SAMI AHMAD
Regular Advisor

audit question

What does the following audit information mean?

FILE access:
Failure: read,write,execute,delete,control
SYSPRV: read,write,execute,delete,control
BYPASS: read,write,execute,delete,control
READALL: read,write,execute,delete,control

John Gillings
Honored Contributor

Re: audit question

SAMI,

This looks like an extract from a SHOW AUDIT command. It could be from "alarms currently enabled" or "audits currently enabled". It shows that auditing will alarm or audit file access events for access failures, and privileged access using SYSPRV, BYPASS or READALL.

Now, what's the real question?
A crucible of informative mistakes
Hoff
Honored Contributor

Re: audit question

The /HP OpenVMS Guide to System Security/ manual in the OpenVMS documentation set describes the OpenVMS security model, operations, command syntax and auditing.

For that output, that output from the SHOW AUDIT command means that the specified types of file access failures, and failures with the specified privileges, will generate either audits or alarms; as the output was truncated, I can't tell if that's for audits or alarms.

Please take the time to read the manual; it'll save you time, and it'll provide you with insight into how OpenVMS security is structured and operates, and pointers to the available options and commands.

The OpenVMS operating system manuals are available here:

http://www.hp.com/go/openvms/doc/

When you get into audits and alarms and privileges and ACLs (oh, my!), reading through the security manual is necessary but might not be sufficient. Grokking ACLs, for instance, is fundamental to understanding the read, write, execute, delete and control operations, for instance.

SAMI AHMAD
Regular Advisor

Re: audit question

My question is that our application, having BYPASS privileges, must be generating an audit record on every file access, right?

How much IO benefit can I gain by disabling this file access audit on BYPASS? How can I do some benchmark testing?
Ian Miller.
Honored Contributor

Re: audit question

Is there a requirement to audit use of BYPASS?

If not then use T4 or your choice of performance data collector and analyser and measure what's going on.

Is there a performance issue with this system (particularly the disk on which the audit log is held) which has led you to look at this?
____________________
Purely Personal Opinion
SAMI AHMAD
Regular Advisor

Re: audit question

We see heavy disk IO if we use MONITOR SYSTEM. See attachment.
So I was logically thinking that if we are auditing every successful access to all the files, this must be a heavy write operation to the audit file, right or not?
SAMI AHMAD
Regular Advisor

Re: audit question

Here is the attachment!
Robert Gezelter
Honored Contributor

Re: audit question

Sami,

Actually, I am not sure that the supposition that auditing is involved in the high IO rate is warranted (it is certainly not proven).

As an example, what is the batch job [BATCH_794] doing? Also, there is a fair amount of page faulting.

How this fits into the overall performance picture is an excellent question. This snapshot may be representative, then again, it may not.

The access checks are done when the file is opened, not on every operation. Perhaps, a thorough review of system performance is in order [disclosure: we provide such services, as do Hoff and several other regular contributors].

- Bob Gezelter, http://www.rlgsc.com
Hein van den Heuvel
Honored Contributor

Re: audit question

>> My question is that our application, having BYPASS privileges, must be generating an audit record on every file access, right?

Only on OPENs, not on simple writes.


>> How much IO benefit can I gain by disabling this file access audit on BYPASS?

Benefit by what measurement standard?
You seem to imply you want the benefit to be less IO. Do you have a reason to believe there is measurable, quantifiable IO?

>> How can I do some benchmark testing?

Try with, try without under similar load, over a similar time period and compare?!

>> We see heavy disk IO if we use MONITOR SYSTEM. See attachment.

I saw the attachment; it shows a good few DIRECT IOs in total.
So, that's great, no? That's supposedly why they bought the system!
And what makes you believe that auditing is an interesting component in that picture?
Hot-file tool?

I see a busy Oracle task, so I would guess that most IOs are going to Oracle files. I would want to confirm that by asking Oracle what it is doing (STATS_PACK, AWR,...)

What problem are you really trying to solve?

Best regards,

Hein van den Heuvel ( at gmail dot com )
HvdH Performance Consulting

SAMI AHMAD
Regular Advisor

Re: audit question

Hi Hein!

I think our systems are doing excessive IO and I am trying to investigate that.

Regards