- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - OpenVMS
- >
- audit logins for a particular user
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-16-2010 01:33 PM
тАО11-16-2010 01:33 PM
Re: audit logins for a particular user
Here's a neat trick for generating customised audits for whatever you like. An example for your specific case, I'll call your user AUDIT_ME.
First create an empty, world readable file, with a name that indicates what you want to audit:
$ CREATE/PROTECTION=(W:R) SYS$MANAGER:LOGIN.AUDIT
Now add an ACL which specifies a READ+FAIL security audit ACE, and an ACE to pick out who you want to trigger it:
$ SET SECURITY/ACL=((AUDIT=SECURITY,ACCESS=READ+FAIL),(IDENTIFIER=AUDIT_ME,ACCESS=NONE)) SYS$MANAGER:LOGIN.AUDIT
Now, in SYLOGIN.COM trigger the audit:
$ PIPE TYPE SYS$MANAGER:LOGIN.AUDIT >NL: 2>NL:
(we're using PIPE here to redirect any output or errors to NL:, since it's single stage PIPE everything occurs in the context of the current process, so no real expense).
Since the file is W:R, this will be a NOOP for most users. For user AUDIT_ME, they'll trigger the AUDIT ACE, and generate an event in the audit journal. You can identify it by the object name LOGIN.AUDIT.
In practice, I'd use identifier LOGIN_AUDIT and then:
UAF> GRANT/IDENTIFIER LOGIN_AUDIT AUDIT_ME
this gives you a simple way to request the audit for other users.
The same mechanism can be used for anything you like. Use the PIPE TYPE command to generate a message.
If you have a code path that only your target user(s) will execute, it's even easier. Same empty file, but:
$ SET SECURITY/ACL=(AUDIT=SECURITY,ACCESS=READ+SUCCESS)SYS$MANAGER:LOGIN.AUDIT
and:
$ TYPE SYS$MANAGER:LOGIN.AUDIT
(since you won't generate an error message, and the file is empty, you don't need to redirect output).
For this to work, you need to have ACL audits enabled. From your SHOW AUDIT posting, you already have that.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-16-2010 01:39 PM
тАО11-16-2010 01:39 PM
Re: audit logins for a particular user
Why not audit all LOGINs for all users? For that matter throw in LOGOUTs as well. At today's storage prices, for a few cents you'll have capacity for hundreds of years worth of login traffic. Remember, it's easy to throw away data that you've gathered, but you can't recover data that you didn't capture.
Enabling AUDIT in the UAF will also work, but you'll also audit entries for literally everything that user does! Probably not what you want, especially if your objective of not capturing all logins is to save space. The data volume for a single login and immediate logout for a UAF AUDIT flagged user would probably exceed all the login and logout traffic for all your users across a week!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-16-2010 02:20 PM
тАО11-16-2010 02:20 PM
Re: audit logins for a particular user
Set a success audit on the users LOGIN.COM ?
- Yeah you can have false positives
- Do not tell user about Username: xxx/NOCOM
:-)
Hein
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-16-2010 03:22 PM
тАО11-16-2010 03:22 PM
Re: audit logins for a particular user
>>>
- Yeah you can have false positives
- Do not tell user about Username: xxx/NOCOM
<<<
... OR... like I said before, have this user be CAPTIVE!! Blocks /NOCOMM
Proost.
Have one on me.
jpe
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-18-2010 06:30 PM
тАО11-18-2010 06:30 PM
Re: audit logins for a particular user
1) User's LOGIN.COM is owned by them, so could be modified, breaking the mechanism
2) They may execute LOGIN.COM other than at login time, giving false positives
Try this.
Create a command procedure:
SYS$COMMON:[SYSMGR]AUDIT_LOGIN.COM (W:RE)
$ @SYS$LOGIN:LOGIN
put audit ACLs on this procedure:
$ SET SECURITY/ACL=(AUDIT=SECURITY,ACCESS=EXECUTE+SUCCESS)
For any users you wish to audit, change their UAF entry:
UAF> MODIFY user/LGICMD=SYS$STARTUP:AUDIT_LOGIN
Invoking the system level procedure will trigger the audit, and then execute the default login procedure for the user.
There is a 3rd issue:
3) /NOCOMMAND or /COMMAND=other-file
As Jan suggested /FLAG=CAPTIVE will block that, but it's a bit harsh. Perhaps /FLAG=RESTRICTED?
(an example of the application of Hext's rule - a further level of indirection solves all problems)
- « Previous
- Next »