06-01-2011 06:28 AM
Re: Security Auditing - How to log user logins for accounts that have SYSPRV.
Only if they don't know what they're doing.
06-01-2011 06:36 AM
Re: Security Auditing - How to log user logins for accounts that have SYSPRV.
If you just want to find privileged accounts that haven't been used in a while, grab Joe Meadows' UAF utility:
http://code.google.com/p/jmuaf/
and simply scan to see when users with privileges last logged in:
$ uaf/select=(flags=nodisuser,priv=(bypass,sysprv))/match=and/display=(user,inter,noninter)
But if you really need timestamps for each and every access, uaf won't do it.
You could use JUMP:
http://vms.process.com/scripts/fileserv/fileserv.com?JUMP
and set things up such that the users don't actually have privileges on their own accounts, but jump to another account that does. There are various extensive logging operations available (opcom, mail, log files, etc.).
06-01-2011 07:13 AM
Re: Security Auditing - How to log user logins for accounts that have SYSPRV.
I use a variation on the suggestion of Bob and Dave above. See Attachment.
Dave.
06-01-2011 11:27 AM
Re: Security Auditing - How to log user logins for accounts that have SYSPRV.
Personally, I would probably go with ensuring that ACCOUNTING was enabled, and using the accounting report utility (or scanning the account log file myself with a custom program).
As Hoff and others have noted, a user with elevated privileges can generally find a way around the SECURITY privilege, it is just more involved. (CMKRNL trumps just about everything!)
- Bob Gezelter, http://www.rlgsc.com
06-01-2011 11:41 AM
Re: Security Auditing - How to log user logins for accounts that have SYSPRV.
This does not catch users with SETPRV, but no sysprv or bypass enabled by default.
One would have to set an ACL allowing write access on priv_logins.dat for each such user.
06-02-2011 02:39 AM
Re: Security Auditing - How to log user logins for accounts that have SYSPRV.
(In mitigation, SETPRV is not a privilege that we would normally grant in isolation, it is usually only granted as part of a "system-level" account set-up. i.e. a user with SETPRV (in our environment) would normally have SYSPRV.)
In any case, I will re-examine my procedure to try to close this loop-hole.
Thanks
Dave.
06-02-2011 09:34 AM
Re: Security Auditing - How to log user logins for accounts that have SYSPRV.
Having SETPRV as the only enabled DEFAULT privilege forces me to explicitly enable any other elevated privilege when needed, so I can't do any unintended damage.
Just a suggestion:
On my system I have a resource identifier "SYSMGR" granted to all users with elevated privileges.
Making your priv_login.dat owned by SYSMGR or attaching an ACL allowing write access for SYSMGR would make the logging possible to all users in this group, not only for SYSPRV and BYPASS users.
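
Added example, not part of any post or attachment in this thread: a DCL sketch of a login-time check that records accounts by their authorized privileges (so a SETPRV-only default is still caught) and appends to a log file writable through an identifier ACL. The file location SYS$MANAGER:PRIV_LOGINS.DAT, the identifier name SYSMGR, the watched-privilege list and all `plog_` symbols and labels are assumptions.

```dcl
$! Added sketch for SYS$MANAGER:SYLOGIN.COM; not the procedure attached in this thread.
$! Assumptions: identifier SYSMGR, log file SYS$MANAGER:PRIV_LOGINS.DAT, plog_* names.
$!
$! One-time setup from a suitably privileged account:
$!   $ MCR AUTHORIZE ADD/IDENTIFIER SYSMGR /ATTRIBUTES=RESOURCE
$!   $ MCR AUTHORIZE GRANT/IDENTIFIER SYSMGR <username>
$!   $ SET SECURITY/ACL=(IDENTIFIER=SYSMGR,ACCESS=READ+WRITE) SYS$MANAGER:PRIV_LOGINS.DAT
$!
$ SET NOON                        ! a logging failure must not abort the login
$! AUTHPRIV is the authorized privilege list, not the currently enabled one,
$! so an account whose only default privilege is SETPRV is still recorded.
$ plog_auth  = "," + F$GETJPI("","AUTHPRIV") + ","
$ plog_watch = "SETPRV,SYSPRV,BYPASS,CMKRNL"
$ plog_found = ""
$ plog_i = 0
$plog_next:
$ plog_p = F$ELEMENT(plog_i, ",", plog_watch)
$ IF plog_p .EQS. "," THEN GOTO plog_write      ! end of watch list
$ IF F$LOCATE("," + plog_p + ",", plog_auth) .LT. F$LENGTH(plog_auth) THEN -
     plog_found = plog_found + plog_p + " "
$ plog_i = plog_i + 1
$ GOTO plog_next
$plog_write:
$ IF plog_found .EQS. "" THEN GOTO plog_done    ! unprivileged account, nothing to log
$! Write access comes from the ACL entry, not from SYSPRV or BYPASS.
$ OPEN/APPEND/SHARE=WRITE/ERROR=plog_done plog_f SYS$MANAGER:PRIV_LOGINS.DAT
$ WRITE plog_f F$TIME(), " ", F$EDIT(F$GETJPI("","USERNAME"),"TRIM"), " ", F$MODE(), " ", plog_found
$ CLOSE plog_f
$plog_done:
$ SET ON
```

Every account that can append to this file can also rewrite it, so it serves as a convenience record alongside ACCOUNTING rather than as tamper-resistant evidence.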
06-03-2011 08:57 AM
Re: Security Auditing - How to log user logins for accounts that have SYSPRV.
See attached.