5
Highlighted
Arch_Muthiah
Honored Contributor
Solution

Re: What does the SYSUAF user account audit flag do?

Neil,

The audit flag can be set to allow auditing of events that are related to specific users.

There are 19 event classes in VMS that VMS audit server can audit. The event classes are from object access, successful and unsuccessful login attempts, to the specific use of a privilege and changes of system parameters. By default, VMS will audit login failures, intrusion attempts (from the Intrusion Database), as well as any changes to the authorization database files (SYSUAF.DAT, NET$PROXY.DAT, etc.) as well as attempts to change the audit server configuration via the SET AUDIT command.

Audit information can be generated as either events or alarms where auditing activity is either logged as an event to the security logfile, as an alarm to an operator terminal or print device. In addition, the audit server can log security events to a remote node for archival and/or analysis.

Archunan
Regards
Archie
Highlighted
Arch_Muthiah
Honored Contributor

Re: What does the SYSUAF user account audit flag do?

Neil,

Once we enable the audit for a user using
UAF> modify username/flags=audit,

we can get the activity reports using
$ ANALYZE/AUDIT/SELECT=(FLAGS=MANDATORY,USERNAME=xxxx)SECURITY.AUDIT$JOURNAL

The security logfile,SECURITY.AUDIT$JOURNAL will have all the logged events for the specific user.

Archunan

Regards
Archie
Highlighted
John Gillings
Honored Contributor

Re: What does the SYSUAF user account audit flag do?

Neil,

Beware! Setting AUDIT on a UAF record will cause all possible auditable events triggered by that user name to be logged in the audit journal. Typically this is a very large volume of data, even for the most trivial sequence of commands. In most cases is not appropriate (but can be a useful "very big hammer" diagnostic tool).

I recommend you do a test. Check the current size of your audit journal. Select a UAF entry, enable AUDIT, log the user in and logout immediately. Use ANALYZE/AUDIT/SINCE=login-time to see how many audit records were added, also check the expansion of your journal.

If you decide to use FLAG=AUDIT, just make sure you have plenty of disk space for the journal file, and have a plan for managing and archiving the data.
A crucible of informative mistakes
Highlighted
Arch_Muthiah
Honored Contributor

Re: What does the SYSUAF user account audit flag do?

Neil,

You can find the list of events which can be activated in "VMS guide to system security" manual under 9th chapter "security
Auditing". As Mr.John said, the security audit log file will be large, so make sure you have enough disk space and better have a test auditing with only couple of events enabled.

$ set audit /alarm/audit/enable=(install, mount, ncp, login, logout, etc,...)
Regards
Archie
Highlighted
John Gillings
Honored Contributor

Re: What does the SYSUAF user account audit flag do?

Archunan,

>have a test auditing with only couple of events enabled.

Sorry, I didn't explain this clearly enough. The UAF AUDIT flag is independent of SET AUDIT. It doesn't matter how many or how few events are enabled with SET AUDIT, a process with the AUDIT flag always logs ALL possible auditable events that it triggers. As I said, it's a very heavy hammer.
A crucible of informative mistakes