audit logins for a particular user

TMcB · ‎11-16-2010

Hi everyone.
i would like to audit logins for one particular user.

At present we audit all logfailures and breakins.
But I'm not sure how to set up auditing the logins for just one user.

Any advice is greatly appreciated

Craig A · ‎11-16-2010

You need to make sure that your audits are properly enabled.

Do a $show audit and post the details here.

Have a look at the ANAL/AUDIT utility - This will allow you to interrogate the security audit journal file.

E.g. $ ANAL/AUDIT/FULL/SEL=USER= -

HTH

Craig

TMcB · ‎11-16-2010

Hi there.
Thanks for getting back to me.

current settings are :
System security alarms currently enabled for:
ACL
Authorization
Audit: illformed
Breakin: dialup,local,remote,network,detached
Logfailure: batch,dialup,local,remote,network,subprocess,detached

System security audits currently enabled for:
ACL
Authorization
Audit: illformed
Breakin: dialup,local,remote,network,detached
Logfailure: batch,dialup,local,remote,network,subprocess,detached

I'm happy enough with using the ANALYZE/AUDIT commands for single users, but at present we dont audit successfull logins.

I know to set it up for all users would be :
set aud /audit /enable=( login=all),
but I dont want to record successful logins for all users - just for one particular user.

Cheers

Craig A · ‎11-16-2010

You can set an audit flag for each individual user but this will generate a LOT of audits for a typical user:

$ MC AUTHORIZE MOD /FLAG=AUDIT

What info do you want to capture regarding the login session?

Can you get it from ACCOUNTING instead?

Craig

abrsvc · ‎11-16-2010

I have used a specific login procedure for an individual account to capture info with the final statment a reference to the standard login procedure. It all depends on what information you are trying to capture. If you can describe in more detail, what you with to log, we can provide some methods.

Dan

TMcB · ‎11-16-2010

Hi there
I just want to record the dates and times and from where the user logged in.

Craig A · ‎11-16-2010

You could add something in SYLOGIN.COM (maybe checking whether the caller holds an identifier - e.g. AUDIT$USER)

and log info lik:

f$getdvi("tt",""tt_accpornam")

or a $show term

That coupled with info from ACCOUNTING should get you what you want.

Craig

Jan van den Ende · ‎11-16-2010

TMcB,

this may or may not be usefull to you, but many moons ago we had a need to occasionally allow remote service access to our system by a remote package supplier.

We DID need to know if they ever touched sensitive info they had no business with.

We provided a captive login to an account, which only did a
$ SET HOST 0/LOG=
with embedded username/password
to another account on another device.
The "entry" account directory was pretty hard shielded and tripwired for any access by the "work" account.

The entry account was normally disusered, and only activited when needed, so we knew when a review was desired.

This may or may not be what you need, but it worked for us.

hth

Proost.

Have one on me.

jpe

Don't rust yours pelled jacker to fine doll missed aches.

TMcB · ‎11-16-2010

thanks -
i think using the users login.com file will be the easiest route. Will look into this

Craig A · ‎11-16-2010

That MIGHT work but also bear in mind that a user will typically have full access to their LOGIN.COM so could easily circumvent anything you place in it for auditing purposes.

Craig

audit logins for a particular user

audit logins for a particular user

Re: audit logins for a particular user

Re: audit logins for a particular user

Re: audit logins for a particular user

Re: audit logins for a particular user

Re: audit logins for a particular user

Re: audit logins for a particular user

Re: audit logins for a particular user

Re: audit logins for a particular user

Re: audit logins for a particular user

Hewlett Packard Enterprise International